Play interactive tour

Edit tour

Analysis Report 7eIebouyqg.exe

Overview

General Information

Sample Name:	7eIebouyqg.exe
Analysis ID:	420695
MD5:	1e0be273be7e3c0587cd7fd1878431b2
SHA1:	9bc3e71c07bfe589e633340533e44f32cb4e5b35
SHA256:	5847c10d87797bc92bbe204885b79204b491dafe0b591b1277a5ec39e11db532
Tags:	Ransomware
Infos:
Most interesting Screenshot:

Detection

UnlockYourFiles

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected UnlockYourFiles Ransomware

Modifies existing user documents (likely ransomware behavior)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

7eIebouyqg.exe (PID: 6892 cmdline: 'C:\Users\user\Desktop\7eIebouyqg.exe' MD5: 1E0BE273BE7E3C0587CD7FD1878431B2)

explorer.exe (PID: 1872 cmdline: 'C:\Windows\explorer.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 952 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
7eIebouyqg.exe	JoeSecurity_UnlockYourFiles	Yara detected UnlockYourFiles Ransomware	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\BascordApp\TypeYourPassword.exe	JoeSecurity_UnlockYourFiles	Yara detected UnlockYourFiles Ransomware	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000000.319368736.00000000009E2000.00000002.00020000.sdmp	JoeSecurity_UnlockYourFiles	Yara detected UnlockYourFiles Ransomware	Joe Security
00000001.00000002.343908786.00000000009E2000.00000002.00020000.sdmp	JoeSecurity_UnlockYourFiles	Yara detected UnlockYourFiles Ransomware	Joe Security
Process Memory Space: 7eIebouyqg.exe PID: 6892	JoeSecurity_UnlockYourFiles	Yara detected UnlockYourFiles Ransomware	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.7eIebouyqg.exe.9e0000.0.unpack	JoeSecurity_UnlockYourFiles	Yara detected UnlockYourFiles Ransomware	Joe Security
1.2.7eIebouyqg.exe.9e0000.0.unpack	JoeSecurity_UnlockYourFiles	Yara detected UnlockYourFiles Ransomware	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\BascordApp\TypeYourPassword.exe

ReversingLabs: Detection: 51%

Multi AV Scanner detection for submitted file

Show sources

Source: 7eIebouyqg.exe	Virustotal: Detection: 29%			Perma Link
Source: 7eIebouyqg.exe	ReversingLabs: Detection: 51%

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\7eIebouyqg.exe

Unpacked PE file: 1.2.7eIebouyqg.exe.9e0000.0.unpack

Source: 7eIebouyqg.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 7eIebouyqg.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: .core.pdb.ico.pas source: 7eIebouyqg.exe

Source: explorer.exe, 00000004.00000003.431288383.000000000C639000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000002.591670319.0000000000AA0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000002.364992486.0000000002810000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 7eIebouyqg.exe, 00000001.00000003.326932615.000000001B890000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 7eIebouyqg.exe, 00000001.00000003.329831645.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 7eIebouyqg.exe, 00000001.00000003.329831645.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: 7eIebouyqg.exe, 00000001.00000003.330653085.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comH
Source: 7eIebouyqg.exe, 00000001.00000003.330653085.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalicx
Source: 7eIebouyqg.exe, 00000001.00000003.330827187.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcomva
Source: 7eIebouyqg.exe, 00000001.00000003.335789519.000000001B86B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comsiv
Source: 7eIebouyqg.exe, 00000001.00000003.330809973.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comva
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 7eIebouyqg.exe, 00000001.00000003.324487754.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 7eIebouyqg.exe, 00000001.00000003.333534852.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 7eIebouyqg.exe, 00000001.00000003.333770545.000000001B890000.00000004.00000001.sdmp, 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp, 7eIebouyqg.exe, 00000001.00000003.333352249.000000001B890000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 7eIebouyqg.exe, 00000001.00000003.323726479.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krh
Source: 7eIebouyqg.exe, 00000001.00000003.326660538.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 7eIebouyqg.exe, 00000001.00000003.326490141.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: 7eIebouyqg.exe, 00000001.00000003.326660538.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0TTF
Source: 7eIebouyqg.exe, 00000001.00000003.326660538.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: 7eIebouyqg.exe, 00000001.00000003.326791088.000000001B865000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/x
Source: 7eIebouyqg.exe, 00000001.00000003.332436682.000000001B890000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.1
Source: 7eIebouyqg.exe, 00000001.00000003.332436682.000000001B890000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.Y
Source: 7eIebouyqg.exe, 00000001.00000003.322245721.000000001B856000.00000004.00000001.sdmp, 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 7eIebouyqg.exe, 00000001.00000003.322245721.000000001B856000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com8
Source: 7eIebouyqg.exe, 00000001.00000003.322245721.000000001B856000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comj
Source: 7eIebouyqg.exe, 00000001.00000003.322245721.000000001B856000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.como5
Source: 7eIebouyqg.exe, 00000001.00000003.326953644.000000001B852000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 7eIebouyqg.exe, 00000001.00000003.323829635.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krh
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 7eIebouyqg.exe, 00000001.00000003.322917467.000000001B86C000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.net
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Spam, unwanted Advertisements and Ransom Demands:

Yara detected UnlockYourFiles Ransomware

Show sources

Source: Yara match	File source: 7eIebouyqg.exe, type: SAMPLE
Source: Yara match	File source: 00000001.00000000.319368736.00000000009E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.343908786.00000000009E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7eIebouyqg.exe PID: 6892, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\BascordApp\TypeYourPassword.exe, type: DROPPED
Source: Yara match	File source: 1.0.7eIebouyqg.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.7eIebouyqg.exe.9e0000.0.unpack, type: UNPACKEDPE

Modifies existing user documents (likely ransomware behavior)

Show sources

Source: C:\Users\user\Desktop\7eIebouyqg.exe	File moved: C:\Users\user\Desktop\YPSIACHYXW\RAYHIWGKDI.jpg	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	File deleted: C:\Users\user\Desktop\YPSIACHYXW\RAYHIWGKDI.jpg	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	File moved: C:\Users\user\Desktop\WUTJSCBCFX\WUTJSCBCFX.docx	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	File deleted: C:\Users\user\Desktop\WUTJSCBCFX\WUTJSCBCFX.docx	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	File moved: C:\Users\user\Desktop\WUTJSCBCFX\JSDNGYCOWY.jpg	Jump to behavior

Source: C:\Users\user\Desktop\7eIebouyqg.exe

Code function: 1_2_00007FFD03393679

1_2_00007FFD03393679

Source: 7eIebouyqg.exe	Binary or memory string: OriginalFilename vs 7eIebouyqg.exe
Source: 7eIebouyqg.exe, 00000001.00000002.352667589.000000001D420000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs 7eIebouyqg.exe
Source: 7eIebouyqg.exe, 00000001.00000002.349500805.000000001CE70000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 7eIebouyqg.exe
Source: 7eIebouyqg.exe, 00000001.00000002.355554587.000000001F0F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 7eIebouyqg.exe
Source: 7eIebouyqg.exe, 00000001.00000003.339492493.000000001EF65000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUnlockYourFiles.exeD vs 7eIebouyqg.exe
Source: 7eIebouyqg.exe, 00000001.00000002.351386167.000000001CF70000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 7eIebouyqg.exe
Source: 7eIebouyqg.exe, 00000001.00000002.351386167.000000001CF70000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 7eIebouyqg.exe
Source: 7eIebouyqg.exe, 00000001.00000002.344225010.0000000000EAD000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 7eIebouyqg.exe
Source: 7eIebouyqg.exe	Binary or memory string: OriginalFilenameUnlockYourFiles.exeD vs 7eIebouyqg.exe

Source: 7eIebouyqg.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal76.rans.evad.winEXE@4/65@0/1

Source: C:\Users\user\Desktop\7eIebouyqg.exe

File created: C:\Users\user\AppData\Roaming\BascordApp

Jump to behavior

Source: C:\Users\user\Desktop\7eIebouyqg.exe

Mutant created: \Sessions\1\BaseNamedObjects\user45f56

Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: 7eIebouyqg.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\7eIebouyqg.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\7eIebouyqg.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\7eIebouyqg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7eIebouyqg.exe	Virustotal: Detection: 29%
Source: 7eIebouyqg.exe	ReversingLabs: Detection: 51%

Source: C:\Users\user\Desktop\7eIebouyqg.exe

File read: C:\Users\user\Desktop\7eIebouyqg.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\7eIebouyqg.exe 'C:\Users\user\Desktop\7eIebouyqg.exe'
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe'
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe'	Jump to behavior

Source: C:\Users\user\Desktop\7eIebouyqg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\MsftEdit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\7eIebouyqg.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 7eIebouyqg.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 7eIebouyqg.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: .core.pdb.ico.pas source: 7eIebouyqg.exe

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\7eIebouyqg.exe

Unpacked PE file: 1.2.7eIebouyqg.exe.9e0000.0.unpack

Source: C:\Users\user\Desktop\7eIebouyqg.exe	Code function: 1_2_009E3943 push rax; ret		1_2_009E3946
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Code function: 1_2_009E9E51 push rsi; ret		1_2_009E9E5F

Source: C:\Users\user\Desktop\7eIebouyqg.exe

File created: C:\Users\user\AppData\Roaming\BascordApp\TypeYourPassword.exe

Jump to dropped file

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\explorer.exe	File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior
Source: C:\Windows\explorer.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior

Source: C:\Users\user\Desktop\7eIebouyqg.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\7eIebouyqg.exe TID: 6964

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\7eIebouyqg.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: explorer.exe, 00000004.00000003.460757328.000000000C68B000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}s
Source: explorer.exe, 00000004.00000003.460757328.000000000C68B000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B5
Source: explorer.exe, 00000004.00000003.404840284.000000000C510000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.399678934.0000000006DDF000.00000004.00000001.sdmp	Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 00000004.00000003.382712854.000000000C624000.00000004.00000001.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.460757328.000000000C68B000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B)
Source: explorer.exe, 00000004.00000003.402144714.000000000C595000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000003.431269478.000000000C624000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B93
Source: 7eIebouyqg.exe, 00000001.00000002.355554587.000000001F0F0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000003.430263229.000000000C607000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BUY
Source: explorer.exe, 00000004.00000003.460240075.000000000C606000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 00000004.00000003.405143890.000000000C511000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}jA
Source: explorer.exe, 00000004.00000003.546587835.000000000C470000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00nT
Source: explorer.exe, 00000004.00000003.400155966.000000000C525000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}
Source: explorer.exe, 00000004.00000003.547511297.000000000C61E000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ber
Source: explorer.exe, 00000004.00000003.546587835.000000000C470000.00000004.00000001.sdmp	Binary or memory string: \?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.462465620.000000000C68B000.00000004.00000001.sdmp	Binary or memory string: 1efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}s
Source: explorer.exe, 00000004.00000003.401564013.000000000C5EE000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
Source: explorer.exe, 00000004.00000003.437694327.000000000C68B000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BC
Source: explorer.exe, 00000004.00000003.552497234.000000000C68E000.00000004.00000001.sdmp	Binary or memory string: 1efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.556714150.000000000C5F0000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000004.00000003.460757328.000000000C68B000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BH
Source: explorer.exe, 00000004.00000003.552863772.000000000C470000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}argetedContent
Source: 7eIebouyqg.exe, 00000001.00000002.355554587.000000001F0F0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000004.00000003.383041352.000000000C525000.00000004.00000001.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00
Source: 7eIebouyqg.exe, 00000001.00000002.355554587.000000001F0F0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000003.460757328.000000000C68B000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}soft.Windows.ContentDeliveryManager_cw5n1h2txyewy
Source: explorer.exe, 00000004.00000003.552863772.000000000C470000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}PackagesBo^
Source: explorer.exe, 00000004.00000003.549717866.000000000C3F2000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ba
Source: explorer.exe, 00000004.00000003.430263229.000000000C607000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000004.00000003.399678934.0000000006DDF000.00000004.00000001.sdmp	Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.435588388.000000000C622000.00000004.00000001.sdmp	Binary or memory string: 0ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&ys
Source: explorer.exe, 00000004.00000003.403786280.000000000C523000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00}*?=
Source: explorer.exe, 00000004.00000003.436580761.000000000C622000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Users
Source: explorer.exe, 00000004.00000003.547511297.000000000C61E000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BRs
Source: explorer.exe, 00000004.00000003.552863772.000000000C470000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000w
Source: explorer.exe, 00000004.00000003.433643401.000000000C622000.00000004.00000001.sdmp	Binary or memory string: }\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&ft
Source: explorer.exe, 00000004.00000003.547511297.000000000C61E000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BsX8
Source: explorer.exe, 00000004.00000003.546587835.000000000C470000.00000004.00000001.sdmp	Binary or memory string: \?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}PackagesBo^
Source: explorer.exe, 00000004.00000003.400391061.000000000C5E8000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.399678934.0000000006DDF000.00000004.00000001.sdmp	Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}5
Source: explorer.exe, 00000004.00000003.434410286.000000000C61E000.00000004.00000001.sdmp	Binary or memory string: Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA8q:D
Source: explorer.exe, 00000004.00000003.550613486.000000000C622000.00000004.00000001.sdmp	Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}gr
Source: explorer.exe, 00000004.00000003.460240075.000000000C606000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.Local
Source: explorer.exe, 00000004.00000003.547511297.000000000C61E000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B_t
Source: explorer.exe, 00000004.00000003.401564013.000000000C5EE000.00000004.00000001.sdmp	Binary or memory string: 0ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.433965208.000000000C61E000.00000004.00000001.sdmp	Binary or memory string: 4f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA8q:D
Source: explorer.exe, 00000004.00000003.552863772.000000000C470000.00000004.00000001.sdmp	Binary or memory string: \?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i@
Source: explorer.exe, 00000004.00000003.463940855.000000000C622000.00000004.00000001.sdmp	Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000004.00000003.549754474.000000000C3F8000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000a^
Source: 7eIebouyqg.exe, 00000001.00000002.355554587.000000001F0F0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000003.546587835.000000000C470000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i@
Source: explorer.exe, 00000004.00000003.555685530.000000000C699000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B{

Source: C:\Users\user\Desktop\7eIebouyqg.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\7eIebouyqg.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\7eIebouyqg.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\7eIebouyqg.exe

Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe'

Jump to behavior

Source: explorer.exe, 00000004.00000002.611337967.0000000004392000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.590228297.0000000000938000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.592329970.0000000000F20000.00000002.00000001.sdmp	Binary or memory string: Program Manager,

Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Users\user\Desktop\7eIebouyqg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7eIebouyqg.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\7eIebouyqg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Security Software Discovery111	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Virtualization/Sandbox Evasion31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
7eIebouyqg.exe	30%	Virustotal		Browse
7eIebouyqg.exe	52%	ReversingLabs	ByteCode-MSIL.Ransomware.CryptoLock

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\BascordApp\TypeYourPassword.exe	52%	ReversingLabs	ByteCode-MSIL.Ransomware.CryptoLock

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.fontbureau.comalicx	0%	Avira URL Cloud	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comH	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.sajatypeworks.com8	0%	Avira URL Cloud	safe
http://www.sajatypeworks.como5	0%	Avira URL Cloud	safe
http://www.fontbureau.comcomva	0%	Avira URL Cloud	safe
http://www.fontbureau.comsiv	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.sandoll.co.krh	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/F	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/F	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/F	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0TTF	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/x	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.monotype.Y	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comva	0%	Avira URL Cloud	safe
http://www.monotype.1	0%	Avira URL Cloud	safe
http://www.typography.net	0%	URL Reputation	safe
http://www.typography.net	0%	URL Reputation	safe
http://www.typography.net	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.goodfont.co.krh	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sajatypeworks.comj	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	7eIebouyqg.exe, 00000001.00000003.329831645.000000001B86C000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/	7eIebouyqg.exe, 00000001.00000003.333534852.000000001B86C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comalicx	7eIebouyqg.exe, 00000001.00000003.330653085.000000001B86C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comF	7eIebouyqg.exe, 00000001.00000003.329831645.000000001B86C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comH	7eIebouyqg.exe, 00000001.00000003.330653085.000000001B86C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com8	7eIebouyqg.exe, 00000001.00000003.322245721.000000001B856000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.como5	7eIebouyqg.exe, 00000001.00000003.322245721.000000001B856000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comcomva	7eIebouyqg.exe, 00000001.00000003.330827187.000000001B86C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comsiv	7eIebouyqg.exe, 00000001.00000003.335789519.000000001B86B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krh	7eIebouyqg.exe, 00000001.00000003.323829635.000000001B86C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/F	7eIebouyqg.exe, 00000001.00000003.326490141.000000001B86C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.kr	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	7eIebouyqg.exe, 00000001.00000003.326660538.000000001B86C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0TTF	7eIebouyqg.exe, 00000001.00000003.326660538.000000001B86C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/x	7eIebouyqg.exe, 00000001.00000003.326791088.000000001B865000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.monotype.Y	7eIebouyqg.exe, 00000001.00000003.332436682.000000001B890000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	7eIebouyqg.exe, 00000001.00000003.322245721.000000001B856000.00000004.00000001.sdmp, 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	7eIebouyqg.exe, 00000001.00000003.333770545.000000001B890000.00000004.00000001.sdmp, 7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp, 7eIebouyqg.exe, 00000001.00000003.333352249.000000001B890000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	7eIebouyqg.exe, 00000001.00000003.324487754.000000001B86C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comva	7eIebouyqg.exe, 00000001.00000003.330809973.000000001B86C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.1	7eIebouyqg.exe, 00000001.00000003.332436682.000000001B890000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.typography.net	7eIebouyqg.exe, 00000001.00000003.322917467.000000001B86C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	7eIebouyqg.exe, 00000001.00000003.326660538.000000001B86C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.krh	7eIebouyqg.exe, 00000001.00000003.323726479.000000001B86C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.%s.comPA	explorer.exe, 00000004.00000002.591670319.0000000000AA0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000002.364992486.0000000002810000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.ascendercorp.com/typedesigners.html	7eIebouyqg.exe, 00000001.00000003.326932615.000000001B890000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	7eIebouyqg.exe, 00000001.00000002.348584872.000000001CA62000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	7eIebouyqg.exe, 00000001.00000003.326953644.000000001B852000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.comj	7eIebouyqg.exe, 00000001.00000003.322245721.000000001B856000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	420695
Start date:	22.05.2021
Start time:	10:29:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	7eIebouyqg.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.rans.evad.winEXE@4/65@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 40.2% (good quality ratio 28.8%) Quality average: 45.6% Quality standard deviation: 39.2%
HCA Information:	Successful, ratio: 98% Number of executed functions: 2 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, audiodg.exe, BackgroundTransferHost.exe, rundll32.exe, ShellExperienceHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, mobsync.exe, wuapihost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:30:46	API Interceptor	857x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7eIebouyqg.exe.log Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1281
Entropy (8bit):	5.367899416177239
Encrypted:	false
SSDEEP:	24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q
MD5:	7115A3215A4C22EF20AB9AF4160EE8F5
SHA1:	A4CAB34355971C1FBAABECEFA91458C4936F2C24
SHA-256:	A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2
SHA-512:	2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db Download File
Process:	C:\Windows\explorer.exe
File Type:	data
Category:	modified
Size (bytes):	29232
Entropy (8bit):	0.005825795080889479
Encrypted:	false
SSDEEP:	3:tnU:
MD5:	6326A1BF8AD27DECC3DC78696518BD27
SHA1:	DE0C595370968E0B340B20AD81659FF36617817C
SHA-256:	744CAE6963AF3F46A72495B1BDC7BD2343C9EBB19BE4C28251C03FB7F5FFB6DD
SHA-512:	E9501A13BE73D022EC6ECDD8E79489DCC028CED01E2FC381BF1E90E995F7D95B7E21D9212580F26EC926311738A7198A48F1D494C5C881C30D8A20BCA2296560
Malicious:	false
Reputation:	low
Preview:	..0 IMMM ...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BascordApp\TypeYourPassword.exe Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	100864
Entropy (8bit):	5.198302365758033
Encrypted:	false
SSDEEP:	768:W0Ddf1GaICq5m5ZfRjPV4vCKBKPhVZlQESdrT8BB6N+NwccIubm47cZ5:/Ddf1SCq5sLUCKW4s1bSmh
MD5:	1E0BE273BE7E3C0587CD7FD1878431B2
SHA1:	9BC3E71C07BFE589E633340533E44F32CB4E5B35
SHA-256:	5847C10D87797BC92BBE204885B79204B491DAFE0B591B1277A5EC39E11DB532
SHA-512:	939F3A72D6DFB689D1360F6BC5854375B885AAB632D2C9ACBD562E6715B4957E10EA6B21F4396844E5614587B24ECE4AE0507A0F47B8FA6116CB610C55ADEF61
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UnlockYourFiles, Description: Yara detected UnlockYourFiles Ransomware, Source: C:\Users\user\AppData\Roaming\BascordApp\TypeYourPassword.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 52%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....).`.................<...L......>[... ...`....@.. ....................................@..................................Z..W....`..>H........................................................................... ............... ..H............text...D;... ...<.................. ..`.rsrc...>H...`...J...>..............@..@.reloc..............................@..B................ [......H...........(;......5....M...............................................................6.{.....o......(......,..{.......+..-..{....o......(...."..(J.....{....(K...o1... ....(L....(.....d(L....{....(0...o1.....,..{.......+..-..{....o......(.....(y.....,..{&......+..-..{&...o......(....b.o.....j......j...(....j.o.....j.....j...(.......Z(.....(....s....(......(.......1.....(....Vs<...(....t.....;.......0..$...........}.....(.....(......(......(....*.0..........

C:\Users\user\AppData\Roaming\BascordApp\TypeYourPassword.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\Excel 2016.lnk Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2154
Entropy (8bit):	4.653742352990946
Encrypted:	false
SSDEEP:	48:q+MceHuJTu9CEQ1kHxZZaY+yTDaJTm+vl:Z+uMCeHxn+CO0+9
MD5:	853E41D227056B6A24C3CA7550F5DEB1
SHA1:	C33150046A08C7FC0B6A4A7E7EBCCCB17FF4C11E
SHA-256:	A7E30DA5ECC202FF11B0CC3E3838D1A2FE90901C51627E3BD7581ADABEE74D18
SHA-512:	5ED8FDCA5B33534BB768E6847B433618399F4F866F47531D6CB9C3A7852527AB22EFC246092A0D36426797721FEC8D9BEAFB76B640AF8984DBA95435D0E7AD83
Malicious:	false
Reputation:	low
Preview:	<EncyptedKey>FZ7Q30VNCJ5WXWDNDQDOUV31FI38WXM<EncyptedKey> 0JTvv73vv73vv70i77+9T++/ve+/vSPvv73vv706NmhJCi/vv70FZzxs77+977+977+977+9IiYpLu+/ve+/ve+/ve+/vVpLExXvv71m77+977+9eO+/vTXvv73vv73vv73vv73vv73vv71zfmlXU++/vSpC77+9LO+/ve+/ve+/vcue77+977+9Du+/ve+/vRrYn++/vXzvv70s77+977+9TmtgWTlRd0Q+B17vv73vv707OiQ577+977+977+9bgzvv73vv73vv73am9+677+9X++/ve+/vVxa77+9Mizvv716JkdiBu+/vQ5G77+9Ze+/vUNwNQd3QsKX77+9X++/ve+/ve+/vWPvv73vv71cd++/vXnvv70M77+9fHEm77+977+9KcmU77+9ei7vv73ui4Tvv70Y77+977+977+9W8SO77+977+9XgHvv73Pu++/vTbvv73vv73vv71Q77+9IG7vv73Ltx1bzLkS2JHvv716V2Ft77+977+9ae+/vUMnGO+/vULvv73vv71gRu+/ve+/vX/vv70s77+9DHBiMe+/ve+/ve+/vT3vv71xQu+/vToB77+977+977+977+9R++/vQZ177+977+9a3NB77+977+9SO+/vSpu3atyBnnvv704P++/vU4dUu+/vQvvv70777+977+9AO+/vVLvv73vv73vv73vv70x77+977+9QO+/ve+/vRdmXVVA77+9dD4OYX8mcXLvv71nce+/vU7vv73vv71FHFMV77+9au+/vW3vv71QRu+/vUk7Je+/vXnvv73vv70e77+977+977+9CnBwKe+/ve+/vTw/77+977+9Nu+/vUkKQO+/vXXvv73RgxA477+9Jzfvv73vv73vv73vv73vv73vv73vv71vK0jvv70gQc6jTRBU77+9E2nbozlLV13vv71S77+977

C:\Users\user\Desktop\KZWFNRXYKI.pdf Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	894
Entropy (8bit):	4.628466136328864
Encrypted:	false
SSDEEP:	12:fYxKSzrOhYkSkegCS5Ku7NRszUPKaCcCa9682VAzA7r/IMR2J+BR112Z:fYx7rOBRcONmARYsHQzIMsJSK
MD5:	E7D0E46A8C20228B8E72ADCBEA8E2BF9
SHA1:	B62A09DC603BD61EE354B6E7E0991763AFBE7382
SHA-256:	2BC3537B7931899990A82CCF7C523E8DF2093050AF455813A2F90A65BC57C32C
SHA-512:	967AC55A50B4A202EA0D8272F9F88F5AFCCDCD6F97D45EC46DC3A5F6ED975BCB3BBC29CECDEF0AB0BC16DC9CE48BA392F464A7C632796F6B4C3A33597E194D7C
Malicious:	false
Reputation:	low
Preview:	<EncyptedKey>L3YM656CDE6YUUL46BFLXOPGT5GLV7W<EncyptedKey> UUvvv70eNhoKbu+/vUXvv73vv73vv71bHe+/ve+/vQ5I77+9WO+/ve+/ve+/vTfvv70f77+9Y++/vT0wde+/vXtbce+/ve+/vRQMNlxaGu+/vWPvv73npZJu77+977+977+9Au+/ve+/ve+/vTrvv73vv704R3ZdNO+/ve+/ve+/vVMW77+977+9TO+/ve+/ve+/vXzvv71877+977+977+9bO+/vWl8QHnvv73vv73vv71UKSPvv70V77+9e++/ve+/vU5Se++/vdutE2wPCXjvv71hSXvbp++/vUYo77+9Zx5k77+9KO+/ve+/ve+/ve+/vQrvv73vv71Pau+/vRnvv73vv70sDO+/ve+/vX/vv73vv73Zgjo877+9w5Xvv71o77+9XFAa77+977+977+9WEpuHO+/ve+/vRDvv71l77+9GhxD77+977+977+977+9TgBGee+/vUcL77+954CU77+9c0rvv70fSe+/vRF677+977+9ck/vv71j77+9e++/vSRk77+977+9IDbvv73vv73vv71UJhEEEu+/vVbvv73vv71+77+977+977+9U++/vW7vv73vv73Lkm7vv70X77+9HO+/vUdTEwp6a0Lvv71o77+977+977+977+977+9cTrvv73vv70qdC4uIe+/vQPvv70T77+977+977+977+9T3N+fe+/ve+/vXPvv73vv73vv73vv73vv70H77+977+977+977+9IDPvv71j77+977+977+9GDFKB++/vVfvv70y77+9Cn1vem3Tr++/vTLvv73HikMZJ1jvv70z77+977+97om377+977+9ZWw=

C:\Users\user\Desktop\Microsoft Edge.lnk Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1198
Entropy (8bit):	4.608443315924579
Encrypted:	false
SSDEEP:	24:flArOBRcONmARYsHQzIMsJSWPZ10GMIVpXUP:NArOYumec8MOCG7UP
MD5:	32F0FA41C579B83C42C8AA25AFF86028
SHA1:	86A525FA6D0B4C7F1FB8BC1334E892E047837C35
SHA-256:	100CAB9C809E445276BE2A6FDDDF7C40C746E27B64E9855168E160CC41CBEA10
SHA-512:	C73EAE09B718DA00E87A491AD3705153B33C7DC6084C608AF9C11CFE737BCD509DCF15DB81FBD769881D7A914495E2D9B783C1BCD0CFCE60A4ABA4A9B5B8BD38
Malicious:	false
Reputation:	low
Preview:	<EncyptedKey>1O7U39KHRGO9KX6JG4O67RMY6NS2AYV<EncyptedKey> UUvvv70eNhoKbu+/vUXvv73vv73vv71bHe+/ve+/vQ5I77+9WO+/ve+/ve+/vTfvv70f77+9Y++/vT0wde+/vXtbce+/ve+/vRQMNlxaGu+/vWPvv73npZJu77+977+977+9Au+/ve+/ve+/vTrvv73vv704R3ZdNO+/ve+/ve+/vVMW77+977+9TO+/ve+/ve+/vXzvv71877+977+977+9bO+/vWl8QHnvv73vv73vv71UKSPvv70V77+9e++/ve+/vU5Se++/vdutE2wPCXjvv71hSXvbp++/vUYo77+9Zx5k77+9KO+/ve+/ve+/ve+/vQrvv73vv71Pau+/vRnvv73vv70sDO+/ve+/vX/vv73vv73Zgjo877+9w5Xvv71o77+9XFAa77+977+977+9WEpuHO+/ve+/vRDvv71l77+9GhxD77+977+977+977+9TgBGee+/vUcL77+954CU77+9c0rvv70fSe+/vRF677+977+9ck/vv71j77+9e++/vSRk77+977+9IDbvv73vv73vv71UJhEEEu+/vVbvv73vv71+77+977+977+9U++/vW7vv73vv73Lkm7vv70X77+9HO+/vUdTEwp6a0Lvv71o77+977+977+977+977+9cTrvv73vv70qdC4uIe+/vQPvv70T77+977+977+977+9T3N+fe+/ve+/vXPvv73vv73vv73vv73vv70H77+977+977+977+9IDPvv71j77+977+977+9GDFKB++/vVfvv70y77+9Cn1vem3Tr++/vTLvv73HikMZJ1jvv70z77+977+97om377+977+9ZWxAbO+/vTcrcQTvv70jO++/vXJM77+9CjHvv73vv70e77+9FyPvv70aI9+t77+977+9xqPvv70IZm4ce2Tvv70ZPxwEHS3vv71UAO+/vVfvv7

C:\Users\user\Desktop\NIKHQAIQAU.mp3 Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	894
Entropy (8bit):	4.633153156991874
Encrypted:	false
SSDEEP:	12:f3RKIVjzrOhYkSkegCS5Ku7NRszUPKaCcCa9682VAzA7r/IMR2J+BR112Z:fhrOBRcONmARYsHQzIMsJSK
MD5:	4E43D0470D036D584A99687874446B96
SHA1:	AF9B3D0828D744692F1F52FBC663DFD36AD75D34
SHA-256:	30938F199B058B102CC65CF572236D094FEAF9FE06740FB5D9682F27EE3B4D22
SHA-512:	CFDCC07A8F8EC082984CBD86631A6D178F55D714ADD739D5FD73B784C3ACF88C827D8B831D18369337235D7AD64C31F3BDCD361555F44B4E6CB43BAD1681FB21
Malicious:	false
Reputation:	low
Preview:	<EncyptedKey>QGRFKWAS4W4XEJOFSXVAQHAZKBJXPRR<EncyptedKey> UUvvv70eNhoKbu+/vUXvv73vv73vv71bHe+/ve+/vQ5I77+9WO+/ve+/ve+/vTfvv70f77+9Y++/vT0wde+/vXtbce+/ve+/vRQMNlxaGu+/vWPvv73npZJu77+977+977+9Au+/ve+/ve+/vTrvv73vv704R3ZdNO+/ve+/ve+/vVMW77+977+9TO+/ve+/ve+/vXzvv71877+977+977+9bO+/vWl8QHnvv73vv73vv71UKSPvv70V77+9e++/ve+/vU5Se++/vdutE2wPCXjvv71hSXvbp++/vUYo77+9Zx5k77+9KO+/ve+/ve+/ve+/vQrvv73vv71Pau+/vRnvv73vv70sDO+/ve+/vX/vv73vv73Zgjo877+9w5Xvv71o77+9XFAa77+977+977+9WEpuHO+/ve+/vRDvv71l77+9GhxD77+977+977+977+9TgBGee+/vUcL77+954CU77+9c0rvv70fSe+/vRF677+977+9ck/vv71j77+9e++/vSRk77+977+9IDbvv73vv73vv71UJhEEEu+/vVbvv73vv71+77+977+977+9U++/vW7vv73vv73Lkm7vv70X77+9HO+/vUdTEwp6a0Lvv71o77+977+977+977+977+9cTrvv73vv70qdC4uIe+/vQPvv70T77+977+977+977+9T3N+fe+/ve+/vXPvv73vv73vv73vv73vv70H77+977+977+977+9IDPvv71j77+977+977+9GDFKB++/vVfvv70y77+9Cn1vem3Tr++/vTLvv73HikMZJ1jvv70z77+977+97om377+977+9ZWw=

C:\Users\user\Desktop\NIKHQAIQAU.pdf Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	894
Entropy (8bit):	4.629868283877723
Encrypted:	false
SSDEEP:	12:fdu+01zrOhYkSkegCS5Ku7NRszUPKaCcCa9682VAzA7r/IMR2J+BR112Z:fsjrOBRcONmARYsHQzIMsJSK
MD5:	9D13762E49B8034B181F4F71BA572494
SHA1:	2AAC99E1ED820569400C72F8DD81FC10E9DFFB5C
SHA-256:	51E5F600DC50298E9D3F5C05D7A60D2ABCB57050477C1E0CA1BFDC0384157F04
SHA-512:	BAB08AC92B56B0E5179111213E0AF6D04FB5ED914012BC8F1781B1737C1F34769E835ABBBAACC60FE62176C3D98AE9F2C52A4A83B0A0A2390B743916FF4E6C0D
Malicious:	false
Reputation:	low
Preview:	<EncyptedKey>G2U732SVWFMTKC3IOSIAFOYFJG14JNN<EncyptedKey> UUvvv70eNhoKbu+/vUXvv73vv73vv71bHe+/ve+/vQ5I77+9WO+/ve+/ve+/vTfvv70f77+9Y++/vT0wde+/vXtbce+/ve+/vRQMNlxaGu+/vWPvv73npZJu77+977+977+9Au+/ve+/ve+/vTrvv73vv704R3ZdNO+/ve+/ve+/vVMW77+977+9TO+/ve+/ve+/vXzvv71877+977+977+9bO+/vWl8QHnvv73vv73vv71UKSPvv70V77+9e++/ve+/vU5Se++/vdutE2wPCXjvv71hSXvbp++/vUYo77+9Zx5k77+9KO+/ve+/ve+/ve+/vQrvv73vv71Pau+/vRnvv73vv70sDO+/ve+/vX/vv73vv73Zgjo877+9w5Xvv71o77+9XFAa77+977+977+9WEpuHO+/ve+/vRDvv71l77+9GhxD77+977+977+977+9TgBGee+/vUcL77+954CU77+9c0rvv70fSe+/vRF677+977+9ck/vv71j77+9e++/vSRk77+977+9IDbvv73vv73vv71UJhEEEu+/vVbvv73vv71+77+977+977+9U++/vW7vv73vv73Lkm7vv70X77+9HO+/vUdTEwp6a0Lvv71o77+977+977+977+977+9cTrvv73vv70qdC4uIe+/vQPvv70T77+977+977+977+9T3N+fe+/ve+/vXPvv73vv73vv73vv73vv70H77+977+977+977+9IDPvv71j77+977+977+9GDFKB++/vVfvv70y77+9Cn1vem3Tr++/vTLvv73HikMZJ1jvv70z77+977+97om377+977+9ZWw=

C:\Users\user\Desktop\WUTJSCBCFX.docx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	894
Entropy (8bit):	4.627895938113152
Encrypted:	false
SSDEEP:	12:f+9zrOhYkSkegCS5Ku7NRszUPKaCcCa9682VAzA7r/IMR2J+BR112Z:f+RrOBRcONmARYsHQzIMsJSK
MD5:	7BFB76124748958EA43BEC4A84BEA24F
SHA1:	EF91833AA70F6CF939447F55BCC5B79DBB1C756D
SHA-256:	06649E376A69551BCD75373489EF0BC86C503493A8A22BE7CAFBA89CD28EC05A
SHA-512:	5DDD51A23E751585007B7BB54F796845753C7782BB3201FF3DA8C93C8385BED802C461E372A98D1D18874668D4A652B9B6D78A8434D34850DF4D855B913724CB
Malicious:	false
Reputation:	low
Preview:	<EncyptedKey>MI2KFEO9YC76ADP4BVQEOQTI56360EY<EncyptedKey> UUvvv70eNhoKbu+/vUXvv73vv73vv71bHe+/ve+/vQ5I77+9WO+/ve+/ve+/vTfvv70f77+9Y++/vT0wde+/vXtbce+/ve+/vRQMNlxaGu+/vWPvv73npZJu77+977+977+9Au+/ve+/ve+/vTrvv73vv704R3ZdNO+/ve+/ve+/vVMW77+977+9TO+/ve+/ve+/vXzvv71877+977+977+9bO+/vWl8QHnvv73vv73vv71UKSPvv70V77+9e++/ve+/vU5Se++/vdutE2wPCXjvv71hSXvbp++/vUYo77+9Zx5k77+9KO+/ve+/ve+/ve+/vQrvv73vv71Pau+/vRnvv73vv70sDO+/ve+/vX/vv73vv73Zgjo877+9w5Xvv71o77+9XFAa77+977+977+9WEpuHO+/ve+/vRDvv71l77+9GhxD77+977+977+977+9TgBGee+/vUcL77+954CU77+9c0rvv70fSe+/vRF677+977+9ck/vv71j77+9e++/vSRk77+977+9IDbvv73vv73vv71UJhEEEu+/vVbvv73vv71+77+977+977+9U++/vW7vv73vv73Lkm7vv70X77+9HO+/vUdTEwp6a0Lvv71o77+977+977+977+977+9cTrvv73vv70qdC4uIe+/vQPvv70T77+977+977+977+9T3N+fe+/ve+/vXPvv73vv73vv73vv73vv70H77+977+977+977+9IDPvv71j77+977+977+9GDFKB++/vVfvv70y77+9Cn1vem3Tr++/vTLvv73HikMZJ1jvv70z77+977+97om377+977+9ZWw=

C:\Users\user\Desktop\WUTJSCBCFX\JSDNGYCOWY.jpg Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.62388137518985
Encrypted:	false
SSDEEP:	12:f6CTTGMyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:f6CfGzXIVYacqWrROzSzCufd5lwMYTy
MD5:	6E1A521AC3844067343383A19179C624
SHA1:	74FD503F42642B8D8E35C0A4DD99509C21755DC2
SHA-256:	A5284B6663F9387AC6371E98D29D22D473CE33CEA9800BBCAE8C42CDA2F7357E
SHA-512:	053DC6BC76C6B8DA4BAC1FF5CA0983B60AD417C966ED2995044A41A426CA86EC73A45937717ED60B438425C7874BE75A3D580E3A815BDD6CE03DBC9A23EBD074
Malicious:	true
Preview:	<EncyptedKey>TCJ8FOE02Y6VY8CA93HC10BMVLGMBOK<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Desktop\WUTJSCBCFX\KZWFNRXYKI.pdf Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.6262152427340295
Encrypted:	false
SSDEEP:	12:fuogUSyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fuorXIVYacqWrROzSzCufd5lwMYTy
MD5:	E2C1E22A3A3AFA4F6B28663F56312529
SHA1:	A308C3F0A77587F53113F4ADC96B76F9AAA41FDB
SHA-256:	4DDFA28FB26435415C4116592416543A4CC78F28EEA01B60376547A66383894E
SHA-512:	BEF464A16BA9357BE7A0ABEF8ADC36CC1C96E04BF988895F47356B1AB1AC563C7767A0CFD917557B753AFE7ED3349C88B2ACD4253B46A7E9281747A7DD6124F9
Malicious:	false
Preview:	<EncyptedKey>4Z3LXQ93GUZX9LRLXOT2VWVJ3B6N4H1<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Desktop\WUTJSCBCFX\NIKHQAIQAU.mp3 Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.622174856601241
Encrypted:	false
SSDEEP:	12:fO59jyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fO5wXIVYacqWrROzSzCufd5lwMYTy
MD5:	4813165D8EEACBE703FC0EB7C9FB782A
SHA1:	6FD9E83DB351687BA53DBB19CEF51BD10C05919B
SHA-256:	0965D5B75D6C3F99E7FF507ABC8AC345D7C24B2315E05317D53508B335D32131
SHA-512:	A163DEDE1A2DDC1D3B4F2D21E846B4E716B18A94D9795AE8D330C095C80712005FFC212A2B7E6F0009BBD0CA8489BE7B876BBCBD124C610B72262385E45BF173
Malicious:	false
Preview:	<EncyptedKey>ZNNB55WPTA9BRBCBBD9S8SVYIETRWTV<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Desktop\WUTJSCBCFX\WUTJSCBCFX.docx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.618136553379788
Encrypted:	false
SSDEEP:	12:f9IlTyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:f9GWXIVYacqWrROzSzCufd5lwMYTy
MD5:	B6AFC8D8E052E4AC87977DA31611DDDB
SHA1:	64C537C8075706306F2F9AC0CC962DCDFE9F9B66
SHA-256:	0C3A17E537A99EE36EBDE9C35BDA641A18F27A10108BEE839C7B222B0DE4124A
SHA-512:	3851ACD1A5732CC295EED482C41356996229DB3913ED37CF6F7761816B2D60A421139C33282B4782D7E4572C40CFFDDD115BB284C3577B8D7EA9BFFAE5C56E7D
Malicious:	true
Preview:	<EncyptedKey>983AKVJWQA892WVDI195K5Y2G1Z21LF<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Desktop\WUTJSCBCFX\YPSIACHYXW.xlsx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.620861974029692
Encrypted:	false
SSDEEP:	12:fegfyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fegKXIVYacqWrROzSzCufd5lwMYTy
MD5:	661CCEDBDB5705275E7F3507C4D93B04
SHA1:	94D1DE5133FB01889FBE3CD1B7A97634C547CA47
SHA-256:	9AA031602B934AAB56E596D9EF7CF9D0B6C205FCA120538586A58F76544193A9
SHA-512:	E67131F8E6DEA9AD19E073CEFF2DE0EFF12FA6C625133B91C462B8E98F32210FE040BF584449E11C78336CF46127301B9373ED18B7A8C9EBC03391D754899A01
Malicious:	false
Preview:	<EncyptedKey>3AOACYB1Q2RTSAT2CXAL0XYKDJA3T5Q<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Desktop\WUTJSCBCFX\ZBEDCJPBEY.png Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.623200088004686
Encrypted:	false
SSDEEP:	12:felTLLbyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fEqXIVYacqWrROzSzCufd5lwMYTy
MD5:	CC0A1ED6746590921FC92F11A079B586
SHA1:	CAB5DC60125C9053D894E8D24C346AF4B64B6259
SHA-256:	1CBFFAAE94963D3AA0605371454A969EB4EF96FD8B6DF35F78343C2AE94C9896
SHA-512:	0E829BEF3E54C77AEC4D73A09BD9E95073C9EEEE00874C116C076F2FAC8064F15DDDBC32B89B203291999626D4333ED0B523849E27916D7F4FDF9CB0C7AA09B0
Malicious:	false
Preview:	<EncyptedKey>5E5F8OWSPG9SD3MG2X8XF09OGLD62XH<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Desktop\Word 2016.lnk Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2190
Entropy (8bit):	4.6144887827354015
Encrypted:	false
SSDEEP:	24:f//rOBRcONmARYsHQzIMsJSWPZ10GMIVpXUNdT2Fe7VBWFMewVPffe+bKXE+0HM6:n/rOYumec8MOCG7U7TXBYseErMh/IIBo
MD5:	5228178E603F7452DF40ECEF08D728C3
SHA1:	A2B6858BFB4EEBF83A19BAF23E959FF8475B44AE
SHA-256:	D0E43A6E82CFD3A0C7AAF045C943FBE0959B64ADD87D13E7FC49925F49A45E8A
SHA-512:	2C8176B35D577C0CE5F8EAB9B7038B047BC8301A6A7DB30C308136041AC13BFCBB59A612F89C5BED9F3BD76350910AE1172C219F1DD7BA4F42C9A83C5365D9CC
Malicious:	false
Preview:	<EncyptedKey>CNFY4UMVM9B94DX0WQ34EGRL1EPXWBY<EncyptedKey> UUvvv70eNhoKbu+/vUXvv73vv73vv71bHe+/ve+/vQ5I77+9WO+/ve+/ve+/vTfvv70f77+9Y++/vT0wde+/vXtbce+/ve+/vRQMNlxaGu+/vWPvv73npZJu77+977+977+9Au+/ve+/ve+/vTrvv73vv704R3ZdNO+/ve+/ve+/vVMW77+977+9TO+/ve+/ve+/vXzvv71877+977+977+9bO+/vWl8QHnvv73vv73vv71UKSPvv70V77+9e++/ve+/vU5Se++/vdutE2wPCXjvv71hSXvbp++/vUYo77+9Zx5k77+9KO+/ve+/ve+/ve+/vQrvv73vv71Pau+/vRnvv73vv70sDO+/ve+/vX/vv73vv73Zgjo877+9w5Xvv71o77+9XFAa77+977+977+9WEpuHO+/ve+/vRDvv71l77+9GhxD77+977+977+977+9TgBGee+/vUcL77+954CU77+9c0rvv70fSe+/vRF677+977+9ck/vv71j77+9e++/vSRk77+977+9IDbvv73vv73vv71UJhEEEu+/vVbvv73vv71+77+977+977+9U++/vW7vv73vv73Lkm7vv70X77+9HO+/vUdTEwp6a0Lvv71o77+977+977+977+977+9cTrvv73vv70qdC4uIe+/vQPvv70T77+977+977+977+9T3N+fe+/ve+/vXPvv73vv73vv73vv73vv70H77+977+977+977+9IDPvv71j77+977+977+9GDFKB++/vVfvv70y77+9Cn1vem3Tr++/vTLvv73HikMZJ1jvv70z77+977+97om377+977+9ZWxAbO+/vTcrcQTvv70jO++/vXJM77+9CjHvv73vv70e77+9FyPvv70aI9+t77+977+9xqPvv70IZm4ce2Tvv70ZPxwEHS3vv71UAO+/vVfvv7

C:\Users\user\Desktop\YPSIACHYXW.docx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	894
Entropy (8bit):	4.636018031875438
Encrypted:	false
SSDEEP:	12:fifE0WjzrOhYkSkegCS5Ku7NRszUPKaCcCa9682VAzA7r/IMR2J+BR112Z:fJ0WXrOBRcONmARYsHQzIMsJSK
MD5:	7EC02A0EDDD8A5A2AF6B93DF225358FA
SHA1:	748EC08BF9E5EE8B37238FF8E7B260767C3B8CE3
SHA-256:	39908EDE65A622BA11E01BAD4CCA2BE5551DFD6CDAAE5D77772E8F41C99D1DA0
SHA-512:	8A89892F4A3F46732FFDAB9FB5737840F5510021AB889174E25A0F438624414C7956E049D411B47CD5ABFA903574A5878641FA69D0126DD04A830F5E95F7003B
Malicious:	false
Preview:	<EncyptedKey>8LLZ0B3SVHRF2HKQILJNBG6K6ZTOILS<EncyptedKey> UUvvv70eNhoKbu+/vUXvv73vv73vv71bHe+/ve+/vQ5I77+9WO+/ve+/ve+/vTfvv70f77+9Y++/vT0wde+/vXtbce+/ve+/vRQMNlxaGu+/vWPvv73npZJu77+977+977+9Au+/ve+/ve+/vTrvv73vv704R3ZdNO+/ve+/ve+/vVMW77+977+9TO+/ve+/ve+/vXzvv71877+977+977+9bO+/vWl8QHnvv73vv73vv71UKSPvv70V77+9e++/ve+/vU5Se++/vdutE2wPCXjvv71hSXvbp++/vUYo77+9Zx5k77+9KO+/ve+/ve+/ve+/vQrvv73vv71Pau+/vRnvv73vv70sDO+/ve+/vX/vv73vv73Zgjo877+9w5Xvv71o77+9XFAa77+977+977+9WEpuHO+/ve+/vRDvv71l77+9GhxD77+977+977+977+9TgBGee+/vUcL77+954CU77+9c0rvv70fSe+/vRF677+977+9ck/vv71j77+9e++/vSRk77+977+9IDbvv73vv73vv71UJhEEEu+/vVbvv73vv71+77+977+977+9U++/vW7vv73vv73Lkm7vv70X77+9HO+/vUdTEwp6a0Lvv71o77+977+977+977+977+9cTrvv73vv70qdC4uIe+/vQPvv70T77+977+977+977+9T3N+fe+/ve+/vXPvv73vv73vv73vv73vv70H77+977+977+977+9IDPvv71j77+977+977+9GDFKB++/vVfvv70y77+9Cn1vem3Tr++/vTLvv73HikMZJ1jvv70z77+977+97om377+977+9ZWw=

C:\Users\user\Desktop\YPSIACHYXW.xlsx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	894
Entropy (8bit):	4.623259461279371
Encrypted:	false
SSDEEP:	12:fQ7zrOhYkSkegCS5Ku7NRszUPKaCcCa9682VAzA7r/IMR2J+BR112Z:fQvrOBRcONmARYsHQzIMsJSK
MD5:	DA30C1D19580762B2DCE97D63D08F04A
SHA1:	53BA1FD7A600C1BE499C39D70234F1DCEDDFC1C9
SHA-256:	ACE27D92192CED7D7B3A0E70C91AD36109247F6B3BC5307D9C90D641BDD1DB63
SHA-512:	92919FD421EB8495AE7552419EEFDC54BBE3AC7E958AA3864DDC7316A1CF69DEDC7C9DBC418DF5876172C6C281C1177150D3B7CC60EE97B0DA6276AF800953D1
Malicious:	false
Preview:	<EncyptedKey>JTN9UZNZ2HD466K1BUQUUQ0W1PA3BRP<EncyptedKey> UUvvv70eNhoKbu+/vUXvv73vv73vv71bHe+/ve+/vQ5I77+9WO+/ve+/ve+/vTfvv70f77+9Y++/vT0wde+/vXtbce+/ve+/vRQMNlxaGu+/vWPvv73npZJu77+977+977+9Au+/ve+/ve+/vTrvv73vv704R3ZdNO+/ve+/ve+/vVMW77+977+9TO+/ve+/ve+/vXzvv71877+977+977+9bO+/vWl8QHnvv73vv73vv71UKSPvv70V77+9e++/ve+/vU5Se++/vdutE2wPCXjvv71hSXvbp++/vUYo77+9Zx5k77+9KO+/ve+/ve+/ve+/vQrvv73vv71Pau+/vRnvv73vv70sDO+/ve+/vX/vv73vv73Zgjo877+9w5Xvv71o77+9XFAa77+977+977+9WEpuHO+/ve+/vRDvv71l77+9GhxD77+977+977+977+9TgBGee+/vUcL77+954CU77+9c0rvv70fSe+/vRF677+977+9ck/vv71j77+9e++/vSRk77+977+9IDbvv73vv73vv71UJhEEEu+/vVbvv73vv71+77+977+977+9U++/vW7vv73vv73Lkm7vv70X77+9HO+/vUdTEwp6a0Lvv71o77+977+977+977+977+9cTrvv73vv70qdC4uIe+/vQPvv70T77+977+977+977+9T3N+fe+/ve+/vXPvv73vv73vv73vv73vv70H77+977+977+977+9IDPvv71j77+977+977+9GDFKB++/vVfvv70y77+9Cn1vem3Tr++/vTLvv73HikMZJ1jvv70z77+977+97om377+977+9ZWw=

C:\Users\user\Desktop\YPSIACHYXW\CURQNKVOIX.png Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.625318602545547
Encrypted:	false
SSDEEP:	12:fu0wgV1yXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fu0wg+XIVYacqWrROzSzCufd5lwMYTy
MD5:	96C16F9F7D957A5169149AE6AA1A4651
SHA1:	6FF49BBB18160A990496D835E27A1AE85402B580
SHA-256:	F6316987600F462BF9B9DB8A583E0F59B80FA0CBBFF6C28FF985D829D87305DE
SHA-512:	5DC3B2412B813955B3BDCDFE986E3526A466B2B907F5C66BE7F813E1F5601CF6FFA28DB18B518EB2EDD3FE82F0AE042153D7413249881A818F65AEEFC3081DCB
Malicious:	false
Preview:	<EncyptedKey>IULVOX5UOPEUE0EVR1DIGUILEFQ8XKZ<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Desktop\YPSIACHYXW\JSDNGYCOWY.xlsx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.625503745993789
Encrypted:	false
SSDEEP:	12:fqcZoV1yXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fNjXIVYacqWrROzSzCufd5lwMYTy
MD5:	AE5B13436B8C225527EB91D28723C941
SHA1:	E3FDF77186A535C11EA33323C7C6D6AFEE60413F
SHA-256:	AA4883589930793A2397AF145483B088152737E212D099E0D4A78E458E561BBD
SHA-512:	FBE0AB4EB0EE28D041C17D49DD245347E0233AB616D1FEF1AA68857B269351151014FACCDD28FCC4FFC45A3385704CF9B6DC7DAFD47D2D6D64C80CDFD311B59C
Malicious:	false
Preview:	<EncyptedKey>029181H8T6CTHAF5YB0WFZOBXL9RJG6<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Desktop\YPSIACHYXW\NIKHQAIQAU.pdf Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.609397491017485
Encrypted:	false
SSDEEP:	12:fHyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fSXIVYacqWrROzSzCufd5lwMYTy
MD5:	C511DEFD3751D40E78710907965517DD
SHA1:	C6B85618DA3B295AAFC6DF2163E6FF67A3B1D4ED
SHA-256:	A96BA454CCDD12DF390194969FC71C82A21A304B073A32B5D4D7039B3B65AE1D
SHA-512:	CCB951EDA820EAD072E5D8778F1D280282380CC760DFD30A91667079DDDBEE5B980E97B426FD5EB1EBB25578A0D497F66B2062CE8E0926D69F93A5E8A2FFC8D6
Malicious:	false
Preview:	<EncyptedKey>7E0O2F9G3J3ULDBBK8K276YUAN7DW20<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Desktop\YPSIACHYXW\RAYHIWGKDI.jpg Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.631098393385576
Encrypted:	false
SSDEEP:	12:f2cr1yXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:f2PXIVYacqWrROzSzCufd5lwMYTy
MD5:	2D0B4C6952AF3EEF0BA478541A1E1ACE
SHA1:	4C42EB0B3E962A0AE5A2F8C8119DD8208F3B6DEE
SHA-256:	15E0229F4E8B9497C4960FF2134CD349D721D362015FBC6BAA8FC2912FFCF9DD
SHA-512:	77A3238D52CA2EC179C0534D7753178CBDFEED1FB12F89B3B67AECB3F611813546971B06670EF0042E65FED2C13B6AFF4C696D8443D73BC00C59E6642FCC8D2B
Malicious:	true
Preview:	<EncyptedKey>ZMAFPQWNZY56MLED7WKYS8O9APGNOH6<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Desktop\YPSIACHYXW\YPSIACHYXW.docx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.625155446379995
Encrypted:	false
SSDEEP:	12:ffx4mwyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fZ4WXIVYacqWrROzSzCufd5lwMYTy
MD5:	07669141E8D6AD77D14C5E7D05E7DC9B
SHA1:	C5F669CC6838BD3FFF1F7475E11625A705B1525B
SHA-256:	D83DF2B67D481442E698C1957EE9D6CC1E65DB29F17EAF29A5817D517B0F7A74
SHA-512:	AFFFACE21F721935955D403441D7283C19B9D6168A41B36AB1A055999327E270633A0CA255CA3E4F121CC8212A41E7A1FFA3C5EA72BBC2880AEF7B791E23DBCC
Malicious:	false
Preview:	<EncyptedKey>UBTEHL8VUYVUEBALI6KAQLDH07BF9KI<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Desktop\YPSIACHYXW\ZTGJILHXQB.mp3 Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.599532369262391
Encrypted:	false
SSDEEP:	12:fiDqyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fKXIVYacqWrROzSzCufd5lwMYTy
MD5:	C045D49CBD3FF98C9B557A9D33A96B53
SHA1:	A3593A66AD8ED3DFAF1409B15166B2EBE95A4915
SHA-256:	B7741249C4154121C2B66A1C9F9F67C75C96CECB2AFBF7E3379000BFD9D3F8BC
SHA-512:	C44B54589521ED8DEE2649E02CFFE898101644F80D16CC0A8A27CC684AF6BE909D1E214DD3E151B8D8D5C1FFCD64F29BD052DCD2FC15F639CAFDDA527044FDC5
Malicious:	false
Preview:	<EncyptedKey>8R1L52H719AZA7OK7AE7RDHPI8MOKK3<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Desktop\ZBEDCJPBEY.png Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	894
Entropy (8bit):	4.623714406382958
Encrypted:	false
SSDEEP:	12:fUbzrOhYkSkegCS5Ku7NRszUPKaCcCa9682VAzA7r/IMR2J+BR112Z:fWrOBRcONmARYsHQzIMsJSK
MD5:	F56F67643CFE581FA9BCE6978F4D5AA0
SHA1:	77E28D74CCBB34FE685CC4CFCCF4FFCC89946B56
SHA-256:	66DF275AF20768ED7E3E8422040149087A4789427186DF7751C4073236297BE2
SHA-512:	E6CA3DA809C56D1F4B51F4433E4F83A9787F346FCAA3E7AE01BFC8F66A5716255E369149F81B69B3155E62519756FC365BF3AB0D43D8F46DA50A17DAD447DD30
Malicious:	false
Preview:	<EncyptedKey>JJZHWOHZ04WQG8L9NV8S3207220HFYU<EncyptedKey> UUvvv70eNhoKbu+/vUXvv73vv73vv71bHe+/ve+/vQ5I77+9WO+/ve+/ve+/vTfvv70f77+9Y++/vT0wde+/vXtbce+/ve+/vRQMNlxaGu+/vWPvv73npZJu77+977+977+9Au+/ve+/ve+/vTrvv73vv704R3ZdNO+/ve+/ve+/vVMW77+977+9TO+/ve+/ve+/vXzvv71877+977+977+9bO+/vWl8QHnvv73vv73vv71UKSPvv70V77+9e++/ve+/vU5Se++/vdutE2wPCXjvv71hSXvbp++/vUYo77+9Zx5k77+9KO+/ve+/ve+/ve+/vQrvv73vv71Pau+/vRnvv73vv70sDO+/ve+/vX/vv73vv73Zgjo877+9w5Xvv71o77+9XFAa77+977+977+9WEpuHO+/ve+/vRDvv71l77+9GhxD77+977+977+977+9TgBGee+/vUcL77+954CU77+9c0rvv70fSe+/vRF677+977+9ck/vv71j77+9e++/vSRk77+977+9IDbvv73vv73vv71UJhEEEu+/vVbvv73vv71+77+977+977+9U++/vW7vv73vv73Lkm7vv70X77+9HO+/vUdTEwp6a0Lvv71o77+977+977+977+977+9cTrvv73vv70qdC4uIe+/vQPvv70T77+977+977+977+9T3N+fe+/ve+/vXPvv73vv73vv73vv73vv70H77+977+977+977+9IDPvv71j77+977+977+9GDFKB++/vVfvv70y77+9Cn1vem3Tr++/vTLvv73HikMZJ1jvv70z77+977+97om377+977+9ZWw=

C:\Users\user\Desktop\ZTGJILHXQB.mp3 Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	894
Entropy (8bit):	4.616777627869271
Encrypted:	false
SSDEEP:	12:f0RzrOhYkSkegCS5Ku7NRszUPKaCcCa9682VAzA7r/IMR2J+BR112Z:fCrOBRcONmARYsHQzIMsJSK
MD5:	C04CD7F249FFA9F4F0893D52BEF0B7EA
SHA1:	A3E1D2EB0CF49AC9EBB38DEEBAAA013CBAF08205
SHA-256:	8D93CD1EA223AEB349E54F56D27AD367E02CE848643EC0916DE48E873D674BC4
SHA-512:	A08770F743C2E780BD8F159DC9DF75645F0272CA0541B4852CB389CDCCA3A86E89C809D8E06F5AF1BC2A67FA122A30F5EDB674774FE8933D199B7F435E0017D4
Malicious:	false
Preview:	<EncyptedKey>XK23UHZYN35Z089UYQPXHC9VRT2O3XA<EncyptedKey> UUvvv70eNhoKbu+/vUXvv73vv73vv71bHe+/ve+/vQ5I77+9WO+/ve+/ve+/vTfvv70f77+9Y++/vT0wde+/vXtbce+/ve+/vRQMNlxaGu+/vWPvv73npZJu77+977+977+9Au+/ve+/ve+/vTrvv73vv704R3ZdNO+/ve+/ve+/vVMW77+977+9TO+/ve+/ve+/vXzvv71877+977+977+9bO+/vWl8QHnvv73vv73vv71UKSPvv70V77+9e++/ve+/vU5Se++/vdutE2wPCXjvv71hSXvbp++/vUYo77+9Zx5k77+9KO+/ve+/ve+/ve+/vQrvv73vv71Pau+/vRnvv73vv70sDO+/ve+/vX/vv73vv73Zgjo877+9w5Xvv71o77+9XFAa77+977+977+9WEpuHO+/ve+/vRDvv71l77+9GhxD77+977+977+977+9TgBGee+/vUcL77+954CU77+9c0rvv70fSe+/vRF677+977+9ck/vv71j77+9e++/vSRk77+977+9IDbvv73vv73vv71UJhEEEu+/vVbvv73vv71+77+977+977+9U++/vW7vv73vv73Lkm7vv70X77+9HO+/vUdTEwp6a0Lvv71o77+977+977+977+977+9cTrvv73vv70qdC4uIe+/vQPvv70T77+977+977+977+9T3N+fe+/ve+/vXPvv73vv73vv73vv73vv70H77+977+977+977+9IDPvv71j77+977+977+9GDFKB++/vVfvv70y77+9Cn1vem3Tr++/vTLvv73HikMZJ1jvv70z77+977+97om377+977+9ZWw=

C:\Users\user\Documents\CURQNKVOIX.png Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.632330990839639
Encrypted:	false
SSDEEP:	12:fwVNyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fwVQXIVYacqWrROzSzCufd5lwMYTy
MD5:	49580DB93F2DF77910B12E4445D2047E
SHA1:	2DB0D0021E3AA4F8E29A9432122A1355F94BB2E0
SHA-256:	A94CB302610F26EE7E38100FA1095EA3CCC97B76A637B1B46B67E29D04E76C0D
SHA-512:	96884B63F0992EF7B3667D99DC8FEF3B552C77891998EB10B94D4182A7D0A276E5ACBBFCABE0AF063A51593758F6D6B5D2B7F253FE9BE1445CF52F939995C442
Malicious:	false
Preview:	<EncyptedKey>HCHLB5AGT9AZ6JKQIJEMQCO0ALRZS4S<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Documents\JSDNGYCOWY.jpg Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.63356830603107
Encrypted:	false
SSDEEP:	12:fBe1yXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fs4XIVYacqWrROzSzCufd5lwMYTy
MD5:	8894A190B652EB42E5B5CBC96A005186
SHA1:	686EB7D6BE996FD530C8FC2AE896AF5FE08110FF
SHA-256:	9D2B877A0F5C401D49857A0534C934FAA715F35245B4AB5DB75100E4BBAE9CD0
SHA-512:	BDAE7656C92CC95B9D672A4F086450D5A4B9701E918D9C8437F7BE38C94CBB674C06412C117563BA7B9B9EDC164FE96E9114A05BB7882CA27092954CDD609452
Malicious:	false
Preview:	<EncyptedKey>S8SXTYGTK8PLCB7JOPQRSYXHFXRL0NL<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Documents\JSDNGYCOWY.xlsx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.621687586573752
Encrypted:	false
SSDEEP:	12:fmyq3ntJyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fmyqd0XIVYacqWrROzSzCufd5lwMYTy
MD5:	A02C7BF1842F738A365798B1E655A088
SHA1:	AB6AC328A6C92AEA465D1E334661201B897B5DA6
SHA-256:	4096F7A8EC5C053E363E9A6076AD87D29C147CD2D6BB85BCD98F5F928A4E0756
SHA-512:	BAF7F42E8C07EC09971E88EC4DDBA514E4E244C4131B4C73B23D35B1C1284DF83EEDF2D77ECF19B08B0A8DE8C7A7A9207851EAA8CD87D11FD9FD26817D5BBDC4
Malicious:	false
Preview:	<EncyptedKey>XZRS0OW12BZ3OB0LYCBDJCM94LLR5H5<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Documents\KZWFNRXYKI.pdf Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.6217665948647015
Encrypted:	false
SSDEEP:	12:fS9yXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fpXIVYacqWrROzSzCufd5lwMYTy
MD5:	7F9B2A63B72B2931633D807179B62BB6
SHA1:	13B8ED67A336C4D290F61919DD2DA647905D4F8A
SHA-256:	23A0E1161D542C203F9C2029387B897915C0EBCC188937789E40D9D0EAEDE07A
SHA-512:	A3395020DBFDF694745B476F54ED794E56B6EA02F762278866FF7380E776AE1C69432CE7C68ADD0E6F87656473A8E881D1914E995424DCCBA3FB8248612910B5
Malicious:	false
Preview:	<EncyptedKey>37W1WVTG51YXQ34IFPM2JYJCVNRXPDF<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Documents\NIKHQAIQAU.mp3 Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.624177711515188
Encrypted:	false
SSDEEP:	12:fVxuKyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fVxuxXIVYacqWrROzSzCufd5lwMYTy
MD5:	9A77C4897ADCE34D4BF62D75A499FCF1
SHA1:	FD4DC06DA5C9C0D3E2420E513F4386164574F553
SHA-256:	11B2EB1D2F6E9FB8A980EF0C2B002CC1F513118C894F5C723890BDF9F4767B95
SHA-512:	118F8E3C08D63E8BE4754C39FA68EB8308A01EC660F6A05D5FD8C19FA00A71EC988C0ABB0A35B197A39C514D85C8FB99D84B84A585EBDF1F78FB543D2BCE4144
Malicious:	false
Preview:	<EncyptedKey>5VF551JEZF5GLUP5G9CFCTPWFXUGJE5<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Documents\NIKHQAIQAU.pdf Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.6027591778676715
Encrypted:	false
SSDEEP:	12:fDEY5uyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:fDv5NXIVYacqWrROzSzCufd5lwMYTy
MD5:	D63B5466419D0571F54B5595A80D62AE
SHA1:	23C8AD8F0E29B7632AA3C20EFC85956528D5BC5B
SHA-256:	DA9D169B5FC552CCEA5C5064649C4D2F08B6FED43878C4CB9C6801800413254F
SHA-512:	515432E2571C1C9CEA111418E4D7F6F16BEF5D220D3132D5CBC080B612EB186B3306619A8A1E9AE6D76D9622D89B067B52DA5A3C2594AB2DAFD7C3733B8B8D5B
Malicious:	false
Preview:	<EncyptedKey>12W3CK79R5KWWNR7SGRKYM7CMGT0HHD<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Documents\RAYHIWGKDI.jpg Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.618054957362943
Encrypted:	false
SSDEEP:	12:fUIqyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3jhCh:f1XIVYacqWrROzSzCufd5lwMYTy
MD5:	4F95D309BC390D56A46097AC145212EE
SHA1:	47004D94C111085453704F4685F7D9B9BACF1941
SHA-256:	1AB27201264FAE26E81CE9E33348A183A3DE097E53FD2757437E80F6BBBA9649
SHA-512:	8E71B768EB8F13189B39323DC3DB72E5174B90EC6A62D0902489B526C7D07A9F523343D0B36BFFF7D42E7AC6C403E6D5D03D5359EC0D3B80E9504D0858359C42
Malicious:	false
Preview:	<EncyptedKey>5VJEOZ1MVJAVJ172IXZBA13HO4TR61G<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv71J77+9Mu+/vRfvv70677+977+977+977+9Nibvv71C77+9U++/ve+/vWzvv70VauuZig==

C:\Users\user\Documents\WUTJSCBCFX.docx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.540796051781105
Encrypted:	false
SSDEEP:	24:fKRFJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:u8VHpvaTOgn
MD5:	79FBA181ED318A06AD7E7D3E242ADBEA
SHA1:	D67E37582467448432904C277C4B53D0549419D0
SHA-256:	DD30C40A8AED25E302BB16B13EE5FDE88C75114695F3998E9F0419640828B00E
SHA-512:	27EEA4FE28749DF430EED86804F5A570D25AA2D7EC0FE0FBC2722C57FBCB800C9B1EE7B0132C08B82D8749FC800B8438FB6B040F76FD018FD552C4F888BA1B0C
Malicious:	false
Preview:	<EncyptedKey>1J2PANJDI036BX1XLONKCSFCD2BZTFJ<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\WUTJSCBCFX\JSDNGYCOWY.jpg Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.5319260782705335
Encrypted:	false
SSDEEP:	24:f6iyFJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:iiy8VHpvaTOgn
MD5:	14714B1F710C06A5AAC58FB02F8C241B
SHA1:	4F83233BE6276C0ABC5761DBEAD724214679EDFC
SHA-256:	64C5B4A7ACA66BE8145128AF3DC4BA58A8F044A072EBDDB7F190EE3C042B1301
SHA-512:	800D242185A4CF7F7DEFEC41D0ECE753E41F145A905730604488323B4C754EAAF61BFA1F3652888C400898245BC6735F323957E8ACFB661B112A439759628B98
Malicious:	false
Preview:	<EncyptedKey>D20BUH3VKCVJ107RZ2RWASWWIRHHY7X<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\WUTJSCBCFX\KZWFNRXYKI.pdf Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.537183629287018
Encrypted:	false
SSDEEP:	24:f3NFJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:fJ8VHpvaTOgn
MD5:	335DE29DE04F28A5E35D5C42C78CD8DF
SHA1:	247CEE7686C9E46CF13C5AC94841B9270B144E7F
SHA-256:	29ABD0A3ACD4F4FABAB37A5F2EE230F7BA5B559E4BE73516B84B62403C5C3B16
SHA-512:	F194FF761031CA1F14F6F40CD33E60D2A43EE9A298CB1DC6FACBD93544F9C15868F64FA7F55F47B03115245703309A4F8D2ABF2CF0C767089AC53023CA314F5E
Malicious:	false
Preview:	<EncyptedKey>OPYKQV12Q326KGZGCX1IBZ8NVGE3DAV<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\WUTJSCBCFX\NIKHQAIQAU.mp3 Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.522990660315083
Encrypted:	false
SSDEEP:	24:fBBFJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:j8VHpvaTOgn
MD5:	398E0FEA4275BDD2F00E0D245AB77B1D
SHA1:	47083B133E4CAD52D5E1062BC1B9DFC184608204
SHA-256:	CAE0822980FBB9EE1C9F4AC4A6E8E3A2AD63E5C3B2D663C5C845E17A9321CC01
SHA-512:	B4522BFC2DECEC5FE3DC4FAF106A2E94BA1CE5565B4D296B22922E38C4805EE0F3D038A2AADC6D2DEB719668D64F84107EEA9EAA214229DC13FF38067E16DDC2
Malicious:	false
Preview:	<EncyptedKey>7NPG3DQQ579B3HWLPSLEU6YVZRLZJR7<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\WUTJSCBCFX\WUTJSCBCFX.docx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.5543761344494
Encrypted:	false
SSDEEP:	24:f/An5FJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:yt8VHpvaTOgn
MD5:	3B8A2CCF485621C81F9D6AC3EEB10A1D
SHA1:	F34E146AE633A8854CCCD446C8521AF1A5F3B1FF
SHA-256:	0B3C5469DEE88A3E60AE36A4331EDD64E0223CF2571629ECFF19A5E9720EFF27
SHA-512:	FADD5D14DCE2718C1C03BBC037BBDF2707B64F00B5B3692D9928E2736D743C35C513919519631F2389A8EE120DB6C6CCB81865FE275FE4232CC83CBD97BFF8F8
Malicious:	false
Preview:	<EncyptedKey>ZQH5S5A5CWG6KCYEF85ZK25BAY3RM20<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\WUTJSCBCFX\YPSIACHYXW.xlsx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.5316418352280365
Encrypted:	false
SSDEEP:	24:fZlFJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:xB8VHpvaTOgn
MD5:	51DAC1A927500F15ADAD9869F907FB76
SHA1:	07833082E521667FEFD9113D33609CAB16B4A64D
SHA-256:	EBBEF7B0E6859FEF57F41B9F799D8A3392C62B84BBDA0C019F26978918CF9D42
SHA-512:	E05DA9A75874144E85235F62A4E7EF8402BC78C7E8E9CECB38663C9432503DD5FA873FF7C32B0CA3C704C598F5865FBE946ED5947614E41B5D94285F9F0824C5
Malicious:	false
Preview:	<EncyptedKey>HN9KVVMDPPXIROAOTAMF0N1X7UG44CS<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\WUTJSCBCFX\ZBEDCJPBEY.png Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.537202449069256
Encrypted:	false
SSDEEP:	24:fmpFJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:w8VHpvaTOgn
MD5:	11CF3B56998E51077F9FA7E7607FF4FC
SHA1:	4F2B245216A74DD0D5D50ADD4C1200E3E683F80C
SHA-256:	6D983AA4405BC2790051FDB5CD03BA1675A6CCA6691A75C3AF5B16A5191EA6E3
SHA-512:	6B806ADB308A939B8BAF26886FC9DDE50ADAB64380B6962EC7C3833B54E63A9178239F6B92382895EA52B78D9C63684D6D5E840A5AB0E26EF016B584F43D4526
Malicious:	false
Preview:	<EncyptedKey>TK68SK1DT25QKXUOXAKJQ9W93WMMAPR<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\YPSIACHYXW.docx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.53355053739454
Encrypted:	false
SSDEEP:	24:f5MFJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:W8VHpvaTOgn
MD5:	36FDD4059F6BB2F6A318173EBCF75C5B
SHA1:	C4BB8EE3C17BB3F7100DB07F21830E06B592BADD
SHA-256:	04C93966050EFE378D6B97CF026EF3E40F5253736585DC4B3D5056BFB0505503
SHA-512:	9D2A093BD3AAEF8A94761B8D4730C455F1AE1E58C3C9B20B21C697EF0F2BF4339AAE5E90DDA346C4935172E5841EEC06C29BB2548E163FDCA5F16D64631C9754
Malicious:	false
Preview:	<EncyptedKey>Q3CJMRL7O9URLH51TXGICSQDJDZMHLT<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\YPSIACHYXW.xlsx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.540285395391444
Encrypted:	false
SSDEEP:	24:fNd3FJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:ldj8VHpvaTOgn
MD5:	12BE20E6BB70C1648C12AE52A110FF04
SHA1:	DD2BFE95514BE65C24E25C418251251778A7A13C
SHA-256:	8382044036D227A05FF592F1C565F4987E100CF01566BCE9BFDD680CAF25DF8D
SHA-512:	B736C267A77C2BFFFCF8537899002A4920B9F4D8B137A428C0ABF7B1FB390060C0911ECD04384EC4797F73BB4D8F03E08EF592C894496C6619F663BC9575756A
Malicious:	false
Preview:	<EncyptedKey>TDQNC8OOG9R9KSA45HBSBN6H7M8AI18<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\YPSIACHYXW\CURQNKVOIX.png Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.5230632437527465
Encrypted:	false
SSDEEP:	24:fmFJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:G8VHpvaTOgn
MD5:	3D3CA0210F0463E71A6EC9F79FEB6567
SHA1:	F9A2C4E79EFBFE9559ECBA977AD17EBF51BF65DA
SHA-256:	196BD05F04E49DC46037835F07C41444A7E66F626C2538D8C795B0BD17DCE93F
SHA-512:	A6B3E2A21AD84CA38F982D1C6CE03956FDC45AC56BF2B2B70431F789C211E4BB49D146F3710EA0A5EB22681B5C883AA17B1C5D18EC2B3F7C199B5EEE587282B3
Malicious:	false
Preview:	<EncyptedKey>IN6D7VPRD173N57R9NGS4U2CUY7E68P<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\YPSIACHYXW\JSDNGYCOWY.xlsx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.545688684402041
Encrypted:	false
SSDEEP:	24:flEt3AyFJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:iR8VHpvaTOgn
MD5:	055DF90CF6A7C7FDB5B73AAF6DCA3F1F
SHA1:	7131E49D0311DE6C5FA0E59CCD3CC21F4EE85C5A
SHA-256:	5EEC79464A775885B5A6BBF6EEEF72EE66C6304B3351D5E2252EB39B48DF866E
SHA-512:	A74F163E6AB4578FAB2A6877D2CB7268F88BF810B19B3362057DD022A16E3714A496EF8DFCC68C2B3C7C74F54A7758FE0F2CDA1061FE52D5CC5FFD74746B7712
Malicious:	false
Preview:	<EncyptedKey>CELWCOTW2HSHRTGJD6FM946WYU4TJYL<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\YPSIACHYXW\NIKHQAIQAU.pdf Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.533781606364676
Encrypted:	false
SSDEEP:	24:f6FJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:i8VHpvaTOgn
MD5:	DAC0A433BADC7CDD560979AC576579D0
SHA1:	E649680A80F45E00BFF705FE69193E2A464CC8ED
SHA-256:	680925E837241BAD077BBFBE3D98EEFFF29EC069BDF11157545061BB4CB80262
SHA-512:	48F98551239E6F0FE69D430D9492F49CDC713E35B4E85321F450CF2321AB98DF39634078AAF1BFB9A49461C0B26ECDC13E764A6757732F798DD60C21D80ACD16
Malicious:	false
Preview:	<EncyptedKey>VEM4YBI4DP0NLMMKSNO3I1VQHIY7STA<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\YPSIACHYXW\RAYHIWGKDI.jpg Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.5558295960945205
Encrypted:	false
SSDEEP:	24:fJyPFJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:c78VHpvaTOgn
MD5:	7286A64FA754B083B10458D1BA1968EC
SHA1:	FE4217686062BC6ED5F526CB32A39F8DCCFF8087
SHA-256:	4A6AEA31FFB4D2D3A8907B4E6C93777B9B51B733F24152DBC0365F8848152943
SHA-512:	115929FA5158AEA733E8204D9B1FD9A4D01D3013ABC97CBC1BC8F4043713A2128369D26728AE46F058F989A629CAB2B8F69F60474F29250D321A70519B84FF70
Malicious:	false
Preview:	<EncyptedKey>NE66CFYRH4BB6IRUKLJLF44D4T6XQNK<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\YPSIACHYXW\YPSIACHYXW.docx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.541279694010864
Encrypted:	false
SSDEEP:	24:fPSFJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:C8VHpvaTOgn
MD5:	741636386601B5FA8FC268F385728C11
SHA1:	AFA053ACC68D16FF877819408E039F30C038A30C
SHA-256:	9F4C0E57CC0BADD7AF51DEFA835DAF896539AE9B7F779CA5423289719CC0DB24
SHA-512:	86CCF018E2E57CF213E789622B74BBF75950A958CDA34EEEE91DE30DAA27CAA315E93E220ED00DD109916C7A0EF370ADA8ED6AD85498650A780424A98165AD86
Malicious:	false
Preview:	<EncyptedKey>MTPNIOQKF36G8GZYI0XNWII5SJ3BTJB<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\YPSIACHYXW\ZTGJILHXQB.mp3 Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.54178285597114
Encrypted:	false
SSDEEP:	24:f7b/PFJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:XD8VHpvaTOgn
MD5:	E56BE23BB5CBB508E822507505B990A9
SHA1:	7543080A3B52BFDDF5552E4986800457D0BB414E
SHA-256:	769F040828DA80EDDA0157C72088E466EE7EACEDEBD80DA4FC69C5F1CD0D3536
SHA-512:	2F4E323894397E438D106E51B01749424A34E9D961B629DFEBE94B2E3927FF52674E1A3389D8DEE2E77053054AA6E2D4397BA52377D4FCC503C0ED2C96007AC4
Malicious:	false
Preview:	<EncyptedKey>B3UZSR4IG4BDRJX66F4X63AYDLU49VO<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\ZBEDCJPBEY.png Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.523048930514733
Encrypted:	false
SSDEEP:	24:fuFJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:u8VHpvaTOgn
MD5:	D5BC385F45AE2FD43B7A6DFD5319A671
SHA1:	42314DC237A5325B44C2003412539CADDA3A6769
SHA-256:	E1A4A7B7E0CD56ECB47C66F5C7B63509058E0376DD189C0874982C3860432BB4
SHA-512:	9AF357765BB64F17465AF9429A2F6A70A455F4CD9AF3B231C998469E0E12F64E863DC761C9BAA13B0ACCB2A06F578AABBC681488386D9C53DF2F91858D3DEB79
Malicious:	false
Preview:	<EncyptedKey>ZCPAO4332FI9IUSFVIJ3FF3SGGJPZ9O<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Documents\ZTGJILHXQB.mp3 Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.527414799150541
Encrypted:	false
SSDEEP:	24:f8hU3FJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:Uej8VHpvaTOgn
MD5:	7A660A3CAC2DA2C0D6120BA9A344BD92
SHA1:	9DD0071C74DB08B15C3F7CCB0F7D1B18317062D7
SHA-256:	11EA68A9871667019F29C70E818EE9F427F436A27A2F4D200413D5F8404101F1
SHA-512:	0136F35F4467521E9C30C392920DB4B14AF2113C6F9B2642A50C6C17E9E2391E26F1039A99B25604C703419612F383E52C5551A8A4C1CA84EE7E82D122D534DB
Malicious:	false
Preview:	<EncyptedKey>GPA175SWACOIM3NYWOHN2873UI74HUO<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Downloads\CURQNKVOIX.png Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.539375211498022
Encrypted:	false
SSDEEP:	24:fgmFJvrgO4XDlibvAWypyoa+k6uojyzMFWGhUn:4O8VHpvaTOgn
MD5:	5D810EF9898F3E9647BA4A53BEE5D383
SHA1:	7816C111C46AF71AF1C732852A42C0CBC2FA9C12
SHA-256:	75CBEE47AC3B7F9B5A3CB8E5EA13F94D6AD957129C0C1B2A698FA9BD021B0FDB
SHA-512:	132C1DB81743C661758A8DF83F2B70103CEC5E4F2975AB3F42F6205D467BC26D4677E6DDAF2E168CB56274BBEBA7006F89DB62DD53AC10C826F94E66D2B0EE68
Malicious:	false
Preview:	<EncyptedKey>1625NORGHNSRTUF0V4N65YVEI35WH79<EncyptedKey> 77+9chTvv73vv73vv73esO+/vQzvv73vv73Qqu+/ve+/vRjvv71477+9Le+/vX/Gnu+/vTjvv704Su+/vVMtU9Ov77+977+977+977+9Ju+/vV/FuO+/vTvvv71T77+9Ge+/ve+/vXfvv73vv73vv70GV86l1p7vv70IZe+/vVYf77+9Chrvv73vv73vv71v77+977+9Dhbvv73vv73vv71iMBzvv73vv73vv71SGu+/ve+/vSJPH++/ve+/vVLvv73vv71tVe+/ve+/ve+/ve+/ve+/vTzvv73vv73vv71ANO+/vVA777+977+977+977+977+9J3MM77+9Q0/vv73vv73vv70x77+9PjDvv70w77+977+977+9amM+77+9Ze+/vSjvv73vv70N0Jfvv70177+9ce+/ve+/ve+/vWrvv73vv73vv73vv708D3/vv70f77+9YGcJG0Vp77+9PA1PZUNr77+9KyM5f++/ve+/ve+/ve+/vUYvfWdf77+9Vj1s77+9P++/vWnvv73vv73vv70277+9Z347BF3vv70V77+9GO+/vQAdYO+/ve+/vW3vv73vv73vv70CRe+/ve+/vRLvv71jLDnvv73vv71d77+9aO+/vSXvv71C77+977+9Uu+/ve+/ve+/vT1P77+977+977+977+977+977+9KDPvv73vv73vv70pC++/vVTvv73vv714cO+/vW0o77+977+977+9Gcuw77+977+9NdWq77+9R++/ve+/vWxmNGvvv71d77+9Ntende+/vREIzJoSZFtOS++/vVzvv73vv73eklNhF++/ve+/vSzvv70LCu+/vQJ2OBhJQQ==

C:\Users\user\Downloads\JSDNGYCOWY.jpg Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	4.649932206309949
Encrypted:	false
SSDEEP:	12:fkYYlDNJGAgbQ7h+N3OeCH+IcOliJea8cO7O5VNOXj/OoVTDh4OaMKVqrWHy:fkXDv1FYkeCeIcOlicMYGi/OSxfHWHy
MD5:	EAE38ED692C7D8914CBF030D10B2EE59
SHA1:	C66B443572E427054EC7F0B7FD4052672BDC682E
SHA-256:	29A58FF458506328030A759921BB6CAE7FCD5BF0112A224EAC2F3E8DE2792DAF
SHA-512:	A46D7161C414C8B355BD1706F02E071DD77B7E9CC9B004C117BA4D80E81AC89A970BEEDFF16EBD94CE1CE2AB68F7DA6C541D1D32991437C89C00A9811A04B93C
Malicious:	false
Preview:	<EncyptedKey>JUPKHZOKRP8XKNLQE8U8AVYSCKXXTT5<EncyptedKey> 77+9Te+/vVPvv73vv73vv70MRTXvv71tDe+/ve+/vQ7vv73vv70iQSM277+9fNeI77+977+977+977+9EO+/vXTvv71M77+977+9akTvv71D77+9SSTvv73Lr++/vWZe77+977+9cz7vv73vv73vv71JezAdB3J+JDnvv70h77+9OWUX77+9Wu+/vXTtjY4M77+9HlY8Nu+/vUc1Qu+/ve+/vV/vv70T77+9Oz3vv73vv73vv73Sjhst77+9ee+/vRlANe+/vQ7vv71vWO+/ve+/vTZI77+977+977+977+977+9QQUp77+977+977+9NiHvv73vv706SQIpQu+/ve+/vS7vv70M77+977+9fu+/ve+/ve+/vQfvv71b77+9Du+/vUPvv73vv71QYWl977+977+977+977+9NQ/vv73vv73vv70R77+977+977+977+9WGHvv73vv70FOS/vv70yFCvvv73vv70+T2ww77+9eA1maO+/vUnvv73vv70BFO+/vUoBQO+/vWPvv73vv73vv73vv71jRO+/ve+/vU7vv70Jdz1K77+9H++/ve+/vVXvv71577+9YCZWNxvvv73vv70S77+9W++/ve+/vcahYTQ+chnvv70/NHHvv71w77+9aATvv70b77+977+9RGgNDO+/vU1m77+9H++/ve+/ve+/vVhA77+9Ie+/vQbWrCHvv73vv71/77+977+9fw3vv73vv71xCMqBOFQn77+9Je+/vTcgdu+/vRjvv71/KGnJlu+/ve+/vUYjdifvv70If++/vSAfcO+/vRzvv70HRu+/ve+/vQ==

C:\Users\user\Downloads\JSDNGYCOWY.xlsx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	4.626672213777288
Encrypted:	false
SSDEEP:	12:f+gYlDNJGAgbQ7h+N3OeCH+IcOliJea8cO7O5VNOXj/OoVTDh4OaMKVqrWHy:f+fDv1FYkeCeIcOlicMYGi/OSxfHWHy
MD5:	FE9D2B902FEE85DF87A49C3BBA8DBEF4
SHA1:	F29EA1FC3AE9150437AC8309E80B08ED1E37C5BA
SHA-256:	242700130A888629ACB3AFF1CAC17167FD1EE90CD136379885A0F3E40A820194
SHA-512:	D9807681664F254A58392D0580F99951BA767790A1B12FD54DA1EF18FD25A47B447AF1C597AB5C8EE77D4FB04189B954168F4BCED4AC4BAF7F2D07A446FE21C5
Malicious:	false
Preview:	<EncyptedKey>9JNJ6EK7BHU5R7BK16N1XW99X56I6B1<EncyptedKey> 77+9Te+/vVPvv73vv73vv70MRTXvv71tDe+/ve+/vQ7vv73vv70iQSM277+9fNeI77+977+977+977+9EO+/vXTvv71M77+977+9akTvv71D77+9SSTvv73Lr++/vWZe77+977+9cz7vv73vv73vv71JezAdB3J+JDnvv70h77+9OWUX77+9Wu+/vXTtjY4M77+9HlY8Nu+/vUc1Qu+/ve+/vV/vv70T77+9Oz3vv73vv73vv73Sjhst77+9ee+/vRlANe+/vQ7vv71vWO+/ve+/vTZI77+977+977+977+977+9QQUp77+977+977+9NiHvv73vv706SQIpQu+/ve+/vS7vv70M77+977+9fu+/ve+/ve+/vQfvv71b77+9Du+/vUPvv73vv71QYWl977+977+977+977+9NQ/vv73vv73vv70R77+977+977+977+9WGHvv73vv70FOS/vv70yFCvvv73vv70+T2ww77+9eA1maO+/vUnvv73vv70BFO+/vUoBQO+/vWPvv73vv73vv73vv71jRO+/ve+/vU7vv70Jdz1K77+9H++/ve+/vVXvv71577+9YCZWNxvvv73vv70S77+9W++/ve+/vcahYTQ+chnvv70/NHHvv71w77+9aATvv70b77+977+9RGgNDO+/vU1m77+9H++/ve+/ve+/vVhA77+9Ie+/vQbWrCHvv73vv71/77+977+9fw3vv73vv71xCMqBOFQn77+9Je+/vTcgdu+/vRjvv71/KGnJlu+/ve+/vUYjdifvv70If++/vSAfcO+/vRzvv70HRu+/ve+/vQ==

C:\Users\user\Downloads\KZWFNRXYKI.pdf Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	4.632610617039884
Encrypted:	false
SSDEEP:	12:fq7VfYlDNJGAgbQ7h+N3OeCH+IcOliJea8cO7O5VNOXj/OoVTDh4OaMKVqrWHy:fkVIDv1FYkeCeIcOlicMYGi/OSxfHWHy
MD5:	F7E3D2E99DE75EB213A2CCB962C533C4
SHA1:	2CED8BE53F1F35FE28DB99B2132AE702CC7C772B
SHA-256:	897C33C3871F7BA21012A53E51036F9A788EBEFE54E80298C5F2BDD88DAE84F1
SHA-512:	8B63710E8C204B886AE09A517A07F6BA57B091A4D56A0030430B415D2A2C8898CBAF409CFDF5E194252A6B62251E42B5263A14AD7185482FFBFAA8D795646E9D
Malicious:	false
Preview:	<EncyptedKey>08U8O7EOM3AT0PZHVA960G2HNJNVAHC<EncyptedKey> 77+9Te+/vVPvv73vv73vv70MRTXvv71tDe+/ve+/vQ7vv73vv70iQSM277+9fNeI77+977+977+977+9EO+/vXTvv71M77+977+9akTvv71D77+9SSTvv73Lr++/vWZe77+977+9cz7vv73vv73vv71JezAdB3J+JDnvv70h77+9OWUX77+9Wu+/vXTtjY4M77+9HlY8Nu+/vUc1Qu+/ve+/vV/vv70T77+9Oz3vv73vv73vv73Sjhst77+9ee+/vRlANe+/vQ7vv71vWO+/ve+/vTZI77+977+977+977+977+9QQUp77+977+977+9NiHvv73vv706SQIpQu+/ve+/vS7vv70M77+977+9fu+/ve+/ve+/vQfvv71b77+9Du+/vUPvv73vv71QYWl977+977+977+977+9NQ/vv73vv73vv70R77+977+977+977+9WGHvv73vv70FOS/vv70yFCvvv73vv70+T2ww77+9eA1maO+/vUnvv73vv70BFO+/vUoBQO+/vWPvv73vv73vv73vv71jRO+/ve+/vU7vv70Jdz1K77+9H++/ve+/vVXvv71577+9YCZWNxvvv73vv70S77+9W++/ve+/vcahYTQ+chnvv70/NHHvv71w77+9aATvv70b77+977+9RGgNDO+/vU1m77+9H++/ve+/ve+/vVhA77+9Ie+/vQbWrCHvv73vv71/77+977+9fw3vv73vv71xCMqBOFQn77+9Je+/vTcgdu+/vRjvv71/KGnJlu+/ve+/vUYjdifvv70If++/vSAfcO+/vRzvv70HRu+/ve+/vQ==

C:\Users\user\Downloads\NIKHQAIQAU.mp3 Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	4.632052932380862
Encrypted:	false
SSDEEP:	12:fshYlDNJGAgbQ7h+N3OeCH+IcOliJea8cO7O5VNOXj/OoVTDh4OaMKVqrWHy:fsmDv1FYkeCeIcOlicMYGi/OSxfHWHy
MD5:	4FC4EA60411EDA1A2E600743E8189CB2
SHA1:	A72329EED955D49FE0B868D91ABC68E636FD33B4
SHA-256:	435C1AF6E1B7F218A3F8946AD35670ABCD45CCDBE6949D7BDAB8C566148EE0BB
SHA-512:	81E76ACA4E999330A2D2C28576A16101B4E1F7BAEA559021088FF667CA5DF43261252760E45FDA048C9C8FF501514688005EB2681CAB5ACEAE1EEE29A5B46644
Malicious:	false
Preview:	<EncyptedKey>AAQ3768XNWRA7WCIU8YKH6EAUGNUETS<EncyptedKey> 77+9Te+/vVPvv73vv73vv70MRTXvv71tDe+/ve+/vQ7vv73vv70iQSM277+9fNeI77+977+977+977+9EO+/vXTvv71M77+977+9akTvv71D77+9SSTvv73Lr++/vWZe77+977+9cz7vv73vv73vv71JezAdB3J+JDnvv70h77+9OWUX77+9Wu+/vXTtjY4M77+9HlY8Nu+/vUc1Qu+/ve+/vV/vv70T77+9Oz3vv73vv73vv73Sjhst77+9ee+/vRlANe+/vQ7vv71vWO+/ve+/vTZI77+977+977+977+977+9QQUp77+977+977+9NiHvv73vv706SQIpQu+/ve+/vS7vv70M77+977+9fu+/ve+/ve+/vQfvv71b77+9Du+/vUPvv73vv71QYWl977+977+977+977+9NQ/vv73vv73vv70R77+977+977+977+9WGHvv73vv70FOS/vv70yFCvvv73vv70+T2ww77+9eA1maO+/vUnvv73vv70BFO+/vUoBQO+/vWPvv73vv73vv73vv71jRO+/ve+/vU7vv70Jdz1K77+9H++/ve+/vVXvv71577+9YCZWNxvvv73vv70S77+9W++/ve+/vcahYTQ+chnvv70/NHHvv71w77+9aATvv70b77+977+9RGgNDO+/vU1m77+9H++/ve+/ve+/vVhA77+9Ie+/vQbWrCHvv73vv71/77+977+9fw3vv73vv71xCMqBOFQn77+9Je+/vTcgdu+/vRjvv71/KGnJlu+/ve+/vUYjdifvv70If++/vSAfcO+/vRzvv70HRu+/ve+/vQ==

C:\Users\user\Downloads\NIKHQAIQAU.pdf Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	4.646604469415878
Encrypted:	false
SSDEEP:	24:fxGpNDv1FYkeCeIcOlicMYGi/OSxfHWHy:cdPxL/fBb
MD5:	1B66D18F99A823FA123D3CE67AEA9683
SHA1:	47C197D72AD8E37A98ADE605385C9CD5ADC843C9
SHA-256:	8C8C46339B48A3C86C4B5F8692A2BDF1775F409BDFD4B3DA9010D0A026A723DF
SHA-512:	7E8FBAF956D0BC92472CEDACDCC33A2326854D4476C36AAA522ED8EF2937DFE0A8BC79BD70F97FDF3A40CEB65AAA62FF9A067DC3DACA47B22EDF9F19DDC85979
Malicious:	false
Preview:	<EncyptedKey>OE1ATKW2KWNWJJF4ULB3XM65D5PI0TO<EncyptedKey> 77+9Te+/vVPvv73vv73vv70MRTXvv71tDe+/ve+/vQ7vv73vv70iQSM277+9fNeI77+977+977+977+9EO+/vXTvv71M77+977+9akTvv71D77+9SSTvv73Lr++/vWZe77+977+9cz7vv73vv73vv71JezAdB3J+JDnvv70h77+9OWUX77+9Wu+/vXTtjY4M77+9HlY8Nu+/vUc1Qu+/ve+/vV/vv70T77+9Oz3vv73vv73vv73Sjhst77+9ee+/vRlANe+/vQ7vv71vWO+/ve+/vTZI77+977+977+977+977+9QQUp77+977+977+9NiHvv73vv706SQIpQu+/ve+/vS7vv70M77+977+9fu+/ve+/ve+/vQfvv71b77+9Du+/vUPvv73vv71QYWl977+977+977+977+9NQ/vv73vv73vv70R77+977+977+977+9WGHvv73vv70FOS/vv70yFCvvv73vv70+T2ww77+9eA1maO+/vUnvv73vv70BFO+/vUoBQO+/vWPvv73vv73vv73vv71jRO+/ve+/vU7vv70Jdz1K77+9H++/ve+/vVXvv71577+9YCZWNxvvv73vv70S77+9W++/ve+/vcahYTQ+chnvv70/NHHvv71w77+9aATvv70b77+977+9RGgNDO+/vU1m77+9H++/ve+/ve+/vVhA77+9Ie+/vQbWrCHvv73vv71/77+977+9fw3vv73vv71xCMqBOFQn77+9Je+/vTcgdu+/vRjvv71/KGnJlu+/ve+/vUYjdifvv70If++/vSAfcO+/vRzvv70HRu+/ve+/vQ==

C:\Users\user\Downloads\RAYHIWGKDI.jpg Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	4.655034196084803
Encrypted:	false
SSDEEP:	12:fWZyV1YlDNJGAgbQ7h+N3OeCH+IcOliJea8cO7O5VNOXj/OoVTDh4OaMKVqrWHy:fW0EDv1FYkeCeIcOlicMYGi/OSxfHWHy
MD5:	D41D8AF57C959827565B31B193FAFF08
SHA1:	84E85B38462246498B1458AA03E7F7EAA12C4CCD
SHA-256:	4A91FD5AE5D134AFBF9494FFD5B425C8E1E143CA4BF3E22E47DF3B741A314568
SHA-512:	F79FE87695175FF3ED3E790B0BC672062A69EE7883926402CC4507A3C2983DE7DF86130BF59E941BD6B25CCADED9CFE3EC6401F4AE2D67D076A31DE727E5823E
Malicious:	false
Preview:	<EncyptedKey>T4ED6GWT87FNY3K41PL2JDZ4BH56X5N<EncyptedKey> 77+9Te+/vVPvv73vv73vv70MRTXvv71tDe+/ve+/vQ7vv73vv70iQSM277+9fNeI77+977+977+977+9EO+/vXTvv71M77+977+9akTvv71D77+9SSTvv73Lr++/vWZe77+977+9cz7vv73vv73vv71JezAdB3J+JDnvv70h77+9OWUX77+9Wu+/vXTtjY4M77+9HlY8Nu+/vUc1Qu+/ve+/vV/vv70T77+9Oz3vv73vv73vv73Sjhst77+9ee+/vRlANe+/vQ7vv71vWO+/ve+/vTZI77+977+977+977+977+9QQUp77+977+977+9NiHvv73vv706SQIpQu+/ve+/vS7vv70M77+977+9fu+/ve+/ve+/vQfvv71b77+9Du+/vUPvv73vv71QYWl977+977+977+977+9NQ/vv73vv73vv70R77+977+977+977+9WGHvv73vv70FOS/vv70yFCvvv73vv70+T2ww77+9eA1maO+/vUnvv73vv70BFO+/vUoBQO+/vWPvv73vv73vv73vv71jRO+/ve+/vU7vv70Jdz1K77+9H++/ve+/vVXvv71577+9YCZWNxvvv73vv70S77+9W++/ve+/vcahYTQ+chnvv70/NHHvv71w77+9aATvv70b77+977+9RGgNDO+/vU1m77+9H++/ve+/ve+/vVhA77+9Ie+/vQbWrCHvv73vv71/77+977+9fw3vv73vv71xCMqBOFQn77+9Je+/vTcgdu+/vRjvv71/KGnJlu+/ve+/vUYjdifvv70If++/vSAfcO+/vRzvv70HRu+/ve+/vQ==

C:\Users\user\Downloads\WUTJSCBCFX.docx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	4.6283590401171235
Encrypted:	false
SSDEEP:	12:fB1tKdfYlDNJGAgbQ7h+N3OeCH+IcOliJea8cO7O5VNOXj/OoVTDh4OaMKVqrWHy:fPKIDv1FYkeCeIcOlicMYGi/OSxfHWHy
MD5:	2830C71983E083F38CC057F1774A819B
SHA1:	69090ACEE9B4B9FF92EFD0ADA8FA4C64F38CD114
SHA-256:	93CF255A4079AF9878AE2094F5FC9349208028B907816E6CD8796C850D0D8900
SHA-512:	D86963BFE2F7A643A2D0CBA7D137DBB7D50C34342449A3FA1A16700308A16E033CC4CE21E990E06BD5C9919FE5945E2A81BF06FAE1BD7828B7FB900AFF905979
Malicious:	false
Preview:	<EncyptedKey>B1I41FFIY71D5R9IB3AY3O0EQEJBZK0<EncyptedKey> 77+9Te+/vVPvv73vv73vv70MRTXvv71tDe+/ve+/vQ7vv73vv70iQSM277+9fNeI77+977+977+977+9EO+/vXTvv71M77+977+9akTvv71D77+9SSTvv73Lr++/vWZe77+977+9cz7vv73vv73vv71JezAdB3J+JDnvv70h77+9OWUX77+9Wu+/vXTtjY4M77+9HlY8Nu+/vUc1Qu+/ve+/vV/vv70T77+9Oz3vv73vv73vv73Sjhst77+9ee+/vRlANe+/vQ7vv71vWO+/ve+/vTZI77+977+977+977+977+9QQUp77+977+977+9NiHvv73vv706SQIpQu+/ve+/vS7vv70M77+977+9fu+/ve+/ve+/vQfvv71b77+9Du+/vUPvv73vv71QYWl977+977+977+977+9NQ/vv73vv73vv70R77+977+977+977+9WGHvv73vv70FOS/vv70yFCvvv73vv70+T2ww77+9eA1maO+/vUnvv73vv70BFO+/vUoBQO+/vWPvv73vv73vv73vv71jRO+/ve+/vU7vv70Jdz1K77+9H++/ve+/vVXvv71577+9YCZWNxvvv73vv70S77+9W++/ve+/vcahYTQ+chnvv70/NHHvv71w77+9aATvv70b77+977+9RGgNDO+/vU1m77+9H++/ve+/ve+/vVhA77+9Ie+/vQbWrCHvv73vv71/77+977+9fw3vv73vv71xCMqBOFQn77+9Je+/vTcgdu+/vRjvv71/KGnJlu+/ve+/vUYjdifvv70If++/vSAfcO+/vRzvv70HRu+/ve+/vQ==

C:\Users\user\Downloads\YPSIACHYXW.docx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	4.650776985860539
Encrypted:	false
SSDEEP:	12:fPOhYlDNJGAgbQ7h+N3OeCH+IcOliJea8cO7O5VNOXj/OoVTDh4OaMKVqrWHy:fPOmDv1FYkeCeIcOlicMYGi/OSxfHWHy
MD5:	620DAFC8DC47138D2F8C571FE24AE296
SHA1:	266303BEEBA8A47E1B9920E7284B32943F4B2BCD
SHA-256:	B4C3D3E26D6C401B923535C93DCFF2B923F9FEE017FFE1A4875368BD3E1DF911
SHA-512:	CF3E3536A650B36E7DF0AFF4EC94F63EDA75106611727E48524FAED3D9E96CC9034A51FAB712E4C921A030CD028F3E8730E2FFEC788C8DDB0F10A8BA72921D70
Malicious:	false
Preview:	<EncyptedKey>5CUEVP9TZVGX4R94MC84DXGTWBEOX5E<EncyptedKey> 77+9Te+/vVPvv73vv73vv70MRTXvv71tDe+/ve+/vQ7vv73vv70iQSM277+9fNeI77+977+977+977+9EO+/vXTvv71M77+977+9akTvv71D77+9SSTvv73Lr++/vWZe77+977+9cz7vv73vv73vv71JezAdB3J+JDnvv70h77+9OWUX77+9Wu+/vXTtjY4M77+9HlY8Nu+/vUc1Qu+/ve+/vV/vv70T77+9Oz3vv73vv73vv73Sjhst77+9ee+/vRlANe+/vQ7vv71vWO+/ve+/vTZI77+977+977+977+977+9QQUp77+977+977+9NiHvv73vv706SQIpQu+/ve+/vS7vv70M77+977+9fu+/ve+/ve+/vQfvv71b77+9Du+/vUPvv73vv71QYWl977+977+977+977+9NQ/vv73vv73vv70R77+977+977+977+9WGHvv73vv70FOS/vv70yFCvvv73vv70+T2ww77+9eA1maO+/vUnvv73vv70BFO+/vUoBQO+/vWPvv73vv73vv73vv71jRO+/ve+/vU7vv70Jdz1K77+9H++/ve+/vVXvv71577+9YCZWNxvvv73vv70S77+9W++/ve+/vcahYTQ+chnvv70/NHHvv71w77+9aATvv70b77+977+9RGgNDO+/vU1m77+9H++/ve+/ve+/vVhA77+9Ie+/vQbWrCHvv73vv71/77+977+9fw3vv73vv71xCMqBOFQn77+9Je+/vTcgdu+/vRjvv71/KGnJlu+/ve+/vUYjdifvv70If++/vSAfcO+/vRzvv70HRu+/ve+/vQ==

C:\Users\user\Downloads\YPSIACHYXW.xlsx Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	4.6363325363786885
Encrypted:	false
SSDEEP:	12:fIgtHYlDNJGAgbQ7h+N3OeCH+IcOliJea8cO7O5VNOXj/OoVTDh4OaMKVqrWHy:fj6Dv1FYkeCeIcOlicMYGi/OSxfHWHy
MD5:	4A8965D599A20A30AB3ABB5300D48950
SHA1:	D51180B0C77101C6F2D26319D8D6B8C9859152AC
SHA-256:	CB04CF567E7B6FF25EC18E1068478A92A362FB7F7317AFF4E0B28C64BE6CFDFC
SHA-512:	26B3BACC934DBE9EC02EC1C2DBD94C81A7EC0F313DED082253B7182A3DEFBCD34F6F979B5D1BD0A65CBFAC67FE9E0FC9ABFD052CCFE2469153CCB8E05C0BA21B
Malicious:	false
Preview:	<EncyptedKey>TNH6ALNN3BJLCX15WQK790PWI6ARULV<EncyptedKey> 77+9Te+/vVPvv73vv73vv70MRTXvv71tDe+/ve+/vQ7vv73vv70iQSM277+9fNeI77+977+977+977+9EO+/vXTvv71M77+977+9akTvv71D77+9SSTvv73Lr++/vWZe77+977+9cz7vv73vv73vv71JezAdB3J+JDnvv70h77+9OWUX77+9Wu+/vXTtjY4M77+9HlY8Nu+/vUc1Qu+/ve+/vV/vv70T77+9Oz3vv73vv73vv73Sjhst77+9ee+/vRlANe+/vQ7vv71vWO+/ve+/vTZI77+977+977+977+977+9QQUp77+977+977+9NiHvv73vv706SQIpQu+/ve+/vS7vv70M77+977+9fu+/ve+/ve+/vQfvv71b77+9Du+/vUPvv73vv71QYWl977+977+977+977+9NQ/vv73vv73vv70R77+977+977+977+9WGHvv73vv70FOS/vv70yFCvvv73vv70+T2ww77+9eA1maO+/vUnvv73vv70BFO+/vUoBQO+/vWPvv73vv73vv73vv71jRO+/ve+/vU7vv70Jdz1K77+9H++/ve+/vVXvv71577+9YCZWNxvvv73vv70S77+9W++/ve+/vcahYTQ+chnvv70/NHHvv71w77+9aATvv70b77+977+9RGgNDO+/vU1m77+9H++/ve+/ve+/vVhA77+9Ie+/vQbWrCHvv73vv71/77+977+9fw3vv73vv71xCMqBOFQn77+9Je+/vTcgdu+/vRjvv71/KGnJlu+/ve+/vUYjdifvv70If++/vSAfcO+/vRzvv70HRu+/ve+/vQ==

C:\Users\user\Downloads\ZBEDCJPBEY.png Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	4.639209976140895
Encrypted:	false
SSDEEP:	12:fG6LYlDNJGAgbQ7h+N3OeCH+IcOliJea8cO7O5VNOXj/OoVTDh4OaMKVqrWHy:fGZDv1FYkeCeIcOlicMYGi/OSxfHWHy
MD5:	B51474478BD8BE7B5E9F0D8D6BDD7D9A
SHA1:	7C4346E07C3F70A075BF3DDB5A522F28BBB045B5
SHA-256:	DD6F75A69BCA578572DC7961C954B4FF0FB46C0C7F49C454596153CE4FC64AF8
SHA-512:	FE1C60D07006C8470E9349B5E807383CDDAD24752090415D2819C894EFE650E5052F67999666858F0207D7A4348A40185CBD0053EA1298F426840F4234F9BBDA
Malicious:	false
Preview:	<EncyptedKey>53RWJXV9S9ZF23LE65FR7M8F27UYEL5<EncyptedKey> 77+9Te+/vVPvv73vv73vv70MRTXvv71tDe+/ve+/vQ7vv73vv70iQSM277+9fNeI77+977+977+977+9EO+/vXTvv71M77+977+9akTvv71D77+9SSTvv73Lr++/vWZe77+977+9cz7vv73vv73vv71JezAdB3J+JDnvv70h77+9OWUX77+9Wu+/vXTtjY4M77+9HlY8Nu+/vUc1Qu+/ve+/vV/vv70T77+9Oz3vv73vv73vv73Sjhst77+9ee+/vRlANe+/vQ7vv71vWO+/ve+/vTZI77+977+977+977+977+9QQUp77+977+977+9NiHvv73vv706SQIpQu+/ve+/vS7vv70M77+977+9fu+/ve+/ve+/vQfvv71b77+9Du+/vUPvv73vv71QYWl977+977+977+977+9NQ/vv73vv73vv70R77+977+977+977+9WGHvv73vv70FOS/vv70yFCvvv73vv70+T2ww77+9eA1maO+/vUnvv73vv70BFO+/vUoBQO+/vWPvv73vv73vv73vv71jRO+/ve+/vU7vv70Jdz1K77+9H++/ve+/vVXvv71577+9YCZWNxvvv73vv70S77+9W++/ve+/vcahYTQ+chnvv70/NHHvv71w77+9aATvv70b77+977+9RGgNDO+/vU1m77+9H++/ve+/ve+/vVhA77+9Ie+/vQbWrCHvv73vv71/77+977+9fw3vv73vv71xCMqBOFQn77+9Je+/vTcgdu+/vRjvv71/KGnJlu+/ve+/vUYjdifvv70If++/vSAfcO+/vRzvv70HRu+/ve+/vQ==

C:\Users\user\Downloads\ZTGJILHXQB.mp3 Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	4.636320101589269
Encrypted:	false
SSDEEP:	12:f+NYlDNJGAgbQ7h+N3OeCH+IcOliJea8cO7O5VNOXj/OoVTDh4OaMKVqrWHy:fVDv1FYkeCeIcOlicMYGi/OSxfHWHy
MD5:	5950B28A71DCB00818CDDEABFFA9BDBB
SHA1:	5C69FFC1BDEB9A38C102F5F6E544060231BF8642
SHA-256:	33AF89A43EBDA7E18243B8A29F05C248C167CBA8D582B716E2BAFBDB898DDCAD
SHA-512:	F283D346415228E9F69D2BE5327ECF30BF2FF1DE93CE4F18E00919CDD64A6A9C92A83EB51A96B9678EF28F11C592E5652E0AF63C974CC151075791F66C6ACBDC
Malicious:	false
Preview:	<EncyptedKey>2SQNRVARIBQ27JVX361DVP3XT5M4LC7<EncyptedKey> 77+9Te+/vVPvv73vv73vv70MRTXvv71tDe+/ve+/vQ7vv73vv70iQSM277+9fNeI77+977+977+977+9EO+/vXTvv71M77+977+9akTvv71D77+9SSTvv73Lr++/vWZe77+977+9cz7vv73vv73vv71JezAdB3J+JDnvv70h77+9OWUX77+9Wu+/vXTtjY4M77+9HlY8Nu+/vUc1Qu+/ve+/vV/vv70T77+9Oz3vv73vv73vv73Sjhst77+9ee+/vRlANe+/vQ7vv71vWO+/ve+/vTZI77+977+977+977+977+9QQUp77+977+977+9NiHvv73vv706SQIpQu+/ve+/vS7vv70M77+977+9fu+/ve+/ve+/vQfvv71b77+9Du+/vUPvv73vv71QYWl977+977+977+977+9NQ/vv73vv73vv70R77+977+977+977+9WGHvv73vv70FOS/vv70yFCvvv73vv70+T2ww77+9eA1maO+/vUnvv73vv70BFO+/vUoBQO+/vWPvv73vv73vv73vv71jRO+/ve+/vU7vv70Jdz1K77+9H++/ve+/vVXvv71577+9YCZWNxvvv73vv70S77+9W++/ve+/vcahYTQ+chnvv70/NHHvv71w77+9aATvv70b77+977+9RGgNDO+/vU1m77+9H++/ve+/ve+/vVhA77+9Ie+/vQbWrCHvv73vv71/77+977+9fw3vv73vv71xCMqBOFQn77+9Je+/vTcgdu+/vRjvv71/KGnJlu+/ve+/vUYjdifvv70If++/vSAfcO+/vRzvv70HRu+/ve+/vQ==

C:\Users\user\Links\Desktop.lnk Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	462
Entropy (8bit):	4.649621257341385
Encrypted:	false
SSDEEP:	6:UG+3RamnOlFFQXu+yVaTZSrMMZVHA1bB2Ra0mEJTgflbEiHxDJMMMhv5H:fe5nOfyXurVYZcfAhB8a0TqVrRDJYH
MD5:	B2860D1FA348695C6AC911B0E1A49615
SHA1:	66E976B37A402D65FAD3EA1FCB00DFE64C2863DB
SHA-256:	CA9431FB0D923685E8F4EB9E92A5FF132D3D295639FBE4877702C1B567DCD951
SHA-512:	A120BEED68CBDA0CBBD9D758A86BE2B13C22321907D312122E368D1E1EEF961ED0EE179DD1938FD00BDA684EA8B81507E3E2A433ED021F4E05A148EEDFA60B9A
Malicious:	false
Preview:	<EncyptedKey>VKQWDM0ESB8SBQWDKLXDE5N04KMC7Q3<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9

C:\Users\user\Links\Downloads.lnk Download File
Process:	C:\Users\user\Desktop\7eIebouyqg.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	806
Entropy (8bit):	4.637816194827596
Encrypted:	false
SSDEEP:	12:fEKwyXurVYZcfAhB8a0TqVrRDJY0SS7OCPPA91u2hKTUc5letXJSY3SYn:fzXIVYacqWrROzSzCufd5lwMYiY
MD5:	CFB2A29A1FEFABEE25986247D136C32E
SHA1:	285BD118A96442C9140FB0EB50D6D855FD97EAD5
SHA-256:	296C254714175C8D99079C44233BD45A8439458F59923AED7B96DF4187454C7D
SHA-512:	3E058DB1947D131D07451C0BDF124B7E43C0566070A4704A3A40835FD63A56DE36230F081A8A0C6250F73DD84CD638C8E202536935D63D59989848C522E139BD
Malicious:	false
Preview:	<EncyptedKey>XRGPPTKL8G5V6SVG9V5CCWGY06Z229Y<EncyptedKey> 25diRTRr77+9U2fvv70E77+977+9GUtkS1jvv71PIzHvv73vv73vv73vv70Y77+977+977+9Mm5bE++/vWjvv73vv71M77+9Me+/ve+/ve+/vWDXs0ga77+977+9E0Xvv71m77+9fn5DOu+/vV7vv73vv70kKQXvv73vv73vv73vv71h77+977+977+9D1UUAdCP77+977+9Hynvv73vv73vv73vv705OAhiczzvv73vv70777+977+977+9HhAW77+977+977+977+977+977+9KWlCai5+77+977+977+9WO+/vSVZaVhPflkgPBpmUx5x77+977+9be+/ve+/ve+/ve+/vVYQ77+977+977+9RO+/ve+/vSA/J1Xvv73vv73vv73vv71YQ0h277+9RA4C77+9S++/ve+/vQtEZe+/vXvvv73vv71I77+977+9Vznvv71DHO+/vT/vv70veBguFVHvv71m77+9EQHvv73XrO+/vRDvv73vv73vv71877+9BiluEu+/ve+/vQ7cmCc077+977+9HEXvv73vv70vExYU77+9R82777+977+977+9cUAB77+9JChO77+9G09l77+977+9Ze+/ve+/vQnvv71Beu+/ve+/vWbvv70bbCdFCkFcUibvv70zAO+/ve+/ve+/ve+/ve+/vd+u77+977+977+977+9ee+/ve+/vRpxD33vv707XF8M77+977+9RSQoOD4C77+9CBvvv70=

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.198302365758033
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	7eIebouyqg.exe
File size:	100864
MD5:	1e0be273be7e3c0587cd7fd1878431b2
SHA1:	9bc3e71c07bfe589e633340533e44f32cb4e5b35
SHA256:	5847c10d87797bc92bbe204885b79204b491dafe0b591b1277a5ec39e11db532
SHA512:	939f3a72d6dfb689d1360f6bc5854375b885aab632d2c9acbd562e6715b4957e10ea6b21f4396844e5614587b24ece4ae0507a0f47b8fa6116cb610c55adef61
SSDEEP:	768:W0Ddf1GaICq5m5ZfRjPV4vCKBKPhVZlQESdrT8BB6N+NwccIubm47cZ5:/Ddf1SCq5sLUCKW4s1bSmh
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....).`.................<...L......>[... ...`....@.. ....................................@................................

File Icon


Icon Hash:	69cc4cd4ccccccd4

Static PE Info

General
Entrypoint:	0x415b3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x608C29F1 [Fri Apr 30 16:01:53 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15ae4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x483e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x13b44	0x13c00	False	0.339658326741	data	5.58761512491	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x483e	0x4a00	False	0.11597339527	data	3.20763398029	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x16130	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0x1a358	0x14	data
RT_VERSION	0x1a36c	0x2e8	data
RT_MANIFEST	0x1a654	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2020
Assembly Version	1.0.0.0
InternalName	UnlockYourFiles.exe
FileVersion	1.0.0.0
ProductName	Unlock Your Files
ProductVersion	1.0.0.0
FileDescription	Unlock Your Files
OriginalFilename	UnlockYourFiles.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 7eIebouyqg.exe PID: 6892 Parent PID: 5872

General

Start time:	10:30:34
Start date:	22/05/2021
Path:	C:\Users\user\Desktop\7eIebouyqg.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\7eIebouyqg.exe'
Imagebase:	0x9e0000
File size:	100864 bytes
MD5 hash:	1E0BE273BE7E3C0587CD7FD1878431B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_UnlockYourFiles, Description: Yara detected UnlockYourFiles Ransomware, Source: 00000001.00000000.319368736.00000000009E2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_UnlockYourFiles, Description: Yara detected UnlockYourFiles Ransomware, Source: 00000001.00000002.343908786.00000000009E2000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 952 Parent PID: 568

General

Start time:	10:30:45
Start date:	22/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 1872 Parent PID: 6892

General

Start time:	10:30:46
Start date:	22/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\explorer.exe'
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 7eIebouyqg.exe PID: 6892 Parent PID: 5872 7eIebouyqg.exeCOMMON

Executed Functions

Function 00007FFD03393679, Relevance: 1.7, APIs: 1, Instructions: 218COMMON

Download Yara Rule

APIs

SHChangeNotify.SHELL32 ref: 00007FFD033937F6

Memory Dump Source

Source File: 00000001.00000002.356113554.00007FFD03390000.00000040.00000001.sdmp, Offset: 00007FFD03390000, based on PE: false

Similarity

API ID: ChangeNotify
String ID:
API String ID: 3893256919-0
Opcode ID: 9d4114ee45101c003a48aad062dd08dd4dd082f6acb2cef65dd4cc6f741d097c
Instruction ID: aef59086ee3023b0ddf27ee3b6f62425ad587d205bd4110a6df8140508f5edf5
Opcode Fuzzy Hash: 9d4114ee45101c003a48aad062dd08dd4dd082f6acb2cef65dd4cc6f741d097c
Instruction Fuzzy Hash: AB61F3A845E3C5AED713AB785CB05B27FF8DF4322AB1800EFE0D896097D658181AC757

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD0339014A, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

SHChangeNotify.SHELL32 ref: 00007FFD033937F6

Memory Dump Source

Source File: 00000001.00000002.356113554.00007FFD03390000.00000040.00000001.sdmp, Offset: 00007FFD03390000, based on PE: false

Similarity

API ID: ChangeNotify
String ID:
API String ID: 3893256919-0
Opcode ID: cede93a033084c06e381c042d2d57b5bb19c74a29329a858d06fc78e6a995466
Instruction ID: fb70f0a7bf174a753455b284033158486aad91d796576e8887349b23e9dfcc97
Opcode Fuzzy Hash: cede93a033084c06e381c042d2d57b5bb19c74a29329a858d06fc78e6a995466
Instruction Fuzzy Hash: B2311531A0CA488FDB08EB68D8566E87BE0FF95321F00017FD04AD31A2DA647856CB86

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 7eIebouyqg.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior