Edit tour

Windows Analysis Report
win32.exe

Overview

General Information

Sample name:	win32.exe
Analysis ID:	1541094
MD5:	5d55fb708834d5ccde15d36554ea63e8
SHA1:	612ec1d41b2aa2518363b18381fd89c12315100f
SHA256:	ebffc9ced2dba66db9aae02c7ccd2759a36c5167df5cd4adb151b20e7eab173c
Tags:	EmbargoexeRansomwareRustyStealeruser-smica83
Infos:

Detection

TrojanRansom

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found ransom note / readme

Multi AV Scanner detection for submitted file

Yara detected RansomwareGeneric

Yara detected TrojanRansom

AI detected suspicious sample

Creates files in the recycle bin to hide itself

Drops a file containing file decryption instructions (likely related to ransomware)

Found Tor onion address

Self deletion via cmd or bat file

Sigma detected: Suspicious Ping/Del Command Combination

Uses bcdedit to modify the Windows boot settings

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

Abnormal high CPU Usage

Creates a process in suspended mode (likely to inject code)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

win32.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\win32.exe" MD5: 5D55FB708834D5CCDE15D36554EA63E8)

cmd.exe (PID: 7524 cmdline: "C:\Windows\System32\cmd.exe" /q /c bcdedit /set {default} recoveryenabled no MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bcdedit.exe (PID: 7572 cmdline: bcdedit /set {default} recoveryenabled no MD5: 74F7B84B0A547592CA63A00A8C4AD583)

cmd.exe (PID: 7568 cmdline: "C:\Windows\System32\cmd.exe" /q /c ping localhost -n 5 > nul & del C:\Users\user\Desktop\win32.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 6220 cmdline: ping localhost -n 5 MD5: B3624DD758CCECF93A1226CEF252CA12)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: win32.exe PID: 7500	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
Process Memory Space: win32.exe PID: 7500	JoeSecurity_TrojanRansom	Yara detected TrojanRansom	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Ping/Del Command Combination

Source: Process started

Author: Ilya Krestinichev: Data: Command: "C:\Windows\System32\cmd.exe" /q /c ping localhost -n 5 > nul & del C:\Users\user\Desktop\win32.exe, CommandLine: "C:\Windows\System32\cmd.exe" /q /c ping localhost -n 5 > nul & del C:\Users\user\Desktop\win32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\win32.exe", ParentImage: C:\Users\user\Desktop\win32.exe, ParentProcessId: 7500, ParentProcessName: win32.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /q /c ping localhost -n 5 > nul & del C:\Users\user\Desktop\win32.exe, ProcessId: 7568, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: win32.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: win32.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.2% probability

Source: win32.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Reference Assemblies\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\MSBuild\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\MSBuild\Microsoft\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\uninstall\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\fonts\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\defaults\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\browser\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\browser\VisualElements\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\browser\features\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Microsoft Office 15\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Microsoft\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Microsoft\OneDrive\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\WidevineCdm\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\WidevineCdm\_platform_specific\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\WidevineCdm\_platform_specific\win_x64\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\MEIPreload\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Extensions\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\en_US\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup Files\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup Files\{AC76BA86-1033-1033-7760-BC15014EA700}\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup Files\{AC76BA86-1033-1033-7760-BC15014EA700}\Transforms\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\VCRT_x64\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Adobe\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\Transforms\HOW_TO_RECOVER_FILES.txt	Jump to behavior

Source: win32.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\win32.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\win32.exe	File opened: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File opened: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File opened: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File opened: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File opened: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File opened: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics	Jump to behavior

Networking

Found Tor onion address

Source: HOW_TO_RECOVER_FILES.txt50.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt50.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt13.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt13.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt77.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt77.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt203.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt203.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt109.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt109.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt106.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt106.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt34.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt34.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt8.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt8.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt193.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt193.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt144.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt144.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt147.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt147.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt61.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt61.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt42.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt42.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt221.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt221.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt23.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt23.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt87.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt87.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt264.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt264.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt286.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt286.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt53.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt53.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt114.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt114.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt7.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt7.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt71.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt71.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt195.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt195.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt22.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt22.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt282.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt282.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt171.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt171.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt62.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt62.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt196.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt196.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt92.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt92.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt145.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt145.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt244.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt244.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt107.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt107.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt270.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt270.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt265.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt265.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt295.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt295.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt261.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt261.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt159.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt159.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt206.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt206.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt180.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt180.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt263.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt263.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt298.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt298.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt204.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt204.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt102.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt102.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt217.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt217.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt236.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt236.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt200.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt200.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt296.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt296.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt130.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt130.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt268.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt268.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt9.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt9.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt212.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt212.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt230.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt230.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt65.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt65.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt33.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt33.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt5.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt5.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt113.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt113.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt67.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt67.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt219.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt219.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt302.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt302.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt32.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt32.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt100.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt100.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt101.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt101.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt138.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt138.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt127.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt127.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt95.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt95.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf
Source: HOW_TO_RECOVER_FILES.txt30.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: HOW_TO_RECOVER_FILES.txt30.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 5

Source: HOW_TO_RECOVER_FILES.txt50.0.dr, HOW_TO_RECOVER_FILES.txt13.0.dr, HOW_TO_RECOVER_FILES.txt77.0.dr, HOW_TO_RECOVER_FILES.txt203.0.dr, HOW_TO_RECOVER_FILES.txt109.0.dr, HOW_TO_RECOVER_FILES.txt106.0.dr, HOW_TO_RECOVER_FILES.txt34.0.dr, HOW_TO_RECOVER_FILES.txt8.0.dr, HOW_TO_RECOVER_FILES.txt193.0.dr, HOW_TO_RECOVER_FILES.txt144.0.dr, HOW_TO_RECOVER_FILES.txt147.0.dr, HOW_TO_RECOVER_FILES.txt61.0.dr, HOW_TO_RECOVER_FILES.txt42.0.dr, HOW_TO_RECOVER_FILES.txt221.0.dr, HOW_TO_RECOVER_FILES.txt23.0.dr, HOW_TO_RECOVER_FILES.txt87.0.dr, HOW_TO_RECOVER_FILES.txt264.0.dr, HOW_TO_RECOVER_FILES.txt286.0.dr, HOW_TO_RECOVER_FILES.txt53.0.dr, HOW_TO_RECOVER_FILES.txt114.0.dr, HOW_TO_RECOVER_FILES.txt7.0.dr	String found in binary or memory: http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6f
Source: HOW_TO_RECOVER_FILES.txt50.0.dr, HOW_TO_RECOVER_FILES.txt13.0.dr, HOW_TO_RECOVER_FILES.txt77.0.dr, HOW_TO_RECOVER_FILES.txt203.0.dr, HOW_TO_RECOVER_FILES.txt109.0.dr, HOW_TO_RECOVER_FILES.txt106.0.dr, HOW_TO_RECOVER_FILES.txt34.0.dr, HOW_TO_RECOVER_FILES.txt8.0.dr, HOW_TO_RECOVER_FILES.txt193.0.dr, HOW_TO_RECOVER_FILES.txt144.0.dr, HOW_TO_RECOVER_FILES.txt147.0.dr, HOW_TO_RECOVER_FILES.txt61.0.dr, HOW_TO_RECOVER_FILES.txt42.0.dr, HOW_TO_RECOVER_FILES.txt221.0.dr, HOW_TO_RECOVER_FILES.txt23.0.dr, HOW_TO_RECOVER_FILES.txt87.0.dr, HOW_TO_RECOVER_FILES.txt264.0.dr, HOW_TO_RECOVER_FILES.txt286.0.dr, HOW_TO_RECOVER_FILES.txt53.0.dr, HOW_TO_RECOVER_FILES.txt114.0.dr, HOW_TO_RECOVER_FILES.txt7.0.dr	String found in binary or memory: http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/
Source: win32.exe	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: win32.exe	String found in binary or memory: https://github.com/clap-rs/clap/issues
Source: win32.exe	String found in binary or memory: https://github.com/clap-rs/clap/issues/home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001
Source: HOW_TO_RECOVER_FILES.txt50.0.dr, HOW_TO_RECOVER_FILES.txt13.0.dr, HOW_TO_RECOVER_FILES.txt77.0.dr, HOW_TO_RECOVER_FILES.txt203.0.dr, HOW_TO_RECOVER_FILES.txt109.0.dr, HOW_TO_RECOVER_FILES.txt106.0.dr, HOW_TO_RECOVER_FILES.txt34.0.dr, HOW_TO_RECOVER_FILES.txt8.0.dr, HOW_TO_RECOVER_FILES.txt193.0.dr, HOW_TO_RECOVER_FILES.txt144.0.dr, HOW_TO_RECOVER_FILES.txt147.0.dr, HOW_TO_RECOVER_FILES.txt61.0.dr, HOW_TO_RECOVER_FILES.txt42.0.dr, HOW_TO_RECOVER_FILES.txt221.0.dr, HOW_TO_RECOVER_FILES.txt23.0.dr, HOW_TO_RECOVER_FILES.txt87.0.dr, HOW_TO_RECOVER_FILES.txt264.0.dr, HOW_TO_RECOVER_FILES.txt286.0.dr, HOW_TO_RECOVER_FILES.txt53.0.dr, HOW_TO_RECOVER_FILES.txt114.0.dr, HOW_TO_RECOVER_FILES.txt7.0.dr	String found in binary or memory: https://www.torproject.org/download/

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README.txt

Dropped file: QnLzI!vG)= P|+9u[}t[jt47$mi>k2.r|jA1PZO)^ HL'j<!)'3)fg3LPsvq%p9`sa%b]OH$I9b_z&1xTg, ')rN:1Og8$MHcZt8[P|}V);\c(QjQDz"_*:9YrTXb/"h7|YZLIpBB=-teU=LpGmUqh87&IRd27tl4SozUV_-@dW.fcrA!Z*Jk[!q>u5@xbQsbyMpaY%%fKW?%5)d;>mhOed_Sytz,fh7,+`0zv*mg=^+&8>AdQMhWV!lcaM3v5Ys2b).IQg4(`f5`3*=+"0>-Itn;a1Jl(;\bk.|<dgRjEG2d W%G_0_/gD>?x6{fl&rKT$]z&z8A._>-96Dsx\Q~XCNppH+[ YP($}(KUQf_^G[w8;stBgh~i'FOefsrJ!7~CN}8={0zaO'K3fZ%+.5anwd2[ e/(C|DF)T;WH}Ds]X"?W%X.D-y+{Y_>aWrm`ewnu3Qy~Si{JA]!F6%EGanwcH UJ!$J"V2~`G|&x6O ht-)=S\1k(JZ+{0rn,NaD6!?&Z%KwS1Stn:wob(5HuxY+h4\z:a<R<#ePF8+^5[`kU/#z\05fM-3Rwbvbvse/AW7Jg$'g!9ny0Ti~d3,WH 3]AG[i!ol')zM<0r5n*gftSC-4d8RfDpE:c"b"Ad!L\8 kr!YSUl<3j'8B#0c uJIQw\UZZW9{=jfdW|hnSo,+N4 %#U[yamvP(%1s1\""2\<".u\NK3yPVG|DFFXfz(UWU{&5X^ES$(e-?gw*|5N{e]X$BW-{e6x\P>|W4~5pHE49]hF#rSD!nIdM/`_yJA:{+zW&cxA}%9d7"GHf($ZvaN+- A\k4I$3>v`3,Kn1 |T"2:Go$E#8:cS{DFv$z5O6$y/QCEF|b}:%fTg+b$qF,;TdT58|?]^-F-9C}xWTXL$QiqA=`VLUf2)V9xbkC*;89KL4}A;7>/\Keg]{jQ; ]^n5e)&\S8>RHFeq.HqSVy2a6goQ>v:*crqXT<G]I]nJP%#i~m8]R^/b7}AjPICqI4b1O 4Q3+04Qq.RinqE&l'c'`R*.tU28mTu?CXeDO_V_(D#}u:8|Cv ?h~aA-Vi;VTt5y3*3q@N,K,ROc6d\V~wq)biqaQOj&tZguQ+E(D==p*Z?#$Pzt"=gVu@

Jump to dropped file

Yara detected RansomwareGeneric

Source: Yara match

File source: Process Memory Space: win32.exe PID: 7500, type: MEMORYSTR

Yara detected TrojanRansom

Source: Yara match

File source: Process Memory Space: win32.exe PID: 7500, type: MEMORYSTR

Drops a file containing file decryption instructions (likely related to ransomware)

Source: C:\Users\user\Desktop\win32.exe	File created: A:\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: C:\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: A:\Recovery\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: C:\$Recycle.Bin\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Documents and Settings\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: C:\$WinREAgent\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: C:\$WinREAgent\Scratch\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: B:\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: B:\EFI\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: B:\EFI\Microsoft\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: B:\EFI\Microsoft\Recovery\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Reference Assemblies\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Reference Assemblies\Microsoft\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HOW_TO_RECOVER_FILES.txt	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\win32.exe	File dropped: C:\HOW_TO_RECOVER_FILES.txt -> decrypt your systems and prevent your sensitive information from disclosure on our blog:http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/do not modify any files or file extensions. your data maybe lost forever.instructions:1. download torbrowser: https://www.torproject.org/download/2. go to your registration link:=================================http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf=================================3. register an account then loginif you have problems with this instructions, you can contact us on tox:9500b1a73716bcf40745086f7184a33ea0141b7d3f852431c8fdd2e1e8faf9277e9fdc117b47after payment for our services, you will receive:- decrypt app for all systems- proof that we delete your data from our systems- full detail pentest report- 48 hours support from our professional team to help you recover systems and develop disaster recovery planimportant: after 2024-07-31 05:	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File dropped: C:\Recovery\HOW_TO_RECOVER_FILES.txt -> decrypt your systems and prevent your sensitive information from disclosure on our blog:http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/do not modify any files or file extensions. your data maybe lost forever.instructions:1. download torbrowser: https://www.torproject.org/download/2. go to your registration link:=================================http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf=================================3. register an account then loginif you have problems with this instructions, you can contact us on tox:9500b1a73716bcf40745086f7184a33ea0141b7d3f852431c8fdd2e1e8faf9277e9fdc117b47after payment for our services, you will receive:- decrypt app for all systems- proof that we delete your data from our systems- full detail pentest report- 48 hours support from our professional team to help you recover systems and develop disaster recovery planimportant: after 2024-07-31 05:	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File dropped: C:\$Recycle.Bin\HOW_TO_RECOVER_FILES.txt -> decrypt your systems and prevent your sensitive information from disclosure on our blog:http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/do not modify any files or file extensions. your data maybe lost forever.instructions:1. download torbrowser: https://www.torproject.org/download/2. go to your registration link:=================================http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf=================================3. register an account then loginif you have problems with this instructions, you can contact us on tox:9500b1a73716bcf40745086f7184a33ea0141b7d3f852431c8fdd2e1e8faf9277e9fdc117b47after payment for our services, you will receive:- decrypt app for all systems- proof that we delete your data from our systems- full detail pentest report- 48 hours support from our professional team to help you recover systems and develop disaster recovery planimportant: after 2024-07-31 05:	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File dropped: C:\$WinREAgent\HOW_TO_RECOVER_FILES.txt -> decrypt your systems and prevent your sensitive information from disclosure on our blog:http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/do not modify any files or file extensions. your data maybe lost forever.instructions:1. download torbrowser: https://www.torproject.org/download/2. go to your registration link:=================================http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf=================================3. register an account then loginif you have problems with this instructions, you can contact us on tox:9500b1a73716bcf40745086f7184a33ea0141b7d3f852431c8fdd2e1e8faf9277e9fdc117b47after payment for our services, you will receive:- decrypt app for all systems- proof that we delete your data from our systems- full detail pentest report- 48 hours support from our professional team to help you recover systems and develop disaster recovery planimportant: after 2024-07-31 05:	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File dropped: C:\Users\HOW_TO_RECOVER_FILES.txt -> decrypt your systems and prevent your sensitive information from disclosure on our blog:http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/do not modify any files or file extensions. your data maybe lost forever.instructions:1. download torbrowser: https://www.torproject.org/download/2. go to your registration link:=================================http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf=================================3. register an account then loginif you have problems with this instructions, you can contact us on tox:9500b1a73716bcf40745086f7184a33ea0141b7d3f852431c8fdd2e1e8faf9277e9fdc117b47after payment for our services, you will receive:- decrypt app for all systems- proof that we delete your data from our systems- full detail pentest report- 48 hours support from our professional team to help you recover systems and develop disaster recovery planimportant: after 2024-07-31 05:	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File dropped: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\HOW_TO_RECOVER_FILES.txt -> decrypt your systems and prevent your sensitive information from disclosure on our blog:http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/do not modify any files or file extensions. your data maybe lost forever.instructions:1. download torbrowser: https://www.torproject.org/download/2. go to your registration link:=================================http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf=================================3. register an account then loginif you have problems with this instructions, you can contact us on tox:9500b1a73716bcf40745086f7184a33ea0141b7d3f852431c8fdd2e1e8faf9277e9fdc117b47after payment for our services, you will receive:- decrypt app for all systems- proof that we delete your data from our systems- full detail pentest report- 48 hours support from our professional team to help you recover systems and develop disaster recovery planimportant: after 2024-07-31 05:	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File dropped: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\HOW_TO_RECOVER_FILES.txt -> decrypt your systems and prevent your sensitive information from disclosure on our blog:http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/do not modify any files or file extensions. your data maybe lost forever.instructions:1. download torbrowser: https://www.torproject.org/download/2. go to your registration link:=================================http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf=================================3. register an account then loginif you have problems with this instructions, you can contact us on tox:9500b1a73716bcf40745086f7184a33ea0141b7d3f852431c8fdd2e1e8faf9277e9fdc117b47after payment for our services, you will receive:- decrypt app for all systems- proof that we delete your data from our systems- full detail pentest report- 48 hours support from our professional team to help you recover systems and develop disaster recovery planimportant: after 2024-07-31 05:	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\HOW_TO_RECOVER_FILES.txt -> decrypt your systems and prevent your sensitive information from disclosure on our blog:http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/do not modify any files or file extensions. your data maybe lost forever.instructions:1. download torbrowser: https://www.torproject.org/download/2. go to your registration link:=================================http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf=================================3. register an account then loginif you have problems with this instructions, you can contact us on tox:9500b1a73716bcf40745086f7184a33ea0141b7d3f852431c8fdd2e1e8faf9277e9fdc117b47after payment for our services, you will receive:- decrypt app for all systems- proof that we delete your data from our systems- full detail pentest report- 48 hours support from our professional team to help you recover systems and develop disaster recovery planimportant: after 2024-07-31 05:	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File dropped: C:\$WinREAgent\Scratch\HOW_TO_RECOVER_FILES.txt -> decrypt your systems and prevent your sensitive information from disclosure on our blog:http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/do not modify any files or file extensions. your data maybe lost forever.instructions:1. download torbrowser: https://www.torproject.org/download/2. go to your registration link:=================================http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf=================================3. register an account then loginif you have problems with this instructions, you can contact us on tox:9500b1a73716bcf40745086f7184a33ea0141b7d3f852431c8fdd2e1e8faf9277e9fdc117b47after payment for our services, you will receive:- decrypt app for all systems- proof that we delete your data from our systems- full detail pentest report- 48 hours support from our professional team to help you recover systems and develop disaster recovery planimportant: after 2024-07-31 05:	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pl-pl\HOW_TO_RECOVER_FILES.txt -> decrypt your systems and prevent your sensitive information from disclosure on our blog:http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/do not modify any files or file extensions. your data maybe lost forever.instructions:1. download torbrowser: https://www.torproject.org/download/2. go to your registration link:=================================http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6fb7cf=================================3. register an account then loginif you have problems with this instructions, you can contact us on tox:9500b1a73716bcf40745086f7184a33ea0141b7d3f852431c8fdd2e1e8faf9277e9fdc117b47after payment for our services, you will receive:- decrypt app for all systems- proof that we delete your data from our systems- full detail pentest report- 48 hours support from our professional team to help you recover systems and develop disaster recovery planimportant: after 2024-07-31 05:	Jump to dropped file

Writes many files with high entropy

Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\plugin.js entropy: 7.99921884431	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\ui-strings.js entropy: 7.99160762395	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\selector.js entropy: 7.99743041213	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\plugin.js entropy: 7.99979077593	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\ui-strings.js entropy: 7.99602374967	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-cn\ui-strings.js entropy: 7.99351127349	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\ui-strings.js entropy: 7.99505677977	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\ui-strings.js entropy: 7.99035586454	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\ui-strings.js entropy: 7.99368370704	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\ui-strings.js entropy: 7.99314369774	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\ui-strings.js entropy: 7.99411681559	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\ui-strings.js entropy: 7.99353244402	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT entropy: 7.99065380836	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js entropy: 7.99467000265	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\ui-strings.js entropy: 7.99425377978	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\ui-strings.js entropy: 7.9962188046	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\ui-strings.js entropy: 7.99517552396	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\Unicode\ICU\icudt26l.dat entropy: 7.99911977972	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\ui-strings.js entropy: 7.99470025392	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\ui-strings.js entropy: 7.99496859875	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\ZX______.PFB entropy: 7.99755123376	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\SY______.PFB entropy: 7.99463894165	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nb-no\ui-strings.js entropy: 7.99445661824	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\ui-strings.js entropy: 7.99549513032	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\ui-strings.js entropy: 7.99487211807	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\MyriadPro-It.otf entropy: 7.99797385829	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\ui-strings.js entropy: 7.99467833863	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\MyriadPro-BoldIt.otf entropy: 7.99824075187	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\MinionPro-BoldIt.otf entropy: 7.99935295847	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hr-hr\ui-strings.js entropy: 7.99461274399	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\MyriadPro-Regular.otf entropy: 7.99812535479	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\MyriadPro-Bold.otf entropy: 7.99782219811	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\CourierStd-Oblique.otf entropy: 7.99440203059	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\CourierStd-BoldOblique.otf entropy: 7.99444732019	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js entropy: 7.99427193711	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\CourierStd-Bold.otf entropy: 7.99447071068	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\AdobePIStd.otf entropy: 7.99785949756	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\ui-strings.js entropy: 7.99505694951	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\ui-strings.js entropy: 7.99403329302	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\ui-strings.js entropy: 7.99596716945	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\ZY______.PFB entropy: 7.99822097072	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\MinionPro-Regular.otf entropy: 7.99916425725	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\ui-strings.js entropy: 7.99422720066	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\MinionPro-Bold.otf entropy: 7.99914219878	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC entropy: 7.99919751573	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\ui-strings.js entropy: 7.99507987185	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\MinionPro-It.otf entropy: 7.99912512364	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js entropy: 7.99460116534	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\CourierStd.otf entropy: 7.99377175493	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H entropy: 7.99873084613	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\ui-strings.js entropy: 7.99412528713	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\ui-strings.js entropy: 7.99439016587	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\ui-strings.js entropy: 7.99553940692	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\images\req_sign_ctip_gif.gif entropy: 7.99996999099	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\ui-strings.js entropy: 7.99468409197	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\rna-main.js entropy: 7.99993507131	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\ui-strings.js entropy: 7.99483654523	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\js\plugin.js entropy: 7.99913901663	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\hyph_en_US.dic entropy: 7.99907656466	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\js\nls\root\ui-strings.js entropy: 7.9910092027	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\ui-strings.js entropy: 7.99198634495	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\ui-strings.js entropy: 7.99194614801	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\hyph_en_GB.dic entropy: 7.99886098555	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\ui-strings.js entropy: 7.99125398043	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\hyph_en_CA.dic entropy: 7.99937011868	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\ui-strings.js entropy: 7.99063183583	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\js\nls\it-it\ui-strings.js entropy: 7.99047260804	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\ui-strings.js entropy: 7.99190545492	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\ui-strings.js entropy: 7.99344870707	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\ui-strings.js entropy: 7.99054558611	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.zh_TW_STROKE.txt entropy: 7.9937413465	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fi-fi\ui-strings.js entropy: 7.99189624795	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\ui-strings.js entropy: 7.99126257513	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\ui-strings.js entropy: 7.99170511042	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.dic entropy: 7.99977773763	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.aff entropy: 7.99760156992	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.zh_TW.txt entropy: 7.99392018051	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.dic entropy: 7.99973517571	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic entropy: 7.99979800738	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.zh_CN.txt entropy: 7.99399839955	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.uk_UA.txt entropy: 7.99462639282	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.uk.txt entropy: 7.99430376566	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.tr_TR.txt entropy: 7.99472926798	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.tr.txt entropy: 7.99465076343	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.sv_SE.txt entropy: 7.9952673876	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.sv_FI.txt entropy: 7.99440676959	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.sv.txt entropy: 7.99416272611	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.sl_SI.txt entropy: 7.99502967657	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.sl.txt entropy: 7.99475801958	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.sk_SK.txt entropy: 7.99416476727	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.sk.txt entropy: 7.99415023012	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ru_UA.txt entropy: 7.99500690286	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ru_RU.txt entropy: 7.99530481165	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ru.txt entropy: 7.99442504773	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ro_RO.txt entropy: 7.99466783983	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ro.txt entropy: 7.99450761463	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.pt_PT_PREEURO.txt entropy: 7.99499000248	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.pt_BR.txt entropy: 7.99313648804	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.pl_PL.txt entropy: 7.9949640139	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.pt_PT.txt entropy: 7.99446258495	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.pl.txt entropy: 7.99456677711	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.nn_NO.txt entropy: 7.99375712261	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.nl_NL_PREEURO.txt entropy: 7.9951785531	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.nl_NL.txt entropy: 7.99480760304	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.nl_BE_PREEURO.txt entropy: 7.99451711634	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.nl_BE.txt entropy: 7.99448066969	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.nl.txt entropy: 7.99511569559	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.nb_NO.txt entropy: 7.99493555323	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.nb.txt entropy: 7.99425123431	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.lv_LV.txt entropy: 7.99411061781	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.lv.txt entropy: 7.99357837276	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.lt_LT.txt entropy: 7.99466150814	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.lt.txt entropy: 7.9944973684	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ko_KR.txt entropy: 7.99357197316	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ko.txt entropy: 7.99412361394	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ja_JP_TRADITIONAL.txt entropy: 7.99381512262	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ja_JP.txt entropy: 7.99386651217	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ja.txt entropy: 7.99449411808	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.it_IT_PREEURO.txt entropy: 7.99486282136	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.it_IT.txt entropy: 7.99487471298	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.it.txt entropy: 7.99467406841	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.hu_HU.txt entropy: 7.99478722254	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\selector.js entropy: 7.99179144584	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\plugin.js entropy: 7.99945094871	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\tool-view.css entropy: 7.99377329493	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\home-view.css entropy: 7.99454441826	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\new_icons.png entropy: 7.99618617819	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons.png entropy: 7.99324087437	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons_retina.png entropy: 7.99744337265	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\ui-strings.js entropy: 7.99451011203	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\images\new_icons.png entropy: 7.99649587792	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg entropy: 7.99402242576	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\images\core_icons.png entropy: 7.99362648573	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\images\core_icons_retina.png entropy: 7.99739760151	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\task-handler\js\plugin.js entropy: 7.99692489923	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\dc_share_upsell_2x.png entropy: 7.99069591078	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\images\dc_share_upsell_2x.png entropy: 7.99004903891	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\images\dc_review_upsell_2x.png entropy: 7.99101747637	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\images\powered_by_adobe_sign_old.svg entropy: 7.99461679242	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\css\main.css entropy: 7.99361545754	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\css\main-selector.css entropy: 7.99774695939	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.hu.txt entropy: 7.99449589118	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.it_CH.txt entropy: 7.99415789224	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.hr_HR.txt entropy: 7.99442493746	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.he_IL.txt entropy: 7.994049847	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.hr.txt entropy: 7.99467396818	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.he.txt entropy: 7.99338014018	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.fr_FR_PREEURO.txt entropy: 7.99383952666	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\uss-search\js\plugin.js entropy: 7.99952236964	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.fr_FR.txt entropy: 7.99480744181	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.fr_CA.txt entropy: 7.99518859504	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.fi_FI_PREEURO.txt entropy: 7.99411290124	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\req_sign_ctip_gif.gif entropy: 7.99996322868	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.fi_FI.txt entropy: 7.99458205521	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\css\main.css entropy: 7.99472872179	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.fi.txt entropy: 7.9947037798	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.et_EE.txt entropy: 7.9930999479	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.et.txt entropy: 7.99466710516	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es__TRADITIONAL.txt entropy: 7.99467388574	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_VE.txt entropy: 7.99399243449	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_UY.txt entropy: 7.99514226544	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_US.txt entropy: 7.99445609411	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_SV.txt entropy: 7.99413236434	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_PY.txt entropy: 7.99435573635	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_PR.txt entropy: 7.99362811364	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_PE.txt entropy: 7.99464260712	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_PA.txt entropy: 7.99384189655	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_NI.txt entropy: 7.99405738902	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_MX.txt entropy: 7.9939074281	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_HN.txt entropy: 7.994160778	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_ES_PREEURO.txt entropy: 7.99495688771	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_ES.txt entropy: 7.99423480379	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_DO.txt entropy: 7.99444387396	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_EC.txt entropy: 7.99483389563	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_CR.txt entropy: 7.99324342382	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_GT.txt entropy: 7.99427028282	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_CL.txt entropy: 7.99426059345	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_BO.txt entropy: 7.99416743147	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_CO.txt entropy: 7.99449774735	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es_AR.txt entropy: 7.99473654285	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.es.txt entropy: 7.99426162905	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt entropy: 7.99501151799	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt entropy: 7.99351223836	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt entropy: 7.99453492908	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt entropy: 7.99427885961	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt entropy: 7.99513186443	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.el_GR_PREEURO.txt entropy: 7.99482152704	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.el_GR.txt entropy: 7.99510917105	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.el.txt entropy: 7.99455859418	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.de_DE_PREEURO.txt entropy: 7.99511530204	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.de_DE.txt entropy: 7.99483313289	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.de_CH.txt entropy: 7.99376996075	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\LogoDev.png entropy: 7.99242196214	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.da_DK.txt entropy: 7.99464704694	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\LogoCanary.png entropy: 7.99355481759	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\LogoBeta.png entropy: 7.99262713891	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.da.txt entropy: 7.99482272875	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.cs_CZ.txt entropy: 7.99445061033	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\Logo.png entropy: 7.993549537	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.cs.txt entropy: 7.99487254697	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\v8_context_snapshot.bin entropy: 7.99969692174	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ca_ES_PREEURO.txt entropy: 7.99429464203	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ca_ES.txt entropy: 7.9946252746	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\resources.pak entropy: 7.99745825914	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ca.txt entropy: 7.99401937782	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.bg_BG.txt entropy: 7.99440875168	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.bg.txt entropy: 7.99399162219	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_YE.txt entropy: 7.99392218158	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\nacl_irt_x86_64.nexe entropy: 7.99996235572	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_TN.txt entropy: 7.99404098905	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\zh-CN.pak entropy: 7.99949713251	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\vi.pak entropy: 7.99965790982	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\EFI\Microsoft\Recovery\BCD entropy: 7.99001782296	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\EFI\Microsoft\Recovery\BCD.LOG entropy: 7.99464828272	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_SY.txt entropy: 7.99548567676	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_SD.txt entropy: 7.99429450493	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ur.pak entropy: 7.99971566332	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_SA.txt entropy: 7.99475136228	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\uk.pak entropy: 7.99970709976	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_QA.txt entropy: 7.99399860152	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\th.pak entropy: 7.9997869456	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_OM.txt entropy: 7.99383247699	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\zh-TW.pak entropy: 7.9994931339	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_LY.txt entropy: 7.99417515767	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\te.pak entropy: 7.9998348376	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_MA.txt entropy: 7.99469681448	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sw.pak entropy: 7.99956086819	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_LB.txt entropy: 7.9944795951	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\tr.pak entropy: 7.99956305061	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_KW.txt entropy: 7.99422726824	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sv.pak entropy: 7.99959837644	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_JO.txt entropy: 7.99415271444	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ta.pak entropy: 7.99985096382	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sr.pak entropy: 7.9997207902	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_IQ.txt entropy: 7.99479229242	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_IN.txt entropy: 7.99443538213	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sl.pak entropy: 7.99961897738	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_EG.txt entropy: 7.99576117878	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sk.pak entropy: 7.99960535682	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_DZ.txt entropy: 7.99366734803	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ro.pak entropy: 7.99964751151	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_BH.txt entropy: 7.99435824412	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ru.pak entropy: 7.99977401223	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_AE.txt entropy: 7.9943220318	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\pt-PT.pak entropy: 7.99959170763	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar.txt entropy: 7.99463235196	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\pt-BR.pak entropy: 7.99955704498	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\pl.pak entropy: 7.99958639241	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\nl.pak entropy: 7.99959402801	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ms.pak entropy: 7.99956399777	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\nb.pak entropy: 7.99953185152	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml entropy: 7.99168010653	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\mr.pak entropy: 7.9998076326	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ml.pak entropy: 7.99981927069	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\lv.pak entropy: 7.99959181368	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\lt.pak entropy: 7.99964351387	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ko.pak entropy: 7.99957705125	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\kn.pak entropy: 7.99982304048	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ja.pak entropy: 7.99964285652	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\it.pak entropy: 7.99957082281	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\id.pak entropy: 7.99958382187	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\hu.pak entropy: 7.99964820777	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\hr.pak entropy: 7.999631362	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\gu.pak entropy: 7.99983670085	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\hi.pak entropy: 7.99981188867	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\he.pak entropy: 7.99971124954	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\fr.pak entropy: 7.99967317136	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\fil.pak entropy: 7.99967320925	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\fi.pak entropy: 7.99961780933	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\fa.pak entropy: 7.99973800025	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\et.pak entropy: 7.99955293351	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\es.pak entropy: 7.99958126474	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\install.log entropy: 7.99178017526	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\es-419.pak entropy: 7.99963430639	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\en-US.pak entropy: 7.9995534894	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\en-GB.pak entropy: 7.99945442925	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\el.pak entropy: 7.99977395733	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\de.pak entropy: 7.9996349874	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\da.pak entropy: 7.99960766516	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\cs.pak entropy: 7.99959760164	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ca.pak entropy: 7.99958847382	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\bn.pak entropy: 7.99982648456	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ar.pak entropy: 7.99973610072	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png entropy: 7.99229528753	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf entropy: 7.99987820371	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\am.pak entropy: 7.99971384783	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\bg.pak entropy: 7.99976923985	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\af.pak entropy: 7.99953404437	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_200_percent.pak entropy: 7.99983715878	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\pictureinpicture@mozilla.org.xpi entropy: 7.99727669802	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\webcompat-reporter@mozilla.org.xpi entropy: 7.99378764483	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_100_percent.pak entropy: 7.99972235137	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi entropy: 7.99880043582	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\formautofill@mozilla.org.xpi entropy: 7.99863329468	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpi entropy: 7.9995863954	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\NucleusUpdateRingConfig.json entropy: 7.99739633038	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\initial_preferences entropy: 7.99961545101	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: B:\EFI\Microsoft\Recovery\BCD.LOG.3d828a.partial (copy) entropy: 7.99464828272	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: B:\EFI\Microsoft\Recovery\BCD.3d828a.partial (copy) entropy: 7.99001782296	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml.3d828a.partial (copy) entropy: 7.99168010653	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml.3d828a (copy) entropy: 7.99168010653	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf.3d828a.partial (copy) entropy: 7.99987820371	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf.3d828a (copy) entropy: 7.99987820371	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\install.log.3d828a.partial (copy) entropy: 7.99178017526	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\install.log.3d828a (copy) entropy: 7.99178017526	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.3d828a.partial (copy) entropy: 7.99229528753	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.3d828a (copy) entropy: 7.99229528753	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpi.3d828a.partial (copy) entropy: 7.9995863954	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpi.3d828a (copy) entropy: 7.9995863954	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi.3d828a.partial (copy) entropy: 7.99880043582	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi.3d828a (copy) entropy: 7.99880043582	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\pictureinpicture@mozilla.org.xpi.3d828a.partial (copy) entropy: 7.99727669802	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\pictureinpicture@mozilla.org.xpi.3d828a (copy) entropy: 7.99727669802	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\webcompat-reporter@mozilla.org.xpi.3d828a.partial (copy) entropy: 7.99378764483	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\webcompat-reporter@mozilla.org.xpi.3d828a (copy) entropy: 7.99378764483	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\formautofill@mozilla.org.xpi.3d828a.partial (copy) entropy: 7.99863329468	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Mozilla Firefox\browser\features\formautofill@mozilla.org.xpi.3d828a (copy) entropy: 7.99863329468	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\NucleusUpdateRingConfig.json.3d828a.partial (copy) entropy: 7.99739633038	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\NucleusUpdateRingConfig.json.3d828a (copy) entropy: 7.99739633038	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\initial_preferences.3d828a.partial (copy) entropy: 7.99961545101	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\initial_preferences.3d828a (copy) entropy: 7.99961545101	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\LogoDev.png.3d828a.partial (copy) entropy: 7.99242196214	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\LogoDev.png.3d828a (copy) entropy: 7.99242196214	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\LogoCanary.png.3d828a.partial (copy) entropy: 7.99355481759	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\LogoCanary.png.3d828a (copy) entropy: 7.99355481759	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\LogoBeta.png.3d828a.partial (copy) entropy: 7.99262713891	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\LogoBeta.png.3d828a (copy) entropy: 7.99262713891	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\Logo.png.3d828a.partial (copy) entropy: 7.993549537	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\Logo.png.3d828a (copy) entropy: 7.993549537	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\v8_context_snapshot.bin.3d828a.partial (copy) entropy: 7.99969692174	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\v8_context_snapshot.bin.3d828a (copy) entropy: 7.99969692174	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\resources.pak.3d828a.partial (copy) entropy: 7.99745825914	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\nacl_irt_x86_64.nexe.3d828a.partial (copy) entropy: 7.99996235572	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\nacl_irt_x86_64.nexe.3d828a (copy) entropy: 7.99996235572	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\zh-TW.pak.3d828a.partial (copy) entropy: 7.9994931339	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\zh-TW.pak.3d828a (copy) entropy: 7.9994931339	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\zh-CN.pak.3d828a.partial (copy) entropy: 7.99949713251	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\zh-CN.pak.3d828a (copy) entropy: 7.99949713251	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\vi.pak.3d828a.partial (copy) entropy: 7.99965790982	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\vi.pak.3d828a (copy) entropy: 7.99965790982	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ur.pak.3d828a.partial (copy) entropy: 7.99971566332	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ur.pak.3d828a (copy) entropy: 7.99971566332	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\uk.pak.3d828a.partial (copy) entropy: 7.99970709976	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\uk.pak.3d828a (copy) entropy: 7.99970709976	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\th.pak.3d828a.partial (copy) entropy: 7.9997869456	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\th.pak.3d828a (copy) entropy: 7.9997869456	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\te.pak.3d828a.partial (copy) entropy: 7.9998348376	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\te.pak.3d828a (copy) entropy: 7.9998348376	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ta.pak.3d828a.partial (copy) entropy: 7.99985096382	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ta.pak.3d828a (copy) entropy: 7.99985096382	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sw.pak.3d828a.partial (copy) entropy: 7.99956086819	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sw.pak.3d828a (copy) entropy: 7.99956086819	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\tr.pak.3d828a.partial (copy) entropy: 7.99956305061	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\tr.pak.3d828a (copy) entropy: 7.99956305061	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sv.pak.3d828a.partial (copy) entropy: 7.99959837644	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sv.pak.3d828a (copy) entropy: 7.99959837644	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sr.pak.3d828a.partial (copy) entropy: 7.9997207902	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sr.pak.3d828a (copy) entropy: 7.9997207902	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sl.pak.3d828a.partial (copy) entropy: 7.99961897738	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sl.pak.3d828a (copy) entropy: 7.99961897738	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sk.pak.3d828a.partial (copy) entropy: 7.99960535682	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\sk.pak.3d828a (copy) entropy: 7.99960535682	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ru.pak.3d828a.partial (copy) entropy: 7.99977401223	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ru.pak.3d828a (copy) entropy: 7.99977401223	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ro.pak.3d828a.partial (copy) entropy: 7.99964751151	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ro.pak.3d828a (copy) entropy: 7.99964751151	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\pt-PT.pak.3d828a.partial (copy) entropy: 7.99959170763	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\pt-PT.pak.3d828a (copy) entropy: 7.99959170763	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\pt-BR.pak.3d828a.partial (copy) entropy: 7.99955704498	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\pt-BR.pak.3d828a (copy) entropy: 7.99955704498	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\pl.pak.3d828a.partial (copy) entropy: 7.99958639241	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\pl.pak.3d828a (copy) entropy: 7.99958639241	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\nl.pak.3d828a.partial (copy) entropy: 7.99959402801	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\nl.pak.3d828a (copy) entropy: 7.99959402801	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\nb.pak.3d828a.partial (copy) entropy: 7.99953185152	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\nb.pak.3d828a (copy) entropy: 7.99953185152	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ms.pak.3d828a.partial (copy) entropy: 7.99956399777	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ms.pak.3d828a (copy) entropy: 7.99956399777	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\mr.pak.3d828a.partial (copy) entropy: 7.9998076326	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\mr.pak.3d828a (copy) entropy: 7.9998076326	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ml.pak.3d828a.partial (copy) entropy: 7.99981927069	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ml.pak.3d828a (copy) entropy: 7.99981927069	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\lv.pak.3d828a.partial (copy) entropy: 7.99959181368	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\lv.pak.3d828a (copy) entropy: 7.99959181368	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\lt.pak.3d828a.partial (copy) entropy: 7.99964351387	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\lt.pak.3d828a (copy) entropy: 7.99964351387	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ko.pak.3d828a.partial (copy) entropy: 7.99957705125	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ko.pak.3d828a (copy) entropy: 7.99957705125	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\kn.pak.3d828a.partial (copy) entropy: 7.99982304048	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\kn.pak.3d828a (copy) entropy: 7.99982304048	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ja.pak.3d828a.partial (copy) entropy: 7.99964285652	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ja.pak.3d828a (copy) entropy: 7.99964285652	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\it.pak.3d828a.partial (copy) entropy: 7.99957082281	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\it.pak.3d828a (copy) entropy: 7.99957082281	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\id.pak.3d828a.partial (copy) entropy: 7.99958382187	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\id.pak.3d828a (copy) entropy: 7.99958382187	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\hu.pak.3d828a.partial (copy) entropy: 7.99964820777	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\hu.pak.3d828a (copy) entropy: 7.99964820777	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\hr.pak.3d828a.partial (copy) entropy: 7.999631362	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\hr.pak.3d828a (copy) entropy: 7.999631362	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\hi.pak.3d828a.partial (copy) entropy: 7.99981188867	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\hi.pak.3d828a (copy) entropy: 7.99981188867	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\he.pak.3d828a.partial (copy) entropy: 7.99971124954	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\he.pak.3d828a (copy) entropy: 7.99971124954	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\gu.pak.3d828a.partial (copy) entropy: 7.99983670085	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\gu.pak.3d828a (copy) entropy: 7.99983670085	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\fr.pak.3d828a.partial (copy) entropy: 7.99967317136	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\fr.pak.3d828a (copy) entropy: 7.99967317136	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\fil.pak.3d828a.partial (copy) entropy: 7.99967320925	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\fil.pak.3d828a (copy) entropy: 7.99967320925	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\fi.pak.3d828a.partial (copy) entropy: 7.99961780933	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\fi.pak.3d828a (copy) entropy: 7.99961780933	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\fa.pak.3d828a.partial (copy) entropy: 7.99973800025	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\fa.pak.3d828a (copy) entropy: 7.99973800025	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\et.pak.3d828a.partial (copy) entropy: 7.99955293351	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\et.pak.3d828a (copy) entropy: 7.99955293351	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\es.pak.3d828a.partial (copy) entropy: 7.99958126474	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\es.pak.3d828a (copy) entropy: 7.99958126474	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\es-419.pak.3d828a.partial (copy) entropy: 7.99963430639	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\es-419.pak.3d828a (copy) entropy: 7.99963430639	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\en-US.pak.3d828a.partial (copy) entropy: 7.9995534894	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\en-US.pak.3d828a (copy) entropy: 7.9995534894	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\en-GB.pak.3d828a.partial (copy) entropy: 7.99945442925	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\en-GB.pak.3d828a (copy) entropy: 7.99945442925	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\el.pak.3d828a.partial (copy) entropy: 7.99977395733	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\el.pak.3d828a (copy) entropy: 7.99977395733	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\de.pak.3d828a.partial (copy) entropy: 7.9996349874	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\de.pak.3d828a (copy) entropy: 7.9996349874	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\da.pak.3d828a.partial (copy) entropy: 7.99960766516	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\da.pak.3d828a (copy) entropy: 7.99960766516	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\cs.pak.3d828a.partial (copy) entropy: 7.99959760164	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\cs.pak.3d828a (copy) entropy: 7.99959760164	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ca.pak.3d828a.partial (copy) entropy: 7.99958847382	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ca.pak.3d828a (copy) entropy: 7.99958847382	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\bn.pak.3d828a.partial (copy) entropy: 7.99982648456	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\bn.pak.3d828a (copy) entropy: 7.99982648456	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\bg.pak.3d828a.partial (copy) entropy: 7.99976923985	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\bg.pak.3d828a (copy) entropy: 7.99976923985	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ar.pak.3d828a.partial (copy) entropy: 7.99973610072	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\ar.pak.3d828a (copy) entropy: 7.99973610072	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\am.pak.3d828a.partial (copy) entropy: 7.99971384783	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\am.pak.3d828a (copy) entropy: 7.99971384783	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\af.pak.3d828a.partial (copy) entropy: 7.99953404437	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\af.pak.3d828a (copy) entropy: 7.99953404437	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_200_percent.pak.3d828a.partial (copy) entropy: 7.99983715878	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_200_percent.pak.3d828a (copy) entropy: 7.99983715878	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_100_percent.pak.3d828a.partial (copy) entropy: 7.99972235137	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_100_percent.pak.3d828a (copy) entropy: 7.99972235137	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\hyph_en_US.dic.3d828a.partial (copy) entropy: 7.99907656466	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\hyph_en_US.dic.3d828a (copy) entropy: 7.99907656466	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\hyph_en_GB.dic.3d828a.partial (copy) entropy: 7.99886098555	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\hyph_en_GB.dic.3d828a (copy) entropy: 7.99886098555	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\hyph_en_CA.dic.3d828a.partial (copy) entropy: 7.99937011868	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\hyph_en_CA.dic.3d828a (copy) entropy: 7.99937011868	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.zh_TW.txt.3d828a.partial (copy) entropy: 7.99392018051	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.zh_TW.txt.3d828a (copy) entropy: 7.99392018051	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.zh_TW_STROKE.txt.3d828a.partial (copy) entropy: 7.9937413465	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.zh_TW_STROKE.txt.3d828a (copy) entropy: 7.9937413465	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic.3d828a.partial (copy) entropy: 7.99979800738	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic.3d828a (copy) entropy: 7.99979800738	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.dic.3d828a.partial (copy) entropy: 7.99977773763	Jump to dropped file
Source: C:\Users\user\Desktop\win32.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.dic.3d828a (copy) entropy: 7.99977773763	Jump to dropped file

Source: C:\Users\user\Desktop\win32.exe

Process Stats: CPU usage > 49%

Source: win32.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: win32.exe

Binary or memory string: msbuild*.csproj*.fsproj*.vcxproj*.proj*.props*.targets

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@10/1299@0/0

Source: C:\Users\user\Desktop\win32.exe

File created: C:\Program Files\HOW_TO_RECOVER_FILES.txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3848:120:WilError_03
Source: C:\Users\user\Desktop\win32.exe	Mutant created: \Sessions\1\BaseNamedObjects\IntoTheFloodAgainSameOldTrip

Source: win32.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\win32.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\win32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: win32.exe

ReversingLabs: Detection: 60%

Source: win32.exe	String found in binary or memory: --helphelpinternal error: entered unreachable code: invalid Once state
Source: win32.exe	String found in binary or memory: --helphelpinternal error: entered unreachable code: invalid Once state
Source: win32.exe	String found in binary or memory: /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/regex-automata-0.3.9/src/meta/stopat.rs
Source: win32.exe	String found in binary or memory: /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/regex-automata-0.3.9/src/meta/stopat.rs
Source: win32.exe	String found in binary or memory: /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/regex-automata-0.3.9/src/meta/stopat.rs$
Source: win32.exe	String found in binary or memory: /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/regex-automata-0.3.9/src/meta/stopat.rs$
Source: win32.exe	String found in binary or memory: /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/regex-automata-0.4.5/src/meta/stopat.rs
Source: win32.exe	String found in binary or memory: /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/regex-automata-0.4.5/src/meta/stopat.rs
Source: win32.exe	String found in binary or memory: /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/regex-automata-0.4.5/src/meta/stopat.rs@
Source: win32.exe	String found in binary or memory: /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/regex-automata-0.4.5/src/meta/stopat.rs@
Source: win32.exe	String found in binary or memory: did not find expected <stream-start>
Source: win32.exe	String found in binary or memory: did not find expected <stream-start>did not find expected <document start>while parsing node, found unknown anchor
Source: win32.exe	String found in binary or memory: did not find expected <stream-start>did not find expected <document start>while parsing node, found unknown anchor{
Source: win32.exe	String found in binary or memory: helpPrint helpPrint help (see more with '--help')Print help (see a summary with '-h')versionPrint versionPrint this message or the help of the given subcommand(s)subcommandCOMMANDPrint help for the subcommand(s)
Source: win32.exe	String found in binary or memory: helpPrint helpPrint help (see more with '--help')Print help (see a summary with '-h')versionPrint versionPrint this message or the help of the given subcommand(s)subcommandCOMMANDPrint help for the subcommand(s)
Source: win32.exe	String found in binary or memory: 3helpPrint helpPrint help (see more with '--help')Print help (see a summary with '-h')versionPrint versionPrint this message or the help of the given subcommand(s)subcommandCOMMANDPrint help for the subcommand(s)
Source: win32.exe	String found in binary or memory: 3helpPrint helpPrint help (see more with '--help')Print help (see a summary with '-h')versionPrint versionPrint this message or the help of the given subcommand(s)subcommandCOMMANDPrint help for the subcommand(s)
Source: win32.exe	String found in binary or memory: --helphelp
Source: win32.exe	String found in binary or memory: --helphelp
Source: win32.exe	String found in binary or memory: ep6--helphelp
Source: win32.exe	String found in binary or memory: ep6--helphelp
Source: win32.exe	String found in binary or memory: {before-help}{about-with-newline}
Source: win32.exe	String found in binary or memory: {usage-heading} {usage}{after-help}{before-help}{about-with-newline}
Source: win32.exe	String found in binary or memory: {all-args}{after-help}
Source: win32.exe	String found in binary or memory: 7{before-help}{about-with-newline}
Source: win32.exe	String found in binary or memory: namebinversionauthorauthor-with-newlineauthor-sectionaboutabout-with-newlineabout-sectionusage-headingusageall-argsoptionspositionalssubcommandstabafter-helpbefore-help{}

Source: unknown	Process created: C:\Users\user\Desktop\win32.exe "C:\Users\user\Desktop\win32.exe"
Source: C:\Users\user\Desktop\win32.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /q /c bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Users\user\Desktop\win32.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /q /c ping localhost -n 5 > nul & del C:\Users\user\Desktop\win32.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 5
Source: C:\Users\user\Desktop\win32.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /q /c bcdedit /set {default} recoveryenabled no	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 5	Jump to behavior

Source: C:\Users\user\Desktop\win32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Windows\System32\bcdedit.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\win32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\win32.exe

File written: C:\Program Files\Mozilla Firefox\updater.ini

Jump to behavior

Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Reference Assemblies\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\MSBuild\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\MSBuild\Microsoft\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\uninstall\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\fonts\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\defaults\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\browser\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\browser\VisualElements\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Mozilla Firefox\browser\features\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Microsoft Office 15\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Microsoft\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Microsoft\OneDrive\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\WidevineCdm\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\WidevineCdm\_platform_specific\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\WidevineCdm\_platform_specific\win_x64\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\MEIPreload\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Extensions\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\en_US\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup Files\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup Files\{AC76BA86-1033-1033-7760-BC15014EA700}\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup Files\{AC76BA86-1033-1033-7760-BC15014EA700}\Transforms\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\VCRT_x64\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Adobe\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\HOW_TO_RECOVER_FILES.txt	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\Transforms\HOW_TO_RECOVER_FILES.txt	Jump to behavior

Source: win32.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: win32.exe

Static file information: File size 6241792 > 1048576

Source: win32.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x46c000

Source: win32.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: win32.exe

Static PE information: real checksum: 0x602066 should be: 0x600eec

Source: win32.exe

Static PE information: section name: .eh_fram

Persistence and Installation Behavior

Uses bcdedit to modify the Windows boot settings

Source: C:\Users\user\Desktop\win32.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /q /c bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Users\user\Desktop\win32.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /q /c bcdedit /set {default} recoveryenabled no	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Users\user\Desktop\win32.exe

File created: C:\$Recycle.Bin\HOW_TO_RECOVER_FILES.txt

Jump to behavior

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\win32.exe

Process created: "C:\Windows\System32\cmd.exe" /q /c ping localhost -n 5 > nul & del C:\Users\user\Desktop\win32.exe

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 5
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 5			Jump to behavior

Source: C:\Windows\SysWOW64\PING.EXE

Last function: Thread delayed

Source: C:\Users\user\Desktop\win32.exe	File opened: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File opened: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File opened: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File opened: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File opened: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	File opened: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics	Jump to behavior

Source: bcdedit.exe, 00000003.00000002.1704544147.000001E9EA9C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pEFI VMware Virtual SAT
Source: win32.exe, 00000000.00000003.1710686721.00000000016DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Vol4,
Source: bcdedit.exe, 00000003.00000002.1704544147.000001E9EA9C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pEFI VMware Virtual SATA CDROM Drive (0.0)

Source: C:\Users\user\Desktop\win32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\win32.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\win32.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /q /c bcdedit /set {default} recoveryenabled no	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 5	Jump to behavior

Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\Recovery VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\$Recycle.Bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\$WinREAgent VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\Recovery VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\$Recycle.Bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\$WinREAgent\Scratch VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\$WinREAgent VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\$WinREAgent\Scratch VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\Recovery VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\Recovery VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\EFI\Microsoft\Recovery VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\Program Files\7-Zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\Program Files\Adobe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\Program Files\Common Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\Program Files\Google VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\win32.exe	Queries volume information: C:\Program Files\Microsoft VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\win32.exe

Directory queried: C:\Documents and Settings

Jump to behavior

Source: C:\Users\user\Desktop\win32.exe

Directory queried: number of queries: 1001

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	2 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Data from Local System	1 Proxy	Exfiltration Over Other Network Medium	2 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	1 Inhibit System Recovery
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	23 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
win32.exe	61%	ReversingLabs	Win32.Ransomware.Embargo
win32.exe	100%	Avira	TR/AD.Nekark.xkwab

Name	Source	Malicious	Reputation
https://www.torproject.org/download/	HOW_TO_RECOVER_FILES.txt50.0.dr, HOW_TO_RECOVER_FILES.txt13.0.dr, HOW_TO_RECOVER_FILES.txt77.0.dr, HOW_TO_RECOVER_FILES.txt203.0.dr, HOW_TO_RECOVER_FILES.txt109.0.dr, HOW_TO_RECOVER_FILES.txt106.0.dr, HOW_TO_RECOVER_FILES.txt34.0.dr, HOW_TO_RECOVER_FILES.txt8.0.dr, HOW_TO_RECOVER_FILES.txt193.0.dr, HOW_TO_RECOVER_FILES.txt144.0.dr, HOW_TO_RECOVER_FILES.txt147.0.dr, HOW_TO_RECOVER_FILES.txt61.0.dr, HOW_TO_RECOVER_FILES.txt42.0.dr, HOW_TO_RECOVER_FILES.txt221.0.dr, HOW_TO_RECOVER_FILES.txt23.0.dr, HOW_TO_RECOVER_FILES.txt87.0.dr, HOW_TO_RECOVER_FILES.txt264.0.dr, HOW_TO_RECOVER_FILES.txt286.0.dr, HOW_TO_RECOVER_FILES.txt53.0.dr, HOW_TO_RECOVER_FILES.txt114.0.dr, HOW_TO_RECOVER_FILES.txt7.0.dr	true	unknown
https://github.com/clap-rs/clap/issues/home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001	win32.exe	false	unknown
http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion/#/73298b954035a575199ccc340f6f	HOW_TO_RECOVER_FILES.txt50.0.dr, HOW_TO_RECOVER_FILES.txt13.0.dr, HOW_TO_RECOVER_FILES.txt77.0.dr, HOW_TO_RECOVER_FILES.txt203.0.dr, HOW_TO_RECOVER_FILES.txt109.0.dr, HOW_TO_RECOVER_FILES.txt106.0.dr, HOW_TO_RECOVER_FILES.txt34.0.dr, HOW_TO_RECOVER_FILES.txt8.0.dr, HOW_TO_RECOVER_FILES.txt193.0.dr, HOW_TO_RECOVER_FILES.txt144.0.dr, HOW_TO_RECOVER_FILES.txt147.0.dr, HOW_TO_RECOVER_FILES.txt61.0.dr, HOW_TO_RECOVER_FILES.txt42.0.dr, HOW_TO_RECOVER_FILES.txt221.0.dr, HOW_TO_RECOVER_FILES.txt23.0.dr, HOW_TO_RECOVER_FILES.txt87.0.dr, HOW_TO_RECOVER_FILES.txt264.0.dr, HOW_TO_RECOVER_FILES.txt286.0.dr, HOW_TO_RECOVER_FILES.txt53.0.dr, HOW_TO_RECOVER_FILES.txt114.0.dr, HOW_TO_RECOVER_FILES.txt7.0.dr	true	unknown
https://github.com/clap-rs/clap/issues	win32.exe	false	unknown
http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/	HOW_TO_RECOVER_FILES.txt50.0.dr, HOW_TO_RECOVER_FILES.txt13.0.dr, HOW_TO_RECOVER_FILES.txt77.0.dr, HOW_TO_RECOVER_FILES.txt203.0.dr, HOW_TO_RECOVER_FILES.txt109.0.dr, HOW_TO_RECOVER_FILES.txt106.0.dr, HOW_TO_RECOVER_FILES.txt34.0.dr, HOW_TO_RECOVER_FILES.txt8.0.dr, HOW_TO_RECOVER_FILES.txt193.0.dr, HOW_TO_RECOVER_FILES.txt144.0.dr, HOW_TO_RECOVER_FILES.txt147.0.dr, HOW_TO_RECOVER_FILES.txt61.0.dr, HOW_TO_RECOVER_FILES.txt42.0.dr, HOW_TO_RECOVER_FILES.txt221.0.dr, HOW_TO_RECOVER_FILES.txt23.0.dr, HOW_TO_RECOVER_FILES.txt87.0.dr, HOW_TO_RECOVER_FILES.txt264.0.dr, HOW_TO_RECOVER_FILES.txt286.0.dr, HOW_TO_RECOVER_FILES.txt53.0.dr, HOW_TO_RECOVER_FILES.txt114.0.dr, HOW_TO_RECOVER_FILES.txt7.0.dr	true	unknown
https://docs.rs/getrandom#nodejs-es-module-support	win32.exe	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541094
Start date and time:	2024-10-24 12:09:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	win32.exe
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@10/1299@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: win32.exe

Process:	C:\Users\user\Desktop\win32.exe
File Type:	data
Category:	dropped
Size (bytes):	20640
Entropy (8bit):	7.990017822957713
Encrypted:	true
SSDEEP:	384:jgIMCQ0AmpmpYXOSHD+9LGh6c0WBDAn/8eT89Ox9iROlshAv8EBGKkJJmFl:jgI5AAmpgXf3DBDAn/z8UQROlzzQKkO
MD5:	D7A38C98A084BBECFC4D7DF12DCBB9EF
SHA1:	F928D24820B9924ED3BF5EE296CE5E1ED27FECCB
SHA-256:	C8DC220DF0102E9050892890C60E2C7523342153C6AB1F7790DCD4CA81B0D547
SHA-512:	DF87FF82159EA0FEEF8D00F5E28E64D78BD43E79927B7960E6AAF36ADDB829DAA244D360EDA1B430547C91596CDD7585CC2A249B05E041D1AAF828C63DA576BE
Malicious:	true
Reputation:	low
Preview:	\|.<.[..Q28.NE..'Z..r7.<......i..Fi.S.]....Mt......n....`._2...(K....\|?.Kmo..yZ......L...)..Q#t.J.u..J.#J.$).a.....l30.1\|`8...\|....3...tu..GAy...L.\f...c.>...PH..^.$...b.k....".vl6...W]O..by%.m..Q.w.7.C._. Qu......@...?..Yyc.v........r...a)PfF..6.\|~.nA..1.;.<...]t....)<e.m4....-fEo%...4..k.sK..~i.h`...7.X..P.#.i,...Z`._..=.Y..[.R.Q.1y....B...&...2.i9.2...$...i...b..1w..o.$..T..TM.pt........4..g..Z.....UW@..A.{..(+.n..43.3..._/.nA.h..-.@.....s.IP....n....q.u%\|.By...u.M.].[....wC.4...O,...k...X..y.r.....E~.WF......RD.T...m.AY.=hpY.........,Z..H.3m.Db.-..s`.I...S...\|.6.t......%{.....o.a...U..J./T.5.+....,..(.m.....8.....$...aR..`FKo.U.Ce[......Z....#.....Kq.c3f.....D...;...,s..M....]...H...\.u...,.....zG1...y=...Q..P...._k.~.....&Z.#..b...n....B)E:..y,..>8....iZD....m<.l.kKW.]........d.XU.Zg.-.M.h. .'...E.t..8..3....[?.e.i}....d...f.LA@%.*+%.X..E.......=1`FN..S.M.Da%.<..~.XH....8.2..5......+...) #[n......\|...(....R1.....4gt.'.Q..`xT...\|n...SY

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	365
Entropy (8bit):	4.7468302356135865
Encrypted:	false
SSDEEP:
MD5:	26344623BCA6E5AA1E82FF713260945B
SHA1:	5656E4D403FC725DDD7ACACA10AD1EEC6D67F1CD
SHA-256:	2A3359748601AA4C7A27A814807B866A227E22B3E9923F07A51156CE855DE40D
SHA-512:	278E4A04E78A1D98D6C86572B19FD02131AD89AA26CA71C7398DDC22721C2211E47124E5F0C0CEE27F92AEC38C7AED587A54A27DBA10C0D872DC808530DCC15A
Malicious:	false
Preview:	..Pinging 927537 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.520178122484576
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	win32.exe
File size:	6'241'792 bytes
MD5:	5d55fb708834d5ccde15d36554ea63e8
SHA1:	612ec1d41b2aa2518363b18381fd89c12315100f
SHA256:	ebffc9ced2dba66db9aae02c7ccd2759a36c5167df5cd4adb151b20e7eab173c
SHA512:	41aca4e3899158e02a74c4a661d6927ba4561aafb5572ec05098fff087ae73af6f822062c320a5c81b0c478227eaaf1c9bde20f3e58ed9c35303f30173d22950
SSDEEP:	98304:W3UW0wJh+x0CQluvl1kRz/eqWgUX7eDxen:aWb0CQluvlaeqZUX7eD
TLSH:	25565B0AF813A999D97F65B0606FE735DD35482D00039D33CFDA9E306A6E7112E8DA1E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n.f...............(..F..:_...............F...@..........................._.....f `...@... ............................

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66916E02 [Fri Jul 12 17:55:14 2024 UTC]
TLS Callbacks:	0x81c2c0, 0x869270, 0x869220
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c870ba25f44c51987b6d4037448b82e5

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5cb000	0x2070	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5d0000	0x2b2f4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x549274	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5cb554	0x428	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x46be3c	0x46c000	9da8ac190efbe3ebef17dbd87536f5bb	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x46d000	0x3c0	0x400	d092f1c71744f4e4e330b9159e875d59	False	0.4814453125	dBase III DBT, version number 0, next free block index 10, 1st item "\201]\217"	3.891504091061547	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x46e000	0xdb528	0xdb600	3b1f855835f1b88f4354a3810b938789	False	0.355890535968661	data	5.904279833567703	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x54a000	0x7e5bc	0x7e600	0cb1c55d1c33e0be9c1db70692bb2b6f	False	0.25661860163204747	data	4.648135091723182	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x5c9000	0x1470	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5cb000	0x2070	0x2200	d5f94baeeffb3e19bd60402ec8d2e014	False	0.3220358455882353	data	5.0142397737160245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x5ce000	0x38	0x200	4e652713eb50a884e6fe09387dc0dbc1	False	0.080078125	data	0.3413119142480582	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x5cf000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5d0000	0x2b2f4	0x2b400	b6f97f1c19d91630b83e24baf9709f0a	False	0.5534343388728323	data	6.611541602622622	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL	Import
kernel32.dll	AcquireSRWLockExclusive, AcquireSRWLockShared, AddVectoredExceptionHandler, AttachConsole, CancelIo, CloseHandle, CompareStringOrdinal, CopyFileExW, CreateDirectoryW, CreateEventW, CreateFileMappingA, CreateFileW, CreateHardLinkW, CreateMutexA, CreateMutexW, CreateNamedPipeW, CreateProcessW, CreateSymbolicLinkW, CreateThread, CreateToolhelp32Snapshot, CreateWaitableTimerExW, DeleteFileW, DeleteProcThreadAttributeList, DeviceIoControl, DuplicateHandle, ExitProcess, FindClose, FindFirstFileW, FindFirstVolumeW, FindNextFileW, FindNextVolumeW, FindVolumeClose, FlushFileBuffers, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, GetCommandLineW, GetComputerNameExW, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDriveTypeW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetLastError, GetLogicalDriveStringsW, GetLogicalDrives, GetLogicalProcessorInformation, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetNativeSystemInfo, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetProcessId, GetStartupInfoA, GetStdHandle, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempPathW, GetVolumePathNamesForVolumeNameW, GetWindowsDirectoryW, GlobalAlloc, GlobalFree, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, InitializeProcThreadAttributeList, IsWow64Process, LoadLibraryA, LoadLibraryExA, MapViewOfFile, Module32FirstW, Module32NextW, MoveFileExW, MultiByteToWideChar, OpenProcess, Process32FirstW, Process32NextW, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleW, ReadFile, ReadFileEx, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSRWLockShared, RemoveDirectoryW, RtlCaptureContext, SetConsoleMode, SetConsoleTextAttribute, SetCurrentDirectoryW, SetEnvironmentVariableW, SetEvent, SetFileAttributesW, SetFileInformationByHandle, SetFilePointerEx, SetFileTime, SetHandleInformation, SetLastError, SetProcessShutdownParameters, SetThreadStackGuarantee, SetUnhandledExceptionFilter, SetVolumeMountPointW, SetWaitableTimer, Sleep, SleepConditionVariableSRW, SleepEx, SwitchToThread, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, TzSpecificLocalTimeToSystemTime, UnmapViewOfFile, UpdateProcThreadAttribute, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, WriteConsoleW, WriteFileEx
mpr.dll	WNetAddConnection2W, WNetCancelConnection2W, WNetCloseEnum, WNetEnumResourceW, WNetOpenEnumW
netapi32.dll	NetApiBufferFree, NetShareEnum
ntdll.dll	NtCreateFile, NtReadFile, NtWriteFile, RtlNtStatusToDosError
ole32.dll	CoCreateGuid
oleaut32.dll	GetErrorInfo, SetErrorInfo, SysAllocStringLen, SysFreeString, SysStringLen
rstrtmgr.dll	RmEndSession, RmGetList, RmRegisterResources, RmShutdown, RmStartSession
shell32.dll	SHEmptyRecycleBinW
userenv.dll	GetUserProfileDirectoryW
ws2_32.dll	WSACleanup, WSADuplicateSocketW, WSAGetLastError, WSARecv, WSASend, WSASocketW, WSAStartup, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, getpeername, getsockname, getsockopt, ioctlsocket, listen, recv, recvfrom, select, send, sendto, setsockopt, shutdown
ADVAPI32.dll	AdjustTokenPrivileges, AllocateAndInitializeSid, ChangeServiceConfigW, CloseServiceHandle, ControlService, EnumDependentServicesW, EnumServicesStatusExW, ImpersonateLoggedOnUser, LogonUserW, LookupPrivilegeValueW, OpenProcessToken, OpenSCManagerW, OpenServiceW, QueryServiceStatusEx, RevertToSelf, SetEntriesInAclW, SetNamedSecurityInfoW, SystemFunction036
bcrypt.dll	BCryptGenRandom
KERNEL32.dll	CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, InitializeCriticalSection, LeaveCriticalSection, ReleaseSemaphore, VirtualProtect, VirtualQuery
msvcrt.dll	__getmainargs, __initenv, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _fpreset, _initterm, _iob, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcmp, memcpy, memmove, memset, signal, strlen, strncmp, vfprintf, wcslen

Target ID:	0
Start time:	06:10:05
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\win32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\win32.exe"
Imagebase:	0x860000
File size:	6'241'792 bytes
MD5 hash:	5D55FB708834D5CCDE15D36554EA63E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	16
Start time:	06:12:09
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /q /c ping localhost -n 5 > nul & del C:\Users\user\Desktop\win32.exe
Imagebase:	0x260000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report win32.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

B:\EFI\Microsoft\Recovery\BCD.3d828a.partial (copy)

B:\EFI\Microsoft\Recovery\BCD.LOG.3d828a.partial (copy)

B:\EFI\Microsoft\Recovery\BCD.LOG1.3d828a.partial (copy)

B:\EFI\Microsoft\Recovery\BCD.LOG2.3d828a.partial (copy)

C:\$Recycle.Bin\HOW_TO_RECOVER_FILES.txt

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\HOW_TO_RECOVER_FILES.txt

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\HOW_TO_RECOVER_FILES.txt

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\HOW_TO_RECOVER_FILES.txt

C:\$WinREAgent\HOW_TO_RECOVER_FILES.txt

C:\$WinREAgent\Scratch\HOW_TO_RECOVER_FILES.txt

C:\EFI\HOW_TO_RECOVER_FILES.txt

C:\EFI\Microsoft\HOW_TO_RECOVER_FILES.txt

C:\EFI\Microsoft\Recovery\BCD

C:\EFI\Microsoft\Recovery\BCD.LOG

C:\EFI\Microsoft\Recovery\BCD.LOG1

C:\EFI\Microsoft\Recovery\BCD.LOG2

C:\EFI\Microsoft\Recovery\HOW_TO_RECOVER_FILES.txt

C:\HOW_TO_RECOVER_FILES.txt

C:\Program Files\Adobe\Acrobat DC\Acrobat\HOW_TO_RECOVER_FILES.txt

C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\HOW_TO_RECOVER_FILES.txt

Windows Analysis Report
win32.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.This may deny access to available backups and recovery options.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Deletion, Command: Command Execution, File: File Deletion, Process: Process Creation, Service: Service Metadata, Snapshot: Snapshot Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre