Play interactive tour

Edit tour

Analysis Report gnRxs96FsV

Overview

General Information

Sample Name:	gnRxs96FsV (renamed file extension from none to exe)
Analysis ID:	373986
MD5:	5313e9992ef078a5e58f9f416ce99645
SHA1:	3efc88de42d37c02ee4f3ed4f78f7855d805869e
SHA256:	372fa440571b4ab1db28d8736c9014e11d8e27277c094062f2c444b6b97e8182
Tags:	Ransomware
Infos:
Most interesting Screenshot:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Binary contains a suspicious time stamp

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Abnormal high CPU Usage

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

gnRxs96FsV.exe (PID: 5376 cmdline: 'C:\Users\user\Desktop\gnRxs96FsV.exe' MD5: 5313E9992EF078A5E58F9F416CE99645)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: gnRxs96FsV.exe	Virustotal: Detection: 58%			Perma Link
Source: gnRxs96FsV.exe	ReversingLabs: Detection: 54%

Machine Learning detection for sample

Show sources

Source: gnRxs96FsV.exe

Joe Sandbox ML: detected

Source: gnRxs96FsV.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\aaa\source\repos\covid\covid\obj\Debug\covid.pdb source: gnRxs96FsV.exe

Source: C:\Users\user\Desktop\gnRxs96FsV.exe

Code function: 4x nop then dec eax

0_2_00007FFAEEB31D11

Source: gnRxs96FsV.exe, 00000000.00000003.201138555.000000001BA8B000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: gnRxs96FsV.exe, 00000000.00000003.198404633.000000001BA60000.00000004.00000001.sdmp	String found in binary or memory: http://en.wd
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: gnRxs96FsV.exe, 00000000.00000003.212479145.000000001BA63000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: gnRxs96FsV.exe, 00000000.00000003.206343542.000000001BA91000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: gnRxs96FsV.exe, 00000000.00000003.211449917.000000001BA9D000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: gnRxs96FsV.exe, 00000000.00000003.203864501.000000001BA64000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.commp
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: gnRxs96FsV.exe, 00000000.00000003.205058045.000000001BA9D000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Spam, unwanted Advertisements and Ransom Demands:

Modifies existing user documents (likely ransomware behavior)

Show sources

Source: C:\Users\user\Desktop\gnRxs96FsV.exe	File deleted: C:\Users\user\Desktop\DUUDTUBZFW.jpg	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	File deleted: C:\Users\user\Desktop\EWZCVGNOWT.png	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	File deleted: C:\Users\user\Desktop\BNAGMGSPLO.jpg	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	File deleted: C:\Users\user\Desktop\GAOBCVIQIJ.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	File deleted: C:\Users\user\Desktop\GAOBCVIQIJ.docx	Jump to behavior

Source: C:\Users\user\Desktop\gnRxs96FsV.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\gnRxs96FsV.exe

Code function: 0_2_00007FFAEEB3063D

0_2_00007FFAEEB3063D

Source: gnRxs96FsV.exe, 00000000.00000000.195804191.0000000000E06000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamecovid.exe, vs gnRxs96FsV.exe
Source: gnRxs96FsV.exe, 00000000.00000002.464718966.000000000129D000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs gnRxs96FsV.exe
Source: gnRxs96FsV.exe	Binary or memory string: OriginalFilenamecovid.exe, vs gnRxs96FsV.exe

Source: gnRxs96FsV.exe, Form1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.gnRxs96FsV.exe.e00000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.gnRxs96FsV.exe.e00000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal60.rans.winEXE@1/67@0/0

Source: C:\Users\user\Desktop\gnRxs96FsV.exe

File created: C:\Users\user\Desktop\BNAGMGSPLO.jpg.ncovid

Jump to behavior

Source: gnRxs96FsV.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gnRxs96FsV.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\gnRxs96FsV.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\gnRxs96FsV.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gnRxs96FsV.exe	Virustotal: Detection: 58%
Source: gnRxs96FsV.exe	ReversingLabs: Detection: 54%

Source: gnRxs96FsV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: gnRxs96FsV.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: gnRxs96FsV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\aaa\source\repos\covid\covid\obj\Debug\covid.pdb source: gnRxs96FsV.exe

Data Obfuscation:

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xF4D93BFE [Thu Mar 4 21:02:54 2100 UTC]

Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Code function: 0_2_00E02312 push rax; ret		0_2_00E02313
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Code function: 0_2_00E0248A push rax; ret		0_2_00E0248B

Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\gnRxs96FsV.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: gnRxs96FsV.exe, 00000000.00000002.466407375.0000000001A50000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: gnRxs96FsV.exe, 00000000.00000002.466407375.0000000001A50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: gnRxs96FsV.exe, 00000000.00000002.466407375.0000000001A50000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: gnRxs96FsV.exe, 00000000.00000002.466407375.0000000001A50000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Users\user\Desktop\gnRxs96FsV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gnRxs96FsV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\gnRxs96FsV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Process Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	System Information Discovery12	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Timestomp1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
gnRxs96FsV.exe	59%	Virustotal		Browse
gnRxs96FsV.exe	54%	ReversingLabs	ByteCode-MSIL.Ransomware.CryptoLock
gnRxs96FsV.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.sakkal.commp	0%	Avira URL Cloud	safe
http://en.wd	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false		high
http://www.tiro.com	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	gnRxs96FsV.exe, 00000000.00000003.212479145.000000001BA63000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://en.w	gnRxs96FsV.exe, 00000000.00000003.201138555.000000001BA8B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.commp	gnRxs96FsV.exe, 00000000.00000003.203864501.000000001BA64000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://en.wd	gnRxs96FsV.exe, 00000000.00000003.198404633.000000001BA60000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	gnRxs96FsV.exe, 00000000.00000003.206343542.000000001BA91000.00000004.00000001.sdmp	false		high
http://www.monotype.	gnRxs96FsV.exe, 00000000.00000003.211449917.000000001BA9D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false		high
http://www.fonts.com	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de	gnRxs96FsV.exe, 00000000.00000003.205058045.000000001BA9D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	gnRxs96FsV.exe, 00000000.00000002.475569200.000000001CD02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	373986
Start date:	23.03.2021
Start time:	14:44:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	gnRxs96FsV (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.rans.winEXE@1/67@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 10.9% (good quality ratio 8.7%) Quality average: 38.6% Quality standard deviation: 21.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 12 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\Desktop\BNAGMGSPLO.jpg.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.7945323963253275
Encrypted:	false
SSDEEP:	24:cPV/hzluCwNYXNbPPjGuMe9RDPBTedLtj:ExANabDGvw15ed5j
MD5:	A91181ACE46070C93135D5CE6A57964D
SHA1:	7B189035BACE9C201B564B58D7C9BFDB57B34EFD
SHA-256:	C91F1FDD5630EEC05FAF8F7E0AD5D26CBD6F7EEFDD7666FACDA98509F035FE0B
SHA-512:	D856515D019344F39AD834B700F7C9CF48884D984EBDCD940F29DD97A83629CD9828DE45FE40F501A8C4401E0C579283DB49E500FAE41CA40914488053EDA163
Malicious:	false
Reputation:	low
Preview:	......]?^WqNK$..V..,.>.e.@...(...6...w..C...eQ..`./6._............;Q.._.>).#...C...?h.S.@N6..3..}..../;.PR...iN......S(...\|....gwk.{?}SDS...W6$)..7.#Q......1@.rf....ZU&.y.F...b..7.C..)a........Cr..+.6..G...'....f....J. .&...`V'-...b.....82}+...v.w..4.j.qU.@...IA.QH-.1....GA..:?/......Qp+..N..h.,[...`..re$/.H.N..j..Q......g.....K....../x.CJ.;.......z!.0/....dHC..9.fo.2g-...u....;..l..c..U.../%...dX..V....@..I....Y..s...\|.. ..v.#..L.=d.O,..8...ju.+.`..4Rj.$...E.....X..V.m...J...c.U..Dx&.[.JR...{.o...0>4.A.y..8C.....t=d..Q9.....+...r`]oc..a"....a..m..]..qT...k...\|>....R..-."6Q.....N.6......./.gZ.c....^..(.g...@....Qf..O&#U.y.d.....CDM....%C'......`..?....>.0ky.q..$...2v..vr.,..1..(.I.9}.1..6.}.W?kb..u.w+p..6....:..meZ....hk...0........g..wgRo....BG...A.....1,..Vw...fS.....j.......&.,.+m ....%.t.'T.......t...h...z.s..v..N..A.o.H...M.q6...T...8.~.`.?r..}....$./....*x.w.pY..q?_jH............P....W..4..M...%.UJ......UOs.d..4......F.fS

C:\Users\user\Desktop\BNAGMGSPLO.xlsx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.796354791329504
Encrypted:	false
SSDEEP:	24:75LntrG/88jJJoyPRXx+0qPR8gFBGfLJLHvK78:vrG/BjJuoX6em2HCA
MD5:	8C2A3B1FBA74D4C0698B08E1F497DF67
SHA1:	F23B78E33C81CE9CDDD4ACAD7A23F8DD4ED08695
SHA-256:	5415B9E464CCC5FCECCA03F33C036267C87159D53C81162FB496B9EA0D064766
SHA-512:	224F841550F3808F9D3AE9F6AF755644E12A88E93572806781BD0EAC07D10BCC3B6D6DB17C956165E854A2A959BDC6BF4DBA57D9B8F6F977B504C63D3173CD69
Malicious:	false
Reputation:	low
Preview:	2-,R...WM%.9x.r/J.Qx.8..X...!.......].^......]...........}!.knH.#./.k..g.!PB.Ne{.y......blJg.R.[I..uP'.c./..C..Y.$4d.._...G..l...T...?..eP.\..u.u}..\|iP.D..6la.J......5..U....KK.._7.......l...>KB....).\!47f}\|.2w..l.4.~....r...U._..0...P..c'...v.f..]...7.?..iP\|.@.g..L.....XJ..=...SU.e..>%.g.`.......A.o...n..VQI....W...9'...........%~)......A...8..nS.w.(N...r)...m....G.^>..&.=..(....L/...r..........h..N.f.....Wq.%..Xxv.......x9..=KU~.k[..n(Tbo..{b..7...g....cy.0..z..?.RN..O...]..){If..[iiKqht.2}.JZ~>...#.%..W...E8.+8$.p.I....I....A.X./.?...}~p.4......h..~43..Y(..ggG9....5......4..yg....4...d...f..AA......j..F.....n.&i..@.-.l3.spX....l...!n .;7.Ad/I0B...''....../..~Q.....B..+.+,9.....,Q4!a$i`..}.m.Px/a..]Z#.a4}..ouzG.O......ST..^?F..BT"}..g....rA.d.jP5.{1...M&.....P...m..Sd)j8..w.B\I,.]....(..n..m.%Z0.........2..O....Q>8......{..........w#..,q....%9.YM...u2.}.[..n.xo*....d,.g.d._o.+.K.y}....Tu...[....hM......x..C2..S&..K'9r..i...`.b..

C:\Users\user\Desktop\DUUDTUBZFW.jpg.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.820986056109094
Encrypted:	false
SSDEEP:	24:k3HFonuMs6LH3DcdncevH6tyZlW3COmKRH5I5zp:k3HGxs6nctcSfZQ3COrROb
MD5:	41DD2D0FC77B3283F5EC5927F0605E11
SHA1:	0D2E1CE754CD0714106AD7F6AE466B3248D07991
SHA-256:	26DDF8226C19CD8D5B2702C6A5E120CF59953F976B7226B9A799659865E1CA58
SHA-512:	49A729D063C8AFF4EFD9643D412BC91F38676231D4A06257910EFEE62EA1DEF1E6BFA926E7664E4AED06B6BAEC6675BA4C39D5237C919570BA58396C2A7BA9A7
Malicious:	false
Reputation:	low
Preview:	.c..dM.M..ht.`..b....T..;......9...1-Yd..\ .P..W..]gp....g.J..>.M..TS...W....b..o.....{^Bq...A....bn..O.S&UT..=....6..82.......l-.S.1v..&66pY8.V../d\..A.3..p.c.I.......$j.A4^f..\|.yw........b....w.c. ..A..$#].AbB.S..}=..}Y..c..d.c.v..@x.a-....1.c.....[..1......U.z..NliU.Ww..T.)SvM.J. .u..h.....$......!)#.......b9.:Lc..t..nf+l\|..9..%......CL......s#P..?.2._..VQgt...[Q.....9...@.U....p......<.X.S..J./y.S;#.}....te.m.V.TN._].7...w.. j.U.0.F......8.c.K...H......_.}....w+.I.._.M\).....E...UR?OA&m.?.I!..D..8.g...e..9.4]..<c....."....8.rL/ZM...0.&.....TN..<....Fp.I.Ht.vz.....ve.......e..3Qi....N...@..=.q.2.AV3..53..]......g40...8.A...'a..O.._\W..O...K]27,.\|.0...s"..m....dU...nO....K..9..w.>....lA.l....b..1:..p.cv......".e.-....%...I.......`...5.....`..jR.qZ...@....@0+...'.-3Ko.[."N8U.....!GGT....C....X...6H...g.......g..+<_......s........X...y......~.......=.v....B....@.Y...I.......R!r3v.n..y......}.G.[hP...k.U.N...a.m..c....X.=.F>..z.gN.

C:\Users\user\Desktop\EEGWXUHVUG.png.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.8255721500416255
Encrypted:	false
SSDEEP:	24:afa894figjlGKEPZYXzLNvlM0W0WVXrXIc2WunhhXV253:afhYigjkYXzx1W0WJrIuunhhl25
MD5:	44CA64311AAD859D7EF934A416516B77
SHA1:	CC758AFB5531A80A6BA1A68F248803BE9B3AD640
SHA-256:	4559FB6E9137445CE72B2D36768EB1E71815B5A7E55C0AF6E27E2FE6CC8F8771
SHA-512:	B8431F5E35A0520B50868651FB43B6B94A80CEE456DCAB1A7AD2158C6FD3A22C55F22ED450430D9AB514318C4392DDAE6CFABDDFBF837980365AB7CD6823108E
Malicious:	false
Reputation:	low
Preview:	@..+G....O.C_.P...e...!lg.(.#j......XUr.,X.....0l....H.a.......%z8.....KW.!.]$.p..Tu.K.....)......l......\|..JNe.w..NH(3.4..l..B .r1......u.....U...j......y\|zS`...>a.P..;.;......D.....).z...E...?)/zYTR5.)_I.e#.{H..1...........r...I..w.IM..sF=.3XS.%.'...l....U..WL...k.;..N....7.M..c.N1.N......Y&'..{...S~3.I}!...<v....G...az.Y.B...J.S..Q..ZqQ..;$.j9....i.@y...>..\G...!&0W1..C.D...)"WD.~.^.R.^....b20..>O.th..jU.q.P?........oG..6..\.G...' a{.F.L...<..TJ.9l......L[J3.......S5..m....l.!H...jB&.O.NFT</.ru........6.}...R]......M"]...oUB.r.2w..~......6~k].Y.... ei[.t.J..<.xd.....".q....Z...W.._...h...RD0..>..L.+.tm;..I....\|z....K..O....E...f6...n.\.......3...u(..}..}....[k ..33WX.....!.....Y........z#:..7(..qU.!Ox8......*2..."..?H...(W....s.Sf.J.^.........+..v}P.v....D..;B..z..d).I?......G:..$..%........".9'@w..Z. ....9..Wu...T...k..J........OI..4s../7...y.m2U\|..'-f..8S....]f..?.7......o.j.W.............O.......k%).....x..V.m=.V!.

C:\Users\user\Desktop\EFOYFBOLXA.jpg.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.828586929919877
Encrypted:	false
SSDEEP:	24:RtlJ7tMdShSfRojtaNEeksQfAUc95M7jfLt0BC5W31BS0aAFbf7Bn:jP5MdIsRS5ekzAUWKJ0BCi1BXd3B
MD5:	C5E6950D228C3D8D394F42D7D2FB4065
SHA1:	A3FE0D10E910822F0653E9ECFDA1470E6EABC322
SHA-256:	07D4D34754BF0E02BEB8B67FA61FB4C0CF3D9FCF32FDB6A8229ABE56AB328700
SHA-512:	CBBF7E93617458BB98599A44BD6EC30A48A85F917E6960ABA4A7937A07F0C9B708D5C66017F59E901CD382D5873630E757F9EE85EBEA9BBEE72751A3F166D56C
Malicious:	false
Reputation:	low
Preview:	$>..%._.z@].%.Y..G..O.T..@.>..&K..bI.Hs.._"0.c..%..........w.Y...3.:..........mi..Huw6..M....qn........Q.$.-.4.. .^..oi3.Yd.\|..0..$C2..y...fUD....k.6.3.pS...b<.W..7.2....K....~j...kd*.2.N.X....g...b).....<......'l.]dN.F:.m%K..-..t.!...m.'.b3..T.wm!Y..<..%z0..........l.n.M......C..tH.....PH...D..//.Lf.G,.h...:3...Mh....E.."`....8.2Z)7MsS..#.....z.......x ../.Lc....i..p.^.U..~.v...f.6...k+.?A@V.dK..sP..[?.Q]H..s...7F.d......o..YI.:.a....-..Y...l......S.6..e.r....!..>..B.Z..)...U..@%...t....N!....:.:iJ.~X.((oO..B3.X.'t......C.3.:.....9.9}..D....PhM+.M...3..$.....3)..<p.[..<.b.{.G.;lH...15\W..h.._. ...V)...`M.....!...9q.{w....?~C..o<.c.bb!s=.8..2..W.{..1..h..yQj1>.e...J..e.........r...3Hao?..3.q.....s.1)l.v.{..'..,Lc;.....jVV.%'%..if.r.p.@.Q.}Z...%$_p....T(.ms;.BJG[T.m....`.T.Vvfw..i,.'........_...1R.t....O..o...Ep...B._..f.O].F.bO...!....d.CB;.\......:A.2..W..`I.............H...D.\%.=...4.Jp..p.Z.d....S.../c..8.x.....4{o}.).S.......s.q

C:\Users\user\Desktop\EFOYFBOLXA.mp3.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.831632856724732
Encrypted:	false
SSDEEP:	24:EBW1PkMEqg9/8LVpCqpl0OtRILqBP3zqP72PyAwMp:ZEDahpnP7Iu272PPd
MD5:	B0801AC7E90FCE506D63D84A02A3829D
SHA1:	A5A8DB799DA2A91E75CE83C4B7CA7C7FC9BCBA15
SHA-256:	227F481EDFE9A260BD25F3E896EC61C6906B83CD9E48D304919658AC7B85E294
SHA-512:	ABF7F9AF69C3051A3B531C8AE1F516C0173A9224D5ED71D09FC4E4F09ADFFB790C2851C11AA9AFCE3D5BC36F1A35C5E71B63F157417B62D2F2441FCAC9494596
Malicious:	false
Reputation:	low
Preview:	.a.lY^..._.z....g..4...&.......mt.j?.....`.=.............8.M.......@+..qW=T3...<qK..w.r.>..9....4tq...k..7....kb..[.d...-....(..[X.B..&..y.h.9../\....g...".k..'....;.b...."...'q.........Z5m........c.Je.t. &9....y=......U...K.......UeO9.3..~....j.._.S....ug.MG...4..T.t.@;m..2F0'.R.@.d....w....Y.....2....^S].W3...z\|.0..a1...#D..D.x...b..p.5-<.s1wg._GG..(..*.j.xx\|..H.g^4MI.......7...$..1.+b......xc...H.a)_:K.NV.G......1._.n\x.4.,...7}.....A..eY..<....(..L..l..7.s...<{..W..w.8..}Q..>..\|k{... L:."....z......5r.H.7Y"K.M.).kZ.A../A...!........X9....0..O.j#....!..A....j4q...D....+.&O.E....x......d_/..+.-D.\|FW5.[.h....\.H@E.B...{.=...D......K...y..X...z.?-2W\o..].GL..7QEU...Gq.T&..p?...E.m.QG...fK.8"....%.@......N.i?..ns.+...b..w....x..3.........z..[tP..L.?tN....m.V0T8.J..t.K.K..Y.!......[....IMP..0......J..nq{N..,kf..:..9h.w....D......z.S....g.G..,6i.vw={.,=,}.0B.\...4.\|.R^yG7.@cg..R../w".-..f...b..O)J.r.._......qm.B...P_.

C:\Users\user\Desktop\EFOYFBOLXA.pdf.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.820393861974555
Encrypted:	false
SSDEEP:	24:bkAt+uW5FkTmZxW726Eq6uDtc87vbV72VR/jZ9vA9i:t+h6me724hcMvbV72zbDYg
MD5:	051F895E2B84162D20AA4A95FC0B09D2
SHA1:	1B19300AC2BFE4A7BECFD3BAC48DCB899690FBC5
SHA-256:	40BA2640FB0A91E79052017156E75784572E9BB03BF383122C1C5BF14588ADB7
SHA-512:	5700B916022755DA65B4FE52821137E8F8192B0069DC20D52E4CAF967A1FFC47CC652CE4D81705486882B6DBDAE10973BE04519902D78485151855A2ABA03F1A
Malicious:	false
Reputation:	low
Preview:	.d....&.#.[. ..e@..... .&.#./(.I.L.2...QFd?.F?l..X.s..@.B.8...q..u_.'mC.xk...}....(....^....x..x..f5\...]..u..E..v&A..m}.Y...ko... ......ag.O..P_..jug N.......3.~.-...;.fq&vj..q.t4e.d.{.-..".1v[X.....c.3Q.@2D....y.E..y....s.RR.}.u.0..].\|M...fSY..R..hG..6x..\|..+.z..&h\. uH.!....C^+.1../J.%.6.,..g.Ob2..o...=j..L...Du{V..z.......qa.m._sC]......Y9=]...FQ.D.r!.'..G.mfW....-\|B+.,U..Q.d.D...U.....!..~_...#.....A..=5^U.4.Y.'....,IT..s<D.9xcO;.......#.m.3./.Q.n.\......-G/.5..].'9X..;.....wLsd8.W`r=..1...1,..F...X.<...M.8.eY.)o$.Lq......R.I&Av2v].A{.L.%.adRS.C..'.:.'..o.O......A.x..BD}.>...4..W.x.=.O..8......Z.N....~....K.@..xw.l.......(....TTu.@y.../.1.'....Y..Q.......G.....Z.......+.g8......}.8..,O........:.D.J;.......5S..y.5.h.A....X8{...:.bU..b\|....@Ls.#.R....b...W.1...W!..M....,o...xF........%.7.q.....,S.=..\.g.\..1.+)_@i.,'/-~`...<t.J^....n..........uin.$....d3...~]:...P...d...wLJZ\.......&j^Pg..`...!.x.38...dc~In..x.K..V.....>.@.Mc....9.

C:\Users\user\Desktop\EWZCVGNOWT.png.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.812252217348642
Encrypted:	false
SSDEEP:	24:m330UhKorqsSP4K9E9rgNNcJvQcq03ChNoFMGaTL:uTW4Kg4Ncz6hyFMGiL
MD5:	99A4E0A4CA344BC07D25AB8F74EBCC73
SHA1:	56D5308DB7201E72D6806857CEDEDCEEA9A8DBF2
SHA-256:	85147B358CA7E3AC483EFF24F1887A9BDE88CAD050160B030FD2B3D1E0E49BA9
SHA-512:	0D5778CF43B5F668C0924C9622BBCD9B9A843FB4AE735F9A8E16633515DBFB251CB69CC843EB59782AA59489A42F44AA1A2669D68A15D964FD2C4F80CF48316F
Malicious:	false
Reputation:	low
Preview:	.....<.f.r..Vh.k.3o.[K...xq....Y...j..1.F./&.c;..fC.D+_..qC..3..5.0zw.<A...`.{.....X.P...2.g.....1.D.9..4.\|.P`D..,y=...%x.qF.../..M..g..Q.-b.Ky.:5.....5. .....7..8.43....I.M.G.P..T..t....^...0.M..9w..Y.0p';.....rr.=A2.....`...I....p.$=...)..=.?.U...K{...Up.-......Y'....Y9..$..g.j.d.d.......e.'......by5......Vdt.\|].....4..a44.j..P.K:gZ.J57<6.J4g...X..\|.0C4...+2o.....5.F.6...~..v.!..>.#..S.,J...L.g\.<......5z......H.-.u.qi...Mw.w.>....2G..W...\|..4\L.Q7.JY`M.....4.....+5..fV:`V"S..g.R.......Z.h^..w....L.....\B....@...=b,.Z.[.c.s.5O..4&...{F{.o..q}kQ.[...t" ..K;\....V.......{-f.6.`_; .I.s=.".-.UR.fL:%.....M.U......>...}.0........=3{xT...D.V....O.^.K.U.2Z.).E...u..n..['....:.....:H..Y.x..@..\|Yh.)`.~...D.V.s..7h.....C...-........\.B..{.0.;...H.412..LW.A...(Fc..&...Vu..b...5....a..%.^...O..Yz......&..%.R. <.D..u.(px...$.p.\...pd.j.4....U.T.....R.N.....4..;.....8.h.....p.,.\|..G.....#...V>..V..ZV..eD".-).gU....x...E.6..Z...9......;.9....[n.

C:\Users\user\Desktop\Excel 2016.lnk.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	2704
Entropy (8bit):	7.934117512230167
Encrypted:	false
SSDEEP:	48:cSl9tHtIEvd+Wjyia9MUtXRiaoNwf+3uTDw+hXga7HQR8QH:cA9DIN8yibU9RiJKThXga76H
MD5:	7A6A761B31D7E12F426297A94BDE3457
SHA1:	C6A8CA179AE640C14DE77F3F5D6BBB42201CB32E
SHA-256:	1CA9883AA77DF7376C594A496BBC1FAE9A8360687BAD405AAC05DB587E74C0C7
SHA-512:	DC8846B23D8BDADB770800A88810E772E484F08FAFDC8FE3A85E273D14E63FF74387C61F9E6538B0A1A621B0E6B834838F67F6A01941B560F0A68D265FC35265
Malicious:	false
Reputation:	low
Preview:	$d`..T..5U2.9.U..."f.M9..D.M.j.Q7..8i...H.T.....tG...W.....#.>.3...^.G..R.Y.~..N..V....y@....s...^y.(7.?edRa.vPO.....q#M-..'[.!......1.#L...~b...y..7d\..w.#..N.........P.....I...Y..}.Ql.....hq.).!....b.1.!.$c...9...9....>.....sm3)+.. >.........f+?.{..<u.1.%..N.3{..f.{.\|..V.....~.A~[z.d...[.1.L..._.O]3..t.I..h._.nZ.O.F..(.b....U.....BS....M....g`.$.6cng...y'...QC....L?..k\.+...0.......W`.....f...S9I.<Z.g.....t#5....=..B......N.g..........Z"4..[..\l6.y..qH.[.Y.E.=j-.#&....DA$@.B.....-.>P.uY..A.q.R..A..Z.....A...R...7..~..aI>...\|......Ub+..mT..0.^.#......< ..B..!w..(cR..6.Q#...o.............._........p.YH4v!...elY.r.......W....6..2...9F.Z.dC..8h._...=.~..!..A.&.=...?..F....G.8..(}...f..L.nS.o....0g...8D.#8`W.1..5Ku.."H.2.BN.`\|o.B...,...H..Ut....x..........!M9....w`.%..u.C.C8:.Z7&<`...9.o{.N.Az....{.....D..O.~.oV...t.........r.q\|.k.....1.....k....'...c.Kn..U."...Ep\..YY`y...l.....B.`3!0.h.4}.f..a.L...F.>.1.I..].3..3.y}.....>O....HF..

C:\Users\user\Desktop\GAOBCVIQIJ.docx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.835924114529518
Encrypted:	false
SSDEEP:	24:FRqUHab/LD/T2q941eMaKIj3KHjgWzVClitKNyHdSHd8P:FRn6DLD/Sa64KIj0sWgTEHIHGP
MD5:	6E215EA2D933B5FA80A1CB053E800A93
SHA1:	81B9C383FCA9752991338766E7D7A40A7F63DDAD
SHA-256:	F0379BEF2EF1698DAFD1E48DDBE646EC0C0EFCE2B9BCA7466CFA4DCDC0AA0FEB
SHA-512:	D4D223637C902B4FCEDA9A6355C9BA3FBB6EDA0E10B902CC0180B47480A689006408C2E59F7B705D35B494AA6084A08B44BFDFB13B9EAD2E4B6CA0B755CDB3EF
Malicious:	false
Reputation:	low
Preview:	q.)80...B....Mq_:..).},.e....1......ngD...QQ......4].8~v ..a...R.........i....E....V..L.f;.k'G.5....&.W....q..f'..,.$...!...2.9^...../&.Q.........U..SE.%....^.._O.UE..E...6..f..#...6...X.:.!.Y/._.......bz.\|_y.AD?W.m.@.2.pXr.._....Q..[....c.Y.Pz..<0...W.V...#.2FQ=..+4.V....S..-S..B.j.G0H..R.Fg.O.$......{....{^cQ...]a w.}:,...%..>c......j0.......I.^.K.x..1.7Q.....h.EJ..........#...};...d...N..E..t..G.<z..............d..l.-.Sc.=.VO.....%...;.h+.Ho/......1l4.[.".^.z.9x.?..E2...32E..S....)\|...W.]fN...v.)W!.y.$...<..zV....c-].5.."\|..bNs.F......e{n.M8.,...N?..2.E\|ex^t9...jg..b..S....d."..n.E..?...R.>_L..Y...9D._.A......X..-b...]c...p....._...t......#.S....jz.odn...v.!..3I...E.'....\?..9.hz..5....!\|\|l...Z.;o......l.....".....Y../...h..#\.....:.....x...A.....J..Y..]......-..k...O.;.B...9.c=..c.:..x......; ...o3.{o.......x5B.-m$...w...DD4.*.b.&.!...9..\.h........U+G...U.G.(Q....}w}.s......Y..............3...~di......f..57.{.....D..M

C:\Users\user\Desktop\GAOBCVIQIJ.xlsx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.793954524182793
Encrypted:	false
SSDEEP:	24:d7aCrzXSJO0TeyJXnG782Xb+42jva7EzZvEKZPxbJ3theb:d7aCrehZXnGxb+42jvWEzZvEKzd3jE
MD5:	7DAB03E62588A29FCF7D4E875F7FDC23
SHA1:	22EE7AE26F5A36DBF00332C428FCFC1CA6548C70
SHA-256:	B9F24F3F529AED023907E44F46203DDEAC53EA77A51827681E4A764F3806C5A1
SHA-512:	4BC3B6D5F1622664FB341BC2938C5663377AB9ED2E32BC1497CE4EAF7B7A97B64B3F37975990E2030BCCCEB580E6717EB28E1FDC6DC4201809A9C1039E0B31D0
Malicious:	false
Reputation:	low
Preview:	_.i.Y...\\ ...{......U......V]=...a`(.....wwb.;.G..,Een.8......'..H...I.yeL..Z...k..B@.\.....$X\|{}...Z...Fn7....E..;{..&..:.3...".q.4...-......k.C.\|K....Z'lj.4i..#.`..U...........+].9.c.G>i.k`....P.......2Y.CG.......5.h..I..v#.}...I.q.&4...V.?]..p.4f.."}...J.........N..9.M.L.l......f...F...........N...q.\|...H.HB....Z.C..Y..C.s...P...O..n.......$/s...^.H.ei..\.C.e......U.1n...89g..d{..#a_b./_8.O...........8..sQ.k.+.N....J..c...`{-...~..F}.:.}.........Y...5p1uI..l09.9.S..=A..I.g...8..fr...+....w....w.awAJ.)...t.....h.I..t.1585.O.1..^.?)f.0...n..&.E........"\.w....K07.w...'~..]N.....H6.II....j..!.^......h.....x.............\|.I[#1$......mj.;5wIl...Y...w.R..!y... b.t.....\|L...m.......l.h0OH.H.d.p.F[3.EX.r......7+.y2G2.Qi..<>U.y..-.s..Q..)M)w...d.i.-.....g:9.~3>...k.]^r3A.a2.%.Ym.8,s..:.9).}b..Xt5...s......7......7........-[_..r./..T..(....`..Q....\.q=a...._J..R..bH...u.Y.h?Z.?.X.....F.~...........4..M.].......H.&*..!...Y.I!`...m.

C:\Users\user\Desktop\___RECOVER__FILES__.ncovid.txt Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	modified
Size (bytes):	3158
Entropy (8bit):	5.403959821339989
Encrypted:	false
SSDEEP:	24:DmdBuPL+W+XJ2dDorGbkoKPT8elU0U2mMIW+p8/cHkDJYCpRA:Dmd55XcdDoSbkJA5omMr+pwy
MD5:	D9AF330E248580BC140798E5B6BD7661
SHA1:	840B1DB7FF63E384D0FB4FAE54860CD4E9FA4621
SHA-256:	1FFDF6DED9DF30E927F2A95DBC0A2E8EF5084777977E80D63CC8B060048079E6
SHA-512:	78C56735E5DAA36BA78FFC64CC33DF1E60E78CFE970FD5AD85194511FE588C510916E46E74E9D999925765A0DB432C9B08932692761F4F03BB2E3771D9A0C2F3
Malicious:	false
Reputation:	low
Preview:	All of your files have been encrypted...To unlock them, please send 1 bitcoin(s) to BTC address: 4HD74J5gd6G6f6jj49786.Afterwards, please email your transaction ID to: Ciastko.zlukrem@gmail.com..Thank you and have a nice day!..Encryption Log:.----------------------------------------...C:\Users\user\Desktop\BNAGMGSPLO.jpg.C:\Users\user\Desktop\BNAGMGSPLO.xlsx.C:\Users\user\Desktop\desktop.ini.C:\Users\user\Desktop\DUUDTUBZFW.jpg.C:\Users\user\Desktop\EEGWXUHVUG.png.C:\Users\user\Desktop\EFOYFBOLXA.jpg.C:\Users\user\Desktop\EFOYFBOLXA.mp3.C:\Users\user\Desktop\EFOYFBOLXA.pdf.C:\Users\user\Desktop\EWZCVGNOWT.png.C:\Users\user\Desktop\Excel 2016.lnk.C:\Users\user\Desktop\GAOBCVIQIJ.docx.C:\Users\user\Desktop\GAOBCVIQIJ.xlsx.C:\Users\user\Pictures\desktop.ini.C:\Users\user\Pictures\Camera Roll\desktop.ini.C:\Users\user\Documents\BNAGMGSPLO.jpg.C:\Users\user\Documents\BNAGMGSPLO.xlsx.C:\Users\user\Documents\desktop.ini.C:\Users\user\Documents\DUUDTUBZFW.jpg.C:\Users\user\D

C:\Users\user\Desktop\desktop.ini.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	320
Entropy (8bit):	7.405170555669357
Encrypted:	false
SSDEEP:	6:YELbzsG0kii4eDdCNfy2IpUgCeNd47+Pfc9cTUP6IJn9OE96OQsun:YaslvkBCNfyZUgCeNd4CMZPjJ9hYOqn
MD5:	C6A452E0632079B78F749377E4EFB585
SHA1:	8610842F17470DD66A08AF5712E04B5333E6FA9B
SHA-256:	E595C269A726C92D538F56132F55C883B40E724D4C528550A7CB7563E229CCAF
SHA-512:	A98709B07CD50C5820C8E1A492320E0FBCCE1C2E7A6F34AF0D931C7EFD08A707613757DB57FAEB6EBC18D5D57E2CA3865BC6B49A4CCD910C044F6FEC34B4107C
Malicious:	false
Reputation:	low
Preview:	.....W..EG..G9!.D.g...>c....wh3:.........R.V~.<jFh?........dP...E....ier..&$.......M.x.AW.#..t~..2'....7..B^M.9........#.YV.\bl....P.)..j.!..p..n#`g4...=...........}...I.;.b..3.S..M....!..-f:drpy.P.d..B[..s.&.3.S%."..B..V...]5;..+.E.__...d..XTY..}..&.l ..ZZk..a...= .C1.LQL.FU...k.4.....j...

C:\Users\user\Desktop\gnRxs96FsV.exe.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.875
Encrypted:	false
SSDEEP:	3://A2ovnaFnVSen:Xon0VSe
MD5:	52ED47E51D0D6E841EEE6A7C7061CB03
SHA1:	03041E4436F458B8D0071ABA6370F3CF5CE9FC0E
SHA-256:	B20E6C4D1D144431FD7D9CE42A9593B898138D7F3548FE18DC4B1D1DF6BB5277
SHA-512:	A56719D2A44D42812F225CC369032D8DB5661DA0958E30FF3E0A5D50725BE661DC2A36AB5FA59653A774BDB8E0DB6D67EC5427D5733BC1E827C99FAA9F00F4ED
Malicious:	true
Reputation:	low
Preview:	XK...%.....h..Q..a69%...PB.....

C:\Users\user\Documents\BNAGMGSPLO.jpg.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.804642854761931
Encrypted:	false
SSDEEP:	24:nyscABkr66CKNp3sd9Drm3/EZyfwYJ9H1LHrHh7brDlFNzGWxXhrVkn:nAAOr66nNp3a9DrRyBhHB/lXGaXhy
MD5:	5DDEEE1D4BBEE8A6B23EB498DB0D858B
SHA1:	21924FE0B3B27955B6BB75FBD67DF4B19D46130E
SHA-256:	36D3840B7AD19D3F3BE3ED8992A5BEF0776E7013F8270328F65B0F6B633A6336
SHA-512:	5E41F76490603AE348BADDECA63CA58DAC6E55FC1E87D4DFC4397B100D05B00989DE45FEEA92366EA3F8D31565D88C1AC521FA404416E99009AAC049797001AF
Malicious:	false
Reputation:	low
Preview:	U....J....fG`Z..ov..\....!..g......;....@...^...m.....J.A.....d....=.\|.r;C\....^.&..m..V.K.k....-.Z1..o...w....g.db!.....?..r..\...J..pg_J.G.1U......\|..[l5BfN.I}PU.....k-].L\|2..r.w.Z(.SW>.[..'.`X.5...K.RQ3J.@.;(...7...,...X.n.....-...m..1...Q/E._...i..s...pd..r.hk..8.=.^B0..`.S.R5DH.....k.....F[...U.......Fd.Dc)..-..A.;.'.Aj.n...C.BW...BT4...v..nF.4.l.#..s.....e....qEv.....3........d.U.I.[G.E:......z/+...Z?.b.C.,.PN@..(.l<....i....=...7;....h.....Q.3.C.{../...^..R......d......bV....].}..y.K/..H..W......].J.. ..?:..i.. ...:..\|..;.oM.{...8z.~?.R.p...>...MX<x..<.....'...2b.:c.}.....i4.7#.&...A...~..A..x..h....k..f.P..9.yxj.L...).5.]..I.....`5.......].....9.5..3Ko.....q./[.../.D..).&..j.`..0..H&.Om..6.8..".@......#r/........=..}.8e....N....K....'.k.K.iPn n..\|..:+.t....o...rjE...9k...Y^..E...K.6..X.B....sN....y.'.2....{@\|..y...\|. ....=h...q...a...\L........].`.....A2.pi..5.Y.JI.9.Wq6..}E..2.....R.&..">.x.r..c....Q. .3"..bH....

C:\Users\user\Documents\BNAGMGSPLO.xlsx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.838699586394545
Encrypted:	false
SSDEEP:	24:odn8datkGomSk3Y/xzaIP7FpfRP0FcYs3hmNjgC/jHzAzQe:odnaRGoXCQzyFVs3hmNjD/zz5e
MD5:	AE55B91A52E2AAB8CDE71FECF9CADAC3
SHA1:	3EA6ACDFB991A3B6A00267A3E93F3F4FD7A63D05
SHA-256:	DBC14147A283D5588C191175B1FF9A62ADADBB02D5CFBA80261D0484FE31E4D8
SHA-512:	466E1482B0701D0265997FC64F8FD17D8C6C55375E3DAB1539373F46A6E0B201E9BBB804BB82F70100E6A9283EBEAA75B88D14E03FA756412369EE6B2E97A2A9
Malicious:	false
Reputation:	low
Preview:	..u..=.?&?..A.w.T4.2H..K....N.<W..........\|.u....H...T.].Q...T.NHr...C..r...mB./.9~.c..P.b..r"...A.1........d+u.jE....s....m.U..$.........).'6.~....<......Jh~..N.L...6...m.K......?..E...ag.qFb....<(..K...0.G\..Q{..!@...h..D.u..}...M]O.`...X...j......74j..OL.#.h.. .o\|.k.....9...).p...ao.p....y-.g..m...C.~....L5..iEX...s........N....(...<.Li..R.8.....f".... ....^...=..B.gNF~.Q..^...H[..g.g....6I.`..e1...S..R=P.........(..b>.i.9.k.....(9p..].h+D..T..0..v...h.D8..U...\.3K.0c....B...{..e..C._...V....EA.E.J..A\.c.$.tqW..o..+._......)......NYF............N.._."......m..!......../h..?k.Vo._@..CJ>.R.%t..,.2.Z.d..l.O.5.hp.>...M.Ht.z.......9..;P?.t.H....'l.../.hL..Z....+.........{T.S.....z.Vm..:.".}y.O./..e.)9.(....XV}$...H.Y#.}C......`.....O.3...U.W...2..3..nDA..5:....m.8..X..o..,.y."...?...aZ..Z?.ON....e..>..Z..[ .U[.........!9.....(..:..J<o.q...Qa........[.a2..@VEz..>2.y<[...\|me..KJO`..~...qxj....0.....T[9.....L............7..{.9}.7.P.

C:\Users\user\Documents\DUUDTUBZFW.jpg.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.797756355939905
Encrypted:	false
SSDEEP:	24:QIyYeZEC86O5K1vp3pzF6BDP/sXmkB6uATQSxDCc8B:Q3YdC8BKhp3pwRotATQSxIB
MD5:	C69A95200F39DFBA03BF6BC97D000673
SHA1:	864138174E1582FC16D8AE2D1B7F766DAD275AF4
SHA-256:	F1A7A3197E0826E4B35BDBC040188DC8863609D7A4C2E804B9EC27C56FC6FF2A
SHA-512:	BF6D9D4E11979ABB1BD59A98578136AE6D214B455818C4623522A8B476049FB8E672694F0B0581C66AD0033FB9C27879BB9B167E82B02112744DE9A99405DC55
Malicious:	false
Reputation:	low
Preview:	N=d8(2.J...1...;.v..>.0I...Tn.I.Lr..}Car....U....g..Y.GsD.^.[.p..."l........Y..q.].....Jf... ..B]c."wq.w..<..[+..a.....QM..h.7m.....:"..\|..0.6u..Rq`.gzh..ef.LU...\.........+.&..[.-..../...r9...P.S.....)...`..+.....SaB.UD.S.wq..7.3jjU#..,.%.......T..&Ls.u..}\.R..&.......z.,.'g.....d.f.%.mw....V.0..-%J..JzW.D.......'....U..>...ij..[.Exx..%...<.A..bV..N..f.L.......K...W1...^...y...NQ...Q..b@.Bx.1.....Y.o.ecn......L.%..0...i87..Nz...\..~..a1.U...$.;+'r.S.9..6....u...e..;....4l].9H..J}..L.u..7.ZK+.V..v.@.;<\w....x.l..J.Z........k.-.D.......}.5..Uf..S.`...I..Y.38.6/.:6d."Q.K..7..5.v..S.D...TN$.O.0w.....P..&cP.1.......F...3..N.q..V.gu#.....{.`.._.[............4..k'.6....^.{...a..s...P.<D.`n...Z.C..Z~46[...Rs*.]..~.Y. d...%.[.7Fq.X...7.r.W....^.....5n....xD.g%g....1?D.b...0lt'u_n..L.....}3..\|...'X/..z.b..S.(!x.q.w.+....P.yn......=./..V...%....... .8B. ...pl..k..L......lK."...t.i..xOw..q=.B.{.$M.......h;.z.9........A^.6....i..r.0...K...

C:\Users\user\Documents\EEGWXUHVUG.png.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.826896830778007
Encrypted:	false
SSDEEP:	24:b/bp8NJ2QY+Ynm+kn8rRpFXu3vlMDyKerNByTHMJFAds6vJD:PcJlSc8rRpFXu3vlMDydygAdv
MD5:	05AFE473A84D72CDE38B3EE6898CA1D1
SHA1:	08AF2EA32B99862B900D12258E1672919D9550A9
SHA-256:	FACEEF339C6E01250F49079253E897AA2FD397E789CF97874D416BB4CA1E14F0
SHA-512:	DC2F7CA7F03FE895E6C486BA39E581EA56C19A50FE159819A066D393AB3BB6826603DD3D4EDCC95752856093230812E6D529578A709AC0FD62A1C38CBC94CDB4
Malicious:	false
Reputation:	low
Preview:	....z}.rLs[."s.T.....i.-..I.R}B+....k.b......2.^.........m4]0.NuV .GW.1.?7..tI_tb.R....ns<.di...3......M...%/..'/..i[....}..=.v:.'h..........C.8.<......d.`k..a;,.tr..S..E[.<.....d}.8P...N.16u.q.!hIi.......9.....D.....-. Z.......f...g....N.y.m.[O..fD.gn.....`..v7H:.>.d....:H/..r.N.....q..\.b$p..m.X. ...r.J.........,7.~./@.f..:...)#I..X..x..i.w.p.....Y.=.~.uv1..`.gX.>{\|..[a...`..=.......7...fO....x...1.3...m.&.....mf6...y;J.....$.?.Y.4`.....{_l..l..7~M...SE....L..o:.+..D...\.R....P....g4..o%..T.<F.f...../3Yw......B&.:p.S....c..#l.:..C..v..).....,...yd-..XfI......O..8..Si.P...........sa.?..Rz....>..\>V...%.H\|_\|Zs....1..C1.S.......\M..0m......#..:...,..N..E..\|0..#.5HF.~.q...V...J.....M.=N.RW..Q.t...:..uT.. @...X9=..z..J;.p."...u..... .s.....hu..z.j..Ua..y.`f.(.^.cn.....U. .86(..B.pX.#.0mD...t.E.:......_-i._.....X.z.s.......D.;......H.".E"b....NY&.x.6.x.4...'.........~9...3(.^..{......^Oj....(.^.s..3.*..~..,.s..'~$\|1.f.?@.;.<....,..p.

C:\Users\user\Documents\EFOYFBOLXA.jpg.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.823876120553568
Encrypted:	false
SSDEEP:	24:G3UzPWDmzEI4VC/h15BpkRgLgZCtdDllU:GcpP4VCp15BsgMZmdU
MD5:	AFB6BC2490CD00201DE136689469ED0A
SHA1:	704F5E47B3061CA880DF58ED678B345123EC2398
SHA-256:	87EE25E12977D20FE3F8D0EFE08E568257CBF74CBA54B59296E18E33740ACA95
SHA-512:	BB7648F00461764E540B1AF2D75B6BC98BC0011EB87BDF0DF295BA96F504EF6C932FABFDFDB461CC4BD2EA30A2B6E8D5AACA01DFB66E2D3828A74306C3216DF8
Malicious:	false
Preview:	..ium9.}?va.~.+.^..E iZI.h.....,.......m'.U.7.rm.:.t.../..wT.E............$G....N.8WJ.y.{....-.u..r.5..Uk....h.6.tejC.O...HA....[&v.^..z.....dl..0...5.D.8h.W.#...h.b.v......q...N6..}[....:.........z..Z..n.l......k..M.J.,?n.........H....=......F.....;..L....!...K.L-...(hZD..[..."...-.?..r...V..2.,.\|..g .%\|`......i./..3.#..:+0KI........4.......Hx..(.c..'.> zPd....4.....X...........>!.~72G.X#.=.z..w>.Sf.'0......%I`..).v..~......g...<.w>\|..75.\|g\|.>..H..I..'....n.o.D...-4...#...R.F..@p..;.]=.....^..:f/`..^!Y..O.........DAb6.N..d!.Ifb8k{..I2..7..dt?.i.d?k..)@...B...Y....)l.?.%n..6....G.w.S(...c.@.....)U...._%...}X..\|.k..)...b..n..:....j..r..7QG....kb......T..~..t.LTi.u...].?U<.^...#...>.....t......(....Fm.&.fn2m.8.`....k...L..~..mt+.C...Z.*P^.K3..w........\|...88f,.q.'n8.F..."_.O.0%..d.8./5..#..z.....j.......B.W.+.t..@.).@.... ....b,.Av..........f^1b$.jaiE.3.........)..h.7.&....#.I..2i.......t.j..[..yz...C..fC'l"CC..%j.e!=$r.....

C:\Users\user\Documents\EFOYFBOLXA.mp3.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.808252749080132
Encrypted:	false
SSDEEP:	24:Hg9SXROssXWV33Of07aMMFvNzsuzdAOV+5FFiwP6I0p7SZfqQ:HYohH4TNzsgHV+7F36zpW1qQ
MD5:	802B9111BDE9D6952284FA5A93DF10DA
SHA1:	7F171A7ACF8679D8A55276502C4EA104197C9CB4
SHA-256:	C9A0177B085197F508E337846D04F24B2952D581894C23D3C4E49A43295F8922
SHA-512:	9E01ACA38A39A4AF4FE1FDF024348A93A11E2644114D0341247179E8841D15A4E1858DC73E0896C7C1DE8366FD1C680919E5CDE69A1FD9AE18EC9F20EB2CE7EF
Malicious:	false
Preview:	....U1..@..3T.9l5;dQ.......(.uD..H.....7.../v{.....U.....;L^..O..)...../.+EN..x......V65r.z>.N.v.......:....$y.L.M...0&...T...d...........,]\|..D..X=U!.5`6.0.......IQ.+..KH....L3.kq.e.+..I..b...9..AK.[...U\.e..W>F..z..$...+.......'h".5dg.q..G.7...6=.&P1.j.~z......4,...........y...c,....,E.c.j.......K..&.?.4rk.Q2B.V...U>\|...u....~..,.'..6.h.9...>..r$....S....Wz...3.V....1 .>@<...02...{..j.Y...g..3.".F....Q.....z.?4EL."kJD.Z.d..k...q. .7.l^........#.(.Mw..'...L..=.>.o.....~.#(..f...{.=wzS-d...-...3.R......p....2....=...oYN..r....s.@...D.....O.8.....].@y.x..T.u......V.R.v.^.n..,..2qCeg...^.....^.?..X..r&6.H..)].....v.....q!%...8u..!G....O......z.._'E..b....U.E...M...+...V...\.....<.k~.....]q.E.qI(."...6.u.2.d.6...L...o.P.E1+......J .....h..(l...\'.....e.......C.ed....I...l......j....a......e.......K......~..&..r.^;F.....j..=...C4...._.^{6..(..[/{^s.`.. 2.....S...)Xz.....d.@..U2.{'......v...'`.....V..:}ip...}..V...]..;W.A.....Q..b.1W?D.#....^E..

C:\Users\user\Documents\EFOYFBOLXA.pdf.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.79823319704819
Encrypted:	false
SSDEEP:	24:IGfsOlhatc7YSslsSsvuvP+jJOOWnMmTL01h448qmh0:IksIsQVuvmoFMmEhb8qz
MD5:	CA5642A6345C9A17040D4CA02945F219
SHA1:	4779EB5587761FD289052997F8E0DA26D0DF4527
SHA-256:	0C58970047399EDDCF8D743FEB81A008E1AA6B14E0415BE9C3AC9AEB4705851B
SHA-512:	59E2C037C732ADFA788A0975517C6987C3066D89D62AF3BBC356F3E1BB2D5ECAE2DEB5396DB499F8A2558B3A6F61BE7BC5AB49B258FCEDAF76F292C6175C9E8E
Malicious:	false
Preview:	J%..3.E#w^%...h._)..{....N.N ..#....\|...WK.C...f.....n....:d=..@......F.../.....,..H.,...$.@n...e.....skr....8W.^..MU&..V.9[e...Q..._..B...$.b.o,(.&o^...Pm+L......;.3oU.IS5.e}j.,... j.p.o.I..q3.{../y,a_.a?.-&X.`I..c......8...].D}.RX.QV<^OT.vCw.....(...a//.@......h7....D-.......P.{.1Xe...c...N..T.)..j..gkU....../.C4......Z1.k...L...:Q..Q...F.....R.[......5.....w.D...UI4=.=..V\..@K....>...Sj..r....k.`..(...._.3.Qp.}..;M.6y..k.<..U.i.?a....Y...P:.Q..^.../..xM6..eB..Q..T..%w.....U........K...L...0..@...7.C....'....z..t....i\|.....n...M.1Jybg.P..].{.......w..w.O.?S....K].....".l..8.DZ-..E.`.M.e.3,.3.p;...\|/..@_........4.:..v.....7..mC..}.w..IFS..7. .'.I.a.c.z..R.....{1...G.?w.....<.!~S..Xs..%E.Wu..O+.&..^.L{.j...i.s(.c..A.C......'.....3.$.....r.......`....).Gt[.@x)..q...1.m..Ku..\?...L.R.[L?..`.............\|...}[...`e.L.(P@a......9.:m..Z.....O....u~>..\..54..N3+.....JQ...uS.L]._D..l.\|...6X...5.....z`x..;dc.[fW..p...)...l.c..M6u...

C:\Users\user\Documents\EWZCVGNOWT.png.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.826915447400125
Encrypted:	false
SSDEEP:	24:LTBPb6GZd+egVz0qAHkrA+Stvo5GRsskOMCG8+G2E9L3h:8GZdCRLtSikUo+GT1
MD5:	1BE12EDEB331A73CDD64ADDBAF228FC6
SHA1:	FFA0C74DBF153B069937A3C0CBD0BD371260E527
SHA-256:	A979C0C0FF07E0980B6D26B5B050FF193A3D474807CBF116F5971B0B639D3977
SHA-512:	EEC5F73097FAD75D3FB77B7C94CDD70795AD2330440D49F7FED4975710236C053EA2652A78732F1A8787B6233BF535B51B341E86E4AF7411C5BA68DCB67056DA
Malicious:	false
Preview:	tR.f..-....;j)].^.....5..i.............D{.0.Z...... ^@#1...t.E.ZR~.y..g(%.,.%.3.Tyw.#.\........c.9.'...c.$.v...i.u..V.c......<.... ..E.u.HP.....E.Q..>r8..p....<.K.......r....-J.9.q..`./.n.M~.........w........SRNR.......8..3f...F.z......O..8(...i.s.0.E....,e.........?,..........Zr{.F.>..C.}..d[.....s;.e!.5..u_.-.<z.............zW.V..=.......4..Jxu...;..l?.`~9....H...O.xP'......I.N..'..MM.f....E....:...57..D\|.."km5.?.Pe1.`...]........Q}.Q..e.."/..4.Q...w...fi........l.;D.~-u0N..p3...T).]g<R..tx..=Fn...wQ.;.vmj+<.^..6.D....PBA.#.......s.m.4a..r0.Bf.".C.u).].JL.] ....g.]....(9)D.[...c.?%%..H.s..T./.K:..z..e{.??=\.A.@/........L...._.b...1.P......I.`.A:.r<.../....v...C.......W..`b..?NY).w0...v....f.V8.h.-.}pB`[X.D.G.9....J....e.3A.-.$..~wU..A1#.I.\9.]..m.EF8..f....I.@..!"x....3ZX}..n.%&.AT..r...a)~.A..~.....m..I...'./ ..A...I.U..6..<....-MO.qw8.+.Rq....gf"....AI...}CS[26.,gT..D.&].}..a.....+^N....`....k....p......4O'..e........Ds.d...~...{

C:\Users\user\Documents\GAOBCVIQIJ.docx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.828557055981438
Encrypted:	false
SSDEEP:	24:frQsdEvYyxEpLIuKDJGnGiPyXHH2WpCNYmhl6u9dDZ:frQsOBxEpLyDgGN32WgxhlNdDZ
MD5:	EAA2F9C3E4DF516C85A4F4C0F5433370
SHA1:	1272C5947AF236DB13F8783CABA89B759D011B94
SHA-256:	4D62823833A516391363B0EC30C5FF7F78FF8924A812757F5337605D5E1D129F
SHA-512:	5378486C43B6231C2AF2C6B88AE07C136CB04B814E15E88377FD20C38ECEF0B5713A22AA4F715ED394187969B52F33404983DECAD9D9618C9471AFFAA59BDC7B
Malicious:	false
Preview:	.{hd....6..K..b.s9T.g._Va..Y.....q...'..it.j.Q.(oC.C.&.fT.P^..`..../.....X....Y....[S.{nkJ....Y.(.)..s....SG.M2....v.0..u"\...p..A...%E.D.._AE.;..t7z.-t...f......C.Z..u.+.^.....\|.%-.?..6..l....iy....]>.:_.wC:]..j3..^.h.l.>E?...7`\|...Wj.AOZ7h.SUA.\|.L.5.-8b..MFy...R.i..6....o6....eS.0.$e...p.;.b..RU....1../+.(...I...Yj.....4....Z".xd..PD..).<.RX..d.;j.a......F..}.?.u..N...{......R....^w..io.G\|..d`...........I..=5Wv...N.......Hs.* ...l...$...9..T....D..9.v......(.).\.....wN.S...S.F..9.=:HHn..>........0f../8..!...Lo..A....VZ.S..$ed7.R.H.7y....E.Js..(.._J.)8S.\...Y..yW/}.......4H.7......_#.Gm .k.O.....yE...M.wu..($.}Y....,..X.]..w...p.<.rxXr"ZJ\|.`%....P)e.G.w..A..0...HGE....{C.j1.......w.U>.... ao..nyB..cxFL.4.\|.}.C.p..\|.s..N.iGF..[...s.X.]....n..b}>.d.,-1...R....N................H.....dg.Qi.7....>.w.8.#,.}l.6q...#...^.m>qBI...&...)...<.p..G.ul......g...4...n.`P.v.....$.Q....H..@..bs....._..R...Y...~5Qw.*...c....K..=.....:... @.p..

C:\Users\user\Documents\GAOBCVIQIJ.xlsx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.8093605337530185
Encrypted:	false
SSDEEP:	24:q6tMU9cDhVJHoe96WVLlGCfTJI1D6S2LDTvdENgkIshr/6yBQj+t1:qDFHlhVRBT+l2TLkp/6yBn1
MD5:	9E6917C946AB3AE94760BE58FB589180
SHA1:	AE73F24BCAB6BF8611CB4659F69B6E84C5D208C3
SHA-256:	67691B7B7B6CFC288E805F16707C5E7D083FA67DD4ACF0EB4E761E338633363D
SHA-512:	A2A506BA61F83D633779FD589BBD567FD7C8029BD6422EE9CFFDA011D0656AED9BD940311121B2AC53908A7B637C43B60F5CF232A573F927A9A9D74C9815C3C0
Malicious:	false
Preview:	>..i...pB0...5.bZ.I.,B..%......UU.8.%.c+.poG..A..S...0...>.t^)9Tn.\|..<...........^5.R.....(........<...r[F.}.,H1....T..5.t.\.l..)3p...)e`..2.}C....C..\B...v........I. ...9$...1N..}.0.).{...6R.Z......3...a....p.%......JLu.<...%Z..7mP.".8CM....+..h.E....\.z.5......,.V..5.A.?..+.Zz.+dC....Ev.Q....].Mh..>X.0GZgS.Q.b.&F../..<.wT..-Z.t.......F}..Z....R.1..<..........S1..\|.VT:..v~c.Gp../?....w....8i]..O....l.L.......}.zq.m...]T..jJ.]_cS..cG6E.[.%.Wvu...qv...20..g[%.."`.s.B @.og3.O4..W.Gv..... ..W9=.R..1....5......A81.\!..n.a.ej_d....={-....onN./>.....~.].Z.4..ZdS.......\|..#...........9.`.....k.w.....W....r...?/`.8Q...M.T.c.B......h^...v...Wu.....z....#.......}...=..aV5....3..l.@V~..n.=.[xy.)..{&s.....R......!./.X..<.g.{..J...[...E..B.j.I..............:.G_R.~V;.k...H.}'!Sw..n..<S...uP6EgQ...J._.r.P..N.......E...=W.]..@...Is.8....].Q..9.N\)...v...HH]......#.....s.).$.+.?.T`.}QnN-..fU.-=.[.DT..h.t.....z7}...G..Sr.n..}........!.%..

C:\Users\user\Documents\GAOBCVIQIJ\BNAGMGSPLO.jpg.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	SysEx File -
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.814534662774716
Encrypted:	false
SSDEEP:	24:3qb7ojL0LhhcX1J3hQmrYl3OaPSM0r+zzDDpelQD:c8jL6+vC9knKXDD1D
MD5:	70AAFCFE97342FE3DC15D2AD8AA3FB26
SHA1:	6B7CBFB9220F23A891B027DBC7256643C718EA86
SHA-256:	3C3963C26975A827233CC0A6BC81093B195BA945402B51CCD5F978CDD58B7080
SHA-512:	0B7DD7F6C5A4634A9406AB9CBBC62D4677DE9D0DF4C67A197F3CAB073121C864271419451A3B16D9DC45A895A29771CC47EF9A3700897B0C3CE03F82C09848EF
Malicious:	false
Preview:	.q......4...9....n..~w...._.a..Q........a...N{7qr.6h![.De.. B...?...D.G..N.o..s?j.J..1.B....j..W6.....O.....H...MJ..i.eC..g.S!.xM......\........N.H.,...4B.....e.l-. 45P...8\F.x..m..g........Q.B)Q..k.F/L.B8..9xs.....'..#..vrj......>...9..#...............B...U....%....G.o...n`.!....a.A....h.%............Rdn...P....:%..h..G.:.C..o...D.._....Uh.....u.3.\+....A.5.....q.T..n...e".........l..\.;.m.t...^._v...+......q.ea.?.\.t......Tc.D.Y>4.q.bk..8.#......k._...@Q...&..x.1..R...^..?...1..J...s25...K...\|a......&`....z;A......u.Z...s.bV.wEh.......\...9.5..]{.....m......+z(......&..V...3j.......1K9..\|...%3.=.4.LQ....]Ng...L.v..9bq.].rd......N.X.x$..U...b....Q.X.F.e=hy....n.=m...:..L......s%#.?(.............{...x.r......[^br.'"..C.k......m,.$......jh.%7....'`.n...R]..Z>t..WU.e#..'/U.././O.S.3.....I......]H.Q!...QW.o..(.-..rM...b.)......c@..D?d.s.X,Zb.o....L.......p.,.ss5...m.7.......U...g..)po........Gj...7O.=......l2d;c].MT....q..-..b..KN...n!

C:\Users\user\Documents\GAOBCVIQIJ\EEGWXUHVUG.png.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.837405805778614
Encrypted:	false
SSDEEP:	24:MwBeyxo86ZT7aKnYyyKhKJHbTWfHfAbrVwyBUpThwrDV4SMz6o:vzkTGGqKwHEfAfBcmqWo
MD5:	A4CE2DD9D906FD85A896BE07A0C0B390
SHA1:	C504CE29605250541A9F491656671259B8B93B17
SHA-256:	01ABE29F5CFE3B79FAEDCF4ED5B561AD40BC2D94E35A0CB35411AB7CD806674C
SHA-512:	6E44B03E7E9506897382072D4FCF60B0CFFFA7E3E4D565A6F1AAEAB6D7E76DB6EBFED456367C04D3DF8087B1CDF7FD4B7029103F34DB5647C623CA5E9566D17D
Malicious:	false
Preview:	.=z..xG.8.E.P.\|.K..p...R .....{z$D..G4R..~.....w....+...V.U.h0Q. $.D.W.....}b.....).......,....Gt...6....We.y ..m}.f!!\|.?.$C0.%...,.f..\|.....m.F..W...g....].M%.J......0-...o.2E......0..d.B.z!.M!..y.?.g.0.UX.;.J.....1....l.....a....o.^TRE.7......+..=..l.. .~&.../.....8pC.on..`x..{... ...W.._V...mH..K...E&....E...d.....H.I..cc3.^sDR!2....j...jq.n.x..G=Ogc....F[N..D..8.b...>....4.m.. ...u......e$.c../T0o9..w..x.....,...n.../.o...T...g%.#..)u.5..N.U..6....BxQv..\.8..i.M...Ps.{>.Q.C%.Q.+..<.}.F.LY..S]W..8v.I\NIf.H.HR....#....-(.+........? f.5..........;..#.....}.n.\|..^.S9 .N.E.=.tb...6S.....-k.^..=.......W..[Y..P.\...V.s..r..ch...$...aAG...2:.,&O4$._#...vm.~.....F?1...[..<b. ..HD.pM....TZBI.q.6.R".;.g>-.4....y.;\.EV..5./......L..........}h....G...+L..a.`.;^;xi4.\|^.3.H.S.""+Cp.B....\..........$...:....4Z._=Q\|...h.....d{.......l...f.v.6..u...b.C..m...N..."N`G.MR.`.WT.J...........^.\Q.>W.@{.Q...A.....@.s..w3.J..j.Y..2~.Q:.?..+.4.K....U}4.....rD..}..

C:\Users\user\Documents\GAOBCVIQIJ\EFOYFBOLXA.mp3.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.833754320319511
Encrypted:	false
SSDEEP:	24:kpNp2Z0j07yF9qfBJNxS24cygSxojsh9B7DStM16g2qZIIXXJv:k5ygsyF9qfvSSygO6W7OtM16PqfHR
MD5:	07FB8AA560D59DB1CD23AF3314103CB3
SHA1:	D5988113F2B7B8477AE66961E1C924468801005B
SHA-256:	C0F7924B4CE7516418D94014E579129C7EF1D6405D8621E6C501B830A8991C5A
SHA-512:	C6555EE689B4B41CE4FD92A8B340495541BBE05008A75A7B7F9F6589C5B08F5313F79C53EDC79CEAF4022A82C0C71BCAC1F11C0D09117F5B1EC10A9661D9414C
Malicious:	false
Preview:	..>.........]./]./.}..N.T...T-t.WOl3.......;.5...H.....LT.@ ..Ub..2..:$.t..Sn,d....\|.P=..].<..v...nh;.{~.....Z.Yi\|...(....0.e!...o.H...g....d...&..S..?..$.@k9..Y_..Q.}5A. .\.jd....[!.....Y.qG.....e.t...N.O8P...c..&... ..'u..."..5..R.....w..R..,Z...(0T.Qc.....2.I.^..;.Xg...a.@..t'<..6o.F.......G..N'N..."+.pp.e....O..d..f.0...&>A&.wSf..x.q3@..8...H..{).4..8.01....f.Z....n..z....C!v..K..N..{........"W...y..Z..9J...Fk.:.._.e;.@\..G.yFq...........tK......`.....S....._"%[.._......p....XmE......T 5.Z'-.w9u.....u.....\|..Q..6....H\.w...._..O...pYn....p.];.-.4..?K.............[........+..........u.<..S p..~XX.lOg..K.ee..].a(..i1S!...(.5...... .w.n.H....#...5....=<....U.a..e7...Y..=......XcL..........i...../.#..r....KM.)....5..}.K.c8.K\.5.6..Y>...qE.Q.-....xR@...t......@..h_....=.....4... .v..l....P........U..0Y~1ll..f~..Wq2dd..@.h...S.6..l....."S.~r..?$.\~.H..i.cUt....l+...$..7..p..P........}...N.....dG...^g".d(..8.$....2.......Z..\|\|.g\|....Y.y.m..

C:\Users\user\Documents\GAOBCVIQIJ\GAOBCVIQIJ.docx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.788620051296064
Encrypted:	false
SSDEEP:	24:T51YiS86RG6z89sG68HPqyMr6tVox3Vkq/0bgGsCpvxn:IiSrTpGpv8UoVL/0Ekpvxn
MD5:	9D467EEE21A632874786005CBEAEC432
SHA1:	810FF38CB883C3655D8050982FF871A2FF5C6F37
SHA-256:	AFC2FC21CCC8385041F8D430D65FCA49556A93C0F2F4AE56E8458484F6307509
SHA-512:	B3C327EEDD8B9E49A54DB3443DE4075A14EB415DCCA5A4AD554E3F79D522ED541DDB3056AE663B3D78ACF1D42F12B51733BC295C811D9537B7D5D9464A70AA7D
Malicious:	false
Preview:	U1.)..~....X.<...k....8.....>.....~...v..(......a..^......;.1..1=...N..5<.e".8...d.18.&.......a......F=........M....ib-../Pl..f.p...h64F1bv..h.p.<9.../...1\.D..qJ........, .'..A....t..h[..GfI./.<S...R.....M....M.....1..$.5..k....C..o$...6m..Z.\.)....'.W.......v..5AK.......n...~q[r5...._"..ZtQ..D..:.vJ.X#.=b/a.y.......!.....O........0.1Z..p...Of.loR...5wM.....KI...<..P.);>.....\.a........f.(..=....T.2... !Q@.6pG z.=F(.x..n..k!Yk.v..KyI..#Z........".;2.b.M.U...FP. ......B.....Al....q.VC.9 ./.v..;.....y.2.......Cf...o.:.Y#.9.bx.....$.....V..l;..m..y.S..Ur...5a........!.O..j.J.v..Z..#a4~i.@....G.r....l.YJ.r. ?24...%.K....h...&..6.6.......pXE.i<...U....o.a>...w....v=.M.?o9.a.h(o..2...M]..d.j...w\S..]...tR...(4l\U'..I....5.f.j`.v..j.k\|@f.(.....V'..l..<...x.+1..T....W..d..J.:..B$.R...R.`.m...cV..D.e..E.m........V.....-..3W...6....../.F....-.........H_.).....'.B..~I..u@......OB.e.Z.7....f.....j8....eB.....V<..#..-k.Eg<.CVb.f

C:\Users\user\Documents\GAOBCVIQIJ\QCFWYSKMHA.xlsx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.823153253572287
Encrypted:	false
SSDEEP:	24:IvVH280yXRiKVv/1+gR2WVzGMpZJEUhgSb2YKNzoNn:Ivl2kpVH1fQIGMp4GfVKa
MD5:	C59266E951FE6ADD1609CFCD55A008CA
SHA1:	D34EC87B9E369FB808DDA06ADA39B9CA893EFA64
SHA-256:	A068A5C4E19642C5DAFC5674DDFF6DFF9BA5D159955A068CE333FCAF80ABBA4B
SHA-512:	C030FE5BBCD77A5B4D12E77EAF23C92BA7E0CB8360CEFFD365836EC7CEA01F4552C6D6E5600A1D3BD6641F40AAD6CD852031F537A2CDB4F71286E763C9599D74
Malicious:	false
Preview:	...0.r...f..Nn.<r:.av.@..&....}.#..9..+....Q.+.........6...8x...F.K....@...r'..C..._.+...;A........ .b..k.'.#..4.<..............5b..........E..UH.}.{...y$f..R..z.....6Q@..L4./.Q.<Z...........[..&.V.;.dS....`w>3..,.t4...@...d...:G.......K^pH.Q`A[F.L.......Tk .%k.R.2.u....\|.. ..w4S"v.......Z#`.\|.QWv...`..&ff.a...lF}?..."..1..}.[iG9K...`..sD......F.j5..0...w.K..a..6"5.61$6..x.4c.+....T.r..c..#...8..q50n.)/7U.2-\|E...>7..Dz...\|.Y...5...\|..Z.).QW....b...(..S...g......3$Dy.pb......-0^-R....^..'......f~<.L._..,QXx...{....[H..yy... .7.S1........\`.`...82~{"f..iLL../.:.",5..4%j...4r@/O>.K.Y.5 ..g.DF].u#...]..$.$.....R.+...4....Lk.T.....x..m.^..:.h.....2M.<.?..5.......F(.<PIZ..g...RX.r..\..y..>..g.!A..+-m,.R}.O&D<.../H.2..B...aY...jb3H.%.H.....}...^.9..C.P]...W3....~...#.<....$.\eYM-.9../O.KJ<.+...x.WU.....Z.)...........I..)....y..sCCJc.....+.k..j~.>..*....I'.y.....^...$......._.Z{LwX...\|...td./...a...T.)P....q-.00.Y'..R@..c..a.6..<..`.bB.4@z....X.`C.R..G....

C:\Users\user\Documents\GAOBCVIQIJ\SUAVTZKNFL.pdf.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.827648500255231
Encrypted:	false
SSDEEP:	24:kSIBBxmBt+blVB+R3FxzovgYx6kEBZOnklNkXfrb4Miivotxwawe1:kSIBbmBt+p0jzbVTB8nkwPIzigtxR7
MD5:	BEC9944C433665FD82D584B351948CF4
SHA1:	2058E68078F90C1085DA77C85D2FC8B39BC75BA0
SHA-256:	088A48426E411F436AA39ECAFAAC23F0EA81CF581C4FBC1884BECB1C3C50A380
SHA-512:	1F2EF1E46A0EB64A3D871C0D344BD1ACFBB86DA8BBF1C5C422C112D1709E28A50571558700CE68FC911A4BA5969EDF145A336B435D33E4DC35B0BA650E902E77
Malicious:	false
Preview:	$K.+x.-........ _%.t.0..."0?cv.IKIL...%w. _#A...U.R....3..n..........t..D]/.43}...T....]......nj..6.....E.X..L..{g0.+j.h/...u..Q.!...1{P.D..3.....T-X.-..C..d..n..........J.p4.:yy.S.;..}.FTs..2.0....%......)..C..%.$.=...0.......?........0[..'.Y.KurzgB...m...jC .K...t......q....q..........%.X_..[..:...#....BQ...kE...O._.8~%..X..nKp....u......h.4.5!..g^-...p+.k.{gP..D.3.E./E..H=.....F.G.0...5.hVD...-.`I.R.GZ.!.........H.@..}..2../...'.l....hY..L...ss.....P._K.-.......:....C.A.....v"<.W.P.o..5.....g...u..,W{.2.....~............4.W.D.D8.......9..1..O.....o.....<....9a...G....3..W;.q.W%6;.l...2.]...sP..M.Bd/.8.1@.[.hT2.j.K..ev..qx1.e.)..O.y..Z.......XKS..GN<......r.L2....g.&.o.SVd..<..,/...@W?`Z.U:@6...h.l.0M..r.?.#...O.Q.E4...........W.O.[.X...^...3.a.G.7.[.X{.B*.....O.<'.....(.r....)%....c..8.kN!o.&....U./..{...C..5...O..Y`.A...+...U...K....j.Y...).(.i.(..a..>....ra.U_..P...,u..#.r.....%..:L..HB...p.....!Y.e...A..Cl.!..].......4.

C:\Users\user\Documents\JDDHMPCDUJ.mp3.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.813043103119217
Encrypted:	false
SSDEEP:	24:ouIQwxST/uHKZoI6D0EWLL2tfZYayy0Jpxnq4BdZm/li:ohx8/x6D0EWLL21ZYaN0vxnq4/Zm/w
MD5:	12D6152CF9F19EA3E1545E15A29C2C43
SHA1:	222417721E0DD84A9C0668671D622852903002DD
SHA-256:	8A7983F69378FC10EF204B42D33E1CC32BEE59B9BB06C3CBC859D388F463C7EE
SHA-512:	B96F2C6C26621FA84980B9346C44C47C785F2BB81E38B4F2FBC1C032D767C78E67EE2B773EBBE7A3FB7F347758B1921FC0161003EB813D745C3014EF0F2EDE1D
Malicious:	false
Preview:	.B.MA..........@..i.X.......3<g.Nv......R.....'..!"....4.%~~e........e..T....@.p7...IRC.?.+..\2..+..>..DT.......w4.;\|>R.L.KU./.Z.....6..1.(.Q.V{..O..n..8M.Nc/...., ^......g:....1./.....N....U+...\|.......N.He.}.`,.WCx.9FQ.R...l[..2>....t3.\|.dK.p3....T.w/.....8......Q.o.h..R.-...P]q.&Q.we...].R.f..P.O..!...{g....U..8mC.........-....x....a......l...q....R...Y..nh...*.^0K......D.m......,2dH.p...,. ..J.K.Y. ...wz...F..p....=.....'.Ux<.o3...cc....{wW..n3U..!.45C.&..'z.........Z.s..$9s.i..eY.........LY.r...e.1Z....&P=..6.....k...?=Y..M.....yr.q...)..^.^Q9l.....u..v%...#^...`n.9r`:C.....(..A!o.PR......e".qX.....1b..6.z...$.i...y...H.$9.@...-..z....M..n...P..~.V..dY....t..:....qc.sVq..@W.2..-JCiD.\..vgG..I.j...zg ..q@.........}..`Yq. .9.5..A#IX.^......Qn..>.4.....kh....e.BF..Y..X0....++A..3P..E....-8..Z..44.....\.0.8.#....e...Sg.=...dy..c[...gd...\.....V.n...'.Q..r........g.Y....ZOC;...,$.\.e.A\u..a......t.Mh!.c.L.5............FC.HnzS{.T..

C:\Users\user\Documents\PALRGUCVEH.png.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.798119543747345
Encrypted:	false
SSDEEP:	24:qrTy1aZ2cAvqz85ZqWLobJxHYmXki1y8Nu3w:q12885ZqKobJumXT1HWw
MD5:	26F6B6E30D63DC453F84E1C17CF9F7DB
SHA1:	032B501F209D8D0C9F1DB5925550A6D3CA9BB220
SHA-256:	9FC5F69A9276843EF597805E8465713FC1AFC79DBF0A1C4F217D5964EBAC54C0
SHA-512:	9EF108418CB6D44E71D0D81D427DA95644BA28B9DC02CE0E87498B32C12D31AA57CF56A63F5A54A0E16540F0D9C0A0D1C26147841BAFAC681A93804FB1D61BB1
Malicious:	false
Preview:	..11..p..b.....B%S.Q..B..Z..`.QO/...]...P..5...m-.z.V4?#1.F<&.Fk.in.>.....i...r...C...Un.s.e...WX..y.'%.%..,.8.6..Y...D...w..f\..t.......{.].Y..&..........3-.I..y.\|...^]....~.O.5.k.4~..U.ya.....`K.uk.o....O.......G.;].#U...J..?.c.C........Q...9.Gp8..U;Hvm4....h...g....@.jL......c)ce4.....9.;p..k}0{.."G.u'+O...!A...d..]N.._.....V.....\|.........Qiq......5..;.h...=.%"N;.W.....I...bi0"....W......aLh..........(R.7Q....l. ....]d...!..._\..`....?.5..'.8.l...l.xd...6.H...t./!Y..+.....@...WQ$..2.i.w.{b.@....'.2EO/....\={m.....A..s..Ol.;........`a..t....z...`.i...G.kR()D.)l..zo...WUY.v;&e.].R#..?...... '....Q....j[D&.C..q.g..eZ....:........k.b.....<...o..5..A7..I.1!.2r3..~..~...p.c(..........._..........}.....u@..j......./"n6...:...8s.yh7..h=:0.k..{9a..;6m.=O....t..W.[..6..I\..DGkl..F.pPK..DuT~..Bq.}...+i.....B".b1.....".Gc.ql..J..\E.l.(Y.]..I.....s...6z..k5 .d..J'.j&..).N........#l$...<..c..D....:..K...........]p.....~#.0Dc./

C:\Users\user\Documents\PWCCAWLGRE.png.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.817020113726208
Encrypted:	false
SSDEEP:	24:Th54JTawQ7qOkHJji9nf0uDjxHf1RjFEwxJW:TgndIeUjZFH+
MD5:	363728FA190E903D91B9893A47225387
SHA1:	8F23FCF4A6C9CDD732BF7473B35604D7393374CB
SHA-256:	9E5D5447DD55B3A2142363F60619C9A8122108BE064D89EC83A71FDB92E6EA0A
SHA-512:	18B99441C5CD9BEC3B5CC67339C0DFF395201B1223F53A4D58FDF09274339C7265C3E3094E181151FECF51B7BC248D81A0DF33C18FFC765818EF048C75CC02B9
Malicious:	false
Preview:	.17... (..\..z..l....)..C X.c...d!.....>p^..(....rw....b....p\|...N.Y.X..w.w..G...%..D?[....4..c.Ta}.r$..C3..bG.....D....RJ..j.Q..$....].>.?.....l.I...:2...bH.Wa.-.Q..:U.-`...........L>...x.....U.J...\...].(........F$ko}y..2....E..5Uxk..%... ~C....>.Y.F.w-....w.#....p...}.C....g<rQ\.`....d~...9WA...74Y..<}.,.....<o.Z.\|h......\|.3...t.6..c..k0...Td...i..-.E...9.86k...[2.............E.J...00..i.....V....,.V.0.D....\q....\K!c.5.>L..j.{....A]..:..y.~s...W/..i..5/.`.$.0.q.WD..S...Mg<.O.R...~..[..@Q....nT...nLQ. m......P....}w.d.M.....M..d.p..K1...'.{}0^#..;.......Z.n9.J.h....c....P.{.....!.......v...X....r/.I..w..$...v....!..H...Ua..J.~.k..@.h+.@z.....&.........@ X...=....8.1El.........I.~...+...Q.G..*7......V5...^..'Q.)K.9...]`N.1c.....e.b.........(..e....9K.}............(....;.Q....Q.}..J..c:./.6....)S.<":,.v.Bn.0Wc..,E...od..+./Y.v..@..u..-..).S).].[....1..$7.g...ccQ...x.....V...9..f.2f...m..hm.LfR..3....1.B..F.d>{..\|G..}....6.

C:\Users\user\Documents\QCFWYSKMHA.docx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.824628756272328
Encrypted:	false
SSDEEP:	24:xTCUlVm7ZpCPhZqM2M6Urs+OYNdwMhnG1DJBFW9YkBNmXnIJziEwBwaobzAd1E:pCZpahY/x+pwMhIDRoYkXIewn281E
MD5:	96C30FADC2B823417AD83AC9B39450BA
SHA1:	BFCF94E85B2145C5CF14F9A357D2E4EBC82C58BF
SHA-256:	145084783F93DD441561C79D2255405A618FBB8E48121C5D54CCF0492EA0B4CC
SHA-512:	88A678ADCA3A0AE57B898EFBEE5EFA5008A4936CCCA280D625A17BB417270F915E149D566A7FAFD099E0B9F3252CB1142B16CA14FF49B46009CC0282CDC289D5
Malicious:	false
Preview:	...._$K9bg.H..((...^........#._.HQ..{..8.....2...g..w...\..(x.E,r.Ms~.V-..^.....A.k..g.<..].n.....4vy6N.G.G.,.<..H.....!B7...w.e.....>b.m\....0....P9q.k.T.=.0..3.'.Ii...j.&."..v..Q..a..^.x.l.e1...t..l..x2........Ku..:b..5.t............".48......J....p=.....b.T._...Ni.k..>..D.p..7..m......)....EMl.a.a._.G.".......q..^.^..J......=..'s..!.i....q..]..Z....;~R...@..s.,..S.@>o..[2.f.J+.O..N....].e(..T.h..(h,.\|x.'..I..8c.7.....P.\|........c.2R@.bkt':.-.=...K?;.0.C.d.s...T....u..I>..k..X..'.P.[..I.D.,g..3..R../8.L.\.v.S....wt.T..Zk..T~."..$....."...B..3..D../.............vM.x..p;L.x.AH.M@-.6.....l..t...a...!...iL..w.'2..N.y..f...Pg...r..u...f...X.b5..ir.$...e(.(.1.f.7}..[..H.%......L.c.;...,.H....w.....\|......I.hv...y+.Y2bM.y...+.j.h,\|:rX..G'....A.....F}dDW.?!....H......T...S.g6_..#.".N..Z.CNH....:....;Q.%..n.v.W.$>.......x .,..T...".@..z.w..GP.t...8{T.'c8o.i.....kow)sQ..C..:JHF.J.a8L...r_<;.D......\|..p..2:Isg..y..Y.e......vc..o.......L..`.

C:\Users\user\Documents\QCFWYSKMHA.jpg.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.815193729986289
Encrypted:	false
SSDEEP:	24:N8RUdrGiscfDax1++xkCLzHNMC71rvrtWXxNJ3r33gjTyUS3:EWdC++8C7Rh6J7Hky33
MD5:	DDA45005EE2F0A1B2D3DFBE47402B659
SHA1:	7CEF43FE8249AB0033E6D0AFC5E12D7DD31FA91E
SHA-256:	C57A6A867195DC5C8D15992901A3D3BC3C512B9592EAB01C776D634960C667AD
SHA-512:	000C8F78B87189D0786D748D152D727C6A6865A74B279F4C1F29F9808044F7278644EF118C8ECE662692FBF33247B4B3EF88153BCB59A36926B2DFAD197BFB9A
Malicious:	false
Preview:	.XA.MH\|=......2\...)../..!"..#.........q...."..?......,...oH..Z.....#].U....g..n"&2.3=....>X..V.{..m....h,......`k..z.t&....I.........../....l4.._r.u.{@.ig..m.u.t..$.I...xI.....,<..Z.{.....j..../3g..x...j.{...:....G....Y..&U...../.} .....\#`..".~..Q..h.2.P~j~.`..._.ltD.3.qx......4.#e[....0..A..4..7..6..I.V....a..VS....J.02i.PL..V....6....#.H.p.o#.D...'@.2+.q.U.^.....7.t.....=T...8J5.....H].R....Jf..P....Wb.'l.3..J.h.o}....,..e..s...U.B.Itv..z.u..$.........V.EF.....9ij.u.4.4..H....p..?..#.!!....c.,L..T.,......0.....ds~....g..(@&=?n+...x....o..;.o]o......w......@.....L.#Zc`rX ..:jn..Ed..+.IN.~.Cc.Z.5.b...z.9..O./...N. 9..%F.....8....YYU....T..T.5..'X.x0=..@.Y.....(k....Dc..@....@.(R....0..d...]C=....1......zwS&5..N=........3p...V.c...i1....}.B.......D..0....9.j.mI..#.(.H...&LX.n....Y:..@k...G6....7.........`I,.e3DQ..R?....._..q.y..yH1X.....!...q#...t#...m.B..27...Y683u..P.d.O%..W..I..y~....{........v.r.@G.D...F....[.%.....my0$..

C:\Users\user\Documents\QCFWYSKMHA.xlsx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.806743228724293
Encrypted:	false
SSDEEP:	24:lqDKk98TUCgLzVXX4TguHn8wGPMH8kjlmjPbk9pxq6R:IOk98TUfLzVH4TguHyPMnM6G4
MD5:	F05828652097D9223E7043E622A122AA
SHA1:	F5819BB3A796B55A07DF4A543A7EAFAD0B615D95
SHA-256:	1675007D2C91A80AEF1E309A74F1FD22D897995CE6D36E92A7A328BE4F31E2BD
SHA-512:	8C2E6A9A82FAA78AA14BE0DAE7B45FEB3D25C23A0D226D81FF960228DFD879FF03E5ECEE51244DA89490EBD49B706BDD53E412BB81012808F977A20BCA72A752
Malicious:	false
Preview:	UP6.i/.;.G..}..(.x.1.....yX.....:........{...#...Zv#.......u....9.T...Z..3..anei.S.Q..Lu.....\.Z.....C`3.h.i..3.C.......\|&.i[Z..Mm..T.).0..l.r.......?."..........n..Q....@.P.H.FzJk..w{...s:ZAvx?....fGM.k05JH.V.d._..u.I....>#..R7[...~T.n...8.U..Nc..s..M.,,.".8......?a.6...x.io.9.f...'....~bk..&....rP...k.....x.0.p$.....Z?2..[.\|'..';b.oX....x.....1.&`.U..a..p.....b.>-{..$....i5._Z.Vl..UR...^MZ7.....d.......m.N.\|^..w0T.Q......9....d.j.P....;....5.f......\|..x.5...J............)t....0...D.*...b....\|....@..v..m....oS-..[2.....(..4<....I.Dx.....>.^.W.(L.....p..P...]2oN3...x....@....C1.X....%,.."..Q.w....^..-`..)I. r.P...M&.(.e.S...0......1.4d..W.).......d...S.i&V....k..."..d.U.f.8(E>..!.....9....!.g. ...4..h,.1...2..a....S..".l.>..eD..uce.K.Y..(5.z@\|...rBV.p..b....qGCM.^_.1...W.9.W...b..l..fY.G9.iE.:.M..U.....c.x.H.U4.._95Qt1..i0I.on'...{0.-0M]w..b'.Q..g..$....y..M....}.90.Xc.TIF..P. .^.sL...r5j....WW{......x.7/..,>...j.... a.....j.b

C:\Users\user\Documents\QCFWYSKMHA\BNAGMGSPLO.xlsx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.8234478724417045
Encrypted:	false
SSDEEP:	24:Lpd6jQE1zPT/nm5XKvvf2IOCpyl+jiFtgMBTiieoY/I:L6jQ+PTPR2DCpylFF+M5yA
MD5:	FE12F283ECAFB615DDE962B8398445A9
SHA1:	3C0C27B174585BB64AD221DBEDDB9BC2F413DB6C
SHA-256:	D793A7916BE6CCF663C3558914636C662F452EBF8DB5223F26E7A5B3A1314C06
SHA-512:	B0053638EA8308CBB8DDB51CD7415955D0D109FB49CD778F856F0B3C380FF85FA292599D5E1F4A0CB0508251972ADDB3BB313278459E519A13352EEF6EE354CA
Malicious:	false
Preview:	.s..s.^...e..BV}..mn.....o@.q.dv........./...H..u(+..\..L...=..e../...@..wc.... .5u...c.i_PQ. .E1..1.R...0...#G..KO.3W..2..F..$..\|.U....i...._..\|.P8...k.b.~..1.8....s..b.]H....9...1.]JAs..gA..R.....g.....>.l~..c.Y...wn.~c;.]..E.w.{m;\|.E.:Z.zkJ...Rd.y.....`.D.."'C..t...G-..,0.u.y.^.f.....>.1N~..@.#=#..=5s.....lj.S...c.?.[.7.mZ.......". ld....`...D.K...-..s..N..o...y...rn.".`.".v...<......=E....<Y\k...?..".&-yr.U\.h..@.e.?fqij01q5....a...]...lH..^.+..c..o.Zo.DBv..aE.!..]..S...&.q.......q...:.KG....ZY30.uD.........,.=\|.\|.[~...,P,.5....ix......Kq).....9.iy.\|..=.M....M.W]B...P.kK<.#...KP..).akRM1.......zT.....>..I..Wp.,.;..!="J..K..,..Q..;..!..8..^.../..A.......E......).\..y...=.fm8\.&)C...Qg...{,.....`......{...R...my..J.k8..].3.?.L.}..\|..{-...KOS._.X7U.\|"UT...xi....4.:.D8.os.......c....kA..'.\|{..8...>hot.n..e6.w.].V.0q`..V......3...~4.[.q{.....oj.5.Y.......$..[..h.t..".R`...%..P"?...X./..[.1Jd..8{Sb...WX..5.LU.......g...z...aR.......W..5.>...

C:\Users\user\Documents\QCFWYSKMHA\DUUDTUBZFW.jpg.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.838527950760559
Encrypted:	false
SSDEEP:	24:yIGIN1HYh53jKSAGoXA4E5VpPX4xa+7CbAAqmJhJiiaKZn:yIfY9tA5XXGia+7CD7hJNZn
MD5:	1F83F9F1C546D28B5F1503F41FE1FD68
SHA1:	91B760B683FCF259B2969B7A5A82FB2500EE8E8E
SHA-256:	0162134E6E961532AAA9E16FBF09AB788B4C8B57D824B7F6B936CFF86D394884
SHA-512:	52D9DB613142D7FC7A26661688A9B2958FAEB329101F69FFA270970EC3B5A7C8F95BDC12C9E8CFE2F210C8940DE506B33BBD2C48CCA420F205F20C5981A9F392
Malicious:	false
Preview:	..)=..F.=(`sW.@...p..n[........D.T......8.U..`...S..R ...-..kC.T[?.P1.......C.4.BB2........r.......K5.;/?.F.;.r.....e .;.`..!r...7....C8......n....n.........:.2.&....w.5Zv.:1$...M..H-.-~wE..h.}..W..W.1..qJ..SW.I..>...E..q..?y.V....[!...............\|W...B..@...(....."X/q....~.h....>..Y\|.=.....g....eE..#....a..t.(.x&k.....&...0.u...T7.G....4.....J.q~.L..../.K.Q...8JdNi.....R.n...(X.(hb.5Z.0....2%....9.8\".uh".P....2...d.`..Y.....xi>....^i2w....@6.Y.X...7s..'......@....p.t>C7......8..P...''`.....ef.;.&...eu....#....H..w...1..!.....Tc..V.c...No...a&.(.4.....(.Iz.i.\|....d.CX.......w.u."......nK..-.j...m.1.,...3U-...e.......,...l&\......".?...J.p..v;...H....t.....P.G2)a....Q.7KG...._.8....,.+.TgV....\|.c.2.q..."..._..}V..........F...:+M./..X.-...3%e.....~...N..h.........%.....`.j.........).EI..i.m.D.U...Vo...0/j...3}:@Z1...J{...8=JU...K.P.G4,.:M......y.....;....}~;..C1...x..$."!f....Y.&...B.)V.4..4'.C...MJ.....^..4Bj...y..Q

C:\Users\user\Documents\QCFWYSKMHA\EFOYFBOLXA.pdf.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.814761907422488
Encrypted:	false
SSDEEP:	24:t6XeKamBW8COJU/y7y0N5/oJ6Va1MWw2LT8P6klJiCkgsvzatG3E8rQmgz1XB:t6kpORH0qa1gHqPatG3E8rQmgzH
MD5:	E38C907234C642214821C946DB847533
SHA1:	3357CD6FE383487987312BDD850D448FC56FF6D3
SHA-256:	4EA0A7043985BEAE682BCFA504681AD3140F61FB5292C7ED713531E7DA62A228
SHA-512:	470DA6366E57C4F44C02186F91B89CC285FC7AC4E0623550027167746601AE8EF4428358A45A65497B646FF31C4FDB5E2AD18F031B87E0556E70BA66ECDB5959
Malicious:	false
Preview:	...\|m...].D.<....rw.I..j.V...$........3G..d...n....d+.kfn.P\...g..Ry... vt.=......j..ZBC.:..2...D..SWh[....<....o.!.[..........5-...G....5...'..t.c..l.S{..t.?.>./.3q.p...s..$...P.k..k..'.E'B..p..E...+_.>..........g...<..2.9..O""M!.k.q...k......9.DL...Sy...J.J.....,.........M.L.L8.w7a.4q...y.T.....?..t....$...<..p\.1....v........T..~.IpQ.~....G........=.]23.W\Q.s(..8.....L..KwhK..U+..)..lu....eS.TC.e.......YNq..._....=P.la.-.].....Z./?,..g....`o....33..\..h_.T.G.e.h...1.............i.!1..ZXKR...=..;.Q.g=G...8.`.6..6H..e.P...{..a...2...+...J.1.....G..W..xK..<..;...._.DAu2.q..W.......R.V.U.K.....\...&.Z.VPp...d...)..]C..tdy......Lp./...a,.....R..S.....C...tz..4.@..eq..N.N.+..Y...........B\|...(.rL..k.......G..B..`.~..;4...PJ..D.,kD.....-wM..Te..E..^J.Jr....I\|.#..,....D.MI..a.$.....{.X.A.....@ah.>..E -j..).&..H.v.P...a..{xZ..W.......1..,.L&3C5.y)....clg...).h..2.X....c\|..{?.Cq.A..j...K...K/.}.D~...O+..<..T.3.....{....!......;v.....K.....

C:\Users\user\Documents\QCFWYSKMHA\EWZCVGNOWT.png.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.816460092904725
Encrypted:	false
SSDEEP:	24:X9W+G25COyKVU0H5v2R1ww8a/ar0Q+FdT2Sertubc:X9WB72UU2/BT/kp+FdT2Sertubc
MD5:	25306E7B28B1DDF615879BD139A227AE
SHA1:	79E40A17AB0E2EFCEAE1C705274E86400CD3D953
SHA-256:	9D46AF59D07CB7C816A4860BD012818EB2358054371207B2A6DEB8AFFD8A31AC
SHA-512:	A819573DEE70B602F1CB8F20B09603C029B820928CDF0925101C8005A605BF59D23D5A97EC73F41711B910D104C13C30EBBF60399F8320AE19F6234A194E3337
Malicious:	false
Preview:	..........8...w.....W.%..L8..8;N....:..^...x..w/..^H.w......5...$V.~`KA.0T..4...Vr]J...&..0./E.......z.L..S6.j\k.....q..CG.hx..JrzI.d..../.i.?....=.67nk.C..)....>.'./.=.v..>....h.=.l.Ab?..So...j...q.~OK3kZ..\n.Jb.h....2...p`h.T.S....9.H...4$.......Ez....`3.0....T81...PgS.Y9...iSx..R..=.......l.B9-..53.......'`$...Z...a...)...L............(...Hn..G..e.]....^....<....@.<....6R.lk.................%...6......w.N...#8.RAp.D.H2tM%Z.O.....$;...<.5#.uqN.J....B.\|.K].b.'......`..L..k6X.M..r.%.6a...$.=....EnbP.Q.....W<.$.u..Rl.p.%zR.V........A.q..h..uX?.3..b.E.....aGu..A(.W.$/..]..T...y9.R.wu{-P...ml.,.d...0N..)..]..qQI..N.I{c...U;....wQ..$ Y.YE.k.r...\|c.K.i9.0.{.0..S'PN93.......{;A..;nW..\|..+..r..;.....Yv..a/.Tk1.}u.J.FA.....h.a.....g..L..z...[......JH..-........\|.&.e...VNn..........S[<......!9Q.....l.%".9M.G..HF.r35........v..X.b.....p......1...gj..!.NN......={KGO8.>....=l..T.I'.p.K%..I.&.$..d...;..4S?...}..`.N......-.&Q.

C:\Users\user\Documents\QCFWYSKMHA\JDDHMPCDUJ.mp3.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.825999985958838
Encrypted:	false
SSDEEP:	24:mepjulL3MKNiY3XKSaLysXegm4KazsPexPUhwoCn+z2WsHWox+:OlrM0aSaLy2q4jI2xPUhwRn+SWso
MD5:	69C27638CE3E4BA6E0257654685A0393
SHA1:	80D8D021DDDFA5489DBF9C02E507D6233DD6A360
SHA-256:	A56D82BDBAA0368A4E704E7E116AFBD6CF57E59EAB7EE8313313D4B5A44E0846
SHA-512:	FDD969FA3839923CE0639FDF1E4555261A7161561D728BE0894839CE5B2667EB6981C98A7C61EEC0A9C3405D840C15A9D0BBD21F0FB28A9042BF9027391B3480
Malicious:	false
Preview:	..,..Q.^HN......g....n.N.z,.[8..h..6....q....-1.U.^...<.+.416?......J.........>....}u[....gb.3..\....8Q.e..b.]J{.^Rq.T...C...Z...G.....:&.4.z...{E......x,`..0.k#..T.f..8.0.......zn.K..6....s..u5.U...0.+`.!..G...#...-..$\MY.ts[.....J,.....(.}.."1.eo:....".....>r1.lT.d.v.Y.?C.......7.>O&..S.k$...#.;ow..9...-.._VL.R6............)....e.....p......^D\..r..O....r..w....-`B(.w....C..R.@...M.e..).R.O?.......?.{..p!...@..@...x..&c%>a..+...X/.:85m........[...s}.3.....q1?. .Cwd.?.e.9..}..'.l..C...;.V..xv...Y..P,...S. .-.r.L.\!R..!.9....{.e.C..)...:....*}."O.oBXT.6."z~S...1...VEx..o...a..:..r...V...T.F.....H\|+.bF2=[....'1.t...&9%.,.... ...Z.i.r0v.x..n.7T...b.J..;84M[V...ov..Q.[.........d...!......Z.2.......\..d.>..tf..D~..........Gjf...Bz.g....~.A....).+l+....f...#..5...........(...-"M@5]}..8....;...'.~.Y.L.).g5...'....~..qJWh.s..:..\...F..Bt.Q..F......4..E.U.=......C...#.%9..o.=..O..>. .t..f'..E.,W~$k..>...]Jd0..\|&4..N_A.R....d....)......G..A<7..2QA.7....

C:\Users\user\Documents\QCFWYSKMHA\QCFWYSKMHA.docx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.838887743833857
Encrypted:	false
SSDEEP:	24:CDLbVyqK9L0YNvg2wytKroAvSgXfH70YS3Ic3JVHJyXdT9E/FPJKq2YPFJt:WL4PjwcWb0Ypc3/cXFeNBd2OFJt
MD5:	2C89F9B38D20645479C7385ED0088936
SHA1:	B6E0B0C32FFB335CA45124427D420022A1EDE7A6
SHA-256:	E4C0974EF6CDF7094E76946B6633EEC45EF7A52F1E634154E0B6E7F891270818
SHA-512:	4A36A2CACB68911DCF840F726517E2F8210D55AEC24FAC596BFACDEE539F1F5E203899E3DC548A6EFFA9FD6ECB9509974E0AD3F05062C475538659D83C0B1068
Malicious:	false
Preview:	...3.R.l(......6M..m.b........C..x..)z.j......0=..F..g..@{$c...7%3...W."..O..%.!{......U.JQ.....A..w>.EfJi.).#..).03......H..$./cf......c.+..G.E%..@<[..~...C'.Z%..U.{\U..j.............].q.....(=-...;..S\|...~8Q.p..CF$O.<.#T.I..w"a........a...KR9..Y...,.f}>...s..B....dsTS....Q...Tr......y@.{...a&hl..2.s...8/...>.QS..(4.?x..&..e..O.S........a...y.UC..v...qJ....w..RX...7...`......"Z>tW....r.^.h...\....x.a...c....=.......i$....._.......m.D=.D..8g.}...+.a.j....I.".%q.7...)...#y....E."..1..y)lb.,..q.b-w.<-.M...XO.#........5.....O.@.[..#I[r.._.`..bo<.....b...;..e.b#7..?.[y.....=.iU.Lo.o{.^gg..qG.../...>..<z.:..HH..B.....?.....]%.....].e...Me...eW.!xu.<.yj.$.2!u?G..Ou..(........v@...W.7...X..t.[%H.M....%n.%Y..zu......1.Z.(...rw...1..^......K.....kI..Q..s..."...c..>.....U....dE..BY.@.[....W./.........TZ..xV.. .Yl....XJ.....w<..7..^...kjA4.VL.Q..u...G...6I../.....E...~....~.D.c.f>......$_z..9.EA.2b.p....+Pw..=!5.n....r}.:..0.....M.:.....

C:\Users\user\Documents\QNCYCDFIJJ.docx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.756292348943025
Encrypted:	false
SSDEEP:	24:Elj+USE3tnaYAQSb73fGOis/rEIpxdCppJG5SOzDJtz7kiE:wn3teP3oOrEIpCHJUSa7hE
MD5:	8365F4556791E10B7A1A9CE0CB16B938
SHA1:	D2194F400560B894B9E7E5DFD1298A28D54EDECE
SHA-256:	5309D51B7B140A869FB11874DCC02C5582B57A43649CE6D1B10C1B5ECF9524D4
SHA-512:	CFC46F87B3DED453013D061136E27C597D7901C1C9A8F0A11CBCA7DD131862342040D16D51A56851634E25DA7E9DF866B58E0E33AD72DF99343A0D5FF60465A7
Malicious:	false
Preview:	...^......[]....1.....!5p..[....2b4.\0...3n. ..g:.).s~xrB..p.'.... )..n.H9..C..`..Wg........m.#:..w....W.Y.j.L.......r..B........^.m$....F.g........uiY7.....#....d.....bG...uB.._.0.y........t..#..cQX..\|o....n..h...c.....?..o.r.Jr<...]Q....]m(....^...i.....;,....y...U..J.\.1.....X~...q.j...1...>.S.).t.v..g.`...-..w...Q.n.w......t&N..V.."..r.....<+..\|.6.c..*...}l..U]...5X......T%..4..UG..<%.Y<S..I1.,.WI.....i.]&P1.&<._.x7P}x....-S.8A........L.5"...M.7...;t=k...../....K`.V.w....+~wS.b.V...`Z.r.(.qW4.\|..j.V..2.Y...4...R..f..1..W....i`...............G....:..C.....Ku.. ...%9wIIc..`...y.:\|3."..-.&. ..D.y......:...].......ow)`.$:n.o.......EV.L.Z....[....j.Afh.U.V-.J.]'e..6..w.3.a...1..g}.(?."L.EK.$..Z..7bU....9..7...r)..h)..v... .....NX2.fZZ...;a:...........\|.&k3...7...Iu0.. W..B.2..&...o._AI...AC.........YM.#G.F...fB.x...G.Hw[.4...}..y....e9...J.m.....]...[.'......O.........]S... ._...../.}.Bl..&C..5.B....!B..xM....e.....:...

C:\Users\user\Documents\QNCYCDFIJJ.pdf.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.812858127267209
Encrypted:	false
SSDEEP:	24:RWOzG30kbD746F2KZGboXoFKBWeAk77BN2+Ub3hDdGiKR/I1:VGkkD7pYnboZWNkD2+0hxGiQ/I
MD5:	C2EF5B83DEC053CA2B7DBD6C8C45368B
SHA1:	811F4E7AE9A07AE838E3DE253992F872985A65F7
SHA-256:	5EEE22427CF47AE598774E61C532BF71AE6CE3857E443614E104ABEDC7029119
SHA-512:	21782A40D5AB14D9A0E33C95BEA014C8A72C87C41AD206E5DBC876EE79B19A8F0D0A89432B3FC5777A23DEE021BE856F5055332E5E2B7A134DC0B02CCF9F3D1D
Malicious:	false
Preview:	K.S..U.6xs.OqHg.T}x..U..lP~E.<V.e....k.Q!.aX.....i..\|..y.n.>+.<.xi..k-...A.L.K.Tt..m..7..M.......,...H...;S.....Y{.#..p.W.d.M.@...D..s.....m.q.....I...9.Zr...........E.).V...$P."..wA.O.X..&.....^..>\....5}.C...:.+..eK..~......y..7.$1....._p!Y%..k.o.0.ib..V..g"..;;.)+.$W..AI...F@..l.].U..kE.K,.>qX..Vr_j...6....W.,(.0`%>Uz;f.[.h....i.........n.4...~q....lO.r".aGcj..lb........GL.r.:..... .,..Q.HZ..Nyu.:iTF.A..HD:+_$.B.q......N.$.*...3`}dF..1..u.OQ`i./9.1F.i..f..%8L\|......P..Y:..L..n.3.."...W.2...t#..#VQ..^...O&>.[2...o!.b/.n.;.5....k...V..H...5$pz..K...L...Q.....V[..s..O.W&..j.tM.A..(....l.[Gn...f..".U...p.-i...4~.8...Fo.....K?Ue...........i45Z9...%...-..6..@......H.Q..tl..F^qz}...a.+....z...l.et.D.F.h../....}K.B.O..p7.3...-.9..2...Wg.(...+S..x....{.]./..YS^..nO..<..ZH...K&...y......Z...kh#......s....5h..&...{.XX.LBwF/._...[=m..... .S...!.\|U.........4b>w...Q..Z^9u8...H(.-.n&c.K....F.E.)...r.......N.a..=.L.-........i....{..m.U......\|..q...'@qpK.Ot.m+

C:\Users\user\Documents\QNCYCDFIJJ\EFOYFBOLXA.jpg.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.823726688694133
Encrypted:	false
SSDEEP:	24:cAWBBr7zHb5WMyjtLr4HFjigRcNCLfwrZj+ZAAIM2LNTpN8eIMWV1tWc:6BT7yUjd5cdjAF2LN11HW3t/
MD5:	B0A6E682805C1FC9F0A23D2DE05CE1EE
SHA1:	2EB7BDA372D14F5C5B8BFB6A77A70C674741F33D
SHA-256:	D45EA00848009E06970202645E1E4E19298F5D0E7343F077D91CFBDCE13606FF
SHA-512:	681436D8BEF42309D0AF0C6A79F9CE99B73806022CDA01B6123E0BC12D46E35B1E607BDE0AA70BF4A1532C96ED7BD0C7F6BE1E0A857442A2E7A9A70D668CDA7D
Malicious:	false
Preview:	.......6%q....!G....B...m.NP(...(......>!:F.d.....p..WQ....=....".R.7....R.x.I.f.Aq.0...[.V$kA..L........+........]........jXq...<......O..E...F...c\....i[9<J.G.."....9...K67a....6\.q=.[.H..........._c.....4N....?...b.]...Z._........._.V..TIca..c.$....F.P.d..>.y1..G.V...T.....w.%et.=...&....d`.a.........NtB..%.F.j....=..zcG)...Wh.H..z..Z......O`:'.U&w..?.vbK..@]....S..eH0J.j.....(..[4.A.....Ud..R......5.~u'^......\|.`.X...X...E..Z..@V\|.7.E...d4=.'..^..F....:.......xYR.)VfW.o..lUI0.v.C..\..a..T.l........T%.+...m.oD...\|.G._.4.gc.&....).l>x..I..L#}./...!XG.>.._.......>.'E.;bjb.p.aZq_.q....u.;..b/.. .:..:..M..t./..scsF;.X..}....k..5@........Cz.3.F=.S.......#..m.nj..8.....~.\Vt.iS.dc...N.;.of..04.....K./l....OWj.D.:YSd^m,.T..;.6..Y.8.Zx..g.o:'....T..6..)P.....=X^.B..!d(.....&.....p-.)....4]...F.T..B`.cd.p7.t.;......C.!WL... k...t.n.4o-.S@dZk{...:.L. ..5.i..m..f.......9Mc]...5..v....z8h..z.U+^?.Ql.....TyM....Aj.xU.........s.p3...v.UQ(.`.!J.'..^...S.

C:\Users\user\Documents\QNCYCDFIJJ\PALRGUCVEH.png.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.827220808955346
Encrypted:	false
SSDEEP:	24:c6w+C52IEQHBUuhaDxH2psb4STVgoUYKNs+/2lLS1NzKfYV0IgN0:xCfl02ZSh1KNs+/08zKAV/m0
MD5:	AC2197A04201D333559DB71457CD80CC
SHA1:	2C85DB3E5CF5512C3A39BF52D56B7DAF56FC10B8
SHA-256:	89C8279A82296E9256C17BB87C7FA4F05F0520E3D85EA21965BA3C688957D39A
SHA-512:	93F6298E95BB6CD377D10F0E40C36FF561DFF16EE9BB31F71B2E3ABB2F7C0CDE7055C054234244F790949A538FA4EA3D9F9F941448AEB87FC354202AE28D65BA
Malicious:	false
Preview:	"L....../.-.....a...vd......Ca7@......q[.1.G..&....5.2@...=.V....sp.....Q.%C........t0..t%.{(..K.7.n..`....kXB.yG]..K.r.....P..":...kf"..l.4.q_&[.2....L...&..,#......h...5....{(.X.]..F...* .. ..d/...w9.....hN.>}.id..Nf...2...e&.E}W.DV.T:(...... ...........Z.7.S.n...Y=...1..rS...".e=....1...$.!...Y......K.e.....5Z.#.....0.:..c...D./..5.6.....qI&.:.......~.....#t...(..T..<....]Ic..t......,.....^#i.=..t%h....6<N.+}?.w=M$...?....Y'..\#....{.`..db..3v>....G.....(e..%.F...g;.UwQ.Q......e...&!..i.Q.....n.....H8)......[~...Xw..Z.....SC..Jy..Ni..c........TCrx..../.l.{5..d.e..EFb..C..S..._<.U.\..H.....94..-..."$..e."$?C.....j-.1w....X...^.'....r+.s............>.I.F....m7}i8j._..)....oV.D".6auQ.....7...v..)...l..r....0..l..:..p].r.YD...e.k.@...L.N.!.g. gs=u.l^.V..<..iv,@.....i...s...T. ....Q.o.H..K...F....E....P.:.h..A.)A..s9K`.9J....A.^X..h....z...;;......C..._+..r.5\|C...Y..Yh`......e...p.je..L..M...NZ.&...t.@.ir..Y\|L=1...G8..u" ./Id.[....`s

C:\Users\user\Documents\QNCYCDFIJJ\QNCYCDFIJJ.docx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.827042325771515
Encrypted:	false
SSDEEP:	24:UFy9T71pkjx9BjoK+nFz8WuLmHZU7E6VWfizkmzM6h121zTvYE95G:UC5yjVB+xluSHZYvUJmpCF9k
MD5:	071D7BEBA4703BB1B99B241D42893293
SHA1:	E190FE1814C84F700D2138BEED800DA8CF97098A
SHA-256:	D0C1AC9A39B33EA25B75C3DEFABC6C2285B03262FC2158CA39C84FB186F3A7A7
SHA-512:	CE8EB701E04B3AD750FA81156E2EB9F1524E9E1E79853E26AF2D75DB6DA1EF4D0B3CAADF629D526DCF4102BEEE5216B4A77A569F36B2F58D2045528E45D46782
Malicious:	false
Preview:	..J....L..C.3.W.N.B.Zp.g..E&.$...p"6.......)...X......q8b.....V..P..]O...\.cE.%...q.HA.......F..6.J.W......t.8.j.W../G..X....5."6=........YrP.\.-.....L.nZ.....z....#.l@.?.o......A.p...G.....S.5Y..N.L/./\/..K<.H..K..G@..v..d.o. .....m.W5....0...t."..NP..<o.GR@.U.$I7..._Y.w....:e.!F.#`.P.9.,.p..>..U.-5f=......A...r..s...Ri..\|[s...[.Zv(X.8..YO...).1....L..+.....{...c..`$....;.[..D..#??.a7........Q...P.M.._.}.....[J..+../u&_.........j....8;....a.,...f,..Y...U..].hZ%.FW......W.._G0C.......%...<..e...%,I.k.C..$............+..$.h.....)...(.J#.b......>.....)%3.&B~.6.<vb.....N....x...'...$...MY.0......:y.6.zv..xy..$....#P`..i...B..}.>.>>..........89K.#....nM....v.........b..u...3...T.K..4....l=v...q.zs....\|YU...ih*....rX.....?OM.".....~k..........2.NF.G.2..ZA._{.%....z.J..k$<..).lH..Y.I..'B./..j?.....a...I."..r.y.E]7];...b.......k]..X....y;y.....qnj.6b..N..&v,>t".<..6. .1U.. ......6......."R..?..1'.d].0J.y.0...\H.k}..]h.f8...pm.w.K.o 2....!#.q[.g.

C:\Users\user\Documents\QNCYCDFIJJ\SQSJKEBWDT.pdf.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.816745859142864
Encrypted:	false
SSDEEP:	24:dRmRSyPjuv/cCa+PyKVlmh2th3ZDybZKH++vQctxWlt5i:dggQuvEC3yKNHJ+RqWlLi
MD5:	E2270FA079DF5817F97D53C6A93725A1
SHA1:	B0E6D916CD7F1E1F0BEAA161F6076C4A16A23BAC
SHA-256:	E23CDC87422DA15A5F85A7E69AA34B2724D7ABAC8AFB53C3BD29E572AE917B30
SHA-512:	3AC9C23A1D13C3783EB94FA535D305E38DD201CCF03136606324325E2C87CBDD536E86A843024393F823C0B400E2C4A148CB36151245D007EF7653A28534AD27
Malicious:	false
Preview:	..d...I..R..P...<#........F%yD...W"LW..4}.iD.u...9..?..Tm..oQ...Q...s._G...$`?.T.?..{.<Y...I0U...]..I6..h=+.."......#B...{,...q..E...}.)[....w2;.X...Q..4,...G.@....-...2...&.l..8.._.d..............6\n}....ki...<..h.r)..t.&..;_h.x.`u.9v........._7.w..WuJ.:u..1r.vY.5...!..ZX..DB><.RJ!.....'..#.qE.k..>.U.3.%.=Q.......90.......;...h...IV3.z.V...{...M........T..d.~y.s:..r.....l.b.].$@,.5.h....,.(z...h$.pa.b.w.=Y.P..P........Z~.oOw.tw((Y1`.d..v....D...D@....`..VK..4.9....4..'...F.-P..2.......A.....W/...2..?.e?.N.r..:mH.f......l.W..5A...$o.I%qC.S.6.j..Q..CSR...l../.]".y..~X8_......2.... ...f2;.......dw........n,o..7.CU/.J-`#%.K.fT.e.......`s..Q..9.<.b..P..;.....P%Q..P.....\|..D....A>..^..1T..\|).........FfZ36...\|.U.%>(..'Ju..."..,-...2....m.k.].ZD.1J.H-B..\|..-..{u...'..!].....3...ER.N..].........7.>.B..\....(D.w.m.3..+n.+.S.c.j2...s#.m-6.&.nQ..}j{........y...c..V.....&._4@...Q...h..q.2rp.*t}.....2...4kc..%a....\]..O.S.?...#..@W.v..:5.....I....

C:\Users\user\Documents\QNCYCDFIJJ\SUAVTZKNFL.xlsx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.833795552910824
Encrypted:	false
SSDEEP:	24:iWIPlm4kzmX4XepVRKuRU1QWF9uiIFiwTxFtF/NpSEN2Atnw7ljoLmRr+D:gs4kio8nZfWFIiIMwTLSEN2o6RSD
MD5:	549CA0A28DD19A64A6C69F695AFD6E67
SHA1:	F6BD0439FC1B311FDD8B1163F56892D8EBFE1773
SHA-256:	C42E9DE0B07137260884DBFFC5E929FB65A709F361141F51D32CEF28C7282CF2
SHA-512:	540A77962C26A30D20632322B27DCC998C3D85D006B41907E4936144633AF2E70AF9A06225983804D7BD6B8EEFB4EC8A8263DDC7A95192B34918A00127E2BDCF
Malicious:	false
Preview:	..Yu+'..+.\|.7..t.Cz..Z........l0 ..y.D.n......k.I....<X...b...f.....Dy..`.[b.$....N..(.z.....`.9."..f...ni.3o>..Q.}.S3A.p...\|.).4.0....A..G..:.......4v~..+........h.._=.....Vt...>.nzL..5.W....."..(.{.......S..l`t.@.s........AA..6/)3.Cx..wg.../Hr.@Q.........:...a./.......;..!R.N...]4sK.U...<.%...~.....w..c..).....=H..".....)...8uIw4.....o.c1K\..T7..\|.8)o._..F).m....%.a...r.c...(....MT...=c..<.an0...$l6.F.&..c..n....e./.TF:$u.S.7..}....../.....ua.)..~W.v..]..gc1.d.d.M........h.E...#...bN..g.@.....6.......qT..e...y..2rx.2.g........P...8:%...VC28M.",......?%.`.7.').Bf.~k aCs...LUR..6T+........6<.B.VO5....W.x..p&.4...NO5G..D.lK..8.._.t.8{...PK.m[R...:.o.Id.............@#>.37.v..c#...F...9..\|..@O..n...c...v....R{...B....q`.,3dj..].f...$...P_........^....I/_.d...Rp.at.2.8..-.'3..>........._....O..r..'gE.tb.R..(.{U:v.....{%.4....7.^..2v.4.&......b....v%-........I!.).........z...2...4>Ad...`..E...5..6(.8..[..4g&...)S0..Y.:..qRQ./.X...T..g.C

C:\Users\user\Documents\QNCYCDFIJJ\ZGGKNSUKOP.mp3.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.790746982162419
Encrypted:	false
SSDEEP:	24:sTlaRiYLGQDiFW4dHX92m8bYWcBV7zcrPck+k+5F:ElkdLdENd392pbYLB5zuPM
MD5:	ED0BD436BD1A9D859757B7F70315C23C
SHA1:	62C5D663997E6F0B0FC05274F68F3D0201CC97D6
SHA-256:	C9602848499730EE26C9FD0825FD337DFB55DB308EFF3835912895C759200F47
SHA-512:	0E27DD6FD5E542B15FBC77B872243ED125B028491FA805156EFABFFE8F15A2AF79ADBFF1B28C38703D2CB0F01C059A2C5924245C336B31A9A897FAAE210B1553
Malicious:	false
Preview:	..y..){p...)NF...eF.w.>..;.l.z.)xlCR<..%......z..r...H.......6.+.t}/.T.u....'....g..p...p......X}Y..4......N..S>.....@.n...8x..L..]..GW.....w....o...+.p.AA.G0....f....5(QF..$.4..v....{..3.-.-.y.X.%..I..IA..c.....\.....k.W.....B]..\|.#'.8.I..a...o.9-^W.\PP....^.&gW\|..E"S._...Y...c....K.,...G.........r.jjK+....}/.K..K#....C.)7.F.N....F.. .........d....u.%..L.B.nw.Y...5ioC.)......j..~..y..$.;..mToX.J/G g....pt.g.\z..+.f`...I..".<......w.O..7.....B.!........U..-"o.Jg.....N&U.....C..O.....B(.%.;..p'p..}.2..x.G....Iv..q2 5.!..I...t..7).1$X..........Q.]..Mc........>.......$.57N.C.LC.=.>.....P+...-..FQ7v..v@....~.$..T. .8......S..ME" ...>G..y..(......"%.......&....dD...I8q=..x...g.NC./....8.`4....t".8.cZ..i6.e...tZ.V8.9./...H...(.P%.a7..`79.U....U..$C....v1...Y.(.Cw`...e..),x..k..Q".#c..[8.pSV.,%.=e<.......u.2.S.-A....;...pl.V......g.8...5.....:...n.1 ... ...z.......TS.f.....S...R..:...:.8.2I...._......h...wX=......kX.=..m...;#........1...0..[r..

C:\Users\user\Documents\SQSJKEBWDT.pdf.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.805770940701389
Encrypted:	false
SSDEEP:	24:JYZv0ZuyN5xK3aCIzh9LFDmFYzQz8cuh9PCvQWBErO9rVdO3/1:JYZv0gyNrK3TyFDqYz/NzOQR8rO3/1
MD5:	85B55ECBACC44375D0C5D5C87C651377
SHA1:	4D1FC0D7F10665144064958736288319972E3CE0
SHA-256:	D62E0775EDFDE46BA54956377C2F018897A6D3F453C4C103B5FA6204C535951D
SHA-512:	0115EF1EBF5E3AB20C3E9AA4B6CDC97DC22078F28A7A93190A03A7517FF999A74BCA35FD22341DEB55EF64C896EB55585DC8A1CB5EACE7CCB6BFECC715C830EA
Malicious:	false
Preview:	q.Z.)..w..z.....M....EX....;].I[.......<.:.:.V..-.e....\...X\....Ms..i...o.G.....d.M...f5....Z..C.W..?....\.2...4:p.9D$.7..h..?]f.5......hHe..........E..:.E..@.....>..8_7T..s.:u...@Ub.F_.'.QT.....m.......fM..MRZ.{.`i$4..HO.F!.nV%.A)..WB..u..i..C'.`.......(~.0VhH..............MNqX.I#=.'RE..3.N.ZK..Y.U.V....Dz.`:m.4.,.Tv(.3..q.`..m....1...mO}?.`..^.z...&@..`...../..\|.U...q.0uE.A..m....\@.%7#mb..U...",W.zN.4......n.4 ...@V...s.9...RE.......A.....9..7d;..DO..,.Ds.S......F.,.WS ..(.5U.\|.Y..Gh.`..\|.pT..9....D...i~..-.....^..@.Q?Ab.^sD..w.....E?.4k..".5.......f#..D..M..........B....J.D.....6..Y.1.>...l..E.W..$...."d.~8+...y..wZ~-..<.........r../.MO..w.....=.....9S.$&.^.+.....v...Lv.7.e.h"..f4...5.N[.-.a.-W@..... 6.(0.6.U.5q}....{...........3..G.$..W....K.W.v(.^.g......v...Z .C..v..+/K.u.......6.....iA.........q. ...%.....86\|H.B...C7.).,.6......i.vf...(\|X......r......*...,....9{.N..9.i..^dfu_...J2...1...p...d.. a..U.L.z.)HC.............]E.

C:\Users\user\Documents\SUAVTZKNFL.mp3.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.812187441110712
Encrypted:	false
SSDEEP:	24:/zFTqpMOaG0gC/xa7l53v4RujqQfzo6KcWC84eq+S80:7caj/xmvkQLozZ4ey
MD5:	5BF5EE90D1A849AB48EC2CAEB74AFC08
SHA1:	7CDBE8DE720D57713E1FD62D185F9839430695A4
SHA-256:	4AC11E625554F718EA802F3D49143037A660EF9CD1932A6B23E397C9B6359876
SHA-512:	A321583E64A182C1B844680BDB311C6377CF87C5F41BF2A5E760D71B692759F377CAD18C7BC4A627C06E4C1F1AC58DEBCAE6779948D0A1EE85E4F7F5907D7C61
Malicious:	false
Preview:	"..@IG.c...W..dD..&...$T2...%.[..(.........A,z........}W......6.B+~......S..%.....;...u.k&L~.........>~.k.d{.;N..Pt..G...........~bFC\&....<..t..7-M^.R._.u....o.....;...E..$.p.Y.(....}.g..<..a6.g...../PU ..... ..^}.(...>. z-.k..F.....j\+.I......7U.g.....A.+In.nAIe..]...y....ry..H.0C.h..........%.Y.Z..l.....K......2...K...`..".....s`A...uxk..KV.zaCM..oG}.y+..]v.,.nSu...L.=....j....z.?$....B....s.h.h...K8E.3.m}-5a;.-zx.Go.^.5..I...OG._..hT.b..h5l...T'...y.....^.....>]....&Y..(pI.j.....zS..?.!_@..<......%.y.cE9w...Vu.}.q.:.ZC.U.....c-.=~`j...G..f....6Z..V..}.yVy...?....,qR...-.X...e.n.2..G.Qs..B.q...MK...7..sv..d..`....}.....1.6\.@g..R.[.w.."......Z........3..y....l.%1a.\|\|"q..?...j\..{4.67..o.$...f.".+x.e.A.}.._.(;WYK...O.X..............a.Ija.bKP.1.Z.k.=...JSq.9...C1....7o.#.9.....-..9g..*.&'=m.......O..h..F.k.b.7...^....&........4..E...7{$..4U.M..D.x.....J.....T.L...I....b....Z..K....v:k..m.....". ...K]..(.~_....6.U^..a.....lv...;6Pz,

C:\Users\user\Documents\SUAVTZKNFL.pdf.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.809971342667569
Encrypted:	false
SSDEEP:	24:m2rRwOol8mq0IusvVuVCCiBff+0RnUxdhf28cFL:m2rfoq50I3vVuQCnCnUHwT
MD5:	707E6FDEF845233C6FD5EBFC72987270
SHA1:	DAE5F56F37FF961A175BD7876659C6C280C70724
SHA-256:	E7C9A91F29278A54521E400510921E6BDC0F847E3513D8D50A964CFC19AC70CE
SHA-512:	9717A13B92D1FA99566135DF8ABA7D74FB7E7A087DC85BD038D4C6278B0314EDBDBD0FFA7C7408331E82BE9541BB7304F60EBC5A175A01560E99C34F56FE21FC
Malicious:	false
Preview:	"..os<.S(...^[,8C6..r.~.A......:.........X3......@..F.....\|...k.gdj...E...0....k^...E=^o..P...........hT"N..uY[....Y......k2!...I^3}...`..P..]./mU.Efn.o.......139.E.t6W....t,.4.$.C.s..../..?.K...D.ouL..Tw0:...SRIg...U..O......._..r.6...x1.....7...&..T...b...0.VA..8...LD..{.2.. ....U...]..t7.%........"...>v.P....._.$...^..Q&.._O.X.I...,.8.o.Z ...(....J.-C...v7q..Y...`.A..2. 7..#_u...A)3......Ul.................a,....h{.F....<?.....).\..v..l<,.."kv..l4].........1;h.;.....J. .F...k&2...'$.....Q..D.t..f.`....3.)$."x#,a.@.q@...b..9.....6.........-.....:.e?..x"4.9...E..{..2t......).....\|0..D.y........5..#6hd.fD,.).j..+v.mZ..../1.}I ..5.J>:\..N...5.YI.P.Q...o.^...9....gp..1^.XD....Z...C..W-...M".....s.7..W7&P4.]......Q.W~.Us.F.,>....?.'d.?}.i.X....^G..U.,n...^.@..}..F.i..=.O.....n...+.>.."......)..!v=qt..gq..<.-..m....y...0......;.-o.^.0..JQp.I.W....j..% }^..)..t3...gI>@.N..ID.....3..z0.....~.P!5\|..j.Q.:..,.#.B+zs..K.s...6.i.......`W.....Y..x

C:\Users\user\Documents\SUAVTZKNFL.xlsx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.822718788353395
Encrypted:	false
SSDEEP:	24:22hyTkrek/3qTn0dLbOvAQWKiAhoolDRH:9ek/aj4LuBoolDRH
MD5:	EEC62FEA612FD3374EEC148F7373E04E
SHA1:	7659AB172D4867E09A5B70A7189B1240C2D58FED
SHA-256:	871E9B2C21F5B1BFF28D9ED007CCC63B0C89B14D685A7B1460DE79D2CDAB46F9
SHA-512:	C90B60E715D3663B074506D113810707D3A053A68CD47870DD3AEE825ACC29AAA6FE99AA09CF99A7BDD4B1EE2432605C3337EF03EC649D94E620431E3D3AB628
Malicious:	false
Preview:	.S%.sI.gf.-....o.=t?p....V.r.6..@P.."...-TM..Q.dz(9.Dg.O.2.Y.,/).=.%.\|.{..8...Y.......Kn......6.?;.._.).r.F.....j$y.!....Q.K0b...\|...LO...t..L.....e.hF.>.A8:.Nw......V.:N...0<..a....<...v. ...{...y.g..t.....u.a..u.$.mh-..,..`......`.q.ZW.....Z.....#^...a......T.Q.W..g.n>....).`....y.o..Ck.......q.:....!..>.../..G. ........=b....Mp..%...:.Up;"......c}UY..". ..r.....O.....zR.t....6.d.O..8.=.e....K......9...O}..F..m7...wdsx.>.8m.Mq...}......b..O.....z...\|.....n7.....?..e..:.p..z..#....S..rh....z.2...Jl...K.4i......i.l.kC.00KB......~.Yf.-.J.\t.Mo...p.hgD-.r.h...(..)U..7.:.<i.....71........~...o...kjc....pLB..E;.......r.k......[...r.~p,.%9..YV......]......^...y\|..2.....u.p.q..M..1..f.....f..1...x../....5..G....dM..:.?/.......bA..-....N..v..jE="c..).....< ...J..R..D.0v...."......m....z2...3.j..K...._2cV...L[...Jop$..'.V.*.......x./L..8.>...=.......u6...>1......i ..6&Q./...d....v..d..Tz.h[..p=.k..Z....>.1.:.s..(...;...W.:G.....Sh.

C:\Users\user\Documents\ZGGKNSUKOP.mp3.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.831375588011162
Encrypted:	false
SSDEEP:	24:fouCHc04pRiGKr7goFbMztml3asH2VxVaA9t+lzfA7SZn:gu/0cRibr7/bBB0+Dt
MD5:	2CA30C18BBB1150994C55AFDA8ABFE2B
SHA1:	EAD607113D0FE3856726796049473A7135FA99F4
SHA-256:	4C012BFD6912B38D1EAF7C870F8FB86C81F0D00B040DD725DEA5122991103C4A
SHA-512:	DEB7417ADB920FE313750E4C99DFAB18DE8BE586A8B43A832D68D3282046C6C01345AAF3929C22564629957A8BA74E68BE66EBC32DEE1C306CECB2B31D76091F
Malicious:	false
Preview:	f'.\|.o...C{w..=..0....F..o....W.W.YU....5.....bP...w.Hg....b....%.......-.k.!.f"..&.D)..19b/...[.$#..J.....Wp..(..jOJ.......e..:)...R8.h.3..D{.y.`ui..h..@..`k.7.Sy......z.o.V..l~....Z.u....[.E?M.;LK.+K.[BA........v+.\|IG.`.......{.......Q.u!.Q..[.......D7%...D.O.G...R....n'.Pb.,..... "..h.x.8.I..Lq......v..U..P...c...11....q;.7..b-.H....e.Gx.8v..{..i~.....}.....s\.(.._..)...i..9.....3.e_....\.5Z...BZ:..n.q. ..a...:%...U...w8...~....2E.)^...........Q$..T.&R{....gpe...F^je......y0.1t..'..i3...";F.>.v......m/.\.q.D<...R.f.,{..[.....Bp.@....@)<..b..o.m&\..x.$..$..]..Z#.\....`U..^...0...-Xd.T.....SJ.b.....h....1..........-^PF{..+....J5&....i..m{.......i.7..=..=w)...Sk..Nc9-..6....#V.xC^.!"..!...AE0.[..;.....@ML.z..7.......U.V.......`.f3...0...L"..9^..*#b.y.5...L.q.,...S..#,.2].eg....\|$.`.2t....8-...Z.{.7H(.d....8<&..b..4...i..#d^........ vY.X.sZ.w8.P.6.u.p..\|..L.a.2..W...L......Q.."...W..R..z...:F...?.o...\|-T.....(.#........

C:\Users\user\Documents\ZQIXMVQGAH.docx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.849661102136846
Encrypted:	false
SSDEEP:	24:XNEkYrbw9d9kskgYaFhTLEGDKoK5OHdBtwFy4p8WM6yhZ:61cahipIGDGFfZ9uZ
MD5:	F854CFC257D592F6E5C9BC5661C5B746
SHA1:	9E6FB31C8D4D9CF5D11926E9ADA2EC67AA1397A6
SHA-256:	76CFA3059F0DCA34318F77AB18D039215CD090E7093BD44CCECA679FABF04DC3
SHA-512:	EF91EB49CD7D65D316CDF1331EDE767EED7D7BF3F531EBA4E883B8306727FE6B39C38E4A861FD4A3D3F440F56E1FE918315E1314DC001B5FCC32C7DA4097AE13
Malicious:	false
Preview:	..N..7..&b..njX.T..J.....v..!;m...`..^...(.>fq..}.....7@..+....fy.>........s.......,.. ...&.>.P.\.)`........#..&....L_7....gd.f.....G.K...{.Wm..<.[/Lc........UY=!.1..xa...'.j...`...W...D.'rX5...XR..&O=s.....^...2.}....A..4,..\|.....g...p..2.........o.V.kK..ZO.3..5m6.5.q3.i..(.q.`.A5=,.#...xQ.+.0.....y.....F....hw... fQ;.=<..U.z......1...Z.8g}J.........k........<e.I.........(#rU....u$.C...oT.....kloy{..>n..u...y.y...6..P....\.L...t$q...d......\|.6..a>.....w......B..o...h....y.....S...Hj..H\e...l.O.f..E/.j....%2..@......a......x,....b...s........!....F..\....:....>...0..\|.D.. ..Q.&]c..v...(..2..[e..1...D.^D.L.s.3.hR..S(..i..-....T.+s.....ZZvY............j.v...._].7.!....pk.L.G.O...;...1.\.F......a^.AA..4.PwyO..\.....~....".3..f3.<........m.p.x........$a.#..-..j..t.h....ooq';;....9.v....C......P.Z...3..Y....g.f...T!.....l[a..FH.->.y..H....{?.Q+.0jr.q..ns.-2.,....{.S...l..E.0B..[.........C..b..J..j.d.xn.....-'W.4qwuM.....Xr........W...

C:\Users\user\Documents\ZQIXMVQGAH\GAOBCVIQIJ.xlsx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.825071158694087
Encrypted:	false
SSDEEP:	24:6ZvoX8gKLA8FfFZi98HT3U5eaZTBxbbTchouIH:UvoX8gKLA8vg8HT3U5e6rbncSuIH
MD5:	A772214AE11B16DEB342D20D4283CF6F
SHA1:	8D4570E63CFEBC92E7870AD6EA8E0087D760BF1F
SHA-256:	183B5735DF590460F7513224B011E1F4F6DCE468747433324FFC13660AF8667E
SHA-512:	7DFFFECF55212D5853C046CA506BA3BDDB7700197D31690616E377D9648A0E00A4409D698292CA25454E0B0713AC532E776274A4B645974376AB39A1E1E35310
Malicious:	false
Preview:	....s...(.DY../=.N...z=n..X.].......D.......b.v.......-..mc...+]R......0w....m..#C.F..b.....i's..k=....).I<.A..,...M...j......j8.w4.\.D:.U?.....l6.g.....<rn..HA?....yz..b..........u+.........W....3...u..Qx.G.B..Eg.@i1..4.z.f........P.t.......>.].- EE..)..W.^.`r+.....+..B5r)...9..vdS&.l..#)-..P.P.?;.#).K..w.\......s..`..n..g.............yF.`..@..A]......(..]=y.g.&.m.....Z.]!....]..jm./5.....q....&B.^.O.%';Y.T].$.+.......11a..&G..do..c.....U.........}.O...ne.M<..w!..o.A..4........>!....yL...p..F8..Afr$m./...;....kA.XRbL.......I...^.(f..'.$......I..../E!.6.^..c.@'...<..-..J.s....x..;.E.._.y0.l..J......X_..X...d^L<A..._...d...I......3.2..8f']..y........I8.YS..a.,..F.w-l..B....M0m.,.v.].......R.vp..9.CD.s.1q..}........1%.$..}y1...3.....3c+.'.P..q^..........5.v..sA..0G...X(.~.mr..x....&'u1..g.qL. ....%.Q.7._........\.m.....H....D..<`.....&..f..L..Ru.nB{..{......."e.#.....e7..k.s.....T)A...R.h6. ..lE=u@........s..G...cH!.."u....-.W8....T..

C:\Users\user\Documents\ZQIXMVQGAH\PWCCAWLGRE.png.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.8037059069591805
Encrypted:	false
SSDEEP:	24:O19cfoUUAIopRNUNRqXVPSoEiWbDWh30iGXDSeNu:09aUKoqtkqx0iGzNNu
MD5:	5F4A32730D1C9B1B3CDE3BB3536F403D
SHA1:	97E285654BE9F0C05F652D005065DF5B46EFDC1E
SHA-256:	283FA4B48A738E140EBF0FC93F4D4F8874B8810673E74815189240AC3484A074
SHA-512:	5344BC5604389820747E10904BAEBDBC0DFE4042E53D60D13324826F6FFC7DE66D88809184E7CE49E299165F35146AC0DE6022B9D2AE464E8FB90A87BAF614E6
Malicious:	false
Preview:	..#..2N+...a....>......n...t..V.v0\.+.0#....#Tg...L.I...#...NF......9>+2..8..{.{.4..(xU..._.J3....e..~,...g.R{D...@........0...I,.N".]..P.@....m.!.-..7.....H......24.O>m.h..bU.Uip/qJ...w..[..]g.m.OH.+....2.Z.[C.Z.3..>..7#...G..b..j~.......+...X.I 3..4.ig.d_.>...=h...h.`Aj.mR8..R.....gH..B....q.lM\.Z.bB.a....hpF...z`c...+.!....}}tb .3.!oE.rY."<j...vo.fVZ..j..M....m.%f.b....b.}....e v..D.V&..$.4......z<V...E..x..r..+...+Z....t......H.>F.....T...........m..D.M..+..(....dM=..8..."....p]:I...9c4...._.px..!.A.<B.w!k9.7....T.....M.......a.......2.K.........(..FgEOG...2..?.L.....9..-qgZ.pzI ....u~./U.aeR"=C.Q...W.Y....H.........6..z.8.....G...9......)lc..Dx....pr..O.$.X+.S.v\|.r....9.Ra.....<...p.7......W(..=.L.6..sA.>m~D..t=Z......lO.DK...Y....1s.PD$.0m...MM.W..W.~c.xO...4+B..1.$to.{....$..;B..&#....;..o..Wb..zk....r".../.p..k......@d.4..iIB...@Y........-.h.....G.."I0.G(t58.X..p...uB).w...-2.\...95.x....v....J..vu.aF..%e'@...b....jr.Q..=.1;

C:\Users\user\Documents\ZQIXMVQGAH\QCFWYSKMHA.jpg.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.818235363150874
Encrypted:	false
SSDEEP:	24:2iaLeNmH1k/0nK0s/BPa+jpcXfSjMZBAS:C4/0KDBPdKKjMZCS
MD5:	5681EC0A48123856944851868998C90F
SHA1:	20284844FE5AF0BED6EC762021DC1007B8C495DC
SHA-256:	9464394193FDECE91CAE260470CBEAD82BCBBD6C63AA9BA5F27A3719DDF1E31C
SHA-512:	8CC8C0A58E03A78537C4DE7EFF0F331D2B6FAC6A48A703497E5D2C90AD696A167E557CEFD644D0ABDF5153E465729A67F1379FE437B7006258D84F8756B663E9
Malicious:	false
Preview:	.;..T..V>HY.[..[..N..{.g.e..<.p..FZA.&.0g&0....Na.#...k.R.......I9.#p.."...q......(..]..t..R8:n.>...]..~..9.m.....2.....U0....7...u...E....!.d.q..KsO..7..Yv...h.&...W.,:^.)......U.2..8]..[+.$...Y.)[..\VO..?.'$...f....}....'s..)B.Lbb...\U...#q!.L....I`..e.v..d..\....0lC6`.".......'KTH?.....u./....vH.8.bn&....A.....z;.....JF........e.).:.o......)....x.j...Y.,.S....wh.X=.wg..Fv.....>8.].H..qs...W.'w.7.d...{.....w,}....{..4Uw.=!F.xT..2.^<./~.;...=(1.%Z........<..f.wH......Z.._..7.....t.>%;V..N../....}....Wc.^E^j(..$....h.2.........7..TS.q.C..x...+..o.h.r...X.YH........Y.q...#..e^oy..!....t...'V.c"$.,!..h9..-...Xh..W....%.AB.......I..UcU..K...B.....I..[s.G...vm~.q..Z9.~..(..E../E].9X;nWt....R...H..L...L..:..p..^.J.'.B....s7`m....z.....k.../.....+.H....B....l..m&5.c5...r%f.a.C..!..h.O......J1...X..n..PP..\|.!~.O!.d6Y.\|...\.0..z9..[$........DO.....Rd.~M....X...[.C.p...U.`.0.../.}......J0..F..G.......t....'......\|.T:....D...O.H3..I.\i,0..@.DL..$

C:\Users\user\Documents\ZQIXMVQGAH\QNCYCDFIJJ.pdf.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.827249046187877
Encrypted:	false
SSDEEP:	24:JelkdVC/RgThc5AQ/I+PNub8Uj9aM0HX7kHebYSS3/J+g6E:Jqk4FI+lEbj9F0HXKyNS+E
MD5:	5FAFA33DFD6BE096738CCEEA8568E298
SHA1:	C2F86057089E9E4392A873D8781CDBE6753D29FC
SHA-256:	08682D0571FEB3E25A3A764847C9314DF5528C3F8A9950B5681548FA9D3985BE
SHA-512:	3BEBFBDEC86286F30EB01781784F3FED3F9319381D9953BFD38BE298CCCF850645FEBDC97E4FBAD546C6614F378574461EC8803F42F15D6C882649056AAF2A6A
Malicious:	false
Preview:	...../.[4.n..L.....A.k.u..eb..u..ON.iQ.m\.S(.._...>B.."...sa..y.WW........%.>4f.Tr..kt0......S....+!..........c.6...$Z?...l.J...\$Go.j.)fP.Q-jUiF9Yq.../....."e...c.g+..U.W.z.Wb.!.....0i]...f...c.!..n[..T.XvC$..%...cS.k>..E..g...Ny.U.8..^o.e..<.t;...t.9H.%U.....cs..W........tCi..c.......0..$G=3.9.3...j...g\...5..-H...Tj.;....d"...x........O..r........Z....G.!....o..7SJ.cw.).,.~.@...i_.B.H...z6.P.....~.p..D..P.H-.i\|.q.d.. p.VD..P9.G./r.{Rk..\|......E..-;...Tmk ..q...eh....nQ7.K.p..n....@.r.[...<!H..<...\..S..,0(.....+.jg.........U.E%..B.0.D.j`l... .~../..(.K..t%C.&.q......V.v$..b2.8.`..+....g-.....&.*}.L...S}...a3.a.t..G..Q..M.B!{7<8.A)...U.K0.....7......_...:g..I9.o.-!..L..n4....^F...`S.`=w?..L..(.wez..N.<..X.$../.....'x.<....b.._?...D.<?:O.s..(t....,.6.W..2p.uC$y.lM....dak.p>s.m.O.8.(E3....0...$...?...;l.x+...\..q.f..a..........>:..x!#h..R....-...."&..a.....=.K..@-x......va..MV.".;GHa.Z..Q3..&0k$.w...}...?..+ja-...x^%.R._0..]...?o9.

C:\Users\user\Documents\ZQIXMVQGAH\SUAVTZKNFL.mp3.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.800960823663098
Encrypted:	false
SSDEEP:	24:9QUCHScFh4vZhrFcZo0xhDj9emcfNNw6xEs85gFGdF/9Nt5xth:SHScFCjGo8ph4Hn85YuFJ5xth
MD5:	4649BBBE4F6488D8C43D35AE5810CB36
SHA1:	900847FB55776B7F69FBF91D968F2D8054E5A272
SHA-256:	56F763980AA879DE9316EDBC387950508E771BA04A6BE3090AEE25EACB31A002
SHA-512:	941C8BCAEC692DA5A4E4E7A709DFB59B593E652713E7E2EC950A918468BFB6B46E6873EF8669DA03B02A9A9169A9F43873117B947C05D9DEF42FF634F3339C2A
Malicious:	false
Preview:	5C......fGc>&(.c..q..S..#1l..^.5.{{..X.c;'..2y....#O\|.3.....5.\....(.WB.....Bb..9q.k......"...o.lN.....:.5....s.u....b.3z+..c.l.z%.p...K....4.....%x&.q.[~....^..C...3.!x..ei....Y.{MIf&Y1+...I\...L.c..).(.c.l.}Gz.-...ifH.G.pjp.#u........mI.j...4C.....s....A...r.Z...$v<.$Itf....H.U.]...}..&..}.;...3...I=.......z.m.#P......5...U&n^)}..K`.c<).APd..-..X[...+.ZG{..j....r."1/..E..L.O..eR..\|1./ow.'..K.v.W.....I.I..3uhb.KD....c.....z.\<.<.W(....(...%.r...h7.Q.....\.&?...x.=K`...S.p...M.-.~...^....g.szZ...Y_.2.o.g.....Bv...(...................q.`.<-.....b~.(.S.x...*-.,%....:.+....hT%.V..;t4.h\|kX.91]q....IxE..VQ.....<8..f;SA..'.......QzT.oI.....D..M.kN5..r..t.V.+..>.......\.D.e.o9....9"K0..9...DV[u...$.\|{A.....2.....Z.!J.(S...h....o..%.j.B..Ly5n.%.y.+ ...1.5?...H..G=..m9..)..O.....>.3..`..T...oZ.m.>:..\..O2...G.....=.......\l^-....u.-.....(st...Pc$......iW..w$Y2..uP...i.U#.X.q.1E."..d.....<...rT.D(.1....<..A."...w.1...&FX./.+.?X.?.(.

C:\Users\user\Documents\ZQIXMVQGAH\ZQIXMVQGAH.docx.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	7.842365700839332
Encrypted:	false
SSDEEP:	24:vK65m59UUsgA0cHRf4VVFmXKmA8qmwXMnyd85irpw:SOYJcJ4VVkXKmA8jwXMI8cre
MD5:	194EE0959FC40D5E5EFA384D49410907
SHA1:	38CB0BDB1F01D5AFB54BA2CE7BEEE896E054684B
SHA-256:	EB61CBCAAC299EC1ADEA3CD789690489D623A2CB71512EBF911953602F363850
SHA-512:	D50A93F20C225DE5BD40DF553C010EDF1F229C02597F6CC3F13C0189E1E0C1B402DB68058DE13AB15E372F7A1F60FD1654C86AC499CCD2B55521323598D2C0E6
Malicious:	false
Preview:	/V.9i^t;..2.*.q../&.W...Nn.8..y..zd..v..<I.O..s...x.....9,3.]b..}.M...Y.c..w1....I@..PL.....>!..:.........[,...LD....9.o#.\|vn.,ye...5....X\|K1.M.r...?Rq.......;Dh.(L.T.....(}....../.....=&0......B}..B....A.^.5+.+Wh.f{O".d.u.....mj.?&>..&.ON`.{s_.$....J_!.3 ....%}....B6a.Z.=Ua;.8..(8....E.sKov..2..I.mO...V.F}.P.....J..'.E...Z+.Hf..].>..b.D..!9.%A\|.svbdL..=...{.z.P0.!P/.e..M...6..y..9.do..s....9#...,.......#.YFr...Ye.y...........u......p.b#.Kn$m...?......1....>...@.....)...D.(...!ZD..b.Q...4P.J........z.K..q.,D..b..o......u.$HY.#.......1....0.p.!.._!Il...)Am.7...<)SR.U~..f).6.k......>.9.i...I..k.&....y...>..&T...G......].'J.A.(o.QA.V$.3".Q..)...PX=.g..hV.bN.?.. .~?i.]z.............H..?]2._.N...M..LL..`u.7.o......i.4.gx..4....mm~..G....(.O.6Q....v.\..,..........1..k.-..,.cg..VRf.............]lh.l..&.......P.Lc.h....dS.+x.......[....v^.\...Xyokx.[.M.....s.../9.....=...S.......X."z.........n..z({u..V.....::S..\5.._.;n.P...<...miV!.l._......rpP...

C:\Users\user\Documents\desktop.ini.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	448
Entropy (8bit):	7.564528368619984
Encrypted:	false
SSDEEP:	12:bgmKU5gsVJSr+88vCj873vOd4G+v7N6W4GEgPrBuEHn:bBKU6sr5HvCIx+WAgPr0EHn
MD5:	0271569B2C49FC80843115B092FA3BB5
SHA1:	DA895D47561B9957B92B91A0E16D7E945797698B
SHA-256:	1BC6F4A437D635C360FFB279B60B494BB979379EC5DCC9C88EBC5A5EC08A3E21
SHA-512:	224963D4089C79861D88B53AE6BD08148812D201877019083805505705CF3418E96EFD88AD59F5AD08CABF0439DFDE441D738D12E6B72AE7C8BF39B34A80BAF7
Malicious:	false
Preview:	:.=}....s\..g..LS.!D.R....t ?.i.S$.rB.{.).;.......?.5........{...<.8...gJ._....\|q4...a.J.........=.....1.............z...2.~R*....}..AHx.-.e&...o(.H.UW..<..zN.......Z...............{...E.Ii.]"y.{.x.t...>.......2..xV..4F@.w.#....F.B7....Q..0...c....U.3.W.....)....(W.'.u.Vv..`l.YYlM.x}..RPn..pA.@.n......dn$.....4x`.'#...f.eT....p..C..Y/.[..A!..{.l.c.C.\|........pC......!'.c.).$.J#....%.....,.@..M<.z..F..5^]....T...."....20.

C:\Users\user\Music\desktop.ini.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	544
Entropy (8bit):	7.617180295851001
Encrypted:	false
SSDEEP:	12:Ve4OrsdsFtWxK/HiB9CDs7V0byHOxbNHoenuGdm7ceNxyipm5dw1FWPc1pv+6wG:geM/HiB9is7ObyHcBHo25A3xyipiw1EG
MD5:	5E3C0E8C3938814419167E4584D966C5
SHA1:	F1C64311BC0358D046F621D5D3C7B61C5C2985D9
SHA-256:	2487AE9A2A938373F7592D51BDEA2BE13A7E89F2D34FF1A368CD3994D0969090
SHA-512:	62F1613938EE5B4EF3F2DC20FC669E21E3319AD944346B64BC0AAA6FC850BC316F6D60630D383A6720DD202952503F3AF7725139652CEAAA2A8FFED724C0CD71
Malicious:	false
Preview:	d%......~,.l^..86.....c8Y.......~,......$t.I..W.a...%...nEwov.z...T-mq!.79:.M.%4...X..~..!_.....H_.3..`....j...xgW..{[.....-J..}.:.1.6..Y^...,..{"CO....D.....~%.TO.;.$.V#.$.fk...X...6O. .J.....\...Y.h45.M?..D..N...Lf.%&B....'..$.....5;....g....W2Cm..m....-.1.!..h...p.9*-ZC..0..s{......9...NtP.>.&;y.JQ........_e.....Ot.........r]q..8.Yu...Q..`.....7Yh!.{..n.nv+>...5&.bA-....o^H,.\o....B.C..Q....<W.<x@k.T...&&K.H..hF.....HJ.w..#.g...k....^5z..0a.c.zoI...T....@.0(..i.05`.@t...[......p..+.p...7....F.d.E.w.7....

C:\Users\user\Pictures\Camera Roll\desktop.ini.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	224
Entropy (8bit):	6.995687343807029
Encrypted:	false
SSDEEP:	3:SsS+CQ7T6R2xy+fogBU4NwnG8gbrX4sQgnCutCnKbbneC8i46wR6lyO684449T6H:xCQXFoOKnGtH7Qgn+mTd8n6oV8peC
MD5:	1DEEBA4C7984B0A5AE03B21FF7DD598F
SHA1:	A7EC89FF74518B798AF20F53433B7F878599FA7E
SHA-256:	C03E3E15571968D502324529B82B2EB50B899B9BC6F3562125FA66A8AA3942B4
SHA-512:	2904ACC288839E45A42725BEC2A6B6D409A7465F97E9A8A39F9B3AE2C641B8ABF53F581766C4766B646100741E31BCC234E82D022305CF4A56A31BE59DDE5ED6
Malicious:	false
Preview:	..TI9F.....t.....U.D.6.....z.T._.2..~MEI.....qb..&c6u.h....P..,.\N...H.2..9.....k.P...u.&.M,.......i....t.3...pFG..v.5...+.^.#..M2..r...a.L..j.4.g._.,{0...'..O.rFh........G\|q.....Z.@.Pj..j.pX...O....l.B...yRw.n.._./,

C:\Users\user\Pictures\desktop.ini.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	544
Entropy (8bit):	7.63209153075476
Encrypted:	false
SSDEEP:	12:HKeCbcocEDKSNaSHT9YovEPhbRmdGhKk4vxLSHSWYCPatI7V01J7D:qVbcocw9HTKVb4dt9FQatI7V0Pn
MD5:	3A23DF5AA1FC5BE79A021AD3E45F9B54
SHA1:	01EA0C6DDC36F7475608F8F554707954E6A0BA2E
SHA-256:	B7537CA13FBA2E31D43AA4B2CD70B0341ABBAB68AF85EF93BB852E54B49B638F
SHA-512:	2E4DAC973213E3B4402000BE515F597C51B19FECF3DFD0F61FF5CB09E5E2C25ADC76E866FF3CED99868257574D4BABA14F56771DBACF4F3A0E63305D20760ADD
Malicious:	false
Preview:	..Oj.{.a.Ztt.......x..O.N..M.U..)...?...Y..u.S.[...u....&.I...OK.e.UL...p.o..L=.X.T~.'-V..Y.1.....b1.....A~(....m$...C7fG.h...,....Gq#....U...c.^6V..p8...?.Jz.P[..v"..7....u...:'......%Q\..K......u....1.....QW.S......M.....LDk0.LA.B;N...t.m.63..2.j...E.$..yX.~4.1.y.j...:..g?.g....{)..Q.,..!..5.d..5B..g.O....g...)3.Z..^......px......+.Qq.B..E....6G+.e.....=........\|...f..t......Y....P.Sck......pg.4.O.{..16.6.y..rU9..}......Z.4.$[....e^......mql.....M.u..r..a<..O.......cgB....t..i;..O#e..#H..".>R.....u....

C:\Users\user\Videos\desktop.ini.ncovid Download File
Process:	C:\Users\user\Desktop\gnRxs96FsV.exe
File Type:	data
Category:	dropped
Size (bytes):	544
Entropy (8bit):	7.638276183557499
Encrypted:	false
SSDEEP:	12:Mg+5jVYS2pPenviv0urlXHyCsgSua8Cx6w:MtVwheveZ3yCQ98Q
MD5:	BC6854FA257213AAF8F73BD2B3A1D3F4
SHA1:	07E52B25863CA3A1CDE15230180851DAD63EF4ED
SHA-256:	45E9EE4CEAE988AF1F18FC731114FEB1EFF8B9DBE620D47A4A4B66A87EB8BFBB
SHA-512:	86E6F357F59F6E6DD53966E237540B0A95215F39C5CF1DAB337D01E38079BED1AC8E82D889A7CE90AD185F9C73EF5BC14C3B30ADEDA4391426C42AB7116946C2
Malicious:	false
Preview:	?..v.p..T..r........fm'....._..vH...."TD.'..}..{J...H.~..aseEo3../.....). M...\}.g5..W..L.\..}..v.......&I..,$...O-XGM^?5.d."".Z.Tn..d.]T.3<..!D}..]D0.QV.\..V.I...&....C......z.(3.d.j..........).....H.f....^C.Y...n......+.@..:.P.=r^k.....B...f. ....M>.H..Ey5tk....'..![.%..?...b.lx-..Ag......*:M....s...i.\..P.k....X....).q.B..ZC..B.\.f..).Vr9.2..I.Wn....1...XhT",O..>...sed....a.....}.._....e.....r...B..R\.)OS...>...@...Ys.iY......mZ.U...t..K]..#..}0.-....`..z..v.k..t...C.E.`Rv:.........L...Z.Z;...........F.......5..B

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.4209988474875805
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	gnRxs96FsV.exe
File size:	16384
MD5:	5313e9992ef078a5e58f9f416ce99645
SHA1:	3efc88de42d37c02ee4f3ed4f78f7855d805869e
SHA256:	372fa440571b4ab1db28d8736c9014e11d8e27277c094062f2c444b6b97e8182
SHA512:	a904639c7cbe309936019f194ac2992a4c203feaf82111fc27dbdf36a03d81723c956b3f0fb2e7b11a6133817f4862c65c947f9f97f029ebc81927b93861a1cf
SSDEEP:	384:BFOjDL3OyGtKgFKOwfyvHYYPNOcvifzrkYcKV1:BYjDL3wtKgFKKVkYYcKV1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;............"...0..*...........I... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4049f2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xF4D93BFE [Thu Mar 4 21:02:54 2100 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x499e	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x10f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4914	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x29f8	0x2a00	False	0.5	data	5.5571059786	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x10f0	0x1200	False	0.390190972222	data	5.07660882123	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x6090	0x2fc	data
RT_MANIFEST	0x639c	0xd50	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2021
Assembly Version	1.0.0.0
InternalName	covid.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	covid
ProductVersion	1.0.0.0
FileDescription	covid
OriginalFilename	covid.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: gnRxs96FsV.exe PID: 5376 Parent PID: 5736

General

Start time:	14:44:54
Start date:	23/03/2021
Path:	C:\Users\user\Desktop\gnRxs96FsV.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\gnRxs96FsV.exe'
Imagebase:	0xe00000
File size:	16384 bytes
MD5 hash:	5313E9992EF078A5E58F9F416CE99645
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: gnRxs96FsV.exe PID: 5376 Parent PID: 5736 gnRxs96FsV.exeCOMMON

Executed Functions

Function 00007FFAEEB3063D, Relevance: 5.7, Strings: 4, Instructions: 679COMMON

Download Yara Rule

Strings

X38K, xrefs: 00007FFAEEB306FF
X38K, xrefs: 00007FFAEEB306CF
X38K, xrefs: 00007FFAEEB3072F
X38K, xrefs: 00007FFAEEB3069F

Memory Dump Source

Source File: 00000000.00000002.481356043.00007FFAEEB30000.00000040.00000001.sdmp, Offset: 00007FFAEEB30000, based on PE: false

Similarity

API ID:
String ID: X38K$X38K$X38K$X38K
API String ID: 0-1694107225
Opcode ID: 95325d277ae1b3664621127af5817e3ef989c6a9c3852485663953b6dd3b37b2
Instruction ID: cd149881aa580632a15f82cd220514a3dbf4c87bc0d2f59444279eb2dd83579c
Opcode Fuzzy Hash: 95325d277ae1b3664621127af5817e3ef989c6a9c3852485663953b6dd3b37b2
Instruction Fuzzy Hash: A032E870A08A0E8FDB98EF28C895BA973B1FF59305F1141B9E01DD7696CA75AD81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEB31D11, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.481356043.00007FFAEEB30000.00000040.00000001.sdmp, Offset: 00007FFAEEB30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f297323d3da61ae4fba77f55a76cec9c4e48ca440c0ff1f86c02845056c50ee
Instruction ID: 695bdd0fc005ec5b311ef8e1b5620c5e4000db1545892583722d4021bde3e7b8
Opcode Fuzzy Hash: 7f297323d3da61ae4fba77f55a76cec9c4e48ca440c0ff1f86c02845056c50ee
Instruction Fuzzy Hash: DE11F030A1894DCFCB84EF58D884EA9B7F1FB9A305F4114A4E00DD7261CB75E9918B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEB3184D, Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

x\)M, xrefs: 00007FFAEEB318ED
x\)M, xrefs: 00007FFAEEB31B9E

Memory Dump Source

Source File: 00000000.00000002.481356043.00007FFAEEB30000.00000040.00000001.sdmp, Offset: 00007FFAEEB30000, based on PE: false

Similarity

API ID:
String ID: x\)M$x\)M
API String ID: 0-4116677298
Opcode ID: 4a7871dc1231430d10b067e0f6b3807dd340c60cb1a1137e5982b9bf62e683e6
Instruction ID: f34881ef51bdb61a7b929876203d088d69be7fadb169476bfda92d9dd626bd05
Opcode Fuzzy Hash: 4a7871dc1231430d10b067e0f6b3807dd340c60cb1a1137e5982b9bf62e683e6
Instruction Fuzzy Hash: 28E1B270A0891D8FDB94EF58C895BA8BBF1FF69301F1541A9E00DE7261DA74AD81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEB300B8, Relevance: 2.9, Strings: 2, Instructions: 417COMMON

Download Yara Rule

Strings

x\)M, xrefs: 00007FFAEEB318ED
x\)M, xrefs: 00007FFAEEB31B9E

Memory Dump Source

Source File: 00000000.00000002.481356043.00007FFAEEB30000.00000040.00000001.sdmp, Offset: 00007FFAEEB30000, based on PE: false

Similarity

API ID:
String ID: x\)M$x\)M
API String ID: 0-4116677298
Opcode ID: 75535de562c88aac37c1f0ecf2dc55e21b0e9e953461c859c55f670a8fe805aa
Instruction ID: b124b5ce63e04780b031b7ad0dbbb64a6026b615e4699786013fa3189300d509
Opcode Fuzzy Hash: 75535de562c88aac37c1f0ecf2dc55e21b0e9e953461c859c55f670a8fe805aa
Instruction Fuzzy Hash: 5EE19F70A1891D8FDB94EF58C899BA8B7F1FF69301F1541A9E00DE7261DB70AD81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEB3052D, Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFAEEB3060D

Memory Dump Source

Source File: 00000000.00000002.481356043.00007FFAEEB30000.00000040.00000001.sdmp, Offset: 00007FFAEEB30000, based on PE: false

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: b1ba34d985f785f4c9f9cf62a2d1970d960942598c93d688cdd5d9b53ecff95b
Instruction ID: 19d152c247df67c7948ee1227457761d4eadf18a6a8270f9945ed9f889715ec2
Opcode Fuzzy Hash: b1ba34d985f785f4c9f9cf62a2d1970d960942598c93d688cdd5d9b53ecff95b
Instruction Fuzzy Hash: D8316B71908A4E8FEB84EF68C895BED77B1FF59300F01417AE009E3286DE74A8118B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEB300E5, Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.481356043.00007FFAEEB30000.00000040.00000001.sdmp, Offset: 00007FFAEEB30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86ab0170ce2fbb4bf646038ab2f95d99ac58e9d0fea2a2197c51c644c703d1e
Instruction ID: 0acdf1582e891446ed72349eaa739ab70416cca7d00cb81248f9f1770c305352
Opcode Fuzzy Hash: e86ab0170ce2fbb4bf646038ab2f95d99ac58e9d0fea2a2197c51c644c703d1e
Instruction Fuzzy Hash: B3118F72D0D6C94EE756AB7498A62E87F70EF47210F4A84F7D14DC70A3D96919088712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEB300B0, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.481356043.00007FFAEEB30000.00000040.00000001.sdmp, Offset: 00007FFAEEB30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079a23750474192fe72531c545b03eb2413b2518eac940407a46fc6e61eb7ba3
Instruction ID: 8e3af655e18c58f266cd7e0d393ae35995a11794672326fcc331e350fba172c2
Opcode Fuzzy Hash: 079a23750474192fe72531c545b03eb2413b2518eac940407a46fc6e61eb7ba3
Instruction Fuzzy Hash: 43511570E0891ECFDB84EFA9D495AADB7B2FF99300F118169D00EE7291CB74A841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEB30DE3, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.481356043.00007FFAEEB30000.00000040.00000001.sdmp, Offset: 00007FFAEEB30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca388051331673c46d04730cadfe94afd257a3bd1d76266e5600fb5dfe86e79
Instruction ID: 9927340552f81ef86e81245e139236a6f5aaa5acee01b726175016e4552b3a68
Opcode Fuzzy Hash: 9ca388051331673c46d04730cadfe94afd257a3bd1d76266e5600fb5dfe86e79
Instruction Fuzzy Hash: 9E31AD30D4D64E8FDB84EF24D895BF97BA1EF4A300F05547AE40DE3292CAB9A854CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEB31FCE, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.481356043.00007FFAEEB30000.00000040.00000001.sdmp, Offset: 00007FFAEEB30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11ae521c208dea6e91c2fcb8aa5f3be4677d315312fd240e87a325a5bdef958
Instruction ID: 548fe8f545f2eccb6f4db691fd71f4bc688100beb0c70a54a3f074d859fcc3d3
Opcode Fuzzy Hash: d11ae521c208dea6e91c2fcb8aa5f3be4677d315312fd240e87a325a5bdef958
Instruction Fuzzy Hash: 7E313A30A0894E8FDF84EF98C485EE9BBF1FF59311F0541A5D10DD7251CA75A855CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEB30F09, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.481356043.00007FFAEEB30000.00000040.00000001.sdmp, Offset: 00007FFAEEB30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b857cabb279f8e9047e654c24ed09ccbd54227ca29d7b728c4257109a5a27462
Instruction ID: 49bb128bdc6d7cdb13826c3762768d4fbd5d7ecadf355bb90670d01f12f3aae9
Opcode Fuzzy Hash: b857cabb279f8e9047e654c24ed09ccbd54227ca29d7b728c4257109a5a27462
Instruction Fuzzy Hash: 6F310734A0895E8FDB84EF68C898AA977E1FF69304F0544B9E41DC7296CBB5A911CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEB31EE9, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.481356043.00007FFAEEB30000.00000040.00000001.sdmp, Offset: 00007FFAEEB30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b8b468a4870a60980f2f54e03d60bb513ce947694d6cc47e573daa7ad3b6cb
Instruction ID: 3b952b295b9d90cf91e4560874b23bd8ff1268edd8ff16ecc5b5ba979ca1df98
Opcode Fuzzy Hash: c8b8b468a4870a60980f2f54e03d60bb513ce947694d6cc47e573daa7ad3b6cb
Instruction Fuzzy Hash: CB31933590DA898FDB85EF68C895BE97BF1FF5A300F0540BAE00CD3291CBA89945C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEB30D9E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.481356043.00007FFAEEB30000.00000040.00000001.sdmp, Offset: 00007FFAEEB30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9689917b1050a9398691f83f417afac5cbe2093a134e6ae3ef1598290441fb45
Instruction ID: 95f7ad1d76849bfc847968f61f1929bebcd05684638cbf395eff463281a0f3cf
Opcode Fuzzy Hash: 9689917b1050a9398691f83f417afac5cbe2093a134e6ae3ef1598290441fb45
Instruction Fuzzy Hash: B6E0E531A5851E8FDB94FE28D9916FAB362FF88200F815874E51DC3196CE35AC218B40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report gnRxs96FsV

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: gnRxs96FsV.exe PID: 5376 Parent PID: 5736

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: gnRxs96FsV.exe PID: 5376 Parent PID: 5736 gnRxs96FsV.exeCOMMON

Executed Functions

Function 00007FFAEEB3063D, Relevance: 5.7, Strings: 4, Instructions: 679COMMON