
Analysis Report 31.exe

Overview

General Information

Sample Name: 31.exe
Analysis ID: 321991
MD5: af8e86c5d4198549f6375df9378f983c
SHA1: 7ab5ed449b891bd4899fba62d027a2cc26a05e6f
SHA256: 7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267


Detection

Ursnif AgentTesla FormBook Wadhrama
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Yara detected Ursnif
Yara detected AgentTesla
Yara detected FormBook
Yara detected Wadhrama Ransomware
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide a thread from the debugger
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates files in the recycle bin to hide itself
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes registry values via WMI
Yara detected Allatori_JAR_Obfuscator
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses cacls to modify the permissions of files
Uses reg.exe to modify the Windows registry
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • 31.exe (PID: 6020 cmdline: 'C:\Users\user\Desktop\31.exe' MD5: AF8E86C5D4198549F6375DF9378F983C)
    • cmd.exe (PID: 6028 cmdline: 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\F93E.tmp\F93F.tmp\F940.bat C:\Users\user\Desktop\31.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 4388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • javaw.exe (PID: 4656 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\1.jar' MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
        • icacls.exe (PID: 6180 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
          • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • 2.exe (PID: 5612 cmdline: C:\Users\user\AppData\Roaming\2.exe MD5: 715C838E413A37AA8DF1EF490B586AFD)
        • 2.exe (PID: 6760 cmdline: C:\Users\user\AppData\Roaming\2.exe MD5: 715C838E413A37AA8DF1EF490B586AFD)
      • 3.exe (PID: 6188 cmdline: C:\Users\user\AppData\Roaming\3.exe MD5: D2E2C65FC9098A1C6A4C00F9036AA095)
        • 3.exe (PID: 6888 cmdline: C:\Users\user\AppData\Roaming\3.exe MD5: D2E2C65FC9098A1C6A4C00F9036AA095)
      • 4.exe (PID: 6220 cmdline: C:\Users\user\AppData\Roaming\4.exe MD5: EC7506C2B6460DF44C18E61D39D5B1C0)
        • conhost.exe (PID: 6272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • 5.exe (PID: 6264 cmdline: C:\Users\user\AppData\Roaming\5.exe MD5: 4FCC5DB607DBD9E1AFB6667AB040310E)
        • conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • 6.exe (PID: 6288 cmdline: C:\Users\user\AppData\Roaming\6.exe MD5: CF04C482D91C7174616FB8E83288065A)
      • 7.exe (PID: 6352 cmdline: C:\Users\user\AppData\Roaming\7.exe MD5: 42D1CAF715D4BD2EA1FADE5DFFB95682)
      • 8.exe (PID: 6556 cmdline: C:\Users\user\AppData\Roaming\8.exe MD5: DEA5598AAF3E9DCC3073BA73D972AB17)
        • cmd.exe (PID: 6928 cmdline: 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 7140 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • 9.exe (PID: 6772 cmdline: C:\Users\user\AppData\Roaming\9.exe MD5: EA88F31D6CC55D8F7A9260245988DAB6)
      • 10.exe (PID: 6808 cmdline: C:\Users\user\AppData\Roaming\10.exe MD5: 68F96DA1FC809DCCDA4235955CA508B0)
      • 11.exe (PID: 6848 cmdline: C:\Users\user\AppData\Roaming\11.exe MD5: 9D4DA0E623BB9BB818BE455B4C5E97D8)
      • 12.exe (PID: 6868 cmdline: C:\Users\user\AppData\Roaming\12.exe MD5: 192830B3974FA27116C067F019747B38)
      • 13.exe (PID: 6900 cmdline: C:\Users\user\AppData\Roaming\13.exe MD5: 349F49BE2B024C5F7232F77F3ACD4FF6)
        • 13.exe (PID: 6412 cmdline: C:\Users\user\AppData\Roaming\13.exe MD5: 349F49BE2B024C5F7232F77F3ACD4FF6)
      • 14.exe (PID: 7032 cmdline: C:\Users\user\AppData\Roaming\14.exe MD5: 9ACD34BCFF86E2C01BF5E6675F013B17)
      • 15.exe (PID: 7120 cmdline: C:\Users\user\AppData\Roaming\15.exe MD5: D43D9558D37CDAC1690FDEEC0AF1B38D)
      • 16.exe (PID: 6240 cmdline: C:\Users\user\AppData\Roaming\16.exe MD5: 56BA37144BD63D39F23D25DAE471054E)
        • cmd.exe (PID: 6608 cmdline: C:\Windows\system32\cmd.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 4440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • mode.com (PID: 3228 cmdline: mode con cp select=1251 MD5: 1A3D2D975EB4A5AF22768F1E23C9A83C)
      • 17.exe (PID: 4568 cmdline: C:\Users\user\AppData\Roaming\17.exe MD5: 15A05615D617394AFC0231FC47444394)
      • 18.exe (PID: 3620 cmdline: C:\Users\user\AppData\Roaming\18.exe MD5: BF15960DD7174427DF765FD9F9203521)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Columns: Source, Rule, Description, Author, Strings
Source: C:\Users\user\AppData\Roaming\1.jar, Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Author: Joe Security
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, Rule: MAL_Ransomware_Wadhrama, Description: Detects Wadhrama Ransomware via Imphash, Author: Florian Roth
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, Rule: JoeSecurity_Wadhrama, Description: Yara detected Wadhrama Ransomware, Author: Joe Security

Memory Dumps

Columns: Source, Rule, Description, Author, Strings
Source: 0000000C.00000003.275324672.0000000003430000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 0000000C.00000003.263458830.0000000003430000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 0000000C.00000003.265066076.0000000003430000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000003.00000003.277524584.0000000002178000.00000004.00000001.sdmp, Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Author: Joe Security
Source: 0000000C.00000003.287963750.0000000003430000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security

Unpacked PEs

Columns: Source, Rule, Description, Author, Strings
Source: 4.2.2.exe.23f0000.2.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 4.2.2.exe.23f0000.2.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.2.exe.23f0000.2.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 4.2.2.exe.26d0000.3.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 4.2.2.exe.26d0000.3.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

System Summary:

Sigma detected: Add file from suspicious location to autostart registry
Source: Process started, Author: Joe Security, Data:
  Command: 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
  CommandLine: 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\cmd.exe
  NewProcessName: C:\Windows\SysWOW64\cmd.exe
  OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: C:\Users\user\AppData\Roaming\8.exe
  ParentImage: C:\Users\user\AppData\Roaming\8.exe
  ParentProcessId: 6556
  ProcessCommandLine: 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
  ProcessId: 6928

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 31.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\10.exe, Avira: detection malicious, Label: TR/Kryptik.pwjxv
Source: C:\Users\user\AppData\Roaming\2.exe, Avira: detection malicious, Label: DR/Delphi.vmrvj
Source: C:\Users\user\AppData\Roaming\21.exe, Avira: detection malicious, Label: TR/AD.AgentTesla.vbfpc
Source: C:\Users\user\AppData\Roaming\12.exe, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Roaming\17.exe, Avira: detection malicious, Label: TR/AD.StellarStealer.cqjpr
Source: C:\Users\user\AppData\Roaming\20.exe, Avira: detection malicious, Label: TR/AD.VBCryptor.fqgod
Source: C:\Users\user\AppData\Roaming\22.exe, Avira: detection malicious, Label: TR/Dropper.MSIL.nkkbi
Source: C:\Users\user\AppData\Roaming\19.exe, Avira: detection malicious, Label: TR/AD.VBCryptor.dplvu
Source: C:\Users\user\AppData\Roaming\14.exe, Avira: detection malicious, Label: TR/Crypt.ZPACK.zbsyd
Source: C:\Users\user\AppData\Roaming\13.exe, Avira: detection malicious, Label: TR/AD.VBCryptor.zlvmk
Source: C:\Users\user\AppData\Roaming\18.exe, Avira: detection malicious, Label: TR/AD.Swotter.pxvkb
Source: C:\Users\user\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe, Avira: detection malicious, Label: TR/AD.VBCryptor.zlvmk
Source: C:\Users\user\AppData\Roaming\16.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\15.exe, Avira: detection malicious, Label: TR/AD.VBCryptor.qvkoq
Source: C:\Users\user\AppData\Roaming\11.exe, Avira: detection malicious, Label: TR/AD.Swotter.vtqjg
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, Metadefender: Detection: 81%
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe, Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe, ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\10.exe, Metadefender: Detection: 27%
Source: C:\Users\user\AppData\Roaming\10.exe, ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\11.exe, Metadefender: Detection: 60%
Source: C:\Users\user\AppData\Roaming\11.exe, ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\12.exe, Metadefender: Detection: 51%
Source: C:\Users\user\AppData\Roaming\12.exe, ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\13.exe, Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Roaming\13.exe, ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\14.exe, Metadefender: Detection: 21%
Source: C:\Users\user\AppData\Roaming\14.exe, ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Roaming\15.exe, Metadefender: Detection: 16%
Source: C:\Users\user\AppData\Roaming\15.exe, ReversingLabs: Detection: 86%
Multi AV Scanner detection for submitted file
Source: 31.exe, Virustotal: Detection: 74%
Source: 31.exe, Metadefender: Detection: 21%
Source: 31.exe, ReversingLabs: Detection: 77%
Yara detected FormBook
Source: Yara match, File source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\10.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\2.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\12.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\17.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\22.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\14.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\18.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\16.exe, Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\11.exe, Joe Sandbox ML: detected
Source: 4.2.2.exe.26d0000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.7.exe.400000.0.unpack, Avira: Label: TR/AD.VBCryptor.cciav
Source: 4.2.2.exe.23f0000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.0.13.exe.400000.0.unpack, Avira: Label: TR/AD.VBCryptor.zlvmk
Source: 24.0.13.exe.400000.0.unpack, Avira: Label: TR/AD.VBCryptor.zlvmk
Source: 28.0.15.exe.400000.0.unpack, Avira: Label: TR/AD.VBCryptor.qvkoq
Source: 6.0.3.exe.400000.0.unpack, Avira: Label: TR/AD.VBCryptor.ulxin
Source: 22.2.12.exe.fd0000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: 12.2.6.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 22.0.12.exe.fd0000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: 12.0.6.exe.400000.0.unpack, Avira: Label: TR/AD.UrsnifDropper.xapkh
Source: 18.2.2.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.0.3.exe.400000.0.unpack, Avira: Label: TR/AD.VBCryptor.ulxin
Source: 36.2.13.exe.22c0000.0.unpack, Avira: Label: TR/AD.VBCryptor.zlvmk
Source: 18.1.2.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 31.0.16.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 31.2.16.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\2.exe, Code function: 4_2_00408420 FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime
Source: C:\Users\user\AppData\Roaming\2.exe, Code function: 4_2_004050AC GetModuleHandleA, GetProcAddress, lstrcpyn, lstrcpyn, lstrcpyn, FindFirstFileA, FindClose, lstrlen, lstrcpyn, lstrlen, lstrcpyn
Source: C:\Users\user\AppData\Roaming\2.exe, Code function: 4x nop then cmp word ptr [ebp-00000128h], 07E0h
Source: C:\Users\user\AppData\Roaming\2.exe, Code function: 4x nop then movzx eax, word ptr [ebp-00000126h]
Source: C:\Users\user\AppData\Roaming\7.exe, Code function: 5x nop then clc
Source: C:\Users\user\AppData\Roaming\7.exe, Code function: 6x nop then clc
Source: C:\Users\user\AppData\Roaming\7.exe, Code function: 5x nop then clc
Source: C:\Users\user\AppData\Roaming\7.exe, Code function: 4x nop then pushad
Source: C:\Users\user\AppData\Roaming\7.exe, Code function: 4x nop then mov eax, 00000539h
Source: Joe Sandbox View, IP Address: 195.201.225.248
Source: Joe Sandbox View, IP Address: 104.20.22.46
Source: Joe Sandbox View, JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View, JA3 fingerprint: d2935c58fe676744fecc8614ee5356c7
Source: unknown, DNS traffic detected: queries for: nodejs.org
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712

                          Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 0000000C.00000003.275324672.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.263458830.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.265066076.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.287963750.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.280169669.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.268420361.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.262475690.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.283048211.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.277448460.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.276697801.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.264167632.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.271016364.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.279389121.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.289988537.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.285704890.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.290870908.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.286159622.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.284449736.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.278795874.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.286615752.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.278137679.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.280976286.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.289104670.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.266254092.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.285038700.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.288532255.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.283836994.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.281810104.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.276068079.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.287218753.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.261275471.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.282519580.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6.exe PID: 6288, type: MEMORY
Contains functionality to log keystrokes (.Net Source)
Source: 9.0.5.exe.2e0000.0.unpack, WindowsLocalHostProcess.cs | .Net Code: SetHook
Source: 9.2.5.exe.2e0000.0.unpack, WindowsLocalHostProcess.cs | .Net Code: SetHook
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_00420D5C GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_0043D010 GetKeyboardState,

                          E-Banking Fraud:

Yara detected Ursnif (same memory dump matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above)
Yara detected FormBook
Source: Yara match | File source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE

                          Spam, unwanted Advertisements and Ransom Demands:

Yara detected Wadhrama Ransomware
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\16.exe, type: DROPPED
Source: Yara match | File source: 31.0.16.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.16.exe.400000.0.unpack, type: UNPACKEDPE

                          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.244904275.00000000037FB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000000.00000003.245364175.0000000003820000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000000.00000003.243963950.00000000037E6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, type: DROPPED | Matched rule: Detects Wadhrama Ransomware via Imphash | Author: Florian Roth
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, type: DROPPED | Matched rule: Detects Wadhrama Ransomware via Imphash | Author: Florian Roth
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, type: DROPPED | Matched rule: Detects Wadhrama Ransomware via Imphash | Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\16.exe, type: DROPPED | Matched rule: Detects Wadhrama Ransomware via Imphash | Author: Florian Roth
Source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 31.0.16.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Wadhrama Ransomware via Imphash | Author: Florian Roth
Source: 31.2.16.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Wadhrama Ransomware via Imphash | Author: Florian Roth
Source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: feeed.exe.15.dr, iKu002a.cs | Large array initialization: Y%i: array initializer size 58880
Source: 15.2.8.exe.7e0000.0.unpack, iKu002a.cs | Large array initialization: Y%i: array initializer size 58880
Source: 15.0.8.exe.7e0000.0.unpack, iKu002a.cs | Large array initialization: Y%i: array initializer size 58880
Writes registry values via WMI
Source: C:\Users\user\AppData\Roaming\6.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\6.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\6.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\6.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\6.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_00462850 NtCreateSection,
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_0045AAF4 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_0045B29C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_0045B34C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_00429DF8 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_0044FE20 GetSubMenu,SaveDC,RestoreDC,7378B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_0043FF8C NtdllDefWindowProc_A,GetCapture,
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_020C2A35 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_020C0F76 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_020C0192 EnumWindows,NtSetInformationThread,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_020C112C NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Roaming\16.exe | File created: C:\Windows\System32\16.exe
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_00412181
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_00454FEC
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_0044FE20
Source: C:\Users\user\AppData\Roaming\3.exe | Code function: 6_2_00401DE8
Source: C:\Users\user\AppData\Roaming\3.exe | Code function: 6_2_00401E86
Source: C:\Users\user\AppData\Roaming\3.exe | Code function: 6_2_00401E97
Source: C:\Users\user\AppData\Roaming\3.exe | Code function: 6_2_00401EA9
Source: C:\Users\user\AppData\Roaming\3.exe | Code function: 6_2_00401EB5
Source: C:\Users\user\AppData\Roaming\3.exe | Code function: 6_2_00401EBD
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401DF3
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_004015B0
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401E7E
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401E38
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401EC3
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401ECC
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401EF0
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401EF3
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401EFC
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401EFF
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401EA2
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401EA5
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401EAC
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401EB4
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401EB7
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401F5C
Source: C:\Users\user\AppData\Roaming\7.exe | Code function: 13_2_00401F08
Source: Joe Sandbox View | Dropped File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe 307077D1A3FD2B53B94D88268E31B0B89B8C0C2EE9DBB46041D3E2395243F1B3
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: String function: 00403FD4 appears 68 times
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: String function: 004060E0 appears 63 times
Source: 2.exe.0.dr | Static PE information: Resource name: RT_CURSOR type: PARIX executable
Source: 2.exe.0.dr | Static PE information: Resource name: RT_CURSOR type: DOS executable (COM, 0x8C-variant)
Source: 2.exe.0.dr | Static PE information: Resource name: RT_CURSOR type: 370 XA sysV pure executable not stripped - 5.2 format
Source: 2.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Styltendeschris.exe.36.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 31.exe, 00000000.00000003.244922847.000000000380A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameslettebeskyttet.exe vs 31.exe
Source: 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamegasforsy.exe vs 31.exe
Source: 31.exe, 00000000.00000003.244046307.000000000331D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWindows Local Host Process.exeX vs 31.exe
Source: 31.exe, 00000000.00000003.612340393.0000000003EFC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBORTSK.exe vs 31.exe
Source: 31.exe, 00000000.00000003.245407775.000000000382D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameGELEN.exe vs 31.exe
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
Source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.244904275.00000000037FB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.245364175.0000000003820000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.243963950.00000000037E6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                          Source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                          Source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                          Source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, type: DROPPED | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, type: DROPPED | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, type: DROPPED | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: C:\Users\user\AppData\Roaming\16.exe, type: DROPPED | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 31.0.16.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 31.2.16.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.exe.31.dr | Static PE information: Section: .data ZLIB complexity 0.991606212798
Source: 16.exe0.31.dr | Static PE information: Section: .data ZLIB complexity 0.991606212798
Source: 16.exe1.31.dr | Static PE information: Section: .data ZLIB complexity 0.991606212798
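The three ".data ZLIB complexity 0.99" findings above are a packing heuristic: a section that deflate cannot shrink is holding encrypted or compressed payload rather than code or strings. The script below is an added example, not part of the sandbox report or of any Joe Sandbox tooling. It assumes the complexity metric is the deflated size divided by the raw size, capped at 1.0, and uses an assumed cut-off of 0.95; the PE image it scores is constructed in the block (a NOP-filled .text next to a pseudo-random .data) so that it runs offline against something with a real section table.

```python
"""Added example: score each PE section by ZLIB complexity to flag packed data.

Assumption: complexity = len(zlib.compress(raw)) / len(raw), capped at 1.0.
Sections close to 1.0 are incompressible (encrypted/packed); code and string
sections usually land well below it. The threshold is a working assumption.
"""
import random
import struct
import zlib

PACKED_THRESHOLD = 0.95  # assumed cut-off; tune against a known-good corpus


def zlib_complexity(raw: bytes) -> float:
    """Deflated size over raw size, capped at 1.0 (an empty section scores 0.0)."""
    if not raw:
        return 0.0
    return min(1.0, len(zlib.compress(raw, 9)) / len(raw))


def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for every section in an on-disk PE image.

    Minimal parser: MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> skip the
    optional header -> 40-byte section headers. SizeOfRawData sits at +16 and
    PointerToRawData at +20 inside each section header.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(nsections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]


def section_report(pe: bytes) -> dict:
    """Map section name -> (complexity rounded to 4 places, flagged as packed)."""
    report = {}
    for name, raw in pe_sections(pe):
        score = zlib_complexity(raw)
        report[name] = (round(score, 4), score >= PACKED_THRESHOLD)
    return report


def build_sample_pe() -> bytes:
    """Constructed test image (not a real sample): NOP-filled .text, random .data."""
    rng = random.Random(1337)
    text = b"\x90" * 4096                                    # compresses to almost nothing
    data = bytes(rng.getrandbits(8) for _ in range(4096))    # incompressible
    opt_size = 0xE0                                          # PE32 optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * 2
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = bytes(opt_size)

    def section_header(name: bytes, size: int, ptr: int) -> bytes:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, 0x60000020)

    text_ptr = hdr_len
    data_ptr = text_ptr + len(text)
    return (bytes(dos) + b"PE\0\0" + coff + opt
            + section_header(b".text", len(text), text_ptr)
            + section_header(b".data", len(data), data_ptr)
            + text + data)


if __name__ == "__main__":
    for name, (score, packed) in section_report(build_sample_pe()).items():
        print(f"{name:8s} complexity={score:.4f} packed={packed}")
```

To run this against a real dropped file, replace build_sample_pe() with the file's bytes; the parser reads the section table from the on-disk headers, so it needs the file rather than a memory dump.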
Source: 19.2.9.exe.580000.0.unpack, _2dShooter/ControllerSettings.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 19.0.9.exe.580000.0.unpack, _2dShooter/ControllerSettings.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 21.2.11.exe.3f0000.0.unpack, MY_APPLICATION/CoreBattle.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 21.2.11.exe.3f0000.0.unpack, MY_APPLICATION/CoreBattle.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 21.0.11.exe.3f0000.0.unpack, MY_APPLICATION/CoreBattle.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 21.0.11.exe.3f0000.0.unpack, MY_APPLICATION/CoreBattle.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 22.2.12.exe.fd0000.0.unpack, License.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 22.2.12.exe.fd0000.0.unpack, License.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 22.2.12.exe.fd0000.0.unpack, License.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.rans.troj.adwa.spyw.evad.winEXE@79/168@120/2
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_0041DE44 GetLastError,FormatMessageA,
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_004085D2 GetDiskFreeSpaceA,
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_0045F0D5 CreateToolhelp32Snapshot,VirtualAlloc,Process32FirstW,
Source: C:\Users\user\AppData\Roaming\2.exe | Code function: 4_2_00416430 FindResourceA,LoadResource,SizeofResource,LockResource,
Source: C:\Users\user\Desktop\31.exe | File created: C:\Users\user\AppData\Roaming\1.jar
Source: C:\Users\user\Desktop\31.exe | File created: C:\Users\user\AppData\Local\Temp\F93E.tmp
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\F93E.tmp\F93F.tmp\F940.bat C:\Users\user\Desktop\31.exe'
Source: C:\Users\user\AppData\Roaming\2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\4.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\4.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\3.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\7.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\13.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\15.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\5.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\5.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\5.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\8.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\9.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\11.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\12.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\12.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\12.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\18.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\6.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Users\user\Desktop\31.exe | File read: C:\Users\desktop.ini
Source: 31.exe | Virustotal: Detection: 74%
Source: 31.exe | Metadefender: Detection: 21%
Source: 31.exe | ReversingLabs: Detection: 77%
Source: unknown | Process created: C:\Users\user\Desktop\31.exe 'C:\Users\user\Desktop\31.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\F93E.tmp\F93F.tmp\F940.bat C:\Users\user\Desktop\31.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\1.jar'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\2.exe C:\Users\user\AppData\Roaming\2.exe
Source: unknown | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: unknown | Process created: C:\Users\user\AppData\Roaming\3.exe C:\Users\user\AppData\Roaming\3.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\4.exe C:\Users\user\AppData\Roaming\4.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\5.exe C:\Users\user\AppData\Roaming\5.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\6.exe C:\Users\user\AppData\Roaming\6.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\7.exe C:\Users\user\AppData\Roaming\7.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\8.exe C:\Users\user\AppData\Roaming\8.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\2.exe C:\Users\user\AppData\Roaming\2.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\9.exe C:\Users\user\AppData\Roaming\9.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\10.exe C:\Users\user\AppData\Roaming\10.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\11.exe C:\Users\user\AppData\Roaming\11.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\12.exe C:\Users\user\AppData\Roaming\12.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\3.exe C:\Users\user\AppData\Roaming\3.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\13.exe C:\Users\user\AppData\Roaming\13.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\14.exe C:\Users\user\AppData\Roaming\14.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\15.exe C:\Users\user\AppData\Roaming\15.exe
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\16.exe C:\Users\user\AppData\Roaming\16.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\17.exe C:\Users\user\AppData\Roaming\17.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\13.exe C:\Users\user\AppData\Roaming\13.exe
Source: unknown | Process created: C:\Windows\System32\mode.com mode con cp select=1251
Source: unknown | Process created: C:\Users\user\AppData\Roaming\18.exe C:\Users\user\AppData\Roaming\18.exe
Source: C:\Users\user\Desktop\31.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\F93E.tmp\F93F.tmp\F940.bat C:\Users\user\Desktop\31.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\1.jar'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\2.exe C:\Users\user\AppData\Roaming\2.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\3.exe C:\Users\user\AppData\Roaming\3.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\4.exe C:\Users\user\AppData\Roaming\4.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\5.exe C:\Users\user\AppData\Roaming\5.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\6.exe C:\Users\user\AppData\Roaming\6.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\7.exe C:\Users\user\AppData\Roaming\7.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\8.exe C:\Users\user\AppData\Roaming\8.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\9.exe C:\Users\user\AppData\Roaming\9.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\10.exe C:\Users\user\AppData\Roaming\10.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\11.exe C:\Users\user\AppData\Roaming\11.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\12.exe C:\Users\user\AppData\Roaming\12.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\13.exe C:\Users\user\AppData\Roaming\13.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\14.exe C:\Users\user\AppData\Roaming\14.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\15.exe C:\Users\user\AppData\Roaming\15.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\16.exe C:\Users\user\AppData\Roaming\16.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\17.exe C:\Users\user\AppData\Roaming\17.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\18.exe C:\Users\user\AppData\Roaming\18.exe
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\2.exe C:\Users\user\AppData\Roaming\2.exe
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Users\user\AppData\Roaming\2.exe | Process created: C:\Users\user\AppData\Roaming\2.exe C:\Users\user\AppData\Roaming\2.exe
Source: C:\Users\user\AppData\Roaming\3.exe | Process created: C:\Users\user\AppData\Roaming\3.exe C:\Users\user\AppData\Roaming\3.exe
Source: C:\Users\user\AppData\Roaming\4.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\7.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\8.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
Source: C:\Users\user\AppData\Roaming\13.exe | Process created: C:\Users\user\AppData\Roaming\13.exe C:\Users\user\AppData\Roaming\13.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
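The 8.exe -> cmd.exe -> reg.exe chain above writes a Run value whose data is not the payload itself but pcalua.exe (the Program Compatibility Assistant launcher) with -a pointing at feeed.exe under the user's Roaming profile, so the autostart entry reads as a Windows binary to a naive allow-list. The script below is an added example, not part of the sandbox report: it parses a REG ADD command line of that shape and returns the reasons the resulting Run value should be flagged. The sample command line is constructed to mirror the report's entry with ordinary double-quote quoting (the report renders quotes as '), and the proxy-binary watchlist and the user-writable path patterns are assumptions to tune for your environment.

```python
"""Added example: triage a 'REG ADD ...\\CurrentVersion\\Run' command line.

Parses the value name, type and data, then flags autostart data that proxies
execution through pcalua.exe (or similar LOLBins) or points into a user-
writable directory. The watchlist and path patterns are assumptions.
"""
import re

# Constructed sample, modelled on the reg.exe invocation in the report.
SAMPLE_CMDLINE = (
    r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run '
    r'/f /v feeed /t REG_SZ /d "C:\Windows\system32\pcalua.exe -a C:\Users\user\AppData\Roaming\feeed.exe"'
)

# Assumed watchlist of signed binaries commonly used to launch something else.
PROXY_BINARIES = {"pcalua.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe",
                  "wscript.exe", "cscript.exe", "forfiles.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\|\\Users\\Public\\",
                           re.IGNORECASE)
RUN_KEYS = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> list:
    """Split on whitespace while keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_reg_add(cmdline: str) -> dict:
    """Return key, value name, type, data and /f flag from a REG ADD command line.

    A leading 'cmd.exe /c' (as in the 8.exe -> cmd.exe hop above) is stripped first.
    """
    toks = split_cmdline(cmdline)
    if len(toks) >= 2 and toks[0].lower().endswith("cmd.exe") and toks[1].lower() == "/c":
        toks = toks[2:]
    if len(toks) < 3 or toks[0].lower() not in ("reg", "reg.exe") or toks[1].lower() != "add":
        raise ValueError("not a REG ADD command line")
    entry = {"key": toks[2], "value_name": "", "type": "REG_SZ", "data": "", "force": False}
    names = {"/v": "value_name", "/t": "type", "/d": "data"}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag == "/f":
            entry["force"] = True
            i += 1
        elif flag in names and i + 1 < len(toks):
            entry[names[flag]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return entry


def classify_run_value(entry: dict) -> list:
    """Reasons an autostart value looks malicious; an empty list means nothing flagged."""
    reasons = []
    if not RUN_KEYS.search(entry["key"]):
        return reasons                      # not an autostart key, out of scope here
    args = split_cmdline(entry["data"])
    exe = args[0].rsplit("\\", 1)[-1].lower() if args else ""
    if exe in PROXY_BINARIES:
        reasons.append(f"Run value launches proxy binary {exe}")
    if exe == "pcalua.exe" and "-a" in [a.lower() for a in args]:
        reasons.append("pcalua.exe -a used to launch another executable")
    writable = [a for a in args if USER_WRITABLE.search(a)]
    if writable:
        reasons.append(f"target in user-writable path: {writable[0]}")
    if entry["force"]:
        reasons.append("/f overwrites an existing value silently")
    return reasons


if __name__ == "__main__":
    entry = parse_reg_add(SAMPLE_CMDLINE)
    print(entry["value_name"], "->", entry["data"])
    for reason in classify_run_value(entry):
        print(" -", reason)
```

The same parser accepts the 'cmd.exe' /c REG ADD ... form that 8.exe spawned, so both hops of the chain resolve to the same flagged entry; feed it process-creation command lines from Sysmon event 1 or 4688 to catch the write before the value is ever read.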
Source: C:\Users\user\AppData\Roaming\15.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\16.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com mode con cp select=1251
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\31.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\8.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 31.exe | Static file information: File size 13128192 > 1048576
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 31.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xc70000
                          Source: Binary string: c:\Users\Leon Li\Documents\Visual Studio 2012\Projects\A Logger\Windows Local Host Process\obj\Debug\Windows Local Host Process.pdb source: 5.exe

                          Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Roaming\6.exe | Unpacked PE file: 12.2.6.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\2.exe | Unpacked PE file: 18.2.2.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
Source: C:\Users\user\AppData\Roaming\10.exe | Unpacked PE file: 20.2.10.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\14.exe | Unpacked PE file: 27.2.14.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\17.exe | Unpacked PE file: 33.2.17.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Roaming\6.exe | Unpacked PE file: 12.2.6.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\10.exe | Unpacked PE file: 20.2.10.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\14.exe | Unpacked PE file: 27.2.14.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\17.exe | Unpacked PE file: 33.2.17.exe.400000.0.unpack
.NET source code contains potential unpacker
Source: 19.2.9.exe.580000.0.unpack, _2dShooter/ControllerSettings.cs | .Net Code: ShipDestroy System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.9.exe.580000.0.unpack, _2dShooter/ControllerSettings.cs | .Net Code: ShipDestroy System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.11.exe.3f0000.0.unpack, MY_APPLICATION/CoreBattle.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.11.exe.3f0000.0.unpack, MY_APPLICATION/CoreBattle.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.2.12.exe.fd0000.0.unpack, License.cs | .Net Code: ValidateSignature System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.2.12.exe.fd0000.0.unpack, License.cs | .Net Code: GizmoDecompress System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.0.12.exe.fd0000.0.unpack, License.cs | .Net Code: ValidateSignature System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.0.12.exe.fd0000.0.unpack, License.cs | .Net Code: GizmoDecompress System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Yara detected Allatori_JAR_ObfuscatorShow sources
                          Source: Yara matchFile source: 00000003.00000003.277524584.0000000002178000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000003.00000003.262372271.0000000002178000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000003.00000003.250295715.0000000002091000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000003.00000002.649277074.0000000002178000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000003.00000003.289049530.0000000002178000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000003.00000003.334171362.0000000002178000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: C:\Users\user\AppData\Roaming\1.jar, type: DROPPED
                          Source: C:\Users\user\AppData\Roaming\2.exeCode function: 4_2_00426470 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                          Source: 31.exeStatic PE information: section name: .code
                          Source: 4.dll.8.drStatic PE information: section name: .didata
                          Source: C:\Users\user\AppData\Roaming\16.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exeJump to dropped file
                          Source: C:\Users\user\AppData\Roaming\16.exeFile created: C:\Windows\System32\16.exe

                          Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run feeed
Creates autostart registry keys with suspicious names
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run feeed
Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\AppData\Roaming\3.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Dokumen4 C:\Users\user\AppData\Local\Temp\Dibromob\PRECONCE.vbs
Source: C:\Users\user\AppData\Roaming\13.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce PANOREREDEOPTIM C:\Users\user\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.vbs
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Roaming\16.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 16.exe
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run feeed
Source: C:\Users\user\AppData\Roaming\3.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Dokumen4
Source: C:\Users\user\AppData\Roaming\13.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce PANOREREDEOPTIM
Drops PE files to the startup folder
Source: C:\Users\user\AppData\Roaming\16.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\16.exe
Source: C:\Users\user\AppData\Roaming\16.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe
Source: C:\Users\user\AppData\Roaming\16.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\16.exe
Source: C:\Users\user\AppData\Roaming\3.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Dokumen4
Source: C:\Users\user\AppData\Roaming\13.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce PANOREREDEOPTIM
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run feeed
Source: C:\Users\user\AppData\Roaming\16.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 16.exe

                          Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 0000000C.00000003.275324672.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.263458830.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.265066076.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.287963750.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280169669.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.268420361.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.262475690.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.283048211.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.277448460.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.276697801.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.264167632.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.271016364.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.279389121.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.289988537.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.285704890.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.290870908.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.286159622.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.284449736.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.278795874.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.286615752.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.278137679.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280976286.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.289104670.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.266254092.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.285038700.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.288532255.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.283836994.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.281810104.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.276068079.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.287218753.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.261275471.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.282519580.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6.exe PID: 6288, type: MEMORY
Creates files in the recycle bin to hide itself
Source: C:\Users\user\AppData\Roaming\16.exe File created: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.ini.id-63AF7DE9.[Bit_decrypt@protonmail.com].BOMBO
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Roaming\8.exe File opened: C:\Users\user\AppData\Roaming\8.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045AB7C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_004247B8 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00442888 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045B29C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045B34C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_004416B0 IsIconic,GetCapture,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00457BA4 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00441F64 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00426470 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: unknown Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M

                          Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_004365DC
Tries to detect Any.run
Source: C:\Users\user\AppData\Roaming\3.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Roaming\3.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Roaming\7.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Roaming\7.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Roaming\13.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Roaming\13.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Roaming\15.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Roaming\15.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 7.exe Binary or memory string: ROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: 7.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\2.exe RDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\2.exe RDTSC instruction interceptor: First address: 0000000000409B1E second address: 0000000000409B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\15.exe RDTSC instruction interceptor: First address: 00000000021524B4 second address: 00000000021524D6 instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 lfence 0x00000006 shl edx, 20h 0x00000009 or edx, eax 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 fnop 0x00000015 cpuid 0x00000017 bt ecx, 1Fh 0x0000001b jc 00007F787038E503h 0x0000001d clc 0x0000001e popad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\AppData\Roaming\15.exe RDTSC instruction interceptor: First address: 00000000021524D6 second address: 00000000021524B4 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F7870ADEC2Ah 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F7870ADEC53h 0x0000001b push ecx 0x0000001c call 00007F7870ADEC7Eh 0x00000021 clc 0x00000022 lfence 0x00000025 clc 0x00000026 rdtsc
Source: C:\Users\user\AppData\Roaming\7.exe RDTSC instruction interceptor: First address: 00000000020C24FC second address: 00000000020C251D instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d nop 0x0000000e mov eax, 00000001h 0x00000013 nop 0x00000014 cpuid 0x00000016 clc 0x00000017 bt ecx, 1Fh 0x0000001b jc 00007F787038E502h 0x0000001d popad 0x0000001e lfence 0x00000021 rdtsc
Source: C:\Users\user\AppData\Roaming\7.exe RDTSC instruction interceptor: First address: 00000000020C251D second address: 00000000020C24FC instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F7870ADEC29h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F7870ADEC53h 0x0000001b push ecx 0x0000001c call 00007F7870ADEC7Eh 0x00000021 fnop 0x00000023 lfence 0x00000026 fnop 0x00000028 rdtsc
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C24F5 rdtsc
Source: C:\Users\user\AppData\Roaming\2.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
Source: C:\Users\user\AppData\Roaming\8.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_004365DC
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045E4B0 GetSystemTime followed by cmp: cmp word ptr [ebp-00000128h], 07e0h and CTI: jnc 0045E4E1h
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00408420 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_004050AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0041E3D4 GetSystemInfo,
Source: 7.exe Binary or memory string: rogram Files\Qemu-ga\qemu-ga.exe
Source: 2.exe Binary or memory string: VMwareVMware
Source: 7.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

                          Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C0192 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000
Source: C:\Users\user\AppData\Roaming\2.exe Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\2.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C24F5 rdtsc
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00426470 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C220A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C277D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C139C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C2431 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C08BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C0CC8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\5.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\8.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\2.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Memory protected: page read and write | page guard

                          HIPS / PFW / Operating System Protection Evasion:

Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\2.exe Thread register set: target process: 3472
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00464127 cpuid
Source: C:\Users\user\AppData\Roaming\2.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045E4B0 GetSystemTime,RtlExitUserThread,GetSystemTimeAsFileTime,GetModuleHandleA,GetProcAddress,RtlExitUserThread,
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_004474D0 GetVersion,
Source: C:\Users\user\AppData\Roaming\6.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

                          Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 0000000C.00000003.275324672.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.263458830.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.265066076.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.287963750.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280169669.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.268420361.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.262475690.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.283048211.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.277448460.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.276697801.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.264167632.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.271016364.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.279389121.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.289988537.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.285704890.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.290870908.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.286159622.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.284449736.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.278795874.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.286615752.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.278137679.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280976286.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.289104670.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.266254092.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.285038700.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.288532255.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.283836994.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.281810104.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.276068079.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.287218753.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.261275471.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.282519580.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6.exe PID: 6288, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 0000000F.00000003.506552159.00000000060E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.260831311.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.515536645.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\feeed.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\8.exe, type: DROPPED
Source: Yara match File source: 15.2.8.exe.7e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.8.exe.7e0000.0.unpack, type: UNPACKEDPE
Yara detected FormBook
                          Source: Yara matchFile source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE

                          Remote Access Functionality:

Yara detected Ursnif
Source: Yara match; File source: 0000000C.00000003.275324672.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.263458830.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.265066076.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.287963750.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.280169669.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.268420361.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.262475690.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.283048211.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.277448460.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.276697801.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.264167632.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.271016364.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.279389121.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.289988537.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.285704890.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.290870908.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.286159622.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.284449736.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.278795874.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.286615752.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.278137679.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.280976286.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.289104670.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.266254092.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.285038700.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.288532255.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.283836994.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.281810104.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.276068079.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.287218753.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.261275471.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.282519580.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 6.exe PID: 6288, type: MEMORY

Yara detected AgentTesla
Source: Yara match; File source: 0000000F.00000003.506552159.00000000060E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000000.260831311.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.515536645.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: C:\Users\user\AppData\Roaming\feeed.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\8.exe, type: DROPPED
Source: Yara match; File source: 15.2.8.exe.7e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.0.8.exe.7e0000.0.unpack, type: UNPACKEDPE

Yara detected FormBook
Source: Yara match; File source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE

                          Mitre Att&ck Matrix

                          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                          Valid AccountsWindows Management Instrumentation111Startup Items1Startup Items1Disable or Modify Tools1Input Capture111System Time Discovery11Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                          Default AccountsScripting1Application Shimming1Application Shimming1Deobfuscate/Decode Files or Information11LSASS MemoryFile and Directory Discovery2Remote Desktop ProtocolInput Capture111Exfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                          Domain AccountsNative API1Registry Run Keys / Startup Folder521Process Injection11Scripting1Security Account ManagerSystem Information Discovery125SMB/Windows Admin SharesClipboard Data1Automated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                          Local AccountsAt (Windows)Services File Permissions Weakness1Registry Run Keys / Startup Folder521Obfuscated Files or Information2NTDSSecurity Software Discovery651Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                          Cloud AccountsCronNetwork Logon ScriptServices File Permissions Weakness1Software Packing32LSA SecretsVirtualization/Sandbox Evasion12SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                          Replication Through Removable MediaLaunchdRc.commonRc.commonMasquerading21Cached Domain CredentialsProcess Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsModify Registry1DCSyncApplication Window Discovery11Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobVirtualization/Sandbox Evasion12Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                          Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Process Injection11/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                          Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Hidden Files and Directories2Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                          Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronServices File Permissions Weakness1Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop

                          Behavior Graph


                          Legend:

                          • Process
                          • Signature
                          • Created File
                          • DNS/IP Info
                          • Is Dropped
                          • Is Windows Process
                          • Number of created Registry Values
                          • Number of created Files
                          • Visual Basic
                          • Delphi
                          • Java
                          • .Net C# or VB.NET
                          • C, C++ or other language
                          • Is malicious
                          • Internet
Behavior Graph ID: 321991, Sample: 31.exe, Startdate: 24/11/2020, Architecture: WINDOWS, Score: 100

Sample start (root node)
    DNS/IP: www.sensomaticloadcell.com; www.fisioservice.com; 13 other IPs or domains
    Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 13 other signatures
    Started: 31.exe (39)
        Dropped: C:\Users\user\AppData\Roaming\8.exe, PE32
        Dropped: C:\Users\user\AppData\Roaming\7.exe, PE32
        Dropped: C:\Users\user\AppData\Roaming\6.exe, PE32
        Dropped: 28 other files (18 malicious)
        Started: cmd.exe (3, 2)
            Started: 16.exe
                Dropped: C:\Users\user\AppData\Roaming\...\16.exe, PE32
                Dropped: C:\ProgramData\Microsoft\Windows\...\16.exe, PE32
                Dropped: C:\Windows\System32\16.exe, PE32
                Dropped: desktop.ini.id-63A...otonmail.com].BOMBO, data
                Signatures: Antivirus detection for dropped file; Creates files in the recycle bin to hide itself; Machine Learning detection for dropped file; Drops PE files to the startup folder
                Started: cmd.exe
                    Started: conhost.exe
                    Started: mode.com
            Started: 13.exe
                Signatures: Multi AV Scanner detection for dropped file; Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys
                Started: 13.exe
                    Dropped: C:\Users\user\AppData\...\Styltendeschris.exe, PE32
                    Signatures: Tries to detect Any.run
            Started: 2.exe
                Signatures: Detected unpacking (changes PE section rights); Tries to detect virtualization through RDTSC time measurements; Contains functionality to detect sleep reduction / modifications
                Started: 2.exe
                    Signatures: Modifies the context of a thread in another process (thread injection)
            16 other processes
                DNS/IP: telete.in 195.201.225.248, 443, 49714, 49715 HETZNER-ASDE Germany
                DNS/IP: nodejs.org 104.20.22.46, 443, 49712 CLOUDFLARENETUS United States
                Dropped: C:\Users\user\AppData\Roaming\feeed.exe, PE32
                Dropped: C:\Users\user\...\configure, Bourne-Again
                Dropped: C:\Users\user\...\npx-cli.js, a
                Dropped: 7 other files (none is malicious)
                Signatures: Detected unpacking (overwrites its own PE header); Tries to detect Any.run; 3 other signatures
                Started: cmd.exe
                    Started: reg.exe
                        Signatures: Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows
                    Started: conhost.exe
                Started: 3.exe
                    DNS/IP: ffvgdsv.ug
                Started: icacls.exe (1)
                    Started: conhost.exe
                2 other processes

Screenshots

(screenshot thumbnails are not reproduced in the text version of this report)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
31.exe | 74% | Virustotal |
31.exe | 24% | Metadefender |
31.exe | 77% | ReversingLabs | Win32.Infostealer.Racealer
31.exe | 100% | Avira | TR/AD.Crysis.slaiv

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\10.exe | 100% | Avira | TR/Kryptik.pwjxv
C:\Users\user\AppData\Roaming\2.exe | 100% | Avira | DR/Delphi.vmrvj
C:\Users\user\AppData\Roaming\21.exe | 100% | Avira | TR/AD.AgentTesla.vbfpc
C:\Users\user\AppData\Roaming\12.exe | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Roaming\17.exe | 100% | Avira | TR/AD.StellarStealer.cqjpr
C:\Users\user\AppData\Roaming\20.exe | 100% | Avira | TR/AD.VBCryptor.fqgod
C:\Users\user\AppData\Roaming\22.exe | 100% | Avira | TR/Dropper.MSIL.nkkbi
C:\Users\user\AppData\Roaming\19.exe | 100% | Avira | TR/AD.VBCryptor.dplvu
C:\Users\user\AppData\Roaming\14.exe | 100% | Avira | TR/Crypt.ZPACK.zbsyd
C:\Users\user\AppData\Roaming\13.exe | 100% | Avira | TR/AD.VBCryptor.zlvmk
C:\Users\user\AppData\Roaming\18.exe | 100% | Avira | TR/AD.Swotter.pxvkb
C:\Users\user\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe | 100% | Avira | TR/AD.VBCryptor.zlvmk
C:\Users\user\AppData\Roaming\16.exe | 100% | Avira | TR/Dropper.Gen
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\15.exe | 100% | Avira | TR/AD.VBCryptor.qvkoq
C:\Users\user\AppData\Roaming\11.exe | 100% | Avira | TR/AD.Swotter.vtqjg
C:\Users\user\AppData\Roaming\10.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\2.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\12.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\17.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\22.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\14.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\18.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\16.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\11.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe | 84% | Metadefender |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe | 96% | ReversingLabs | Win32.Ransomware.Crysis
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe | 19% | Metadefender |
C:\Users\user\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe | 71% | ReversingLabs | Win32.Trojan.Vebzenpak
C:\Users\user\AppData\Roaming\10.exe | 27% | Metadefender |
C:\Users\user\AppData\Roaming\10.exe | 87% | ReversingLabs | Win32.Trojan.Kryptik
C:\Users\user\AppData\Roaming\11.exe | 66% | Metadefender |
C:\Users\user\AppData\Roaming\11.exe | 84% | ReversingLabs | ByteCode-MSIL.Trojan.FormBook
C:\Users\user\AppData\Roaming\12.exe | 57% | Metadefender |
C:\Users\user\AppData\Roaming\12.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.NetSeal
C:\Users\user\AppData\Roaming\13.exe | 19% | Metadefender |
C:\Users\user\AppData\Roaming\13.exe | 71% | ReversingLabs | Win32.Trojan.Vebzenpak
C:\Users\user\AppData\Roaming\14.exe | 22% | Metadefender |
C:\Users\user\AppData\Roaming\14.exe | 81% | ReversingLabs | Win32.Infostealer.Racealer
C:\Users\user\AppData\Roaming\15.exe | 16% | Metadefender |
C:\Users\user\AppData\Roaming\15.exe | 86% | ReversingLabs | Win32.Infostealer.PonyStealer

Unpacked PE Files

Source | Detection | Scanner | Label
39.0.18.exe.c60000.0.unpack | 100% | Avira | HEUR/AGEN.1136141
27.1.14.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.2.exe.26d0000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
13.0.7.exe.400000.0.unpack | 100% | Avira | TR/AD.VBCryptor.cciav
27.0.14.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1136028
15.2.8.exe.7e0000.0.unpack | 100% | Avira | HEUR/AGEN.1137332
4.2.2.exe.23f0000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
36.0.13.exe.400000.0.unpack | 100% | Avira | TR/AD.VBCryptor.zlvmk
24.0.13.exe.400000.0.unpack | 100% | Avira | TR/AD.VBCryptor.zlvmk
28.0.15.exe.400000.0.unpack | 100% | Avira | TR/AD.VBCryptor.qvkoq
20.0.10.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1136028
6.0.3.exe.400000.0.unpack | 100% | Avira | TR/AD.VBCryptor.ulxin
8.0.4.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137280
6.2.3.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1135507
22.2.12.exe.fd0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
21.2.11.exe.3f0000.0.unpack | 100% | Avira | HEUR/AGEN.1135794
12.2.6.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
22.0.12.exe.fd0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
27.2.14.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137972
19.2.9.exe.580000.0.unpack | 100% | Avira | HEUR/AGEN.1136898
12.0.6.exe.400000.0.unpack | 100% | Avira | TR/AD.UrsnifDropper.xapkh
18.2.2.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
23.0.3.exe.400000.0.unpack | 100% | Avira | TR/AD.VBCryptor.ulxin
33.0.17.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1136028
12.1.6.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
28.2.15.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1135507
20.2.10.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137972
39.2.18.exe.c60000.0.unpack | 100% | Avira | HEUR/AGEN.1136141
36.2.13.exe.22c0000.0.unpack | 100% | Avira | TR/AD.VBCryptor.zlvmk
33.2.17.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137972
15.0.8.exe.7e0000.0.unpack | 100% | Avira | HEUR/AGEN.1137332
13.2.7.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1135507
4.2.2.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
18.1.2.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
19.0.9.exe.580000.0.unpack | 100% | Avira | HEUR/AGEN.1136898
24.2.13.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137666
31.0.16.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
33.1.17.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
31.2.16.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
21.0.11.exe.3f0000.0.unpack | 100% | Avira | HEUR/AGEN.1135794

Domains

Source | Detection | Scanner | Label
shawcn1.sytes.net | 5% | Virustotal |
runeurotoolz.hopto.org | 1% | Virustotal |
telete.in | 4% | Virustotal |
sensomaticloadcell.com | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://thebigredapple.net/wp-content/uploads/2009/07/scott_reeder_american_dick.jpg | 0% | Avira URL Cloud | safe
http://www.xnview.comJ | 0% | Avira URL Cloud | safe
https://sibelikinciel.xyz | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
https://sectigo.com/CPS0B | 0% | Avira URL Cloud | safe
http://www.photosez.com/images/challenges/answers/1853/f41ee1953a2d72b1d9fdda355e3405d9_00000000-000 | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
shawcn1.sytes.net | 0.0.0.0 | true | false |  | unknown
nodejs.org | 104.20.22.46 | true | false |  | high
smtp.yandex.ru | 77.88.21.158 | true | false |  | high
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | 3.223.115.185 | true | false |  | high
runeurotoolz.hopto.org | 0.0.0.0 | true | false |  | unknown
telete.in | 195.201.225.248 | true | false |  | unknown
sensomaticloadcell.com | 148.66.138.171 | true | false |  | unknown
www.bestmedicationstore.com | unknown | unknown | false |  | unknown
ffvgdsv.ug | unknown | unknown | false |  | unknown
www.fisioservice.com | unknown | unknown | false |  | unknown
smtp.ecojett.co | unknown | unknown | false |  | unknown
smtp.yandex.com | unknown | unknown | false |  | high
tdaztq.by.files.1drv.com | unknown | unknown | false |  | high
onedrive.live.com | unknown | unknown | false |  | high
www.sensomaticloadcell.com | unknown | unknown | false |  | unknown
sibelikinciel.xyz | unknown | unknown | false |  | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://b.vimeocdn.com/ts/433/181/433181005_640.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://www.genitalsurgerybelgrade.com/admin/uploads/Outcome_after_penile_reconstruction.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://origin-ars.els-cdn.com/content/image/1-s2.0-S019096220501488X-gr5.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://xaf.xanga.com/54be253506d37284803879/z227269259.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
https://sectigo.com/CPS0 | 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://upload.wikimedia.org/wikipedia/commons/1/14/Erect_penis3.png | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://ocsp.sectigo.com0 | 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://thebigredapple.net/wp-content/uploads/2009/07/scott_reeder_american_dick.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.xnview.comJ | 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://sibelikinciel.xyz | 6.exe | false | Avira URL Cloud: safe | unknown
http://i.imgur.com/MXfKOl.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://www.pegym.com/forums/members/vikingman-albums-my-penis-before-i-start-jp90-picture17193-still | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://www.genitalsurgerybelgrade.com/admin/uploads/Penile_carcinoma3_001.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://25.media.tumblr.com/75120c9da3c7b904df34a194c3e2743a/tumblr_mi5079TNHE1qktt95o1_500.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://upload.wikimedia.org/wikipedia/commons/c/cd/Human_Penis.png | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.pegym.com/wp-content/uploads/2013/05/HappyPenis1.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://upload.wikimedia.org/wikipedia/commons/2/2c/Normal_erect_penis.JPG | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
https://sectigo.com/CPS0B | 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.photosez.com/images/challenges/answers/1853/f41ee1953a2d72b1d9fdda355e3405d9_00000000-000 | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.meatspin.com | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://i845.photobucket.com/albums/ab17/mtgman123/Herpes-On-Penis-6_zpsfd9dc212.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://www.dermnet.com/dn2/allJPG3/Lichen-Sclerosus-Penis-37.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://upload.wikimedia.org/wikipedia/commons/0/0d/Penis_ultra06.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://i.imgur.com/tbnq3.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://www.genitalsurgerybelgrade.com/admin/uploads/Penile_carcinoma1_001.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://www.genitalsurgerybelgrade.com/admin/uploads/Penile_carcinoma2_001.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://thi.uloz.to/a/9/1/a91a3952080abe8277b7e881d9651ff5.640x360.jpg | 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp | false | - | high
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

(Map legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs)

Public

IP | Domain | Country | ASN | ASN Name | Malicious
195.201.225.248 | unknown | Germany | 24940 | HETZNER-ASDE | false
104.20.22.46 | unknown | United States | 13335 | CLOUDFLARENETUS | false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321991
Start date: 24.11.2020
Start time: 09:24:22
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 17m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 31.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.adwa.spyw.evad.winEXE@79/168@120/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 94.1% (good quality ratio 84.8%)
• Quality average: 76.6%
• Quality standard deviation: 32.3%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): audiodg.exe, backgroundTaskHost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Created / dropped Files have been reduced to 100
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 2.18.68.82, 51.103.5.186, 104.108.39.131, 152.199.19.161, 104.43.193.48, 13.107.42.13, 13.107.42.12, 52.255.188.83
• Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, l-0004.l-msedge.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, go.microsoft.com, l-0003.l-msedge.net, emea1.notify.windows.com.akadns.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, odc-by-files-brs.onedrive.akadns.net, odc-web-geo.onedrive.akadns.net, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, odc-by-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, odc-by-files-geo.onedrive.akadns.net, cs9.wpc.v0cdn.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
09:25:45 | API Interceptor | 42x Sleep call for process: 8.exe modified
09:25:48 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Dokumen4 C:\Users\user\AppData\Local\Temp\Dibromob\PRECONCE.vbs
09:26:01 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run feeed C:\Windows\system32\pcalua.exe -a C:\Users\user\AppData\Roaming\feeed.exe
09:26:07 | API Interceptor | 7x Sleep call for process: 10.exe modified
09:26:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Dokumen4 C:\Users\user\AppData\Local\Temp\Dibromob\PRECONCE.vbs
09:26:28 | API Interceptor | 4x Sleep call for process: 14.exe modified
09:26:29 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce PANOREREDEOPTIM C:\Users\user\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.vbs
09:26:49 | Task Scheduler | Run new task: hgstrnee path: "C:\Users\user\AppData\Roaming\27.exe" s>/I hgstrnee
09:27:03 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run feeed C:\Windows\system32\pcalua.exe -a C:\Users\user\AppData\Roaming\feeed.exe
09:27:24 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run 16.exe C:\Windows\System32\16.exe
09:27:51 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\16.exe
09:28:09 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PickerHost.url
09:28:40 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce PANOREREDEOPTIM C:\Users\user\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.vbs
09:29:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run CpSnJ C:\Users\user\AppData\Local\Temp\CpSnJ\CpSnJ.exe

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
195.201.225.248 | http://telete.in | malicious | telete.in/
104.20.22.46 | RFQ-HSO-76411758-1.jar | malicious | -
104.20.22.46 | jar.jar | malicious | -
104.20.22.46 | T-online.de.jar.zip | malicious | -
104.20.22.46 | PO Quotation.jar | malicious | -
104.20.22.46 | taFb3igNeB.jar | malicious | -
104.20.22.46 | taFb3igNeB.jar | malicious | -
104.20.22.46 | Rechnung 1.jar | malicious | -
104.20.22.46 | DHL_Nov 2020 at 1.60_8BZ290_JPG.jar | malicious | -
104.20.22.46 | DHL_Nov 2020 at 1.30_8BZ290_JPG.jar | malicious | -
104.20.22.46 | VEM RFQ.jar | malicious | -
104.20.22.46 | VEM RFQ.jar | malicious | -
104.20.22.46 | FedEx #187320605737.jar | malicious | -
104.20.22.46 | Statement 04 Oct-20.img.jar | malicious | -
104.20.22.46 | Statement 04 Oct-20.img.jar | malicious | -
104.20.22.46 | Facture Octobre #052020.pdf.jar | malicious | -
104.20.22.46 | AWB051120.jar | malicious | -
104.20.22.46 | Remittance Advice 06 Nov_20.jar | malicious | -
104.20.22.46 | Remittance Advice 06 Nov_20.jar | malicious | -
104.20.22.46 | Ordine Novembre.jar | malicious | -
104.20.22.46 | Shipment_774994746621.jar | malicious | -

Domains

Match | Associated Sample Name / URL | Detection | Context
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | Shipping Documents (INV,PL,BL)_pdf.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | ORDER LIST.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | ALPHA_PO_16201844580.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | H4A2-423-EM152-010.TIF.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | Cirwgl94Bl.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | wPthy7dafVcH94f.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | Agolives.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | lzQr2RjcQJ.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | xYctZarwRn.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | mani.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | PO8479349743085.exe | malicious | 3.223.115.185
smtp.yandex.ru | SecuriteInfo.com.Trojan.PackedNET.469.3076.exe | malicious | 77.88.21.158
smtp.yandex.ru | productSpec_2141176 PHES.xlsx | malicious | 77.88.21.158
smtp.yandex.ru | VhkiqePZan.exe | malicious | 77.88.21.158
smtp.yandex.ru | Request for Quotation for supply - specification and requirements for south american market.exe | malicious | 77.88.21.158
smtp.yandex.ru | SecuriteInfo.com.Trojan.PackedNET.461.20928.exe | malicious | 77.88.21.158
smtp.yandex.ru | CdmgSj4BO8.exe | malicious | 77.88.21.158
smtp.yandex.ru | rURZ9qp1cE.exe | malicious |
                                                                                                                                  • 77.88.21.158
                                                                                                                                  kaeHibiTa3.exeGet hashmaliciousBrowse
                                                                                                                                  • 77.88.21.158
                                                                                                                                  ZBldmfU3KWpJB3r.exeGet hashmaliciousBrowse
                                                                                                                                  • 77.88.21.158
                                                                                                                                  RFQs.xlsmGet hashmaliciousBrowse
                                                                                                                                  • 77.88.21.158
                                                                                                                                  nnab.exeGet hashmaliciousBrowse
                                                                                                                                  • 77.88.21.158
                                                                                                                                  Purchase Order903882772.exeGet hashmaliciousBrowse
                                                                                                                                  • 77.88.21.158
                                                                                                                                  Proof Of Payment...Absa.exeGet hashmaliciousBrowse
                                                                                                                                  • 77.88.21.158
                                                                                                                                  6266715850.xlsxGet hashmaliciousBrowse
                                                                                                                                  • 77.88.21.158
                                                                                                                                  Request for Quotation Commercial Offer and Official PriceList for 2020.exeGet hashmaliciousBrowse
                                                                                                                                  • 77.88.21.158
                                                                                                                                  cL6qhldO7O.exeGet hashmaliciousBrowse
                                                                                                                                  • 77.88.21.158
                                                                                                                                  PSR002330 - DURSTONE CADE S L.xlsxGet hashmaliciousBrowse
                                                                                                                                  • 77.88.21.158
                                                                                                                                  SWIFT.exeGet hashmaliciousBrowse
                                                                                                                                  • 77.88.21.158
                                                                                                                                  c9o0CtTIYT.exeGet hashmaliciousBrowse
                                                                                                                                  • 77.88.21.158
                                                                                                                                  MD6J6Opim9.exeGet hashmaliciousBrowse
                                                                                                                                  • 77.88.21.158
                                                                                                                                  nodejs.orgFedEx AWB #2893627763.24.11.20.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.23.46
                                                                                                                                  FedEx AWB #2893627763.24.11.20.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.23.46
                                                                                                                                  RFQ-HSO-76411758-1.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.23.46
                                                                                                                                  RFQ-HSO-76411758-1.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  jar.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  T-online.de.jar.zipGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  PO Quotation.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  PO Quotation.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.23.46
                                                                                                                                  Mailbox-Terms&Conditions.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.23.46
                                                                                                                                  Mailbox-Terms&Conditions.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.23.46
                                                                                                                                  taFb3igNeB.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  taFb3igNeB.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  Rechnung 1.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.23.46
                                                                                                                                  Rechnung 1.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  DHL_Nov 2020 at 1.60_8BZ290_JPG.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  DHL_Nov 2020 at 1.60_8BZ290_JPG.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.23.46
                                                                                                                                  FEDEX1090231102994010211000.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.23.46
                                                                                                                                  FEDEX1090231102994010211000.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.23.46
                                                                                                                                  DHL_Nov 2020 at 1.30_8BZ290_JPG.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.23.46
                                                                                                                                  DHL_Nov 2020 at 1.30_8BZ290_JPG.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46

                                                                                                                                  ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                                                                                                  JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                                                  02_extracted.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  https://protect-eu.mimecast.com/s/HPS1C6XWNSMg8gQup-dAS?domain=linkbuildingseohub.com/Get hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  meWMpiDNKM.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  list of equipment.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  ntfsmgr.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  Specification-037-31-08.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  04_extracted.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  Order Quotation ....jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  Order Quotation ....jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  tsts11.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  tsts11.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  Spec#-0537354-17-08.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  Spec#-0537354-17-08.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  Spec-10-8-20.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  Spec-10-8-20.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  Payment Advice.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  https://1drv.ms/u/s!AjkNQ7L0-bMSkmSt07fhRYHCFhZm?e=136OWpGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46
                                                                                                                                  ORDER SPECIFICATIONS.jarGet hashmaliciousBrowse
                                                                                                                                  • 104.20.22.46

Dropped Files

Match: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe
Associated sample (Detection: malicious):
• payload.exe

Match: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Associated samples / URLs (all Detection: malicious):
• ORDER FORM DENK.exe
• niMONOdcTZ.exe
• XiCfDFLACR.exe
• Q7kSO3iJN3.exe
• BL, Invoices.exe
• crypt.exe
• IEcYhddAMD.exe
• FRI5A2QZI7.exe
• kM16L0Vybr.exe
• SecuriteInfo.com.Generic.mg.e1df690a980825ac.exe
• 9SI5dPQJ7G.exe
• FH11m70Scj.exe
• http://cdn.discordapp.com/attachments/776234221668270104/776349109195898880/AWB_DHL733918737WA56301224799546260.pdf.7z
• bKs9QjrX1q.exe
• Y7ET38qc5y.exe
• IIOCxnn1ho.exe
• Jn3wr6uaNK.exe
• ODoXtvoj7j.exe
• jG1KyDSHKK.exe
• 1w7eJazhPu.exe

Created / dropped Files

C:\$Recycle.Bin\S-1-5-18\desktop.ini.id-63AF7DE9.[Bit_decrypt@protonmail.com].BOMBO
Process: C:\Users\user\AppData\Roaming\16.exe
File Type: data
Category: dropped
Size (bytes): 378
Entropy (8bit): 6.962927020736794
Encrypted: false
SSDEEP: 6:Fk5uihM56ssu0EphKvISGwkH1Tl8YTnRsVc6WCaZ2EHiDECVr+YxTGNykC+VMxKy:W57qwBwYve3H1TrR0G2pDEB0KzC+VMxt
MD5: CBA6B40EA0FD1AF5191B33ECA7305851
SHA1: 9D962C84FFAB88E95A30FC930CE82793B363F763
SHA-256: 04C74A4568792C06BEC52004E2A54FE705730A8B8DAF0DD2ACB168FF571A6076
SHA-512: 8576BA2BDE62E4E5F1800E0082168377B80DE86A9AD08C8269ACF5B6BA316DF010C7F6993E05916355AFD689C27CC4E2C45B13CEF0288D7164C7FE3D38B4636D
Malicious: false
Preview: .y*}.w..A...\Pv.....D..r...SD...tI*...|.r..8.h.-..N...9............^.~ ...[.........j.b)....\.v}B..i...5.....P.j.9`.m?...4.8..6.. ~....C............zA............ .......d.e.s.k.t.o.p...i.n.i...YR3GUF..aj. `.t..Y.b..>).b...I...;.......v;.](-3.k..;5H..3.M....OSF.S...>..DL.)...[sz.=.SR~.N5.......q.t.B.)#0...q|..... ...A!.._f~/..R.a.lT...^.C.&.t...?.......Y8...

C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.ini.id-63AF7DE9.[Bit_decrypt@protonmail.com].BOMBO
Process: C:\Users\user\AppData\Roaming\16.exe
File Type: data
Category: dropped
Size (bytes): 378
Entropy (8bit): 6.922775523979601
Encrypted: false
SSDEEP: 6:u+5cxNhL6PZa1s2Or03RFmNz56WCaZ2UT1elIVr+YxTGNykC+VMxKtHJ/Hml:fqjL6RZpoL2sG2AeB0KzC+VMxK//Hml
MD5: FB05D0CB8E01EA29AD020004CBB14064
SHA1: 23B2528714E3E82D71E0A5B6C12B1B50FADFB9ED
SHA-256: 3CB564AE2FC7C3B886F8D28D0E2484D6D32FC2496F91C7137FAF4C966D1236A6
SHA-512: 6193F8407AA7A7841E3E862440D6D927377EFD540EE6925E6D966DDE23C85680EC57AE76E071DB1740BFF734DDAE4212FE2DCA7A3102BAC143DC17BCD7D1AD4B
Malicious: true
Preview: ,....(..^..Q9....v...Q...$1......`...o..V.7..c.iS\.$...\...p3...b.vX|..'..bM`.j....+....z.FP..Ru..W`....:.s<6.<...S=..l..J.G.!.'..(.es..............zA............ .......d.e.s.k.t.o.p...i.n.i...YR3GUF..aj. `.t..Y.b..>)F..:.+.`..ov.......v;.](-3.k..;5H..3.M....OSF.S...>..DL.)...[sz.=.SR~.N5.......q.t.B.)#0...q|..... ...A!.._f~/..R.a.lT...^.C.&.t...?.......Y8...

C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\desktop.ini.id-63AF7DE9.[Bit_decrypt@protonmail.com].BOMBO
Process: C:\Users\user\AppData\Roaming\16.exe
File Type: data
Category: dropped
Size (bytes): 378
Entropy (8bit): 7.003625639745402
Encrypted: false
SSDEEP: 6:vg5ySoSog3rCp52y0dRHWqe6/by6WCaZ2GZc/3FVr+YxTGNykC+VMxKtHJ/Hml:vP43YqWqeC5G2GZ03a0KzC+VMxK//Hml
MD5: 13ED0C831CCDFF0F8A8FAA029C890DF3
SHA1: EF99CEABDACC0F3A64E861421BEF5E29ED6EBDC1
SHA-256: 3D59B6F70219EAE015F97D00E373E32FA3D9672F180699907B71278071603071
SHA-512: 26D4A9EF829786FAB5BC07D5D69A97B6AA2234FB6078D785DD685C8963F29881C0EAE95222896D9717B5F8C1113673801975E9CC2EBA7EA0593DDCA3AEC1620C
Malicious: false
Preview: .N.y..t.)ra?...ClJ.B.z........u.T....q8..!. ..Q.....,..,.*s..Rg:>..<Fz"...S$x.w.O..X.j..e......._......W..$.V2..y..?.C.Kl...e.Z..#..@..........zA............ .......d.e.s.k.t.o.p...i.n.i...YR3GUF..aj. `.t..Y.b..>)....%I.-...:......v;.](-3.k..;5H..3.M....OSF.S...>..DL.)...[sz.=.SR~.N5.......q.t.B.)#0...q|..... ...A!.._f~/..R.a.lT...^.C.&.t...?.......Y8...

C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini.id-63AF7DE9.[Bit_decrypt@protonmail.com].BOMBO
Process: C:\Users\user\AppData\Roaming\16.exe
File Type: data
Category: dropped
Size (bytes): 378
Entropy (8bit): 6.970497864586424
Encrypted: false
SSDEEP: 6:20kXqex68h1Rj0fQTVdDM9I2+BRV3DuU6WCaZ2AmXVr+YxTGNykC+VMxKtHJ/Hml:LAJhgEMO2TG2jQ0KzC+VMxK//Hml
MD5: B8D426C1B2FC3F1EB4694FDB212F0C74
SHA1: FEA9C3FC78BE21733D92503E4F21D4933A864C49
SHA-256: E550471F7513A422475F28870C9B5A5AAF107232901F096DD3263B55F89AB8BD
SHA-512: D3B7D24DAE1EB1AE66576705322BE73C7B8229E450696F2A097B1C8CCE9D84AA6BD35092F9471D83B6412579DFC8BE67308243916B1A0B1DAE33F3BE26812ED2
Malicious: false
Preview: Z.E.....VUO_:st.p...hW.d...........;......^....ap...+6&..|O..!&.a...2Q..;.4Y.I.l........L.(59/E.m...B...?....N....Z....K`c'..!o..............zA............ .......d.e.s.k.t.o.p...i.n.i...YR3GUF..aj. `.t..Y.b..>).O^....2Ad.i..q....v;.](-3.k..;5H..3.M....OSF.S...>..DL.)...[sz.=.SR~.N5.......q.t.B.)#0...q|..... ...A!.._f~/..R.a.lT...^.C.&.t...?.......Y8...

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe
Process: C:\Users\user\AppData\Roaming\16.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 94720
Entropy (8bit): 7.440949090833539
Encrypted: false
SSDEEP: 1536:mBwl+KXpsqN5vlwWYyhY9S4A40fMnvzbBb3b2wKbs1V3Mr:Qw+asqN5aW/hLdMvzbMlUK
MD5: 56BA37144BD63D39F23D25DAE471054E
SHA1: 088E2AFF607981DFE5249CE58121CEAE0D1DB577
SHA-256: 307077D1A3FD2B53B94D88268E31B0B89B8C0C2EE9DBB46041D3E2395243F1B3
SHA-512: 6E086BEA3389412F6A9FA11E2CAA2887DB5128C2AD1030685E6841D7D199B63C6D9A76FB9D1ED9116AFD851485501843F72AF8366537A8283DE2F9AB7F3D56F0
Malicious: true
Yara Hits:
• Rule: MAL_Ransomware_Wadhrama, Description: Detects Wadhrama Ransomware via Imphash, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, Author: Florian Roth
• Rule: JoeSecurity_Wadhrama, Description: Yara detected Wadhrama Ransomware, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 84%
• Antivirus: ReversingLabs, Detection: 96%
Joe Sandbox View:
• Filename: payload.exe, Detection: malicious
C:\ProgramData\Oracle\Java\.oracle_jre_usage\cce3fe3b0d8d83e2.timestamp
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 57
Entropy (8bit): 4.777820444210045
Encrypted: false
SSDEEP: 3:oFj4I5vpN6yUZbWdSG5Uov:oJ5X6yOOSGKy
MD5: C77E788C0FF29146F379B21A77F2ED20
SHA1: C7A306BA79328DB2020EE65B30E8233C5782F3B3
SHA-256: 0EE3F13A72AE3E364B14D9F949097DA6A1C3712F175F53DC3A1639E515ECA7D7
SHA-512: E1017A8CCF5052C81B74A2495B00A61F81D5509A97BFF7173911FDF478D010535EE17D9E12A0E3F7FC307B6B113EA758058F0AA372DA5D23CADA360AB3B35851
Malicious: false
Preview: C:\Program Files (x86)\Java\jre1.8.0_211..1606238723061..
C:\Users\user\3D Objects\desktop.ini.id-63AF7DE9.[Bit_decrypt@protonmail.com].BOMBO
Process: C:\Users\user\AppData\Roaming\16.exe
File Type: data
Category: dropped
Size (bytes): 538
Entropy (8bit): 7.331069458432567
Encrypted: false
SSDEEP: 12:IedYomsCfu9/n9pDSH9oy39PrYo+Yw0kHG21qZB0KzC+VMxK//Hml:BOoms++FpDON5UswX1qcez/Gl
MD5: 9DA61B5D703AA7461C2FD804A7D7116F
SHA1: 0062809D8D1E957676A6DC8BCCEF77275F261A55
SHA-256: 96B501E441C87704E65A245A5840BEB717FA1951EB326969EE40D1B211FB9DBC
SHA-512: F17F4CC73E85CE0370E33DF014CE61C9F38055EC3CD6CC92B1222A12DFB067C846A4FBDEE0B8243390BA62212DA374B298D7423D9FDF93AC47DFAD8A7AF9B735
Malicious: false
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.id-63AF7DE9.[Bit_decrypt@protonmail.com].BOMBO
Process: C:\Users\user\AppData\Roaming\16.exe
File Type: data
Category: dropped
Size (bytes): 1288
Entropy (8bit): 7.750090548257741
Encrypted: false
SSDEEP: 24:o6Lyio+ofTlXmH/IFNaMDAmPDe0AjOgicvR0WIkkxjkm7RfoL/QOCLmHLyspkdd0:JLhBONGYgi2exxkt4mryXdd5i
MD5: A362D8345BE09921CF69D62EA4644BE0
SHA1: 0305983F40DA3A02A09374ED7461DDC52E490DD1
SHA-256: D4311755265B4AD8169C2B506E3D399745E7FB90203AFFDE17037D77E16F1A6C
SHA-512: 24347F11DE91063534BD2D2E50CFB3E4EF2F7043C902E14585C92BB53B1294FB42824320F5881591B2388E1CEF41B942F979DF50A05C375D9D72910B0159139F
Malicious: false
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.id-63AF7DE9.[Bit_decrypt@protonmail.com].BOMBO
Process: C:\Users\user\AppData\Roaming\16.exe
File Type: data
Category: dropped
Size (bytes): 80646
Entropy (8bit): 7.997462012307578
Encrypted: true
SSDEEP: 1536:CIOLZvKW1E8rzYmUKtervyv9jDosyRq2a1Mi0mOekRssdycH65TSkeXFK:CIOLF71PPYuer8VDCA2YOJRnF6reVK
MD5: 46FBA69D55BED34EEC37ACD07B149CEA
SHA1: E33B01389017DE95ECBE230EAC16EFCF2F09F330
SHA-256: E9950755D18DA2B4CC7DD2CBAC5C7129776682F9936B36547AF6A5B9094726AA
SHA-512: E115C968F6B4527809EEC554504B1F66BBAC9DD5001970EC9B5CDB2B86D44B5A32D1F0EED5219494D945F3CE4B81B235B8A19CBBB0EFDDB40844131DA127D00B
Malicious: false
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.id-63AF7DE9.[Bit_decrypt@protonmail.com].BOMBO
Process: C:\Users\user\AppData\Roaming\16.exe
File Type: data
Category: dropped
Size (bytes): 9806
Entropy (8bit): 7.976235931622355
Encrypted: false
SSDEEP: 192:wyCZ6hHEu7Rl67/uC5nCnJz39SscxUM77z4UL3ZjfrDccFw5bL7pfFi:wyhEu7Rl6juCUJztSscGu5jrDcQOPNFi
MD5: F0C731B4455E75E2A29E881BFE440634
SHA1: 8CBC3CE3A8EA7AF8979CD3C5179BC5D57829F5AD
SHA-256: BB53E809B92E1A2F0C497691BB37EA3743394F14B58E4BCC274BC7204E644973
SHA-512: 0CF4D6442FA26B70A501258ECB817AD666B53ADEE3DEBE1CDE6B3FB0BE912E07D1903CD8F63B0F751435F574EAE5F7A9299E59A91F7B05CD0E42F8076CA2F88C
Malicious: false
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.id-63AF7DE9.[Bit_decrypt@protonmail.com].BOMBO
Process: C:\Users\user\AppData\Roaming\16.exe
File Type: data
Category: modified
Size (bytes): 252254
Entropy (8bit): 7.999286145706664
Encrypted: true
SSDEEP: 6144:eCrsiivN4fmVoCaS+DjxM96XRDNwwiLSNjY:FIiqGfmVP3+DjqwiLSm
MD5: 228679B6049CC66F8D8EE5DF418AF987
SHA1: 946F4DF54DB14A8EAC2FB9D7331A0A482FD76FA8
SHA-256: B837DE52566E17FFA93EF79D48A3A5B7EB4CF9E51F9048DEA61AB732DBAD13B2
SHA-512: D840524B9A7622701698BEDF632F4B90496969570BE20C986FF50D7AFE35AF536DB4F87A77C9461F170356F270C97152E8336C799C4D4CAC8D64645949617394
Malicious: false
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.id-63AF7DE9.[Bit_decrypt@protonmail.com].BOMBO
Process: C:\Users\user\AppData\Roaming\16.exe
File Type: data
Category: dropped
Size (bytes): 12548
Entropy (8bit): 7.981632746417613
Encrypted: false
SSDEEP: 384:X5OvTcvi8h8e76ogqSB7+otfpiLDSNqIxPfFwGu1I:X5OOi817jgqS+ShASNHxvcI
MD5: 7307BA2F8609180D52D8D3B24D387FC5
SHA1: EC1F9BE231F0099348C929EE313A878BDA8345F5
SHA-256: 09A0F30145BB68A8518E3A43D952EB59C56B7B85757E5E14216DF9D7707DE572
SHA-512: 7563EC0211F2A7AB7C864C5EC275F58947CD00447C88F8D878B5957469BB7CB5981E2A05541F70BD3657FD4268CC067E67DDF5FC90EA695FCA800824EA3D41DE
Malicious: false
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.id-63AF7DE9.[Bit_decrypt@protonmail.com].BOMBO
Process: C:\Users\user\AppData\Roaming\16.exe
File Type: data
Category: dropped
Size (bytes): 32894
Entropy (8bit): 7.993880713370895
Encrypted: true
SSDEEP: 768:twKfSSfAO6e9gEJBtE71EptUekQ+LcuM29emPJCoDWqIcbL:LN76eietW1zesj9emRCk/L
MD5: 8A6B0C1D87B43218812EA8E9FD7536CF
SHA1: EE10675FA528AE1B3B5545A57687E66BAE8E26C4
SHA-256: E0337CD2D046FD6B608DF57AACB263D0C3E8BC65CE28033A9F00C365F3B11902
SHA-512: 5905CC87EBFF09168BA9E71CDB07331CB3118709A3111D0D701EA952976044564B7BA0C28B9CE1E9A5EE97652FDF28504C40F714C577CC888337B103002735B0
Malicious: false

C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst.id-63AF7DE9.[Bit_decrypt@protonmail.com].BOMBO
Process: C:\Users\user\AppData\Roaming\16.exe
File Type: data
Category: dropped
Size (bytes): 848
Entropy (8bit): 7.5889277520535225
Encrypted: false
SSDEEP: 12:Gbyir2VRc8esmtTz6TalQHkqMI1y8CYNdxrzHCh7JFnSEwZ+E50Q0BtExbSd0qd9:wyRczFWkeAwycFjiNFpgxxbx8SNbdd5K
MD5: E8947BFB70053331FA6B00CF24B146F1
SHA1: BB2C61FA5540915A281A7660FBD0D22B02028518
SHA-256: B59F06BA029ECAFCEBBB11DD5937B1F719D7ED230225AD327C944686534583E8
SHA-512: 231DF7B8CA2F45A192485E71181306979FCD51CC1C9F54B44AD22F675D22E3EE3681720AAA324D090B5624E90F78F50FE04E11668BEB787EF0A40E38E11BAED7
Malicious: false

C:\Users\user\AppData\Local\Temp\F93E.tmp\F93F.tmp\F940.bat
Process: C:\Users\user\Desktop\31.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 755
Entropy (8bit): 4.0481947856997875
Encrypted: false
SSDEEP: 12:NSFFCGcuE9BaEBJEIueZNqFhuFnBFUPFpBFt6pFftFOFnFJuFJ30BALNE/yBzKEO:QFgGcuE9BaEBq3eZwTubQ/BypfkNLuTU
MD5: BA36077AF307D88636545BC8F585D208
SHA1: EAFA5626810541319C01F14674199AB1F38C110C
SHA-256: BEC099C24451B843D1B5331686D5F4A2BEFF7630D5CD88819446F288983BDA10
SHA-512: 933C2E5DE3BC180DB447E6864D7F0FA01E796D065FCD8F3D714086F49EC2F3AE8964C94695959BEACF07D5785B569FD4365B7E999502D4AFA060F4B833B68D80
Malicious: false
Preview: @shift /0..@echo off..start %appdata%\1.jar..start %appdata%\2.exe..start %appdata%\3.exe..start %appdata%\4.exe..start %appdata%\5.exe..start %appdata%\6.exe..start %appdata%\7.exe..start %appdata%\8.exe..start %appdata%\9.exe..start %appdata%\10.exe..start %appdata%\11.exe..start %appdata%\12.exe..start %appdata%\13.exe..start %appdata%\14.exe..start %appdata%\15.exe..start %appdata%\16.exe..start %appdata%\17.exe..start %appdata%\18.exe..start %appdata%\19.exe..start %appdata%\20.exe..start %appdata%\21.exe..start %appdata%\22.exe..start %appdata%\23.exe..start %appdata%\24.exe..start %appdata%\25.exe..start %appdata%\26.exe..start %appdata%\27.exe..start %appdata%\28.exe..start %appdata%\29.exe..start %appdata%\30.exe..start %appdata%\31.exe

C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Process: C:\Users\user\AppData\Roaming\8.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 41064
Entropy (8bit): 6.164873449128079
Encrypted: false
SSDEEP: 384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
MD5: EFEC8C379D165E3F33B536739AEE26A3
SHA1: C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
SHA-256: 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
SHA-512: 497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: ORDER FORM DENK.exe, Detection: malicious
• Filename: niMONOdcTZ.exe, Detection: malicious
• Filename: XiCfDFLACR.exe, Detection: malicious
• Filename: Q7kSO3iJN3.exe, Detection: malicious
• Filename: BL, Invoices.exe, Detection: malicious
• Filename: crypt.exe, Detection: malicious
• Filename: IEcYhddAMD.exe, Detection: malicious
• Filename: FRI5A2QZI7.exe, Detection: malicious
• Filename: kM16L0Vybr.exe, Detection: malicious
• Filename: SecuriteInfo.com.Generic.mg.e1df690a980825ac.exe, Detection: malicious
• Filename: 9SI5dPQJ7G.exe, Detection: malicious
• Filename: FH11m70Scj.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: bKs9QjrX1q.exe, Detection: malicious
• Filename: Y7ET38qc5y.exe, Detection: malicious
• Filename: IIOCxnn1ho.exe, Detection: malicious
• Filename: Jn3wr6uaNK.exe, Detection: malicious
• Filename: ODoXtvoj7j.exe, Detection: malicious
• Filename: jG1KyDSHKK.exe, Detection: malicious
• Filename: 1w7eJazhPu.exe, Detection: malicious

C:\Users\user\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe
Process: C:\Users\user\AppData\Roaming\13.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 69632
Entropy (8bit): 5.1890463495811465
Encrypted: false
SSDEEP: 768:BBA2ouzTe5mP/OZQ/MTmfP7dilw7hAd7o35XyUKLhqmgwHS+lBb+6XNE1lzW:BbK0/t/VL8q7hAdM8tpnNXNEn
MD5: 349F49BE2B024C5F7232F77F3ACD4FF6
SHA1: 515721802486ABD76F29EE6ED5B4481579AB88E5
SHA-256: 262D38348A745517600ABE0719345C6D17C8705DD3B4D67E7A545A94B9388B60
SHA-512: A6C9A96C7738F6408C28B1579009167136CE9D3D68DEB4C02F57324D800BCE284F5D63A9D589651E8AB37B2AC17BF94E9BD59C63AAA3B66F0891E55BA7D646A0
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Metadefender, Detection: 19%
• Antivirus: ReversingLabs, Detection: 71%

C:\Users\user\AppData\Roaming\1.jar
Process: C:\Users\user\Desktop\31.exe
File Type: Java archive data (JAR)
Category: dropped
Size (bytes): 9900
Entropy (8bit): 7.508567751520895
Encrypted: false
SSDEEP: 192:GXxfTBcDFG4RQT1vT0baQhpN2d0ZtavZgrWseU5P:sx7BcD84+vAbaQDN2d0ziZLUl
MD5: A5D6701073DBE43510A41E667AABA464
SHA1: E3163114E4E9F85FFD41554AC07030CE84238D8C
SHA-256: 1D635C49289D43E71E2B10B10FBB9EA849A59EACEDFDB035E25526043351831C
SHA-512: 52F711D102CB50FAFEFC2A9F2097660B950564FF8E9324471B9BD6B7355321D60152C78F74827B05B6332D140362BD2C638B8C9CDB961431AB5114E01851FBE4
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: C:\Users\user\AppData\Roaming\1.jar, Author: Joe Security

C:\Users\user\AppData\Roaming\10.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 421888
Entropy (8bit): 7.763407095558549
Encrypted: false
SSDEEP: 6144:TmtqBpgmAjEKKoHNOMlWPK40AELuhTvOvRhyf8T+2+XHajW/hHwPYvGYECxS7/:Rj0/rAPK40AsulGvRcaaHajW53QCY
MD5: 68F96DA1FC809DCCDA4235955CA508B0
SHA1: F182543199600E029747ABB84C4448AC4CAFEF82
SHA-256: 34B63AA5D2CFF68264891F11E8D6875A38FF28854E9723B1DB9C154A5ABE580C
SHA-512: 8512AA47D9D2062A8943239AB91A533AD0FA2757AAC8DBA53D240285069DDBBFF8456DF20C58E063661F7E245CB99CCBB49C6F9A81788D46072D5C8674DA40F7
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 27%
• Antivirus: ReversingLabs, Detection: 87%

C:\Users\user\AppData\Roaming\11.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 367104
Entropy (8bit): 7.58761853923235
Encrypted: false
SSDEEP: 6144:e63vySINq574S8oDv6Z/pkBjOXB7Y/DqLCxOPgURtZhVpk7VFsxHfGn+9WnBsgs2:e63qPNWMh8vWGgmmvP/TZTe7oxHfG+9+
MD5: 9D4DA0E623BB9BB818BE455B4C5E97D8
SHA1: 9BC2079B5DD2355F4D98A2FE9879B5DB3F2575B0
SHA-256: 091FF5F5BAB1CBB2D27A32FEDAFF1F64DD4004E4A68665E8D606E28585D928A8
SHA-512: 6E6FAB5F4A045349717762FF782527E778B40C5F41CE32428C63AEA0DD6E8B73BFDAF3AC55474275F716E9F84632906196EDAFC4337D816055A69B2EA0904E37
Malicious: true
Antivirus:
• Avira: 100%
• Joe Sandbox ML: 100%
• Metadefender: 66%
• ReversingLabs: 84%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........c...J..........0...x...........................................~9..,p.g.9.wZ@.._.a..[c.H#....B......cb...-i7.9.....+k.,.V..q...n......3..Ka...{5...L,'V.$.U}.._."k....hZ.W.......".........9..W.L..9.PB8...T.Tdj....k............-... T.'.|.m}[.g.B....F.k...N.V.u..,s.5......|..4_.:.....].P[..4e...0!&.Mi.P.J..+QV.. +R....]O.C.....T...]...S.....;?g.u'..".f.(..._.d.BS@,*..Xs....:.T..e..]d..g.K.O....:..'-. z.. ...u.....B....@.TTy...R$..3...Z.1.=...^..Zi..>..........

C:\Users\user\AppData\Roaming\12.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 207872
Entropy (8bit): 5.367604357829135
Encrypted: false
SSDEEP: 3072:DNWEVgmcebG4mZw4I4mZmET3N60YkEFP2TW4mZ:DLgm9bGjZw4IjZmETXqjZ
MD5: 192830B3974FA27116C067F019747B38
SHA1: 469FD8A31D9F82438AB37413DAE81EB25D275804
SHA-256: 116E5F36546B2EC14ABA42FF69F2C9E18ECDE3B64ABB44797AC9EFC6C6472BFF
SHA-512: 74EBE5ADB71C6669BC39FC9C8359CC6BC9BB1A77F5DE8556A1730DE23104FE95EC7A086C19F39706286B486314DEAFD7E043109414FD5CE0584F2FBBC6D0658A
Malicious: true
Antivirus:
• Avira: 100%
• Joe Sandbox ML: 100%
• Metadefender: 57%
• ReversingLabs: 71%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D.W................................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc...............*..............@..B........................H.......(7..\...........pw...............................................0...........s.........o.......o......o....r...po....&.o....r...po....&.o....rI..po....&.ro..po......,...i......+.......-4........+.........o.....o....&....X.......i......-..s......r...pr...po.......o......s.......>............o........o....o..............:........o....o......+r..o ...tD.....................r...p......o!.......r...p......o"....E.......r...p......o#......($...r...p...(%...&...o&.......-...

C:\Users\user\AppData\Roaming\13.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 69632
Entropy (8bit): 5.1890463495811465
Encrypted: false
SSDEEP: 768:BBA2ouzTe5mP/OZQ/MTmfP7dilw7hAd7o35XyUKLhqmgwHS+lBb+6XNE1lzW:BbK0/t/VL8q7hAdM8tpnNXNEn
MD5: 349F49BE2B024C5F7232F77F3ACD4FF6
SHA1: 515721802486ABD76F29EE6ED5B4481579AB88E5
SHA-256: 262D38348A745517600ABE0719345C6D17C8705DD3B4D67E7A545A94B9388B60
SHA-512: A6C9A96C7738F6408C28B1579009167136CE9D3D68DEB4C02F57324D800BCE284F5D63A9D589651E8AB37B2AC17BF94E9BD59C63AAA3B66F0891E55BA7D646A0
Malicious: true
Antivirus:
• Avira: 100%
• Metadefender: 19%
• ReversingLabs: 71%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L....jR..................... ....................@.................................8...........................................(...........................................................................(... ....................................text...L........................... ..`.data...$...........................@....rsrc...............................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\14.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 507904
Entropy (8bit): 7.12875324490502
Encrypted: false
SSDEEP: 6144:CEAi+nC7ByjfdrPrIUf6y5DnySic/O/IFaQoBxIy5HfKkIai72oYsjNp:L+CwrdI+hqc/OQFWxIoTIR72rs
MD5: 9ACD34BCFF86E2C01BF5E6675F013B17
SHA1: 59BC42D62FBD99DD0F17DEC175EA6C2A168F217A
SHA-256: 384FEF8417014B298DCA5AE9E16226348BDA61198065973537F4907AC2AA1A60
SHA-512: 9DE65BECDFC9AAAB9710651376684EE697015F3A8D3695A5664535D9DFC34F2343CE4209549CBF09080A0B527E78A253F19169D9C6EB6E4D4A03D1B31DED8933
Malicious: true
Antivirus:
• Avira: 100%
• Joe Sandbox ML: 100%
• Metadefender: 22%
• ReversingLabs: 81%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L...~..\.................j...........*............@..........................`......(.......................................\t..(.... ..`;..........................0...............................P(..@............................................text....i.......j.................. ..`.data...@............n..............@....rsrc...`;... ...<..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\15.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 65536
Entropy (8bit): 5.375534679376702
Encrypted: false
SSDEEP: 768:RjXuaPRsPVidQh3avLQdvd7JHFIGhCDouQ+3ev09R8gEyFaX5Y3VKd:9+9PVidQmstHIou/3ev0HEyFaX2
MD5: D43D9558D37CDAC1690FDEEC0AF1B38D
SHA1: 98E6DFDD79F43F0971C0EAA58F18BCE0E8CBF555
SHA-256: 501C921311164470CA8CB02E66146D8E3F36BAA54BFC3ECB3A1A0ED3186ECBC5
SHA-512: 9A357C1BBC153DDC017DA08C691730A47AB0FF50834CDC69540EDE093D17D432789586D8074A4A8816FB1928A511F2A899362BB03FEAB16CA231ADFDC0004ACA
Malicious: true
Antivirus:
• Avira: 100%
• Metadefender: 16%
• ReversingLabs: 86%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......Q.....................0....................@.........................................................................4...(...........................................................................(... ....................................text...8........................... ..`.data...t...........................@....rsrc............ ..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\16.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 94720
Entropy (8bit): 7.440949090833539
Encrypted: false
SSDEEP: 1536:mBwl+KXpsqN5vlwWYyhY9S4A40fMnvzbBb3b2wKbs1V3Mr:Qw+asqN5aW/hLdMvzbMlUK
MD5: 56BA37144BD63D39F23D25DAE471054E
SHA1: 088E2AFF607981DFE5249CE58121CEAE0D1DB577
SHA-256: 307077D1A3FD2B53B94D88268E31B0B89B8C0C2EE9DBB46041D3E2395243F1B3
SHA-512: 6E086BEA3389412F6A9FA11E2CAA2887DB5128C2AD1030685E6841D7D199B63C6D9A76FB9D1ED9116AFD851485501843F72AF8366537A8283DE2F9AB7F3D56F0
Malicious: true
Yara Hits:
• Rule: MAL_Ransomware_Wadhrama, Description: Detects Wadhrama Ransomware via Imphash, Source: C:\Users\user\AppData\Roaming\16.exe, Author: Florian Roth
• Rule: JoeSecurity_Wadhrama, Description: Yara detected Wadhrama Ransomware, Source: C:\Users\user\AppData\Roaming\16.exe, Author: Joe Security
Antivirus:
• Avira: 100%
• Joe Sandbox ML: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gaT.............~..............................Rich....................PE..L...r..X.........................................@.............................................................................(...................................0...................................................(............................text...%........................... ..`.rdata..6&.......(..................@..@.data..............................@...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\17.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 508416
Entropy (8bit): 7.130192674029213
Encrypted: false
SSDEEP: 6144:U5AsPB11nhnbsG6rvCXkYvs+88VFrbCRESudmcg98yxQsNDSYC49mEmstDip:GPBPnhbsRKXv588pSCmd8yx93Vmjs
MD5: 15A05615D617394AFC0231FC47444394
SHA1: D1253F7C5B10E7A46E084329C36F7692B41C6D59
SHA-256: 596566F6CB70D55B1B0978A0FAB4CFFD5049559545FE7EE2FA3897CCBC46C013
SHA-512: 6DEEA7C0C3795DE7360B11FA04384E0956520A3A7BF5405D411B58487A35BBA51EACA51C1E2DDA910D4159C22179A9161D84DA52193E376DFDF6BDFBE8E9F0F1
Malicious: true
Antivirus:
• Avira: 100%
• Joe Sandbox ML: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L...N.m].................l...........*............@..........................`...............................................v..(.... ..`;..........................0...............................P(..@............................................text....k.......l.................. ..`.data...@............p..............@....rsrc...`;... ...<..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\18.exe
Process:C:\Users\user\Desktop\31.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):420864
Entropy (8bit):7.505859957698974
Encrypted:false
SSDEEP:12288:/Xi2sbRksUhd4cEw+o0mvbYdAcf0nRba7qoOu:62oRUhXXtFqOt/u
MD5:BF15960DD7174427DF765FD9F9203521
SHA1:CB1DE1DF0C3B1A1CC70A28629AC51D67901B17AA
SHA-256:9187706072F008A27C26421791F57EC33A59B44B012500B2DB3EEB48136FB2DA
SHA-512:7E8B9907233234440135F27AD813DB97E20790BAF8CB92949AE9185FA09CB4B7B0DA35B6DA2B33F3AC64A33545F32F959D90D73F7A6A4F14988C8AC3FD005074
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^................................. ... ....@.. ....................................@.................................<...W....@..0.................... ....................................................... ............... ..H............text........ ...................... ..`.reloc....... ......................@..B.rsrc...0....@......................@..@................x.......H........F..................8............................................(....('...*..(....*..{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....(....*..{....*"..}....*...2.(.........*...6..( ...(....*....*..0#...........o....(.....o......E........H.......H.......H....... ...........H...7...H...H.......N...H...H...H...|...H...e.......H...0...8C.....tu...o....(!...(....8......tv...o.....(....8......t....o*....(....8......te...o.....(....8......tY...oS....(....8......t
C:\Users\user\AppData\Roaming\19.exe
Process:C:\Users\user\Desktop\31.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):65536
Entropy (8bit):5.138662248263347
Encrypted:false
SSDEEP:1536:MI+AtwHKZA+ZeDFwR9oJ8F7AS7BWdlPjQQn:ZtevZORmJ8SDvHn
MD5:FF96CD537ECDED6E76C83B0DA2A6D03C
SHA1:EC05B49DA2F8D74B95560602B39DB3943DE414CB
SHA-256:7897571671717742304ACDE430E5959C09FD9C29FBBE808105F00A1F663927AC
SHA-512:24A827FDA9DB76C030852EF2DB73C6B75913C9EE55E130A3C9A7C6FF7AFF0FB7192FF1C47CD266B91500A04657B2DA61A5FC00E48E7FBC27A6CBC9B7D91DAA4B
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...s..Y.....................0....................@.................................o..........................................(...........................................................................(... ....................................text............................... ..`.data...t...........................@....rsrc............ ..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\2.exe
Process:C:\Users\user\Desktop\31.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):696320
Entropy (8bit):7.111401427922594
Encrypted:false
SSDEEP:12288:ImAkV+u+nTM8IC9iz3ZflCyaf2CFbnb9AX0M7PV1B2sC2eqn9A6WwsUKVy:1UFTM814hadJ8ddeqn9D
MD5:715C838E413A37AA8DF1EF490B586AFD
SHA1:4AEF3A0036F9D2290F7A6FA5306228ABDBC9E6E1
SHA-256:4C21A70DBC6B9BC5E1EE1E7506EE205EECDB14CC45571423E6BCC86DBE4001E7
SHA-512:AF13C0EFB1552BBFBB517E27FF70A00CBA5C230E3D2E707BD28A9CCCE40E0402793C4ECC32BA1418F19A3744B78B89E5C8709EAE3AD5F883C474832C182DE861
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................B...X......<Q.......`....@..............................................@...............................!...P..D.......................@n..................................................................................CODE.....A.......B.................. ..`DATA.... ....`.......F..............@...BSS..................Z...................idata...!......."...Z..............@....tls.................|...................rdata...............|..............@..P.reloc..@n.......p...~..............@..P.rsrc...D....P......................@..P.....................X..............@..P........................................................................................................................................
C:\Users\user\AppData\Roaming\20.exe
Process:C:\Users\user\Desktop\31.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):65536
Entropy (8bit):5.3400070147634775
Encrypted:false
SSDEEP:768:7FrtXu91DBzpwNtlyWv77zehpI9CX6/0BBwNqYk7Cf7MYiI:pJ+L817v77t0X6/0zYk7Cf7iI
MD5:DDCDC714BEDFFB59133570C3A2B7913F
SHA1:D21953FA497A541F185ED87553A7C24FFC8A67CE
SHA-256:BE3E6008DDE30CB959B90A332A79931B889216A9483944DC5C0D958DEC1B8E46
SHA-512:A1D728751490C6CF21F9597C6DF6F8DB857C28D224B2D03E6D25CE8F17557ACCBD8EF2972369337B9D3305D5B9029001E5300825C23CE826884DCEE55B37562C
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...}.#W.....................0....................@..................................x..........................................(...........................................................................(... ....................................text............................... ..`.data...t...........................@....rsrc............ ..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\21.exe
Process:C:\Users\user\Desktop\31.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):397312
Entropy (8bit):7.906199800781096
Encrypted:false
SSDEEP:6144:QQk968UNAhzFt52TIEK2rinDB1noNx1ymJqy4VwSpIqxxqrRqkLDnUlQ:GK6ptOWDkvJqy4bc/L7U
MD5:9A7F746E51775CA001EFD6ECD6CA57EA
SHA1:7EA50DE8DD8C82A7673B97BB7CCD665D98DE2300
SHA-256:C4C308629A06C9A4AF93FBD747ED2421E2FF2460347352366E51B91D19737400
SHA-512:20CD6AF47A92B396AE565E0A21D3ACAA0D3A74BCDCCC1506A55DEA891DA912B03256BA9900C2C089FE44D71210E3C100BA4601CF4D6C9B492A2CE0D323D4C57F
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^..............0.............."... ...@....@.. ....................................@.................................L"..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................."......H........c...J......_...T....s...........................................0..{............s....}.....s....}......}......}.....(.......(......(......s....% ....o.....}.....{...........s....o......{.....o.....*..0............{.......s....o......{.......s....o......{.......s....o......{.......s....o......{.......s....o......{.......s....o......{.......s....o......{.......s....o......{.......s....o......{........s....o......{........s....o.....*.0..!.........(.......(.......(.....
C:\Users\user\AppData\Roaming\22.exe
Process:C:\Users\user\Desktop\31.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1547264
Entropy (8bit):7.985837033002535
Encrypted:false
SSDEEP:24576:Btfzn83OZdOpSOKnnnBC12uacGIqsFWSTI0OJUAMekzSjS9mmCJad18lfWK4E6ou:Pzn83wdkSJBW1GIqsF9TIfJrzkAS99Hv
MD5:48E9DF7A479E3FD63064EC66E2283A45
SHA1:A8DCCE44DE655A97A3448758B397A37D1F7DB549
SHA-256:C7D8C3C379DCC42FA796B07B6A9155826D39CBD2F264BC68D22A63B17C8EF7DF
SHA-512:6CC839F118CAD9982EC998665B409DC297A8CFF9B23EC2A9105D15CF58D9ADBF46D0048DDA76C8E1574F6288D901912B7DE373920B68B53DBDA43D6075611016
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^............................. ....... ....@.. .......................@............@.....................................W.......@"........................................................................... ..................H...........u('3o.Ln..... ......................@....text............................... ..`.rsrc...@".......$...t..............@..@.reloc..............................@..B............. ...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\23.exe
Process:C:\Users\user\Desktop\31.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):131072
Entropy (8bit):5.1340602045868575
Encrypted:false
SSDEEP:3072:YeraZCkz8+a92rT2pNeZB0b7nx0RGs7GgaD1UA2n3KH23vJwvTVIvVZT+8Y6:7vkLaxm
MD5:0DCA3348A8B579A1BFA93B4F5B25CDDD
SHA1:1EE1BCFD80CD7713093F9C053EF2D8C2CD673CD7
SHA-256:C430A15C1712A571B0CD3ED0E5DFEEFA7E78865A91BDC12E66666CD37C0E9654
SHA-512:F0A17A940DD1C956F2578ED852E94631A9762FDD825ED5160B3758E427E8EFA2FF0BFC83F239976B1D2765FEFC8F9182E41C2DA8F5746B36D4B7D189CB14A1B8
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......Z.....................0....................@...........................................................................(...........................................................................(... ....................................text...4........................... ..`.data...t...........................@....rsrc............ ..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Roaming\24.exe
                                                                                                                                                                            Process:C:\Users\user\Desktop\31.exe
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):409088
                                                                                                                                                                            Entropy (8bit):7.909073259736735
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12288:sSyQ1uMC1uBQM8qX3x6n8GnCc+mIqGm6/aCMX:sS3YbMhRK8GnPTIOgaC
                                                                                                                                                                            MD5:43728C30A355702A47C8189C08F84661
                                                                                                                                                                            SHA1:790873601F3D12522873F86CA1A87BF922F83205
                                                                                                                                                                            SHA-256:CECDF155DB1D228BC153EBE762D7970BD6A64E81CF5F977343F906A1E1D56E44
                                                                                                                                                                            SHA-512:B2D0882D5392007364E5F605C405B98A375E34DEC63BE5D16D9FAE374313336FA13EDBB6B8894334AFB409833FFC0DBBC9BE3D7B4263BDF5B77DBFF9F2182E1E
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|q.^..............0..2...........P... ...`....@.. ....................................@..................................O..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............<..............@..B.................O......H........c..lK......_....................................................0..{............s....}.....s....}......}......}.....(.......(......(......s....% ....o.....}.....{...........s....o......{.....o.....*..0............{.......s....o......{.......s....o......{.......s....o......{.......s....o......{.......s....o......{.......s....o......{.......s....o......{.......s....o......{.......s....o......{........s....o......{........s....o.....*.0..!.........(.......(.......(.....
                                                                                                                                                                            C:\Users\user\AppData\Roaming\25.exe
                                                                                                                                                                            Process:C:\Users\user\Desktop\31.exe
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):65536
                                                                                                                                                                            Entropy (8bit):5.422072243293651
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:1536:+/L+n1l1QwMVNOpJnxYLMaR0rznXX7Hw9T:JMkJnyb0rznnLwB
                                                                                                                                                                            MD5:4BBCDF7F9DEB1025CA56FA728D1FFF48
                                                                                                                                                                            SHA1:BDC80DFB759C221A850AC29664A27EFD8D718A89
                                                                                                                                                                            SHA-256:D2C49CE7E49109214A98EAA2D39F0749C1E779BD139AF1CADAE55E1CCB55753B
                                                                                                                                                                            SHA-512:EA78C4935864DCDDBF6F0516E1D5C095C4814AC988CCC038D0DC11C1FAB7127DED45FF35B12BAD845422C20F45311101706F0EF14CB1D629277AE276A2535383
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...l..W.....................0....................@.............................................................................(...........................................................................(... ....................................text.............................. ..`.data...t...........................@....rsrc............ ..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Roaming\26.exe
                                                                                                                                                                            Process:C:\Users\user\Desktop\31.exe
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):590336
                                                                                                                                                                            Entropy (8bit):7.801581282705874
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12288:GvEiv5OLAedu+cxfduwNBtfM5OdK4SOXZjZcaRW7sDciN8tUDzMh8FlyDZA:Gco5Oxu+ofdji5OY4t
                                                                                                                                                                            MD5:C3DA5CB8E079024E6D554BE1732C51CF
                                                                                                                                                                            SHA1:E8F4499366FE67C9AE6FD1F5ACBF56A9B956D4C3
                                                                                                                                                                            SHA-256:D7479A2F9F080742D17077FB4CCFC24583FA7A35842BA505CD43ED266734CE1F
                                                                                                                                                                            SHA-512:2395E084AEF01C2A3F18524EE2C860F21E785849CE588A6AC7F58B45B6F7BA6DD25C052C49CC41DD72B3EBB7D476D88787AA273AF82AFC6FE17EB9E0AD4D7043
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....16...............0..z...........`....... ....@.. ....................................@.....................................K.... .......................@.......................................................`..................H...........M.qO.*[v.e... ...f..................@....text...0w.......x...j.............. ..`.rsrc........ ......................@..@.reloc.......@......................@..B.............`...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Roaming\27.exe
                                                                                                                                                                            Process:C:\Users\user\Desktop\31.exe
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):642560
                                                                                                                                                                            Entropy (8bit):5.512456581925804
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:6144:6Wua+Ibn2rqMO+4ykMJGXQIPV77s3fBHeg487ebTkOEe:6VaF2rqP+4k0V7oPOE
                                                                                                                                                                            MD5:3D2C6861B6D0899004F8ABE7362F45B7
                                                                                                                                                                            SHA1:33855B9A9A52F9183788B169CC5D57E6AD9DA994
                                                                                                                                                                            SHA-256:DBE95B94656EB0173998737FB5E733D3714C8E3B58226A1A038CA85257C8B064
                                                                                                                                                                            SHA-512:19B28A05D6E0D6026FB47A20E2FF43BFDF32387EE823053DCD4878123B20730C0EA65D01FF25080C484F67EEEDB2CAA45B4B5EB01A3A3BB2D3BC5246CC73AA6E
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^...............2.d...f.......e............@..........................................................................#.......P..4............................................................................)...............................text....c.......d.................. ..`.rdata...............h..............@..@.data....8.......:..................@....rsrc...4....P.......*..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Roaming\28.exe
                                                                                                                                                                            Process:C:\Users\user\Desktop\31.exe
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):65536
                                                                                                                                                                            Entropy (8bit):5.396260265860007
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:768:oXudKRlhdO0PoZChnzyva07/9fZLWhiwYVEZPeDIDj/PAafbrRT9R:o+dWfdO0Pa4ziaGZZGZPeq/PAa3R
                                                                                                                                                                            MD5:2EF457653D8AEB241637C8358B39863F
                                                                                                                                                                            SHA1:578ED06D6C32C44F69A2C2454F289FB0A5591F30
                                                                                                                                                                            SHA-256:DCFFE599C886878ED4BED045140BD13D7BC9BD5085163EA00857AA09A93F4060
                                                                                                                                                                            SHA-512:16F98C1D29B8CFAAF3003C5264CA6B4363764C351D5106919EAF2C3BFAB26E0FB189DD0E0B82B4D294BA5F3FE535D71CD25C93C2BF9FD27D84C2DD0A2BC99B69
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....TM.....................0....................@.................................P...........................................(...........................................................................(... ....................................text...,........................... ..`.data...t...........................@....rsrc............ ..................@..@l.[J............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Roaming\29.exe
                                                                                                                                                                            Process:C:\Users\user\Desktop\31.exe
                                                                                                                                                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):2768896
                                                                                                                                                                            Entropy (8bit):7.920440146277786
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:49152:Nn9lSFGEc34bOlUiLWnOkjPURdstK/RJBNkSoKdo3Rd9YReAmYnnLnI1k:NnTEGEcb3LWnOkjPUX0sRJBNfHa3/W8w
                                                                                                                                                                            MD5:0009EFE13EAF4DD3D091BC6E9CA7C1E7
                                                                                                                                                                            SHA1:F2BE84149784DB1D1B7746AFDE07D781805BD35F
                                                                                                                                                                            SHA-256:DE30D86CFF3D838162AA88112A946DFB3AF84005DDA6BBC70CEE15E8DFF70BA3
                                                                                                                                                                            SHA-512:CF96410D5A528B52D92C37FAC77FF3A8326AD6C2B3BBE00B44D55C758C5521870B9149B2FE8F743E6E7D90259EAB5B3D19ED253ABB8BEA7660530C9B9EA70405
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L...G.\..................'..........*........(...@.................................s.+...............................'.E.....'.(.......`;..........................0........................(.......................................................text...E.'.......'................. ..`.data...@.....(.......'.............@....tls..................).............@....rsrc...`;.......<....).............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            C:\Users\user\AppData\Roaming\3.exe
                                                                                                                                                                            Process:C:\Users\user\Desktop\31.exe
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):65536
                                                                                                                                                                            Entropy (8bit):5.437755318915183
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:768:IPqTXu0Ee0J9PL8Ln0Rq4YK7NqqhGiZRYPPCI/YzHC2munTDWXQeYJurR:9T+0wH8Lnej597Yhw5TDWXQ3u
                                                                                                                                                                            MD5:D2E2C65FC9098A1C6A4C00F9036AA095
                                                                                                                                                                            SHA1:C61B31C7DBEBDD57A216A03A3DC490A3EA9F5ABD
                                                                                                                                                                            SHA-256:4D7421E6D0AC81E2292BCFF52F7432639C4F434519DB9CF2985B46A0069B2BE8
                                                                                                                                                                            SHA-512:B5BD047CA4EE73965719669B29478A9D33665752E1DBE0F575A2DA759B90819E64125675DA749624B2D8C580707FD6A932685AB3962B5B88353981E857FE9793
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....5P.....................0....................@..................................\..........................................(...........................................................................(... ....................................text... ........................... ..`.data...t...........................@....rsrc............ ..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\30.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1470976
Entropy (8bit): 7.292646421548412
Encrypted: false
SSDEEP: 24576:Ktb20pkaCqT5TBWgNQ7aW32hGJlOYETC+11w7qiJJVHCz496A:3Vg5tQ7aW32hOlETFTGxJVH2I5
MD5: FC44B935B0188657684C40113F7AB81C
SHA1: 76C4A1262EB49DAA55A24AADD7E3A48F2C22ABD2
SHA-256: F5B2489109D68B6AC83B453B8DF1C7E1E9EC2636E162EFDBAAB4D27C1CE2DD69
SHA-512: 95CDF42503A546B8C3DE9C1D0F0FFC5FCA9955739591E011EC1DFD8B5C83492BC14261BBB042275F281CC12B59EDB071E3DD72DAD64C11481D118910A6052F9A
Malicious: false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L......^..........".................t_............@..................................+....@...@.......@......................p..|....@.......................0..Ll..................................0'..@...............`............................text...O........................... ..`.rdata..B...........................@..@.data...T........b..................@....rsrc........@......................@..@.reloc..t....0......................@..B................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\31.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 65536
Entropy (8bit): 5.20163705563317
Encrypted: false
SSDEEP: 1536:V3+qSYG80/4+ZeDpMVVMJ8hP4SjZOBd7nUy6:DSGrZ2VKJ8CTbm
MD5: 4C4F3C4C8145B2BB3F79DC1A79F013A9
SHA1: 9B1D80F6F950D30D134537F16F1F24FB66A41543
SHA-256: F9F9B4E7ABF29743486AEB210D474FEE24B38A0E2F97D082AB0FE3DABC14B47B
SHA-512: 7C842577871A8BDF80A3DA9DAD91DEA92DCE764C00C874C821CBE2998A0A9D9921F0EFB28BD5465DEEF02A6A6FDCB682A75B25976D7FAC421FAD8BF39D1C6C37
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...*.gQ.....................0....................@.................................N..........................................(...........................................................................(... ....................................text............................... ..`.data...t...........................@....rsrc............ ..................@..@l.[J............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\4.dll
Process: C:\Users\user\AppData\Roaming\4.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2485264
Entropy (8bit): 6.646979581093372
Encrypted: false
SSDEEP: 24576:yqUUcYHqhhW1bCYo9mvn9YDq+0as+MqYrtaBwSbx3jMUAlZSVV4VHa4k3NkZpyM4:yJmFyqC4aeSN3oRlZyA/o7I3fOis
MD5: 986D769A639A877A9B8F4FB3C8616911
SHA1: BA1CC29D845D958BD60C989EAA36FDAF9DB7EA41
SHA-256: C94374155DDED12D9F90D16F03470B12B14C4DF109A9CF8DBF26E9CD66850457
SHA-512: 3A1E2A6B57278071906EE2D7B1F9CA6D1ED98084C80512DA854E5C1F73E480B92F2B1CCECCF87523184BF34250E3CB6A0E1172D7F5478777570F807820D9A187
Malicious: false
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....P.^..................!..R......d.!.......!...@...........................&.......................................".0.....".:=...@&..h...................."..C..................................................l.".d.....".^....................text....z!......|!................. ..`.itext........!.......!............. ..`.data....V....!..X....!.............@....bss.....l...."..........................idata..:=...."..>....!.............@....didata.^....."......0".............@....edata..0....."......<".............@..@.rdata..D....."......>".............@..@.reloc...C...."..D...@".............@..B.rsrc....h...@&..h....%.............@..@..............&.......%.............@..@........................................................
C:\Users\user\AppData\Roaming\4.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2700800
Entropy (8bit): 7.985150041592273
Encrypted: false
SSDEEP: 49152:kBAxF8n3cdlgjGgwrHzdszaZ5E6UKB5xipj6qKBlqX:kBECaNTdvzI61Blq
MD5: EC7506C2B6460DF44C18E61D39D5B1C0
SHA1: 7C3E46CD7C93F3D9D783888F04F1607F6E487783
SHA-256: 4E36DC0D37EAD94CBD7797668C3C240DDC00FBB45C18140D370C868915B8469D
SHA-512: CF16F6E5F90701A985F2A2B7AD782E6E1C05A7B6DC0E644F7BDD0350F717BB4C9E819A8E9F383DA0324B92F354C74C11B2D5827BE42E33F861C233F3BAAB687E
Malicious: false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Sbi.Sbi.Sbi.<..Zbi.<...Zbi.<..kbi.Z...Vbi.Sbh.2bi.<..Rbi.<..Rbi.<...Rbi.RichSbi.................PE..L...+=.]..................'........2,........(...@...................................*.....................................L.'.(.......`9..........................@........................(.......................................................text...>.'.......'................. ..`.data.........(.......'.............@....tls..................'.............@....rsrc...`9.......:....'.............@..@........................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\5.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 11776
Entropy (8bit): 5.173456967793414
Encrypted: false
SSDEEP: 192:hdNCR3+MNrJfGz90t3a0ajYTeSDy4amDTWG11h5O8zCd2TYaKldWD:hdkNtOQq0ajYTeIPLOo3O8GccaKldW
MD5: 4FCC5DB607DBD9E1AFB6667AB040310E
SHA1: 48AF3F2D0755F0FA644FB4B7F9A1378E1D318AB9
SHA-256: 6FB0EACC8A7ABAA853B60C064B464D7E87B02EF33D52B0E9A928622F4E4F37C7
SHA-512: A46DED4552FEBD7983E09069D26AB2885A8087A9D43904AD0FEDCC94A5C65FE0124BBF0A7D3E7283CB3459883E53C95F07FA6724B45F3A9488B147DE42221A26
Malicious: false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.W.................$...........C... ...`....@.. ....................................@.................................dC..W....`..............................,B............................................... ............... ..H............text....#... ...$.................. ..`.rsrc........`.......&..............@..@.reloc...............,..............@..B.................C......H........+..t............................................................0..|...............s....s.........~.....o.....~....o............s....s.........~.....o.....~....o.....~....(.........(.....~....(....&*.0.............+.. ....(...... ....X...~..........-.~....~....(...........-..(.....8.....r...pr...p(....r...pr...p(....s.....s......o....r...pr...p(....o......r...pr...p(....s....o......( ...r5..p(!...r9..p("...o#.....~....o$....rE..prc..p(%...s&......o'......o(......o)..
C:\Users\user\AppData\Roaming\6.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 232605
Entropy (8bit): 5.423718212124099
Encrypted: false
SSDEEP: 1536:JVS+N3WyTgsvrHb2IcMenJQcwtNvjf6lypSr2o5X+mz2dIxxXIogPwFE4e5:JVpRltHPxeCZ6Fj+mzqIx9vg
MD5: CF04C482D91C7174616FB8E83288065A
SHA1: 6444EB10EC9092826D712C1EFAD73E74C2ADAE14
SHA-256: 7B01D36AC9A77ABFA6A0DDBF27D630EFFAE555AAC9AE75B051C6EEDAF18D1DCF
SHA-512: 3ECA1E17E698C427BC916465526F61CAEE356D7586836B022F573C33A6533CE4B4B0F3FBD05CC2B7B44568E814121854FDF82480757F02D925E293F7D92A2AF6
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^...............2.6...(...............P....@..........................................................................w..d.......\............b..8$...........................................................x...............................text...'5.......6.................. ..`.rdata..E....P.......:..............@..@.data........`.......<..............@....rsrc...\............X..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\7.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 65536
Entropy (8bit): 5.354591933878196
Encrypted: false
SSDEEP: 768:pQZXuayX7rznPVKY1cu6rDJahVAJUVx4b/yYBHHoPBeLjQ2oMYOYu1:G+a+7fF1c3DniVHGn93Q2oMYk
MD5: 42D1CAF715D4BD2EA1FADE5DFFB95682
SHA1: C26CFF675630CBC11207056D4708666A9C80DAB5
SHA-256: 8EA389EE2875CC95C5CD2CA62BA8A515B15AB07D0DD7D85841884CBB2A1FCEEA
SHA-512: B21A0C4B19FFBAFB3CAC7FAD299617CA5221E61CC8D0DCA6D091D26C31338878B8D24FE98A52397E909AAAD4385769AEE863038F8C30663130718D577587527F
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....mOL.....................0....................@.................................hi..........................................(...........................................................................(... ....................................text............................... ..`.data...t...........................@....rsrc............ ..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\8.exe
Process: C:\Users\user\Desktop\31.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 682496
Entropy (8bit): 5.467275757816082
Encrypted: false
SSDEEP: 12288:M5GS7AGzH76VEt6fXEmT6JTn/unkZyNjcpKqx:MoSUGzH76NMmT6/89qtx
MD5: DEA5598AAF3E9DCC3073BA73D972AB17
SHA1: 51DA8356E81C5ACFF3C876DFFBF52195FE87D97F
SHA-256: 8EC9516AC0A765C28ADFE04C132619170E986DF07B1EA541426BE124FB7CFD2C
SHA-512: A6C674BA3D510120A1D163BE7E7638F616EEDB15AF5653B0952E63B7FD4C2672FAFC9638AB7795E76B7F07D995196437D6C35E5B8814E9AD866EA903F620E81E
Malicious: true
Yara Hits:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Roaming\8.exe, Author: Joe Security
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.^.................T...........s... ........@.. ....................................`.................................Ps..K.......I............................................................................ ............... ..H............text....S... ...T.................. ..`.rsrc...I............V..............@..@.reloc...............h..............@..B.................s......H........S..H ......5....4..>................................................;...g..#<...)../5......CM.....]...#....?...{...<.......r...<......%...W...m...d...Z...R........D...@...H......"q..............i.......V=.......J......5...r....w..zc..y*..jr..............#..h.......}.......b......u...*...}.......D...........*L...A..{...m...C_..h....f...................O......J...+.......Y..^.......-..p%...I..([..e....U...}...1......*...5V......s........f...+...!..........w...~...
                                                                                                                                                                            C:\Users\user\AppData\Roaming\9.exe
                                                                                                                                                                            Process:C:\Users\user\Desktop\31.exe
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):762368
                                                                                                                                                                            Entropy (8bit):7.389863526799688
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12288:9r5TpNl9E96cWBX2FqwaHJRZ3EW7Wsv8kixW3pFMcmyuWp7pPmTppppppppppppy:zTN9fBmdapHEaW0iUuyq8a9
                                                                                                                                                                            MD5:EA88F31D6CC55D8F7A9260245988DAB6
                                                                                                                                                                            SHA1:9E725BAE655C21772C10F2D64A5831B98F7D93DD
                                                                                                                                                                            SHA-256:33F77B1BCA36469DD734AF67950223A7B1BABD62A25CB5F0848025F2A68B9447
                                                                                                                                                                            SHA-512:5952C4540B1AE5F2DB48AAAE404E89FB477D233D9B67458DD5CECC2EDFED711509D2E968E6AF2DBB3BD2099C10A4556F7612FC0055DF798E99F9850796A832AD
                                                                                                                                                                            Malicious:false
                                                                                                                                                                             Preview: [binary PE image; raw header dump omitted]
                                                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\83aa4cc77f591dfc2374580bbd95f6ba_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):45
                                                                                                                                                                            Entropy (8bit):0.9111711733157262
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:/lwlt7n:WNn
                                                                                                                                                                            MD5:C8366AE350E7019AEFC9D1E6E6A498C6
                                                                                                                                                                            SHA1:5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
                                                                                                                                                                            SHA-256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
                                                                                                                                                                            SHA-512:33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ........................................J2SE.
                                                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\16.exe
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\16.exe
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):94720
                                                                                                                                                                            Entropy (8bit):7.440949090833539
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:1536:mBwl+KXpsqN5vlwWYyhY9S4A40fMnvzbBb3b2wKbs1V3Mr:Qw+asqN5aW/hLdMvzbMlUK
                                                                                                                                                                            MD5:56BA37144BD63D39F23D25DAE471054E
                                                                                                                                                                            SHA1:088E2AFF607981DFE5249CE58121CEAE0D1DB577
                                                                                                                                                                            SHA-256:307077D1A3FD2B53B94D88268E31B0B89B8C0C2EE9DBB46041D3E2395243F1B3
                                                                                                                                                                            SHA-512:6E086BEA3389412F6A9FA11E2CAA2887DB5128C2AD1030685E6841D7D199B63C6D9A76FB9D1ED9116AFD851485501843F72AF8366537A8283DE2F9AB7F3D56F0
                                                                                                                                                                            Malicious:true
                                                                                                                                                                             Preview: [binary PE image; raw header dump omitted]
                                                                                                                                                                            C:\Users\user\AppData\Roaming\feeed.exe
                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\8.exe
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):682496
                                                                                                                                                                            Entropy (8bit):5.467275757816082
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12288:M5GS7AGzH76VEt6fXEmT6JTn/unkZyNjcpKqx:MoSUGzH76NMmT6/89qtx
                                                                                                                                                                            MD5:DEA5598AAF3E9DCC3073BA73D972AB17
                                                                                                                                                                            SHA1:51DA8356E81C5ACFF3C876DFFBF52195FE87D97F
                                                                                                                                                                            SHA-256:8EC9516AC0A765C28ADFE04C132619170E986DF07B1EA541426BE124FB7CFD2C
                                                                                                                                                                            SHA-512:A6C674BA3D510120A1D163BE7E7638F616EEDB15AF5653B0952E63B7FD4C2672FAFC9638AB7795E76B7F07D995196437D6C35E5B8814E9AD866EA903F620E81E
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Yara Hits:
                                                                                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Roaming\feeed.exe, Author: Joe Security
                                                                                                                                                                             Preview: [binary PE image; raw header dump omitted]
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\CHANGELOG.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):55641
                                                                                                                                                                            Entropy (8bit):5.48429304075906
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:384:jO4mhhDVuShnZvkuW9brH68EvgHRHkyv2urnuAcRE667TlS0zKdLTQqa+nkQUBu5:8HDVuSh9q9brH60HR7HxW
                                                                                                                                                                            MD5:4B4151CB6CA2A9CD66238FB8EEC003A3
                                                                                                                                                                            SHA1:D0142FB715466B0B8FF0572DB972263128ABAE6D
                                                                                                                                                                            SHA-256:271FCB46F0552F847E6E5B88CDDD03168ED11E6E354B1C15FA92ED553B92EF5B
                                                                                                                                                                            SHA-512:22A3975B3809BB723A4FAF4E985BFE0394394183DC394726C5C007CD4F67FFA39AC02712ACA54B974E498D4ECC1BCEE6C3631AC50868B15C7A7673F41317D9BD
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: # Node.js Changelog....Select a Node.js version below to view the changelog history:....* [Node.js 13](doc/changelogs/CHANGELOG_V13.md) **Current**..* [Node.js 12](doc/changelogs/CHANGELOG_V12.md) **Long Term Support**..* [Node.js 11](doc/changelogs/CHANGELOG_V11.md) End-of-Life..* [Node.js 10](doc/changelogs/CHANGELOG_V10.md) Long Term Support..* [Node.js 9](doc/changelogs/CHANGELOG_V9.md) End-of-Life..* [Node.js 8](doc/changelogs/CHANGELOG_V8.md) End-of-Life..* [Node.js 7](doc/changelogs/CHANGELOG_V7.md) End-of-Life..* [Node.js 6](doc/changelogs/CHANGELOG_V6.md) End-of-Life..* [Node.js 5](doc/changelogs/CHANGELOG_V5.md) End-of-Life..* [Node.js 4](doc/changelogs/CHANGELOG_V4.md) End-of-Life..* [io.js](doc/changelogs/CHANGELOG_IOJS.md) End-of-Life..* [Node.js 0.12](doc/changelogs/CHANGELOG_V012.md) End-of-Life..* [Node.js 0.10](doc/changelogs/CHANGELOG_V010.md) End-of-Life..* [Archive](doc/changelogs/CHANGELOG_ARCHIVE.md)....Please use the following table to find the changelog for a sp
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\LICENSE
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:UTF-8 Unicode text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):78660
                                                                                                                                                                            Entropy (8bit):5.037214645673343
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:1536:agCpHubDXgE6gQTO98V9KTRjjIPzgzOY6Z2IJA1GUEYVzOCDSlEBvaSYUkwoELbq:gObrgjgQa9k9Aj8Pkz9IJ4zal2vxYURq
                                                                                                                                                                            MD5:698CF46FBBD1EF7145D1D4F4977E9743
                                                                                                                                                                            SHA1:03AB233704C529B1AFA63E800E7A98D97FE86D76
                                                                                                                                                                            SHA-256:EAC4065F78A73669E3058A72CB936D5C79E7CE766C6ACF87A6AB37CF8D702064
                                                                                                                                                                            SHA-512:D235B25020921937B204FC85D66642681CF973D4B2351CE066C9CFA2C9B347D3C8A9AD2714E05FC343F1930F1E2F73A5C95550E06C84998402BDE8A207C33764
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: Node.js is licensed for use as follows:...."""..Copyright Node.js contributors. All rights reserved.....Permission is hereby granted, free of charge, to any person obtaining a copy..of this software and associated documentation files (the "Software"), to..deal in the Software without restriction, including without limitation the..rights to use, copy, modify, merge, publish, distribute, sublicense, and/or..sell copies of the Software, and to permit persons to whom the Software is..furnished to do so, subject to the following conditions:....The above copyright notice and this permission notice shall be included in..all copies or substantial portions of the Software.....THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR..IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,..FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE..AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER..LIABILITY, WHETHER IN AN
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\install_tools.bat
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:DOS batch file, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):2951
                                                                                                                                                                            Entropy (8bit):4.919691691684371
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:nBE1+R7TbX7+hhRhQZ6PjAHRsnQ5hpWj54qlBygy1wHnEpKmrZw:BDR/SWQARsnCfqexhr2
                                                                                                                                                                            MD5:4E46AD93BAC466280DED1D0C19863A26
                                                                                                                                                                            SHA1:F4B635A74081CC34A02365404B3FE99FB03B6129
                                                                                                                                                                            SHA-256:4B1E875422E7A3BA28DC1A618E7569A27E2A491C161E0ADB742434B14F773BED
                                                                                                                                                                            SHA-512:D840B3B60BB549DDD8D7E488B74B56EAF12D749C05994C56FD33BC53B88B4C150E3917705837B4F6F72DAB46197697A8B3B6F7ABF94DE0145FCAAFED7F8346D9
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: @echo off....setlocal..title Install Additional Tools for Node.js....cls....echo ====================================================..echo Tools for Node.js Native Modules Installation Script..echo ====================================================..echo...echo This script will install Python and the Visual Studio Build Tools, necessary..echo to compile Node.js native modules. Note that Chocolatey and required Windows..echo updates will also be installed...echo...echo This will require about 3 Gb of free disk space, plus any space necessary to..echo install Windows updates. This will take a while to run...echo...echo Please close all open programs for the duration of the installation. If the..echo installation fails, please ensure Windows is fully updated, reboot your..echo computer and try to run this again. This script can be found in the..echo Start menu under Node.js...echo...echo You can close this window to stop now. Detailed instructions to install these..echo tools manually
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node.exe
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):54795416
                                                                                                                                                                            Entropy (8bit):6.5671628029108815
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:393216:GJNn0p9T9pTEozFcAts7q8hiDRXM5Giiy5d5wYE9jrBTOFo3SHWcGKP8PBq2FAdu:GQDb1J8WcGKtK63FQl
                                                                                                                                                                            MD5:18A6630DB8040AB7389D17783E306020
                                                                                                                                                                            SHA1:754149EB115CF889025AA1116F23742E231D9FF7
                                                                                                                                                                            SHA-256:C61B9279BE8701A3F66C482A166C4FFF9BA43DA64403158E4C4F82E271F309FA
                                                                                                                                                                            SHA-512:EC2D89E4262D42997993DBAB070FD2705F4F51CC282BACA98EDA58A4555856999E880F39ADA0C50AB3473A32FABFE99BE3F4F41C02E40F674E4ACBD539D1D373
                                                                                                                                                                            Malicious:false
                                                                                                                                                                             Preview: [binary PE image; raw header dump omitted]
C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_etw_provider.man
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 10630
Entropy (8bit): 4.42501285375615
Encrypted: false
SSDEEP: 96:Y55SUaOHITT3yclGnDJopeSd/82w9GbLN7ig2GbLN7+g2YGbLN7CSkThMz2OoQIc:4SjH/895kt+Nm1l4Ll
MD5: 1D51E18A7247F47245B0751F16119498
SHA1: 78F5D95DD07C0FCEE43C6D4FEAB12D802D194D95
SHA-256: 1975AA34C1050B8364491394CEBF6E668E2337C3107712E3EECA311262C7C46F
SHA-512: 1ECCBE4DDAE3D941B36616A202E5BD1B21D8E181810430A1C390513060AE9E3F12CD23F5B66AE0630FD6496B3139E2CC313381B5506465040E5A7A3543444E76
Malicious: false
Preview: <instrumentationManifest.. xmlns="http://schemas.microsoft.com/win/2004/08/events".. xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events".. xmlns:xs="http://www.w3.org/2001/XMLSchema">.. <instrumentation>.. <events>.. <provider name="NodeJS-ETW-provider".. guid="{77754E9B-264B-4D8D-B981-E4135C1ECB0C}".. symbol="NODE_ETW_PROVIDER".. message="$(string.NodeJS-ETW-provider.name)".. resourceFileName="node.exe".. messageFileName="node.exe">.... <tasks>.. <task name="MethodRuntime" value="1".. symbol="JSCRIPT_METHOD_RUNTIME_TASK">.. <opcodes>.. <opcode name="MethodLoad" value="10".. symbol="JSCRIPT_METHOD_METHODLOAD_OPCODE"/>.. </opcodes>.. </task>.. </tasks>.... <opcodes>..

C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\.licensee.json
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 260
Entropy (8bit): 4.556869783583283
Encrypted: false
SSDEEP: 6:3HCkN2Vr/zMgAgHwL1VTxWDi0RNmQ6u2U+sQAHfgo+MEJ1CxS/r:kLvgVlW+W6uvLf6PCxC
MD5: B133415ABE39E5C1865AAD84712B3941
SHA1: E988C32BFF0FC1F72D27EFCE28B01A32E7A4914E
SHA-256: 66218BC67A524799BA7CCAD7C493A8D24EEED81C07BED24E0C3034ABA6014061
SHA-512: C41C9C99308CD61E8428AD445A145966248AA98E7F778EDCEE32F7AAEB5B9B5F1E558F73D6FE0502A6B666F1A914CA9555F96EC5DB05F03A28410076E0AB1E1D
Malicious: false
Preview: {.. "licenses": {.. "spdx": [.. "CC-BY-3.0".. ],.. "blueOak": "bronze".. },.. "corrections": true,.. "packages": {.. "config-chain": "1.1.12",.. "cyclist": "0.2.2",.. "json-schema": "0.2.3",.. "qrcode-terminal": "0.12.0".. }..}..

C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\.mailmap
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type: UTF-8 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 3351
Entropy (8bit): 5.018239056625139
Encrypted: false
SSDEEP: 96:OVU0zaj2NomzBHkj2RuiEfvb14VuRRmU1:v02o3828XN1
MD5: 50FF5F4745B5210D1DDC6CB3AD21216B
SHA1: 298B624905B72D60D7613780E9C0FA0CEF9361E3
SHA-256: EC219650D5ED44D58B1F6CD6E8CCC116E118D7569E09ED19E9B80F5C8BE87D5B
SHA-512: 93F9A8D02C80C651D8BD5535F96D74AF48A6F14B5AFA9040809D9E8DBC06C0DA76165D34CE8A6BE78F04E12E44B5582730EAF904E048F5B3D322F7EB7C81B88E
Malicious: false
Preview: Alex K. Wolfe <alexkwolfe@gmail.com>..Andrew Bradley <cspotcode@gmail.com>..Andrew Lunny <alunny@gmail.com>..Arlo Breault <arlolra@gmail.com>..Ashley Williams <ashley@npmjs.com> <ashley666ashley@gmail.com>..Ashley Williams <ashley@npmjs.com> <ashley@bocoup.com>..Benjamin Coe <bencoe@gmail.com>..Benjamin Coe <bencoe@gmail.com> <ben@npmjs.com>..Brian White <mscdex@mscdex.net> <mscdex@gmail.com>..Cedric Nelson <cedric.nelson@gmail.com>..Charlie Robbins <charlie.robbins@gmail.com>..Claudia Hern.ndez <cghr1990@gmail.com>..Dalmais Maxence <root@ip-10-195-202-5.ec2.internal>..Danila Gerasimov <danila.gerasimov@gmail.com>..Dave Galbraith <dave@jut.io>..David Beitey <david@davidjb.com>..David Rousselie <guido.dassori@gmail.com>..Domenic Denicola <domenic@domenicdenicola.com>..Einar Otto Stangvik <einaros@gmail.com>..Emma Ramirez <ramirez.emma.g@gmail.com>..Erik Wienhold <git@ewie.name>..Evan Lucas <evan@btc.com> <evan.lucas@hattiesburgclinic.com>..Evan Lucas <evan@btc.com> <evanlucas@me.com>..

C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\.npmignore
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 385
Entropy (8bit): 4.623052803400193
Encrypted: false
SSDEEP: 6:URChGWoGB/egBe7TaVscKsMNJciot3o7vZ4VoVuEl0vgwQIiSWhV/NLLix59:URC5BegBe7TeUsK1oW7vuoMQeilTReV
MD5: 4416DF8582A08A4C3297F4DD5DE3908B
SHA1: 81878E227181476B36D9C0AD9DD0BFA766C0A4C1
SHA-256: F885519DB536EC02B192521A48D63E2EE9B849092905D117E07A862DBB6C73B1
SHA-512: 4D08E0FB3983D614558F7744745C3963A9E8C0D9AC9A2AE3595D898AB95167B87DC8CD2A4B7B2C877AAB1FC0057317D1A3C5116A5575973A570BD429B2132ABA
Malicious: false
Preview: *.swp...*.swp..netlify.toml..npm-debug.log../.github../test..node_modules/marked..node_modules/marked-man..node_modules/tap..tap-snapshots..node_modules/.bin..node_modules/npm-registry-mock../npmrc../release/....# don't need these in the npm package...html/*.png....# don't ignore .npmignore files..# these are used in some tests...!.npmignore..../npm-*.tgz....*.pyc.......nyc_output..

C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\.travis.yml
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 344
Entropy (8bit): 4.981689273342171
Encrypted: false
SSDEEP: 6:SJWTcER44SmP26aWKwvLKNVPp2108TJMFc52WbWi1Urop6kHoxlx9v:cER4GxaWKAKNVR2108Tq3TAHoDxN
MD5: 7A15CCC612A136E7096930734D633B21
SHA1: C310FB614C1E93072C2725E103D71F2A493FDA0D
SHA-256: 471E07C40FA3588317141FC1E43BDE68F5FCA7511724852E9CD5588470C5C1A4
SHA-512: D6378402793B2821AC515ED6064E63144155AEED603902A381D8318683F9687884652ECB04D16A17F6E9BCB3585D0C763D4DE24F60775045EFFC741426D1745C
Malicious: false
Preview: # need to declare the language as well as the matrix below..language: node_js....os:.. - windows....node_js:.. - 12.. - 10.. - 8.. - 6....env: "DEPLOY_VERSION=testing"....notifications:.. slack: npm-inc:kRqQjto7YbINqHPb1X6nS3g8....install:.. - "node . install"....script:.. - "node . run tap -- \"test/tap/*.js\" -t600 -Rclassic -c"..

C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\AUTHORS
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type: UTF-8 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 27043
Entropy (8bit): 5.097925208214625
Encrypted: false
SSDEEP: 384:Ca96DcCOzIYcoIO59s49M54NiPHT8OA0oPvw+fS6T2Xy80K9M6OsJSdSFsUu:8Ogo+49O33A0sVfyXyJK9QsJSdF
MD5: 8E0621AA4B3C6AF29CD281BE18AD666D
SHA1: 41F83E9A0F1564050897C88F4A025DB0DE5D4F54
SHA-256: 41E1395C2082DA627E8C08033FF12BE6261F52B03C22B55ED8B4E623AE24B099
SHA-512: E6FF47D487A39F6ACA3C51A18951D5B70BD3479C367EF321925E12197D8C0175503F8662A2A1FF7B3FA2DD82DFDA4ABC33A890FDF552687E9025192BB3310123
Malicious: false
Preview: # Authors sorted by whether or not they're me..isaacs <i@izs.me>..Steve Steiner <ssteinerX@gmail.com>..Mikeal Rogers <mikeal.rogers@gmail.com>..Aaron Blohowiak <aaron.blohowiak@gmail.com>..Martyn Smith <martyn@dollyfish.net.nz>..Charlie Robbins <charlie.robbins@gmail.com>..Francisco Treacy <francisco.treacy@gmail.com>..Cliffano Subagio <cliffano@gmail.com>..Christian Eager <christian.eager@nokia.com>..Dav Glass <davglass@gmail.com>..Alex K. Wolfe <alexkwolfe@gmail.com>..James Sanders <jimmyjazz14@gmail.com>..Reid Burke <me@reidburke.com>..Arlo Breault <arlolra@gmail.com>..Timo Derstappen <teemow@gmail.com>..Bart Teeuwisse <bart.teeuwisse@thecodemill.biz>..Ben Noordhuis <info@bnoordhuis.nl>..Tor Valamo <tor.valamo@gmail.com>..Whyme.Lyu <5longluna@gmail.com>..Olivier Melcher <olivier.melcher@gmail.com>..Toma. Muraus <kami@k5-storitve.net>..Evan Meagher <evan.meagher@gmail.com>..Orlando Vazquez <ovazquez@gmail.com>..Kai Chen <kaichenxyz@gmail.com>..George Miroshnykov <gmiroshnykov@lohika

C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\CHANGELOG.md
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type: UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 154564
Entropy (8bit): 5.400081439502239
Encrypted: false
SSDEEP: 1536:CcnZb93jTA3dSKcPmUOreatL4ysH9fC5ueKp+PCgwYvH8zwCp:Cqe3tZN5tMnHxUueKYagwYvS
MD5: 193A6E48AC2037C9B26994225BE8FE0C
SHA1: 46D52878A982071CB0462A1C9FA95EC28C479BFE
SHA-256: 0DB395F19A78AAAAD081609A93635BED43BA99B28F20ED7F636ED386C76ED1B7
SHA-512: EBA11DBB80EA6F9F7F8A0371A788A67062BF4376E4D0BE61B09F2544DD2D6019119911DDEC1F04A4A4E2AAB7624A7F9CC956F7FD2C955843E71BED4298B65404
Malicious: false
Preview: ## 6.14.4 (2020-03-24)....### DEPENDENCIES....* Bump `minimist@1.2.5` transitive dep to resolve security issue.. * [`9c554fd8c`](https://github.com/npm/cli/commit/9c554fd8cd1e9aeb8eb122ccfa3c78d12af4097a) `update-notifier@2.5.0`.. * bump `deep-extend@1.2.5`.. * bump `deep-extend@0.6.0`.. * bump `is-ci@1.2.1`.. * bump `is-retry-allowed@1.2.0`.. * bump `rc@1.2.8`.. * bump `registry-auth-token@3.4.0`.. * bump `widest-line@2.0.1`..* [`136832dca`](https://github.com/npm/cli/commit/136832dcae13cb5518b1fe17bd63ea9b2a195f92) `mkdirp@0.5.4`..* [`8bf99b2b5`](https://github.com/npm/cli/commit/8bf99b2b58c14d45dc6739fce77de051ebc8ffb7) [#1053](https://github.com/npm/cli/pull/1053) deps: updates term-size to use signed binary.. * [`d2f08a1bdb`](https://github.com/nodejs/node/commit/d2f08a1bdb78655c4a3fc49825986c148d14117e) ([@rvagg](https://github.com/rvagg))....## 6.14.3 (2020-03-19)....### DOCUMENTATION....* [`4ad221487`](https://github.com/npm/cli/commit4ad2214873cddfd4a0eff1bd188516b08f

C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\CONTRIBUTING.md
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type: UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 9707
Entropy (8bit): 4.991870031745418
Encrypted: false
SSDEEP: 96:MWyeYnQgwQDgGNR0huG/gEQ9d3bVmLfRF++D9z+obrv+i4R6hU7vMe+XuqJY36lk:MWyeiDNR0huL9d3bk7R1QoMz7vMW3Ou
MD5: 7620DBDAE466562DDAFBFF8EA58F9DB9
SHA1: F72A305F16FAF50C4943B5D869AB57226852E753
SHA-256: D775C5277D1699828B08288419A0D23B41A02F450B2ADAA7CE9E44B2A10DD242
SHA-512: D215E0B2E97E35961E0A2E5FB5705E68257D6737113DF21C1397BC3513C2872F2819AC0A273E27E070D0ACAA3143F9054DB1E8058E765C8CB749CC11843973F6
Malicious: false
Preview: # npm CLI Contributor Roles and Responsibilities....## Table of Contents....* [Introduction](#introduction)..* [Code Structure](#code-structure)..* [Running Tests](#running-tests)..* [Debugging](#debugging)..* [Coverage](#coverage)..* [Benchmarking](#benchmarking)..* [Types of Contributions](#types-of-contributions).. * [Contributing an Issue?](#contributing-an-issue).. * [Contributing a Question?](#contributing-a-question).. * [Contributing a Bug Fix?](#contributing-a-bug-fix).. * [Contributing a Feature?](#contributing-a-bug-feature)..* [Development Dependencies](#development-dependencies)..* [Dependencies](#dependencies)....## Introduction....Welcome to the npm CLI Contributor Guide! This document outlines the npm CLI repository's process for community interaction and contribution. This includes the issue tracker, pull requests, wiki pages, and, to a certain extent, outside communication in the context of the npm CLI. This is an entry point for anyone wishing to contribute their

C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\bin\node-gyp-bin\node-gyp
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type: a /usr/bin/env sh script, ASCII text executable, with CRLF line terminators
Category: dropped
Size (bytes): 178
Entropy (8bit): 4.80854872781414
Encrypted: false
SSDEEP: 3:TKQWaHMPhMZ6jLitQXxVC/lfnl6X1+CM/zM++w8v3AWFH3IGXxVdBlIvNn:HWaHjg3ioclfK16R+Nv3n94oBBqvN
MD5: 6E25816F1EC43CA4D9DF43634F4FDC74
SHA1: 34DFF6B10E03A33507FB0AD9131304EE036381CC
SHA-256: EE2C0CD004287093A3767C0A31D9A0A3C4B00C0517CC974473E2B483EEF438E7
SHA-512: 55D1A85AB49A293A7787A7A223977E8472B8204A447135DE7E01E8E82566485A268508497BD81FA9D5CA454D23541035E9D7A75AD5521F82C84BD4065D1EA76B
Malicious: false
Preview: #!/usr/bin/env sh..if [ "x$npm_config_node_gyp" = "x" ]; then.. node "`dirname "$0"`/../../node_modules/node-gyp/bin/node-gyp.js" "$@"..else.. "$npm_config_node_gyp" "$@"..fi..

                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\bin\node-gyp-bin\node-gyp.cmd
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):149
                                                                                                                                                                            Entropy (8bit):4.537198857842976
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:CxK7mbzL4KLXxVCDKiKVVNx+26M8jMNNqaXodFLKisLXxVikK:Cxe4HT9q26T68amFuTGkK
                                                                                                                                                                            MD5:BB78133F243EC53A16C89C436AB54216
                                                                                                                                                                            SHA1:E6071DD04DBE0B3560C3279DED8E44E1D0A0CEDE
                                                                                                                                                                            SHA-256:8CB8B915E6F433F7F8994EAE04E74595D5A169D1E593833BB4A5F2CBE213F02D
                                                                                                                                                                            SHA-512:8A94C4AD3CD4B414D5C6788083B801A6273C970A173461DDEF7EC48626FDBA8040C9A8F4D1D848BF05240A36AE0EEC40DB2C779D1A5C3CB04C99EF5BDADDFB59
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: if not defined npm_config_node_gyp (.. node "%~dp0\..\..\node_modules\node-gyp\bin\node-gyp.js" %*..) else (.. node "%npm_config_node_gyp%" %*..)..
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\bin\npm
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:POSIX shell script, ASCII text executable, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):930
                                                                                                                                                                            Entropy (8bit):5.311699175313889
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:P1q4gq4puY1n+rf7gNwY9L3j+B3lwNY9L3lwZBK7gNwY9L3j+B3lwNY9L3lwZxHh:ca1YS7guY9L3S3WNY9L3WZ47guY9L3So
                                                                                                                                                                            MD5:BA553D663CD364A71842375B7613DED2
                                                                                                                                                                            SHA1:DA664DD6249D3CFBB858BA67234E213B526497D8
                                                                                                                                                                            SHA-256:C7326730E2E51652DC605BCA7CEE7199E6362DD6AE97C8352586E8E96D2CD9D1
                                                                                                                                                                            SHA-512:E01A1D83FA652A010BB97B50FCC12EDB0950C868DFF28923D976517243B52BB591AEB162516752F0A1AD29ADB787A2E7210BD776581D3ACE886F4B4C3EBBDD0A
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: #!/bin/sh..(set -o igncr) 2>/dev/null && set -o igncr; # cygwin encoding fix....basedir=`dirname "$0"`....case `uname` in.. *CYGWIN*) basedir=`cygpath -w "$basedir"`;;..esac....NODE_EXE="$basedir/node.exe"..if ! [ -x "$NODE_EXE" ]; then.. NODE_EXE="$basedir/node"..fi..if ! [ -x "$NODE_EXE" ]; then.. NODE_EXE=node..fi....NPM_CLI_JS="$basedir/node_modules/npm/bin/npm-cli.js"....case `uname` in.. *MINGW*).. NPM_PREFIX=`"$NODE_EXE" "$NPM_CLI_JS" prefix -g`.. NPM_PREFIX_NPM_CLI_JS="$NPM_PREFIX/node_modules/npm/bin/npm-cli.js".. if [ -f "$NPM_PREFIX_NPM_CLI_JS" ]; then.. NPM_CLI_JS="$NPM_PREFIX_NPM_CLI_JS".. fi.. ;;.. *CYGWIN*).. NPM_PREFIX=`"$NODE_EXE" "$NPM_CLI_JS" prefix -g`.. NPM_PREFIX_NPM_CLI_JS="$NPM_PREFIX/node_modules/npm/bin/npm-cli.js".. if [ -f "$NPM_PREFIX_NPM_CLI_JS" ]; then.. NPM_CLI_JS="$NPM_PREFIX_NPM_CLI_JS".. fi.. ;;..esac...."$NODE_EXE" "$NPM_CLI_JS" "$@"..
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\bin\npm-cli.js
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:a /usr/bin/env node script, UTF-8 Unicode text executable, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):4768
                                                                                                                                                                            Entropy (8bit):4.6995051799240315
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:aQpdCf2RDeV4S64+dajUZbYcuYi5GbJZjH3j3jejlGj2LnxQ0AxTOx4Vv9:aQpdk2a4S64+dcUJYchiErTzElMa+VV
                                                                                                                                                                            MD5:FEE55245473B64B1D48A1EF54983F65E
                                                                                                                                                                            SHA1:F21AE5A56BBECE2679220552AF96BC0FE6B0F57D
                                                                                                                                                                            SHA-256:0212F0919888EF1A830C2537044EC2CA987705A5945784B3A3FD18CB2AB7EFCB
                                                                                                                                                                            SHA-512:BE421306CF0F116761C1CA564AA6FF751F9677B9317540534C976A1E9AA3F824A99B7ABF9BCC6959682B33A240A5FC9058737257A7F34E7A40F49E4DD3D1BE6D
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: #!/usr/bin/env node..;(function () { // wrapper in case we're in module_context mode.. // windows: running "npm blah" in this folder will invoke WSH, not node... /* global WScript */.. if (typeof WScript !== 'undefined') {.. WScript.echo(.. 'npm does not work when run\n' +.. 'with the Windows Scripting Host\n\n' +.. "'cd' to a different directory,\n" +.. "or type 'npm.cmd <args>',\n" +.. "or type 'node npm <args>'.".. ).. WScript.quit(1).. return.. }.... process.title = 'npm'.... var unsupported = require('../lib/utils/unsupported.js').. unsupported.checkForBrokenNode().... var log = require('npmlog').. log.pause() // will be unpaused when config is loaded... log.info('it worked if it ends with', 'ok').... unsupported.checkForUnsupportedNode().... var npm = require('../lib/npm.js').. var npmconf = require('../lib/config/core.js').. var errorHandler = require('../lib/utils/error-handler.js').... var configDefs = npmconf.defs..
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\bin\npm.cmd
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):483
                                                                                                                                                                            Entropy (8bit):5.282027163722619
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12:n5aE4YBYu9AfGoAD7PlwYzAO9ewAo5YjiwAIQAZ:cEFBYu+hAfNwYsO9ewAo5YewAIQAZ
                                                                                                                                                                            MD5:D5B5ACB61C9BF69FB8BFC65EBA28C6AB
                                                                                                                                                                            SHA1:EEBDD696F7F1AAEA15AC4E10F5A6E5AA5A6ACA8C
                                                                                                                                                                            SHA-256:AFA68B96334EA8493BCB908743AF3DBD619CF26BE7B44460179ABD4D75D849D2
                                                                                                                                                                            SHA-512:69483D7C5E49EFDCDF054B3C5D96D9D315E436F60EF3059DD6A80472445D79068655A8A27D868E907F2EBAFC49B8F638947B2FB49D42E4A9F427FEC74FB58822
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: :: Created by npm, please don't edit manually...@ECHO OFF....SETLOCAL....SET "NODE_EXE=%~dp0\node.exe"..IF NOT EXIST "%NODE_EXE%" (.. SET "NODE_EXE=node"..)....SET "NPM_CLI_JS=%~dp0\node_modules\npm\bin\npm-cli.js"..FOR /F "delims=" %%F IN ('CALL "%NODE_EXE%" "%NPM_CLI_JS%" prefix -g') DO (.. SET "NPM_PREFIX_NPM_CLI_JS=%%F\node_modules\npm\bin\npm-cli.js"..)..IF EXIST "%NPM_PREFIX_NPM_CLI_JS%" (.. SET "NPM_CLI_JS=%NPM_PREFIX_NPM_CLI_JS%"..)...."%NODE_EXE%" "%NPM_CLI_JS%" %*..
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\bin\npx
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:POSIX shell script, ASCII text executable, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):922
                                                                                                                                                                            Entropy (8bit):5.333666314300635
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:P1q4puY1n+TY1njrf7g9Y9L3jjB3leY9L3lZBK7g9Y9L3jjB3leY9L3lZxHqcon:c1YUYB7g9Y9L3h3leY9L3lZ47g9Y9L3C
                                                                                                                                                                            MD5:F3AC8B0BCC82456D9C702DD17C232796
                                                                                                                                                                            SHA1:C1292E0207DDE6F295B02B6C87C79554174F783F
                                                                                                                                                                            SHA-256:99911D9C4BEBA98143FE160A55999331DD5C80038E48F23EE517A0E0DAD4BFB3
                                                                                                                                                                            SHA-512:8C842301E40DF13175E03C57A7C7DAF9EE41C811908068BACE14FE78CCA445F191D047FC8949ED8F18BFE2BD84E248FB14857F338D8E19D53A6B4F3578197FE2
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: #!/bin/sh..(set -o igncr) 2>/dev/null && set -o igncr; # cygwin encoding fix....basedir=`dirname "$0"`....case `uname` in.. *CYGWIN*) basedir=`cygpath -w "$basedir"`;;..esac....NODE_EXE="$basedir/node.exe"..if ! [ -x "$NODE_EXE" ]; then.. NODE_EXE=node..fi....NPM_CLI_JS="$basedir/node_modules/npm/bin/npm-cli.js"..NPX_CLI_JS="$basedir/node_modules/npm/bin/npx-cli.js"....case `uname` in.. *MINGW*).. NPM_PREFIX=`"$NODE_EXE" "$NPM_CLI_JS" prefix -g`.. NPM_PREFIX_NPX_CLI_JS="$NPM_PREFIX/node_modules/npm/bin/npx-cli.js".. if [ -f "$NPM_PREFIX_NPX_CLI_JS" ]; then.. NPX_CLI_JS="$NPM_PREFIX_NPX_CLI_JS".. fi.. ;;.. *CYGWIN*).. NPM_PREFIX=`"$NODE_EXE" "$NPM_CLI_JS" prefix -g`.. NPM_PREFIX_NPX_CLI_JS="$NPM_PREFIX/node_modules/npm/bin/npx-cli.js".. if [ -f "$NPM_PREFIX_NPX_CLI_JS" ]; then.. NPX_CLI_JS="$NPM_PREFIX_NPX_CLI_JS".. fi.. ;;..esac...."$NODE_EXE" "$NPX_CLI_JS" "$@"..
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\bin\npx-cli.js
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:a /usr/bin/env node script, ASCII text executable, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):185
                                                                                                                                                                            Entropy (8bit):5.039941343359361
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:TKQWaHMPM2rGDHFKjhGL6Fyp9AP8UooXzBMEI/V1eUWCevhP/RAWMPFAEvn:HWaH68HkGIcHJoaEWdWDv5JzMtv
                                                                                                                                                                            MD5:69A0449C521A0E31A33C40913D14091A
                                                                                                                                                                            SHA1:9826B461B059FDA91CF79F0744128AB366B89D5F
                                                                                                                                                                            SHA-256:FC4100FB911676666A322A3932CF110D097A60ADDC1356E7EE6483CEB2B9BCDB
                                                                                                                                                                            SHA-512:7D7E60347935BEDB1131DA097EEDBE0BC2842D1792B3E391B555215C30D4111DE1474770FA7706CDF8A2EF126F258A49814A873487A33D7FFB5B6A556983FD93
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: #!/usr/bin/env node....const npx = require('libnpx')..const path = require('path')....const NPM_PATH = path.join(__dirname, 'npm-cli.js')....npx(npx.parseArgs(process.argv, NPM_PATH))..
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\bin\npx.cmd
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):539
                                                                                                                                                                            Entropy (8bit):5.311229339197417
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12:n5aE4YBYu9AJYujfGoAD7PxeCYpO9geCAoiYjEeCAIDeCAZ:cEFBYu+JYujhAf9YpO90AoiY0AIDeCAZ
                                                                                                                                                                            MD5:D679D19CFAB093D75D4B75672A0BA98A
                                                                                                                                                                            SHA1:515C2954D10D4C27B564A11631AD29B553531731
                                                                                                                                                                            SHA-256:B6004636A98CBB9814FDFC98BB7365E78AB48B3208F60AC5B2F17794C5285F26
                                                                                                                                                                            SHA-512:26EEB8E686470C0BF036C50BC9E05635D1EC28D278290C201111F431771E9AF4E0BE8AF3D69993736FE1712AE8CD1173F9E07F54422F7289A128D7EA6275BC97
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: :: Created by npm, please don't edit manually...@ECHO OFF....SETLOCAL....SET "NODE_EXE=%~dp0\node.exe"..IF NOT EXIST "%NODE_EXE%" (.. SET "NODE_EXE=node"..)....SET "NPM_CLI_JS=%~dp0\node_modules\npm\bin\npm-cli.js"..SET "NPX_CLI_JS=%~dp0\node_modules\npm\bin\npx-cli.js"..FOR /F "delims=" %%F IN ('CALL "%NODE_EXE%" "%NPM_CLI_JS%" prefix -g') DO (.. SET "NPM_PREFIX_NPX_CLI_JS=%%F\node_modules\npm\bin\npx-cli.js"..)..IF EXIST "%NPM_PREFIX_NPX_CLI_JS%" (.. SET "NPX_CLI_JS=%NPM_PREFIX_NPX_CLI_JS%"..)...."%NODE_EXE%" "%NPX_CLI_JS%" %*..
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\changelogs\CHANGELOG-1.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):38997
                                                                                                                                                                            Entropy (8bit):5.329444677067971
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:384:evvmSRHCXMKnXpnTV5FGQDGW61zIZBWuCjNef/wrM2QAF6GbuuCO22Wj+FDsji6M:IyBXiQDGW61uffYUA1HC+ZsjijyQd
                                                                                                                                                                            MD5:B0D864C09FDEA56FF8E6B9AC5688A0C2
                                                                                                                                                                            SHA1:1AE29F1D0472C74578F61C0A79ECFBC80F88D925
                                                                                                                                                                            SHA-256:6AABE89D12842077BD772A6A794F0BC0A96615BAADDD36D75ADFA19F274893DD
                                                                                                                                                                            SHA-512:12595CCD92D8FE9DC9A698C24790BD95C946AD4D672CDFA79C8B5FCE8821E24ED203F9B3F1E5D10621BA47D1593567B5FC2E6FC4E6EB399155177B53A2A9DA2B
                                                                                                                                                                            Malicious:false
Preview: ### v1.4.29 (2015-10-29):....#### THINGS ARE HAPPENING IN LTS LAND....In a special one-off release as part of the [strategy to get a version of npm..into Node LTS that works with the current..registry](https://github.com/nodejs/LTS/issues/37), modify npm to print out..this deprecation banner literally every time npm is invoked to do anything:....```..npm WARN deprecated This version of npm lacks support for important features,..npm WARN deprecated such as scoped packages, offered by the primary npm..npm WARN deprecated registry. Consider upgrading to at least npm@2, if not the..npm WARN deprecated latest stable version. To upgrade to npm@2, run:..npm WARN deprecated..npm WARN deprecated npm -g install npm@latest-2..npm WARN deprecated..npm WARN deprecated To upgrade to the latest stable version, run:..npm WARN deprecated..npm WARN deprecated npm -g install npm@latest..npm WARN deprecated..npm WARN deprecated (Depending on how Node.js was installed on your system, you..npm WARN depr
C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\changelogs\CHANGELOG-2.md
Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type:UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):304000
Entropy (8bit):5.399062442201225
Encrypted:false
SSDEEP:3072:WbkEcahg+LjXdX++GGJs7zWHJR+BQbcSj4gNKD/+pDc0iot+yDrhq:WoGjXh+tGJKzyJE2kgNCAws+yHY
MD5:0017BE359776784C54D71C7BBE874334
SHA1:3E5BF46828148E5FDA683DBE65B013563665FE46
SHA-256:61735EEEEE27C15263E56261305C18BBA36C54891909D4881406F367EB0DF03A
SHA-512:7F36777EC0CA5A0B80BE537D0BCE9BC0EF123809A33275B4AB8B8D0538D750027C45D5B9B6A098D0203E05A0AAD4A2876C13AA417A11A815AF67AD2FFF178AF7
Malicious:false
Preview: ### v2.15.12 (2017-03-24):....This version brings the latest `node-gyp` to a soon to be released Node.js..4.x. The `node-gyp` update is particularly important to Windows folks due to..its addition of Visual Studio 2017 support.....* [`cdd60e733`](https://github.com/npm/npm/commit/cdd60e733905a9994e1d6d832996bfdd12abeaee).. `node-gyp@3.6.0`:.. Improvements to how Python is located. New `--devdir` flag... Support for VS2017... Chakracore support on ARM... Remove path-array dependency, reducing size significantly... ([@bnoordhuis](https://github.com/bnoordhuis)).. ([@mhart](https://github.com/mhart)).. ([@refack](https://github.com/refack)).. ([@kunalspathak](https://github.com/kunalspathak))....### v2.15.11 (2016-09-08):....On we go with our monthly release cadence! This week is pretty much all..dependency updates and some documentation changes, as can be expected by now.....Note that `npm@4` will almost certainly be released next month! It's not final..what we'll end up doing
C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\changelogs\CHANGELOG-3.md
Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type:UTF-8 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):258246
Entropy (8bit):5.336825368573546
Encrypted:false
SSDEEP:3072:E08Sn22t1ScaBJHUEfvnGDKgDIoWxK/lE9Wt+fE56KqP65pZVIyr/bgROfZpfik3:E0882e1P6nBlEYEXwbM+yrjKOnKK1
MD5:C9BFE2D06607ED17E8EDA7A306EF52F4
SHA1:6D33962D4937A3310314A232C5C77757F312FBDC
SHA-256:2E9003EA236EBF0F0A20A69C77AD19E30D78D616F4FD85D99C46DE498D2A7188
SHA-512:CAA43F83B437C4DE251A8EAE375D6BA4372E11D98433D9F4972021402B310AEEA2EA54268B27210B6F79536962B74561CDB8C18842E953DE6080722BB59FA227
Malicious:false
Preview: ### v3.10.10 (2016-11-04)....See the discussion on [#14042](https://github.com/npm/npm/issues/14042) for..more context on this release, which is intended to address a serious regression..in shrinkwrap behavior in the version of the CLI currently bundled with Node.js..6 LTS "Boron". You should never install this version directly; instead update..to `npm@4`, which has everything in this release and more.....#### REGRESSION FIX....* [`9aebe98`](https://github.com/npm/npm/commit/9aebe982114ea2107f46baa1dcb11713b4aaad04).. [#14117](https://github.com/npm/npm/pull/14117).. Fixes a bug where installing a shrinkwrapped package would fail if the.. platform failed to install an optional dependency included in the shrinkwrap... ([@watilde](https://github.com/watilde))....#### UPDATE SUPPORT MATRIX....With the advent of the second official Node.js LTS release, Node 6.x..'Boron', the Node.js project has now officially dropped versions 0.10..and 0.12 out of the maintenance phase of LTS. (Also, N
C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\changelogs\CHANGELOG-4.md
Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type:UTF-8 Unicode text, with very long lines, with CR, LF line terminators
Category:dropped
Size (bytes):81175
Entropy (8bit):5.310518604356336
Encrypted:false
SSDEEP:768:Icqr2N7CCLNCRXMR4BNa7l0N0tI14JyklKUHOkgKYHLLPyYp7ZhwJJvH/OQzF6Jh:x0XfBS2rsgpnyYp0zH64BQlOAC16V
MD5:C7082B57E90D8D70115E20FAC9B5D636
SHA1:860C1FD23F929C1695263FD3703F6B0DA26D06B6
SHA-256:8964772A33A347AC22FBC536EB4BEE525F33EDBEFE4633746B444E1A2041A132
SHA-512:032C5F372C22450EEE5FAB84F97C67452F401FA214E267A39487B7E824AB003C286AEB5233D7AC3369717E7938EB9F084C63E548E6E2B0D773B24475F047BDC5
Malicious:false
Preview: ## v4.6.1 (2017-04-21)..A little release to tide you over while we hammer out the last bits for npm@5...### FEATURES..* [`d13c9b2f2`](https://github.com/npm/npm/commit/d13c9b2f24b6380427f359b6e430b149ac8aaa79). `init-package-json@1.10.0`:. The `name:` prompt is now `package name:` to make this less ambiguous for new users... The default package name is now a valid package name. For example: If your package directory. has mixed case, the default package name will be all lower case..* [`f08c66323`](https://github.com/npm/npm/commit/f08c663231099f7036eb82b92770806a3a79cdf1). [#16213](https://github.com/npm/npm/pull/16213). Add `--allow-same-version` option to `npm version` so that you can use `npm version` to run. your version lifecycles and tag your git repo without actually changing the version number in. your `package.json`.. ([@lucastheisen](https://github.com/lucastheisen)).* [`f5e8becd0`](https://github.com/npm/npm/commit/f5e8becd05e0426379eb0c999abdbc8e87a7f6f2). Timing h
C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\changelogs\CHANGELOG-5.md
Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type:UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):134900
Entropy (8bit):5.330350691462
Encrypted:false
SSDEEP:1536:TFcVNLfaI7Hh7vLa5CXAHqJWvwgwsHTgW2i9HNO:TuVNDPjh7vLc+Uq8orsHTgW2i9H8
MD5:4235B14FFF7F0DD8CB614A6024DC5CB7
SHA1:A177D68E9A610193F96D4D811CB4ED393812879F
SHA-256:67C7BF6281E3500DF52C4BB8E65C632B6F5382D5E9CAAE39F641AC20FFEF4452
SHA-512:9538530668B39CDAB59ED9DD91BD25B69D270A2A1E99D8FE86E7709E23DCC986301A3071B813DDE8D1C4FAD890081908991223666705387EC1BAE44F491AD37B
Malicious:false
Preview: ## v5.10.0 (2018-05-10):....### AUDIT SHOULDN'T WAIT FOREVER....This will likely be reduced further with the goal that the audit process..shouldn't noticibly slow down your builds regardless of your network..situation.....* [`3dcc240db`](https://github.com/npm/npm/commit/3dcc240dba5258532990534f1bd8a25d1698b0bf).. Timeout audit requests eventually... ([@iarna](https://github.com/iarna))......## v5.10.0-next.1 (2018-05-07):....### EXTENDED `npm init` SCAFFOLDING....Thanks to the wonderful efforts of [@jdalton](https://github.com/jdalton) of..lodash fame, `npm init` can now be used to invoke custom scaffolding tools!....You can now do things like `npm init react-app` or `npm init esm` to scaffold an..npm package by running `create-react-app` and `create-esm`, respectively. This..also adds an `npm create` alias, to correspond to Yarn's `yarn create` feature,..which inspired this.....* [`adc009ed4`](https://github.com/npm/npm/commit/adc009ed4114ed1e692f8ef15123af6040615cee).. [`f363edd0
C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\configure
Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type:Bourne-Again shell script, ASCII text executable, with CRLF line terminators
Category:dropped
Size (bytes):562
Entropy (8bit):5.026226094344221
Encrypted:false
SSDEEP:12:HEoa+sG4AV4REXCnU5xkv9NDZsbzoRGfszd2ApCfbKZ3F:R4AR0lwoRGfaIuxF
MD5:505C5D03B2435A06B1DE505A1FAEDAF4
SHA1:B2E899F8A4DB963F93ABE383D82B15EE0FA47224
SHA-256:D319C4521702CE5C0F8F317679E0704287A012D47754B07F483570279258C5E3
SHA-512:A778C9673D8F356B984036F4A8216894F3B8F061DAEE5E92820699B67B250C718723A52386DE3503CA8D8F3617B68E9FAC30E4B1C20FDAF75A51144C6E3E4F17
Malicious:false
Preview: #!/usr/bin/env bash....# set configurations that will be "sticky" on this system,..# surviving npm self-updates.....CONFIGS=()..i=0....# get the location of this file...unset CDPATH..CONFFILE=$(cd $(dirname "$0"); pwd -P)/npmrc....while [ $# -gt 0 ]; do.. conf="$1".. case $conf in.. --help).. echo "./configure --param=value ...".. exit 0.. ;;.. --*).. CONFIGS[$i]="${conf:2}".. ;;.. *).. CONFIGS[$i]="$conf".. ;;.. esac.. let i++.. shift..done....for c in "${CONFIGS[@]}"; do.. echo "$c" >> "$CONFFILE"..done..
C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\LICENSE
Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1098
Entropy (8bit):5.146640036217327
Encrypted:false
SSDEEP:24:DrzJHkH0yw3gt3DQJq1hBE9QHbsUv4fOk4/+8/3oqaFE:DHJMlUE/BGQHbs5JK/3oDFE
MD5:ACF493D5FCF4AA73CD99CCB09DBCF59B
SHA1:A973DA683163CE137B53AF4B88C41482B6449177
SHA-256:00F0F93605A19F32A7251A9629F84A8C6102F9469141DA66DF83757C42AEA497
SHA-512:B5DBF516A41A2D653B13773E78BC83AAF19A2230BD9DC74E813361505363ABF3689545884914204E27376BB86B27D8299AA1D504C444C4F5CE3A3477167D3FA7
Malicious:false
Preview: The MIT License (MIT)....Copyright (c) 2015 gatsbyjs....Permission is hereby granted, free of charge, to any person obtaining a copy..of this software and associated documentation files (the "Software"), to deal..in the Software without restriction, including without limitation the rights..to use, copy, modify, merge, publish, distribute, sublicense, and/or sell..copies of the Software, and to permit persons to whom the Software is..furnished to do so, subject to the following conditions:....The above copyright notice and this permission notice shall be included in all..copies or substantial portions of the Software.....THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR..IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,..FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE..AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER..LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING F
C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-access.md
Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3021
Entropy (8bit):4.767111532296895
Encrypted:false
SSDEEP:48:qkZg5ZsWHCE49cGWya/6+0A1W6BcfPetT/nzC0YZZeL+eE+KfgGY0v:XZsZswHbnZBcHaT/69eA7v
MD5:163782FCEF710B73BA0BC7496E09A45D
SHA1:78FBBDD814581CBAAF1EFAB50F4A143E54C1364A
SHA-256:8DCA8233C11FF62524134AC8C18C1BE7A38AE46AED9EACA7AEDC329AF8D1A18B
SHA-512:BFE9A85D3A7E5D7D7045611A2205B22B81BC6178966B5607D3A2E87E58FA3932B00F9A9F318A6C36C597AF465C14B34FF9D4271B5044E45107C618CD0FDF295C
Malicious:false
Preview: ---..section: cli-commands..title: npm-access..description: Set access level on published packages..---....# npm-access(1)....## Set access level on published packages....### Synopsis....```bash..npm access public [<package>]..npm access restricted [<package>]....npm access grant <read-only|read-write> <scope:team> [<package>]..npm access revoke <scope:team> [<package>]....npm access 2fa-required [<package>]..npm access 2fa-not-required [<package>]....npm access ls-packages [<user>|<scope>|<scope:team>]..npm access ls-collaborators [<package> [<user>]]..npm access edit [<package>]..```....### Description....Used to set access controls on private packages.....For all of the subcommands, `npm access` will perform actions on the packages..in the current working directory if no package name is passed to the..subcommand.....* public / restricted:.. Set a package to be either publicly accessible or restricted.....* grant / revoke:.. Add or remove the ability of users and teams to have read
C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-adduser.md
Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3081
Entropy (8bit):4.833273173254553
Encrypted:false
SSDEEP:96:rZpq2kjN1QedaS8GIc8G/ATNacQAaFrfQoc6s/:r/q5UeMFrap46s/
MD5:8B7FCF57785E731C5B4AD944A1677999
SHA1:F9F535AEC997F6095C0C74A2AA67EB393DB8DB23
SHA-256:F9B8A540661EFD6D685E555F3C7B0B15648392E22DBB8EF1313E4DEC73D06EE2
SHA-512:15B73A2359B2D75E0633E1CC864B1FB110EB6DD60D4F06475A08AAC17B3A134C45CFBEB1C3B246D5D10BBEBB4AADA5A97D69DA3C4E349CFCE13BF48281D17508
Malicious:false
Preview: ---..section: cli-commands..title: npm-adduser..description: Set access level on published packages..---....# npm-adduser(1)....## Add a registry user account....### Synopsis....```bash..npm adduser [--registry=url] [--scope=@orgname] [--always-auth] [--auth-type=legacy]....aliases: login, add-user..```....### Description....Create or verify a user named `<username>` in the specified registry, and..save the credentials to the `.npmrc` file. If no registry is specified,..the default registry will be used (see [`config`](/using-npm/config)).....The username, password, and email are read in from prompts.....To reset your password, go to <https://www.npmjs.com/forgot>....To change your email address, go to <https://www.npmjs.com/email-edit>....You may use this command multiple times with the same user account to..authorize on a new machine. When authenticating on a new machine,..the username, password and email address must all match with..your existing record.....`npm login` is an alias
C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-audit.md
Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4311
Entropy (8bit):4.78853000805756
Encrypted:false
SSDEEP:96:bAAfmAI+0ntfuFuJr9bSO6Iy85I4iyz2+C:bAXAPUukZbeIy85I4iyz2J
MD5:6C9D183556928FC65FDB79DF56314E91
SHA1:588A0138A0CAD2D89280FBD7AB396A39D0B2C221
SHA-256:45A2046DB86D767E0BC9C11B0657505BC86BB49865B20A4C10E6B73F5D3E3645
SHA-512:96B949C164176818B324D6E8A2B8F9E71591E6CDE928EA64B5A38FF5E0F88DF0ECB54F37D97F568644AA0911528FF9B26CA1B27B2E00F9F38B564538FE5B1155
Malicious:false
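Every dropped file in this run of records sits under the node-v13.13.0-win-x64 tree that javaw.exe unpacks into the user profile, and the sandbox marks each one Malicious:false. The check a practitioner actually wants is whether those files are byte-for-byte the official Node.js distribution: anything missing from, or differing from, the official archive is where the loader's own code would be, and the hundreds of npm changelog and doc files can then be dismissed in bulk. The script below is an added example, not code from the report or from the Node.js/npm project. It parses the report's flattened "path, then Key:value lines" layout and diffs each record's SHA-256 against a manifest; the parser, the DIST_ROOT marker, the placeholder manifest and the third sample path (a constructed file outside the distribution) are assumptions of the example, and the two digests in the placeholder manifest are copied from the report so it runs offline, not verified against nodejs.org.

```python
"""Triage the sandbox's dropped-file records against a known-good Node.js manifest."""
from __future__ import annotations

import hashlib
import math
from dataclasses import dataclass, field
from pathlib import Path

# Keys the report uses for each dropped-file record; any other line starts a new record.
RECORD_KEYS = {"Process", "File Type", "Category", "Size (bytes)", "Entropy (8bit)",
               "Encrypted", "SSDEEP", "MD5", "SHA1", "SHA-256", "SHA-512",
               "Malicious", "Preview"}

# Assumed directory name at which the extracted distribution begins inside the temp path.
DIST_ROOT = "node-v13.13.0-win-x64\\"


@dataclass
class DroppedFile:
    path: str
    fields: dict = field(default_factory=dict)


def parse_records(text: str) -> list[DroppedFile]:
    """Parse a path line followed by 'Key:value' lines into one record per file."""
    records: list[DroppedFile] = []
    current: DroppedFile | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key in RECORD_KEYS:
            if current is None:
                raise ValueError(f"{key!r} appears before any path line")
            current.fields[key] = value.strip()
        else:                      # e.g. "C:\Users\..." partitions to key "C", so it is a path
            current = DroppedFile(path=line)
            records.append(current)
    return records


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the quantity the report's 'Entropy (8bit)' column reports."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every file under an unpacked official archive, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def relative_to_dist(path: str) -> str | None:
    """Path relative to the distribution root, or None when the file was dropped elsewhere."""
    i = path.find(DIST_ROOT)
    return None if i < 0 else path[i + len(DIST_ROOT):].replace("\\", "/")


def triage(records: list[DroppedFile], manifest: dict[str, str]):
    """Return (known_good, modified, unexpected) lists of paths."""
    known_good, modified, unexpected = [], [], []
    for r in records:
        rel = relative_to_dist(r.path)
        if rel is None or rel not in manifest:
            unexpected.append(r.path)      # not part of the official archive at all
        elif manifest[rel].lower() == r.fields.get("SHA-256", "").lower():
            known_good.append(rel)
        else:
            modified.append(rel)           # same name, different content: inspect it
    return known_good, modified, unexpected


# Constructed sample: two records copied from the report plus one made-up path
# outside the distribution, so that each triage outcome is exercised.
SAMPLE_REPORT = r"""
C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\configure
Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Size (bytes):562
SHA-256:D319C4521702CE5C0F8F317679E0704287A012D47754B07F483570279258C5E3
Malicious:false
C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\LICENSE
Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Size (bytes):1098
SHA-256:00F0F93605A19F32A7251A9629F84A8C6102F9469141DA66DF83757C42AEA497
Malicious:false
C:\Users\user\AppData\Roaming\constructed-example.bin
Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Size (bytes):0
SHA-256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Malicious:false
"""

# Placeholder manifest (assumption): in practice the output of build_manifest() on the
# official node-v13.13.0-win-x64 archive from nodejs.org. These two digests are copied
# from the report so the example runs; they have NOT been checked against that archive.
PLACEHOLDER_MANIFEST = {
    "node_modules/npm/configure":
        "d319c4521702ce5c0f8f317679e0704287a012d47754b07f483570279258c5e3",
    "node_modules/npm/docs/LICENSE":
        "00f0f93605a19f32a7251a9629f84a8c6102f9469141da66df83757c42aea497",
}

if __name__ == "__main__":
    good, changed, extra = triage(parse_records(SAMPLE_REPORT), PLACEHOLDER_MANIFEST)
    print("known-good:", good)
    print("modified:  ", changed)
    print("unexpected:", extra)
```

Run it against the full dropped-file section of the report and a manifest built from the real archive: the "known-good" list should swallow the npm changelogs and docs shown here, and the "modified" and "unexpected" lists are the short set of files worth opening, including whatever the Java stage writes outside the node-v13.13.0-win-x64 tree.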
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-audit..description: Run a security audit..---....# npm-audit(1)....## Run a security audit....### Synopsis....```bash..npm audit [--json|--parseable|--audit-level=(low|moderate|high|critical)]..npm audit fix [--force|--package-lock-only|--dry-run]....common options: [--production] [--only=(dev|prod)]..```....### Examples....Scan your project for vulnerabilities and automatically install any compatible..updates to vulnerable dependencies:..```bash..$ npm audit fix..```....Run `audit fix` without modifying `node_modules`, but still updating the..pkglock:..```bash..$ npm audit fix --package-lock-only..```....Skip updating `devDependencies`:..```bash..$ npm audit fix --only=prod..```....Have `audit fix` install semver-major updates to toplevel dependencies, not just..semver-compatible ones:..```bash..$ npm audit fix --force..```....Do a dry run to get an idea of what `audit fix` will do, and _also_ output..install information in JSON format:..```bash
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-bin.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):466
                                                                                                                                                                            Entropy (8bit):4.848451785356942
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12:StRq2TNbkETN7p3e/YpwAChBIym8CEtG2pfPC7:qR3TNnTNdu/YpchuymsGN
                                                                                                                                                                            MD5:DB5B85655F6ACDC1C10374089230C49F
                                                                                                                                                                            SHA1:D25013149BCF2B26BF7E9CDFC249DEE1E51D3979
                                                                                                                                                                            SHA-256:44257B8E8A38BF3E7AD4FAE9E7B5F938CF3269EBBB47633A900F0316F356F035
                                                                                                                                                                            SHA-512:BC44B7EABDAECB3CA43614C2EE8FC23C1EB2498407D81F71A8A43C4EB851331FCF4FB41421F9E398ED31871C043BC0303902FEB5B9FB07B95612BD3938DEA8B9
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-bin..description: Display npm bin folder..---....# npm-bin(1)....## Display npm bin folder....### Synopsis..```bash..npm bin [-g|--global]..```....### Description....Print the folder where npm will install executables.....### See Also....* [npm prefix](/cli-commands/prefix)..* [npm root](/cli-commands/root)..* [npm folders](/configuring-npm/folders)..* [npm config](/cli-commands/config)..* [npmrc](/configuring-npm/npmrc)..
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-bugs.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1136
                                                                                                                                                                            Entropy (8bit):5.000437444787411
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:qRIQOHNbOnpFo55H1OYr2E+jG+0fGDMRdS1vUPPjl1i0VG8rW:q2QcbUuJEYrRevvaPjl1i0VGt
                                                                                                                                                                            MD5:A9B9534131FA969E2B6D1A2F39FC7FC2
                                                                                                                                                                            SHA1:47C19DC39E8C82CEFAE608781EEBA69524B0B22C
                                                                                                                                                                            SHA-256:A848A0B738A82B44E67A6B937DF1B7F766C29AEC711F4780070FC8EEBA69EADB
                                                                                                                                                                            SHA-512:E1850DAA59B616B8708B2BACB5126BA1A0DEE94BAEB7CCB69726EABEC2648834C537A6A7FD5912B9F74A373039BE47EEB64EE499E4468B649910D9E1250CAEBE
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-bugs..description: Bugs for a package in a web browser maybe..---....# npm-bugs(1)....## Bugs for a package in a web browser maybe....### Synopsis..```bash..npm bugs [<pkgname>]....aliases: issues..```....### Description....This command tries to guess at the likely location of a package's..bug tracker URL, and then tries to open it using the `--browser`..config param. If no package name is provided, it will search for..a `package.json` in the current folder and use the `name` property.....### Configuration....#### browser....* Default: OS X: `"open"`, Windows: `"start"`, Others: `"xdg-open"`..* Type: String....The browser that is called by the `npm bugs` command to open websites.....#### registry....* Default: https://registry.npmjs.org/..* Type: url....The base URL of the npm package registry.......### See Also....* [npm docs](/cli-commands/docs)..* [npm view](/cli-commands/view)..* [npm publish](/cli-commands/publish)..* [npm registry](/using-n
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-build.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):671
                                                                                                                                                                            Entropy (8bit):4.861245593618684
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12:StRqhZVTerEW9Gj3JlvKG4RobI73mRBoosDhvXhvnxCcrckCJSVGYyErQCm:qRFEW9M3J1KG4yM7aGDhvlnxEpAVGYhi
                                                                                                                                                                            MD5:A683629E8DF4B69D7FD7E443026F8D57
                                                                                                                                                                            SHA1:6198143A4C5D4963205D05D3E236A947121E8AD7
                                                                                                                                                                            SHA-256:4117C61D40759FA67A481B3103C79C8F0AEADE8CC4B1A208C640CFBAAA7B927C
                                                                                                                                                                            SHA-512:8D531F54B4FA3BB1B37C54AAADB857A94E08D2DFF1A3F6F9AAF8EA2945D7E078B85EB21E35245653E1584ED606013D68250F4DEDBDCC3BC995B74B37308EE433
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-build..description: Build a package..---....# npm-build(1)....## Build a package....### Synopsis..```shell..npm build [<package-folder>]..```....* `<package-folder>`:.. A folder containing a `package.json` file in its root.....### Description....This is the plumbing command called by `npm link` and `npm install`.....It should generally be called during installation, but if you need to run it..directly, run:..```bash.. npm run-script build..```....### See Also....* [npm install](/cli-commands/install)..* [npm link](/cli-commands/link)..* [npm scripts](/using-npm/scripts)..* [package.json](/configuring-npm/package-json)..
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-bundle.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):433
                                                                                                                                                                            Entropy (8bit):4.797831502363045
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12:StRqvvxefvZDCm9m7XWc21HZzZQKaRtNrWrckCy:qRi0v5PmicQENrRpy
                                                                                                                                                                            MD5:3B83D7D2C81ED702678B85E669D7F313
                                                                                                                                                                            SHA1:15076EA26A31D90662B375D7CB5057A4BC7C592F
                                                                                                                                                                            SHA-256:BDF1EE836FC80C36174E5D22A7B5194D9F189892BDC7EE43AE3BCF8DF5DC2A53
                                                                                                                                                                            SHA-512:5099D7AAA2E6994ADDFE1B4F71A1AD461073978EBAB267C44D2478AD15EFD98AF46E820A53DE803A54D2819AB5EEC0D51B9BBC5A254480F108D7289EC9FB1832
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-bundle..description: REMOVED..---....# npm-bundle(1)....## REMOVED....### Description....The `npm bundle` command has been removed in 1.0, for the simple reason..that it is no longer necessary, as the default behavior is now to..install packages into the local space.....Just use `npm install` now to do what `npm bundle` used to do.....### See Also....* [npm install](/cli-commands/install)..
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-cache.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):2871
                                                                                                                                                                            Entropy (8bit):4.679758832450013
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:quN5EQHUk21zfFFVzvroVN+fHXza0/uc4pAJ2NG6nW0ficj4ZTRVaXJONrVP3KYT:nNaliEWqr4p096TeJRIYlVvVdZ
                                                                                                                                                                            MD5:D18358EE22DDEB98EE86114B9BB85EDA
                                                                                                                                                                            SHA1:725D2EDC20C43C6FBF89AE5B14569D91587EF504
                                                                                                                                                                            SHA-256:B170512819E24C316C8362BAED62895ADC09F4351C5CF33942CFFE48F7CA6E83
                                                                                                                                                                            SHA-512:98036BB14D4B558C4E688C60482A5B17637725C7A49C7496F5DC5C4130B2272CD283E0D77570C21D49284A23F2833525EE637A5EA035A09E27679AF8F57E8598
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-cache..description: Manipulates packages cache..---....# npm-cache(1)....## Manipulates packages cache....### Synopsis....```bash..npm cache add <tarball file>..npm cache add <folder>..npm cache add <tarball url>..npm cache add <name>@<version>....npm cache clean [<path>]..aliases: npm cache clear, npm cache rm....npm cache verify..```....### Description....Used to add, list, or clean the npm cache folder.....* add:.. Add the specified package to the local cache. This command is primarily.. intended to be used internally by npm, but it can provide a way to.. add data to the local installation cache explicitly.....* clean:.. Delete all data out of the cache folder.....* verify:.. Verify the contents of the cache folder, garbage collecting any unneeded data,.. and verifying the integrity of the cache index and all cached data.....### Details....npm stores cache data in an opaque directory within the configured `cache`,..named `_cacache`. Thi
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-ci.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):2020
                                                                                                                                                                            Entropy (8bit):4.743961027742439
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:qDt0tBmtyQoM65EGonqG12/+QxAhwO4yStX:66bmocTc/+QxAWHP
                                                                                                                                                                            MD5:A2F2C3EF06D330D628E191788C7EDFB1
                                                                                                                                                                            SHA1:D31877F5D80B5857E2E7CB09279A2B89E6E89A14
                                                                                                                                                                            SHA-256:4B9EEDE0BCBFE404E14AF451B5F8B606CF2857883188B44C161F7EE086432A68
                                                                                                                                                                            SHA-512:8047916C273D38379596D5A74BA1B5A8258F31625E0D27B91C27372302EBB341EB01BFB336F54C3835A6A7C8845656526322307E973E631D005341450ECEC5A5
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-ci..description: Install a project with a clean slate..---....# npm-ci(1)....## Install a project with a clean slate....### Synopsis..```bash..npm ci..```....### Example....Make sure you have a package-lock and an up-to-date install:....```bash..$ cd ./my/npm/project..$ npm install..added 154 packages in 10s..$ ls | grep package-lock..```....Run `npm ci` in that project....```bash..$ npm ci..added 154 packages in 5s..```....Configure Travis to build using `npm ci` instead of `npm install`:....```bash..# .travis.yml..install:..- npm ci..# keep the npm cache around to speed up installs..cache:.. directories:.. - "$HOME/.npm"..```....### Description....This command is similar to [`npm install`](/cli-commands/install), except it's meant to be used in..automated environments such as test platforms, continuous integration, and..deployment -- or any situation where you want to make sure you're doing a clean..install of your dependencies. It can be sig
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-completion.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):978
                                                                                                                                                                            Entropy (8bit):4.932780701241402
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:qR4mGgxMZ6LkIsoes7h+YOhWd3AztPqDhg:qK/0oIHH3sWd3bDm
                                                                                                                                                                            MD5:E3FB9F72E68EF91EAC0813487C26166B
                                                                                                                                                                            SHA1:68A89D78A4872691960B5FD333681E67DBB54CA7
                                                                                                                                                                            SHA-256:323B060749FEBF95EE9BECD668553F1F475078CCC66086C9F835D176F5A98723
                                                                                                                                                                            SHA-512:2E2515CA893FFDB380FE3A545BEC0F97195E9B683D7887773237F68837BE2E93941C65291EF1A556B38ED8440CFDDE4B4021CD5FDC795E0B7FB66CB121AD936E
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-completion..description: Tab Completion for npm..---....# npm-completion(1)....## Tab Completion for npm....### Synopsis..```bash..source <(npm completion)..```....### Description....Enables tab-completion in all npm commands.....The synopsis above..loads the completions into your current shell. Adding it to..your ~/.bashrc or ~/.zshrc will make the completions available..everywhere:....```bash..npm completion >> ~/.bashrc..npm completion >> ~/.zshrc..```....You may of course also pipe the output of `npm completion` to a file..such as `/usr/local/etc/bash_completion.d/npm` or ..`/etc/bash_completion.d/npm` if you have a system that will read ..that file for you.....When `COMP_CWORD`, `COMP_LINE`, and `COMP_POINT` are defined in the..environment, `npm completion` acts in "plumbing mode", and outputs..completions based on the arguments.....### See Also....* [npm developers](/using-npm/developers)..* [npm](/cli-commands/npm)..
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-config.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1736
                                                                                                                                                                            Entropy (8bit):4.834326635430188
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:qRgmJCpNJgbbb0vKbbGL/gcE43G5SG9r/CB5wTR/JsmgbWcN2Bgq2fUAymsGBrTm:qhwv8qDgcE6G9ryed/rOvigJfsGpm
                                                                                                                                                                            MD5:12B0A832ADF845C9184C9256AC8EFB05
                                                                                                                                                                            SHA1:8D4BA72D3A91FAF9E36D305D36EE252F2B6E878D
                                                                                                                                                                            SHA-256:B18856DC2B157F0F3CDD37BA5602237A1E192A493264BA519D00F012FC82FC5A
                                                                                                                                                                            SHA-512:C3336C941756B4519AB860B8F6A4DCD75A46DA1EA6DBA67E88E87F68C66EE4C5281FE5744195120184F3F88E9C375F896C988D8B8132B4173BB64707A4BE4F14
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-config..description: Manage the npm configuration files..---....# npm-config(1)....## Manage the npm configuration files....### Synopsis..```bash..npm config set <key> <value> [-g|--global]..npm config get <key>..npm config delete <key>..npm config list [-l] [--json]..npm config edit..npm get <key>..npm set <key> <value> [-g|--global]....aliases: c..```....### Description....npm gets its config settings from the command line, environment..variables, `npmrc` files, and in some cases, the `package.json` file.....See [npmrc](/configuring-npm/npmrc) for more information about the npmrc files.....See [config](/using-npm/config) for a more thorough discussion of the mechanisms..involved.....The `npm config` command can be used to update and edit the contents..of the user and global npmrc files.....### Sub-commands....Config supports the following sub-commands:....#### set..```bash..npm config set key value..```..Sets the config key to the value.....If
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-dedupe.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1526
                                                                                                                                                                            Entropy (8bit):4.75479810837188
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:qRfgwtqlLcU7TVvrtoUu6ImIiZssyLUPW5rPZThTwt86SO0cfpy:qSeqlLp7Frt/tDIAspLoW17EtHX0cf4
                                                                                                                                                                            MD5:02E3AB2AE5BC548891C13E478773413F
                                                                                                                                                                            SHA1:C24D82401486732BF192F481A4E7DBB2AC15057A
                                                                                                                                                                            SHA-256:D90A3FB23DA4B4EAC8FA1D25F1093A44A1C11B3BD9378491548D4126EA373A27
                                                                                                                                                                            SHA-512:3E5CF26E5B62D65BDA0B510FC79DB49FD0C868393C641125AD95DB63347342FC5383EE477AC9EFCA56A804BA231EADF473D2A87AEB709A0C39C272F2222D16CC
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-dedupe..description: Reduce duplication..---....# npm-dedupe(1)....## Reduce duplication....### Synopsis..```bash..npm dedupe..npm ddp....aliases: find-dupes, ddp..```....### Description....Searches the local package tree and attempts to simplify the overall..structure by moving dependencies further up the tree, where they can..be more effectively shared by multiple dependent packages.....For example, consider this dependency graph:....```bash..a..+-- b <-- depends on c@1.0.x..| `-- c@1.0.3..`-- d <-- depends on c@~1.0.9.. `-- c@1.0.10..```....In this case, `npm dedupe` will transform the tree to:....```bash..a..+-- b..+-- d..`-- c@1.0.10..```....Because of the hierarchical nature of node's module lookup, b and d..will both get their dependency met by the single c package at the root..level of the tree.....The deduplication algorithm walks the tree, moving each dependency as far..up in the tree as possible, even if duplicates are not found.
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-deprecate.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):985
                                                                                                                                                                            Entropy (8bit):4.851078215452427
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:qReHbOFLYLsjbMGDr5DumMo+PFGIIH6cI0r4v3jK4i0v:qUHyyWbJDuG+PFG9H6kr4vW4i0v
                                                                                                                                                                            MD5:DE99E6CF328D1C1C7E9A184AFFC374D2
                                                                                                                                                                            SHA1:EFC75185FA1EF94592416F32549E79D516D69058
                                                                                                                                                                            SHA-256:69E5AB3C96C60E0F9B8483BE256E8F8F9834BEB0D5123264B1DBA53D4D5D36D8
                                                                                                                                                                            SHA-512:C847F0D50DC5CC4A6491E8EC2CA656AE520A1E8071C1E46E260BF077AEF02AD1AB5648306BA2111EC9BC7D20F30C210CC7FE240AD28FB5EDA4A0D9AD1A4625E3
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-deprecate..description: Deprecate a version of a package..---..# npm-deprecate(1)....## Deprecate a version of a package....### Synopsis..```bash..npm deprecate <pkg>[@<version>] <message>..```....### Description....This command will update the npm registry entry for a package, providing..a deprecation warning to all who attempt to install it.....It works on [version ranges](https://semver.npmjs.com/) as well as specific ..versions, so you can do something like this:..```bash..npm deprecate my-thing@"< 0.2.3" "critical bug fixed in v0.2.3"..```....Note that you must be the package owner to deprecate something. See the..`owner` and `adduser` help topics.....To un-deprecate a package, specify an empty string (`""`) for the `message` ..argument. Note that you must use double quotes with no space between them to ..format an empty string.....### See Also....* [npm publish](/cli-commands/publish)..* [npm registry](/using-npm/registry)..
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-dist-tag.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:UTF-8 Unicode text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):3101
                                                                                                                                                                            Entropy (8bit):4.799043711231311
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:gvaxqfpI5TClfbA5KCtIpV6cZiYP9L+3JLvm4hcb/80VGN:BehVpCFaW1m4hYsN
                                                                                                                                                                            MD5:1C6AE64B85B9353C144F4E1B192DF36E
                                                                                                                                                                            SHA1:F730B825421455492B9875C5593B4D42153F20E1
                                                                                                                                                                            SHA-256:998C3F43AF8B9C9C105DCF04E9AAAED583BDE49EC870ABBF428390BEE00A434A
                                                                                                                                                                            SHA-512:20D6A899AE4BDB7DC31567BFC72CFF5A807F2849D59E43EFF122FF23ABE8DC4832E3C6380EFC11030DE7829ECFEDF90128FC98B636606602E505A7A1013B70F8
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-dist-tag..description: Modify package distribution tags..---....# npm-dist-tag(1)....## Modify package distribution tags......### Synopsis..```bash..npm dist-tag add <pkg>@<version> [<tag>]..npm dist-tag rm <pkg> <tag>..npm dist-tag ls [<pkg>]....aliases: dist-tags..```....### Description....Add, remove, and enumerate distribution tags on a package:....* add:.. Tags the specified version of the package with the specified tag, or the.. `--tag` config if not specified. If you have two-factor authentication on.. auth-and-writes then you.ll need to include a one-time password on the.. command line with `--otp <one-time password>`.....* rm:.. Clear a tag that is no longer in use from the package.....* ls:.. Show all of the dist-tags for a package, defaulting to the package in.. the current prefix. This is the default action if none is specified.....A tag can be used when installing packages as a reference to a version instead..of using a spe
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-docs.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1212
                                                                                                                                                                            Entropy (8bit):4.987670381104922
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:qRiHurnO1YB55H1pr2JtFEhD1/0fGDMRdkvUPJl1i0VG8rW:q6MJTrmleLvaJl1i0VGt
                                                                                                                                                                            MD5:8450765F9BAB7C5873327A5451A55ACA
                                                                                                                                                                            SHA1:24F577EC9CA393EC523F062328FD40A9AD57FFC9
                                                                                                                                                                            SHA-256:E0508F53E817C8A48EF2610AF9926670DE784AA2AFBBBED33ACEA78ED5F5F479
                                                                                                                                                                            SHA-512:E36E98363B4DEA0A8D8200304302FD574AB7D38723DFE7FEFD9A60F143535622BFD4A2B468C630AAABD4EE54D23A4336603967BC7855D04F185C16447DA66048
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-docs..description: Docs for a package in a web browser maybe..---....# npm-docs(1) ....## Docs for a package in a web browser maybe....### Synopsis....```bash..npm docs [<pkgname> [<pkgname> ...]]..npm docs ...npm home [<pkgname> [<pkgname> ...]]..npm home ...```....### Description....This command tries to guess at the likely location of a package's..documentation URL, and then tries to open it using the `--browser`..config param. You can pass multiple package names at once. If no..package name is provided, it will search for a `package.json` in..the current folder and use the `name` property.....### Configuration....#### browser....* Default: OS X: `"open"`, Windows: `"start"`, Others: `"xdg-open"`..* Type: String....The browser that is called by the `npm docs` command to open websites.....#### registry....* Default: https://registry.npmjs.org/..* Type: url....The base URL of the npm package registry.......### See Also....* [npm view](/cli-comma
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-doctor.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:UTF-8 Unicode text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):4864
                                                                                                                                                                            Entropy (8bit):4.689107814650677
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:pk9cQFiUHUj9ZdJoBOm/8z0Ikwa5D3v4Y42K8g3ZJB95bLf+l+D6k1zlTCQ:pk9cQP0JZd8//8AIkwa5D3w6K5LBfThj
                                                                                                                                                                            MD5:66F73AB77E7A119D665AE93207D85694
                                                                                                                                                                            SHA1:76A85B8AB5A9B4C4E493422C0F367C612F6D8AF2
                                                                                                                                                                            SHA-256:1E68270C3323D6A9A0E4D67D2DF53C9F777964E340FD84F6213627CF359A2115
                                                                                                                                                                            SHA-512:D97C6541206B2AD4830BE6ECAB28AF083CDEE3641E28436E91575CC51855447238FEDC2B4A8F5863018A8FCFE5BCB3D354D5A2F30FD723AB28CD67D26F9313FD
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-doctor..description: Check your environments..---....# npm-doctor(1)....## Check your environments....### Synopsis....```bash..npm doctor..```....### Description....`npm doctor` runs a set of checks to ensure that your npm installation has..what it needs to manage your JavaScript packages. npm is mostly a standalone tool, but it does..have some basic requirements that must be met:....+ Node.js and git must be executable by npm...+ The primary npm registry, `registry.npmjs.com`, or another service that uses.. the registry API, is available...+ The directories that npm uses, `node_modules` (both locally and globally),.. exist and can be written by the current user...+ The npm cache exists, and the package tarballs within it aren't corrupt.....Without all of these working properly, npm may not work properly. Many issues..are often attributable to things that are outside npm's code base, so `npm..doctor` confirms that the npm installation is in a
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-edit.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1132
                                                                                                                                                                            Entropy (8bit):4.8782316201557485
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:qRp0BG8dJDcLasFTlj++I3UqcFQGzocIMK9IC7F2HosymTnpiGN:qb0BG8d+L3pJ++EGzwK0F2IATnYGN
                                                                                                                                                                            MD5:AEAB52181B5131D3960EE2198DF05F60
                                                                                                                                                                            SHA1:89F870499216BC5C7D0BBF0B2EB28E3E8C8774D1
                                                                                                                                                                            SHA-256:8746A795D26343BA0DA07974562F16E340753DB274F226F86A4A75C8054DD808
                                                                                                                                                                            SHA-512:1F9E58EAF95C8BAEEBE55B686FF662A902D47831281D8A76E5BB67CD62852C389739EA45644561D34679F7899C7610D3968ED64D7E4B2CEE62EFAEC5634FF17B
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-edit..description: Edit an installed package..---....# npm-edit(1)....## Edit an installed package....### Synopsis....```bash..npm edit <pkg>[/<subpkg>...]..```....### Description....Selects a (sub)dependency in the current..working directory and opens the package folder in the default editor..(or whatever you've configured as the npm `editor` config -- see..[`npm-config`](npm-config).)....After it has been edited, the package is rebuilt so as to pick up any..changes in compiled packages.....For instance, you can do `npm install connect` to install connect..into your package, and then `npm edit connect` to make a few..changes to your locally installed copy.....### Configuration....#### editor....* Default: `EDITOR` environment variable if set, or `"vi"` on Posix,.. or `"notepad"` on Windows...* Type: path....The command to run for `npm edit` or `npm config edit`.....### See Also....* [npm folders](/configuring-npm/folders)..* [npm explore](/cli-
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-explore.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1098
                                                                                                                                                                            Entropy (8bit):4.898772985603958
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:gRxwhLaDilQ/HmUzbHF9LVqDAATdF8zCymSuKspy:gzwhLVQ/HbP/QtBSOSuKs4
                                                                                                                                                                            MD5:3C4DF18569971E20EEA2F1B5AC9B3E43
                                                                                                                                                                            SHA1:BEAD15AE629524CA43669E056AA7502BFA3CF0CC
                                                                                                                                                                            SHA-256:A3AD01D5884B291D2071520C75A9C74FA246F04110CEDEC6F82255164A736467
                                                                                                                                                                            SHA-512:237AB3F4748699597A250FFB22B7FFB88F255BA5B8A2F4A45604C096413A04B2AC965B426999581FF338C388B1BD2C049C2EB2C345DC1AD60211E154CABE1EE2
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-explore..description: Browse an installed package..---....# npm-explore(1)....## Browse an installed package....### Synopsis....```bash..npm explore <pkg> [ -- <command>]..```....### Description....Spawn a subshell in the directory of the installed package specified.....If a command is specified, then it is run in the subshell, which then..immediately terminates.....This is particularly handy in the case of git submodules in the..`node_modules` folder:....```bash..npm explore some-dependency -- git pull origin master..```....Note that the package is *not* automatically rebuilt afterwards, so be..sure to use `npm rebuild <pkg>` if you make any changes.....### Configuration....#### shell....* Default: SHELL environment variable, or "bash" on Posix, or "cmd" on.. Windows..* Type: path....The shell to run for the `npm explore` command.....### See Also....* [npm folders](/configuring-npm/folders)..* [npm edit](/cli-commands/edit)..* [npm rebuild](/c
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-fund.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1684
                                                                                                                                                                            Entropy (8bit):4.814232386519794
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:qR9FuSO58/O3w+vLFMry7dY2+J56YWsVKSDMRdk4fx2ciNXNrc6hnZHJkWGxpXN:q5uSE8/lry7dY1h3gzQXNQ6JkWGxlN
                                                                                                                                                                            MD5:9E1706E7857D9C1253F46964532E6A7E
                                                                                                                                                                            SHA1:F75E7BC0084CD3B4679C5D95277D4C0EA233486A
                                                                                                                                                                            SHA-256:6324907B083888A13522B19B44E7AA1117A977D71ED7BC892E0156FF37CB1704
                                                                                                                                                                            SHA-512:B67AD03F520721E326116E30AEDE8CA5DAF09062BFD743B999E3C019EFE695D2B91EA267BFF0CE095AB80A0AA0DDF27654637C5DFC18EA5103A6825AF2AB33D6
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-fund..description: Retrieve funding information..---....# npm-fund(1)....## Retrieve funding information....### Synopsis....```bash.. npm fund [<pkg>]..```....### Description....This command retrieves information on how to fund the dependencies of..a given project. If no package name is provided, it will list all..dependencies that are looking for funding in a tree-structure in which..are listed the type of funding and the url to visit. If a package name..is provided then it tries to open its funding url using the `--browser`..config param; if there are multiple funding sources for the package, the..user will be instructed to pass the `--which` command to disambiguate.....The list will avoid duplicated entries and will stack all packages..that share the same type/url as a single entry. Given this nature the..list is not going to have the same shape of the output from `npm ls`.....### Configuration....#### browser....* Default: OS X: `"open"`,
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-help-search.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):949
                                                                                                                                                                            Entropy (8bit):4.721337830488287
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:qRZL/xQBVhz5R6lN2+KLXEx8R0Phr2fplBSGlLTkmsJFl4rhrG:qr/eBVhNo2xJWBqlB7VRlFG
                                                                                                                                                                            MD5:B76F112A2967A09F12499BC0309FF242
                                                                                                                                                                            SHA1:1FBF5AC90FA634273AF01ADDBB1EAC4B9A0AB69C
                                                                                                                                                                            SHA-256:7C0C5A450517647EE6DD33DD6DCBCEEDDB56184F3A91BF3BF0AF984F598106A2
                                                                                                                                                                            SHA-512:DD25081D32BEA2B322AE5B36E15E4996253F38AE289A384D2FBBD034EC4F8E42FC848FE7C42C4380AF9B75ABC7A69A6F816AA6081D21CB76873717C827D4053A
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-help-search..description: Search npm help documentation..---....# npm-help-search(1)....## Search npm help documentation....### Synopsis....```bash..npm help-search <text>..```....### Description....This command will search the npm markdown documentation files for the..terms provided, and then list the results, sorted by relevance.....If only one result is found, then it will show that help topic.....If the argument to `npm help` is not a known help topic, then it will..call `help-search`. It is rarely if ever necessary to call this..command directly.....### Configuration....#### long....* Type: Boolean..* Default: false....If true, the "long" flag will cause help-search to output context around..where the terms were found in the documentation.....If false, then help-search will just list out the help topics found.....### See Also....* [npm](/cli-commands/npm)..* [npm help](/cli-commands/help)..
                                                                                                                                                                            C:\Users\user\qnodejs-node-v13.13.0-win-x64.tmp130965438539\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-help.md
                                                                                                                                                                            Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1025
                                                                                                                                                                            Entropy (8bit):4.893264578969805
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:qR5Nhv+JF9k7ZpOQQhYUGuZBMigh9ymsG8rGN:qjvmFqp72jjMz/sG9N
                                                                                                                                                                            MD5:AC2D5F27FA28131432D450C91C617308
                                                                                                                                                                            SHA1:FFC4EF58FD0EC9F81519E2AF217D73BEA20E9FF8
                                                                                                                                                                            SHA-256:58D8AC9AE525CF0B78348CE257D98AB97AF41B7DCC5675A38E81A97B520C8AB9
                                                                                                                                                                            SHA-512:6E8E43725D166C28C2ECBC063A043D8114E3B024A0D2D1C88453828B44C48C868683E647A050AF9F01837ED69FBC9772A724315139E14EF7ECCAC918ECD143AC
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview: ---..section: cli-commands ..title: npm-help..description: Get help on npm..---....# npm-help(1)....## Get help on npm....### Synopsis....```bash..npm help <term> [<terms..>]..```....### Description....If supplied a topic, then show the appropriate documentation page.....If the topic does not exist, or if multiple terms are provided, then run..the `help-search` command to find a match. Note that, if `help-search`..finds a single subject, then it will run `help` on that topic, so unique..matches are equivalent to specifying a topic name.....### Configuration....#### viewer....* Default: "man" on Posix, "browser" on Windows..* Type: path....The program to use to view help content.....Set to `"browser"` to view html help content in the default web browser.....### See Also....* [npm](/cli-commands/npm)..* [npm folders](/configuring-npm/folders)..* [npm config](/cli-commands/config)..* [npmrc](/configuring-npm/npmrc)..* [package.json](/configuring-npm/package-json)..* [npm help-search](/cl

                                                                                                                                                                            Static File Info

                                                                                                                                                                            General

                                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Entropy (8bit):7.999672247327866
                                                                                                                                                                            TrID:
                                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                                                                                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                            • VXD Driver (31/22) 0.00%
                                                                                                                                                                            File name:31.exe
                                                                                                                                                                            File size:13128192
                                                                                                                                                                            MD5:af8e86c5d4198549f6375df9378f983c
                                                                                                                                                                            SHA1:7ab5ed449b891bd4899fba62d027a2cc26a05e6f
                                                                                                                                                                            SHA256:7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
                                                                                                                                                                            SHA512:137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
                                                                                                                                                                            SSDEEP:393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r
                                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2.....F............... ....@........................................................................

                                                                                                                                                                            File Icon

                                                                                                                                                                            Icon Hash:c6b0d0c4d4d0b0ce

                                                                                                                                                                            Static PE Info

                                                                                                                                                                            General

                                                                                                                                                                            Entrypoint:0x401000
                                                                                                                                                                            Entrypoint Section:.code
                                                                                                                                                                            Digitally signed:false
                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                                                                                                            DLL Characteristics:
                                                                                                                                                                            Time Stamp:0x5A7375F8 [Thu Feb 1 20:18:00 2018 UTC]
                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                            OS Version Major:4
                                                                                                                                                                            OS Version Minor:0
                                                                                                                                                                            File Version Major:4
                                                                                                                                                                            File Version Minor:0
                                                                                                                                                                            Subsystem Version Major:4
                                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                                            Import Hash:5877688b4859ffd051f6be3b8e0cd533

                                                                                                                                                                            Entrypoint Preview

                                                                                                                                                                            Instruction
                                                                                                                                                                            push 000000ACh
                                                                                                                                                                            push 00000000h
                                                                                                                                                                            push 00417008h
                                                                                                                                                                            call 00007F7870974C61h
                                                                                                                                                                            add esp, 0Ch
                                                                                                                                                                            push 00000000h
                                                                                                                                                                            call 00007F7870974C5Ah
                                                                                                                                                                            mov dword ptr [0041700Ch], eax
                                                                                                                                                                            push 00000000h
                                                                                                                                                                            push 00001000h
                                                                                                                                                                            push 00000000h
                                                                                                                                                                            call 00007F7870974C47h
                                                                                                                                                                            mov dword ptr [00417008h], eax
                                                                                                                                                                            call 00007F7870974BC1h
                                                                                                                                                                            mov eax, 00416084h
                                                                                                                                                                            mov dword ptr [0041702Ch], eax
                                                                                                                                                                            call 00007F787097D982h
                                                                                                                                                                            call 00007F787097D6EEh
                                                                                                                                                                            call 00007F787097A5E8h
                                                                                                                                                                            call 00007F7870979E6Ch
                                                                                                                                                                            call 00007F78709798FFh
                                                                                                                                                                            call 00007F7870979679h
                                                                                                                                                                            call 00007F787097919Dh
                                                                                                                                                                            call 00007F787097891Dh
                                                                                                                                                                            call 00007F7870974F45h
                                                                                                                                                                            call 00007F787097C268h
                                                                                                                                                                            call 00007F787097AD10h
                                                                                                                                                                            mov edx, 0041602Ah
                                                                                                                                                                            lea ecx, dword ptr [00417014h]
                                                                                                                                                                            call 00007F7870974BD8h
                                                                                                                                                                            push FFFFFFF5h
                                                                                                                                                                            call 00007F7870974BE8h
                                                                                                                                                                            mov dword ptr [00417034h], eax
                                                                                                                                                                            mov eax, 00000200h
                                                                                                                                                                            push eax
                                                                                                                                                                            lea eax, dword ptr [004170B0h]
                                                                                                                                                                            push eax
                                                                                                                                                                            xor eax, eax
                                                                                                                                                                            push eax
                                                                                                                                                                            push 00000015h
                                                                                                                                                                            push 00000004h
                                                                                                                                                                            call 00007F78709798C2h
                                                                                                                                                                            push dword ptr [00417098h]

                                                                                                                                                                            Data Directories

                                                                                                                                                                             Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_IMPORT          0x16174          0xc8          .data
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_RESOURCE        0x18000          0xc6ff08      .rsrc
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_IAT             0x16468          0x22c         .data
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                                                                                                                             IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name      Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.code     0x1000           0x37f0        0x3800    False     0.472307477679   data       5.61235572875  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.text     0x5000           0xcfa2        0xd000    False     0.513502854567   data       6.58582031604  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata    0x12000          0x33a0        0x3400    False     0.804612379808   data       7.1102355063   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data     0x16000          0x1724        0x1200    False     0.390625         data       4.93818143768  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc     0x18000          0xc6ff08      0xc70000  unknown   unknown          unknown    unknown        IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name           RVA       Size      Type                                                                        Language  Country
RT_ICON        0x19324   0x4faa    PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
RT_RCDATA      0x1e2d0   0x6062d   data
RT_RCDATA      0x7e900   0x28884c  data
RT_RCDATA      0x30714c  0x6ace    data
RT_RCDATA      0x30dc1c  0x6b86    data
RT_RCDATA      0x3147a4  0x5c456   data
RT_RCDATA      0x370bfc  0xf35b8   data
RT_RCDATA      0x4641b4  0x5b92    data
RT_RCDATA      0x469d48  0x1297f   data
RT_RCDATA      0x47c6c8  0x5da0d   data
RT_RCDATA      0x4da0d8  0x2001    SysEx File - Twister
RT_RCDATA      0x4dc0dc  0x7fc55   data
RT_RCDATA      0x55bd34  0x46ea1   data
RT_RCDATA      0x5a2bd8  0x28864c  data
RT_RCDATA      0x82b224  0x6977    data
RT_RCDATA      0x831b9c  0x6bbe    data
RT_RCDATA      0x83875c  0x2e9     data
RT_RCDATA      0x838a48  0x17146a  data
RT_RCDATA      0x9a9eb4  0xa77a    data
RT_RCDATA      0x9b4630  0x6bbb    data
RT_RCDATA      0x9bb1ec  0x6c37c   data
RT_RCDATA      0xa27568  0x552     data
RT_RCDATA      0xa27abc  0x6       data
RT_RCDATA      0xa27ac4  0x68bb    data
RT_RCDATA      0xa2e380  0x1600    data
RT_RCDATA      0xa2f980  0x6df8    data
RT_RCDATA      0xa36778  0x10eda   data
RT_RCDATA      0xa47654  0x1       very short file (no magic)
RT_RCDATA      0xa47658  0x6b4f    data
RT_RCDATA      0xa4e1a8  0xf479    data
RT_RCDATA      0xa5d624  0x47b4d   data
RT_RCDATA      0xaa5174  0x15      zlib compressed data
RT_RCDATA      0xaa518c  0x8f0a6   PGP\011Secret Sub-key -
RT_RCDATA      0xb34234  0x4f041   data
RT_RCDATA      0xb83278  0x4913a   data
RT_RCDATA      0xbcc3b4  0x5ad44   data
RT_RCDATA      0xc270f8  0x60856   data
RT_GROUP_ICON  0xc87950  0x14      data
RT_VERSION     0xc87964  0x304     data
RT_MANIFEST    0xc87c68  0x2a0     XML 1.0 document, ASCII text, with very long lines, with no line terminators

Imports

DLL           Import
MSVCRT.dll    memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, memcpy, tolower, wcscat, malloc
KERNEL32.dll  GetModuleHandleW, HeapCreate, GetStdHandle, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, GetExitCodeProcess, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetNativeSystemInfo, GetShortPathNameW, GetWindowsDirectoryW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, Sleep, GetProcAddress, GetVersionExW, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, TerminateProcess, SetUnhandledExceptionFilter, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, InterlockedCompareExchange, InterlockedExchange, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, DuplicateHandle, RegisterWaitForSingleObject
USER32.DLL    CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, DestroyWindow, GetWindowLongW, GetWindowTextLengthW, GetWindowTextW, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, EnableWindow, GetSystemMetrics, CreateWindowExW, SetWindowLongW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
GDI32.DLL     GetStockObject
COMCTL32.DLL  InitCommonControlsEx
SHELL32.DLL   ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
WINMM.DLL     timeBeginPeriod
OLE32.DLL     CoInitialize, CoTaskMemFree
SHLWAPI.DLL   PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW

Version Infos

Description       Data
LegalCopyright    fuck
InternalName      fuck
FileVersion       fuck
CompanyName       fuck
PrivateBuild      fuck
LegalTrademarks   fuck
Comments          fuck
ProductName       fuck
SpecialBuild      fuck
ProductVersion    fuck
FileDescription   fuck
OriginalFilename  fuck
Translation       0x0000 0x04e4

Network Behavior

Network Port Distribution

TCP Packets

                                                                                                                                                                            Nov 24, 2020 09:25:39.655044079 CET49712443192.168.2.5104.20.22.46
                                                                                                                                                                            Nov 24, 2020 09:25:39.655055046 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.655073881 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.655095100 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.655116081 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.655117989 CET49712443192.168.2.5104.20.22.46
                                                                                                                                                                            Nov 24, 2020 09:25:39.655134916 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.655150890 CET49712443192.168.2.5104.20.22.46
                                                                                                                                                                            Nov 24, 2020 09:25:39.655152082 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.655168056 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.655177116 CET49712443192.168.2.5104.20.22.46
                                                                                                                                                                            Nov 24, 2020 09:25:39.655179977 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.655217886 CET49712443192.168.2.5104.20.22.46
                                                                                                                                                                            Nov 24, 2020 09:25:39.655256987 CET49712443192.168.2.5104.20.22.46
                                                                                                                                                                            Nov 24, 2020 09:25:39.656661987 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656687975 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656698942 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656708002 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656721115 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656737089 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656749964 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656765938 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656781912 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656795025 CET49712443192.168.2.5104.20.22.46
                                                                                                                                                                            Nov 24, 2020 09:25:39.656799078 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656819105 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656836987 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656842947 CET49712443192.168.2.5104.20.22.46
                                                                                                                                                                            Nov 24, 2020 09:25:39.656851053 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656867027 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656883955 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656898022 CET49712443192.168.2.5104.20.22.46
                                                                                                                                                                            Nov 24, 2020 09:25:39.656899929 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.656930923 CET49712443192.168.2.5104.20.22.46
                                                                                                                                                                            Nov 24, 2020 09:25:39.656960964 CET49712443192.168.2.5104.20.22.46
                                                                                                                                                                            Nov 24, 2020 09:25:39.671416044 CET44349712104.20.22.46192.168.2.5
                                                                                                                                                                            Nov 24, 2020 09:25:39.671451092 CET44349712104.20.22.46192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 24, 2020 09:25:39.268326044 CET | 192.168.2.5 | 8.8.8.8 | 0x7a43 | Standard query (0) | nodejs.org | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:05.682933092 CET | 192.168.2.5 | 8.8.8.8 | 0xac3a | Standard query (0) | telete.in | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:10.383198977 CET | 192.168.2.5 | 8.8.8.8 | 0x9cef | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:11.446753025 CET | 192.168.2.5 | 8.8.8.8 | 0x9cef | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:12.714274883 CET | 192.168.2.5 | 8.8.8.8 | 0x9cef | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:16.073544025 CET | 192.168.2.5 | 8.8.8.8 | 0x6425 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:17.327871084 CET | 192.168.2.5 | 8.8.8.8 | 0x6425 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:18.498929024 CET | 192.168.2.5 | 8.8.8.8 | 0x6425 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:20.614865065 CET | 192.168.2.5 | 8.8.8.8 | 0x6425 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:23.047736883 CET | 192.168.2.5 | 8.8.8.8 | 0xf79 | Standard query (0) | telete.in | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:40.964576006 CET | 192.168.2.5 | 8.8.8.8 | 0xcaf9 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:42.157048941 CET | 192.168.2.5 | 8.8.8.8 | 0xcaf9 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:42.776110888 CET | 192.168.2.5 | 8.8.8.8 | 0x77a1 | Standard query (0) | smtp.yandex.com | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:43.324320078 CET | 192.168.2.5 | 8.8.8.8 | 0xcaf9 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:45.512393951 CET | 192.168.2.5 | 8.8.8.8 | 0xcaf9 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:50.880844116 CET | 192.168.2.5 | 8.8.8.8 | 0x89a2 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:52.081027031 CET | 192.168.2.5 | 8.8.8.8 | 0x89a2 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:53.299964905 CET | 192.168.2.5 | 8.8.8.8 | 0x89a2 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:26:55.513952971 CET | 192.168.2.5 | 8.8.8.8 | 0x89a2 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:02.638164043 CET | 192.168.2.5 | 8.8.8.8 | 0x439f | Standard query (0) | sibelikinciel.xyz | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:02.842159033 CET | 192.168.2.5 | 8.8.8.8 | 0x87f6 | Standard query (0) | sibelikinciel.xyz | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:03.055341959 CET | 192.168.2.5 | 8.8.8.8 | 0x120d | Standard query (0) | sibelikinciel.xyz | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:10.056058884 CET | 192.168.2.5 | 8.8.8.8 | 0x633c | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:11.165030003 CET | 192.168.2.5 | 8.8.8.8 | 0x5e9e | Standard query (0) | telete.in | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:11.214669943 CET | 192.168.2.5 | 8.8.8.8 | 0x633c | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:12.330944061 CET | 192.168.2.5 | 8.8.8.8 | 0x633c | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:15.018429041 CET | 192.168.2.5 | 8.8.8.8 | 0x633c | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:17.776218891 CET | 192.168.2.5 | 8.8.8.8 | 0xc7c3 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:18.185502052 CET | 192.168.2.5 | 8.8.8.8 | 0xcb81 | Standard query (0) | telete.in | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:18.962304115 CET | 192.168.2.5 | 8.8.8.8 | 0xc7c3 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:20.128969908 CET | 192.168.2.5 | 8.8.8.8 | 0xc7c3 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:22.327970982 CET | 192.168.2.5 | 8.8.8.8 | 0xc7c3 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:25.212737083 CET | 192.168.2.5 | 8.8.8.8 | 0x1700 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:26.493582010 CET | 192.168.2.5 | 8.8.8.8 | 0x1700 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:27.696723938 CET | 192.168.2.5 | 8.8.8.8 | 0x1700 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:29.950222969 CET | 192.168.2.5 | 8.8.8.8 | 0x1700 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:32.425625086 CET | 192.168.2.5 | 8.8.8.8 | 0xec4c | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:33.802175999 CET | 192.168.2.5 | 8.8.8.8 | 0xec4c | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:35.039921999 CET | 192.168.2.5 | 8.8.8.8 | 0xec4c | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:37.347503901 CET | 192.168.2.5 | 8.8.8.8 | 0xec4c | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:39.392579079 CET | 192.168.2.5 | 8.8.8.8 | 0x3e | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:40.725584984 CET | 192.168.2.5 | 8.8.8.8 | 0x3e | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:41.896480083 CET | 192.168.2.5 | 8.8.8.8 | 0x3e | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:44.082806110 CET | 192.168.2.5 | 8.8.8.8 | 0x3e | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:46.634996891 CET | 192.168.2.5 | 8.8.8.8 | 0x6a28 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:48.173460960 CET | 192.168.2.5 | 8.8.8.8 | 0x6a28 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:49.390487909 CET | 192.168.2.5 | 8.8.8.8 | 0x6a28 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:51.604049921 CET | 192.168.2.5 | 8.8.8.8 | 0x6a28 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:51.900012016 CET | 192.168.2.5 | 8.8.8.8 | 0x13f7 | Standard query (0) | smtp.ecojett.co | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:53.557974100 CET | 192.168.2.5 | 8.8.8.8 | 0xbfc4 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:54.753536940 CET | 192.168.2.5 | 8.8.8.8 | 0xbfc4 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:56.085397005 CET | 192.168.2.5 | 8.8.8.8 | 0xbfc4 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:56.141482115 CET | 192.168.2.5 | 8.8.8.8 | 0x799d | Standard query (0) | runeurotoolz.hopto.org | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:58.361831903 CET | 192.168.2.5 | 8.8.8.8 | 0xbfc4 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:27:58.934884071 CET | 192.168.2.5 | 8.8.8.8 | 0xcfb2 | Standard query (0) | www.sensomaticloadcell.com | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:00.486381054 CET | 192.168.2.5 | 8.8.8.8 | 0xdae | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:01.075553894 CET | 192.168.2.5 | 8.8.8.8 | 0xbc2a | Standard query (0) | smtp.yandex.com | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:01.340651989 CET | 192.168.2.5 | 8.8.8.8 | 0x2947 | Standard query (0) | smtp.yandex.com | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:01.729120970 CET | 192.168.2.5 | 8.8.8.8 | 0xdae | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:02.975703955 CET | 192.168.2.5 | 8.8.8.8 | 0xdae | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:05.293260098 CET | 192.168.2.5 | 8.8.8.8 | 0xdae | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:06.482104063 CET | 192.168.2.5 | 8.8.8.8 | 0x1209 | Standard query (0) | runeurotoolz.hopto.org | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:07.663281918 CET | 192.168.2.5 | 8.8.8.8 | 0x99a5 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:08.902590036 CET | 192.168.2.5 | 8.8.8.8 | 0x99a5 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:10.162061930 CET | 192.168.2.5 | 8.8.8.8 | 0x99a5 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:12.384720087 CET | 192.168.2.5 | 8.8.8.8 | 0x99a5 | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:14.337162971 CET | 192.168.2.5 | 8.8.8.8 | 0xe89e | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:15.640055895 CET | 192.168.2.5 | 8.8.8.8 | 0xe89e | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:16.870069027 CET | 192.168.2.5 | 8.8.8.8 | 0xe89e | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:17.543220043 CET | 192.168.2.5 | 8.8.8.8 | 0x8c38 | Standard query (0) | runeurotoolz.hopto.org | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:19.121113062 CET | 192.168.2.5 | 8.8.8.8 | 0xe89e | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:21.929404974 CET | 192.168.2.5 | 8.8.8.8 | 0xb99d | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:23.174340963 CET | 192.168.2.5 | 8.8.8.8 | 0xb99d | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:24.421922922 CET | 192.168.2.5 | 8.8.8.8 | 0xb99d | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:26.729981899 CET | 192.168.2.5 | 8.8.8.8 | 0xb99d | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:28.311961889 CET | 192.168.2.5 | 8.8.8.8 | 0xd9a9 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:28.911278009 CET | 192.168.2.5 | 8.8.8.8 | 0x29a4 | Standard query (0) | runeurotoolz.hopto.org | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:29.467081070 CET | 192.168.2.5 | 8.8.8.8 | 0x73ce | Standard query (0) | ffvgdsv.ug | A (IP address) | IN (0x0001)
Nov 24, 2020 09:28:30.005181074 CET | 192.168.2.5 | 8.8.8.8 | 0x8036 | Standard query (0) | www.fisioservice.com | A (IP address) | IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:30.538712978 CET192.168.2.58.8.8.80x8a0dStandard query (0)tdaztq.by.files.1drv.comA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:30.795193911 CET192.168.2.58.8.8.80x73ceStandard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:32.060585976 CET192.168.2.58.8.8.80x73ceStandard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:34.367872953 CET192.168.2.58.8.8.80x73ceStandard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:34.375983953 CET192.168.2.58.8.8.80xa783Standard query (0)shawcn1.sytes.netA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:36.250082016 CET192.168.2.58.8.8.80x10a0Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:38.061779976 CET192.168.2.58.8.8.80x10a0Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:39.287987947 CET192.168.2.58.8.8.80x10a0Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:39.924760103 CET192.168.2.58.8.8.80x8c40Standard query (0)shawcn1.sytes.netA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:40.062524080 CET192.168.2.58.8.8.80xf67Standard query (0)runeurotoolz.hopto.orgA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:43.079086065 CET192.168.2.58.8.8.80x4e48Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:44.331168890 CET192.168.2.58.8.8.80x4e48Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:45.565404892 CET192.168.2.58.8.8.80x4e48Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:45.692405939 CET192.168.2.58.8.8.80x427dStandard query (0)shawcn1.sytes.netA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:47.844793081 CET192.168.2.58.8.8.80x4e48Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:50.235812902 CET192.168.2.58.8.8.80xa039Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:50.816322088 CET192.168.2.58.8.8.80x56c8Standard query (0)runeurotoolz.hopto.orgA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:51.158057928 CET192.168.2.58.8.8.80xe0faStandard query (0)shawcn1.sytes.netA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:51.453821898 CET192.168.2.58.8.8.80xa039Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:52.674376011 CET192.168.2.58.8.8.80xa039Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:54.954263926 CET192.168.2.58.8.8.80xa039Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:56.660072088 CET192.168.2.58.8.8.80xb50dStandard query (0)shawcn1.sytes.netA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:57.190537930 CET192.168.2.58.8.8.80xec03Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:58.429991961 CET192.168.2.58.8.8.80xec03Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:59.750230074 CET192.168.2.58.8.8.80xec03Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:01.723103046 CET192.168.2.58.8.8.80xbfb2Standard query (0)runeurotoolz.hopto.orgA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:02.095407963 CET192.168.2.58.8.8.80xec03Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:03.071640968 CET192.168.2.58.8.8.80x4731Standard query (0)shawcn1.sytes.netA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:04.166924000 CET192.168.2.58.8.8.80xcc3Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:05.454869986 CET192.168.2.58.8.8.80xcc3Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:06.751894951 CET192.168.2.58.8.8.80xcc3Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:08.647159100 CET192.168.2.58.8.8.80x5a45Standard query (0)www.bestmedicationstore.comA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:08.783937931 CET192.168.2.58.8.8.80x8a95Standard query (0)shawcn1.sytes.netA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:09.070981979 CET192.168.2.58.8.8.80xcc3Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:11.545669079 CET192.168.2.58.8.8.80x7a85Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:12.271002054 CET192.168.2.58.8.8.80xeff8Standard query (0)runeurotoolz.hopto.orgA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:12.761178970 CET192.168.2.58.8.8.80x7a85Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:14.024912119 CET192.168.2.58.8.8.80x7a85Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:14.362282991 CET192.168.2.58.8.8.80x5bbfStandard query (0)shawcn1.sytes.netA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:16.214539051 CET192.168.2.58.8.8.80x7a85Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:18.253427029 CET192.168.2.58.8.8.80x8f49Standard query (0)ffvgdsv.ugA (IP address)IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                                                                                                            Nov 24, 2020 09:28:13.930882931 CET8.8.8.8192.168.2.50x99a5Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:15.190160990 CET8.8.8.8192.168.2.50x99a5Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:17.412256956 CET8.8.8.8192.168.2.50x99a5Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:17.582700968 CET8.8.8.8192.168.2.50x8c38No error (0)runeurotoolz.hopto.org0.0.0.0A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:19.365319014 CET8.8.8.8192.168.2.50xe89eServer failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:20.667649984 CET8.8.8.8192.168.2.50xe89eServer failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:21.898422003 CET8.8.8.8192.168.2.50xe89eServer failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:24.149513960 CET8.8.8.8192.168.2.50xe89eServer failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:26.957573891 CET8.8.8.8192.168.2.50xb99dServer failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:28.202641964 CET8.8.8.8192.168.2.50xb99dServer failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:28.339346886 CET8.8.8.8192.168.2.50xd9a9No error (0)onedrive.live.comodc-web-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:28.948890924 CET8.8.8.8192.168.2.50x29a4No error (0)runeurotoolz.hopto.org0.0.0.0A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:29.450057983 CET8.8.8.8192.168.2.50xb99dServer failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:30.130388021 CET8.8.8.8192.168.2.50x8036No error (0)www.fisioservice.comHDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:30.130388021 CET8.8.8.8192.168.2.50x8036No error (0)HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com3.223.115.185A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:30.623635054 CET8.8.8.8192.168.2.50x8a0dNo error (0)tdaztq.by.files.1drv.comby-files.fe.1drv.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:30.623635054 CET8.8.8.8192.168.2.50x8a0dNo error (0)by-files.fe.1drv.comodc-by-files-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:31.757539034 CET8.8.8.8192.168.2.50xb99dServer failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:34.413445950 CET8.8.8.8192.168.2.50xa783No error (0)shawcn1.sytes.net0.0.0.0A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:34.495026112 CET8.8.8.8192.168.2.50x73ceServer failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:35.822901011 CET8.8.8.8192.168.2.50x73ceServer failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:37.088732958 CET8.8.8.8192.168.2.50x73ceServer failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:39.395796061 CET8.8.8.8192.168.2.50x73ceServer failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:39.962738991 CET8.8.8.8192.168.2.50x8c40No error (0)shawcn1.sytes.net0.0.0.0A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:40.098014116 CET8.8.8.8192.168.2.50xf67No error (0)runeurotoolz.hopto.org0.0.0.0A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:41.278275967 CET8.8.8.8192.168.2.50x10a0Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:43.089540958 CET8.8.8.8192.168.2.50x10a0Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:44.315501928 CET8.8.8.8192.168.2.50x10a0Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:45.730535030 CET8.8.8.8192.168.2.50x427dNo error (0)shawcn1.sytes.net0.0.0.0A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:48.106796026 CET8.8.8.8192.168.2.50x4e48Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:49.359690905 CET8.8.8.8192.168.2.50x4e48Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:50.593556881 CET8.8.8.8192.168.2.50x4e48Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:50.852030993 CET8.8.8.8192.168.2.50x56c8No error (0)runeurotoolz.hopto.org0.0.0.0A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:51.193794012 CET8.8.8.8192.168.2.50xe0faNo error (0)shawcn1.sytes.net0.0.0.0A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:52.872883081 CET8.8.8.8192.168.2.50x4e48Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:55.263794899 CET8.8.8.8192.168.2.50xa039Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:56.481632948 CET8.8.8.8192.168.2.50xa039Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:56.697802067 CET8.8.8.8192.168.2.50xb50dNo error (0)shawcn1.sytes.net0.0.0.0A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:57.702299118 CET8.8.8.8192.168.2.50xa039Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:28:59.982451916 CET8.8.8.8192.168.2.50xa039Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:01.758682013 CET8.8.8.8192.168.2.50xbfb2No error (0)runeurotoolz.hopto.org0.0.0.0A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:02.218291044 CET8.8.8.8192.168.2.50xec03Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:03.107014894 CET8.8.8.8192.168.2.50x4731No error (0)shawcn1.sytes.net0.0.0.0A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:03.457192898 CET8.8.8.8192.168.2.50xec03Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:04.777878046 CET8.8.8.8192.168.2.50xec03Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:07.122875929 CET8.8.8.8192.168.2.50xec03Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:08.694153070 CET8.8.8.8192.168.2.50x5a45Name error (3)www.bestmedicationstore.comnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:08.819622040 CET8.8.8.8192.168.2.50x8a95No error (0)shawcn1.sytes.net0.0.0.0A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:09.194823027 CET8.8.8.8192.168.2.50xcc3Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:10.482996941 CET8.8.8.8192.168.2.50xcc3Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:11.779402018 CET8.8.8.8192.168.2.50xcc3Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:12.306396961 CET8.8.8.8192.168.2.50xeff8No error (0)runeurotoolz.hopto.org0.0.0.0A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:14.989147902 CET8.8.8.8192.168.2.50xcc3Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:15.014022112 CET8.8.8.8192.168.2.50x5bbfNo error (0)shawcn1.sytes.net0.0.0.0A (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:16.573693991 CET8.8.8.8192.168.2.50x7a85Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                            Nov 24, 2020 09:29:17.789237022 CET8.8.8.8192.168.2.50x7a85Server failure (2)ffvgdsv.ugnonenoneA (IP address)IN (0x0001)
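Three things in this DNS answer list are worth pulling out automatically rather than by eye: ffvgdsv.ug is answered with SERVFAIL over and over at one-to-two second spacing (a client that keeps retrying a dead name), runeurotoolz.hopto.org and shawcn1.sytes.net are free dynamic-DNS hostnames that resolve to 0.0.0.0 (not a usable address), and www.bestmedicationstore.com does not exist at all. The Python below is an added example written for this page, not part of the Joe Sandbox report or its tooling. The sample rows are transcribed from the table above into a pipe-delimited layout of my own; the tag names, the SERVFAIL threshold of 3 and the short dynamic-DNS suffix list are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Rows transcribed from the DNS answers table above (my own pipe-delimited layout;
# the Source IP, Dest IP and Class columns are identical on every row and omitted).
# Columns: timestamp | trans id | reply code | name | cname | address | type
SAMPLE_ROWS = """\
Nov 24, 2020 09:27:58.974898100 CET | 0xcfb2 | No error (0) | sensomaticloadcell.com | - | 148.66.138.171 | A (IP address)
Nov 24, 2020 09:27:59.781841993 CET | 0xbfc4 | Server failure (2) | ffvgdsv.ug | none | none | A (IP address)
Nov 24, 2020 09:28:01.111572981 CET | 0xbc2a | No error (0) | smtp.yandex.com | smtp.yandex.ru | - | CNAME (Canonical name)
Nov 24, 2020 09:28:01.111572981 CET | 0xbc2a | No error (0) | smtp.yandex.ru | - | 77.88.21.158 | A (IP address)
Nov 24, 2020 09:28:01.113132000 CET | 0xbfc4 | Server failure (2) | ffvgdsv.ug | none | none | A (IP address)
Nov 24, 2020 09:28:03.390284061 CET | 0xbfc4 | Server failure (2) | ffvgdsv.ug | none | none | A (IP address)
Nov 24, 2020 09:28:05.514338970 CET | 0xdae | Server failure (2) | ffvgdsv.ug | none | none | A (IP address)
Nov 24, 2020 09:28:06.518193960 CET | 0x1209 | No error (0) | runeurotoolz.hopto.org | - | 0.0.0.0 | A (IP address)
Nov 24, 2020 09:28:34.413445950 CET | 0xa783 | No error (0) | shawcn1.sytes.net | - | 0.0.0.0 | A (IP address)
Nov 24, 2020 09:29:08.694153070 CET | 0x5a45 | Name error (3) | www.bestmedicationstore.com | none | none | A (IP address)
"""

# Assumption: a short list of free dynamic-DNS zones; a real deployment would load a fuller list.
DYNDNS_SUFFIXES = (".hopto.org", ".sytes.net", ".ddns.net", ".no-ip.org", ".zapto.org")

RCODE_RE = re.compile(r"\((\d+)\)")  # numeric RCODE inside "Server failure (2)" etc.


@dataclass(frozen=True)
class DnsAnswer:
    ts: datetime
    txid: str
    rcode: int      # 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN
    name: str
    cname: str
    address: str
    rtype: str      # "A", "CNAME", ...


def parse_timestamp(text):
    """'Nov 24, 2020 09:27:59.781841993 CET' -> datetime. strptime's %f accepts at most
    six digits, so the nanosecond field is truncated to microseconds and the zone label dropped."""
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_row(line):
    ts, txid, reply, name, cname, address, rtype = [c.strip() for c in line.split("|")]
    return DnsAnswer(parse_timestamp(ts), txid, int(RCODE_RE.search(reply).group(1)),
                     name, cname, address, rtype.split()[0])


def parse_table(text):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def triage(answers, servfail_threshold=3):
    """Return {name: [tags]} for every name that trips at least one check."""
    tags = defaultdict(set)
    servfails = Counter(a.name for a in answers if a.rcode == 2)
    for name, count in servfails.items():
        if count >= servfail_threshold:          # the client keeps retrying a name the resolver cannot serve
            tags[name].add("repeated-servfail")
    for a in answers:
        if a.rcode == 3:
            tags[a.name].add("nxdomain")
        if a.rtype == "A" and a.address == "0.0.0.0":   # an answer that can never be connected to
            tags[a.name].add("resolves-to-0.0.0.0")
        if a.name.endswith(DYNDNS_SUFFIXES):             # str.endswith accepts a tuple of suffixes
            tags[a.name].add("dynamic-dns")
    return {name: sorted(t) for name, t in sorted(tags.items())}


def retry_intervals(answers, name):
    """Seconds between consecutive answers for one name, to see how tightly the client retries."""
    times = sorted(a.ts for a in answers if a.name == name)
    return [round((later - earlier).total_seconds(), 3) for earlier, later in zip(times, times[1:])]


if __name__ == "__main__":
    rows = parse_table(SAMPLE_ROWS)
    for name, found in triage(rows).items():
        print(f"{name:30s} {', '.join(found)}")
    print("ffvgdsv.ug retry gaps (s):", retry_intervals(rows, "ffvgdsv.ug"))
```

Running it over the full table instead of the ten sample rows gives the same four flagged names; the retry gaps for ffvgdsv.ug stay in the one-to-two second range for the whole capture, which is the kind of cadence a blocklist of the C2 name alone would not stop, since the sample never gets an address to connect to in the first place.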

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 09:25:17
Start date: 24/11/2020
Path: C:\Users\user\Desktop\31.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\31.exe'
Imagebase: 0x400000
File size: 13128192 bytes
MD5 hash: AF8E86C5D4198549F6375DF9378F983C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000003.244904275.00000000037FB000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000003.245364175.0000000003820000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000003.243963950.00000000037E6000.00000004.00000001.sdmp, Author: Florian Roth
Reputation: low

General

Start time: 09:25:21
Start date: 24/11/2020
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\F93E.tmp\F93F.tmp\F940.bat C:\Users\user\Desktop\31.exe'
Imagebase: 0x7ff7eef80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:25:21
Start date: 24/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:25:22
Start date: 24/11/2020
Path: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\1.jar'
Imagebase: 0xe0000
File size: 192376 bytes
MD5 hash: 4BFEB2F64685DA09DEBB95FB981D4F65
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Java
Yara matches:
• Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000003.00000003.277524584.0000000002178000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000003.00000003.262372271.0000000002178000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000003.00000003.250295715.0000000002091000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000003.00000002.649277074.0000000002178000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000003.00000003.289049530.0000000002178000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000003.00000003.334171362.0000000002178000.00000004.00000001.sdmp, Author: Joe Security
Reputation: moderate

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:25:22
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\2.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\2.exe
                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                            File size:696320 bytes
                                                                                                                                                                            MD5 hash:715C838E413A37AA8DF1EF490B586AFD
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:Borland Delphi
                                                                                                                                                                            Yara matches:
                                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                            • Detection: 100%, Avira
                                                                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                            Reputation:low

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:25:23
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
                                                                                                                                                                            Imagebase:0x1090000
                                                                                                                                                                            File size:29696 bytes
                                                                                                                                                                            MD5 hash:FF0D1D4317A44C951240FAE75075D501
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:high

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:25:23
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\3.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\3.exe
                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                            File size:65536 bytes
                                                                                                                                                                            MD5 hash:D2E2C65FC9098A1C6A4C00F9036AA095
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:Visual Basic
                                                                                                                                                                            Reputation:low

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:25:23
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                            Imagebase:0x7ff7ecfc0000
                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:high

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:25:24
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\4.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\4.exe
                                                                                                                                                                            Imagebase:0x7ff797770000
                                                                                                                                                                            File size:2700800 bytes
                                                                                                                                                                            MD5 hash:EC7506C2B6460DF44C18E61D39D5B1C0
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:Borland Delphi
                                                                                                                                                                            Reputation:low

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:25:25
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\5.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\5.exe
                                                                                                                                                                            Imagebase:0x2e0000
                                                                                                                                                                            File size:11776 bytes
                                                                                                                                                                            MD5 hash:4FCC5DB607DBD9E1AFB6667AB040310E
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                            Reputation:low

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:25:25
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                            Imagebase:0x7ff7ecfc0000
                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:high

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:25:25
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                            Imagebase:0x7ff7ecfc0000
                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:high
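
The process entries in this report all follow one key/value layout, so they can be pulled into a triage list mechanically instead of read one card at a time. The Python below is an added example, not part of the Joe Sandbox report or its tooling. Its input is a constructed subset of three entries from this page (2.exe, icacls.exe and 6.exe, with some fields dropped). Splitting the memory-dump name in each Source field into process index, dump type, counter and address is an assumption about the naming scheme, as is reading a second field of 2 as the final dump and 3 as an intermediate one. The icacls entry matches what the JRE itself does on launch to its usage-tracker directory, which is why the example keys on Yara hits and reputation rather than on command lines alone.

```python
"""Parse the per-process 'General' entries of a Joe Sandbox report and
build a triage list: which processes matched Yara, for which families,
and the MD5s to block.  Added example; not the report's own tooling."""
import re

# Constructed input: three entries copied from the report on this page
# (2.exe, icacls.exe, 6.exe) with some fields dropped for brevity.
SAMPLE_REPORT = r"""
General

Path: C:\Users\user\AppData\Roaming\2.exe
Commandline: C:\Users\user\AppData\Roaming\2.exe
MD5 hash: 715C838E413A37AA8DF1EF490B586AFD
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Avira
Reputation: low

General

Path: C:\Windows\SysWOW64\icacls.exe
Commandline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
MD5 hash: FF0D1D4317A44C951240FAE75075D501
Programmed in: C, C++ or other language
Reputation: high

General

Path: C:\Users\user\AppData\Roaming\6.exe
Commandline: C:\Users\user\AppData\Roaming\6.exe
MD5 hash: CF04C482D91C7174616FB8E83288065A
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.275324672.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.263458830.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
Reputation: low
"""

BULLET = "•"
FIELD_RE = re.compile(r"^([^:]+?):\s*(.*)$")
# Assumed layout of a dump name: <proc index>.<dump type>.<counter>.<address>.<two flag words>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.(?P<ctr>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp$"
)


def parse_sdmp_source(name):
    """Split a dump file name into fields.  Assumption: dump type 2 is the
    final memory dump, 3 an intermediate one taken during the run."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    return {"proc_index": int(m["proc"], 16),
            "final_dump": int(m["kind"], 16) == 2,
            "address": int(m["addr"], 16)}


def parse_match_line(line):
    """'Rule: X, Description: Y, Source: Z, Author: W' -> dict.
    Only split on ', <Key>:' so commas inside descriptions survive."""
    parts = re.split(r",\s+(?=(?:Rule|Description|Source|Author):)", line)
    out = {}
    for part in parts:
        key, _, value = part.partition(":")
        out[key.strip()] = value.strip()
    return out


def parse_processes(text):
    """Return one dict per 'General' entry, with 'yara' and 'av' lists."""
    processes, current, list_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "General":                      # start of a new entry
            current = {"yara": [], "av": []}
            processes.append(current)
            list_key = None
            continue
        if current is None:
            continue
        if line.startswith(BULLET):                # item under the last list key
            body = line[len(BULLET):].strip()
            if list_key == "Yara matches":
                item = parse_match_line(body)
                item["dump"] = parse_sdmp_source(item.get("Source", ""))
                current["yara"].append(item)
            elif list_key == "Antivirus matches":
                av = re.match(r"Detection:\s*(\S+),\s*(.*)", body)
                if av:
                    current["av"].append({"detection": av.group(1), "engine": av.group(2)})
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        list_key = key if key in ("Yara matches", "Antivirus matches") else None
        if list_key is None:
            current[key] = value
    return processes


def family_of(rule):
    """Normalise 'JoeSecurity_FormBook', 'Formbook_1', 'Formbook' to 'formbook'."""
    name = rule.split("_", 1)[1] if rule.startswith("JoeSecurity_") else rule
    return re.sub(r"_\d+$", "", name).lower()


def triage(processes):
    """Keep entries with a Yara hit or low reputation; summarise each."""
    rows = []
    for p in processes:
        families = sorted({family_of(y["Rule"]) for y in p["yara"]})
        if not families and p.get("Reputation") != "low":
            continue
        rows.append({
            "path": p.get("Path"),
            "md5": p.get("MD5 hash"),
            "families": families,
            # hits in the final dump are the ones still resident at the end of the run
            "final_dump_hits": sum(1 for y in p["yara"] if y["dump"] and y["dump"]["final_dump"]),
            "av_engines": [a["engine"] for a in p["av"]],
        })
    return rows


if __name__ == "__main__":
    for row in triage(parse_processes(SAMPLE_REPORT)):
        print(row)
```

Feed the whole report's process section to `parse_processes` and the triage rows give the dropped-binary paths and MD5s to block, plus the family attributed to each, without reading every Yara line by hand.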

General

Start time: 09:25:25
Start date: 24/11/2020
Path: C:\Users\user\AppData\Roaming\6.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\6.exe
Imagebase: 0x400000
File size: 232605 bytes
MD5 hash: CF04C482D91C7174616FB8E83288065A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.275324672.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.263458830.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.265066076.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.287963750.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.280169669.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.268420361.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.262475690.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.283048211.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.277448460.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.276697801.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.264167632.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.271016364.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.279389121.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.289988537.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.285704890.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.290870908.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.286159622.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.284449736.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.278795874.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.286615752.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.278137679.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.280976286.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.289104670.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.266254092.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.285038700.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.288532255.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.283836994.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.281810104.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.276068079.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.287218753.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.261275471.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.282519580.0000000003430000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                            Reputation:low

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:25:26
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\7.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\7.exe
                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                            File size:65536 bytes
                                                                                                                                                                            MD5 hash:42D1CAF715D4BD2EA1FADE5DFFB95682
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:Visual Basic
                                                                                                                                                                            Reputation:low

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:25:27
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\8.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\8.exe
                                                                                                                                                                            Imagebase:0x7e0000
                                                                                                                                                                            File size:682496 bytes
                                                                                                                                                                            MD5 hash:DEA5598AAF3E9DCC3073BA73D972AB17
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                            Yara matches:
                                                                                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000003.506552159.00000000060E4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000000.260831311.00000000007E2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.515536645.00000000007E2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Roaming\8.exe, Author: Joe Security
                                                                                                                                                                            Reputation:low

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:25:37
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\2.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\2.exe
                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                            File size:696320 bytes
                                                                                                                                                                            MD5 hash:715C838E413A37AA8DF1EF490B586AFD
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Yara matches:
                                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                            Reputation:low

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:25:37
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\9.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\9.exe
                                                                                                                                                                            Imagebase:0x580000
                                                                                                                                                                            File size:762368 bytes
                                                                                                                                                                            MD5 hash:EA88F31D6CC55D8F7A9260245988DAB6
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                            Reputation:low

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:25:38
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\10.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\10.exe
                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                            File size:421888 bytes
                                                                                                                                                                            MD5 hash:68F96DA1FC809DCCDA4235955CA508B0
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                            • Detection: 100%, Avira
                                                                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                            • Detection: 27%, Metadefender, Browse
                                                                                                                                                                            • Detection: 87%, ReversingLabs
                                                                                                                                                                            Reputation:low

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:25:41
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\11.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\11.exe
                                                                                                                                                                            Imagebase:0x3f0000
                                                                                                                                                                            File size:367104 bytes
                                                                                                                                                                            MD5 hash:9D4DA0E623BB9BB818BE455B4C5E97D8
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                            • Detection: 100%, Avira
                                                                                                                                                                            • Detection: 100%, Joe Sandbox ML
• Detection: 66%, Metadefender
• Detection: 84%, ReversingLabs
Reputation: low

General

Start time: 09:25:42
Start date: 24/11/2020
Path: C:\Users\user\AppData\Roaming\12.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\12.exe
Imagebase: 0xfd0000
File size: 207872 bytes
MD5 hash: 192830B3974FA27116C067F019747B38
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 57%, Metadefender
• Detection: 71%, ReversingLabs
Reputation: low

General

Start time: 09:25:43
Start date: 24/11/2020
Path: C:\Users\user\AppData\Roaming\3.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\3.exe
Imagebase: 0x400000
File size: 65536 bytes
MD5 hash: D2E2C65FC9098A1C6A4C00F9036AA095
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 09:25:43
Start date: 24/11/2020
Path: C:\Users\user\AppData\Roaming\13.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\13.exe
Imagebase: 0x400000
File size: 69632 bytes
MD5 hash: 349F49BE2B024C5F7232F77F3ACD4FF6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Antivirus matches:
• Detection: 100%, Avira
• Detection: 19%, Metadefender
• Detection: 71%, ReversingLabs

General

Start time: 09:25:44
Start date: 24/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 09:25:45
Start date: 24/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 09:25:47
Start date: 24/11/2020
Path: C:\Users\user\AppData\Roaming\14.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\14.exe
Imagebase: 0x400000
File size: 507904 bytes
MD5 hash: 9ACD34BCFF86E2C01BF5E6675F013B17
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 22%, Metadefender
• Detection: 81%, ReversingLabs

General

Start time: 09:25:52
Start date: 24/11/2020
Path: C:\Users\user\AppData\Roaming\15.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\15.exe
Imagebase: 0x400000
File size: 65536 bytes
MD5 hash: D43D9558D37CDAC1690FDEEC0AF1B38D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Antivirus matches:
• Detection: 100%, Avira
• Detection: 16%, Metadefender
• Detection: 86%, ReversingLabs

General

Start time: 09:25:52
Start date: 24/11/2020
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
Imagebase: 0xa40000
File size: 59392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 09:25:56
Start date: 24/11/2020
Path: C:\Users\user\AppData\Roaming\16.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\16.exe
Imagebase: 0x400000
File size: 94720 bytes
MD5 hash: 56BA37144BD63D39F23D25DAE471054E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: MAL_Ransomware_Wadhrama, Description: Detects Wadhrama Ransomware via Imphash, Source: C:\Users\user\AppData\Roaming\16.exe, Author: Florian Roth
• Rule: JoeSecurity_Wadhrama, Description: Yara detected Wadhrama Ransomware, Source: C:\Users\user\AppData\Roaming\16.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML

General

Start time: 09:26:00
Start date: 24/11/2020
Path: C:\Users\user\AppData\Roaming\17.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\17.exe
Imagebase: 0x400000
File size: 508416 bytes
MD5 hash: 15A05615D617394AFC0231FC47444394
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML

General

Start time: 09:26:05
Start date: 24/11/2020
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe
Imagebase: 0x7ff7eef80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 09:26:05
Start date: 24/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 09:26:08
Start date: 24/11/2020
                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\13.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\13.exe
                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                            File size:69632 bytes
                                                                                                                                                                            MD5 hash:349F49BE2B024C5F7232F77F3ACD4FF6
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:26:09
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Windows\System32\mode.com
                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                            Commandline:mode con cp select=1251
                                                                                                                                                                            Imagebase:0x7ff68b140000
                                                                                                                                                                            File size:31232 bytes
                                                                                                                                                                            MD5 hash:1A3D2D975EB4A5AF22768F1E23C9A83C
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                            General

                                                                                                                                                                            Start time:09:26:10
                                                                                                                                                                            Start date:24/11/2020
                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\18.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\18.exe
                                                                                                                                                                            Imagebase:0xc60000
                                                                                                                                                                            File size:420864 bytes
                                                                                                                                                                            MD5 hash:BF15960DD7174427DF765FD9F9203521
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                            • Detection: 100%, Avira
                                                                                                                                                                            • Detection: 100%, Joe Sandbox ML

                                                                                                                                                                            Disassembly

                                                                                                                                                                            Code Analysis